Hardware Trojan Insertion in Finalized Layouts: From Methodology to a Silicon Demonstration
This work addresses security risks for fabless semiconductor companies outsourcing fabrication, by showing how easily malicious actors can insert trojans, though it is incremental as it builds on existing hardware trojan concepts.
The authors tackled the problem of hardware trojan insertion in finalized integrated circuit layouts by developing an insertion framework based on the engineering change order flow, and they demonstrated its viability by successfully inserting side-channel trojans into four cryptocores in a 65nm CMOS ASIC prototype, with the attack taking just over an hour and being robust against manufacturing process variations.
Owning a high-end semiconductor foundry is a luxury very few companies can afford. Thus, fabless design companies outsource integrated circuit fabrication to third parties. Within foundries, rogue elements may gain access to the customer's layout and perform malicious acts, including the insertion of a hardware trojan (HT). Many works focus on the structure/effects of a HT, while very few have demonstrated the viability of their HTs in silicon. Even fewer disclose how HTs are inserted or the time required for this activity. Our work details, for the first time, how effortlessly a HT can be inserted into a finalized layout by presenting an insertion framework based on the engineering change order flow. For validation, we have built an ASIC prototype in 65nm CMOS technology comprising of four trojaned cryptocores. A side-channel HT is inserted in each core with the intent of leaking the cryptokey over a power channel. Moreover, we have determined that the entire attack can be mounted in a little over one hour. We also show that the attack was successful for all tested samples. Finally, our measurements demonstrate the robustness of our SCT against skews in the manufacturing process.