Stealthy Dopant-Level Hardware Trojans 166
DoctorBit writes "A team of researchers funded in part by the NSF has just published a paper in which they demonstrate a way to introduce hardware Trojans into a chip by altering only the dopant masks of a few of the chip's transistors. From the paper: 'Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against "golden chips."' In a test of their technique against Intel's Ivy Bridge Random Number Generator (RNG) the researchers found that by setting selected flip-flop outputs to zero or one, 'Our Trojan is capable of reducing the security of the produced random number from 128 bits to n bits, where n can be chosen.' They conclude that 'Since the Trojan RNG has an entropy of n bits and [the original circuitry] uses a very good digital post-processing, namely AES, the Trojan easily passes the NIST random number test suite if n is chosen sufficiently high by the attacker. We tested the Trojan for n = 32 with the NIST random number test suite and it passed for all tests. The higher the value n that the attacker chooses, the harder it will be for an evaluator to detect that the random numbers have been compromised.'"
Get Your Tinfoil Hats (Score:5, Informative)
http://linux.slashdot.org/story/13/09/10/1311247/linus-responds-to-rdrand-petition-with-scorn [slashdot.org]
Re:I wonder (Score:2, Informative)
Yes. A device that contains something concealed and malevolent? That's a hardware trojan right there.
Will not past verification - Scan. (Score:3, Informative)
These parts would not pass the standard verification process and would be rejected from being assembled into devices.
Standard testing of ICs for functional faults includes a scan process. Per the design specification that the part was supposed to buildt a number of scan vectors are passed through the devices. These scan vectors check as much of the device as possible. The goal is to check every flop and every logic path between flops. The tests are to detect manufacturing errors. And can find single faults in devices.
Typical errors are stuck at 1 or stuck at 0, also shorts and would easily expose modifications of this sort, especially of such a scale as to radically change things.
Re:accidental misdoping even more troubling (Score:3, Informative)
In semiconductor manufacturing, doping is the introduction of slight amounts of impurities into a semiconducting material, to create a condition of surplus or deficit electrons. Donors such as arsenic and phosphorus add electrons, creating n-type semiconductors, while acceptors such as boron and aluminum cause a deficit of electrons, making a p-type semiconductor. The terms surplus and deficit are relative to a state where all of the atomic orbitals are filled and the semiconductor has almost no conductivity. Thus, doping makes semiconductors into conductors.
Doping is commonly done by exposing the wafer of semiconducting material at high temperatures to a gas containing the dopant. The dopant diffuses into the surface of the wafer. A mask covers the wafer so that the diffusion only takes place where the wafer is uncovered. Note that the mask has microscopic detail, the quantities of dopants employed are low, and the chemicals used are nasty.
The circuit is created by the arrangement of the doped materials. For example, a p-type region adjacent to an n-type region makes a diode, while three adjacent regions in series make a bipolar transistor. The circuit is wired together using layers of metal (such as aluminum) deposited onto the surface and etched away in a pattern, done similarly to the way printed circuit boards are made.
Re:I wonder (Score:4, Informative)
Well, there goes the mod I plopped in, but...
1) Intel's high-end chip fabs are in Oregon, Arizona, California... not exactly close to Beijing. (They're still building some rather massive additions to their Ronler Acres fab up here in Oregon).
2) ARM chips, on the other hand (e.g. tablets and smartphone bits)? In that case I hereby petition Slashdot to introduce the "scary as fuck" mod.