The University of California San Diego (UCSD) has developed a technique that it claims will be able to detect hardware trojans that might be introduced to a chip design during its progress along the manufacturing supply chain. The complexity of modern chips, some containing in excess of 1 billion transistors, combined with the globalization of the manufacturing process makes this a very real threat.
There are no proven examples of existing hardware Trojans. However, following Israel’s successful air strike against Syria in 2007 there was considerable speculation that a ‘kill switch’ had been built into the off-the-shelf microprocessors that controlled the Syrian radar. There were later suggestions that France had built hardware trojan kill switches into its own weapons to prevent them being used against its allies (it was a French Exocet missile that destroyed the UK’s HMS Sheffield during the 1982 Falklands War).
Whether any of this is true or not, it is theoretically possible. A trojan could be introduced at the coding stage when new algorithms are added to the CAD tools used to design the chips; or it could be done at the manufacturing stage. A ‘trojan’ comprising a dozen tiny transistors would be difficult if not impossible to detect hidden among a billion other transistors.
“Trojans are designed specifically to avoid activation during testing,” explains UCSD Professor Ryan Kastner. “Hardware designs are complex and often consist of millions of lines of code. The standard rule is to expect one ‘bug’ per five lines of code. People with bad intentions – say, a disgruntled employee – can insert these special ‘bugs’ into sequence patterns that are very unlikely to be tested, where they lie dormant and wait for a rare input to happen and then they trigger something malicious, like draining your phone’s battery or stealing your cryptographic key.”
Existing detection methods are expensive, largely statistical, and not foolproof. “The state of the art right now,” added Kastner, “is teams at Qualcomm or Intel, for example, manually inspecting hardware code and the physical characteristics of the chip to determine what they think could happen. It’s a terribly imprecise process, and you could easily overlook a small error which could have large consequences.”
The new technique is described in a paper written by Wei Hu and Ryan Kastner from UCSD, Baolei Mao from Northwestern Polytechnical University, and Jason Oberg of Tortuga Logic titled Detecting Hardware Trojans with Gate-Level Information-Flow Tracking. It uses a technique called GLIFT — gate-level information flow tracking — which assigns a label to important data in a hardware design.
For example, if a test engineer wishes to understand the flow of, say, a cryptographic key, he would write a formal property asserting that the labeled key data should be constrained within a secure area. If the key flows outside of that area, then the hardware is capable of being compromised.
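The label-propagation idea behind GLIFT, and the kind of property the test engineer above would write, can be shown on a toy circuit. The following is an added example, not code from the paper or from Tortuga Logic: it implements the standard precise gate-level taint rules (an output is labeled only when a labeled input can actually change its value given the other inputs), builds a hypothetical one-bit "crypto cell" with a debug port that only exposes the key when a three-bit trigger pattern is all ones, and checks the property "the key label never reaches the debug port" by enumerating every input vector. The circuit, the trigger pattern and the port names are all constructed for illustration.

```python
"""Toy gate-level information-flow tracking (added example, not the
paper's tooling).  Every wire is a (value, label) pair; label 1 means
"derived from the key".  The propagation rules are the precise ones:
an AND output is labeled only if a labeled input can still affect it
for the current data values (e.g. an unlabeled 0 on the other input
masks everything)."""
from itertools import product


def NOT(a):
    v, t = a
    return (1 - v, t)


def AND(a, b):
    (av, at), (bv, bt) = a, b
    # Labeled input affects the output only if the other input is 1
    # (or is itself labeled).
    return (av & bv, (av & bt) | (bv & at) | (at & bt))


def OR(a, b):
    (av, at), (bv, bt) = a, b
    # Dual of AND: an unlabeled 1 on the other input masks the flow.
    return (av | bv, ((1 - av) & bt) | ((1 - bv) & at) | (at & bt))


def XOR(a, b):
    (av, at), (bv, bt) = a, b
    # Either input always affects an XOR output, so labels simply merge.
    return (av ^ bv, at | bt)


def MUX(sel, a, b):
    """out = a when sel == 0, b when sel == 1, built from basic gates."""
    return OR(AND(NOT(sel), a), AND(sel, b))


def trojaned_circuit(bits):
    """Constructed design: inputs (key, plaintext, t0, t1, t2).
    The debug port is wired to the key, gated by a rare trigger."""
    k, p, t0, t1, t2 = bits
    key = (k, 1)                      # the key wire carries the label
    pt = (p, 0)
    trig = AND(AND((t0, 0), (t1, 0)), (t2, 0))
    cipher = XOR(key, pt)             # legitimate, key-dependent output
    debug = MUX(trig, (0, 0), key)    # trojan: key leaks when trig == 1
    return cipher, debug


def clean_circuit(bits):
    """Same interface, but the debug port only reports trigger status."""
    k, p, t0, t1, t2 = bits
    key, pt = (k, 1), (p, 0)
    trig = AND(AND((t0, 0), (t1, 0)), (t2, 0))
    return XOR(key, pt), trig


def key_flows_to_debug(circuit, n_inputs=5):
    """Property check: return every input vector on which the key label
    reaches the debug port.  Exhaustive enumeration is fine for a toy;
    the paper relies on formal tools for real designs."""
    return [bits for bits in product((0, 1), repeat=n_inputs)
            if circuit(bits)[1][1] == 1]


if __name__ == "__main__":
    bad = key_flows_to_debug(trojaned_circuit)
    print("trojaned design: key reaches debug on", bad)
    print("clean design: key reaches debug on", key_flows_to_debug(clean_circuit))
```

Only the four vectors with `t0 = t1 = t2 = 1` violate the property, which is exactly the "rare input" a functional test suite is unlikely to exercise; the information-flow check flags the design because it reasons about where the key label can go rather than about what was observed on a handful of test vectors. The cipher output is labeled on every vector, but the property deliberately says nothing about it, since that flow is intended.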
The authors admit that this new process cannot detect all types of hardware trojan, such as those that leak information through physical side channels. Nevertheless, they conclude, “our method holds a unique place in the spectrum of methods to detect hardware Trojans – namely, the identification of Trojans that can cause violation of information-flow security properties related to confidentiality and integrity.”