Please do not ask for the source.  As I myself don't know it and do not bother 
about it, how can I give you the source?  I receive most of these mails from one 
of my tech-savvy colleagues.  As he forwards/sends them to me in the form of 
attachments, I have to open and read them, then copy and paste them to this list.  
I hope those who ask for the source will understand this.  If I know the source, 
I will surely mention it.  

     'Hardware Trojans' could turn microchips into timebombs
          Firewalls and anti-virus software will be useless against a new
          generation of attacks that target the very fabric of microchips

by Paul Marks

MICROCHIPS are vulnerable to a host of attacks during their
manufacture that could quietly render them useless shortly after being
put to use in crucial applications. The possibility is raising fears
that critical systems such as air traffic control, power grids and
military systems could be hacked more easily than had been thought.

Last week, engineers from Case Western Reserve University in
Cleveland, Ohio, and the electronics firm Rockwell Automation of
Milwaukee, Wisconsin, revealed how microchips could be effectively
turned into time bombs in two papers published on the physics preprint
server (arXiv:0906.3832 and 0906.3834). There is currently no way to
test for chips adulterated in this way, says electronics engineer
Frank Wolff of the Case Western team, although he and others are
exploring detection techniques (see "Tripping up trojans").

Another kind of chip doctoring is exercising the minds of engineers at
the Pentagon's Defense Advanced Research Projects Agency (DARPA).
In 2005, a report from the Defense Science Board, an advisory
committee for the US military, warned that the inexorable migration of
silicon chip manufacturing from the US to countries employing cheaper
labour meant the US was no longer in complete control of the
technology it relies upon.

How would anyone know, the board asked, if a chip-industry engineer in
Taiwan, Singapore or China, say, had introduced a malicious circuit -
a remotely controllable kill switch, for example - in a chip
containing many millions of transistors?

As a result of that report, DARPA, based in Arlington, Virginia,
established a research programme called Trust in Integrated Circuits.
Its research, carried out largely in secret, is to work out how memory
chips, logic circuit designs and the like can be adulterated - and how
to detect those that have been.

To sabotage a chip, a culprit would have to be an expert chip designer
with access to the computer-aided design systems containing a chip's
blueprints. The latest fear, however, is that it's not only designs
that can be sabotaged - the manufacturing process itself is also
vulnerable.

The Case Western and Rockwell team says there are four ways in which
the properties of semiconductors might allow hidden defects - which
they call hardware trojans - to be introduced into microchips. They
are all based on the mechanisms that eventually cause chips to wear
out naturally some time after their 10-year guaranteed lifetime. The
mechanism that most concerns them is called "hot carrier
injection" (HCI) because it works by gradually - but undetectably -
degrading the function of some of the transistors in a chip.

So how would an HCI-based attack work? A transistor is an on-off
switch with three terminals: a source and a drain through which the
current flows, and a gate that sits above these terminals, linking
them together. Applying a voltage to the gate sets up an electric
field that allows a current to flow. The speed at which this happens
is crucial as it helps to determine the clock speed of a
microprocessor, or the access time of a memory.

The gate terminal has a layer of silicon dioxide insulation beneath it
which is constantly bombarded by electrons (hot carriers) whizzing
through the channel between the source and drain. To prevent that
insulation from deteriorating, engineers dope it with nitric oxide or
nitrous oxide during manufacturing to create a resilient nitrate
layer.

So without the need to know anything about the circuit design, an
engineer in a chip-making facility could modify the nitrate
concentration, or the temperature of the nitrate layering process, to
create a chip wafer with a thinner protective layer that is more
vulnerable to hot carriers. The upshot is that the switching time
becomes gradually slower until the gate's insulation breaks down
completely - at which point the chip fails.

Measuring the thickness of this layer in a chip is almost impossible
so victims are initially unaware they've been targeted. A further
problem is that the process of deterioration can vary hugely. "That
would cause some devices on a wafer to wear out in months to a few
years, thus creating a reliability-based trojan," say the team.

Earlier this year, Colonel Glenn Zimmerman of the Pentagon's Cyber
Command for computer warfare said the need to verify critical
microchips is crucial. "We now import most of our semiconductor
devices so there is no question that they, and the chip fabrication
foundries they come from, need authenticating," he says.

Tripping up trojans
A SABOTEUR involved in the design of a microchip could include extra
circuitry in a chip that distorts calculations only after it is
triggered by a predetermined set of instructions. This kind of
skulduggery is tricky to spot because such a "hardware trojan" would
not reveal itself until it is activated. An ordinary chip test would
not find it, and spotting the extra circuits among the billions of
legitimate ones is practically impossible.

But at an IEEE conference on hardware security in San Francisco in
July, engineers at Case Western Reserve University in Cleveland, Ohio,
and Rockwell Automation of Milwaukee, Wisconsin, will reveal a smart
way to detect such compromised circuits.

Their idea is to run critical applications only on chips with multiple
processors, or "cores", rather than older chips with a single core.
The idea is to run each logical task on at least two cores and compare
the outputs. If one of the cores is compromised, the outputs will
differ after the trojan is triggered. This allows the core with a
trojan to be identified and excluded from use.

The penalty is the need to run an ultrafast software algorithm that
can carry out this comparison process behind the scenes - but at least
the chip can continue in operation despite any adulteration.

"This addresses the 'time bomb' issue by using multicore processors to
learn where the trojans are over time. It's currently the most
attractive solution," says Frank Wolff, a computer security specialist
on the Case Western team.
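
An added illustration, not taken from the article or from the Case Western/Rockwell papers: a small simulation of the compare-and-exclude scheme described in the sidebar. The names Core, RedundantScheduler and TRIGGER, the arithmetic "task" and the third-core tie-break are assumptions made here; the article only says each task runs on at least two cores and the outputs are compared.

```python
TRIGGER = 0xDEAD  # constructed trigger value for the simulated trojan

class Core:
    """Simulated core; a trojaned core corrupts results once it has seen TRIGGER."""
    def __init__(self, cid, trojaned=False):
        self.cid = cid
        self.trojaned = trojaned
        self.armed = False

    def run(self, x):
        if self.trojaned and x == TRIGGER:
            self.armed = True               # dormant until the trigger input is seen
        result = (x * x + 1) % 65521        # stand-in for the real logical task
        return result ^ 1 if self.armed else result

class RedundantScheduler:
    """Runs each task on two cores; a mismatch is arbitrated on a third core."""
    def __init__(self, cores):
        self.trusted = list(cores)
        self.excluded = []
        self.tasks = 0

    def run(self, x):
        n = len(self.trusted)
        if n < 3:
            raise RuntimeError("need at least 3 trusted cores to arbitrate a mismatch")
        # Rotate the pair so every core is cross-checked against different partners.
        a, b, c = (self.trusted[(self.tasks + k) % n] for k in range(3))
        self.tasks += 1
        ra, rb = a.run(x), b.run(x)
        if ra == rb:
            return ra
        rc = c.run(x)                       # tie-break: assumes at most one bad core
        if rc not in (ra, rb):
            raise RuntimeError("three-way disagreement; no majority")
        bad = b if rc == ra else a
        self.trusted.remove(bad)            # exclude the outlier, keep operating
        self.excluded.append(bad.cid)
        return rc

def demo():
    cores = [Core(0), Core(1), Core(2, trojaned=True), Core(3)]
    sched = RedundantScheduler(cores)
    inputs = [5, 7, TRIGGER, 11, 13, 17, 19, 23]   # constructed workload
    outputs = [sched.run(x) for x in inputs]
    expected = [(x * x + 1) % 65521 for x in inputs]
    return outputs, expected, sched.excluded
```

The scheme only catches a trojan once it changes an output, and the tie-break fails if two of the three cores involved are compromised in the same way.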
