Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stealthy Dopant-Level Hardware Trojans

Posted by Soulskill on from the getting-in-before-the-rush dept.

DoctorBit writes "A team of researchers funded in part by the NSF has just published a paper in which they demonstrate a way to introduce hardware Trojans into a chip by altering only the dopant masks of a few of the chip's transistors. From the paper: 'Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against "golden chips."' In a test of their technique against Intel's Ivy Bridge Random Number Generator (RNG) the researchers found that by setting selected flip-flop outputs to zero or one, 'Our Trojan is capable of reducing the security of the produced random number from 128 bits to n bits, where n can be chosen.' They conclude that 'Since the Trojan RNG has an entropy of n bits and [the original circuitry] uses a very good digital post-processing, namely AES, the Trojan easily passes the NIST random number test suite if n is chosen sufficiently high by the attacker. We tested the Trojan for n = 32 with the NIST random number test suite and it passed for all tests. The higher the value n that the attacker chooses, the harder it will be for an evaluator to detect that the random numbers have been compromised.'"

4 of 166 comments (clear)

  1. Re:I wonder by GameboyRMH · · Score: 3, Interesting

    I wonder if they also considered that the NIST random number test suite might also be compromised by the NSA...

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  2. Re:Fascinating... by omnichad · · Score: 3, Interesting

    All they need to do? It's already been done at the fab! Why else would this be coming out now? These researchers have been under a gag order for years and only now got bold enough to stand up to the NSA.

    Opinions above are exaggerated for entertainment purposes only

  3. Proxy whistleblowing? (Re:Get Your Tinfoil Hats) by Anonymous Coward · · Score: 4, Interesting

    If I were a disgruntled member of the intelligence industrial complex and knew that this was actually being done by a government agency, and I did not relish the thought of a Russian sabbatical, couldn't I surface the news by telling researcher friends of mine how to do it?

  4. accidental misdoping even more troubling by hormiga · · Score: 3, Interesting

    Given Hanlon's razor, an accidental, rather than malicious, error in doping would be even more likely. If the chip were inadvertently doped incorrectly, it would pass visual inspections and even software tests without awareness of the defect. How many defective dice, not merely with RNGs but also with other circuits, are already in service due to inspection failures?

    Although this paper shows how insidious a threat from a well-funded adversary might be, even more it shows the need for more comprehensive inspection mechanisms to discover misdoping which might go undetected by existing standard procedures.

    BTW, the paper includes a well written and readable introduction to the context of the problem. Good job.