Owning a high-end semiconductor foundry is a luxury very few companies can afford. Thus, fabless design companies outsource integrated circuit fabrication to third parties. Within foundries, rogue elements may gain access to the customer's layout and perform malicious acts, including the insertion of a hardware trojan (HT). Many works focus on the structure/effects of a HT, while very few have demonstrated the viability of their HTs in silicon. Even fewer disclose how HTs are inserted or the time required for this activity. Our work details, for the first time, how effortlessly a HT can be inserted into a finalized layout by presenting an insertion framework based on the engineering change order flow. For validation, we have built an ASIC prototype in 65nm CMOS technology comprising of four trojaned cryptocores. A side-channel HT is inserted in each core with the intent of leaking the cryptokey over a power channel. Moreover, we have determined that the entire attack can be mounted in a little over one hour. We also show that the attack was successful for all tested samples. Finally, our measurements demonstrate the robustness of our SCT against skews in the manufacturing process.
翻译:拥有高端半导体铸造器是一种奢侈品,很少几家公司能够负担得起。 因此, 假名设计公司将集成电路制造外包给第三方。 在铸造公司中, 流氓元素可能会进入客户的布局, 并从事恶意行为, 包括插入硬质硬铁( HT ) 。 许多工作都侧重于高端半导体的结构/ 效果, 而很少有人能展示其在硅质中HT的可行性。 更少的公司会披露HT是如何插入的, 或这项活动所需要的时间 。 我们的工作细节, 第一次将HT无懈可遗地插入到最终的布局中, 是在工程变更单流的基础上提供一个插入框架。 为了验证, 我们已在65nm CMOS 中建立了一个AS 原型模型, 由四个铁质的加密岩芯组成。 在每个核心中都插入了一个侧网, 目的是在电道上泄漏加密钥匙。 此外, 我们确定整个攻击可以在一个小小时内安装整个攻击, 。 我们还证明这次攻击是如何成功地制造了我们所有的SCT。