1260–1180 BC
Bronze Age

After a fruitless 10-year siege, the Greeks constructed a huge
wooden horse, and hid a select force of men inside. The Greeks
pretended to sail away and that night the Greek force crept out of the
horse and opened the gates for the rest of the Greek army and
destroyed the city of Troy

The views expressed in this presentation
are Mere Apne. Reference to any
specific products, process, or service do
not necessarily constitute or imply
endorsement, recommendation, or
favoring by any Government or the
Department of Defense
ALL FIGURES IN THE PPT ARE ONLY FOR DEPICTION
PURPOSE.

Not here
to

A Hardware Trojan is a
Malicious Modification of the
circuitry of an integrated circuit.

“Outsourcing the fabrication and design to third
parties imputed to the huge scales of requirements
and economies involved”

Bogus packaging
could disguise a
questionable chip as
legitimate one &
baking a chip for 24
hours after
fabrication could
shorten its life span
from 15 years to a
scant 6 months
Adding 1000 extra
transistors during
either the design or
the fabrication
process could create
a kill switch or a
trapdoor or could
enable access for a
hidden code that
shuts off all.
NICK THE WIRE
A notch in few
interconnects would
be almost
impossible to detect
but would cause
eventual mechanical
failure as the wire
become overloaded.
ADD OR
RECONNECT WIRING
During the layout
process, new circuit
traces and wiring
can be added to the
circuit. A skilled
engineer familiar
with the chips
blueprint could
reconnect the wires
to undesired output.

DESIGN
• Untrusted Third
party IP cores
• Untrusted CAD
tools
• Untrusted
automation scripts
• Untrusted Libraries
FABRICATION
• Untrusted
Foundries
TEST & VALIDATIONS
• Untrusted if not
done in-house
• Trusted if done in
house

The IP core can be described as being
for chip design what a library is for computer
programming .

Electronic Design Automation (EDA) is a
category of software tools for designing
Electronic systems such as Printed circuit
boards and Integrated Circuits.
The tools work together in a design
flow that chip designers use to design
and analyze entire semiconductor chips.

****Focused ion beam is a technique used particularly in the semiconductor industry, materials
science for deposition, and ablation of materials.

Hardware Trojans
Physical
Distribution
Structure
Size
Type
Activation
Externally
Antenna
Sensor
Internally Always on Conditional
Logic
Sensor
Action
Transmit
Modify Specs
Modify Function

Hardware Trojans
Design
Phase
Specs
Fabrication
Test
Assembly
and
Package
Abstraction
Level
System
Level
Development
RT Level
Gate Level
Physical
Level
Effects
Change
Function
Change
Specs
Leak Info
Denial of
Service
Location
Part/Identity
Processor
Memory
I/O
Power
Supply
Clock
Activation
Always on Triggered
Internally
Externally

Internet of Things
• 10 billion Devices and Counting
• Everything right from your computer to your phone to
your microwave can be compromised without you ever
knowing about it.

Logistics Systems and Support domain:
Transport Infrastructure, Traffic Control,
Metro/Rail Monitoring & Control

Civil Critical Applications: Banking, Stock
market IT Infrastructure

Military Systems: Weapon Control systems,
Satellite controls, Radar systems,
Surveillance Systems, Decision support
Systems.

Aviation and Aeronautics industry : Flight
control systems, Space Shuttles, Satellites
etc.

Miscellaneous
Data centers IT Infrastructure, Personal Info
stored in Clouds, Government Systems in
Critical Setups etc

Attribute Hardware Trojans Software Trojans
Agency involved
to infect
Pre fabrication embedding in
the hardware IC during
manufacturing or retrofitted
later.
Resides in code of the OS or
in the running applications
and gets activated whilst
execution.
Mode
Third party untrusted
agencies involved to
manufacture ICs in various
stages of fabrication.
Downloading malicious files
from internet or via social
engineering methods
executing malicious files or
commonly sources USB etc.
Current Remedial
Measure
available
Currently none since one
embedded there is no way to
remove the same other then
destroying.
Signatures released by
antivirus companies and
software patches based on
behavioral pattern observed.
Behavioral
Attribute
Once activated the behavioral
action of the Hardware
Trojan cannot be changed.
A Trojan behavior can
change by further update or
patch application etc

Anatomy of a
Events which enable the
Trojan Payload
Stealth depends on Triggers
The Ammo / firepower
Size is not proportional to
destruction
Prior to triggering, a hardware trojan lies dormant without
interfering with the operation of any electronics.

“September 2007, Israeli jets bombed a suspected nuclear
installation in northeastern Syria. Among the many mysteries
still surrounding that strike was the failure of Syrian radar,
supposedly state of the art, to warn the Syrian military of the
incoming assault. It wasn’t long before military and
technology bloggers concluded that this was an incident of
electronic warfare and not just any kind. Post after post
speculated that the commercial off-the-shelf microprocessors
in the Syrian radar might have been purposely fabricated with
a hidden “backdoor” inside. By sending a preprogrammed
code to those chips, an unknown antagonist had disrupted
the chips’ function and temporarily blocked the radar”
Source : IEEE spectrum, 2007
Syrian RADAR
Case

Computer Chip in a Commercial Jet
Compromised

• The method involves accessing and sending
instructions to the chip housed on smart batteries
• Completely disables the batteries on laptops, making
them permanently unusable,
• Perform a number of other unintended actions like
false reporting of battery levels, temperature etc.
• Could also be used for more malicious purposes down
the road.
Laptop Batteries Can Be Bricked

A advantageously contrived and implanted backdoor at an
untrusted fabrication facility involved in manufacturing the
typical pc processor can be victimized by a software
antagonist at a later scheduled time line.
This kind of a backdoor in a
processor will never be
divulged by the run of the mill
or state of the art antivirus
versions predominately
available COTS.

• Sabotage on the Cryptographic Capability of Intel Processor
• Reduces the entropy of the random number generator from
128 bits to 32 bits.
• Accomplished by changing the doping polarity of a few
transistors.
• Undetectable by built in self tests and physical inspection.
Intel Ivy Bridge Can’t Keep Your
Secret
**entropy is the randomness collected by an application for use in cryptography

A hardware Trojan to operate,
needs ground and power supply
which can be low or high
depending on the design it is
based on.
A Trojan that requires a low end
power supply will have low
chances of being detected
whereas a Trojan requiring higher
power supply would be at a larger
chance of detection.

A Golden Chip is a chip which
is known to not include malicious
modifications

Countermeasures
For
Hardware Trojans
Trojan
Detection
Approaches
Design For
Security
Prevent
Insertion
Facilitate
Detection
Run Time
Monitoring

Hardware is the
Root of Trust; Even
a small malicious
modification can be
devastating to
system security
Key Takeaway #1

Key Takeaway #2
Virtually any and
every Electronic
System around us
can be potentially
Compromised.

Key Takeaway #3
Most
semiconductor
companies
OUTSOURCE their
manufacturing due
to the high capital
and operational
costs

Key Takeaway #4
The trust in the
chip Design process
is Broken

A Hardware Trojan
is near Impossible
to detect in tests
because its
designed to trigger
in mission mode
Key Takeaway #5

Long term research
can bring built in
security and tamper
resistance in IC
designs. However,
for short term, the
threat can be
mitigated by making
the supply chain
trusted.
Key Takeaway #6

http://www.eetimes.com/electronics-news/4373667/Report-reveals-fake-chips-in-military-hardware
• http://www.theatlanticwire.com/technology/2011/06/us-military-fake-microchips-china/39359/
• https://citp.princeton.edu/research/memory/media/
• Cyber security in federal government, Booz Allen Hamilton
• The hunt for the kill switch, IEEE Spectrum, May 2008
• Report of the Defense Science Board Task Force on High Performance Microchip Supply,’’ Defense Science
Board, US DoD, Feb. 2005; http://www.acq.osd.mil/dsb/ reports/2005-02-HPMS_Report_Final.pdf.
• ‘‘Innovation at Risk Intellectual Property Challenges and Opportunities,’’ Semiconductor Equipment
and Materials International, June 2008.
• www.darpa.mil/mto/solicitations/baa07-24/index.html
• The hunt for the kill switch, IEEE Spectrum, May 2008
• Towards a comprehensive and systematic classification of hardware Trojans, J Rajendran et.al.
• http://larc.ee.nthu.edu.tw/~cww/n/625/6251/05DFT0603.pdf
• X. Wang, M. Tehranipoor, and J. Plusquellic, ‘‘Detecting Malicious Inclusions in Secure Hardware:
Challenges and
• Hardware Trojan: Threats and Emerging Solutions, Rajat Subhra Chakraborty et al.

I am at :
anupam605@gmail.com
http://about.me/anupa
m.tiwari