The views expressed in this presentation

are Mere Apne. Reference to any

specific products, process, or service do
not necessarily constitute or imply
endorsement, recommendation, or
favoring by any Government or the
Department of Defense

ALL FIGURES IN THE PPT ARE ONLY FOR DEPICTION

PURPOSE.

An Opening Caveat

Ye TROJAN TROJAN kya hai?...ye TROJAN

TROJAN!!!!!!

12601180 BC
Bronze Age

After a fruitless 10-year siege, the Greeks constructed a huge

wooden horse, and hid a select force of men inside. The Greeks
pretended to sail away and that night the Greek force crept out of the
horse and opened the gates for the rest of the Greek army and
destroyed the city of Troy

A ardware rojan is a
Malicious Modification of the
circuitry of an integrated circuit.

Outsourcing the fabrication and design to third

parties imputed to the huge scales of requirements
and economies involved

Bogus packaging
could disguise a
questionable chip as
legitimate one &
baking a chip for 24
hours after
fabrication could
shorten its life span
from 15 years to a
scant 6 months
Adding 1000 extra
transistors during
either the design or
the fabrication
process could create
a kill switch or a
trapdoor or could
enable access for a
hidden code that
shuts off all.

NICK THE WIRE

A notch in few
interconnects would
be almost
impossible to detect
but would cause
eventual mechanical
failure as the wire
become overloaded.
ADD OR
RECONNECT WIRING
During the layout
process, new circuit
traces and wiring
can be added to the
circuit. A skilled
engineer familiar
with the chips
blueprint could
reconnect the wires
to undesired output.

DESIGN

FABRICATION

TEST & VALIDATIONS

Untrusted Third
party IP cores

Untrusted
Foundries

Untrusted if not
done in-house
Trusted if done in
house

Untrusted CAD
tools
Untrusted
automation scripts

Untrusted Libraries

The IP core can be described as being

for chip design what a library is for computer
programming .

Pre Silicon

In Silicon

Post Silicon

Electronic Design Automation (EDA) is a

category of software tools for designing
Electronic systems such as Printed circuit
boards and Integrated Circuits.

The tools work together in a design

flow that chip designers use to design
and analyze entire semiconductor chips.

****Focused ion beam is a technique used particularly in the semiconductor industry, materials
science for deposition, and ablation of materials.

Hardware Trojans
Physical
Distribution

Structure
Size
Type

Activation
Externally

Internally

Always on

Action
Conditional

Transmit

Antenna

Logic

Modify Specs

Sensor

Sensor

Modify Function

Hardware Trojans

Design
Phase
Specs
Fabrication
Test
Assembly
and
Package

Abstraction
Level
System
Level
Development
Gate Level

Physical
Level

Effects

Location

Activation

Change
Function

Part/Identity

Change
Specs

Processor

Internally

Denial of
Service

Memory

Externally

I/O
Power
Supply
Clock

Always on

Triggered

Internet of Things
10 billion Devices and Counting
Everything right from your computer to your phone to
your microwave can be compromised without you ever
knowing about it.

Logistics Systems and Support domain:

Transport Infrastructure, Traffic Control,
Metro/Rail Monitoring & Control

Civil Critical Applications: Banking, Stock

market IT Infrastructure

Military Systems: Weapon Control systems,

Satellite controls, Radar systems,
Surveillance Systems, Decision support
Systems.

Aviation and Aeronautics industry : Flight

control systems, Space Shuttles, Satellites
etc.

Miscellaneous
Data centers IT Infrastructure, Personal Info
stored in Clouds, Government Systems in
Critical Setups etc

Attribute

Agency involved
to infect

Mode

Hardware Trojans
Pre fabrication embedding in
the hardware IC during
manufacturing or retrofitted
later.

Third party untrusted

agencies involved to
manufacture ICs in various
stages of fabrication.

Currently none since one

Current Remedial
embedded there is no way to
Measure
remove the same other then
available
destroying.

Behavioral
Attribute

Software Trojans
Resides in code of the OS or
in the running applications
and gets activated whilst
execution.
Downloading malicious files
from internet or via social
engineering
methods
executing malicious files or
commonly sources USB etc.
Signatures
released
by
antivirus companies and
software patches based on
behavioral pattern observed.

Once activated the behavioral A Trojan behavior can

change by further update or
action of the Hardware
patch application etc
Trojan cannot be changed.

Anatomy of a

Events which enable the

Trojan Payload

The Ammo / firepower

Stealth depends on Triggers

Size is not proportional to

destruction

Prior to triggering, a hardware trojan lies dormant without

interfering with the operation of any electronics.

Syrian RADAR Case

September 2007, Israeli jets bombed a suspected nuclear
installation in northeastern Syria. Among the many mysteries
still surrounding that strike was the failure of Syrian radar,
supposedly state of the art, to warn the Syrian military of the
incoming assault. It wasnt long before military and
technology bloggers concluded that this was an incident of
electronic warfare and not just any kind. Post after post
speculated that the commercial off-the-shelf microprocessors
in the Syrian radar might have been purposely fabricated with
a hidden backdoor inside. By sending a preprogrammed
code to those chips, an unknown antagonist had disrupted
the chips function and temporarily blocked the radar
Source : IEEE spectrum, 2007

Computer Chip in a Commercial Jet

Compromised

Laptop Batteries Can Be Bricked

The method involves accessing and sending
instructions to the chip housed on smart batteries
Completely disables the batteries on laptops, making
them permanently unusable,
Perform a number of other unintended actions like
false reporting of battery levels, temperature etc.
Could also be used for more malicious purposes down
the road.

A advantageously contrived and implanted backdoor at an

untrusted fabrication facility involved in manufacturing the
typical pc processor can be victimized by a software
antagonist at a later scheduled time line.

This kind of a backdoor in a

processor will never be
divulged by the run of the
mill or state of the art
antivirus versions
predominately available
COTS.

Intel Ivy Bridge Cant Keep Your

Secret
Sabotage on the Cryptographic Capability of Intel Processor

Reduces the entropy of the random number generator from

128 bits to 32 bits.
Undetectable by built in self tests and physical inspection.

**entropy is the randomness collected by an application for use in cryptography

A hardware Trojan to operate,

needs ground and power supply
which can be low or high
depending on the design it is
based on.
A Trojan that requires a low end
power supply will have low
chances of being detected
whereas a Trojan requiring higher
power supply would be at a larger
chance of detection.

A Golden Chip is a chip which

is known to not include malicious
modifications

Countermeasures
For
Hardware Trojans

Trojan
Detection
Approaches

Design For
Security

Prevent
Insertion

Run Time
Monitoring

Facilitate
Detection

Key Takeaway #1

Hardware is the
Root of Trust; Even
a small malicious
modification can be
devastating to
system security

Key Takeaway #2

Virtually any and

every Electronic
System around us
can be potentially
Compromised.

Key Takeaway #3

Most
semiconductor
companies
OUTSOURCE their
manufacturing due
to the high capital
and operational
costs

Key Takeaway #4

The trust in the

chip Design process
is Broken

Key Takeaway #5

A Hardware Trojan
is near Impossible
to detect in tests
because its
designed to trigger
in mission mode

Key Takeaway #6

Long term research

can bring built in
security and tamper
resistance in IC
designs. However,
for short term, the
threat can be
mitigated by making
the supply chain
trusted.

You are Secure only till

someone
Becomes Interested
In You
100 % SECURITY WILL REMAIN A MYTH FOR
NEXT FEW YEARS

http://www.eetimes.com/electronics-news/4373667/Report-reveals-fake-chips-in-military-hardware
http://www.theatlanticwire.com/technology/2011/06/us-military-fake-microchips-china/39359/
https://citp.princeton.edu/research/memory/media/
Cyber security in federal government, Booz Allen Hamilton
The hunt for the kill switch, IEEE Spectrum, May 2008
Report of the Defense Science Board Task Force on High Performance Microchip Supply, Defense Science
Board, US DoD, Feb. 2005; http://www.acq.osd.mil/dsb/ reports/2005-02-HPMS_Report_Final.pdf.
Innovation at Risk Intellectual Property Challenges and Opportunities, Semiconductor Equipment
and Materials International, June 2008.
www.darpa.mil/mto/solicitations/baa07-24/index.html
The hunt for the kill switch, IEEE Spectrum, May 2008
Towards a comprehensive and systematic classification of hardware Trojans, J Rajendran et.al.
http://larc.ee.nthu.edu.tw/~cww/n/625/6251/05DFT0603.pdf
X. Wang, M. Tehranipoor, and J. Plusquellic, Detecting Malicious Inclusions in Secure Hardware:
Challenges and
Hardware Trojan: Threats and Emerging Solutions, Rajat Subhra Chakraborty et al.

E-Mail : anupam.tiwari@nic.in

LinkedIn : https://in.linkedin.com/in/anupam-tiwari-3848883
Blog at : http://anupriti.blogspot.com