TY - GEN
T1 - Hardware trojan cyber-physical threats to supply chains
AU - Sauer, Kurt
AU - David, Michael
AU - Sakurai, Kouichi
PY - 2018/1/1
Y1 - 2018/1/1
N2 - Many actors are involved in the supply chain processes needed to produce an integrated circuit. Any one of these individuals or groups could make illicit copies of semiconductor IP during their work. In addition, chips could be intentionally compromised during the design process, before they are even manufactured. If placed into the design with sufficient skill, these built-in vulnerabilities would be extremely difficult to detect during testing. Moreover, they could lay dormant, only to be triggered months or years later to disrupt or exfiltrate data from a system containing the compromised chip. This paper primarily reviews the risks posed by design tampering, looks at threat actors and their possible activities, threat models for these activities, and possible mitigations. It assesses the impacts of security composability theory on risk management and practical design, and tries to identify the greatest threat. Our proposal is to contrast Trojan insertion risks at the two ends of the spectrum in early design phase: first at the highest abstraction level, the RTL description, and second at the layout level, in GDSII. A key question for the future is how to develop security architectures that are Trojan tolerant, meaning that other layers of protective controls exist to protect the overall system from malfunctioning at a level commensurate with the risk tolerance of the system. The views expressed do not reflect the official policy or position of the National Intelligence University, the Department of Defense, the U.S. Intelligence Community, or the U.S. Government.
AB - Many actors are involved in the supply chain processes needed to produce an integrated circuit. Any one of these individuals or groups could make illicit copies of semiconductor IP during their work. In addition, chips could be intentionally compromised during the design process, before they are even manufactured. If placed into the design with sufficient skill, these built-in vulnerabilities would be extremely difficult to detect during testing. Moreover, they could lay dormant, only to be triggered months or years later to disrupt or exfiltrate data from a system containing the compromised chip. This paper primarily reviews the risks posed by design tampering, looks at threat actors and their possible activities, threat models for these activities, and possible mitigations. It assesses the impacts of security composability theory on risk management and practical design, and tries to identify the greatest threat. Our proposal is to contrast Trojan insertion risks at the two ends of the spectrum in early design phase: first at the highest abstraction level, the RTL description, and second at the layout level, in GDSII. A key question for the future is how to develop security architectures that are Trojan tolerant, meaning that other layers of protective controls exist to protect the overall system from malfunctioning at a level commensurate with the risk tolerance of the system. The views expressed do not reflect the official policy or position of the National Intelligence University, the Department of Defense, the U.S. Intelligence Community, or the U.S. Government.
UR - http://www.scopus.com/inward/record.url?scp=85051711548&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85051711548&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85051711548
T3 - Proceedings of the 13th International Conference on Cyber Warfare and Security, ICCWS 2018
SP - 448
EP - 455
BT - Proceedings of the 13th International Conference on Cyber Warfare and Security, ICCWS 2018
A2 - Hurley, John S.
A2 - Chen, Jim Q.
PB - Academic Conferences and Publishing International Limited
T2 - 13th International Conference on Cyber Warfare and Security, ICCWS 2018
Y2 - 8 March 2018 through 9 March 2018
ER -