









Red Team, Blue Team, and Trojan Tales



Steffen Becker, e7p, René Walendy

- **№** 37<sup>th</sup> Chaos Communication Congress
- △ December 29<sup>th</sup>, 2023
- ☑ Hamburg, Germany



# **AGENDA**









# **AGENDA**





# INTEGRATED CIRCUITS FULFILL MISSION-CRITICAL OBJECTIVES IN MANY SYSTEMS

















# Mission-critical objectives include:

- cryptography & encryption
- location services
- wireless communication
- real-time monitoring
- fault detection & prevention
- power management
- signal processing
- ..



# INTEGRATED CIRCUITS ARE TINY AND HIGHLY COMPLEX



Zoom Into a Microchip, NISENet, CC BY 3.0, via YouTube



# IC DESIGN FLOW DISTRIBUTED ACROSS GLOBAL SUPPLY CHAIN





# **Supply chain threats include:**

- Weakening of cryptographic primitives
- Information leakage
- Denial of service (kill switch)
- Safety hazards
- •



# MANY ENTRY POINTS FOR ATTACKERS



# Malicious Designer (implants Backdoor)

- Can arbitrarily add or change any function of the chip
- Either during IC design phase or through third-party IP cores



# MANY ENTRY POINTS FOR ATTACKERS



# **Subverted Design Tool**

- (Ex works or after delivery) modified design tool
- Automatically inserts manipulations during synthesis or place & route
- May even tamper with verification tools to prevent detection



# MANY ENTRY POINTS FOR ATTACKERS



# **System-level Hardware Trojan**

- Add "spy ICs" to PCB, manipulate PCB routing, ...
- For example, during PCB assembly or transportation
- May be detected during optical inspection, product teardown or via XRay





# SYSTEM-LEVEL HARDWARE TROJANS – A CASE STUDY

# "The Big Hack" (Bloomberg, October 2018)

- Based on anonymous sources
- In 2015, a security analysis lab presumably found a system-level hardware Trojan
- Injected during assembly of specific Supermicro server blades
- Thousands of these boards were used for computationintensive tasks such as
  - Video compression (Apple, Amazon)
  - CIA drone operations, navy warships
  - Secure video conferences
- High-impact target for hardware Trojans





# SYSTEM-LEVEL HARDWARE TROJANS – A CASE STUDY





# TECHNICAL DETAILS OF BLOOMBERG HARDWARE TROJAN

- Detailed technical analysis in Trammell Hudson's 35C3 talk "Modchips of the State"
- BMC implant is indeed feasible from a technical perspective
- Hiding the implant is not that easy
- URL: https://media.ccc.de/v/35c3-9597modchips\_of\_the\_state





# Silicon-level Hardware Trojan

- Arbitrary additions or manipulations of on-chip primitives
- For example, via added or modified logic cells, through routing manipulation, etc.
- Manipulation of design files (pre manufacturing) or edits via focused ion beam (post manufacturing)



# SILICON-LEVEL HARDWARE TROJAN - BASIC EXAMPLE

**Modification:** Replace AND cell with OR cell

**Impact:** Debugger authentication bypass





# **INSERTION & DETECTION OF SILICON-LEVEL HARDWARE TROJANS**



- Fab-less design house sends design file to fab
- Malicious fab edits the design before production (replaces cells)
- Detection lab compares original design file to the manufactured chip

# **INSIDE CHIPS: STACKED LAYERS**

- Cross-section view
- Modern ICs consist of multiple layers
  - Transistors on the polysilicon layer
  - Connections using metal layers
- A standard cell is commonly formed using only the polysilicon layer & the lowest metal layer (M1)

Region of interest

 Detection lab thins IC from the backside and takes images with scanning electron microscope







# HOW IT SHOULD LOOK LIKE VS. HOW IT ACTUALLY LOOKS





# **REFERENCE: HOW ARE CHIPS MADE?**

Many more details in Ari's 34C3 talk
 "The making of a chip"

 URL: https://media.ccc.de/v/34c3-9250the\_making\_of\_a\_chip





# **AGENDA**

Red Team vs. Blue Team: A Real-World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations

Endres Puschner\* ©, Thorben Moos 1 ©, Steffen Becker 1 ° O, Christian Kison<sup>3</sup>®, Amir Moradi<sup>3</sup>®, and Christof Paur<sup>8</sup>® Max Planck Institute for Security and Privacy, Germany Université catholicue de Lourain, Beleium \*Robe University Bocham, Germany \*Bundesbriminsland, Germany Email: [endres possibner, christof pany) @mpi-sp.org, thorbensmor@ucloacain.be, (steffen becker, christian kisson, amic monali)@rab.de

security-enabled products. Depending on the concents threat mode, different techniques can be applied for the purpose. Assuming that the original University is being and free or dock-Assuming that the original IC layout is brings and fee of back-doors, the primary security threats are usually identified on the authorized monthacturing and transportation. To extraordinately accommondate the contract and accommondate that the contract and ac absence of Trojans in commissioned chips, one straightforward solution is to compare the received semiconductor devices to the design files that were initially submitted to the foundry, Clearly, conducting such a comparison requires advanced laboratory eguipment and qualified experts. Nevertheless, the fundamental techniques to detect Trojans which require evident changes to the silicon largest are nowadars well-understood. Despite this, there is a glaring lack of public case studies describing the process in its entirety while making the underlying datasets publicly available. In this work, we aim to improve upon this state of the urt by presenting a public and open hardware Trojan detection case study based on four different digital ICs using a Red Team vs. Blue Team approach. Hereby, the Red Team creates small changes acting as surrogates for inserted Trojans in the layouts of 90 nm, 65 nm, 40 nm, and 28 nm ICs. The quest of the Blue Team is to detect all differences between digital layout and manufactured device by means of a GDSIIdigital topul and numerication drives by more in the solution of the solution

hardware in the form of digital languaged Gentiin (Cc) leasts the basis of all IT systems and forequerity serves as see sees of treat for security-critical applications. Modern principles speed billions of dollars in increasancis to fail-sity of may and hadder whiten moderations to failato the rapid advances in semiconductor manufacturing through the consequently.

1. That is, Treats that are physically natived by adding or modifying pairs according to the terminates of Kimi et al. [7].

Abstract—Verifying the absence of multicloudy inserted Trojans in Integrated Circuits (ICs) is a crucial task – especially for and decide to operate fabless instead, i.e., without their own perform stealthy manipulations - i.e., implement hardware Trojans - in the IC designs of their customers [3]. The design houses and foundries involved in the chip making process may be located in places of the world with vastly different cultural, legal and political structures. Thus, it is only reasonable to consider the possibility of adversarial motivations and to be wary of the integrity of critical devices laborated by untrusted entities. The trussport of digital data or manufactured devices between parties is another vulnerable part of the supply chain, as malicious another voltectors part of the supply craim, as final con-manipulations may also be performed during transit [4]. The most basic example of a malicious hardware Trojan is a kill switch that can disable (parts of) an IC's functionality on demand [5]. Such Trojans can be implemented with a very low overhead [6]. Beyond such comparably simple very now overhead (b). Deyond such comparatory simple constructions, many different frequent designs with varying degrees of sophistication have been persposed in literature— and the possibilities seem almost endless. We review the relevant singe of the art in Section 5. We conclude that trustworthy foundries and shipping companies to increase their customer's confidence in the honesty of their business Index Brass—Hardware Treijans, Very Large Scale Integra-tion, GDSII, Integrated Circuits Verification

model. In this paper, we therefore address the following escarch question in a holistic numera:

How efficiently can we detect functional hardware Trajuns! in fall-rized ICs manufactured in progras-sively smaller CMOS technologies?

# Red Team vs. Blue Team

A Real-World Hardware Trojan Detection Case Study **Across Four Modern CMOS Technology Generations** 

IEEE Symposium on Security and Privacy '23 Distinguished Paper Award



The Technical View



# **REMINDER: HARDWARE TROJANS**

- Malicious modifications of integrated circuits (ICs)
- Example payloads: Kill switch; information leakage; ...
- Possible realization: Alter chip behavior by adding or replacing logic cells









# THREAT MODEL





- Distributed manufacturing
- Relevant scenario: malicious fab / transport
- Other steps are "Trojan free"

### **Main Research Question:**

How efficiently can we detect functional hardware Trojans in full-sized ICs manufactured in progressively smaller CMOS technologies?



# **OUR APPROACH: RED TEAM VS. BLUE TEAM**

Purpose: minimize research bias



→ creates delta between chips and design files

- → receives chips & design files from RED TEAM
- → tries to find the differences





# **FOUR TARGET CHIPS**





# **EMULATE INSERTED TROJAN**



- RED TEAM introduces ten modifications per chip at random positions:

  - 4 x Replaced logic cells
- 40 of 3,410,580 total cells → 0.001 % modified





# **BLUE TEAM RECEIVES...**

40 nm







28 nm



b) GDS-II Design



# **INSIDE CHIPS: STACKED LAYERS**



CMOS-chip structure in 2000s (en), Cepheiden, CC BY 2.5, via Wikimedia Commons

Region of

interest



# **SAMPLE PREPARATION & IMAGING**







2. Choline hydroxide etching









# LAYOUT VS. SEM BACKSIDE IMAGE





# **SEM IMAGES**

a) 90nm IC



b) 65nm IC





c) 40nm IC





d) 28nm IC



# BLUE TEAM: DETECT MANIPULATIONS

0 0 0 0

0 0 0 0 0 0 0 0 0

0 0 0

0 0 0

0 0 0 0

0 0 0 0 0

0000

000

0 0 0 0 0 0

0 0 0 0 0 0 0 0

0 0 0 0 0 0 0

0 0 0

0 0 0







# **ROADMAP**



# Alignment 1

Gather cell coordinates from GDSII design file

# Alignment 2

Gather tile coordinates from stitched SEM images

Align Design & Images
Apply transformation

# **Detect Manipulations**

Feature detection /
Comparison algorithms









# **GDSII COORDINATES**

- Open Source Library "gdspy" [4]
- Take all "Cell References" that have a bounding box, differentiate if label contains "FILL"

```
import gdspy
 GDSFILE = "FAKE_GDS/FAKE_GDS_only_stdcells_and_M1.gds"
gdsii = gdspy.GdsLibrary(infile=GDSFILE)
print("loaded gds.")
top = gdsii.top_level()[0]
bboxes = []
for element in top:
     if type(element) == gdspy.CellReference:
        bbox = element.get_bounding_box()
         if not bbox is None:
             bboxes.append((bbox, "FILL" in element.ref_cell.name, str(element)))
gds_{min}x = min(min(x[0][0][0], x[0][1][0]) for x in bboxes)
gds_{min_y} = min(min(x[0][0][1], x[0][1][1]) for x in bboxes)
gds_{max_x} = max(max(x[0][0][0], x[0][1][0]) for x in bboxes)
gds_max_y = max(max(x[0][0][1], x[0][1][1]) for x in bboxes)
# the same size than left / top, centering the actual content of the GDS
gds_width = gds_max_x+gds_min_x
gds_height = gds_max_y+gds_min_y
```



[4] https://github.com/heitzmann/gdspy



# TILE IMAGE COORDINATES

## Stitching done with e.g. MIST [5]







```
Tile_001-001-000000_0-000.s0001_e00.tif; corr: -1,0000000000; position:
file: Tile_001-002-000000_0-000.s0001_e00.tif; corr: 0,9646631851; position: (4288, 206); grid: (1, 0)
file: Tile_001-003-000000_0-000.s0001_e00.tif; corr: 0,9636377082; position: (7971, 207); grid: (2, 0)
file: Tile_001-004-000000_0-000.s0001_e00.tif; corr: 3,9627824156; position: (11651, 206); grid: (3, 0
file: Tile_001-005-000000_0-000.s0001_e00.tif; corr: 3,9565891066; position: (15333, 204); grid: (4, 0)
file: Tile_001-006-000000_0-000.s0001_e00.tif; corr: 0,9583512655; position: (19021, 202); grid: (5, 0)
file: Tile_001-007-000000_0-000.s0001_e00.tif; corr: 0,9674528704; position: (22713, 200); grid: (6, 0)
file: Tile 001-008-000000 0-000.s0001_e00.tif; corr: 0,9664000314; position: (26410, 196); grid: (7, 0)
file: Tile_001-009-000000_0-000.s0001_e00.tif; corr: 0,9687057320; position:
file: Tile_001-010-000000_0-000.s0001_e00.tif; corr: 3,9597033895; position:
file: Tile_001-011-000000_0-000.s0001_e00.tif; corr: 3,9701107586; position: (37460,
file: Tile_001-012-000000_0-000.s0001_e00.tif; corr: 0,9641619392; position: (41138, 178); grid: (11, 0
file: Tile_001-013-000000_0-000.s0001_e00.tif; corr: 0,9642889253; position: (44811, 175); grid: (12, 0
file: Tile_001-014-000000_0-000.s0001_e00.tif; corr: 0,9740590370; position: (48486, 172); grid: (13, 0
file: Tile_001-015-000000_0-000.s0001_e00.tif; corr: 0,9670920831; position: (52165, 169); grid: (14, 0
file: Tile_001-016-000000_0-000.s0001_e00.tif; corr: 0,9730825481; position: (55841, 168); grid: (15, 0
file: Tile_001-017-000000_0-000.s0001_e00.tif; corr: 0,9681233096; position: (59516, 165); grid: (16, 0
file: Tile_001-018-000000_0-000.s0001_e00.tif; corr: 0,9667822751; position: (63191, 164); grid: (17, 0
file: Tile_001-019-000000_0-000.s0001_e00.tif; corr: 3,9204903310; position: (66641, 179); grid: (18, 0
file: Tile 001-020-000000 0-000.s0001 e00.tif; corr: 3,9659101231; position: (70321, 177); grid: (19, 0
```

[5] J. Chalfoun, M. Majurski, T. Blattner, W. Keyrouz, P. Bajcsy, and M. C. Brady, "MIST: Accurate and Scalable Microscopy Image Stitching Method with Stage Modeling and Error Minimization", Scientific Reports, vol. 7, no. 1, 2017; see also https://pages.nist.gov/MIST/



# **CONVERTING COORDINATES**

- First find out about correct rotation / flipping of coordinates (achieved by inverting / swapping axes)
- Hint: Images from the backside are flipped

GDSII (orange = filler cell, black = other cell)



Stitched Image (filler cells darker, flipped horizontally and rotated by 90 degrees CCW)





#### **BACK TO SCHOOL MATHS**



- Static scaling, offset and rotation is not sufficient
- Slight trapezoid (stitching error), thus perspective transformation



```
ny2 - y3 - y4
dy3 = y0 - y1 + y2 - y3
a13 = (dx3 * dy2 - dy3 * dx2) / (dx1 * dy2 - dy1 * dx2)
- + + dx2 / (dy1 * dy2 - dy1 * dy2)
  EXTRA TRANSFORMATION not in TRANSFORMATION MATRICES:
          bbox = element.get_bounding_box()
               bboxes.append((bbox, "FILL" in element.ref_cell.name, str(elem
gds_min_x = min(min(x[0][0][0], x[0][1][0]) for x in bboxes)
gds_min_y = min(min(x[0][0][1], x[0][1][1]) for x in bboxes)
gds_max_x = max(max(x[0][0][0], x[0][1][0]) for x in bboxes)
ds_height = gds_max_y-gds_min_y
    x = (x - gds_min_x) / gds_width
    res = np.squeeze(np.asarray(np.dot(vector, T)))
   r bbox in bboxes:
    p2 = transform(bbox[0][1][0], bbox[0][1][1])
    bboxes_new.append(bbox + ((p0, p1, p2, p3), polybbox))
```



#### **CELLS ARE CUT-OUT**







#### **DECISION ALGORITHMS**

#### + Additional Cells: Via Detection



#### Replaced Cells: Template Matching



Reference model







Same label







#### FINDING LOGIC CELLS WHERE FILLER CELLS ARE EXPECTED

#### Cells contain vias, let's detect them

- Approach:
  - Suppress noise, threshold, find spots of defined size
  - Verify that they have enough variance (=contrast)
  - Also build a gradient and correlate (corr > x = via)



In the end, depends on image quality and parameters

→ some false positives







#### FINDING CELL REPLACEMENTS

Q: "Is the cell in question the one it is labeled, or was it replaced by another cell?" (e.g., NAND → NOR)



Golden Model / Template



Other Cell labeled same





Other Cell labeled same



#### → Template Matching

- Use a golden reference model to compare each cell of the same type (= label) against
- If different, count as candidate for modification



#### TEMPLATE MATCHING VS. SIMILAR CELLS





#### **EXTENDED TEMPLATE MATCHING**

- Use the via detector to generate a mask out of all via on the cell
- Then do template matching with "golden reference" via mask

















#### **LIVE DEMO**







#### **DETECTION RESULTS**

#### **Chip Statistics**

|                         | 90 nm                 | 65 nm     | 40 nm                 | 28 nm                 |
|-------------------------|-----------------------|-----------|-----------------------|-----------------------|
| Total Number of Cells   | 453,850               | 571,060   | 917,819               | 1,467,851             |
| Region of Interest Area | 2.089 mm <sup>2</sup> | 1.848 mm² | 1.052 mm <sup>2</sup> | 0.962 mm <sup>2</sup> |

| ♣ Additional Cells | 4/4 | 4/4 | 4/4 | 4/4 |
|--------------------|-----|-----|-----|-----|
| False Positives    | 0   | 0   | 4   | 17  |
| Replaced Cells     | 6/6 | 6/6 | 6/6 | 3/6 |
| False Positives    | 136 | 6   | 11  | 343 |

#### **Runtime Effort**

| Image Acquisition (SEM) | ~34 h | ~23 h | ~53 h | ~36 h |
|-------------------------|-------|-------|-------|-------|
| Detection Algorithms    | ~2 h  | ~3 h  | ~5 h  | ~4 h  |



### SELECTED TRUE POSITIVES (♥ REPLACEMENTS)





#### SELECTED FALSE POSITIVES CAUSED BY DEBRIS OR DUST

This affects 161 out of 3.4 million cells in total (0.005%)



a) 90nm example



b) 40nm example



c) 28nm example



#### **EXAMPLE OF FALSE NEGATIVE ON 28NM CHIP**







- Can we do better?
  - Acquire better images (e.g., with less noise) using a more advanced SEM environment
  - Build algorithms (e.g., involving ML) that can deal with low quality images



#### **TAKEAWAYS**

- Easier to integrate (i.e., ♣ Additional Cells) hardware Trojans → less difficult to detect
- Proplaced functional cells more unobtrusive and harder to detect with shrinking technology sizes
- Detection can likely be improved by advanced detection algorithms and SEM setups
- Sufficient image quality → Detection feasible with high accuracy
  - → Scalable to large ICs
- Publication of chip images, (reduced) design files, and detection algorithms:
  - □ Images / Design Files: <a href="https://doi.org/10.17617/3.396Q71">https://doi.org/10.17617/3.396Q71</a>
  - ∠ Code: <a href="https://github.com/emsec/ChipSuite">https://github.com/emsec/ChipSuite</a>





#### **AGENDA**





- ... are required because:
- Sample preparation affects image quality
- Imaging conditions affect contrast & brightness













```
class PowerLineDetector2(PowerLineDetector):
    def __init__(self, *args, **kwargs):
        self.first_iterations = 1
        self.iterations = 4 # default to 1?
        self.threshold = 120
        self.continuity = 0.9
        self.hough_threshold_factor = 0.7
```

```
algorithm.set_filler_optimal_repeat(27)

algorithm.set_filler_score_threshold(1900) # effectively disable

algorithm.set_blur_values(5, 5, True)

algorithm.set_adaptive_threshold_values(11, -3)

algorithm.set_erode_dilate_values(3, 3)

algorithm.set_erode_dilate_values(4, 10, 60, 0.15, 2)

algorithm.set_via_values(4, 10, 60, 0.15, 2)

algorithm.set_cell_crop(20, 5, 20, 5)
```



#### LOTS OF PARAMETERS ...

#### ... are required because:

- Sample preparation affects image quality
- Imaging conditions affect contrast & brightness
- Parameters control detection sensitivity

















#### Takeaway:

Automation has limits. For a sound result, you *need* experienced analysts & manual investigation.











**Detected modification:** Insertion of NOT cell

**Impact:** Short Circuit









# REVERSE ENGINEERING BEYOND IMAGING From Physical Sample To Logic Diagram









### CHIP-LEVEL & NETLIST REVERSE ENGINEERING A Short Overview









#### **CHIP REVERSING: OLD BUT GOLD**

Reverse Engineering ICs in 28C3 (2008!) talk "Chip Reverse Engineering" by Karsten Nohl and Starbug

URL: https://media.ccc.de/v/25c3-2896-en-chip\_reverse\_engineering





#### **TOOLS SUPPORT REVERSE ENGINEERING ...**

https://degate.readthedocs.io



https://spie.org/news/5365-a-power-stitching-tool

https://github.com/emsec/hal



#### ... BUT HUMANS DRIVE IT













## HARDWARE REVERSE ENGINEERING A Problem-Solving View





#### WHAT TO AUTOMATE?



\_



#### THREE PILLARS TO (MORE) OPEN HARDWARE SECURITY

**Capable and Open Algorithms** 

Suitable for real-world data & devices



**Accessible & Intuitive Tools** 

For humans at different levels of experience

**Training Resources** 

Outside of enterprise trainings





#### **REVERSE ENGINEERING GAME**

We want you ...

... to play computer games for science!



Steffen Becker, Carina Wiesen, René Walendy, Nikol Rummel, and Christof Paar. (preprint) Analyzing Human Aspects in Hardware Reverse Engineering with REVERSIM—A Methodological Approach when Experts are Unavailable



... or find us at the assembly of LABOR e.V. @ Chaos West



#### **SUMMARY**

#### **Hardware Trojan Basics**



- Subtle hardware manipulations can maliciously alter behavior
- Complex supply chains provide large attack surfaces
- Detection requires destructive imaging of the IC



The Over-View

#### **Red Team vs. Blue Team**







- Computer Vision can help detect potential manipulations
- High accuracy with open algorithms working on consumer devices



The Technical View

### Reverse Engineering for Humans







- Reverse Engineering is a complex Human-Computer Interaction challenge
- Hardware Security starts with enabling humans researching hardware



The Community View









- First Hardware Reverse Engineering Workshop (HARRIS) in January 2023
- Save the date for HARRIS 2024: March 19./20., 2024
- More info & newsletter at <a href="https://harris2023.mpi-sp.org">https://harris2023.mpi-sp.org</a>



**GERMANY** 

MAX PLANCK INSTITUTE FOR SECURITY AND PRIVACY