
DARPA Sponsors a Hunt For Malware In Microchips

Phurge links to an IEEE Spectrum story on an interesting DARPA project with some scary implications about just what it is we don't know about what chips are doing under the surface. It's a difficult problem to find invasive or otherwise malicious capabilities built into a CPU; this project's goal is to see whether vendors can find such hardware-level spyware in chips like those used in military hardware. Phurge excerpts: "Recognizing this enormous vulnerability, the DOD recently launched its most ambitious program yet to verify the integrity of the electronics that will underpin future additions to its arsenal. ... In January, the Trust program started its prequalifying rounds by sending to three contractors four identical versions of a chip that contained unspecified malicious circuitry. The teams have until the end of this month to ferret out as many of the devious insertions as they can."

  • by HW_Hack ( 1031622 ) on Thursday May 01, 2008 @09:46AM (#23262552)
    This issue is a main element in Richard Clarke's latest book - Breakpoint. Clarke is the terrorist guru from the late '90s in the Clinton administration ... and the guy the Bush administration chose to ignore. Bottom line is if you let your key silicon + hardware be exclusively built in foreign countries (i.e. China) you're at risk of hardware level "back doors". Published in '06 - Clarke again signals a warning for the US .....
  • by stevew ( 4845 ) on Thursday May 01, 2008 @09:54AM (#23262628) Journal
    I find this interesting.

    I deal with foreign fab houses on every project. The odd thing is that most of the backend software used by these fab houses is sold by American companies (much of which is written in India).

    There is a step in the process where a point tool (one not written by the fab house - but again an American company) is used to re-extract the design out from the polygons that describe the silicon to be fabbed. This is compared to the source gate level design I originally supplied using formal verification methods. This is done by me.

    So I suppose someone could surreptitiously change the gates I'm getting back to hide what is being inserted in there (not an easy thing to do all by itself at this level). There are places where it could be done in the process.

    At the same time - to add additional logic to a design you are not well versed in is REALLY difficult.
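An added example, not part of stevew's post or any vendor tool: a toy version of the comparison described in the comment above, where a netlist re-extracted from layout is checked against the source gate-level design. Exhaustive simulation stands in for the SAT- or BDD-based equivalence checking real tools use, and every netlist, net name and the altered gate here is constructed for illustration.

```python
from itertools import product

GATES = {
    "AND": lambda a, b: a & b,
    "OR": lambda a, b: a | b,
    "XOR": lambda a, b: a ^ b,
}
INPUTS, OUTPUTS = ("a", "b", "cin"), ("sum", "cout")

# Source gate-level design (constructed): a 1-bit full adder.
GOLDEN = {
    "x1": ("XOR", ("a", "b")), "sum": ("XOR", ("x1", "cin")),
    "c1": ("AND", ("a", "b")), "c2": ("AND", ("x1", "cin")),
    "cout": ("OR", ("c1", "c2")),
}
# Re-extracted netlist (constructed): different gates, same function.
EXTRACTED_OK = {
    "x1": ("XOR", ("a", "b")), "sum": ("XOR", ("x1", "cin")),
    "ab": ("AND", ("a", "b")), "ac": ("AND", ("a", "cin")),
    "bc": ("AND", ("b", "cin")), "o1": ("OR", ("ab", "ac")),
    "cout": ("OR", ("o1", "bc")),
}
# Re-extracted netlist (constructed) with one extra gate on the sum path.
EXTRACTED_ALTERED = {
    "x1": ("XOR", ("a", "b")), "s_raw": ("XOR", ("x1", "cin")),
    "c1": ("AND", ("a", "b")), "t": ("AND", ("c1", "cin")),
    "sum": ("XOR", ("s_raw", "t")), "c2": ("AND", ("x1", "cin")),
    "cout": ("OR", ("c1", "c2")),
}

def simulate(netlist, inputs, outputs, vector):
    """Evaluate a combinational netlist whose gates are in topological order."""
    nets = dict(zip(inputs, vector))
    for net, (gate, srcs) in netlist.items():
        nets[net] = GATES[gate](*(nets[s] for s in srcs))
    return tuple(nets[o] for o in outputs)

def find_mismatches(golden, extracted, inputs, outputs):
    """Return every input vector on which the two netlists disagree."""
    return [v for v in product((0, 1), repeat=len(inputs))
            if simulate(golden, inputs, outputs, v)
            != simulate(extracted, inputs, outputs, v)]

if __name__ == "__main__":
    for name, nl in (("ok", EXTRACTED_OK), ("altered", EXTRACTED_ALTERED)):
        print(name, find_mismatches(GOLDEN, nl, INPUTS, OUTPUTS))
```

The structurally different netlist passes, while the altered one differs on a single input vector out of eight, which is why the comparison has to cover the whole input space rather than a sample of test vectors.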
  • Re:All about China (Score:3, Informative)

    by quanticle ( 843097 ) on Thursday May 01, 2008 @10:21AM (#23262900) Homepage

    The thing with embargoes is that they work both ways. Currently, China is so dependent on the US consumer market to absorb its production that an embargo would hurt them as much as it hurts us.

    The other thing is that, despite what you've been hearing, China is not the be-all-end-all for electronics. Korea still holds the crown for manufacturing memory, Taiwan is still the leader for TFT LCDs, Israel is still manufacturing networking equipment, etc. If China embargoes the US, these other countries will ramp up production and diversify their offerings to meet the redirected demand from the US market.

    On the other hand, China's only large customer is the US. If they slap an embargo on the US, the US can go to other suppliers, whereas China has few other customers rich enough to buy the massive quantities of goods they are producing.

    The Chinese know that, at least in the near future, an embargo will hurt them at least as much as it hurts us. This is why they've been actively growing their trade surplus vis a vis the US. Having a massive amount of dollar reserves gives them the option of manipulating our currency (and, by proxy, our economy) without resorting to something as blunt as an embargo.

  • by smellsofbikes ( 890263 ) on Thursday May 01, 2008 @10:49AM (#23263232) Journal
    I've written about this before. It's all about the design of the IC -- they're tightly integrated designs. The designer works with a design team, who reviews the layout, and sends it off to get fabricated. If what comes back isn't exactly the same as what went out it's going to be *completely* obvious. First off, the most important thing is how large the die is. Nobody can change that without everything downstream breaking -- your wafersort test hardware won't match up with the die (and wafersort is done by test engineers working with the designer, so is done where the designer works). So you can't make a larger die to put extra malicious circuitry in. Secondly, every bit of the die space you have is used. There's never unused silicon because that's wasted money. People will completely relayout a design from a square to a rectangle if that means they can get 10 more chips off a wafer. So you can't sneak malicious circuitry into an existing design.
    And, for that matter, a designer or even an applications engineer can tell, at a glance, if the silicon that came back from the fab is the same as their design. Some of our applications engineers can tell, without a microscope, what another manufacturer's raw silicon does, just by looking at it. (Not everything, obviously, but they can say "this part is logic, this part is a big power FET, there's a bunch of ESD stuff over here...")
    Bottom line: if you have to trust the design, you need to have your designer and your design review team where you can see them. The fabs don't really matter that much.
  • by MobyDisk ( 75490 ) on Thursday May 01, 2008 @12:04PM (#23264334) Homepage
    I respectfully disagree.

    > First off, the most important thing is how large the die is.
    Obviously they would not change the die size. If the military orders .25mm bolts and gets .45mm bolts that don't fit, they don't need a security audit to figure that out.

    > Secondly, every bit of the die space you have is used.
    There's lots of ways to make space. De-optimize some areas: Remove the carry lookahead logic, shrink the cache. Remove some of the full-complementary logic. Replace fast structures with smaller sub-optimal things like transmission-gate XORs. If the chip has duplicate cache to compensate for manufacturing yields, that would provide TONS of space.

    > Some of our applications engineers can tell, without a microscope, what another manufacturer's raw silicon does, just by looking at it.
    Other than removing a large part of the cache, none of the things I mentioned above would be noticeable to the human eye. One could probably reduce the cache a tiny tiny bit and still have room for whatever extra logic is needed.

    How many layers of metal are we up to now? If I rewired a chip and left all the transistors in place but changed the metal, would anyone be able to tell? Can you even look down to that 7th layer of metal sandwiched underneath all the transistors to even tell that it was changed? It would be tough, but the chip could be rewired without moving any of the visible surface structures.

    But the biggest area of concern would be the microcode. It would be nearly impossible to see the differences and a whole lot of changes could be done without anyone noticing.

    IMHO, it would be really really really hard to do any of the things I listed above. But, I think it would be completely impossible to detect.
