Hardware Trojan

In general, Trojans try to bypass or disable the security fence of a system: for example, leaking confidential information by radio emission.

Hardware Trojans may be introduced as hidden "Front-doors" that are inserted while designing a computer chip, by using a pre-made application-specific integrated circuit (ASIC) semiconductor intellectual property core (IP Core) that have been purchased from a non-reputable source, or inserted internally by a rogue employee, either acting on their own, or on behalf of rogue special interest groups, or state sponsored spying and espionage.

This is especially the case when purchasing such equipment from non-reputable sources that could have placed hardware Trojans to leak keyboard passwords, or provide remote unauthorized entry.

Resolving doubt about hardware integrity is one way to reduce technology vulnerabilities in the military, finance, energy and political sectors of an economy.

A Trojan is functional if the adversary adds or deletes any transistors or gates to the original chip design.

Because a Trojan can consist of many components, the designer can distribute the parts of a malicious logic on the chip.

The additional logic can occupy the chip wherever it is needed to modify, add, or remove a function.

In some cases, high-effort adversaries in may regenerate the layout so that the placement of the components of the IC is altered.

That is due to the leakage currents generated by the trigger or counter circuit activating the Trojan.

The malicious circuitry could wait for a count down logic an attacker added to the chip, so that the Trojan awakes after a specific time-span.

[5][6] A common Trojan is passive for the most time-span an altered device is in use, but the activation can cause a fatal damage.

If a Trojan is activated the functionality can be changed, the device can be destroyed or disabled, it can leak confidential information or tear down the security and safety.

To detect Trojan hardware which include (crypto) keys which are different, an image diff can be taken to reveal the different structure on the chip.

Where DFT usually coordinates with some external testing mechanism, BIST-enabled chips incorporate custom test-pattern generators.

BIST functionality often exists to perform at-speed (high speed) verification where it is not possible to use scan chains or other low-speed DFT capabilities.

Both methods were originally developed to detect manufacturing errors, but also have the double-edged potential to detect some effects of malicious logic on the chip, or to be exploited by malicious logic to covertly inspect remote state within the chip.

Those signals – that are caused by the electric activity, can be analyzed to gain information about the state and the data which the device processes.