CDR Mike Bilzor
16AUGUST 2010

I Title and Introduction

Using 3D Circuit Integration to Detect Malicious
Inclusions in General Purpose Processors

Proposed Dissertation Statement

Hardware malicious inclusions in microprocessors present an increasing threat to U.S. high-assurance computing systems, particularly those of the Department of Defense, due to vulnerabilities at several stages in the acquisition chain. Existing testing techniques are limited in their ability to detect these maliciously modified integrated circuits.

We propose a novel method,based on the evolution of three-dimensional (3D) integrated circuit fabrication techniques and on execution monitor theory,by which malicious inclusions, including those not detectable by existing means, may be detected and potentially mitigated in the laband in fielded, real time operation.

We propose to develop and implement techniques for detecting and mitigating hardware malicious inclusions by utilizing 3D connections to monitor the control and data flows in an untrusted, target commodity processorfrom atrusted attached processor called the "control plane".

Research Goals

There are a number of potential new security-related applications of circuit-level three dimensional (3D) architecture fabrication methods which provide certain novel capabilities. Our research will focus on developing new techniques for identifying hardware malicious inclusions, specifically those not detectable by existing methods, in general purpose processors. To date, no other work has leveraged the capabilities of 3D architectural techniques to identify malicious inclusions in processor hardware; existing approaches are either destructive, or operate externally, and only during the test phase, not during deployed use.

We will conduct experiments in support of an assessment of the feasibility of the 3D approach to detecting malicious inclusions, specifically commenting on:

  • Which types of malicious inclusion that a 3D system is best, and least, able to detect and mitigate
  • Which types of malicious inclusion that a 3D system can detect and mitigate that a 2D system cannot
  • How to most effectively mitigate the likeliest and most dangerous malicious inclusions using the 3-D analysis approach

II Problem Description

Modern Weapons and High-Assurance Military Systems Rely on Microprocessors

Today's Defense Department relies on advanced microprocessors for its high-assurance needs. Those applications include everything from advanced weaponry, fighter jets, ships, and tanks, to satellites and desktop computers for classified systems. Much attention and resources have been devoted to securing the software that runs these devices and the networks on which they communicate. However, two significant trends make it increasingly important that we also focus on securing the underlying hardware that runs these high-assurance devices. The first is the U.S.'greater reliance on processors produced overseas. The second is the evolution in the complexity of hardware, along with the ease of making malicious changes to it.

Trusting the Supply Chain

Every year, more microprocessors destined for U.S. Department of Defense (DoD) systems are manufactured overseas, and fewer are made inside the U.S. As a result, there is a greater risk of processors being manufactured with malicious inclusions, or "hardware Trojans," which could compromise high-assurance systems. This concern was highlighted in a 2005 report by the Defense Science Board, which noted a continued exodus of high-technology fabrication facilities from the U.S. [1]. Since this report, "more U.S. companies have shifted production overseas, have sold or licensed high-end capabilities to foreign entities, or have exited the business." [2]

One of the Defense Science Board report's key findings reads, "Throughout the past ten years, the need for classifieddevices has been satisfied primarily through the use of governmentowned,government- or contractor-operated or dedicated facilitiessuch as those operated by the NSA and Sandia. The rapid evolution oftechnology has made the NSA facility obsolete or otherwiseinadequate to perform this mission; the cost of continuously keepingit near to the state of the art is regarded as prohibitive. Sandia is notwell suited to supply the variety and volume of DoD special circuits. There is no longer a diverse base of U.S. integrated circuit fabricators capable ofmeeting trusted and classified chip needs." [1]

Moving Fabrication Overseas

Today, most semiconductor design still occurs in the U.S., but some design centers have recently developed in Taiwan and China [7]. In addition, major U.S. corporations are moving more of their front-line fabrication operations overseas for economic reasons:

  • "Pressreports indicate that Intel received up to $1 billion in incentives from theChinese government to build its new front-end fab in Dalian, which isscheduled to begin production in 2010." [8]
  • "Cisco Systems has pronounced that it is a 'Chinese company,' and that virtually all of its products are produced under contract in factories overseas."[2]
  • "Raising even greater alarm in the defense electronics community was the announcement by IBM to transfer its 45-nanometer bulk process integrated circuit (IC) technology to Semiconductor Manufacturing International Corp. (SMIC), which is headquartered in Shanghai, China. There is a concern within the defense community that it is IBM's first step to becoming a 'fab-less' semiconductor company. IBM is the only state-of-the-art IC manufacturer that has a 'trusted' take-or-pay contract with the Defense Department and the National Security Agency at its plant in Vermont. Intel, the other cutting-edge U.S. integrated circuit maker, does not want to do dedicated work for the U.S. government." [2]

The author of [9] notes, "almost all field-programmable gate arrays (FPGAs) are now made at foundries outside the United States, about 80 percent of them in Taiwan. Defense contractors have no good way of guaranteeing that these economical chips haven't been tampered with. Building a kill switch into an FPGA could mean embedding as few as 1,000 transistors within its many hundreds of millions."

In general, the large percentage of U.S. semiconductors manufactured in Taiwan isalso a longer-term concern because of the political uncertainty of future China-Taiwan relations. In the case of political unification, which the U.S. may not be in a position to prevent, China could hypothetically gain access to the manufacture of millions more U.S.-bound processors in relatively short order, exacerbating supply chain concerns.

Processors - More Complex, Designed in Software, Modifiable After Manufacture

The Defense Science Board report observes, "Defense system electronic hardware ... has undergone a radical transformation. Whereas custom circuits, unique to specific applications, were oncewidely used, most information processing today is performed by combinations of memory chips and programmable microchips... Of the two classes of parts, the latter have more intricate designs, which make them difficult to validate (especiallyafter manufacturing) and thus more subject to undetectedcompromise." [1]

Since modern processors are designed in software, the processor design plans become a potential target of attack. John Randall, a semiconductor expert at Zyvex Corp., notes that "any malefactor who can penetrate government security can find out what chips are being ordered by the Defense Department and then target them for sabotage. If they can access the chip designs and add the modifications, then the chips could be manufactured correctly anywhere and still contain the unwanted circuitry. " [9]

In addition to the overseas fabrication threat, malicious design modifications could theoretically occur either outside or inside the United States. According to IEEE Associate Editor Sally Adee, "The Defense Department's assumption that onshore assembly is more secure than offshore reveals a blind spot." Adds Samsung's Victoria Coleman, "Why can't people put something bad into the chips made right here? " [9]

Such undetected logic can be inserted during the design phase, if malicious code is inserted into the design template, or even after a chip has been manufactured. "Chip alteration can even be done after the device has been manufactured and packaged, provided the design data are available, notes Chad Rue, an engineer with FEI ... Skilled circuit editing requires electrical engineering know-how, the blueprints of the chip,and anetching machine (which) shoots a stream of ions at precise areas on the chip, mechanically milling away tiny amounts of material... You can remove material, cut a metal line, and make new connections ...The results can be astonishing: a knowledgeable technician can edit the chip's design just as easily as if he were taking 'an eraser and a pencil to it.' " [9]

The "Kill Switch"

Though reports of actual malicious inclusions are often classified or kept quiet for other reasons, some reports do surface, like this unverified account: "According to a U.S. defense contractor who spoke on condition of anonymity, a 'European chip maker' recently built into its microprocessors a kill switch that could be accessed remotely. French defense contractors have used the chips in military equipment, the contractor told IEEE Spectrum. If in the future the equipment fell into hostile hands, 'the French wanted a way to disable that circuit,' he said." [9]

According to the New York Times, such a "kill switch" may have been used in the 2007 Israeli raid on a suspected Syrian nuclear facility under construction. The Times report cites an unnamed American semiconductor industry executive, claiming direct knowledge of the operation. [52]

Summary

High performance general purpose processors used in Department of Defense high-assurance systems are increasingly being manufactured and assembled overseas. An adversary with sufficient resources could maliciously modify a general purpose processor at several different stages of the acquisition chain, from design and fabrication to assembly and transport. As discussed in the following sections, our current ability to detect and mitigate such malicious modifications in processors is limited, and therefore new methods need to be developed.

III Description of 3D Integration Techniques

General Overview

In the last few years, hardware manufacturers and scientific researchers have been studying methods of connecting silicon-based computational circuits in non-traditional ways. Up until now, integrated circuit manufacturing has been limited to designs that are essentially two-dimensional. Increasing the number of circuits per unit area has required decreasing the size of the features in the circuit. However, techniques for decreasing feature size are approaching their theoretical physical limits. New circuit interconnection methods under development allow two or more computational planes, each of them an essentially 2D structure, to be interconnected, allowing them to form a composite, three-dimensional computing structure.

The most immediate benefits of this technology relate to speed, time, and distance. At current computing speeds, electrons can only move a limited distance in one clock cycle. Admiral Grace Hopper was famous for demonstrating the distance that electromagnetic energy can travel in a nanosecond by showing off pieces of wire ("nanoseconds") just under a foot in length [19]. The farther away an external memory cache sits from the processor, for example, the more clock cycles it will take to conduct a memory transaction between them. In [20], the authors demonstrate reductions in the average wire lengths within a circuit, when implementing it with 3D technology, as compared to traditional 2D technology only.

There are several different technologies under consideration for 3D integration. One promising method involves the creation of "vias", which are direct metal connections, much like ordinary wires. Since they will normally travel through a silicon plane, such they are often referred to as "through-silicon vias", or TSVs [20], which are also informally referred to as "posts".

Other possible 3D connection technologies include so-called "wireless superconnect", "wire bonding,"and "multi-chip modules" [6], as well as connection techniques relying on electrical inductance. A survey of some of the techniques for 3D interconnects under development is presented in [21].

A survey of various 3D fabrication techniques from [21].

Terminology. In describing our approach, we will often use the following terms:

3D interconnect - a connection between one integrated circuit and another integrated circuit, each manufactured separately but attached during a later process. Sometimes we will informally call these "posts", independent of the attachment technique.

3D fabrication technique - any technique, from the above descriptions or otherwise, for joining two or more integrated circuits together at points within their computation circuits (not just along their edges).

3D security (or 3Dsec) - a security-oriented application of the 3D interconnect methods above, involving two integrated circuits: one untrusted target integrated circuit, sometimes referred to as the "computation plane," and one trusted integrated circuit, sometimes called the "control plane," which monitors and/or modifies the behavior of the former.

Malicious Inclusion[1](MI) - an unauthorized modification to an integrated circuit that can cause the circuit's behavior to deviate from its specified functionality. Deviations may include, but are not limited to, unauthorized shutdown or impairment of the circuit, subversion of the circuit's functions to facilitate an attack on its running software, or corruption or compromise (leakage) of data passing through the integrated circuit.

Using 3D Technology for Security

Though a great deal of research has been done on the potential performance benefits of 3D integration, such as connecting an external memory cache, relatively little attention in the industry has been focused on the potential for using 3D technology to enhance security for high assurance users.

The main ideas for using 3D technology in the security context areidentified and outlined in [6]:

By fabricating the control plane with functions that are complementary to (but separate from) the main processor, stacked interconnect offers the potential to add security mechanisms on just a small subset of devices without impacting the overall cost of the main processor. Just to be clear, we are advocating the fabrication of a processor which is always fabricated with connections built in for security (via an optional control plane chip). The difference between the system sold to the cost-sensitive consumer and the one that is sold to the high-assurance customer is only whether a specialized security device is actually stacked on top of the standard IC or not...

A security overlay also provides the freedom to place specific security mechanisms directly above where they are needed ... For a given device type, reconfiguration of the security policy mechanisms can be implemented, thus efficiently supporting different user requirements. An overlay also provides several clear theoretical benefits. As always, it is critical to protect security mechanisms, but in this case they may be much less prone to tampering as they are when they are entangled with the monitored design."

The computation and control planes would be constructed separately (with the interconnect locations specified in the design), then connected later, in a separate process, as in the following diagrams:


Two possible arrangements of the computation and control plane integrated circuits.

Assumptions and Viability

For the purpose of our investigation, we will assume that economically feasible techniques for connecting two or more integrated circuits will continue to develop. The particular method of interconnection that wins industry favor is not relevant to our approach, as long as it meets several criteria:

  • The time it takes for an electrical signal to propagate and stabilize across an interconnect is sufficiently short. For example, in [24], Mysore, et al., perform a detailed analysis of a 3D interconnect system that requires only a single clock buffer, and hence only one cycle of latency, to facilitate 3D monitoring.
  • Heat dissipation technology is sufficient to allow the passthrough of both data and power signals across the interconnects.
  • The number of total interconnects that could be produced to facilitate control-plane monitoring will be sufficient (we will examine the approximate number of required interconnects as part of our research). A simulation in [20] illustrates the practicality of using on the order of 1,000-10,000 through-silicon vias (TSVs), for example.

The viability of many of the physical assumptions underlying the 3D security approach was demonstrated in [24], in which the authors modeled a Pentium 4 computation plane being monitored, using 1,024 3D interconnects, by an XScale ARM processor. The authors used a variety of modeling techniques to demonstrate:

  • An increase to the (computation plane) commodity processor of only .021mm2 in area and 1.4% in power, as a result of adding the 3D connection points.
  • An increase in power to drive data across the interconnects, with the monitoring plane attached, of 23%, with the potential for reducing that to around 8%.
  • 3D hardware monitoring can be performed with significantly less power and shorter wires, compared to a comparable 2D monitoring scheme, because the monitoring plane can be placed much closer. In the simulation, the 3D approach consumes half the increased power compared to the 2D approach, and a twentieth of the increase in the area imposed on the computation plane.
  • Even using the worst case thermal assumptions, tiling eight analysis chips on top of the computation chip only led to a temperature increase of about 2.5C.

Relationship of 3D to Other Monitoring Approaches

Why not implement the monitoring logic right in the computation chip itself?

We are operating under the assumption that the commodity computation chip may befrom an untrusted source, and anyone with sufficient access to modify the processor could also modify the monitoring logic. By adding the monitoring logic separately, via 3D integration, the monitoring logic can come from a more trusted source, be reconfigurable, and be isolated from threats to the computation plane during most of the development cycle.

Why not put the monitoring logic in a coprocessor?

A security coprocessor could use some of the same techniques we will explore, but is limited by the bandwidth and fidelity of the target processor's main connection to the printed circuit board. The 3D approach permits finer-grained access to the key architectural nodes within the target processor. Also, the 3D approach has the potential for performing the same security functions with shorter wires and lower power requirements [24].