Comparisons with several variants of NAND2 and D flip-flop
standard cells from commercial libraries are summarized in
Table 1. The area of the trigger circuit without the IO device
is similar to that of an X4-strength D flip-flop. Using an IO device
increases the trigger circuit size significantly, but its area is still
similar to that of two standard cells, which means it can
be inserted into empty space in the final design layout. AC power
is the total energy consumed by the circuit when its input
changes; the power numbers are simulated with SPICE on
a netlist that includes extracted parasitics. Standby power is the
power consumed when the inputs are static,
which comes from the leakage currents of the CMOS devices.
After inserting A2, post-layout simulation with extracted
parasitics shows that the extra delay on the victim wires is 1.2 ps
on average, which is only 0.03% of the 4 ns clock period and
well below the range of process variation and noise. In practice, such a delay difference is nearly impossible to measure
unless a high-resolution time-to-digital converter is included
on chip, which is impractical due to its large area and power.
Comparison to digital-only attacks. The smallest previously proposed, digital-only implementation of
a privilege escalation attack [5] requires 25 gates and 80 µm²,
while our analog attack requires as little as one gate for the
same effect. Our attack is also much stealthier, since it
requires dozens of consecutive rare events to trigger, where the other
attack requires only two. We also implement a digital-only,
counter-based attack that aims to mimic A2. The digital version of A2 requires 91 cells and 382 µm², almost two orders of magnitude more than its analog counterpart. These
results demonstrate that analog attacks give attackers the same power and control as existing digital attacks,
while being much more difficult to catch.
We perform all experiments with our fabricated 2.1 mm²
malicious OR1200 processor, shown in Figure 6. Figure 6
also marks the locations of the A2 attacks, with two levels of
zoom to aid in understanding the challenge of identifying
A2 in a sea of non-malicious logic. In fact, A2 occupies less
than 0.08% of the chip's area. Our fabricated chip contains
two sets of attacks: the first set consists of one- and two-stage
triggers baked into the processor that we use to assess
the end-to-end impact of A2. The second set of attacks exist
of the design, so locating the desired signal is trivial. But an
attack inserted at the back-end stage can still be discovered by
SPICE simulation and layout checks, though the chance of this is
extremely low without prior knowledge of the attack. In
contrast, fabrication-time attacks can only be discovered by
post-silicon testing, which is believed to be very expensive
and poorly suited to finding small Trojans. To insert an attack during
chip fabrication, some insight into the design is needed,
which can be extracted from the layout through physical verification
tools and digital simulation, or obtained from a co-conspirator
involved in the design phase.
The next step is to find empty space around the victim
wire and insert the analog trigger circuit. Unused space is
usually filled automatically with filler cells or capacitor cells
by the placement and routing tools. Removing these cells does
not affect functionality or timing.
To insert the attack payload circuit, the reset wire needs
to be cut, as discussed in Section 3.3. It has been shown
that the timing of the reset signal is flexible, so the AND or OR gate
only needs to be placed somewhere close to the reset signal.
Because the added gate can be a minimum-strength cell,
its area is small and finding space for it is trivial.
The last step is to manually route from the trigger
input wires to the analog trigger circuit and then on to the payload
circuit. There is no timing requirement on this path, so
the routing can go around existing wires on the same metal layer
(jogging) or jump over existing wires by moving to another
metal layer (jumping). If long wires on high metal layers are
a concern for the attacker because they are potentially easier to detect,
repeaters (buffers) can be added to break a long wire into
short sections. Furthermore, the attacker
can choose different trigger input wires and/or payload
according to the existing layout of the target design.
In our OR1200 implementation, inserting the attack by following the steps above is trivial, even with the design's 80%
area utilization. Routing techniques including jogging and
jumping are used, but such routing is very common in the output of automatic routing tools, so the information leaked
by such wires is limited.
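The trigger and payload structure described above, as a cycle-level behavioral model: a trigger that accumulates "charge" on each event on the victim wire and leaks it between events, so that it fires only after many closely spaced events (the behavior the comparison with digital-only attacks relies on, and what the counter-based digital mimic of A2 reproduces), and a payload that ORs the trigger output into a privilege flip-flop's reset wire (the cut-reset-wire step above). This is an added example, not the paper's analog circuit, its SPICE netlist or the OR1200 RTL; the gain, leak and threshold constants, the victim-wire traces, and the assumption that the privilege flop's reset state is the privileged one are all constructed for the illustration.

```python
"""Cycle-level model of a charge-accumulating trigger and a reset-wire payload.

Added example: not the paper's analog circuit or SPICE netlist. All constants
below are assumptions chosen for illustration."""

from dataclasses import dataclass


@dataclass
class ChargeTrigger:
    """Trigger whose internal 'charge' rises on each toggle of the victim wire
    and leaks away between toggles, so it only fires when many events arrive
    close together. gain/leak/threshold are assumed values, not the paper's."""
    gain: int = 4         # charge added per toggle of the victim wire
    leak: int = 1         # charge lost every clock cycle
    threshold: int = 60   # charge at which the trigger output goes high
    charge: int = 0
    prev: int = 0         # last sampled value of the victim wire

    def clock(self, victim: int) -> int:
        """Advance one cycle; return the trigger output (1 = fired)."""
        self.charge = max(self.charge - self.leak, 0)
        if victim != self.prev:
            self.charge = min(self.charge + self.gain, self.threshold)
        self.prev = victim
        return 1 if self.charge >= self.threshold else 0


@dataclass
class PrivilegeBit:
    """D flip-flop holding a privilege bit, with synchronous active-high reset.
    Assumption of this model: the reset state (1) is the privileged state, so
    forcing a reset escalates privilege."""
    q: int = 1

    def clock(self, reset: int, d: int) -> int:
        self.q = 1 if reset else d
        return self.q


def victim_trace(n_cycles: int, start: int, period: int) -> list[int]:
    """Constructed victim-wire trace: idle (0) until `start`, then the wire
    flips every `period` cycles."""
    return [0 if c < start else ((c - start) // period + 1) % 2
            for c in range(n_cycles)]


def count_toggles(trace: list[int]) -> int:
    """Number of cycles on which the victim wire changes value."""
    prev, n = 0, 0
    for v in trace:
        n += v != prev
        prev = v
    return n


def simulate(trace: list[int], drop_cycle: int):
    """Run trigger and payload over a victim-wire trace.

    The payload is the OR gate spliced into the privilege flop's reset wire:
    effective reset = original reset OR trigger output. The original reset is
    held low here. At `drop_cycle` the surrounding logic writes 0 (software
    returns to user mode); on every other cycle the flop holds its value.
    Returns (cycle on which the trigger first fired or None, per-cycle bit).
    """
    trig = ChargeTrigger()
    bit = PrivilegeBit()
    fire_cycle = None
    priv = []
    for cycle, v in enumerate(trace):
        t = trig.clock(v)
        if t and fire_cycle is None:
            fire_cycle = cycle
        reset = 0 | t                            # payload: OR into reset wire
        d = 0 if cycle == drop_cycle else bit.q  # hold, except the user-mode write
        priv.append(bit.clock(reset, d))
    return fire_cycle, priv


# Constructed traces: 30 back-to-back events versus 48 events 4 cycles apart.
DENSE_TRACE = victim_trace(40, 10, 1)
SPARSE_TRACE = victim_trace(200, 10, 4)

if __name__ == "__main__":
    for name, trace in (("dense", DENSE_TRACE), ("sparse", SPARSE_TRACE)):
        fired, priv = simulate(trace, drop_cycle=5)
        print(f"{name}: {count_toggles(trace)} events, fired at {fired}, "
              f"privilege bit at end = {priv[-1]}")
```

With these constants the dense trace fires on cycle 29 and the privilege bit, which software had lowered on cycle 5, is back at 1 for the rest of the run; the sparse trace carries more events in total but the charge never climbs past 4, so the trigger never fires. That spacing requirement is the property that makes a two-event digital trigger comparatively easy to hit and this kind of trigger hard to hit by accident or by a test pattern.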
Side-channel information. For the attack to be stealthy
and defeat existing protections, the area, power and timing
overhead of the analog trigger circuit should be minimized.
High-accuracy SPICE simulation is used to characterize the
power and timing overhead of the implemented trigger circuits.
Table 1. Comparison of area and power between our implemented analog trigger circuits and commercial standard cells in 65nm GP CMOS

Function                        Drive strength   Width†   AC power†   Standby power†
NAND2                           X1               1        1           1
NAND2                           X4               3        3.7         4.1
NAND2                           X8               5.75     7.6         8.1
DFF with async reset            X1               6        12.7        2.6
DFF with async reset            X4               7.75     21.8        7.2
DFF with async set and reset    X1               7.5      14.5        3.3
DFF with async set and reset    X4               8.75     23.6        8.1
Trigger w/o IO device           –                8        7.7         2.2
Trigger w/ IO device            –                13.5     0.08        0.08

DFF stands for D flip-flop. † Values normalized to the NAND2 X1 cell.