Side-Channel Trojan Insertion -- a Practical Foundry-Side Attack via ECO
Tiago Perez, Malik Imran, Pablo Vaz, Samuel Pagliarini

TL;DR
This paper demonstrates a practical method for inserting a side-channel hardware trojan into an integrated circuit during the engineering change order (ECO) flow, showing how exposed outsourced IC fabrication is to a rogue element inside the foundry.
Contribution
It introduces a novel framework for ECO-based trojan insertion, highlighting how easily malicious modifications can be made by foundry insiders.
Findings
The trojan can leak multiple secret bits per power-signature reading
The ECO flow lets a trojan be inserted into the layout with little effort
A foundry-side attack is feasible with the tooling a foundry already has today
Abstract
Design companies often outsource their integrated circuit (IC) fabrication to third parties where ICs are susceptible to malicious acts such as the insertion of a side-channel hardware trojan horse (SCT). In this paper, we present a framework for designing and inserting an SCT based on an engineering change order (ECO) flow, which makes it the first to disclose how effortlessly a trojan can be inserted into an IC. The trojan is designed with the goal of leaking multiple bits per power signature reading. Our findings and results show that a rogue element within a foundry has, today, all means necessary for performing a foundry-side attack via ECO.
