“The Die is Cast”
Communications of the ACM, January 2021, Vol. 64 No. 1, Pages 56-60
By Edlyn V. Levine
In 2011, a fictitious company was created by the U.S. Government Accountability Office (GAO) to gain access to vendors of military-grade integrated circuits (ICs) used in weapons systems. Upon successfully joining online vendor platforms, the GAO requested quotes for bogus part numbers not associated with any authentic electronics components. No fewer than 40 offers returned from vendors in China to supply the bogus chips, and the GAO successfully obtained bogus parts from a handful of these vendors. The ramifications of the GAO findings are stark: The assumption of trusted hardware is inappropriate to invoke for cybersecure systems.
Injection of counterfeit electronics into the market is only a subset of vulnerabilities that exist in the global IC supply chain. Other types of attacks include trojans built into the circuitry, piracy of intellectual property, and reverse engineering. Modern ICs are exceptionally complex devices, consisting of upward of billions of transistors, miles of micron-scale interconnecting wires, advanced packaging configurations, and multisystem integration into chips sized on the order of a U.S. quarter. These ICs are designed, manufactured, and assembled by an equivalently complicated, globally distributed supply chain. A semiconductor company can have more than 16,000 suppliers spread around the world. While globalization has drastically reduced industry costs by tapping inexpensive labor markets and economies of scale, it has simultaneously opened many windows of opportunity for attackers to maliciously modify hardware without the knowledge of original device manufacturers (ODMs) or their customers.
The tenet that “trust starts in silicon” underscores hardware as the root of security upon which software protections are implemented. Secure systems cannot be architected on a foundation of compromised hardware. Unlike software, there is no patch update that can fix a malicious hardware insertion short of replacing the device. Securing hardware is a multifaceted problem consisting of shoring up the manufacturing chain, developing robust means to detect malicious insertions, and designing systems to be secure against the inevitability of hardware compromise.
Innovative research efforts, spanning DARPA’s TRUST (Trusted Integrated Circuits) program to its LADS (Leveraging the Analog Domain for Security) program, emphasize the increasing spotlight on hardware security, as do high-profile reports ranging from the Defense Science Board to the President’s Council of Advisors on Science and Technology. Modern economies and critical systems depend on IC technologies, making the ramifications of hardware attacks increasingly dire.
Sidebar: From Specs and Sand to Semiconductors: How ICs Are Made
Break open your laptop and you will find on the order of 100 to 1,000 ICs. These range from the CPU to microprocessors to memory. Each of these circuits has crossed the globe multiple times, moving among geographically distributed supply-chain vendors during their evolution from an initial specification to final assembly as a component in the machine sitting in your home or office. IC manufacturing can be broken into three primary stages—design, fabrication, and assembly and testing—each of which presents opportunities for hardware to be altered or assembled systems to be compromised.
Specifications and Design
Designing a new IC begins once the desired specifications for the chip are established. The specs determine the required performance of a chip for a targeted environment, including function, power, size, and timing. Semiconductor design is typically undertaken by teams of engineers who translate the IC specification into a register transfer level (RTL) description of the circuit in an HDL (hardware description language) such as VHDL (Very High-speed Integrated Circuit HDL) or Verilog. The RTL description is synthesized into a gate-level netlist using the logic gates and components from the desired technology library. The netlist is then converted to the transistor level with a fully placed and routed physical layout (shown in a GDSII file, the standard format used to represent the layout) using electronic design automation (EDA) software, thereby completing the circuit description.
Design is undertaken by both IDMs (integrated device manufacturers) that own fabrication facilities and fabless semiconductor companies that outsource semiconductor manufacturing. Throughout the design process, engineers incorporate IP from external vendors. The third-party IP companies develop and license circuit blocks, called IP cores, that are integrated into the overall design of a new chip. IP cores can take the form of synthesizable RTL or of a GDSII representation of the fully placed and routed core design. Leading IP vendors can have their IP cores included in tens of billions of chips manufactured each year.
Fabrication
Completed GDSII files are sent to a semiconductor fabrication facility, called a foundry, for manufacturing. Foundries are either owned and operated by IDMs or exist as stand-alone fabrication companies contracted by fabless semiconductor companies. GDSII files are converted by the foundry or a third party into mask sets that are used for patterning the physical circuit layout into layers in a silicon wafer during photolithography.
The full fabrication process includes multiple steps of material deposition, etching, and patterning, along with the processes of ion implantation and annealing that fine-tune electrical properties of the integrated elements. Once the transistor level has been fabricated, patterned metal wires are deposited to link transistor elements. The geometrical configuration of these interconnections is optimized for the functional specification of the chip, with complex ICs having upward of 20 metal layers. A completed fabricated wafer is tested and cut into individual silicon chips (dies) that are shipped for assembly and further testing.
Assembly, Testing, and Distribution
The packaging of individual silicon dies creates a protective interface between the die and the external environment. Package integration incorporates the silicon die with package wiring, substrates, heat spreaders, and ground planes, thereby creating the required electrical, mechanical, and thermal environment for the chip to interface properly with an external system. The packaged ICs are tested, binned according to performance, and distributed to electronics assembly plants that incorporate the ICs into end-user products.
About the Author:
Edlyn V. Levine is Chief Engineer of MITRE Engenuity and a research associate in the Department of Physics at Harvard University. She is internationally recognized for her contributions in information technology as an AFCEA 40-under-40 award winner.