Jennifer Dworak Southern Methodist University Al Crouch ASSET InterTech Presented at the 2011 Board Test Workshop, October 25-27, 2011.


Overview
- Security needs to be considered in the design and test of 3D ICs
- Security is already a significant concern for 2D
  - Trojans and counterfeits
  - Measures exist to expose both
- Security and trust are much more complex in 3D
  - Lack of access to each die
  - Complexity of developing functional tests
  - Individual die are hidden between other die
  - Vertical routes are more difficult to “virtually probe” for illicit connections

Types of Counterfeits in 2D
- Reverse engineer, design, and manufacture chips to be functionally similar to the original
- Salvage old chips from boards and sell them as new chips
- Re-label low-performing die as high-performing
- Sell defective parts as working chips

Impact of Counterfeits
- Less reliable than valid die
- Harms the reputation of the real chip provider
- Denies revenue to the original chip provider
- Increases support costs: the counterfeit die may require support or may be returned
- May contain malicious functionality

Selected Counterfeit Incidents
- Between 2007 and 2010, over 5.6 million counterfeit semiconductor devices were seized by Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE)
- In 2009, a NASA probe project was delayed nine months and went 20% over budget due partly to counterfeit parts
- An entire NEC product line was counterfeited across multiple factories in China and Taiwan
- A company called VisionTech imported more than 3200 identified or suspected shipments of counterfeit microelectronics into the U.S.
  - Sold to the military for use in missile targeting systems and identification friend-or-foe systems, among others
  - Thousands of parts may still be in the supply chain

VisionTech’s Cost to Companies

Company                    Cost
AMD                        $34.9K
Altera                     $7.6K
Analog Devices             $75.6K
Cypress Semiconductor      $33.4K
Freescale                  $40K
Infineon Technologies      $10K
Intel                      $100.9K
Intersil                   $1.9K
Linear Technology          $32K
Maxim                      $1.6K
Mitel                      $2.6K
National Semiconductor     $5.9K
NEC                        $24.8K
Peregrine Semiconductor    $2.6K
Phillips Electronics       $1.6K
Renesas                    $2.4K
Samsung Elect. America     $77.2K
STMicroelectronics         $18.6K
Texas Instruments          $92.9K
Toshiba                    $2.4K
Xilinx                     $22.2K
Total                      $591.4K

Detecting/Avoiding Counterfeits
- Buying from authorized suppliers
- Inspection of packaging
- Incoming test
- Device authentication (e.g. with a die ID and a trusted database)
- Reporting suspected or discovered counterfeit incidents to an anti-counterfeiting clearinghouse

Hardware Trojans
- Malicious changes to a design intentionally inserted by an attacker
- May be inserted at any stage of the design and manufacturing process: specification, RTL, manufacturing, supply chain
  - Most attention has focused on manufacturing
- Inserted with the intention of being stealthy
- Two components:
  - Trigger
  - Payload

2D Circuit with Combinational Trojan
[Figure: a small 2D circuit with a Trojan trigger gated on inputs B and C and a payload inserted on the functional path]
- Trigger should be stealthy
  - B=0, C=0 should be rare during functional operation
  - B=0, C=0 should not be targeted during structural test
- Payload should affect something of functional importance to the attacker
  - Leak data
  - Cause errors
  - Reduce performance
  - Destroy the chip

Sequential 2D Trojan
[Figure: a counter driven by the trigger selects, through a 0/1 multiplexer in front of the “data to broadcast” output, between the encryption circuit’s ciphertext (computed from key and plaintext) and the key itself, so that once the counter fires the key is broadcast instead of the ciphertext]

How can we detect Trojans inserted at manufacturing?
- Logic testing is generally ineffective
  - Too hard to activate
- Side channels are affected even by inactive Trojans
  - Delay
  - Power
  - Obtain “fingerprints” of chips verified as Trojan-free
  - Process variations make comparison difficult
  - The difference between Trojan and non-Trojan circuits is very small
  - Only works if the Trojan is inserted at mask
[Figure: delay fingerprint plotted against chip ID, with good and bad chips marked]
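The trigger-rarity argument on this and the preceding two slides (a combinational trigger such as B=0, C=0, and the claim that logic testing is ineffective because the Trojan is too hard to activate) can be made quantitative. The Python below is an added example written for this transcript, not code from the presenters; the three-input circuit, its trigger predicate and the 32-bit trigger width used for comparison are constructed assumptions.

```python
import itertools
import math
import random


def genuine_logic(a: int, b: int, c: int) -> int:
    """Constructed three-input block standing in for the 2D circuit (majority function)."""
    return (a & b) | (b & c) | (a & c)


def trojaned_logic(a: int, b: int, c: int) -> int:
    """Same block with the slide's combinational Trojan: trigger B=0, C=0; payload flips the output."""
    trigger = (b == 0) and (c == 0)
    payload = 1 if trigger else 0      # an "error" payload: invert the functional output
    return genuine_logic(a, b, c) ^ payload


def activation_fraction(num_inputs: int, trigger) -> float:
    """Exact share of all input vectors satisfying a trigger predicate (exhaustive; small circuits only)."""
    hits = sum(1 for bits in itertools.product((0, 1), repeat=num_inputs) if trigger(*bits))
    return hits / 2 ** num_inputs


def vectors_needed(p_activate: float, confidence: float) -> int:
    """Random vectors needed so that P(trigger fires at least once) >= confidence.

    Each vector misses the trigger with probability (1 - p); n independent misses
    have probability (1 - p)^n, so n >= ln(1 - confidence) / ln(1 - p).
    """
    if not 0.0 < p_activate < 1.0:
        raise ValueError("activation probability must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_activate))


def random_test_finds_trojan(num_vectors: int, seed: int = 1) -> bool:
    """Apply random functional vectors and compare against the golden model, as logic testing does."""
    rng = random.Random(seed)
    for _ in range(num_vectors):
        a, b, c = rng.randint(0, 1), rng.randint(0, 1), rng.randint(0, 1)
        if genuine_logic(a, b, c) != trojaned_logic(a, b, c):
            return True
    return False


if __name__ == "__main__":
    p_slide = activation_fraction(3, lambda a, b, c: b == 0 and c == 0)
    print(f"slide trigger (B=0, C=0): fires on {p_slide:.0%} of vectors, "
          f"{vectors_needed(p_slide, 0.99)} random vectors for 99% detection")
    # A trigger comparing a full 32-bit value (assumed width) fires on one vector in 2**32.
    print(f"32-bit trigger: {vectors_needed(2 ** -32, 0.99):.3e} random vectors for 99% detection")
    print("random test of 200 vectors finds the slide Trojan:", random_test_finds_trojan(200))
```

The two-bit trigger on the slide fires on a quarter of all vectors and is caught by a few dozen random vectors; a trigger that compares a 32-bit word needs about 2 × 10^10 random vectors for 99% confidence, which is the sense in which logic testing is “too hard to activate”, and structural ATPG that never targets the trigger condition does no better.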

Real Life Trojans….
- On September 6, 2007, the Israeli Air Force carried out an airstrike on a Syrian nuclear reactor in Operation Orchard. A hidden back door in microprocessors used in radar may have allowed them to be disabled remotely. [Figure: before and after images of the site]
- French microprocessors used in military applications have remote “kill switches” to allow them to be disabled.
- During the Cold War, secret cameras were inserted inside Xerox 914 copy machines in the Soviet embassy to record copied documents.

So what changes in 3D?

Where can Trojans and Counterfeits be inserted?
[Figure: stages of the flow at which insertion is possible: Spec, Design, Manufacturing, Supply Chain, 3rd Party Assembler]

Die Access and Observability
So what does this mean for security?
- Die in 3D ICs are less observable
  - An entire board in a package
  - Access to all die comes only through the base die
  - Can’t visually inspect die once assembled
  - Can’t remove and analyze die once assembled
- Overall variability is likely to increase
- It’s easier to hide things and harder to find them!!

Potential 3D Security Issues

Issue 1: 2D Trojan in a Die
Potential actions:
- Data collection and transmission (e.g. encryption codes)
- Denial of service or early reliability failures (such as generating a high-temperature spot)
- Chip/die destruction (e.g. on-demand kill switch)

Detecting a 2D Trojan in a 3D Stack
- Variations increase in 3D
- Relative size of the Trojan effect is minuscule
- May need to shut off power to all but one die
- Need the ability to obtain accurate delay measurements to flops and TSVs
- Verify design and 3rd-party IP at RTL
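The delay-fingerprint approach described under “How can we detect Trojans inserted at manufacturing?” and this slide’s point that wider variation in 3D shrinks the relative size of the Trojan effect can both be seen in a small statistical check. The Python below is an added example for this transcript, not the presenters’ code; the golden delay values, the three paths and the 3-sigma threshold are constructed assumptions.

```python
import statistics

# Constructed golden fingerprints: delay in ps on three critical paths, measured on
# five chips verified Trojan-free. Real fingerprints cover many more paths and parts.
GOLDEN_DELAYS_PS = [
    [100, 200, 300],
    [102, 198, 303],
    [98, 202, 297],
    [101, 199, 301],
    [99, 201, 299],
]


def build_fingerprint(golden):
    """Per-path (mean, population std-dev) of the trusted population."""
    return [(statistics.mean(p), statistics.pstdev(p)) for p in zip(*golden)]


def scale_variation(fingerprint, factor):
    """Model a process with wider variation (e.g. a 3D stack) by scaling each path's std-dev."""
    return [(mean, std * factor) for mean, std in fingerprint]


def fingerprint_check(fingerprint, measured, z_threshold=3.0):
    """Indexes of paths whose measured delay lies z_threshold sigmas or more above the golden mean.

    Only slow-downs are flagged: a Trojan's extra gates load the nets they tap and add delay.
    """
    flagged = []
    for idx, ((mean, std), value) in enumerate(zip(fingerprint, measured)):
        if std == 0.0:
            continue   # no spread in the golden data for this path; it cannot be scored
        if (value - mean) / std >= z_threshold:
            flagged.append(idx)
    return flagged


def min_detectable_delta_ps(fingerprint, z_threshold=3.0):
    """Smallest added delay per path the check can flag; it grows linearly with process variation."""
    return [z_threshold * std for _, std in fingerprint]


if __name__ == "__main__":
    fp = build_fingerprint(GOLDEN_DELAYS_PS)
    print("detectable delta per path (ps):", [round(d, 2) for d in min_detectable_delta_ps(fp)])
    print("Trojan adding +1 ps on path 0:", fingerprint_check(fp, [101, 200, 300]))   # lost in variation
    print("Trojan adding +6 ps on path 0:", fingerprint_check(fp, [106, 200, 300]))   # flagged
    print("same +6 ps with 2x variation:", fingerprint_check(scale_variation(fp, 2.0), [106, 200, 300]))
```

With the constructed 2D spread, a 6 ps slow-down on path 0 is 4.2 sigma and gets flagged; doubling the spread, as a 3D stack with more variation might, drops the same Trojan to 2.1 sigma and it passes. That is why the slide asks for accurate per-die delay measurement and powering down the other die: the fingerprint only works when the measurement noise is small compared with the Trojan’s load.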

Issue 2: Counterfeit Die or Interposer
- Same as 2D:
  - Less reliable and may contain Trojans
  - Buy from trusted sources and perform incoming test
  - Authenticate the on-die device ID with a trusted database
- New problems:
  - Poor copying of packages no longer helps with detection
  - Need to access the device ID securely through the stack
  - Can no longer replace by desoldering from the board
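The device-authentication measure listed under “Detecting/Avoiding Counterfeits” and repeated here (authenticate the on-die device ID with a trusted database) has to be more than an ID lookup, because a relabeled or cloned part can copy a readable ID. The Python below is an added example for this transcript, not the presenters’ or any vendor’s code; it assumes each genuine die holds a per-die secret provisioned at test alongside its ID and that the provider’s database holds the same secret. The die IDs and secrets are constructed.

```python
import hashlib
import hmac
import secrets


def expected_response(secret: bytes, die_id: str, nonce: bytes) -> bytes:
    """HMAC-SHA256 over the die ID and a fresh nonce; only a holder of the per-die secret can produce it."""
    return hmac.new(secret, die_id.encode("ascii") + nonce, hashlib.sha256).digest()


class TrustedRegistry:
    """Stand-in for the chip provider's trusted database: die ID -> per-die secret."""

    def __init__(self):
        self._secrets = {}
        self._seen = set()      # die IDs already authenticated in the current incoming lot

    def enroll(self, die_id: str, secret: bytes) -> None:
        if die_id in self._secrets:
            raise ValueError(f"duplicate enrollment of {die_id}")
        self._secrets[die_id] = secret

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, die_id: str, nonce: bytes, response: bytes) -> str:
        """Return 'ok', 'unknown_id', 'bad_response' or 'duplicate_id'."""
        key = self._secrets.get(die_id)
        if key is None:
            return "unknown_id"                      # ID never issued by the provider
        if not hmac.compare_digest(expected_response(key, die_id, nonce), response):
            return "bad_response"                    # ID copied but secret unknown: relabel or clone
        if die_id in self._seen:
            return "duplicate_id"                    # same genuine ID seen twice in one lot
        self._seen.add(die_id)
        return "ok"


class Die:
    """Constructed model of a part answering the challenge with whatever secret it holds."""

    def __init__(self, die_id: str, secret: bytes):
        self.die_id = die_id
        self._secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return expected_response(self._secret, self.die_id, nonce)


def incoming_test(registry: TrustedRegistry, die: Die) -> str:
    """One authentication step of incoming test: challenge the part and check the answer."""
    nonce = registry.challenge()
    return registry.verify(die.die_id, nonce, die.respond(nonce))


def demo() -> list:
    """Walk a constructed lot through incoming test and return the verdicts in order."""
    registry = TrustedRegistry()
    genuine_secret = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed value
    registry.enroll("DIE-0001", genuine_secret)
    lot = [
        Die("DIE-0001", genuine_secret),              # genuine part
        Die("DIE-0001", bytes.fromhex("00" * 16)),    # relabeled part that copied the ID only
        Die("DIE-9999", genuine_secret),              # ID the provider never issued
        Die("DIE-0001", genuine_secret),              # second part with the same genuine ID
    ]
    return [incoming_test(registry, die) for die in lot]


if __name__ == "__main__":
    print(demo())
```

The duplicate-ID verdict only catches a cloned secret or a salvaged part re-entering the flow when both copies pass through the same registry, and the scheme assumes the secret never leaves the die. Reaching the die to run the challenge at all is the new 3D problem this slide names: the readout has to travel securely through the base die.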

Issue 3: Extra Die in Stack
[Figure: the original die stack beside a stack with extra die added: an RF TX die on top, and an extra memory and controller die reached through out-of-band TSVs]
- An extra die in the stack can cause complex Trojans
- If TSV information is standardized or published, that information can be used by a Trojan designer to access the desired data
- An RF antenna could be added with an extra die on top of the stack and broadcast the data on the bus
- An extra memory and controller die can save selected data for later extraction

Detecting Extra Die in Stack
- Depends on where in the stack the extra die are located; the top of the stack is harder
- Strategies:
  - Voltage drop
  - Temperature profile
  - Side channel analysis (power and delay)
  - X-rays or other imaging approaches
[Figure: stack with an extra processor die]
- An extra processor die can drive the data bus with opposite values when triggered, shorting power and ground

Issue 4: Evil FPGAs in Stack
- FPGAs are likely to be included for valid reasons:
  - Replace ASICs
  - Built-in self repair
  - Test other parts of the stack
- Security concerns:
  - Firmware corruption
  - Extra FPGA in the stack
  - A Trojan can be inserted in the field
  - Hot spot on the FPGA die created by significant switching when the Trojan die is triggered
  - Very complex Trojans are possible

Issue 5: Trojan Interposers
[Figure: upper die and lower die joined by a silicon interposer, beside the same stack with Trojan logic inside the interposer]
- Silicon interposers may be needed to align TSVs on adjacent die, including TSVs for power and ground
- Trojan logic in the interposer (or in one of the die in the stack) could be used to shut off power or data to all upper die
  - In 2D, this is like shutting off power or data to most of the chips on the board!!!
- If the Trojan is in an interposer, it would not be visible to JTAG or any other DFT hardware by design

Issue 6: Incorrect Die Ordering
[Figure: original ordering (Processor, Memory, ASIC 1, ASIC 2, RF Transceiver) beside a Trojan ordering of the same die]
- Especially if standard interposers are available, an attacker could reorder the die
- Causes loss of reliability and performance
- Detection methods: testing and die IDs (JTAG, INTEST, etc.)
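The detection method on this slide (die IDs read through JTAG) and the “extra die in stack” issue two slides earlier both come down to comparing what the base die reports with what the assembler’s build record says the stack should contain. The Python below is an added example for this transcript, not the presenters’ code; the manifest, the IDCODE-style values and the assumption that the base die exposes one ID per die in bottom-to-top order are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DieRecord:
    position: int   # 0 is the base die; positions count upward through the stack
    kind: str
    idcode: int     # constructed JTAG-IDCODE-style value (32 bits, LSB set)


# Constructed manifest following the slide's original ordering, base die first.
EXPECTED_STACK = [
    DieRecord(0, "Processor", 0x10A1B2C1),
    DieRecord(1, "Memory", 0x20B3C4D1),
    DieRecord(2, "ASIC 1", 0x30C5D6E1),
    DieRecord(3, "ASIC 2", 0x40D7E8F1),
    DieRecord(4, "RF Transceiver", 0x50E9F0A1),
]


def verify_stack(expected, observed_idcodes):
    """Compare the IDCODEs read out through the base die (bottom to top) with the build manifest.

    Returns a list of findings; an empty list means the stack matches the manifest.
    """
    findings = []
    by_code = {rec.idcode: rec for rec in expected}
    if len(observed_idcodes) > len(expected):
        findings.append(f"extra die: {len(observed_idcodes)} observed, {len(expected)} expected")
    elif len(observed_idcodes) < len(expected):
        findings.append(f"missing die: {len(observed_idcodes)} observed, {len(expected)} expected")
    for pos, code in enumerate(observed_idcodes):
        rec = by_code.get(code)
        if rec is None:
            findings.append(f"position {pos}: unknown IDCODE {code:#010x}")
        elif rec.position != pos:
            findings.append(f"position {pos}: {rec.kind} belongs at position {rec.position} (reordered)")
    seen_codes = set(observed_idcodes)
    for rec in expected:
        if rec.idcode not in seen_codes:
            findings.append(f"{rec.kind} (IDCODE {rec.idcode:#010x}) not present")
    return findings


if __name__ == "__main__":
    good = [rec.idcode for rec in EXPECTED_STACK]
    print("as built:", verify_stack(EXPECTED_STACK, good))
    swapped = good[:]
    swapped[1], swapped[3] = swapped[3], swapped[1]      # Memory and ASIC 2 exchanged
    print("reordered:", verify_stack(EXPECTED_STACK, swapped))
    print("extra die:", verify_stack(EXPECTED_STACK, good + [0x60FA0B01]))   # unknown die on top
```

An IDCODE only states what a die claims to be, so this check belongs next to the per-die authentication, and, as the interposer slide notes, logic that is kept off the scan chain by design never appears in this readout at all.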

Issue 7: Protecting IP
- Today, defective chips can be de-soldered and sent back to the manufacturer for FA (failure analysis)
- In 3D, the entire stack will need to be sent
- Need to be able to access individual die for debug
- Need to protect the IP of each die provider
[Figure: example stack of die from different providers: AMD processor, TI analog die, memory, ARM core]

Outlook
- Some of these issues are likely easier to solve than others
  - Even the easy ones won’t be detected if you aren’t looking!
- When 3D assembly issues are solved and 3D becomes commonplace, really evil counterfeits are possible
  - Easy to manufacture with standard, interchangeable die
  - Hard to detect in package
- Incoming test is mandatory!

Conclusions
- 3D security and trust must be addressed at both design and test
- Research is needed to mitigate these issues now
  - Waiting may make solutions much more expensive or impossible to implement
- If we don’t look for these issues, they will happen, and the consequences could be disastrous

The End….