Defensive Routing: a Preventive Layout-Level Defense Against Untrusted Foundries
Since the inception of the integrated circuit (IC), the size of the transistors used to construct them has continually shrunk. While this advancement significantly improves computing capability, the associated massive complexity forces IC designers to outsource fabrication. Outsourcing presents a security threat: comprehensive post-fabrication inspection is infeasible given the size of modern ICs, so it is nearly impossible to know whether the foundry has altered your design during fabrication (i.e., inserted a hardware Trojan). Defending against a foundry-side adversary is challenging because, with as few as two gates, hardware Trojans can completely undermine software security. Prior work attempts to both detect and prevent such foundry-side attacks, but all existing defenses are ineffective against the most advanced hardware Trojans. We present Defensive Routing (DR), a preventive layout-level defense against untrusted foundries, capable of thwarting the insertion of even the stealthiest hardware Trojans. DR is directed and routing-centric: it prevents foundry-side attackers from connecting rogue wires to security-critical wires by shielding them with guard wires. Unlike shield wires commonly deployed for cross-talk reduction, DR guard wires present an additional technical challenge: they must be tamper-evident in both the digital and analog domains. To address this challenge, we present two different categories of guard wires: natural and synthetic. Natural guard wires consist of pre-existing wires that we route adjacent to security-critical wires, while synthetic guard wires are added to the design specifically to protect security-critical wires. Natural guard wires require no additional hardware and are digitally tamper-evident. Synthetic guard wires require additional hardware, but are tamper-evident in both the digital and analog domains.