extremely stealthy hardware Trojans - existing transistor dopant polarity changes

Zenaan Harkness zen at freedbms.net
Wed May 16 02:55:32 PDT 2018


Holy firetruck, Punkman, sh1rts gettin' real:


 Georg T. Becker, Francesco Regazzoni, Christof Paar, and
 Wayne P.  Burleson in the abstract of a paper [PDF]
 https://link.springer.com/article/10.1007/s13389-013-0068-0

 In recent years, hardware Trojans have drawn the attention of
 governments and industry as well as the scientific community. One of
 the main concerns is that integrated circuits, e.g., for military or
 critical-infrastructure applications, could be maliciously
 manipulated during the manufacturing process, which often takes
 place abroad. However, since there have been no reported hardware
 Trojans in practice yet, little is known about what such a Trojan
 would look like and how difficult it would be in practice to
 implement one. In this paper we propose an extremely stealthy
 approach for implementing hardware Trojans below the gate level, and
 we evaluate their impact on the security of the target device.
 Instead of adding additional circuitry to the target design, we
 insert our hardware Trojans by changing the dopant polarity of
 existing transistors. Since the modified circuit appears legitimate
 on all wiring layers (including all metal and polysilicon), our
 family of Trojans is resistant to most detection techniques,
 including fine-grain optical inspection and checking against "golden
 chips". We demonstrate the effectiveness of our approach by
 inserting Trojans into two designs—a digital post-processing derived
 from Intel's cryptographically secure RNG design used in the Ivy
 Bridge processors and a side-channel resistant SBox
 implementation—and by exploring their detectability and their
 effects on security.


(From LWN Briefs: https://lwn.net/Articles/749980/ )
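The part of the abstract that matters for anyone doing supply-chain assurance is
the detection claim: the Trojan lives in the dopant of the active area, so
every layer a layout comparison or a "golden chip" check looks at (metal,
polysilicon, contacts) is identical to the legitimate design. The following
is an added illustration, not code from the paper, from the post, or from
any silicon tool: a toy switch-level model in which a dopant change is
represented (an assumption of this model) as a transistor that conducts
permanently or never, regardless of its gate. It shows that a wiring-layer
comparison passes while the cell's logic has changed. The model says nothing
about whether a functional test or built-in self-test would catch a given
insertion; that depends on where in the design the change lands, which is
what the paper evaluates and this block does not.

```python
"""Toy switch-level model of a dopant-polarity hardware Trojan.

Added illustration, not from the paper or the mailing-list post.
Assumption: a dopant change turns a transistor into a permanent
connection ("on") or a permanent open ("off"); the gate, the channel
terminals and every wiring layer stay exactly as in the golden design.
"""
from dataclasses import dataclass
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Transistor:
    name: str
    kind: str                     # "p" conducts on gate=0, "n" conducts on gate=1
    gate: str
    a: str                        # channel terminals (source/drain nets)
    b: str
    stuck: Optional[str] = None   # None = normal switch; "on"/"off" = modified dopant

    def conducts(self, nets):
        if self.stuck is not None:
            return self.stuck == "on"
        g = nets[self.gate]
        return g == 0 if self.kind == "p" else g == 1


def wiring_signature(cell):
    """What optical inspection / golden-chip comparison of the wiring layers
    sees: device type, gate net and channel connections. Dopant is absent."""
    return sorted((t.kind, t.gate, t.a, t.b) for t in cell)


def _reachable(start, cell, nets):
    """Nets connected to `start` through currently conducting transistors."""
    seen, stack = {start}, [start]
    while stack:
        n = stack.pop()
        for t in cell:
            if not t.conducts(nets):
                continue
            for x, y in ((t.a, t.b), (t.b, t.a)):
                if x == n and y not in seen:
                    seen.add(y)
                    stack.append(y)
    return seen


def evaluate(cell, inputs, out="OUT"):
    """Output is 1 if driven only from VDD, 0 if only from GND, else 'X'."""
    nets = {"VDD": 1, "GND": 0, **inputs}
    reach = _reachable(out, cell, nets)
    up, down = "VDD" in reach, "GND" in reach
    if up and not down:
        return 1
    if down and not up:
        return 0
    return "X"  # short circuit or floating node


def truth_table(cell, input_names, out="OUT"):
    return {bits: evaluate(cell, dict(zip(input_names, bits)), out)
            for bits in product((0, 1), repeat=len(input_names))}


# Constructed cells: a legitimate CMOS inverter and the same inverter with
# the dopant of both active areas changed so that the pull-up is a permanent
# connection to VDD and the pull-down a permanent open (output stuck at 1).
GOLDEN_INVERTER = (
    Transistor("MP", "p", "IN", "VDD", "OUT"),
    Transistor("MN", "n", "IN", "OUT", "GND"),
)
TROJANED_INVERTER = (
    Transistor("MP", "p", "IN", "VDD", "OUT", stuck="on"),
    Transistor("MN", "n", "IN", "OUT", "GND", stuck="off"),
)


def golden_chip_check(suspect, golden):
    """Layout-level check: passes when all wiring layers match the golden chip."""
    return wiring_signature(suspect) == wiring_signature(golden)


def functional_check(suspect, golden, input_names):
    """Logic-level check: exhaustive truth-table equivalence."""
    return truth_table(suspect, input_names) == truth_table(golden, input_names)


if __name__ == "__main__":
    print("wiring matches golden:", golden_chip_check(TROJANED_INVERTER, GOLDEN_INVERTER))
    print("logic matches golden: ", functional_check(TROJANED_INVERTER, GOLDEN_INVERTER, ["IN"]))
    print("trojaned truth table: ", truth_table(TROJANED_INVERTER, ["IN"]))
```

The two cells have identical wiring signatures, so the golden-chip comparison
passes; only an electrical or functional check sees the stuck output. For a
real part, that check has to exercise the specific node the attacker chose,
which is why the paper places its modification inside an RNG's post-processing
rather than in an ordinary logic path.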


