Building trust into integrated circuits

The Defense Advanced Research Projects Agency is looking to develop a system for assessing the extent to which program managers can trust the source of the integrated circuit chips they are buying for use in everything from communications systems to weapons.

DARPA recently awarded contracts to three vendors to work on the first phase of the Trust in Integrated Circuits program. The program is intended to address concerns that chips with malicious code could end up in defense electronics, causing them to stop functioning or perhaps perform unintended operations. The problem is that many integrated circuits are manufactured overseas, and defense program managers have no way to know whether a given manufacturer is reliable.

The goal of the program is to develop measurement techniques that will allow the military to quantify the level of trust that can be applied to any IC, something that has never been done either for the design or fabrication of ICs.

“You can do very interesting things with an extra 1,000 transistors, which would probably not be noticeable in modern chips that have a total of a billion transistors or more,” said Dean Collins, deputy director of DARPA’s Microsystems Technology Office.

Current industry IC design and manufacturing protocols only call for a chip to be examined to make sure it can do what it is designed to do, he said. As long as its intended functions are not interfered with, those extra transistors — which would become active only at a specific time or when a certain event happens — would not be detected.

“The problem then is trying to find if the IC can do anything else that it isn’t designed to do, and the tools for that are generally not yet available,” Collins said.

The U.S. military already has one way to obtain the chips it needs, through the Trusted Foundry program it began in 2004 based on a contract the Defense Department already had with IBM. The National Security Agency was later assigned to manage that program and expand the number of accredited chip suppliers.

But the newer DARPA program goes beyond this and attempts to involve nonaccredited chipmakers. The intent is not to replace the Trusted Foundry program, DARPA executives said, but to address trust issues for products manufactured in nontrusted foundries or commercial products.

The need for these new tools comes as the U.S. military’s influence over IC design and manufacturing has waned. In the 1960s and 1970s, it was the biggest single customer of the U.S. chip industry, but its needs now provide less than 1 percent of the U.S. chip market’s demand.

Along with that has come a dramatic decline in chip manufacture in the United States. Now, Taiwan and China are reckoned to account for as much as 70 percent of global semiconductor manufacturing capacity, with much of the rest situated in places such as Europe, Singapore and Japan.

Most U.S. chip companies are now mainly design houses that send their designs overseas to be manufactured in foreign foundries.

Because DOD depends so strongly on global commercial sources for the majority of its IC purchases, and many of them are likely to continue to come from those foreign sources, the military cannot rely on the Trusted Foundry program alone to provide its chip needs, said Brian Cohen, assistant director of the information technology and systems division at the Institute for Defense Analyses.

Cohen has been working with DOD since 2002 to address the military’s concerns about the decline in domestic sources of critical ICs.

“While the criteria for a domestic supplier to become trusted...[are] reasonably achievable and affordable, large foreign-based commercial firms will not be able to readily clear their facilities and personnel,” he told a subcommittee of the House Armed Services Committee last year.

In the long term, he said, that means DOD has to come to terms with key research challenges focused on how to trust ICs from foreign suppliers, domestic suppliers that face potential foreign influence or exposure to insider threats or criminal acts, and suppliers who are unable or unwilling to become accredited.

Malicious circuits can be inserted in various ways, Collins said. The software that U.S. companies use to design ICs can contain software modules that are developed by companies in other countries, for example. But as long as they provide what’s needed for the IC’s functionality, no one checks for other features they might contain.

Also, ICs called field programmable gate arrays are increasingly being used in military systems for greater flexibility. They can be reprogrammed in the field instead of being hard-coded. Besides being vulnerable to the design software problems of other ICs, the way they are designed requires much greater use of vendor-specific, proprietary tools that call for different verification methods — which brings up all kinds of issues.

The need is for tools that can quickly tell if a chip can be trusted, Collins said. There are companies that can now go into a chip, take it apart and tell you very specifically what is in it, he said, but that can take as long as six months.

“Our program is aimed at developing ways to also do that, but do it very quickly,” he said.

The eventual goal of the DARPA Trust in ICs program is to provide government program managers a number that represents a certain trust level. By establishing a trust level for ICs, the initiative will provide program managers with another factor to consider, beyond cost and availability, when making purchasing decisions, Collins said.

Collins said he believes he can sell chip companies on the importance of the program because they are always looking for ways to ensure the quality of their products.

“They do have a big interest in high-reliability systems for use in such things as automotive applications,” he said. “Since the techniques we are developing are measurement techniques, and there’s a linkage in what we are trying to do and the quality of the product they are trying to sell, then that’s where they become interested.”