Security Implications of Intentional Capacitive Crosstalk

Abstract

With advances in shrinking process technology sizes, the parasitic effects of closely routed adjacent wires, crosstalk , still present problems in practice since they directly influence performance and functionality. Even though there is a solid understanding of parasitic effects in hardware designs, the security implications of such undesired effects have been scarcely investigated. In this paper, we leverage the physical routing effects of capacitive crosstalk to demonstrate a new parametric hardware Trojan design methodology. We show that such Trojans can be implemented by only rerouting already existing resources. Thus, our approach possesses a zero-gate area overhead which is both stealthy and challenging to detect with standard visual inspection techniques. In two case studies, we demonstrate its devastating consequences: (1) we realize an implementation attack on a third-party cryptographic AES IP core and (2) we realize a privilege escalation on a general-purpose processor capable of running any modern operating system. In these case studies, we take special care to ensure that the Trojans do not violate design rule checks, which further highlights that the capacitive crosstalk Trojans can be building blocks for malicious circuitry design. We then investigate how state-of-the-art visual inspection techniques can be enhanced to cope with parametric hardware Trojans. In particular, we develop an automated layout-level mitigation approach which exploits the characteristic wire length of capacitive crosstalk Trojans. Finally, we highlight further implementation strategies for capacitive crosstalk Trojans and pinpoint future research directions.