A Google researcher has uploaded a series of papers which suggest the company is worried about the possibility of Trojans finding their way into hardware at the semiconductor manufacturing stage.
The papers, which include "Hardware Trojan Detection Solutions and Design-for-Trust Challenges," "Security Challenges During VLSI Test," and "Trustworthy Hardware: Identifying and Classifying Hardware Trojans," have been uploaded to Google's research repository by company researcher Kurt Rosenfeld, and suggest a new direction for the advertising giant's research.
Previous papers uploaded by Google researchers are more in-keeping with the company's commercial efforts: titles include "Improving Video Classification via YouTube Video Co-Watch Data," "Quantitative Analysis of Culture Using Millions of Digitized Books," and "Dynamic Stylized Shading Primitives," but Rosenfeld's work is quite different.
In the papers, Rosenfeld describes what he believes is the next frontier in information security: the silicon itself. "Vulnerabilities in the current integrated circuit development process have raised serious concerns about possible threats from hardware Trojans
to military, financial, transportation, and other critical systems," he warns in one publication.
"An adversary can introduce a Trojan through an IC that will disable or destroy a system at some specific future time. Alternatively, an attacker can design a wire or some other IC component to survive the testing phase but fail before the expected lifetime. A hardware Trojan can also covertly cause a system to leak confidential information or secret keys," he clarifies.
Rosenfeld - and his fellow authors, including staff from the University of Connecticut and the Polytechnic Institute of New York University - warn that increased scrutiny must be placed on the intellectual property that goes into the cores and integrated circuits of modern ASICs, FPGAs, DSPs, processors, and system-on-chip designs.
Nothing Rosenfeld et al describe in the papers will come as a particular surprise to the industry: Intel, one of the world's largest suppliers of processors, spent almost £5 billion last year acquiring security specialist McAfee in the hopes of creating hardware-based security systems to detect and block viruses, Trojans, worms, and other forms of malware.
The fact that Google is interested in the topic, however, is interesting: unlike previous players in this realm, Google doesn't make any silicon of its own that could become infected at the manufacturing stage.
The company does, however, work closely with the likes of Intel, Qualcomm, Nvidia, Texas Instruments, Samsung, and others as part of its Android mobile platform efforts. Should a SoC design from one of those manufacturers prove to have a hidden Trojan, it would be bad news for Google - and if the flaw is introduced at the design stage at ARM, a Trojan could potentially be planted into every single ARM-based SoC manufactured from that point on.
It's a worrying spectre, but one that Rosenfeld et al suggest can be mitigated: in a joint paper, Rosenfeld and fellow researcher Ramesh Karri describe a security enhancement for system-on-chip test access that removes the threat from untrustworthy cores while maintaining the economy of bus or daisy-chain wiring topologies.
Thus far, there's no hint from Google as to the reason that it's been paying Rosenfeld to carry out in-depth research in an area which is clearly not core to the advertising giant's business. While a move to manufacturing its own silicon - in the same way it currently builds its own servers - seems unlikely in the extreme, one thing's for certain: Google is spreading its wings in some interesting new areas.
The papers can be accessed, in PDF form, via Google's Publications page (opens in new tab).