This is quite clever, since the required addition to the "mask" (actually multiple mask layers) to implement such a function would be quite simple.
During chip design, there are tools (DRC and LVS) that very carefully verify that the mask has exactly what the designers intend it to have, not a single transistor more or less. This abstract mask is called GDSII[1] (or perhaps a successor such as OASIS, the principle is the same).
Once upon a time the layers of the GDSII could be used directly to build ICs. But now chip design rules are too tricky, so the masks are tweaked post-tapeout, in order to be able to get a decent yield of functioning chips.
Still, it is possible to take actual silicon and extract the circuitry from it. This, while quite difficult to do, is routinely done by "reverse engineering" companies.
If it's your own chip you already know exactly what to expect, you actually specified every transistor there. So it would be much "easier" (ha ha) to reverse engineer to verify that your actual chip has all the circuitry, no more, no less, that you intended it to have. I wrote a little about this in an HN discussion a few years ago.[2]
That's the theory. But in reality, does any company reverse engineer their own chips to check? Highly unlikely. Which means they're implicitly trusting TSMC (or whoever the fab is).
Not only that, what's to keep some bad actor at TSMC from inserting this circuitry into your chips perhaps 6 months after initial production. Must you repeatedly keep reverse engineering your own chips to make sure they're still unmodified?
But, as I mentioned in my earlier post, there are many IP blocks in current silicon that come from third-party suppliers. Does anyone fully understand the operation of every transistor in every IP block they bought, or they inherited from an earlier design? If I were to backdoor an IC, I'd use the third-party IP method. It would be much easier to sneak something in that way.
A few years a ago I attended a talk given by an engineer of one of the largest American semiconductor companies. After the talk someone asked if they were able to verify that the chips they get back from the fabs are made as specified.
The answer was that they couldn‘t but that the problem was considered a serious concern and that their company invested resources into a solution.
And what about all the blackbox IP that get added after you design your functionality. There could be absolutely anything in that test logic added by the vendor, anything in that random 'process measurement' cell added by the fab. I don't see how the verification required is remotely possible.
> If I were to backdoor an IC, I'd use the third-party IP method. It would be much easier to sneak something in that way.
I'm not a hardware designer, but I imagine that restricting a backdoor to a specific block might make it much harder to cause the rest of the hardware to behave in a specific way?
During chip design, there are tools (DRC and LVS) that very carefully verify that the mask has exactly what the designers intend it to have, not a single transistor more or less. This abstract mask is called GDSII[1] (or perhaps a successor such as OASIS, the principle is the same).
Once upon a time the layers of the GDSII could be used directly to build ICs. But now chip design rules are too tricky, so the masks are tweaked post-tapeout, in order to be able to get a decent yield of functioning chips.
Still, it is possible to take actual silicon and extract the circuitry from it. This, while quite difficult to do, is routinely done by "reverse engineering" companies.
If it's your own chip you already know exactly what to expect, you actually specified every transistor there. So it would be much "easier" (ha ha) to reverse engineer to verify that your actual chip has all the circuitry, no more, no less, that you intended it to have. I wrote a little about this in an HN discussion a few years ago.[2]
That's the theory. But in reality, does any company reverse engineer their own chips to check? Highly unlikely. Which means they're implicitly trusting TSMC (or whoever the fab is).
Not only that, what's to keep some bad actor at TSMC from inserting this circuitry into your chips perhaps 6 months after initial production. Must you repeatedly keep reverse engineering your own chips to make sure they're still unmodified?
But, as I mentioned in my earlier post, there are many IP blocks in current silicon that come from third-party suppliers. Does anyone fully understand the operation of every transistor in every IP block they bought, or they inherited from an earlier design? If I were to backdoor an IC, I'd use the third-party IP method. It would be much easier to sneak something in that way.
[1] https://en.wikipedia.org/wiki/GDSII [2] https://news.ycombinator.com/item?id=11880935#11891857