FOR IMMEDIATE RELEASE
Student Hackers and a Dose of Skepticism Secure Vital Hardware
NYU-Poly and UConn Researchers Develop New Design Techniques to Protect Against
Vulnerabilities in the Electronics Supply Chain
NEW YORK, November 8, 2011 – New design techniques to protect vulnerable hardware from
malicious manufacturing flaws have been developed by researchers at Polytechnic Institute of
New York University (NYU-Poly) and the University of Connecticut with some help from the
crowd.
Ramesh Karri, NYU-Poly professor of electrical and computer engineering, explains that most
engineers design systems under the assumption that the underlying hardware is trustworthy; in
other words, free of malicious elements. That assumption, he says, is false.
In May 2010, for example, the FBI’s Operation Network Raider seized more than 700 pieces of
counterfeit Cisco network hardware and labels with an estimated retail value of more than $143
million. While that scheme was likely conceived for financial gain, designers of integrated
circuits, or microchips, also need to protect military, financial, transportation and other critical
digital infrastructure from Trojans inserted by intruders with other criminal or military
intentions. Like the Trojan horses of Greek mythology, cyber Trojans appear to be harmless but
instead steal information or harm a system once it is in operation.
Karri and researchers from the University of Connecticut developed new techniques that
designers can use to defend against weaknesses in the supply chain, which typically includes an
overseas manufacturer and often stretches across the globe. Their new “design for trust”
techniques update the well established “design for manufacturability” and “design for testability”
mantras. They were outlined in two IEEE Computer Magazine articles, “Trustworthy Hardware:
Trojan Detection and Design-for-Trust Challenges,” and “Trustworthy Hardware: Identifying
and Classifying Hardware Trojans.”
“The ‘design for trust’ techniques build on existing design and testing methods,” explains Karri.
- more -
One such technique involves ring oscillators, which are sets of odd numbered, inverting logic
gates that designers use to ensure an integrated circuit’s reliability. Circuits with ring oscillators
produce specific frequencies based on the arrangement of ring oscillators. Trojans alter the
original design’s frequencies and alert testers to a compromised circuit. However, sophisticated
criminals could account for the frequency change in their Trojan design and implementation.
Karri and his team suggest designers thwart their tactics by creating more variants of ring
oscillator arrangements than criminals can keep track of, making it harder for them to implant a
Trojan without testers detecting it.
Unlike microbiologists with relatively easy access to sample viruses, Karri and other hardware
security researchers cannot study ample real-world Trojans because companies and governments
are reluctant to share infected hardware for reasons of intellectual property, national security or
fear of embarrassment. So Karri and his colleagues turned to the crowd to collect sample Trojans
that informed their design-for-trust techniques.
Graduate and undergraduate students from across the country build and detect hardware Trojans
for the Embedded Systems Challenge, part of NYU-Poly’s annual Cyber Security Awareness
Week (CSAW) white-hat hacking competition. Karri and his team analyzed a diverse collection
of 58 submissions from the 2008 competition and developed a taxonomy that is helping to
standardize metrics for evaluating Trojans.
Crowdsourcing Trojans benefits the team’s research and will help guide future researchers and
practitioners, according to Jeyavijayan Rajendran, an NYU-Poly electrical and computer
engineering doctoral candidate and co-author. Rajendran was the 2009 winner of the Embedded
Systems Challenge and has been the student leader of the national challenge since then. In the
2010 competition, Rajendran’s 2009-winning defense was successfully attacked. “I went back
and studied the vulnerabilities and developed additional techniques to fix them,” he says. “The
Embedded Systems Challenge changed my research process. Now I am not only thinking from a
defender's point of view, but I am also thinking from an attacker's point of view.”
Trojans from the Embedded Systems Challenge and the design-for-trust techniques are available
on TrustHub.org, a National Science Foundation (NSF) funded site created to encourage
community building and knowledge exchange among hardware security researchers and
professionals. NYU-Poly is one of four cybersecurity research institutions that founded the site.
In addition to the NSF, the Air Force Research Laboratory supports Karri and his team’s research
at NYU-Poly. The final rounds of the 2011 NYU-Poly CSAW challenges will be held Nov. 9 –
11, 2011, in Brooklyn. To register, visit http://www.poly.edu/csaw2011.
- more -
About Polytechnic Institute of New York University
Polytechnic Institute of New York University (formerly Polytechnic University), an affiliate of
New York University, is a comprehensive school of engineering, applied sciences, technology
and research, and is rooted in a 157-year tradition of invention, innovation and entrepreneurship:
i2e. The institution, founded in 1854, is the nation’s second-oldest private engineering school. In
addition to its main campus in New York City at MetroTech Center in downtown Brooklyn, it
also offers programs at sites throughout the region and around the globe. Globally, NYU-Poly
has programs in Israel, China and is an integral part of NYU's campus in Abu Dhabi. For more
information, visit www.poly.edu.
# # #
Note to Editors:
Images at http://research.poly.edu/~resourcespace/?c=419&k=1531098509
Contact:
Kathleen Hamilton
718-260-3792 office
347-843-9782 mobile
hamilton@poly.edu