Forget Supersonic Jets. The Military Needs an Odometer for Computer Chips.


Project could keep out Chinese counterfeit chips from military systems

Consider U.S. airstrikes over Syria hitting a civilian hospital instead of an oil refinery powering Islamic State operations. According to the computer chip industry, that scenario could become reality with the risk of corrupted semiconductors -- the circuits underpinning all computers -- behaving in unexpected ways. 

Critics of U.S. customs procedures and new federal defense acquisition regulations say those controls won’t do much to keep out Chinese counterfeit or tainted chips from military systems, including drone controllers.

But a federally funded odometer in the works at Carnegie Mellon University might.

This week, the National Science Foundation awarded the school $300,000 to build a tool that can detect the age, use and other qualities of an allegedly new semiconductor to ensure the chip does not perform any unexpected tricks. The grant is part of a joint program with the Semiconductor Research Corporation, called the Secure, Trustworthy, Assured and Resilient Semiconductors and Systems, or STARSS.

STARSS will finance techniques for spotting rogue chip behavior before circuits are deployed in government or consumer electronics. 

Never mind Shellshock -- the major cyber risk du jour -- which can let hackers run malicious commands at the computer server level. Bad semiconductors can hijack the hardware. 

"The semiconductor industry is very good at determining whether a chip is performing as it is supposed to. They can test for that," said Keith Marzullo, an NSF division director who co-leads STARSS. "But it’s hard for them to tell whether it does something else. An unintentional behavior might be used as an attack surface to capture information or otherwise corrupt the mission that is being run on the processor." 

The Carnegie Mellon odometer would flag flawed semiconductors older than advertised. 

"When anyone buys a computer, be it a government customer or anyone, how do you know what the chips that are in there are doing? This would tell you," Marzullo said. 

It functions similarly to both a car's odometer and vehicle identification number, or VIN. Instead of gauging mileage and identifying the make, model and manufacturer of a car, the semiconductor odometer would measure the chip's age, use and manufacturer.

Or in the consumer realm, "You can tell, ‘Have I brought a brand-new iPhone?' You know whether it’s actually using new processors or whether there are some that have been recycled and put in by, say, some third-party overseas manufacturer,'" Marzullo said. 

China is known for reusing antiquated semiconductors and selling them on the black market for cut-rate prices. In June, Peter Picone, 41, of Massachusetts, pled guilty to knowingly reselling counterfeit circuits from China to U.S. customers, including Navy contractors supplying parts for nuclear submarines. His clients had specified they only wanted new chips and would not accept Chinese-made items. Navy and contractor tests found the circuits had been resurfaced to change the date code and affix counterfeit marks.

The odometers would provide a deeper forensics analysis, and potentially do so more quickly. 

STARSS focuses on, among other defenses, rooting out Trojans -- malicious bugs that can cause a circuit to fail, akin to worms that can compromise software. 

An additional STARSS project funded this week aims to deflect "differential power analysis" hacks. These malicious maneuvers decipher security codes by measuring the electricity use of a chip. Analyzing power use reveals what kind of computational operations a device is performing, including transfers of secret keys.

But don't look for an odometer to inspect drone circuits anytime soon. The fruits of this research won't bear out in industry for another five to 10 years, Marzullo expects. 

The first round of awards totaled nearly $4 million and was spread among nine academic projects. The next distribution of grants is slated for the first half of 2015, as part of a larger $72 million NSF cyber investment portfolio

A separate Defense Advanced Research Projects Agency program with another clever acronym, the Supply Chain Hardware Integrity for Electronics Defense, or SHIELD, is developing tiny smart chips that would be embedded in computer chips and self-destruct if tampered with. This approach places responsibility for preventing counterfeits on the semiconductor original manufacturer. The odometer would be used on the other end of the supply chain, by device makers and users. 

(Image via Raimundas/