Securing the Silicon Supply Chain
I don’t know about you, but when I hear the name Rambus, I think of the company that was founded in 1990. I remember them leaping into the limelight with a fanfare of trumpets. Well, if the truth be told, it was with their 600 MHz interface technology, which addressed the memory bottleneck issues being faced by system designers of the time, but hearing their sumptuous specifications was the computer engineering equivalent of having one’s ears massaged by a magnificence of mellophones.
Rambus’s technology was based on a very high speed, chip-to-chip interface that was incorporated into dynamic random-access-memory (DRAM) components, processors and controllers, which achieved performance rates over ten times faster than conventional DRAM implementations.
The thing is that, even though I know Rambus purchased Cryptography Research in 2011, I still think of them as a memory company, which is a shame because they are so much more.
A few days ago, I was chatting with Neeraj Paliwal, who is Vice President and General Manager of Rambus Security. Neeraj is a delightful person and I was looking forward to cheerful conversation. Sad to relate, the tortuous tales he told have left me a much sadder man.
The topic of our conversation was the silicon supply chain in general and the problem of counterfeit integrated circuits (a.k.a. “silicon chips” or “chips” for short) in particular. Of course, the counterfeiting of silicon chips has been a fact of life for a long time. Eight years ago in 2012, for example, the EETimes article Counterfeit Parts Putting Military at Risk quoted the market research organization IHS iSuppli as reporting that a typical bill of materials for a military/defense program can have anywhere from a few hundred to over tens of thousands of purchased parts, of which between 0.5 to 5 percent typically match incidents of counterfeit. Furthermore, IHS said that the same was true for medical equipment.
Counterfeit chips come in a variety of flavors. Perhaps the most benign are so-called “Compatible Chips,” whereby someone builds a component that mimics the function of the authentic chip. These chips are not sold as authentic OEM components, but rather as lower-cost replacements.
Then there are “Reconditioned Chips,” in which someone “harvests” components from electronic waste using crude and poorly controlled processes, performs a physical recondition (cleans the leads, re-marks the package), and sells as new. A big problem here is that the end users think these chips are new. They have no way of knowing about any environmental conditions and usage factors to which the reconditioned chips have exposed. The resulting components can have significantly higher failure rates than genuine components. Some may fail under test, while others may fail after only a few days, weeks, or months of deployment.
The next step up the ladder of nefariousness brings us to “Gray Market Chips,” which may originate from overbuilds, reworked failures, or reclaims from retired systems. Although these chips function similar to the authentic versions, they are potentially hazardous since they are not tested, sold, or warranted by the chip owner, which means it’s impossible to guarantee their reliability.
The worst-case scenario involves “Reverse-Engineered Chips” (a.k.a. “Rogue Chips”). In this case, some disreputable player deconstructs a chip layer-by-layer while recording all of the semiconductor and metallization structures that are observed. The adversary subsequently uses this information to recreate a new version of the device that they can sell as authentic. Rogue chips can also include additional functionality that can be used to corrupt data, cause a malfunction, or — most sinister of all — exfiltrate data (see also “Holy Security Systems Batman!” Our Boards are Bugged!).
This is not a small problem. In 2017 as part of “Operation Wafers,” a European-wide Joint Customs Operation seized more than one million counterfeit semiconductor devices during a two-week campaign. In 2019, as reported in the EET Asia article Counterfeits Costing Semiconductor Industry Billions, Industry Week sized the worldwide fake semiconductor market at $75B, while Havocscope reported that more than $169B in counterfeit electronics are currently in circulation.
Fortunately, all is not lost, because cybersecurity companies around the globe are working furiously on the chip counterfeiting problem. For example, Rambus offers a wide range of Security IP, including something they call the CryptoManager Infrastructure, which can be used to provide a secure supply chain solution for semiconductor and device manufacturers, starting in manufacturing and extending through end-of-life (EOL).
There are so many layers involved in securing the silicon supply chain that it makes my head spin. However, there are two good aspects to all of this. First, it’s not my problem. And second, companies like Rambus are providing solutions that will allow me to sleep at night. How about you? Have you experienced any issues with regard to counterfeit chips?
