edfas.org 19 ELECTRONIC DEVICE FAILURE ANALYSIS | VOLUME 23 NO. 3

is automatically a mistake, either unintentional or purposeful, because the designators are used throughout the design process to enable correct assembly. Therefore, one relatively simple way to check a board is to check for missing or incorrect reference designators.

The taxonomy can be summarized in Tables 1 and 2.

The likely success of a schematic, layout, or design-file attack lies in the fact that it is difficult to compare an assembled board to (in increasing order of difficulty) the design file, layout, or schematic. The board’s design can be altered after the designer is finished with it but before it is fabricated. There is little to connect a fabricated board in hand back to the file that was used to create it, and the only way to be certain is to do some form of manual comparison. Stated differently, the design of circuit boards is not tamper-evident.

Checking for an attack involves comparison, first, of an actual bare board to a trusted design file and, second, of an actual assembled board to a trusted set of design files (including bill of materials).

If someone detects an attack, there are some simple questions that can shed light on the nature of the attack. Is the attack the result of an added or altered component? Does the component have a reference designator? Is the unwanted component found on every board or only on a subset of boards?

EXAMPLE ATTACKS

To illustrate the ease with which an attack can be made, a design-file attack was demonstrated in earlier published work. [4] A four-pin footprint was added to a design’s I²C bus; the footprint included power, ground, and two I²C signals as well as the vias and wiring necessary to attach all four signals. The component also had its own reference designator so that it would be more difficult to spot by eye.
The attack was carried out by editing a board’s Gerber file using publicly available, commercially sold Gerber-editing software.

Another example is a mock-up of an altered footprint (Fig. 2). In this example, a two-pin 0805 surface-mount resistor is replaced with an eight-pin resistor network footprint. To be clear, this mock-up was created using image-editing software, but illustrates how difficult alterations can be to see by the naked eye. The altered component is R34 near the center of the photograph (circled).

As a third example, a more complex component was added to a larger circuit board. A board that is being designed on the South Alabama campus as part of a fully functional CubeSat satellite was selected because the board is complex (293 components on a 10 cm by 10 cm board) and there was access both to the board’s design files and to a fully assembled model. (The fully assembled model was needed for the photo shoot, as shown in the figures.) The goal was to add an actual, commercially sold microprocessor to an I²C bus. The microprocessor could presumably be programmed to intercept and record data

Table 1 Taxonomy of attack locations

| Location of attack | Summary | Detection strategy |
|---|---|---|
| Schematic attack | Design schematic is altered | Double-check the schematic carefully for aberrations. Compare physical board to a trustworthy version of the schematic. |
| Layout attack | Design layout is altered | Compare physical board to schematic and bill of materials. |
| Design file attack | Design file is altered | Compare physical board to original layout file, schematic, and bill of materials. |
| Rework attack | Component is added by hand after board is assembled | Look for hand-added components. |

Table 2 Modes of attack

| Mode of attack | Summary | Detection strategy |
|---|---|---|
| Altered component mode | Footprint of legitimate component is altered | Compare every footprint to that found in a trusted schematic. |
| Added component mode | A new component is added to the board | Compare every footprint to that found in a trusted layout. |
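
Once the components on an assembled board have been inventoried, the comparisons in Table 2 and the reference-designator check can be run mechanically against a trusted bill of materials. The Python below is an added example, not code from the article; the data layout, the footprint names, and every designator other than R34 are constructed assumptions.

```python
from collections import Counter

# Trusted bill of materials: reference designator -> (footprint, pin count).
# Constructed sample data; R34 and its 0805 footprint echo the article's mock-up.
TRUSTED_BOM = {
    "R33": ("0805", 2),
    "R34": ("0805", 2),
    "C12": ("0603", 2),
    "U3": ("SOIC-8", 8),
}

# Components observed on the assembled board (constructed sample data).
# A designator of None means a part with no silkscreen label.
OBSERVED = [
    ("R33", "0805", 2),
    ("R34", "RESNET-8", 8),  # footprint differs from the BOM: altered component mode
    ("C12", "0603", 2),
    ("U3", "SOIC-8", 8),
    ("J9", "HDR-1x4", 4),    # labelled, but not in the BOM: added component mode
    (None, "0402", 2),       # no reference designator at all
]

def audit_board(trusted_bom, observed):
    """Return a sorted list of (finding, designator, detail) tuples."""
    findings = []
    seen = Counter(ref for ref, _, _ in observed if ref is not None)
    for ref, footprint, pins in observed:
        if ref is None:
            findings.append(("missing_designator", "?", f"{footprint}/{pins} pins"))
        elif ref not in trusted_bom:
            findings.append(("added_component", ref, f"{footprint}/{pins} pins"))
        elif (footprint, pins) != trusted_bom[ref]:
            want = trusted_bom[ref]
            findings.append(("altered_component", ref,
                             f"expected {want[0]}/{want[1]} pins, "
                             f"found {footprint}/{pins} pins"))
    for ref, count in seen.items():
        if count > 1:  # the same designator printed on two different parts
            findings.append(("duplicate_designator", ref, f"appears {count} times"))
    for ref in trusted_bom.keys() - seen.keys():
        findings.append(("absent_component", ref, "in BOM but not on board"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, ref, detail in audit_board(TRUSTED_BOM, OBSERVED):
        print(f"{kind:20} {ref:4} {detail}")
```

Running the same audit over every board in a lot also answers the article's last question, whether the unwanted component is on every board or only on a subset.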