We introduce a new class of hardware trojans called interrupt-resilient trojans (IRTs). Our work is motivated by the observation that hardware trojan attacks on CPUs, even under favorable attack scenarios (e.g., an attacker with local system access), are affected by unpredictability due to non-deterministic context switching events. As we confirm experimentally, these events can lead to race conditions between trigger signals and the CPU events targeted by the trojan payloads (e.g., a CPU memory access), thus affecting the reliability of the attacks. Our work shows that interrupt-resilient trojans can successfully address the problem of non-deterministic triggering in CPUs, thereby providing high reliability guarantees in the implementation of sophisticated hardware trojan attacks. Specifically, we successfully utilize IRTs in different attack scenarios against a Linux-capable CPU design and showcase its resilience against context-switching events. More importantly, we show that our design allows for seamless integration during fabrication stage attacks.We evaluate different strategies for the implementation of our attacks on a tape-out ready high-speed RISC-V microarchitecture in a 28nm commercial technology process and successfully implement them with an average overhead delay of only 20 picoseconds, while leaving the sign-off characteristics of the layout intact. In doing so, we challenge the common wisdom regarding the low flexibility of late supply chain stages (e.g., fabrication) for the insertion of powerful trojans. To promote further research on microprocessor trojans, we open-source our designs and provide the accompanying supporting software logic.

翻译：我们提出了一类新型硬件木马——中断弹性木马（IRTs）。本研究的动机源于以下观察：在CPU上实施硬件木马攻击时，即便在有利的攻击场景下（例如攻击者拥有本地系统权限），非确定性上下文切换事件可能导致不可预测性。实验证实，这些事件会引发触发信号与木马载荷所针对的CPU事件（如CPU内存访问）之间的竞争条件，从而影响攻击的可靠性。我们的研究表明，中断弹性木马能有效解决CPU中非确定性触发的问题，从而为复杂的硬件木马攻击实施提供高可靠性保障。具体而言，我们在多项针对支持Linux的CPU设计的攻击场景中成功运用IRTs，验证了其对上下文切换事件的鲁棒性。更重要的是，我们的设计可在制造阶段攻击中无缝集成。我们基于28纳米商用工艺节点的可流片高速RISC-V微架构，评估了不同攻击实施策略，并以仅20皮秒的平均延迟开销成功实现攻击，同时保持布局的签核特性不变。这一成果挑战了"后期供应链环节（如制造阶段）难以植入强大木马"的传统认知。为促进微处理器木马领域的进一步研究，我们开源了相关设计并配套提供支撑软件逻辑。