We introduce a new class of hardware trojans called interrupt-resilient trojans (IRTs). Our work is motivated by the observation that hardware trojan attacks on CPUs, even under favorable attack scenarios (e.g., an attacker with local system access), are affected by unpredictability due to non-deterministic context switching events. As we confirm experimentally, these events can lead to race conditions between trigger signals and the CPU events targeted by the trojan payloads (e.g., a CPU memory access), thus affecting the reliability of the attacks. Our work shows that interrupt-resilient trojans can successfully address the problem of non-deterministic triggering in CPUs, thereby providing high reliability guarantees in the implementation of sophisticated hardware trojan attacks. Specifically, we successfully utilize IRTs in different attack scenarios against a Linux-capable CPU design and showcase its resilience against context-switching events. More importantly, we show that our design allows for seamless integration during fabrication stage attacks.We evaluate different strategies for the implementation of our attacks on a tape-out ready high-speed RISC-V microarchitecture in a 28nm commercial technology process and successfully implement them with an average overhead delay of only 20 picoseconds, while leaving the sign-off characteristics of the layout intact. In doing so, we challenge the common wisdom regarding the low flexibility of late supply chain stages (e.g., fabrication) for the insertion of powerful trojans. To promote further research on microprocessor trojans, we open-source our designs and provide the accompanying supporting software logic.

翻译：我们提出了一类新型硬件木马——中断容忍木马（IRTs）。本研究的动机源于以下观察：即使在有利的攻击场景下（例如攻击者拥有本地系统访问权限），针对CPU的硬件木马攻击仍会受到非确定性上下文切换事件引起的不可预测性影响。实验证实，这些事件会导致触发信号与木马载荷目标CPU事件（如CPU内存访问）之间产生竞争条件，从而影响攻击的可靠性。研究表明，中断容忍木马能够有效解决CPU中非确定性触发问题，从而为复杂硬件木马攻击的实施提供高可靠性保障。具体而言，我们在针对支持Linux的CPU设计的多种攻击场景中成功运用IRTs，并展示了其对抗上下文切换事件的鲁棒性。更重要的是，我们证明该设计可在制造阶段攻击中实现无缝集成。我们在28纳米商用工艺节点的流片级高速RISC-V微架构上评估了多种攻击实施策略，以平均仅20皮秒的开销延迟成功实现攻击，同时保持版图的签核特性不变。通过上述工作，我们挑战了关于供应链后期阶段（如制造）植入强效木马灵活性较低的普遍认知。为促进微处理器木马的进一步研究，我们开源了相关设计并提供了配套支撑软件逻辑。