Chen Dong,Yi Xu,Ximeng Liu,Fan Zhang,Guorong He,Yuzhong Chen

DOI: https://doi.org/10.3390/s20185165

IF: 3.9

2020-01-01

Sensors

Abstract:Diverse and wide-range applications of integrated circuits (ICs) and the development of Cyber Physical System (CPS), more and more third-party manufacturers are involved in the manufacturing of ICs. Unfortunately, like software, hardware can also be subjected to malicious attacks. Untrusted outsourced manufacturing tools and intellectual property (IP) cores may bring enormous risks from highly integrated. Attributed to this manufacturing model, the malicious circuits (known as Hardware Trojans, HTs) can be implanted during the most designing and manufacturing stages of the ICs, causing a change of functionality, leakage of information, even a denial of services (DoS), and so on. In this paper, a survey of HTs is presented, which shows the threatens of chips, and the state-of-the-art preventing and detecting techniques. Starting from the introduction of HT structures, the recent researches in the academic community about HTs is compiled and comprehensive classification of HTs is proposed. The state-of-the-art HT protection techniques with their advantages and disadvantages are further analyzed. Finally, the development trends in hardware security are highlighted.

Maik Ender,Pawel Swierczynski,Sebastian Wallat,Matthias Wilhelm,Paul Martin Knopp,Christof Paar

DOI: https://doi.org/10.1145/3287624.3288742

2019-10-01

Abstract:The threat of inserting hardware Trojans during the design, production, or in-field poses a danger for integrated circuits in real-world applications. A particular critical case of hardware Trojans is the malicious manipulation of third-party FPGA configurations. In addition to attack vectors during the design process, FPGAs can be infiltrated in a non-invasive manner after shipment through alterations of the bitstream. First, we present an improved methodology for bitstream file format reversing. Second, we introduce a novel idea for Trojan insertion.

Cryptography and Security

Samaneh Ghandali,Thorben Moos,Amir Moradi,Christof Paar

DOI: https://doi.org/10.48550/arXiv.1910.00737

2019-09-23

Abstract:Hardware Trojans have drawn the attention of academia, industry and government agencies. Effective detection mechanisms and countermeasures against such malicious designs can only be developed when there is a deep understanding of how hardware Trojans can be built in practice, in particular Trojans specifically designed to avoid detection. In this work, we present a mechanism to introduce an extremely stealthy hardware Trojan into cryptographic primitives equipped with provably-secure first-order side-channel countermeasures. Once the Trojan is triggered, the malicious design exhibits exploitable side-channel leakage, leading to successful key recovery attacks. Generally, such a Trojan requires neither addition nor removal of any logic which makes it extremely hard to detect. On ASICs, it can be inserted by subtle manipulations at the sub-transistor level and on FPGAs by changing the routing of particular signals, leading to \textbf{zero} logic overhead. The underlying concept is based on modifying a securely-masked hardware implementation in such a way that running the device at a particular clock frequency violates one of its essential properties, leading to exploitable leakage. We apply our technique to a Threshold Implementation of the PRESENT block cipher realized in two different CMOS technologies, and show that triggering the Trojan makes the ASIC prototypes vulnerable.

Cryptography and Security,Hardware Architecture

Athanasios Moschos,Fabian Monrose,Angelos D. Keromytis

2024-05-03

Abstract:We introduce a new class of hardware trojans called interrupt-resilient trojans (IRTs). Our work is motivated by the observation that hardware trojan attacks on CPUs, even under favorable attack scenarios (e.g., an attacker with local system access), are affected by unpredictability due to non-deterministic context switching events. As we confirm experimentally, these events can lead to race conditions between trigger signals and the CPU events targeted by the trojan payloads (e.g., a CPU memory access), thus affecting the reliability of the attacks. Our work shows that interrupt-resilient trojans can successfully address the problem of non-deterministic triggering in CPUs, thereby providing high reliability guarantees in the implementation of sophisticated hardware trojan attacks. Specifically, we successfully utilize IRTs in different attack scenarios against a Linux-capable CPU design and showcase its resilience against context-switching events. More importantly, we show that our design allows for seamless integration during fabrication stage attacks.We evaluate different strategies for the implementation of our attacks on a tape-out ready high-speed RISC-V microarchitecture in a 28nm commercial technology process and successfully implement them with an average overhead delay of only 20 picoseconds, while leaving the sign-off characteristics of the layout intact. In doing so, we challenge the common wisdom regarding the low flexibility of late supply chain stages (e.g., fabrication) for the insertion of powerful trojans. To promote further research on microprocessor trojans, we open-source our designs and provide the accompanying supporting software logic.

Cryptography and Security

Tony F. Wu,Karthik Ganesan,Yunqing Alexander Hu,H.-S. Philip Wong,Simon Wong,Subhasish Mitra

DOI: https://doi.org/10.1109/TCAD.2015.2474373

2015-08-25

Abstract:There are increasing concerns about possible malicious modifications of integrated circuits (ICs) used in critical applications. Such attacks are often referred to as hardware Trojans. While many techniques focus on hardware Trojan detection during IC testing, it is still possible for attacks to go undetected. Using a combination of new design techniques and new memory technologies, we present a new approach that detects a wide variety of hardware Trojans during IC testing and also during system operation in the field. Our approach can also prevent a wide variety of attacks during synthesis, place-and-route, and fabrication of ICs. It can be applied to any digital system, and can be tuned for both traditional and split-manufacturing methods. We demonstrate its applicability for both ASICs and FPGAs. Using fabricated test chips with Trojan emulation capabilities and also using simulations, we demonstrate: 1. The area and power costs of our approach can range between 7.4-165% and 0.07-60%, respectively, depending on the design and the attacks targeted; 2. The speed impact can be minimal (close to 0%); 3. Our approach can detect 99.998% of Trojans (emulated using test chips) that do not require detailed knowledge of the design being attacked; 4. Our approach can prevent 99.98% of specific attacks (simulated) that utilize detailed knowledge of the design being attacked (e.g., through reverse-engineering). 5. Our approach never produces any false positives, i.e., it does not report attacks when the IC operates correctly.

Hardware Architecture,Cryptography and Security

Sebastian Wallat,Marc Fyrbiak,Moritz Schlögel,Christof Paar

DOI: https://doi.org/10.1109/IVSW.2017.8031551

2019-10-01

Abstract:A massive threat to the modern and complex IC production chain is the use of untrusted off-shore foundries which are able to infringe valuable hardware design IP or to inject hardware Trojans causing severe loss of safety and security. Similarly, market dominating SRAM-based FPGAs are vulnerable to both attacks since the crucial gate-level netlist can be retrieved even in field for the majority of deployed device series. In order to perform IP infringement or Trojan injection, reverse engineering (parts of) the hardware design is necessary to understand its internal workings. Even though IP protection and obfuscation techniques exist to hinder both attacks, the security of most techniques is doubtful since realistic capabilities of reverse engineering are often neglected. The contribution of our work is twofold: first, we carefully review an IP watermarking scheme tailored to FPGAs and improve its security by using opaque predicates. In addition, we show novel reverse engineering strategies on proposed opaque predicate implementations that again enables to automatically detect and alter watermarks. Second, we demonstrate automatic injection of hardware Trojans specifically tailored for third-party cryptographic IP gate-level netlists. More precisely, we extend our understanding of adversary's capabilities by presenting how block and stream cipher implementations can be surreptitiously weakened.

Cryptography and Security

Wei Hu,Beibei Li,Lingjuan Wu,Yiwei Li,Xuefei Li,Liang Hong

2023-11-21

Abstract:Third-party intellectual property cores are essential building blocks of modern system-on-chip and integrated circuit designs. However, these design components usually come from vendors of different trust levels and may contain undocumented design functionality. Distinguishing such stealthy lightweight malicious design modification can be a challenging task due to the lack of a golden reference. In this work, we make a step towards design for assurance by developing a method for identifying and preventing hardware Trojans, employing functional verification tools and languages familiar to hardware designers. We dump synthesized design netlist mapped to a field programmable gate array technology library and perform switching as well as coverage analysis at the granularity of look-up-tables (LUTs) in order to identify specious signals and cells. We automatically extract and formally prove properties related to switching and coverage, which allows us to retrieve Trojan trigger condition. We further provide a solution to preventing Trojan from activation by reconfiguring the confirmed malicious LUTs. Experimental results have demonstrated that our method can detect and mitigate Trust-Hub as well as recently reported don't care Trojans.

Cryptography and Security

Aderinola Gbade-Alabi,David Keezer,Vincent Mooney,Axel Y. Poschmann,Marc Stöttinger,Kshitij Divekar

DOI: https://doi.org/10.1145/2668322.2668325

2014-01-01

Abstract:Trust in the integrated circuit (IC) fabrication industry is an ongoing concern given the trend towards "fabless" design and associated use of third-parties for fabrication. A Hardware Trojan (HT) introduced during fabrication can corrupt an IC's outputs, leak secret information, and yet go undetected by traditional system testing techniques. In this paper we propose an architecture to detect HTs during IC test or at run-time. An HT that would corrupt an IC's output and otherwise proceed undetected will then be rendered useless by this architecture. This approach will therefore discourage the insertion of HTs in the first place. The proposed architecture takes encryption hardware as a paradigmatic case-study and uses digital "signatures" derived from the plaintext to identify if the ciphertext has been corrupted by HTs. We test this methodology through simulation on various types of HTs inserted into a lightweight cryptographic system called "PRESENT"[13]. Our results validate that activated HTs are detected by this methodology.

Tiago D. Perez,Samuel Pagliarini,Tiago Perez

DOI: https://doi.org/10.1109/tcad.2022.3223846

IF: 2.9

2022-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Owning a high-end semiconductor foundry is a luxury very few companies can afford. Thus, fabless design companies outsource integrated circuit fabrication to third parties. Within foundries, rogue elements may gain access to the customer’s layout and perform malicious acts, including the insertion of a hardware trojan (HT). Many works focus on the structure/effects of an HT, while very few have demonstrated the viability of their HTs in silicon. Even fewer disclose how HTs are inserted or the time required for this activity. Our work details, for the first time, how effortlessly an HT can be inserted into a finalized layout by presenting an insertion framework based on the engineering change order flow. For validation, we have built an ASIC prototype in 65-nm CMOS technology comprising of four trojaned cryptocores. A side-channel HT is inserted in each core with the intent of leaking the cryptokey over a power channel. Moreover, we have determined that the entire attack can be mounted in a little over one hour. We also show that the attack was successful for all tested samples. Finally, our measurements demonstrate the robustness of our side-channel trojan against skews in the manufacturing process.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Timothy Trippel,Kang G. Shin,Kevin B. Bush,Matthew Hicks

DOI: https://doi.org/10.48550/arXiv.1906.08842

2020-10-28

Abstract:Since the inception of the Integrated Circuit (IC), the size of the transistors used to construct them has continually shrunk. While this advancement significantly improves computing capability, fabrication costs have skyrocketed. As a result, most IC designers must now outsource fabrication. Outsourcing, however, presents a security threat: comprehensive post-fabrication inspection is infeasible given the size of modern ICs, so it is nearly impossible to know if the foundry has altered the original design during fabrication (i.e., inserted a hardware Trojan). Defending against a foundry-side adversary is challenging because---even with as few as two gates---hardware Trojans can completely undermine software security. Researchers have attempted to both detect and prevent foundry-side attacks, but all existing defenses are ineffective against Trojans with footprints of a few gates or less. We present Targeted Tamper-Evident Routing (T-TER), a preventive layout-level defense against untrusted foundries, capable of thwarting the insertion of even the stealthiest hardware Trojans. T-TER is directed and routing-centric: it prevents foundry-side attackers from routing Trojan wires to, or directly adjacent to, security-critical wires by shielding them with guard wires. Unlike shield wires commonly deployed for cross-talk reduction, T-TER guard wires pose an additional technical challenge: they must be tamper-evident in both the digital (deletion attacks) and analog (move and jog attacks) domains. We address this challenge by developing a class of designed-in guard wires, that are added to the design specifically to protect security-critical wires. T-TER's guard wires incur minimal overhead, scale with design complexity, and provide tamper-evidence against attacks.

Cryptography and Security

Syed Kamran Haider,Chenglu Jin,Marten van Dijk

DOI: https://doi.org/10.48550/arXiv.1605.08413

2017-04-13

Abstract:Electronic Design Automation (EDA) industry heavily reuses third party IP cores. These IP cores are vulnerable to insertion of Hardware Trojans (HTs) at design time by third party IP core providers or by malicious insiders in the design team. State of the art research has shown that existing HT detection techniques, which claim to detect all publicly available HT benchmarks, can still be defeated by carefully designing new sophisticated HTs. The reason being that these techniques consider the HT landscape to be limited only to the publicly known HT benchmarks, or other similar (simple) HTs. However the adversary is not limited to these HTs and may devise new HT design principles to bypass these countermeasures. In this paper, we discover certain crucial properties of HTs which lead to the definition of an exponentially large class of Deterministic Hardware Trojans $H_D$ that an adversary can (but is not limited to) design. The discovered properties serve as HT design principles, based on which we design a new HT called 'XOR-LFSR' and present it as a 'proof-of-concept' example from the class $H_D$. These design principles help us understand the tremendous ways an adversary has to design a HT, and show that the existing publicly known HT benchmarks are just the tip of the iceberg on this huge landscape. This work, therefore, stresses that instead of guaranteeing a certain (low) false negative rate for a small constant set of publicly known HTs, a rigorous HT detection tool should take into account these newly discovered HT design principles and hence guarantee the detection of an exponentially large class (exponential in number of wires in IP core) of HTs with negligible false negative rate.

Cryptography and Security

Xinming Wei,Jiaxi Zhang,Guojie Luo

DOI: https://doi.org/10.1109/sp54263.2024.00160

2024-01-01

Abstract:Due to the escalating complexity of chip design and the exorbitant cost of building cutting-edge manufacturing facilities, outsourcing the fabrication of Integrated Circuits (ICs) is prevalent in modern semiconductor industry. However, significant security risks may arise because untrustworthy foundries can conduct insidious attacks without close supervision. Since prior works show the feasibility of implementing practical foundry-level Trojan attacks that circumvent post-fabrication detection, IC designers should protect their IC layouts before sending them to a third-party foundry, and such protections are known as design-time defenses. To this end, security metrics for layout vulnerability assessment are crucial to test the effectiveness of the proposed defenses. However, existing metrics are geometric-only and Trojan-oblivious, failing to capture the fundamental aspects of foundry-level Trojan insertion and the associated side effects.To bridge the gap between real attacks and threat prediction, we present SiliconCritic, a simulation-based, extensible framework that leverages design-time techniques to simulate the blackbox foundry-level Trojan attacks and post-fabrication analysis. SiliconCritic encodes the difficulty of inserting a specific Trojan into a finalized physical layout by measuring the variation of side-channel parameters (timing, power) after the simulated Trojan insertion, where larger deviations denote better detectability and thus enhanced security. SiliconCritic allows IC designers to interactively refine defensive strategies against the objective Trojan based on the feedback of side-channel analysis. Through evaluations on real-world ASIC designs and reported hardware Trojans, SiliconCritic demonstrates the limitations of existing layout-level defenses and highlights the influence of Trojan properties on defensive efficacy. Our work refreshes the understanding of Trojan prevention and suggests future directions for defenses against untrustworthy foundries.

Yier Jin,Nathan Kupp,Yiorgos Makris

DOI: https://doi.org/10.1109/hst.2009.5224971

2009-01-01

Abstract:We report our experiences in designing and implementing several hardware Trojans within the framework of the Embedded System Challenge competition that was held as part of the Cyber Security Awareness Week (CSAW) at the Polytechnic Institute of New York University in October 2008. Due to the globalization of the Integrated Circuit (IC) manufacturing industry, hardware Trojans constitute an increasingly probable threat to both commercial and military applications. With traditional testing methods falling short in the quest of finding hardware Trojans, several specialized detection methods have surfaced. To facilitate research in this area, a better understanding of what Hardware Trojans would look like and what impact they would incur to an IC is required. To this end, we present eight distinct attack techniques employing Register Transfer Level (RTL) hardware Trojans to compromise the security of an Alpha encryption module implemented on a Digilent BASYS Spartan-3 FPGA board. Our work, which earned second place in the aforementioned competition, demonstrates that current RTL designs are, indeed, quite vulnerable to hardware Trojan attacks.

Alexander Hepp,Tiago Perez,Samuel Pagliarini,Georg Sigl

DOI: https://doi.org/10.48550/arXiv.2208.09235

2022-08-19

Cryptography and Security

Abstract:A potential vulnerability for integrated circuits (ICs) is the insertion of hardware trojans (HTs) during manufacturing. Understanding the practicability of such an attack can lead to appropriate measures for mitigating it. In this paper, we demonstrate a pragmatic framework for analyzing HT susceptibility of finalized layouts. Our framework is representative of a fabrication-time attack, where the adversary is assumed to have access only to a layout representation of the circuit. The framework inserts trojans into tapeout-ready layouts utilizing an Engineering Change Order (ECO) flow. The attacked security nodes are blindly searched utilizing reverse-engineering techniques. For our experimental investigation, we utilized three crypto-cores (AES-128, SHA-256, and RSA) and a microcontroller (RISC-V) as targets. We explored 96 combinations of triggers, payloads and targets for our framework. Our findings demonstrate that even in high-density designs, the covert insertion of sophisticated trojans is possible. All this while maintaining the original target logic, with minimal impact on power and performance. Furthermore, from our exploration, we conclude that it is too naive to only utilize placement resources as a metric for HT vulnerability. This work highlights that the HT insertion success is a complex function of the placement, routing resources, the position of the attacked nodes, and further design-specific characteristics. As a result, our framework goes beyond just an attack, we present the most advanced analysis tool to assess the vulnerability of HT insertion into finalized layouts.

Alex Baumgarten,Michael Steffen,Matthew Clausman,Joseph Zambreno

DOI: https://doi.org/10.1007/s10207-010-0115-0

2010-09-03

International Journal of Information Security

Abstract:As integrated circuits (ICs) continue to have an overwhelming presence in our digital information-dominated world, having trust in their manufacture and distribution mechanisms is crucial. However, with ever-shrinking transistor technologies, the cost of new fabrication facilities is becoming prohibitive, pushing industry to make greater use of potentially less reliable foreign sources for their IC supply. The 2008 Computer Security Awareness Week (CSAW) Embedded Systems Challenge at the Polytechnic Institute of NYU highlighted some of the vulnerabilities of the IC supply chain in the form of a hardware hacking challenge. This paper explores the design and implementation of our winning entry.

computer science, information systems, theory & methods, software engineering

Fan Zhang,Chen Dong,Wucheng Hu,Jinghui Chen,Guorong He

DOI: https://doi.org/10.1109/IAEAC47372.2019.8997863

2019-01-01

Abstract:EDA tools almost completely automate the current chip design. However, EDA tools are all provided by third-party companies, therefore the credibility of EDA tools and the trust issues brought by their process libraries have attracted people's attention. Given these problems, this paper proposes a self-training hardware Trojan confrontation framework based on machine learning embedded in EDA tools. The framework focuses on the gate-level netlist files generated during the integrated chip comprehensive optimization phase, thereby detects, locates and deletes hardware Trojans that may appear. The experimental results show that the framework can achieve more than 85% detection effect for unknown hardware Trojans. Moreover, for known hardware Trojans, this framework can achieve almost 100% detection. Accordingly, hardware Trojans can be located and deleted.

Ruochen Dai,Tuba Yavuz

DOI: https://doi.org/10.48550/arXiv.2111.03989

2021-11-07

Abstract:Due to the globalization of Integrated Circuit (IC) supply chain, hardware trojans and the attacks that can trigger them have become an important security issue. One type of hardware Trojans leverages the don't care transitions in Finite State Machines (FSMs) of hardware designs. In this paper, we present a symbolic approach to detecting don't care transitions and the hidden Trojans. Our detection approach works at both RTL and gate-level, does not require a golden design, and works in three stages. In the first stage, it explores the reachable states. In the second stage, it performs an approximate analysis to find the don't care transitions. In the third stage, it performs a state-space exploration from reachable states that have incoming don't care transitions to find behavioral discrepancies with respect to what has been observed in the first stage. We also present a pruning technique based on the reachability of FSM states. We present a methodology that leverages both RTL and gate-level for soundness and efficiency. Specifically, we show that don't care transitions must be detected at the gate-level, i.e., after synthesis has been performed, for soundness. However, under specific conditions, Trojan detection can be performed more efficiently at RTL. Evaluation of our approach on a set of benchmarks from OpenCores and TrustHub and using gate-level representation generated by two synthesis tools, Yosys and Synopsis Design Compiler (SDC), shows that our approach is both efficient (up to 10X speedup w.r.t. no pruning) and precise (0% false positives) in detecting don't care transitions and the Trojans that leverage them. Additionally, the total analysis time can achieve up to 3.40X (using Yosys) and 2.52X (SDC) speedup when synthesis preserves the FSM structure and the Trojan detection is performed at RTL.

Symbolic Computation

Fangzhou Wang,Qijing Wang,Lilas Alrahis,Bangqi Fu,Shui Jiang,Xiaopeng Zhang,Ozgur Sinanoglu,Tsung-Yi Ho,Evangeline F.Y. Young,Johann Knechtel

2024-05-09

Abstract:Due to cost benefits, supply chains of integrated circuits (ICs) are largely outsourced nowadays. However, passing ICs through various third-party providers gives rise to many security threats, like piracy of IC intellectual property or insertion of hardware Trojans, i.e., malicious circuit modifications.

Cryptography and Security,Hardware Architecture,Machine Learning

Fangzhou Wang,Qijing Wang,Bangqi Fu,Shui Jiang,Xiaopeng Zhang,Lilas Alrahis,Ozgur Sinanoglu,Johann Knechtel,Tsung-Yi Ho,Evangeline F. Y. Young

DOI: https://doi.org/10.48550/arXiv.2211.07997

2022-11-15

Abstract:Due to cost benefits, supply chains of integrated circuits (ICs) are largely outsourced nowadays. However, passing ICs through various third-party providers gives rise to many threats, like piracy of IC intellectual property or insertion of hardware Trojans, i.e., malicious circuit modifications. In this work, we proactively and systematically harden the physical layouts of ICs against post-design insertion of Trojans. Toward that end, we propose a multiplexer-based logic-locking scheme that is (i) devised for layout-level Trojan prevention, (ii) resilient against state-of-the-art, oracle-less machine learning attacks, and (iii) fully integrated into a tailored, yet generic, commercial-grade design flow. Our work provides in-depth security and layout analysis on a challenging benchmark suite. We show that ours can render layouts resilient, with reasonable overheads, against Trojan insertion in general and also against second-order attacks (i.e., adversaries seeking to bypass the locking defense in an oracle-less setting). We release our layout artifacts for independent verification [29] and we will release our methodology's source code.

Cryptography and Security,Hardware Architecture,Machine Learning

Kevin Kwiat,Jason Kulick,Paul Ratazzi

2024-10-01

Abstract:Many design companies have gone fabless and rely on external fabrication facilities to produce chips due to increasing cost of semiconductor manufacturing. However, not all of these facilities can be considered trustworthy; some may inject hardware Trojans and jeopardize the security of the system. One common objective of hardware Trojans is to establish a side channel for data leakage. While extensive literature exists on various defensive measures, almost all of them focus on preventing the establishment of side channels, and can be compromised if attackers gain access to the physical chip and can perform reverse engineering between multiple fabrication runs. In this paper, we advance (from theory to practice) RECORD: Randomized Encoding of COmbinational Logic for Resistance to Data Leakage. RECORD is a novel scheme of temporarily randomized encoding for combinational logic that, with the aid of Quilt Packaging, prevents attackers from interpreting the data.

Cryptography and Security