Chen Dong,Yi Xu,Ximeng Liu,Fan Zhang,Guorong He,Yuzhong Chen

DOI: https://doi.org/10.3390/s20185165

IF: 3.9

2020-01-01

Sensors

Abstract:Diverse and wide-range applications of integrated circuits (ICs) and the development of Cyber Physical System (CPS), more and more third-party manufacturers are involved in the manufacturing of ICs. Unfortunately, like software, hardware can also be subjected to malicious attacks. Untrusted outsourced manufacturing tools and intellectual property (IP) cores may bring enormous risks from highly integrated. Attributed to this manufacturing model, the malicious circuits (known as Hardware Trojans, HTs) can be implanted during the most designing and manufacturing stages of the ICs, causing a change of functionality, leakage of information, even a denial of services (DoS), and so on. In this paper, a survey of HTs is presented, which shows the threatens of chips, and the state-of-the-art preventing and detecting techniques. Starting from the introduction of HT structures, the recent researches in the academic community about HTs is compiled and comprehensive classification of HTs is proposed. The state-of-the-art HT protection techniques with their advantages and disadvantages are further analyzed. Finally, the development trends in hardware security are highlighted.

Xiaofei Zhang,Jianhua Feng,Zhoupeng Xue,Yinxuan Lv

DOI: https://doi.org/10.3969/j.issn.1001-0505.2017.S1.029

2017-01-01

Abstract:To reduce the dependency of hardware Trojan on low-controllability nodes,a method for improving the implanted node selection and the internal structure of hardware Trojan was designed. For Trojan implanted nodes, a node searching algorithm for finding low-probability combination from high-controllability nodes was proposed.For low-probability nodes inside Trojan,a Trojan de-sign model based on non-rare events and multi-nodes controlling attack path was presented.By the ISCAS-85 benchmark circuit,the triggering probabilities of Trojans based on low-probability nodes and the combination probability are compared,and a Trojan design with 6-inputs based on the pro-posed method was realized.The experimental results show that the hardware Trojans based on com-bination probability can achieve a comparable(or even lower)triggering probability with that based on low-probability nodes when the numbers of Trojan triggering ports increase.And Trojan internal nodes with a direct impact on Trojan triggering probability can be eliminated by the Trojan design based on non-rare events,protecting Trojan from being triggered by auto-test patterns.Thus,impro-ving the concealment of hardware Trojan.

Fan Zhang,Yiran Zhang,Shengwen Shi,Shize Guo,Ziyuan Liang,Samiya Qureshi,Congyuan Xu

DOI: https://doi.org/10.1109/PADSW.2018.8644906

2018-01-01

Abstract:An optimized lightweight Hardware Trojan (HT)based fault attack is proposed, especially for those resource-constrained environments such as IoT networks. Firstly, Algebraic fault analysis (AFA)is introduced to evaluate different fault models and search for the optimal one. Next, considering the limited resource, a lightweight HT is carefully designed which only flips one bit of the circuit in IoT device. Finally, AFA is applied again to exploit the fault and recover the secret key. An illustrative attack is demonstrated on DES implemented on an FPGA platform, SASEBO-GII. This paper shows that, for single bit fault injection at different rounds or different indexes in the same round, the reduced key search space of DES varies. The proposed technique can search for the optimal fault model, guide the lightweight Hardware Trojan design and automatically recover the secret key. Only one fault is required to recover the secret key of DES, which improves the stealthiness of the designed Hardware Trojan in IoT networks. The entire attack framework can also be applied to other block ciphers such as AES and PRESENT.

Syed Kamran Haider,Chenglu Jin,Marten van Dijk

DOI: https://doi.org/10.48550/arXiv.1605.08413

2017-04-13

Abstract:Electronic Design Automation (EDA) industry heavily reuses third party IP cores. These IP cores are vulnerable to insertion of Hardware Trojans (HTs) at design time by third party IP core providers or by malicious insiders in the design team. State of the art research has shown that existing HT detection techniques, which claim to detect all publicly available HT benchmarks, can still be defeated by carefully designing new sophisticated HTs. The reason being that these techniques consider the HT landscape to be limited only to the publicly known HT benchmarks, or other similar (simple) HTs. However the adversary is not limited to these HTs and may devise new HT design principles to bypass these countermeasures. In this paper, we discover certain crucial properties of HTs which lead to the definition of an exponentially large class of Deterministic Hardware Trojans $H_D$ that an adversary can (but is not limited to) design. The discovered properties serve as HT design principles, based on which we design a new HT called 'XOR-LFSR' and present it as a 'proof-of-concept' example from the class $H_D$. These design principles help us understand the tremendous ways an adversary has to design a HT, and show that the existing publicly known HT benchmarks are just the tip of the iceberg on this huge landscape. This work, therefore, stresses that instead of guaranteeing a certain (low) false negative rate for a small constant set of publicly known HTs, a rigorous HT detection tool should take into account these newly discovered HT design principles and hence guarantee the detection of an exponentially large class (exponential in number of wires in IP core) of HTs with negligible false negative rate.

Cryptography and Security

Lei LI,Zijing SHANG,Jianhua FENG,Xing ZHANG,Huiyao AN

2013-01-01

Abstract:According to the hardware Trojans inserted during design and fabrication, the authors provide a new model of Trojan. New model is based on a finite state machine which is more difficult to trigger and detect than those based on combinational circuits. Also, the locations in target circuits to insert Trojans are considered to avoid being detected using path delay fingerprint method. S349 circuit from ISCAS'89 benchmark circuits is chosen as the target circuit. Functional simulations are performed and delay information is simulated. The results show that this type of hardware Trojan is difficult to activate and the insertion method is effective to hide delay information.

Tony F. Wu,Karthik Ganesan,Yunqing Alexander Hu,H.-S. Philip Wong,Simon Wong,Subhasish Mitra

DOI: https://doi.org/10.1109/TCAD.2015.2474373

2015-08-25

Abstract:There are increasing concerns about possible malicious modifications of integrated circuits (ICs) used in critical applications. Such attacks are often referred to as hardware Trojans. While many techniques focus on hardware Trojan detection during IC testing, it is still possible for attacks to go undetected. Using a combination of new design techniques and new memory technologies, we present a new approach that detects a wide variety of hardware Trojans during IC testing and also during system operation in the field. Our approach can also prevent a wide variety of attacks during synthesis, place-and-route, and fabrication of ICs. It can be applied to any digital system, and can be tuned for both traditional and split-manufacturing methods. We demonstrate its applicability for both ASICs and FPGAs. Using fabricated test chips with Trojan emulation capabilities and also using simulations, we demonstrate: 1. The area and power costs of our approach can range between 7.4-165% and 0.07-60%, respectively, depending on the design and the attacks targeted; 2. The speed impact can be minimal (close to 0%); 3. Our approach can detect 99.998% of Trojans (emulated using test chips) that do not require detailed knowledge of the design being attacked; 4. Our approach can prevent 99.98% of specific attacks (simulated) that utilize detailed knowledge of the design being attacked (e.g., through reverse-engineering). 5. Our approach never produces any false positives, i.e., it does not report attacks when the IC operates correctly.

Hardware Architecture,Cryptography and Security

Lijun Liu,Tao Wang,Xiaohan Wang,Tianyu He

DOI: https://doi.org/10.1016/j.compeleceng.2021.107229

2021-07-01

Abstract:<p>In order to reduce the impact of Hardware Trojan (HT) implantation on the original circuit power consumption, a method using Evolvable Hardware (EHW) to implant combinational HT is proposed. First, the truth table of the original circuit is modified according to the category of HT. Secondly, the symmetric value and similar value are used to evaluate the difficulty degree of evolution, and the truth table which is easy to evolve is selected for evolution. Finally, from the various circuits generated by evolution, the circuit close to the number of logic gates and power consumption of the original circuit is selected to replace the original circuit. The obtained circuit not only includes the HT function, but also improve the anti-power detection ability. According to the experimental results, the HT implanted by EHW has smaller power consumption difference than the HT implanted by general method, and has stronger anti-power detection ability.</p>

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Wei Hu,Beibei Li,Lingjuan Wu,Yiwei Li,Xuefei Li,Liang Hong

2023-11-21

Abstract:Third-party intellectual property cores are essential building blocks of modern system-on-chip and integrated circuit designs. However, these design components usually come from vendors of different trust levels and may contain undocumented design functionality. Distinguishing such stealthy lightweight malicious design modification can be a challenging task due to the lack of a golden reference. In this work, we make a step towards design for assurance by developing a method for identifying and preventing hardware Trojans, employing functional verification tools and languages familiar to hardware designers. We dump synthesized design netlist mapped to a field programmable gate array technology library and perform switching as well as coverage analysis at the granularity of look-up-tables (LUTs) in order to identify specious signals and cells. We automatically extract and formally prove properties related to switching and coverage, which allows us to retrieve Trojan trigger condition. We further provide a solution to preventing Trojan from activation by reconfiguring the confirmed malicious LUTs. Experimental results have demonstrated that our method can detect and mitigate Trust-Hub as well as recently reported don't care Trojans.

Cryptography and Security

Di Wang,Liji Wu,Xiangmin Zhang,XingJun Wu

DOI: https://doi.org/10.1109/isdfs.2018.8355314

2018-01-01

Abstract:Hardware Trojan research has become an important research topic in recent time since the increased awareness of hardware security. In this work, we designed a novel counter-type Hardware Trojan based on One-hot code, which has better performance than classic solutions. By improvement in this work, the dynamic power consumption of counter Trojan has reached a decrease of 25%. At the same time, power consumption peak caused by flipping like 0111111→1000000 under binary encoding was avoided. The performance of designed Trojan has been fully tested in the software-hardware co-verification environment, which shows that Trojan implantation did not influence the proper work of background circuit, only did some tricks in the way we need; and the Trojan latent period is controllable by connecting Trojan circuit to different trigger nodes.

Imran Hafeez Abbassi,Faiq Khalid,Semeen Rehman,Awais Mehmood Kamboh,Axel Jantsch,Siddharth Garg,Muhammad Shafique

DOI: https://doi.org/10.48550/arXiv.1812.02770

2018-11-05

Abstract:Conventional Hardware Trojan (HT) detection techniques are based on the validation of integrated circuits to determine changes in their functionality, and on non-invasive side-channel analysis to identify the variations in their physical parameters. In particular, almost all the proposed side-channel power-based detection techniques presume that HTs are detectable because they only add gates to the original circuit with a noticeable increase in power consumption. This paper demonstrates how undetectable HTs can be realized with zero impact on the power and area footprint of the original circuit. Towards this, we propose a novel concept of TrojanZero and a systematic methodology for designing undetectable HTs in the circuits, which conceals their existence by gate-level modifications. The crux is to salvage the cost of the HT from the original circuit without being detected using standard testing techniques. Our methodology leverages the knowledge of transition probabilities of the circuit nodes to identify and safely remove expendable gates, and embeds malicious circuitry at the appropriate locations with zero power and area overheads when compared to the original circuit. We synthesize these designs and then embed in multiple ISCAS85 benchmarks using a 65nm technology library, and perform a comprehensive power and area characterization. Our experimental results demonstrate that the proposed TrojanZero designs are undetectable by the state-of-the-art power-based detection methods.

Cryptography and Security,Hardware Architecture

Behnam Omidi,Khaled N. Khasawneh,Ihsen Alouani

2024-01-05

Abstract:The globalization of the Integrated Circuit (IC) supply chain, driven by time-to-market and cost considerations, has made ICs vulnerable to hardware Trojans (HTs). Against this threat, a promising approach is to use Machine Learning (ML)-based side-channel analysis, which has the advantage of being a non-intrusive method, along with efficiently detecting HTs under golden chip-free settings. In this paper, we question the trustworthiness of ML-based HT detection via side-channel analysis. We introduce a HT obfuscation (HTO) approach to allow HTs to bypass this detection method. Rather than theoretically misleading the model by simulated adversarial traces, a key aspect of our approach is the design and implementation of adversarial noise as part of the circuitry, alongside the HT. We detail HTO methodologies for ASICs and FPGAs, and evaluate our approach using TrustHub benchmark. Interestingly, we found that HTO can be implemented with only a single transistor for ASIC designs to generate adversarial power traces that can fool the defense with 100% efficiency. We also efficiently implemented our approach on a Spartan 6 Xilinx FPGA using 2 different variants: (i) DSP slices-based, and (ii) ring-oscillator-based design. Additionally, we assess the efficiency of countermeasures like spectral domain analysis, and we show that an adaptive attacker can still design evasive HTOs by constraining the design with a spectral noise budget. In addition, while adversarial training (AT) offers higher protection against evasive HTs, AT models suffer from a considerable utility loss, potentially rendering them unsuitable for such security application. We believe this research represents a significant step in understanding and exploiting ML vulnerabilities in a hardware security context, and we make all resources and designs openly available online:

Cryptography and Security,Hardware Architecture,Machine Learning

Tiago D. Perez,Samuel Pagliarini,Tiago Perez

DOI: https://doi.org/10.1109/tcad.2022.3223846

IF: 2.9

2022-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Owning a high-end semiconductor foundry is a luxury very few companies can afford. Thus, fabless design companies outsource integrated circuit fabrication to third parties. Within foundries, rogue elements may gain access to the customer’s layout and perform malicious acts, including the insertion of a hardware trojan (HT). Many works focus on the structure/effects of an HT, while very few have demonstrated the viability of their HTs in silicon. Even fewer disclose how HTs are inserted or the time required for this activity. Our work details, for the first time, how effortlessly an HT can be inserted into a finalized layout by presenting an insertion framework based on the engineering change order flow. For validation, we have built an ASIC prototype in 65-nm CMOS technology comprising of four trojaned cryptocores. A side-channel HT is inserted in each core with the intent of leaking the cryptokey over a power channel. Moreover, we have determined that the entire attack can be mounted in a little over one hour. We also show that the attack was successful for all tested samples. Finally, our measurements demonstrate the robustness of our side-channel trojan against skews in the manufacturing process.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Thilo Krachenfels,Jean-Pierre Seifert,Shahin Tajik

DOI: https://doi.org/10.48550/arXiv.2107.10147

2023-02-02

Abstract:The threat of hardware Trojans (HTs) and their detection is a widely studied field. While the effort for inserting a Trojan into an application-specific integrated circuit (ASIC) can be considered relatively high, especially when trusting the chip manufacturer, programmable hardware is vulnerable to Trojan insertion even after the product has been shipped or during usage. At the same time, detecting dormant HTs with small or zero-overhead triggers and payloads on these platforms is still a challenging task, as the Trojan might not get activated during the chip verification using logical testing or physical measurements. In this work, we present a novel Trojan detection approach based on a technique known from integrated circuit (IC) failure analysis, capable of detecting virtually all classes of dormant Trojans. Using laser logic state imaging (LLSI), we show how supply voltage modulations can awaken inactive Trojans, making them detectable using laser voltage imaging techniques. Therefore, our technique does not require triggering the Trojan. To support our claims, we present three case studies on 28 and 20 SRAM- and flash-based field-programmable gate arrays (FPGAs). We demonstrate how to detect with high confidence small changes in sequential and combinatorial logic as well as in the routing configuration of FPGAs in a non-invasive manner. Finally, we discuss the practical applicability of our approach on dormant analog Trojans in ASICs.

Cryptography and Security

Wanting Zhou,Kuo-Hui Ye,Shiwei Yuan,Lei Li

DOI: https://doi.org/10.1016/j.heliyon.2023.e17085

IF: 3.776

2023-06-13

Heliyon

Abstract:As the core of Internet of Things (IoT), embedded processors are being used more and more extensive. However, embedded processors face various hardware security issues such as hardware trojans (HT) and code tamper attacks. In this paper, a cycle-level recovery method for embedded processor against HT tamper is proposed, which builds two hardware-implementation units, a General-Purpose Register (GPRs) backup unit and a PC rollback unit. Once a HT tamper is detected, the two units will carry out fast recovery through rolling back to the exact PC address corresponding to the wrong instruction and resuming the instruction execution. An open RISC-V core of PULPino is adopted for recovery mechanism verification, the experimental results and hardware costs show that the proposed method could guarantee the processor restore from abnormal state in real time with a reasonable hardware overhead.

Xiaoming Chen,Qiaoyi Liu,Song Yao,Jia Wang,Qiang Xu,Yu Wang,Yongpan Liu,Huazhong Yang

DOI: https://doi.org/10.1109/tcad.2017.2748021

IF: 2.9

2017-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:In modern integrated circuit (IC) designs, intellectual property (IP) cores are often outsourced and designed by third-party vendors, resulting in the partial relinquishment of the control over the IC design flow. Thus, reliable verifications are required to mitigate the threat of hardware Trojans (HTs) which may be inserted into IP cores by malicious vendors. Existing trustiness verification methods cannot take the merit of high efficiency and accuracy at the same time. In this paper, we propose a multilevel fast trustiness verification framework based on feature analysis to detect HTs in third-party digital IP cores. The proposed framework combines flip-flop level and combinational logic level feature analysis to achieve both high efficiency and accuracy. Experimental results demonstrate that both explicitly and implicitly triggered HTs can be detected in very short time with a negligible false positive rate. More importantly, our framework has the unique advantage of being scalable to defend against future and stealthier HTs by adding new features into the framework.

xuwei ye,jianhua feng,haoran gong,chunhua he,weilei feng

DOI: https://doi.org/10.1109/edssc.2015.7285146

2015-01-01

Abstract:Hardware Trojan, realized by malicious modification of design characteristics, has emerged as a major security concern. The recently proposed Trojan detection methods arc mainly classified into two categories: side-channel signal analysis and logic testing. Due to the stealthy nature of Trojan circuits, it's difficult to activate Trojans to perform logic testing. In this paper, an activation probability-based approach is proposed. A probability obfuscation scan chain (POSC) is presented aiming at increasing the difficulty of Trojan insertion and increasing the activation probability of the Trojan circuits. It proves to be very effective in detecting the presence of a Trojan in a circuit. Experimental results on ISCAS benchmark circuits show that this approach can effectively increase Trojan activation probability and make the detection of the Trojan more easily.

Elena Dubrova,Mats Näslund,Gunnar Carlsson,John Fornehed,Ben Smeets

DOI: https://doi.org/10.1007/s11265-016-1127-4

2016-03-11

Journal of Signal Processing Systems

Abstract:The threat of hardware Trojans has been widely recognized by academia, industry, and government agencies. A Trojan can compromise security of a system in spite of cryptographic protection. The damage caused by a Trojan may not be limited to a business or reputation, but could have a severe impact on public safety, national economy, or national security. An extremely stealthy way of implementing hardware Trojans has been presented by Becker et al. at CHES’2012. Their work have shown that it is possible to inject a Trojan in a random number generator compliant with FIPS 140-2 and NIST SP800-90 standards by exploiting non-zero aliasing probability of Logic Built-In-Self-Test (LBIST). In this paper, we present two methods for modifying LBIST to prevent such an attack. The first method makes test patterns dependent on a configurable key which is programed into a chip after the manufacturing stage. The second method uses a remote test management system which can execute LBIST using a different set of test patterns at each test cycle.

English Else

Yumin Hou,Hu He,Kaveh Shamsi,Yier Jin,Dong Wu,Huaqiang Wu

DOI: https://doi.org/10.1109/tcad.2018.2864246

IF: 2.9

2019-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:With the globalization of semiconductor industry, hardware security issues have been gaining increasing attention. Among all hardware security threats, the insertion of hardware Trojans is one of the main concerns. Meanwhile, many current Trojan detection solutions follow the assumption that the hardware Trojan itself should be composed of digital logic. This assumption is invalidated by recently proposed analog Trojans which are extremely small and can detect rare events. This paper proposes a runtime hardware Trojan detection method which is geared toward detecting such advanced Trojans. The principle of this method is to guard a set of concerned signals, and initiate a hardware interrupt request when abnormal toggling events occur in these guarded signals. To prove the effectiveness of this method, we design a processor based on ARMv7-A&R ISA, and insert an analog Trojan into the processor. We fabricated the design in an SMIC 130-nm process and demonstrate the effectiveness of the proposed methodology.

Akshay Wali,Harikrishnan Ravichandran,Saptarshi Das

DOI: https://doi.org/10.1039/d2nh00568a

2023-05-02

Abstract:Hardware Trojans (HTs) have emerged as a major security threat for integrated circuits (ICs) owing to the involvement of untrustworthy actors in the globally distributed semiconductor supply chain. HTs are intentional malicious modifications, which remain undetectable through simple electrical measurements but can cause catastrophic failure in the functioning of ICs in mission critical applications. In this article, we show how two-dimensional (2D) material based in-memory computing elements such as memtransistors can be used as hardware Trojans. We found that logic gates based on 2D memtransistors can be made to malfunction by exploiting their inherent programming capabilities. While we use 2D memtransistor-based ICs as the testbed for our demonstration, the results are equally applicable to any state-of-the-art and emerging in-memory computing technologies.

Fan Zhang,Chen Dong,Wucheng Hu,Jinghui Chen,Guorong He

DOI: https://doi.org/10.1109/IAEAC47372.2019.8997863

2019-01-01

Abstract:EDA tools almost completely automate the current chip design. However, EDA tools are all provided by third-party companies, therefore the credibility of EDA tools and the trust issues brought by their process libraries have attracted people's attention. Given these problems, this paper proposes a self-training hardware Trojan confrontation framework based on machine learning embedded in EDA tools. The framework focuses on the gate-level netlist files generated during the integrated chip comprehensive optimization phase, thereby detects, locates and deletes hardware Trojans that may appear. The experimental results show that the framework can achieve more than 85% detection effect for unknown hardware Trojans. Moreover, for known hardware Trojans, this framework can achieve almost 100% detection. Accordingly, hardware Trojans can be located and deleted.