Hardware Trojan

Post on 26-Oct-2014


Content

- Trojan
- Software Trojan & its types
- Hardware Trojan
- Trigger Mechanism
- Hardware Trojan Actions
- Classification on the basis of Trojan location
- Design Phases of Hardware Trojan
- Prevention
- Trojan Detection: Destructive & Non-Destructive Ways
- Examples of Hardware Trojan

Trojans

A Trojan is any trick that causes a target to unknowingly invite a foe into a securely protected space.

Trojan

- Software Trojans
- Hardware Trojans

Software Trojan

A software Trojan is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage.

Types of Software Trojan

- Remote Access Trojans
- Data Sending Trojans
- Destructive Trojans
- Proxy Trojans
- FTP Trojans
- Security software disabler Trojans
- Denial-of-service attack (DoS) Trojans

Hardware Trojan

A hardware Trojan is a malicious addition or modification to the existing circuit elements that can change the functionality, reduce the reliability, or leak valuable information. It can be inserted at any phase of the IC design.

Trojans that are triggered usually require two parts:

- Trigger: acts as sensing circuitry that activates the Trojan to perform a specific task.
- Payload: responsible for the malicious activity of the Trojan.

Once inserted into a system, most hardware Trojans lie dormant until activated (or triggered) to perform malicious activity.

Trigger Mechanism

Trigger

- Always On
- Internally Triggered
- Externally Triggered

Always ON

- Trojans that are always on consist of only the payload part.

Examples:

- Leaking data through a circuit-based side channel
- Devices on a wafer are modified to wear out after a certain time period (reliability-based hardware Trojan)

Externally Triggered

- External triggers rely on some interaction with the outside world, distinct from the system that the target device is integrated within.
- Embedding a receiver or antenna within a target device.
- On-chip sensors that could monitor the external environment, including sensing temperature, voltages, EMI, humidity, and altitude.
- A trigger may also come from another component that is externally connected, e.g., a connected memory device.

Internally Triggered

- Internally triggered hardware Trojans rely on some specific internal state of the target device being reached.
- Two types: Combinational Activation and Sequential Activation.

Combinational Activation

- A hardware Trojan is activated when certain values are detected simultaneously at specific internal circuit nodes within a device: a trigger state.
- This type of trigger mechanism can be implemented solely by combinational logic.
- E.g., a specific address on the bus triggers the hardware Trojan.

Sequential Activation

- Sequentially triggered hardware Trojans rely on a sequence of events occurring for activation.

Hardware Trojan Actions

- Modify Functionality
- Modify Specification
- Leak Information
- Denial of Service

Modify Functionalities

- Add logic
- Remove logic
- Bypass logic
- Change content of programmable ROM

Modify Specification

- Change the target IC's parametric properties:
  - Clock or timing parameters
  - Power usage
- Done by directly influencing intrinsic IC properties, such as wire and transistor geometry.

Leak Information

- Transmit information without the user's knowledge, through:
  - RF
  - RS232
  - JTAG interface
  - Optical
  - Thermal
  - Power

Denial of Service

- Trojans that affect service by exhausting scarce resources such as bandwidth.
- Disable part or all of the power supply to a device.

Location

- Processor
- Memory
- Power Supply
- I/O
- Clock Grid

Design Phases of Hardware Trojan

- Specification
- Design
- Fabrication
- Testing and Assembling

Prevention

Trojan Detection

- Destructive Method
- Non-Destructive Method

Trojan Detection- Destructive Method

Techniques:

- Scanning optical microscopy (SOM)
- Scanning electron microscope (SEM)
- Voltage contrast imaging (VCI)
- Light-induced voltage alteration (LIVA)
- Charge-induced voltage alteration (CIVA)

Light-induced voltage alteration (LIVA)

- An optical beam generates photocarriers at the focal point.
- The photoconductive effect in the integrated circuit (IC) creates local changes in resistance.
- The change in resistance causes a change in voltage.
- A digital record of voltage versus scanner position produces the LIVA image.

Trojan Detection- Destructive Method

- These techniques are ineffective in the nanometer domain.
- A hacker is most likely to modify only a small random sample of chips in the production line.
- Destructive methods of validating an IC are extremely expensive in time and cost and are technology intensive, with validation of a single IC taking months.

Non-Destructive Method

- Side-Channel Analysis
- Logical Analysis
- Built-in Test

Trojan Detection- Side-Channel Analysis

- Side-channel analysis techniques use the effect of an inserted Trojan on a measurable physical quantity, such as:
  - the supply current
  - path delays
  - the amount of heat produced in certain locations
- Such a measured circuit parameter can be referred to as a fingerprint for the IC.
- The Trojan does not need to be activated in order to be detected.
- An intelligent adversary can craft a very small Trojan circuit with just a few logic gates, which causes minimal impact on circuit power or delay. Thus it can easily evade side-channel detection techniques.

1. Select a few ICs at random from a family of ICs (i.e., ICs with the same mask and manufactured in the same unit).

2. Run sufficient I/O tests multiple times on the selected ICs so as to exercise all of their expected circuitry, and collect one or more side-channel signals from the ICs during these tests.

3. Use these side-channel signals to build a “side-channel fingerprint” for the IC family.

4. Destructively test the selected ICs to validate that they are compliant with the original specifications.

5. All other ICs from the same family are nondestructively validated by subjecting them to the same I/O tests and validating that their side-channel signals are consistent with the “side-channel fingerprint” of the family.
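The five-step procedure above, sketched as an added example (not from the original slides). The supply-current traces are constructed, the RMS z-score metric and the threshold of 3 are assumptions, and step 4 (destructive validation of the sampled ICs) is taken as already done.

```python
import math
import random
import statistics

def build_fingerprint(golden_traces):
    """Steps 1-3: per-sample mean and standard deviation across the sampled ICs."""
    columns = list(zip(*golden_traces))
    return ([statistics.fmean(c) for c in columns],
            [statistics.stdev(c) for c in columns])

def deviation(trace, fingerprint):
    """RMS of per-sample z-scores: distance of one trace from the family fingerprint."""
    means, stdevs = fingerprint
    z2 = [((x - m) / s) ** 2 for x, m, s in zip(trace, means, stdevs)]
    return math.sqrt(sum(z2) / len(z2))

def validate(trace, fingerprint, threshold=3.0):
    """Step 5: accept an IC only if its trace is consistent with the fingerprint.
    The threshold is an assumed value, not one given on the slides."""
    return deviation(trace, fingerprint) <= threshold

# --- Constructed measurement model (sample data, not real measurements) ---
rng = random.Random(2014)
BASE_MA = [10.0 + 2.0 * math.sin(i / 5.0) for i in range(64)]  # nominal current, mA

def measure(extra_ma=0.0):
    """One simulated trace: nominal waveform, process/measurement noise,
    plus any constant extra current drawn by added circuitry."""
    return [b + extra_ma + rng.gauss(0.0, 0.2) for b in BASE_MA]

def demo():
    golden = [measure() for _ in range(20)]   # ICs later verified destructively
    fingerprint = build_fingerprint(golden)
    return {
        "clean": validate(measure(), fingerprint),
        # Extra draw far above the noise floor: rejected.
        "large_addition": validate(measure(1.5), fingerprint),
        # Extra draw well inside process variation: still accepted, which is
        # the limitation noted above for very small Trojan circuits.
        "small_addition": validate(measure(0.05), fingerprint),
    }

if __name__ == "__main__":
    print(demo())
```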

[Figure: real circuit (green) and Trojan circuit (blue); labels 100 MHz and 500 kHz]

Shadow Register

Logic Test Based Approach

[Figure: circuit diagrams with nodes x, y and z, and a list of 6-bit test patterns]
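Logic testing compares a device's outputs with the specified behaviour, so it can expose an internally triggered Trojan only if some test vector reaches the trigger state. This added example (not from the original slides) estimates that test coverage for the combinational trigger described earlier; the pass-through function, trigger values and bus widths are constructed, and test inputs are assumed uniformly random.

```python
import random

ADDR_BITS, DATA_BITS = 32, 8  # constructed bus widths

def golden(addr, data):
    """Specified behaviour (constructed): data passes through unchanged."""
    return data

def make_dut(trigger_addr, mask):
    """Model of a device under test whose output deviates only in the trigger
    state, i.e. when the address bits selected by `mask` match `trigger_addr`."""
    def dut(addr, data):
        if (addr & mask) == (trigger_addr & mask):
            return data ^ 0x01
        return data
    return dut

def random_logic_test(dut, n_vectors, rng):
    """Return the index of the first vector whose output differs from the
    golden model, or None if every vector passes."""
    for i in range(n_vectors):
        addr, data = rng.getrandbits(ADDR_BITS), rng.getrandbits(DATA_BITS)
        if dut(addr, data) != golden(addr, data):
            return i
    return None

def coverage(trigger_bits, n_vectors):
    """Probability that n uniformly random vectors reach, at least once, a
    trigger state defined on `trigger_bits` internal nodes."""
    return 1.0 - (1.0 - 2.0 ** -trigger_bits) ** n_vectors

def demo(n_vectors=10_000, seed=1):
    rng = random.Random(seed)
    narrow = make_dut(0x5, 0xF)                # trigger state on 4 nodes
    wide = make_dut(0xDEADBEEF, 0xFFFFFFFF)    # trigger state on 32 nodes
    return {
        "narrow_first_mismatch": random_logic_test(narrow, n_vectors, rng),
        "wide_first_mismatch": random_logic_test(wide, n_vectors, rng),
        "narrow_coverage": coverage(4, n_vectors),
        "wide_coverage": coverage(32, n_vectors),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A passing random test therefore says little about wide trigger states, which is why logic testing is paired with the side-channel and built-in test methods listed above.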

Built-in Test

Ring Oscillator

R01

R02

Examples

- Assume a chip receives encrypted commands from an RF channel and stores the value in a register for subsequent decryption.
- An adversary transmits a "code" that causes activation: the missile detonates before reaching its target.

Cell Phone Hardware Trojan
