HARDWARE TROJAN
EEC 492/592, CIS 493
Hands-on Experience on Computer System Security
Chan Yu
Cleveland State University
HARDWARE TROJAN
Hardware Trojan: Malicious alteration of hardware that could, under
specific conditions, result in functional changes of the system.
Time Bomb Trojan disables a system at some future time.
Data Exfiltration Trojan leaks confidential information over a
secret channel.
A few slides borrowed from Dr. Fouad Kiamilev,
University of Delaware
TROJAN PAYLOAD (DETECTION)
Thermal
An external resistor is electrically modulated, creating thermal emission.
The microcontroller or other parts of the circuit are quickly saturated with
operations, creating thermal emission.
The thermal signal is sensed using an IR camera.
Optical
An external LED is electrically modulated at a rate undetectable by the human eye.
The optical signal is sensed using an optical-to-audio amplifier.
Radio
An external I/O pin is modulated, causing radio emission.
The radio signal is sensed using a radio receiver, and the received signal is
post-processed on a PC.
NEXT STEP
Experiment #4c
ALU design using Quartus & DE0
HT insertion (trigger, payload)
Competition
Advanced
AN ALU (ARITHMETIC LOGIC UNIT)
Let's build an ALU to support the and/or/add instructions
we'll just build a 1 bit ALU, and use 3 of them
and/or is simpler because each bit operates independently
add is complicated due to carry
AN ALU (ARITHMETIC LOGIC UNIT)
1-bit andi and ori
3-input implementation (a,b,op)
[Figure: 1-bit and/or unit with inputs a, b and operation, and output result; truth table with columns op, a, b, res]
A DIFFERENT IMPLEMENTATION WITH:
THE MULTIPLEXOR
Selects one of the inputs to be the output, based on a
control input
Let's build our ALU using a MUX: (1-bit and/or)
[Figure: 2-input mux with data inputs A and B (labelled 0 and 1), select S and output C]
note: we call this a 2-input mux
even though it has 3 inputs!
1-BIT ALU FOR ADDITION
Boolean equation for carryout ???
cout = a b + a cin + b cin
Boolean equation for sum ???
sum = a xor b xor cin
Implementation ???
[Figure: full adder with inputs a, b, CarryIn and outputs Sum, CarryOut]
1-BIT ALU FOR ADDITION (FULLADDER)
1-BIT ALU FOR AND / OR / ADDITION
How could we build a 1-bit ALU for add, and, and or?
How could we build a 3-bit ALU?
[Figure: 1-bit ALU with inputs A, B, select S and output C; the adder provides addersum and carryout]
adder has two outputs
What to do with the carryout??? => connect to the
next bit ALU
1-BIT ALU FOR AND/OR/ADD (ALU1)
S1  S0  Q
0   0   D0 (AND)
0   1   D1 (OR)
1   0   D2 (ADD)
1   1   N/A or DC (Don’t Care)
BUILDING A 3 BIT ALU
[Figure: ripple-carry chain of 1-bit ALUs (ALU0, ALU1, ALU2, ... ALU31); each slice takes a_i, b_i, CarryIn and the shared Operation input and produces Result_i and CarryOut, with each CarryOut feeding the next slice's CarryIn. Operation select: and:0, or:1, add:2]
3-BIT ALU (ALU3)
[Figure: ALU3 schematic; labelled signal su[2]]
A = sw[9:7]
B = sw[6:4]
S = sw[1:0]
cout = LEDG6
Result = HEX1
S1  S0  R
0   0   A.and.B
0   1   A.or.B
1   0   A.add.B
1   1   N/A or DC (Don’t Care)
DON’T CARES
Satisfiability Don’t Cares (SDC)
SDC consists of all input patterns that will never occur
For the 1-bit ALU case, SDC is {S1=1, S0=1}
For XOR in the following circuit, SDC is {x=1, y=1} and {x=0, y=1}
Observability Don’t Cares (ODC)
ODC consists of all input patterns that do not affect the output
ODC of the following subsystem is {x=1, y=0} and {x=0, y=0}
XOR can be removed!
Figures by Prof. G. Qu, University of Maryland
DESIGN VULNERABILITIES
On input “000”, output “11” is a backdoor to the case of input “100”
On input “011” or “111”, output “00” is a fault injection attack on the
next module
E.G., A CIRCULAR SYSTEM AND TROJAN
Slides by Prof. G. Qu, University of Maryland
3-BIT ALU – HARDWARE TROJAN
[Figure: ALU3 schematic with signal su[2] and the added Trigger and Payload blocks]
What is the harm?
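Added example (not part of the original slides): a Python model of the 3-bit ALU built from the slide equations, showing why the don't-care select S1 S0 = 11 matters for verification. A test limited to the three specified operations cannot see what a design does under S=11, while a comparison against a golden model over the full input space can. The tie-off of S=11 to 0 and the names golden, suspect and audit are assumptions made for this example.

```python
from itertools import product

def full_adder(a, b, cin):
    # Slide equations: sum = a xor b xor cin; cout = a b + a cin + b cin
    return a ^ b ^ cin, (a & b) | (a & cin) | (b & cin)

def alu1(a, b, cin, s, d3):
    """1-bit ALU: 4-input mux over AND (0), OR (1), ADD (2) and the unspecified D3."""
    total, cout = full_adder(a, b, cin)
    return (a & b, a | b, total, d3(a, b, cin))[s], cout

def alu3(a, b, s, d3):
    """3-bit ripple-carry ALU made of three alu1 slices; returns (result, cout)."""
    result, carry = 0, 0
    for i in range(3):
        bit, carry = alu1((a >> i) & 1, (b >> i) & 1, carry, s, d3)
        result |= bit << i
    return result, carry

def golden(a, b, s):
    # Hardened reference (assumption): the don't-care mux input is tied to 0.
    return alu3(a, b, s, lambda a, b, cin: 0)

def suspect(a, b, s):
    # Constructed design under test: D3 drives something other than the tie-off.
    return alu3(a, b, s, lambda a, b, cin: a ^ b)

def audit(dut, selects):
    """Return every (a, b, s) where dut disagrees with the golden model."""
    return [(a, b, s) for a, b, s in product(range(8), range(8), selects)
            if dut(a, b, s) != golden(a, b, s)]

SPECIFIED = (0, 1, 2)       # and, or, add: what a functional test plan covers
FULL_SPACE = (0, 1, 2, 3)   # also drives the don't-care select

if __name__ == "__main__":
    print("mismatches, specified ops only:", len(audit(suspect, SPECIFIED)))
    print("mismatches, full input space:  ", len(audit(suspect, FULL_SPACE)))
```

With only 8 input bits (A, B, S) the full space is 256 patterns, so exhaustive comparison is cheap here; on the DE0 the same sweep means stepping sw[9:7], sw[6:4] and sw[1:0] through every combination, including S=11.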
HT – TRIGGERING MECHANISMS (1)
Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia, “Hardware Trojan: Threats and Emerging Solutions”, IEEE International High Level Design Validation and Test Workshop (HLDVT), pp. 166-171, 2009
HT – TRIGGERING MECHANISMS (2)
Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia, “Hardware Trojan: Threats and Emerging Solutions”, IEEE International High Level Design Validation and Test Workshop (HLDVT), pp. 166-171, 2009
HT - PAYLOAD
RS232 end sequence information leakage
Denial of service
AM transmission
LED transmission
…
Alex Baumgarten, Michael Steffen, Matthew Clausman, and Joseph Zambreno, “A Case Study in Hardware Trojan Design and Implementation”, International Journal of Information Security (IJIS), 10(1), 2011