Content
• Trojan
• Software Trojan & its types
• Hardware Trojan
• Trigger Mechanism
• Hardware Trojan Actions
• Classification on the basis of Trojan location
• Design Phases of Hardware Trojan
• Prevention
• Trojan Detection: Destructive & Non-Destructive Ways
• Examples of Hardware Trojan
Trojans
A Trojan is any trick that causes a target to unknowingly invite a foe into a securely protected space.
Trojan
• Software Trojans
• Hardware Trojans
Software Trojan
A software Trojan is a program in which malicious or harmful code is hidden inside apparently harmless programming or data, in such a way that it can gain control and do its chosen form of damage.
Types of Software Trojan
• Remote Access Trojans
• Data Sending Trojans
• Destructive Trojans
• Proxy Trojans
• FTP Trojans
• Security Software Disabler Trojans
• Denial-of-Service (DoS) Trojans
Hardware Trojan
A hardware Trojan is a malicious addition or modification to the existing circuit elements that can change the functionality, reduce the reliability, or leak valuable information. It can be inserted at any phase of the IC design flow.
Triggered Trojans usually consist of two parts:
Trigger: acts as sensing circuitry that activates the Trojan to perform a specific task.
Payload: responsible for the malicious activity of the Trojan.
Once inserted into a system, most hardware Trojans lie dormant until activated (triggered) to perform their malicious activity.
Trigger Mechanism
Trigger
• Always On
• Internally Triggered
• Externally Triggered
Always On
• Trojans that are always on consist of only the payload part.
Examples:
• Leaking data through a circuit-based side channel
• Devices on a wafer are modified to wear out after a certain time period (reliability-based hardware Trojan)
Externally Triggered
• External triggers rely on some interaction with the outside world, distinct from the system that the target device is integrated within, e.g.:
• A receiver or antenna embedded within the target device
• On-chip sensors that monitor the external environment, including temperature, voltage, EMI, humidity and altitude
• A trigger may also come from another component that is externally connected, e.g., a connected memory device
Internally Triggered
• Internally triggered hardware Trojans rely on some specific internal state of the target device being reached.
Internally Triggered
• Combinational Activation
• Sequential Activation
Combinational Activation
• A hardware Trojan is activated when certain values are detected simultaneously at specific internal circuit nodes within a device (a trigger state).
• This type of trigger mechanism can be implemented solely by combinational logic.
• e.g., a specific address on a bus triggers the hardware Trojan.
Sequential Activation
• Sequentially triggered hardware Trojans rely on a sequence of events occurring for activation.
Hardware Trojan Actions
• Modify Functionality
• Modify Specification
• Leak Information
• Denial of Service
Modify Functionality
• Add logic
• Remove logic
• Bypass logic
• Change the content of programmable ROM
Modify Specification
• Change the target IC's parametric properties:
Clock or timing parameters
Power usage
• Done by directly influencing intrinsic IC properties such as wire and transistor geometry
Leak Information
• Transmit information without the user's knowledge, via:
RF
RS232
JTAG interface
Optical
Thermal
Power
Denial of Service
• Trojans that affect service by exhausting scarce resources such as bandwidth
• Disable part or all of the power supply to a device
Location
• Processor
• Memory
• Power Supply
• I/O
• Clock Grid
Design Phases of Hardware Trojan
• Specification
• Design
• Fabrication
• Testing and Assembling
Prevention
Trojan Detection
• Destructive Method
• Non-Destructive Method
Trojan Detection: Destructive Method
Techniques:
• Scanning Optical Microscopy (SOM)
• Scanning Electron Microscope (SEM)
• Voltage Contrast Imaging (VCI)
• Light-Induced Voltage Alteration (LIVA)
• Charge-Induced Voltage Alteration (CIVA)
Light-Induced Voltage Alteration (LIVA)
• An optical beam generates photocarriers at its focal point.
• The photoconductive effect in the integrated circuit (IC) creates local changes in resistance.
• The change in resistance causes a change in voltage.
• A digital record of voltage versus scanner position produces the LIVA image.
Trojan Detection: Destructive Method
• These techniques are ineffective in the nanometer domain.
• An attacker is most likely to modify only a small random sample of chips in the production line, so a destructively examined chip may well be a clean one.
• Destructive methods of validating an IC are extremely expensive in time and cost and are technology intensive; validation of a single IC can take months.
Non-Destructive Method
• Side-Channel Analysis
• Logical Analysis
• Built-in Test
Trojan Detection: Side-Channel Analysis
• Side-channel analysis based techniques utilize the effect of an inserted Trojan on a measurable physical quantity such as:
the supply current
path delays
the amount of heat produced in certain locations
• Such a measured circuit parameter can be referred to as a fingerprint for the IC.
• The Trojan does not need to be activated in order to be detected.
• An intelligent adversary can craft a very small Trojan circuit with just a few logic gates that has minimal impact on circuit power or delay; such a Trojan can easily evade side-channel detection techniques.
1. Select a few ICs at random from a family of ICs (i.e., ICs with the same mask and manufactured in the same unit).
2. Run sufficient I/O tests multiple times on the selected ICs so as to exercise all of their expected circuitry, and collect one or more side-channel signals from the ICs during these tests.
3. Use these side-channel signals to build a "side-channel fingerprint" for the IC family.
4. Destructively test the selected ICs to validate that they are compliant with the original specifications.
5. All other ICs from the same family are non-destructively validated by subjecting them to the same I/O tests and checking that their side-channel signals are consistent with the "side-channel fingerprint" of the family.
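As an added example (not from the slides), the five-step procedure above in Python over constructed supply-current traces: a few randomly chosen "golden" ICs give a per-sample mean plus a pooled noise estimate, and every other IC is accepted or rejected by its RMS deviation from that fingerprint. The traces, the leak amounts and the threshold are constructed values; the third IC under test illustrates the caveat that a Trojan of a few gates stays inside the process noise and passes.

```python
import random
import statistics

TRACE_LEN = 64  # samples per supply-current trace (constructed)

def simulate_trace(seed, leak=0.0):
    """Constructed stand-in for one IC's measured supply current while it runs
    the fixed I/O test; `leak` is the extra current drawn by Trojan logic."""
    rng = random.Random(seed)
    trace = []
    for t in range(TRACE_LEN):
        nominal = 1.0 + 0.5 * ((t % 8) / 8)       # switching activity of the genuine design
        noise = rng.gauss(0.0, 0.02)               # process variation + measurement noise
        extra = leak if t % 8 == 3 else 0.0        # dormant Trojan's trigger logic toggling
        trace.append(nominal + noise + extra)
    return trace

def build_fingerprint(golden_traces):
    """Steps 1-3: per-sample mean over the golden ICs plus one pooled noise estimate.
    In the real flow the golden ICs are afterwards destructively verified (step 4)."""
    means = [statistics.mean(tr[i] for tr in golden_traces) for i in range(TRACE_LEN)]
    residuals = [tr[i] - means[i] for tr in golden_traces for i in range(TRACE_LEN)]
    return means, statistics.pstdev(residuals)

def deviation_score(trace, fingerprint):
    """RMS distance of a trace from the fingerprint, in units of the family's noise."""
    means, sigma = fingerprint
    return statistics.mean(((s - m) / sigma) ** 2 for s, m in zip(trace, means)) ** 0.5

def is_consistent(trace, fingerprint, threshold=1.75):
    """Step 5: an IC passes if its trace is statistically indistinguishable from the family.
    The threshold is a constructed value tuned against the golden set."""
    return deviation_score(trace, fingerprint) <= threshold

GOLDEN = [simulate_trace(seed) for seed in range(8)]   # step 1: random sample of the family
FINGERPRINT = build_fingerprint(GOLDEN)                  # steps 2-3
CLEAN_IC = simulate_trace(100)                           # constructed ICs under test
TROJAN_IC = simulate_trace(101, leak=0.12)               # ~6 sigma of extra current at trigger cycles
STEALTHY_IC = simulate_trace(102, leak=0.02)             # a few gates: ~1 sigma, inside the noise

if __name__ == "__main__":
    for name, tr in (("clean", CLEAN_IC), ("trojan", TROJAN_IC), ("stealthy", STEALTHY_IC)):
        print(f"{name:8s} score={deviation_score(tr, FINGERPRINT):.2f} "
              f"pass={is_consistent(tr, FINGERPRINT)}")
```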
Shadow Register
Figure: shadow register; real circuit (green) and Trojan circuit (blue); frequencies shown: 100 MHz and 500 kHz.
Logic Test Based Approach
Figure: logic-test illustration with signals x, y and z, and the set of 24 six-bit test patterns applied (000000 through 111101).
Built-in Test
Figure: ring oscillator based built-in test with two ring oscillators, RO1 and RO2.
Examples
Assume a chip receives encrypted commands over an RF channel and stores the value in a register for subsequent decryption.
An adversary transmits a "code" that causes activation: the missile detonates before reaching its target.
Cell Phone Hardware Trojan