Why We Should Be Worried about Hardware Trojans
Christof Paar, Ruhr-Universität Bochum & University of Massachusetts Amherst
The Summer Research Institute 2018, EPFL, June 18, 2018
Title image: Janet Lackey, under CC license
Acknowledgement
• Georg Becker
• Pawel Swierczynski
• Marc Fyrbiak
Agenda
Introduction to Hardware Trojans
Sub‐Transistor ASIC Trojans
FPGA Trojan
Key extraction attack
Auxiliary Stuff
Agenda, section 1 of 5: Introduction to Hardware Trojans
Hardware Trojans
A malicious change or addition to an IC that adds or removes functionality, or reduces reliability.
Many rather unpleasant "applications".
Hardware Trojans & the Scientific Community
[Bar chart: publications containing "Hardware Trojans" or "malicious hardware" (Google Scholar, Oct 2017), per year from 2007 to 2017; two series: term in the title only, and term anywhere in the paper; y-axis: number of publications, 0 to 700.]
Trojan Injection & Adversary Scenarios
• Manufacturing: malicious factory, esp. off-shore (foreign government); the DoD scenario, 2005
• Design manipulation: 3rd-party IP cores, malicious employee
• During shipment: NSA's interdiction (not so unlikely, 2013; source: Wikipedia)
• Built-in backdoors etc.
Where are we with "real" HW Trojans?
• No true hardware Trojan observed in the wild
• Vast majority of publications focus on detection
• All examples from academia
Agenda, section 2 of 5: Sub-Transistor ASIC Trojans
Our Thoughts
1. Designing Trojans could be fun too
2. Especially those that go undetected
Simple Example: Inverter Trojan
Let’s modify an inverter so that it always outputs “1” (VDD) without visible changes.
[Schematic: CMOS inverter with input A and output Y, PMOS pull-up to VDD and NMOS pull-down to GND, shown unmodified and with the Trojan.]
Truth table of the unmodified inverter: A = 0 → Y = 1; A = 1 → Y = 0.
PMOS Transistor Trojan (22nm)
Unmodified PMOS transistor: n-well (connected to VDD); source (connected to VDD) and drain (the output) formed as p-dopant regions; gate.
Trojan transistor with constant VDD output: same n-well (connected to VDD), same gate and geometry, but the source and drain regions are n-dopant, so the output is tied to VDD.
"Always One" Trojan Inverter
[Schematic: the original inverter (A → Y) next to the Trojan inverter (A → Y = 1), each between VDD and GND.]
Original truth table: A = 0 → Y = 1; A = 1 → Y = 0.
Trojan: PMOS transistor permanently closed (conducting), NMOS transistor permanently open.
Q1: Can the manipulation be detected?
Q2: How to build a useful Trojan from here?
Detection: layout view of Trojan inverter
[Layout views: the original inverter next to the "Always One" Trojan inverter.]
Unchanged: all metal layers, polysilicon layer, active area, wells.
Dopant changes are (very?) difficult to detect using optical inspection!
Which one has the Trojan?
"Small" remaining question
Q2: Can we build a meaningful Trojan using dopant modifications that passes functional testing?
• Unfortunately, so far we have merely introduced a stuck-at fault …
• … and functional testing (after manufacturing) will detect such a fault right away
A Real-World True Random Number Generator Dopant Trojan
TRNG: random numbers generate cryptographic keys for
• secure web browsing
• email encryption
• document certification
• …
2 Modules Form the Random Number Generator
entropy source (011001011110 …) → digital post processing → 128-bit crypto key
Inside the Random Number Generator
The entropy source (011001011110 …) delivers 256 random bits that fill two 128-bit state registers, c and k. In the digital post processing, register k supplies the AES key and register c the block input; c is incremented (+1) after each block, and each 128-bit AES output is a crypto key.
• 1,000,000,000,000,000,000,000,000,000,000,000,000,000 possible crypto keys
• testing all keys: lifetime of the universe
Trojan Random Number Generator
Same structure, but only 32 of the 256 state bits come from the entropy source (the register holds c1 c2 … c32 followed by constants); the remaining 224 Trojan bits are fixed by the attacker!
• Instead of 1,000,000,000,000,000,000,000,000,000,000,000,000,000 possible crypto keys, only 1,000,000,000 possible crypto keys
• Testing all keys: a few seconds
... but the circuit would still be tested as "faulty" during manufacturing…
Built-in Self Test Prevents Detection of the Fault
Test mode: a known input fills the 256-bit state; the digital post processing (AES) produces 512 bits, which a CRC compresses into a 32-bit checksum that is compared with a 32-bit reference checksum.
Unmodified circuit: checksum = reference.
Trojan circuit: the 256-bit state differs (≠), yet the checksum still equals the reference (=), due to clever choosing of the Trojan bits.
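Modelling the two slides above as an added example (not code from the talk or from the CHES 2013 paper): a 256-bit state (c, k) feeds a counter-mode post-processing step, with SHA-256 standing in for AES and a constructed constant for the attacker's 224 fixed bits. It shows why a statistical test on the post-processed output, like the CRC self-test, cannot tell the two devices apart, while a health test on the state register across boots (assuming the register is observable, e.g. through a test port) flags the 224 stuck bits.

```python
import hashlib
import os
from typing import List

STATE_BITS = 256            # two 128-bit state registers c and k, as on the slides
FULL = (1 << STATE_BITS) - 1
# Constructed, attacker-chosen constants for the 224 fixed Trojan bits.
TROJAN_PATTERN = int("deadbeef" * 8, 16)

def load_state(entropy_bits: int, fixed_pattern: int = 0) -> int:
    """Fill the 256-bit state.  Healthy part: all bits from the entropy
    source.  Trojan part: only the low `entropy_bits` come from the source,
    the rest are forced to `fixed_pattern` (dopant-level stuck bits)."""
    fresh = int.from_bytes(os.urandom(32), "big")
    mask = (1 << entropy_bits) - 1
    return (fresh & mask) | (fixed_pattern & FULL & ~mask)

def post_process(state: int, n_keys: int) -> List[bytes]:
    """Digital post-processing: key_i = PRF_k(c + i).  SHA-256 stands in for
    the AES block of the real design (an assumption made for this example)."""
    c, k = state >> 128, state & ((1 << 128) - 1)
    keys = []
    for i in range(n_keys):
        block = (k.to_bytes(16, "big") +
                 ((c + i) & ((1 << 128) - 1)).to_bytes(16, "big"))
        keys.append(hashlib.sha256(block).digest()[:16])
    return keys

def monobit_ok(data: bytes) -> bool:
    """Output-side statistical check: ones within 4 sigma of n/2.  A good
    PRF passes this whether it was seeded with 256 or with 32 random bits."""
    n = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    return abs(ones - n / 2) <= 4 * (n ** 0.5) / 2

def stuck_bits(states: List[int]) -> List[int]:
    """Register-side health test: bit positions that never change across
    boots.  Needs access to the state register, not just to the output."""
    return [i for i in range(STATE_BITS)
            if all(((s >> i) & 1) == ((states[0] >> i) & 1) for s in states)]

def reachable_keys(entropy_bits: int) -> int:
    """Number of distinct key streams a device can produce after a reset."""
    return 1 << entropy_bits

if __name__ == "__main__":
    healthy = [load_state(STATE_BITS) for _ in range(64)]
    trojan = [load_state(32, TROJAN_PATTERN) for _ in range(64)]
    for name, boots in (("healthy", healthy), ("trojan", trojan)):
        out = b"".join(post_process(boots[0], 1000))
        print(f"{name}: monobit={monobit_ok(out)} stuck={len(stuck_bits(boots))}")
    print("reachable key streams:", reachable_keys(STATE_BITS), "vs", reachable_keys(32))
```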
Conclusion
• Meaningful hardware Trojans are possible without extra logic
• Many detection techniques don't guarantee a Trojan-free design!
• Built-in self tests can be dangerous
More details: Becker, Regazzoni, Paar, Burleson, Stealthy Dopant-Level Hardware Trojans. CHES 2013
… but the scientific community functions as it is supposed to do: Trojan detection is possible with a scanning electron microscope. Sugawara et al., Reversing Stealthy Dopant-Level Circuits. CHES 2014
Agenda, section 3 of 5: FPGA Trojan
FPGAs = Reconfigurable Hardware … are widely used
world market: ≈ 5 billion devices
Configuration during power-up
At power-up the FPGA loads its configuration file, the "bitstream".
Can we build hardware Trojans by manipulating the bitstream?
Principle of FPGA-based Trojans
[Diagram: manipulate bits in the bitstream, then configure the FPGA; the Trojan (T) ends up in the configured hardware. Source graphics: SimpleIcon, Xilinx]
The Mechanics of FPGAs
• FPGA fabric: 10^3 … 10^6 logic cells
• bitstream is complex and proprietary
Two challenges: 1. find AES in the unknown design, 2. meaningful manipulation
Finding AES: luckily, crypto has very specific components
• S-boxes are realized as 6x1 look-up tables (LUTs)
• LUT locations can be "easily" found in the bitstream
• S-box contents are very specific (luckily)
AES detection in practice
8 different real-world AES implementations
Algorithm Substitution Attack and Its Implications
1. Inject weak S-boxes into the bitstream
2. Trojan AES is configured: PT → CT = AES_T(k, PT)
"Useful" attacks are still possible!
1. Storage encryption: plaintext recovery
• Attacker can recover plaintext without access to k
2. Temporary device access: key extraction
• switch S-box and recover k from CT
• configure original S-box
Cute work … but not interoperable with regular AES
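An added example (not the talk's or the TCAD paper's code) for the two slides above, locating AES S-boxes among LUT6 contents and checking for substituted columns: the 256-entry S-box is split into four 64-entry slices per output bit, each fingerprinted as a LUT6 INIT value. It assumes the Xilinx convention that truth-table entry i sits at bit i of INIT; the LUT names, the glue-logic values and the identity "weak" S-box are constructed.

```python
from typing import Dict, List, Tuple

def gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def aes_sbox() -> List[int]:
    """Derive the AES S-box: inverse in GF(2^8) (0 -> 0), then the affine map."""
    box = []
    for x in range(256):
        inv = 1
        for _ in range(254):          # x^254 == x^-1 in GF(2^8)
            inv = gmul(inv, x)
        s = inv
        for i in range(1, 5):         # s = b ^ rotl(b,1) ^ ... ^ rotl(b,4) ^ 0x63
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box

def column_slice(box: List[int], bit: int, quarter: int) -> int:
    """64-entry truth table of S-box output `bit` for inputs 64*quarter .. +63,
    packed like a LUT6 INIT value (assumed convention: entry i sits at bit i)."""
    return sum(((box[64 * quarter + i] >> bit) & 1) << i for i in range(64))

def sbox_fingerprints() -> Dict[int, Tuple[int, int]]:
    """Map each of the 32 genuine AES slice tables to (output bit, quarter)."""
    box = aes_sbox()
    return {column_slice(box, b, q): (b, q) for b in range(8) for q in range(4)}

def classify_luts(lut_inits: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """LUTs whose INIT equals a genuine AES S-box slice: locating AES in an
    unknown design reduces to this lookup over all LUT6 contents."""
    fp = sbox_fingerprints()
    return {name: fp[init] for name, init in lut_inits.items() if init in fp}

def sbox_column_intact(lut_inits: Dict[str, int], bit: int) -> bool:
    """True if all four slices of output bit `bit` are still the genuine ones;
    a substituted (weak) S-box column fails this check."""
    found = {q for (b, q) in classify_luts(lut_inits).values() if b == bit}
    return found == {0, 1, 2, 3}

def build_design(box: List[int], prefix: str) -> Dict[str, int]:
    """Constructed stand-in for LUT INITs read out of a bitstream: three
    unrelated glue LUTs plus the 32 LUTs holding the given S-box."""
    luts = {f"{prefix}/glue{i}": v for i, v in
            enumerate((0xF0F0F0F0F0F0F0F0, 0x00000000FFFFFFFF, 0x8000000000000001))}
    for bit in range(8):
        for q in range(4):
            luts[f"{prefix}/sbox_b{bit}_q{q}"] = column_slice(box, bit, q)
    return luts
```

Running `classify_luts` over a design built from `list(range(256))` (an identity S-box standing in for a weak substitute) finds no genuine slice, which is the integrity signal a defender wants from a bitstream read-back.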
Conclusion
• New attack vector against FPGAs!
• Reconfigurability allows "hardware" Trojans designed in the lab
• Bitstream protection is crucial! (but not easy, cf. our work at CCS 2011 & FPGA 2013)
Details at: Swierczynski, Fyrbiak, Koppe, Paar, FPGA Trojans through Detecting and Weakening of Cryptographic Primitives. IEEE TCAD 2015.
Agenda, section 4 of 5: Key extraction attack
What else can we do with bitstream manipulations?
Hmm, are there simpler ways to extract keys from FPGAs without Trojans?
Set-Up
Classical known-plaintext set-up: PT → CT = AES(k, PT), with k inside the configured FPGA.
Non-classical set-up: alteration of the algorithm (via the bitstream used to configure the FPGA).
Can bitstream manipulation of an unknown design lead to key leakage??
Bitstream Fault Injections (BiFI)
PT → CT = AES(k, PT); 10-30k LUTs per FPGA
(surprising) attack strategy
1. manipulate 1st LUT table (e.g., all-zero)
2. configure FPGA
3. send PT
4. check: does CT contain k? If not: GOTO 1 and manipulate the next LUT
How exactly does the key leak???
PT → CT = AES(k, PT)
Many LUT manipulations possible
• all-zero
• all-one
• invert
• upper half of LUT all-zero
• …
Different leakage types (key hypotheses)
• CT = roundkey
• CT = inverted roundkey
• CT = PT xor roundkey
• …
Results for Bitstream Fault Injections (BiFI)
Real-world attack
• 16 unknown AES designs (Internet)
• 16 different manipulation rules
• ≈ 20k LUTs
• 3.3 sec for configuring and checking one manipulation
Results
• successful key extraction for every design!
• on average ≈ 2000 configurations (≈ 2h)
• works even for encrypted bitstreams (w/o MAC)
Conclusion
• Bitstream Fault Injections (BiFI) are a new family of fault attacks
• Malleability of the bitstream is a major weakness for FPGAs!
• Are there more bitstream-based attacks?
Details at: Swierczynski, Becker, Moradi, Paar: Bitstream Fault Injections (BiFI) – Automated Fault Attacks against SRAM-based FPGAs. IEEE Transactions on Computers, March 2018.
Agenda, section 5 of 5: Auxiliary Stuff
Relevant Conferences
• CHES – Cryptographic Hardware & Embedded Systems, Amsterdam, September 9-12, 2018
• escar – Embedded Security in Cars, Brussels, November 13-14, 2018
Thank you very much for your attention!
Christof Paar