Formal Verification of Gate-Level Multiple Side Channel Parameters to Detect Hardware Trojans
Imran Abbasi, Faiq Khalid Lodhi, Awais Kamboh and Osman Hasan
System Analysis and Verification (SAVe Lab)
National University of Sciences and Technology (NUST)
Islamabad, Pakistan
FTSCS 2016, Tokyo, Japan
November 14, 2016
Outline
1 Introduction
2 Proposed Methodology
3 Case Studies
4 Conclusions
Osman Hasan Formal Verification for HT Detection November 14, 2016 2 / 25
Hardware Trojans
Malicious alteration or modification in Integrated Circuits (ICs)
- Change the functionality
- Reduce the reliability (Aging Based Trojan)
- Disable the chip in future (Time Bomb Trojan)
- Leak confidential information (Data Exfiltration Trojan)
Potential Sources of Threat
- Third Party Intellectual Property (3PIP) Vendor
- SoC Developer
- Foundry
Counterfeit Chips on the Rise
Electronic Resellers Association International (ERAI)
Table: Different types of counterfeited ICs
Rank  Component Type          % of Reported Incidents
1     Analog IC               25.20%
2     Microprocessor IC       13.40%
3     Memory IC               13.10%
4     Programmable Logic IC    8.30%
5     Transistor               7.60%
Historical Incidents: Counterfeiting Incident in 2011
Reported in IEEE Spectrum, October 2013
Failure of the ice detection block of the P-8A Poseidon (17th August 2011)
Reason
Time Bomb Trojan due to a reworked Xilinx FPGA
Investigation
BAE Systems, a UK based defence organization, was responsible for the hardware design
It subcontracted Access Electronics, which was selling used Xilinx parts as new
Hardware Trojan Detection Techniques
None of these techniques offers a Complete and Accurate Analysis
Formal Verification for Hardware Trojan Detection: Rathmair et al. (2013) [1]
- Used the SMV model checker to verify the functional properties
- Malicious behavior can be detected if the desired properties fail
- The counterexamples can be used to identify the intrusions
Threat Model: Untrusted Foundry
Trojan: Logical
Complete analysis
Cannot detect side channel based Trojans
[1] Rathmair et al., "Hardware Trojan detection by Specifying Malicious Circuit Properties", in Conference on Electronics Information and Emergency Communication (ICEIEC), 2013, pp. 317-320.
Proposed Methodology: To Cater for Side Channel Based Trojans
Proposed Methodology: Gate Level Modeling
Formally model and verify the commonly used gates based on side channel parameters
Proposed Methodology: Gate Level Modeling (Switching Power)
Switching Power
$$P_{switching} = \alpha \, C_{total} \, V_{ss}^{2} \, f \qquad (1)$$
where $\alpha$ = switching activity factor, $f$ = operating frequency, $V_{ss}$ = operating voltage
$$C_{total} = C_{diffusion} + C_{load}$$
$$C_{diffusion} = \left(O_{pMOS} \times fanout \times WR_{pMOS} \times W_{minP} \times C_{dminP}\right) + \left(O_{nMOS} \times fanout \times WR_{nMOS} \times W_{minN} \times C_{dminN}\right)$$
$$C_{load} = \sum_{i=1}^{p} C_{gatepMOS_i} + \sum_{j=1}^{n} C_{gatenMOS_j}$$
$$C_{gatepMOS} = fanout \times WR_{pMOS} \times C_{gminP}$$
$$C_{gatenMOS} = fanout \times WR_{nMOS} \times C_{gminN}$$
$O_{pMOS}$ and $O_{nMOS}$ are the number of internal pMOS and nMOS connected at the output, respectively
Proposed Methodology: Switching Power LTL Properties
Maximum Power
G(powermax >= (gate1.pwr + gate2.pwr + ... + gaten.pwr))
Minimum Power
G(powermin <= (gate1.pwr + gate2.pwr + ... + gaten.pwr))
The maximum and minimum bounds for the power consumption are computed by considering the maximum and minimum fanout of the gates allowed by the technology and the worst and best case delays of the gates, respectively
Proposed Methodology: Gate Level Modeling (Path Delay)
Path Delay
$$t_{delay} = \ln 2 \times \tau_{elmore} \qquad (2)$$
where $\tau_{elmore} = \sum_{i} R_{is} C_{i}$
Input  Output  Elmore Delay
00     1       $(2 \times R_p \times C_{total}) / (Fanout \times WR_{pMOS} \times W_{minP})$
01     1       $(R_n \times C_{total}) / (Fanout \times WR_{nMOS} \times W_{minN})$
10     1       $(R_n \times (C_{total} + C_{stackN})) / (Fanout \times WR_{nMOS} \times W_{minN})$
11     0       $(R_n \times C_{total}) / (Fanout \times WR_{nMOS} \times W_{minN})$
Proposed Methodology: Path Delay LTL Properties
LTL properties to validate the delays for every path in the circuit have to be specified
Maximum Delay for path i
G(del.(path_i)max >= (gate1(i).del + gate2(i).del + ... + gatek(i).del))
Minimum Delay for path i
G(del.(path_i)min <= (gate1(i).del + gate2(i).del + ... + gatek(i).del))
Proposed Methodology: Gate Modeling
NAND Gate (nuXmv module)
MODULE nand2i(a, b, Pa_0, Pa_1, Pb_0, Pb_1, fan_out,
              freq, Cgmin_p, Cgmin_n, vdd, Wmin, Cdmin_p, Cdmin_n,
              Csmin_p, Csmin_n, Rn, Rp, Cg1, Cg2, Cg3, Cg4)
  VAR
    pwr_dyn : real;   -- dynamic (switching) power of this gate, Eq. (1)
    delay   : real;   -- Elmore-based propagation delay, Eq. (2)
  DEFINE
    out := !(a & b);                  -- NAND2 function
    pout_0 := Pa_1 * Pb_1;            -- P(out = 0): both inputs high
    pout_1 := 1 - (Pa_1 * Pb_1);      -- P(out = 1)
    alpha := pout_0 * pout_1;         -- switching activity factor
    -- cap_total (C_total of Eq. 1) and Wp are DEFINEd from the capacitance and
    -- width parameters above; those definitions are not shown on the slide.
  ASSIGN
    init(pwr_dyn) := 0;
    next(pwr_dyn) := alpha * cap_total * vdd * vdd * freq;   -- Eq. (1)
    init(delay) := 0;
    next(delay) := case
      !a & b : case                   -- input combination 01; 0.69 = ln 2
        fan_out = 4 : 0.69 * (Rp * cap_total / (4 * Wp));
        fan_out = 3 : 0.69 * (Rp * cap_total / (3 * Wp));
        fan_out = 2 : 0.69 * (Rp * cap_total / (2 * Wp));
        TRUE        : 0.69 * (Rp * cap_total / (1 * Wp));
      esac;
      -- remaining input combinations follow the Elmore delay table (not shown on the slide)
    esac;
Proposed Methodology: Hardware Intrusions
Intrude the gate level models with side channel based Trojans to generate the counterexamples
- Power based Trojans
- Path delay based Trojans
Benchmark intrusions are available on https://www.trust-hub.org/
Proposed Methodology: Hardware Intrusions
The counterexamples can be used to identify the malicious behavior
Power Analysis
- Divide the IC into distinct regions
- Verify the power properties for individual regions
- Isolate the Trojan-free and Trojan-inserted regions
Timing Analysis
- Verify the delay property for each path
- Identify the intruded path on property failure
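As an added example (not code from the slides or from the SAVe Lab tool-chain), the Python below re-implements the per-region power check described above: the nand2i activity factor and Eq. (1) give each gate's switching power, the golden C17 netlist evaluated at the technology's maximum and minimum fanout gives powermax and powermin for each region, and a constructed one-gate intrusion is flagged only in the region where it sits. The constants, the region assignment, the simplified C_total and the Trojan placement are assumptions; the per-path delay properties follow the same pattern with a per-path sum instead of a per-region one.

```python
"""Per-region switching-power check for ISCAS-85 C17 (added example, not the slides' code).
Re-implements the nand2i activity factor, Eq. (1) with a simplified C_total, and the
powermax/powermin properties per layout region. Constants and regions are constructed."""
from dataclasses import dataclass

VDD, FREQ = 1.0, 1.0e9         # V, Hz (constructed)
C_DIFF, C_GATE = 1.0e-15, 2.0e-15   # F per unit fanout: stand-ins for Eq. (1)'s C_diffusion, C_gate
FANOUT_MIN, FANOUT_MAX = 1, 2  # fanout range the (constructed) technology allows

@dataclass(frozen=True)
class Nand2:
    name: str
    inputs: tuple   # the two driving nets
    fanout: int
    region: str     # layout region the gate is placed in

def nand_p1(pa1, pb1):
    """P(out=1) of a NAND2 with independent inputs: 1 - Pa_1*Pb_1 (pout_1 in nand2i)."""
    return 1.0 - pa1 * pb1

def alpha(p1):
    """Switching activity factor alpha = pout_0 * pout_1, as nand2i defines it."""
    return (1.0 - p1) * p1

def p_switching(act, fanout):
    """Eq. (1): P = alpha * C_total * Vss^2 * f, with C_total taken linear in fanout."""
    return act * fanout * (C_DIFF + C_GATE) * VDD ** 2 * FREQ

def net_probabilities(gates, input_probs):
    """Propagate P(net=1) through the gates, which must be listed in topological order."""
    p1 = dict(input_probs)
    for g in gates:
        a, b = g.inputs
        p1[g.name] = nand_p1(p1[a], p1[b])
    return p1

def region_power(gates, input_probs, fanout_of=lambda g: g.fanout):
    """gate1.pwr + ... + gaten.pwr per region; fanout_of lets the bounds override fanout."""
    p1 = net_probabilities(gates, input_probs)
    totals = {}
    for g in gates:
        totals[g.region] = totals.get(g.region, 0.0) + p_switching(alpha(p1[g.name]), fanout_of(g))
    return totals

def check_power_properties(golden, netlist, input_probs):
    """Evaluate G(powermax >= sum) and G(powermin <= sum) per region. Bounds come from the
    golden netlist at the technology's max/min fanout; the probabilistic model is static, so
    each G property is one inequality. Returns the regions whose property fails."""
    pmax = region_power(golden, input_probs, lambda g: FANOUT_MAX)
    pmin = region_power(golden, input_probs, lambda g: FANOUT_MIN)
    actual = region_power(netlist, input_probs)
    return {r for r, p in actual.items() if p > pmax.get(r, 0.0) or p < pmin.get(r, 0.0)}

# ISCAS-85 C17: primary inputs 1, 2, 3, 6, 7 and six NAND2 gates (regions constructed).
C17 = [
    Nand2("G10", ("1", "3"), 1, "R1"),
    Nand2("G11", ("3", "6"), 2, "R1"),
    Nand2("G16", ("2", "G11"), 2, "R2"),
    Nand2("G19", ("G11", "7"), 1, "R2"),
    Nand2("G22", ("G10", "G16"), 1, "R3"),
    Nand2("G23", ("G16", "G19"), 1, "R3"),
]
# Constructed one-gate power intrusion in the spirit of Intrusion I: gate T taps net G16
# (raising G16's fanout to 3) and drives a two-gate load, all placed in region R2.
C17_INTRUDED = C17[:2] + [Nand2("G16", ("2", "G11"), 3, "R2"), C17[3],
                          Nand2("T", ("1", "G16"), 2, "R2")] + C17[4:]
INPUT_PROBS = {n: 0.5 for n in ("1", "2", "3", "6", "7")}

if __name__ == "__main__":
    print("golden  :", check_power_properties(C17, C17, INPUT_PROBS))           # set()
    print("intruded:", check_power_properties(C17, C17_INTRUDED, INPUT_PROBS))  # {'R2'}
```

The golden netlist satisfies both properties in every region, while the intruded netlist violates powermax only in R2, which is the region isolation step of the slide above.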
Case Studies
ISCAS-85 C17 (6 basic gates)
Full Adder (16 basic gates)
Ripple Carry Adder (64 basic gates)
Case Studies: Intrusions for ISCAS-85 C17
ISCAS-85 C17 Intrusion I
Total Number of basic Gates = 7
Number of Malicious Gates = 1
Effect: Power Consumption
Type: Side Channel Based Trojan
ISCAS-85 C17 Intrusion II
Total Number of basic Gates = 12
Number of Malicious Gates = 6
Effect: Functionality, Delay and Power
Type: Logical/Side Channel Based Trojan
Case Studies: ISCAS-85 C17 [2]
The proposed approach was able to detect the exact Trojan
[2] Wei et al., "Malicious Circuitry Detection using Thermal Conditioning", IEEE Transactions on Information Forensics and Security 6(3), 2011, pp. 1136-1145.
Case Studies: Results
Machine: Core i7 processor, 2.67GHz, with 6 GB memory
[Figure: four bar charts of model checking resource usage versus number of gates, each with one series for the Power property and one for the Delay property]
Memory (MB), un-intruded: C17 (6 gates), Full Adder (16), RCA (64); y-axis 0 to 140 MB
Time (s), un-intruded: C17 (6), Full Adder (16), RCA (64); y-axis 0 to 4000 s
Memory (MB), intruded: C17-I (7), C17-II (12), Full Adder (21), RCA (68); y-axis 0 to 90 MB
Time (s), intruded: C17-I (7), C17-II (12), Full Adder (21), RCA (68); y-axis 0 to 1400 s
Conclusions
A formal verification based methodology to detect Hardware Trojans based on side channel information (dynamic power and path delay)
Exhaustiveness: nuXmv model checker
Rational numbers: SMT solvers
Ongoing and Future Work
- Incorporating the leakage power parameter to enhance the precision and scope of Hardware Trojan detection
- Integrating the effects of process variation
- Automating netlist translation
- Experimenting with larger case studies
Thanks!
More information: save.nust.seecs.edu.pk