introduction to the hardware trojan problemtehrani/teaching/tcs/intro_htp_teh.pdf · wafer probe...
TRANSCRIPT
![Page 1: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/1.jpg)
Introduction to the Hardware Trojan Problem
![Page 2: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/2.jpg)
Globalization
• Companies worldwide develop ICs
• Designed, Fabricated, and Assembled separately
o More companies, more vulnerabilities
o Fab-less Designers
![Page 3: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/3.jpg)
Globalization
• IP Cores
o Reusable modules
o Licensed to designers
o Present at each abstraction level
• SoC Designs
• Too costly to reverse globalization
![Page 4: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/4.jpg)
4
HW Threats
IP Vendor
System Integrator
Manufacture
Any of these steps can be untrusted
![Page 5: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/5.jpg)
5
HW Threats
IP Vendor
System Integrator
Manufacture
Untrusted
IP Trust
IC Trust
![Page 6: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/6.jpg)
6
Issues with Third IP Design
Company X
Company Y
Company Z
Company W Company V
System-on-chip (SoC)
![Page 7: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/7.jpg)
7
Issues with Third IP Design
Company X
Company Y
Company Z
Company W Company V
These companies are located across
the world
There is no control on the design
process
System-on-chip (SoC)
![Page 8: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/8.jpg)
8
HW Threats
IP Vendor
System Integrator
Manufacture
Untrusted
IP Piracy
System Trust
IC Trust
![Page 9: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/9.jpg)
9
HW Threats
IP Vendor
System Integrator
Manufacture
Untrusted
IC Trust
IC Piracy (Counterfeiting)
Secure Manufacturing Test
Untrusted Foundry
![Page 10: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/10.jpg)
10
IC/IP Trust Problem
Chip design and fabrication is becoming increasingly
vulnerable to malicious activities and alterations with
globalization
Design and Foundry:
A designer/foundry can add functionality to the design
An adversary can introduce:
A Trojan designed to disable and/or destroy a system at some
future time
A Trojan that may serve to leak confidential information covertly
to the adversary
![Page 11: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/11.jpg)
11
IC/IP Trust Problem
Chip design and fabrication is becoming increasingly
vulnerable to malicious activities and alterations with
globalization
Design and Foundry:
A designer/foundry can add functionality to the design
An adversary can introduce:
A Trojan designed to disable and/or destroy a system at some
future time
A Trojan that may serve to leak confidential information covertly
to the adversary
U.S. Senate, 2003
Defense Science Board, 2005
Semiconductor Equipment and
Materials Industry (SEMI), 2008
IEEE Spectrum, 2008
IEEE Symposium on Hardware-
Oriented Security and Trust (HOST)
More articles have addressed this issue
within the last few years
![Page 12: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/12.jpg)
12
ASIC Design Process – Untrusted Foundry
Design Design Process
Trusted
Either
Untrusted
IP CAD Tools STD Cells Models Design Specification
Manufacturing
Test Process Wafer Probe Dice & Package Package Test
Fab Interface Mask Fab Fabrication
Process
Deploy and Monitor
IC Authentication: Trojan Detection
and Isolation
![Page 13: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/13.jpg)
13
Untrusted Designer and Foundry
Manufacturing
Test Process Wafer Probe Dice & Package Package Test
Deploy and Monitor IC Authentication: Trojan Detection
and Isolation
Fab Interface Mask Fab Fabrication Process
Design Design Process
Trusted
Either
Untrusted
IP CAD Tools STD Cells Models Design Specification
![Page 14: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/14.jpg)
14
Applications and Threats
Thousands of
chips are being
fabricated in
untrusted
foundries
![Page 15: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/15.jpg)
15
Hardware Trojan – Back Door
Untrusted Hardware
Antenna
Adversary can place an Antenna on the
fabricated chip
Such Trojan cannot be detected since it
does not change the functionality of the
circuit.
Adversary can send and
receive secret information
Adversary can disable the
chip, blowup the chip,
send wrong processing
data, impact circuit
information etc.
![Page 16: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/16.jpg)
16
Time Bomb
Untrusted Hardware
Such Trojan cannot be detected
since it does not change the
functionality of the circuit.
In some cases, adversary has
little control on the exact time of
Trojan action
Cause reliability issue
Counter
Finite state machine (FSM)
Comparator to monitor key data
Wires/transistors that violate design rules
![Page 17: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/17.jpg)
Defining the Problem
Photo Credit: Meter Mulligan. 2007. Under the Creative Commons license.
![Page 18: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/18.jpg)
18
Hardware vs. Software Trojans
Hardware Trojans
A Trojan is inserted into an IC
Once inserted, the Trojan behavior cannot change
An IC is very much like a black box, a Trojan cannot be observed
Software Trojans
A Trojan is part of the code in software
A Trojan behavior can change
A Trojan can be added to a software via network
Once identified, it can be removed and added to a database to look for
it in the future
![Page 19: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/19.jpg)
Taxonomy
Karri, R.; Rajendran, J.; Rosenfeld, K.; Tehranipoor, M.; , "Trustworthy Hardware: Identifying and Classifying Hardware Trojans," Computer , vol.43, no.10, pp.39-46, Oct. 2010
![Page 20: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/20.jpg)
Taxonomy: Insertion Phase
![Page 21: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/21.jpg)
Taxonomy: Abstraction Level
![Page 22: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/22.jpg)
Case Study: RTL Trojan
• Code segment of 8051 microprocessor in VHDL
• Trojan changes program counter behavior o Increment maps to
accumulator jump
o Behaves normally while inactive
• Cannot directly control number of gates used
![Page 23: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/23.jpg)
Case Study: Gate Level Trojan
• Gate Level Trojan to attack cryptographic hardware
o Trigger seeks "10100011"
o On trigger, encryption is skipped
• Particular gates used can be controlled
o Location cannot • Practical GL Trojans are
in netlist form
![Page 24: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/24.jpg)
Taxonomy: Activation Mechanism
• Also called the "trigger" • A rare trigger makes a
Trojan stealthier o not always possible
• Adversary goal: o Adversary can predict
or induce triggering
o User / chip tester cannot
![Page 25: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/25.jpg)
Internal vs. External
• Externally Triggered
o Depends directly on external inputs
o Can be both user and component driven
o e.g. transmitter • Internal
o Can also include internal signals
![Page 26: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/26.jpg)
Case Study: Physical Condition
![Page 27: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/27.jpg)
Case Study: Time Bomb Trigger
• Subclass of time-based
o Called "time bomb" • Weaknesses
o What if chip tester waits long enough?
o Increasing time increases area
O(log2(n)) Example: 1GHz * 1 day = 8 x 1013
log2(8 x 1013) = 47 bits
![Page 28: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/28.jpg)
Case Study: Time based trigger
![Page 29: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/29.jpg)
Taxonomy: Effects
• For triggered Trojans also called the "payload"
• Functional Changes must be triggered
o Otherwise they are not stealthy
• Information leakage associated with cryptography
• Is it possible to make a triggered performance altering Trojan?
![Page 30: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/30.jpg)
Case Study: Triggered Performance Degradation
• RO activates frequently burning the chip.
• Requires long trigger pulsewidth
o Activation probability should still be low
o Can use latch
![Page 31: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/31.jpg)
Case Study: Key Leaking Trojan
• MOVX_A_ATDPTR implies the key is being moved from the acc.
• Requires just two 2:1 multiplexiers to
• Is this the activation rare enough?
o Opcodes are easily manipulated
o 232=4.3 x 109
o x 100MHz = 50s o Assume instructions
are 1-9 cycles
In FSM Controller:
In Memory Controller:
![Page 32: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/32.jpg)
Taxonomy: Location
• Location refers to the part of the system
o It does not refer to physical placement
• Not all Trojans will have a single or any location
• Location likely implies implies either o Activation mechanism
o Effect
![Page 33: Introduction to the Hardware Trojan Problemtehrani/teaching/tcs/intro_htp_teh.pdf · Wafer Probe Dice & Package Package Test Deploy and Monitor IC Authentication: ... microprocessor](https://reader031.vdocument.in/reader031/viewer/2022022009/5af168247f8b9aa17b903f70/html5/thumbnails/33.jpg)
Taxonomy: Physical Characteristics
• Distribution: is the Trojan spread out?
o distributed Trojans will impact uniformly
• Structure
o If the layout changes, detection is trivial Trojans have an
area constraint o Detection schemes
assume unchanged