thesis 91210369

HARDWARE TROJAN DETECTION a size-aware approach Department of Computer Engineering MS Thesis Seyed Behnam Heydarshahi

Upload: behnam-heydarshahi

Post on 14-Aug-2015


HARDWARE TROJAN DETECTION

a size-aware approach

Department of Computer Engineering

MS Thesis

Seyed Behnam Heydarshahi


WELCOME

You may scan this QR Code to access these slides on SlideShare.com right now.

This will provide you with the flexibility to jump forward or backward among my slides, regardless of my pace.


LIST OF CONTENTS

1. Introduction

2. Recent work

3. Our approach

4. Results

5. Future work

6. References


1. INTRODUCTION

HARDWARE TROJAN: extraneous hardware with malicious intent

INTENTION:

1. Data leakage

2. Changing original functionality

3. Sabotaging IC


1. INTRODUCTION – HARDWARE TROJAN TAXONOMY

Figure 1. Hardware Trojan Taxonomy [1]


1. INTRODUCTION (CONTINUED)

Hardware Trojan Prevention

The best way to prevent the insertion of a Hardware Trojan into an IC is to tightly control the process from end to end.

1. Prevention at Design: e.g. Obfuscation, by Bhunia et al.

2. Prevention at Fabrication: e.g. IP Vendor formal verification, by Jin and Makris.

3. Prevention at Post-Fabrication: e.g. reconfigurable logic programming of the circuit, by Zamberano et al.


1. INTRODUCTION (CONTINUED)

Hardware Trojan Detection

• Find out about existence of Hardware Trojans

• Fast and efficient

• Useful for industry

• Purpose of our study

Hardware Trojan Location

• Find at which exact node(s) the Trojan is placed

• Requires additional effort

• Entails long-time test

• Not our intention


1. INTRODUCTION – DETECTION APPROACHES


2. RECENT WORK

Characteristics of Hardware Detection Approaches:

1. Destructive or Non-Destructive

2. Intrusive or Non-Intrusive

3. Performed at Design-Time or Run-Time

4. Functional Test or Side-Channel Effect Analysis

5. In Simulation or on manufactured device


2. RECENT WORK – DETECTION PROBABILITY


3. OUR APPROACH - INTRODUCTION

Our test is Size-Aware:

1. Trojan size is:

a. Relative to the host circuit

b. Intrinsic Size

2. Trojan size will help us determine which detection approach(es) to take


3. OUR APPROACH - INTRODUCTION

Our test is Combined:

1. Functional (structural) Test

Verification of logical function, similar to conventional stuck-at fault test.

We will devise a Test Pattern Generation algorithm with two primary purposes:

a. To drastically reduce test vectors, which results in a faster test

b. To excite Trojan-prone nodes in the circuit, which results in an enhanced side-channel test in the next step

2. Side-channel analysis

Transient power, static power, path delay, layout area, etc. We focus on power.

We also take into account “process variation”.


3. OUR APPROACH – DATA SET

CUT, and Random TPG

Circuits-Under-Test are ten combinational ISCAS-85 circuits (C series)

Input vectors: 100k Random Test Pattern Generation

MERO II

MERO: Multiple Excitement of Rare Occurrences, O(N^2)

MERO II: Input vector patterns generated by an efficient optimized MERO algorithm, O(N*Log(N))

Permission from: Dr. Swarup Bhunia, Prof. at ECE Dept., Case Western Reserve University.


3. OUR APPROACH - TOOLS

1. Trojan Helper Application

A) Daemon helper

• Developed in Java for desktop computers, on Linux, Windows, Mac, etc.

Figure 2. Trojan Helper, server daemon UI


3. OUR APPROACH – TOOLS – TROJAN HELPER – TROJAN INSERTER

The “Inserter” program takes two parameters: a Verilog circuit and a size for the Trojan circuit.

The program parses the Verilog circuit into object-oriented models (Input, Output, Circuit, NetModel,…).

It then creates an AND-Trigger, XOR-Payload Trojan with a size determined by the second input.

The program generates a Verilog circuit as output, with the Trojan inserted at random nodes.

Program Signature: InsertTrojan <golden design hdl file path> <trojan size>

Q: Why place Trojans on random nodes and not just Rare nodes?


3. OUR APPROACH – TOOLS – TROJAN HELPER – MERO II TEST PATTERN GENERATOR

Core to our system, the “Test Pattern Generator” program receives a circuit netlist as input and generates MERO II test patterns for it.

Our approach uses heap sort and a heuristic algorithm to reduce the time complexity of MERO from O(N^2) to O(N*Log(N)), where N is the number of random input vectors. We have used 100k for the number of vectors.

In our algorithm, the reduced pattern set excites each Rare node exactly 10 times. This greatly improves the chance that the Trojan is activated and consequently detected.

On average, the 100k random patterns are reduced to 1k or fewer, which gives an 85 to 95 percent vector reduction.
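
As an added illustration (not code from the thesis or from the Trojan Helper tool), the sketch below shows the rank-and-select idea described above: simulate random vectors, find the rare nodes, order the vectors with a heap by how many rare nodes they excite, and keep vectors until every rare node has been excited N times. The 8-input netlist, the 0.1 rareness threshold and N = 3 are assumptions chosen for a small constructed circuit, and the sketch covers only this selection step, not the full MERO or MERO II algorithm.

```python
import heapq
import random

# Constructed 8-input toy netlist (an assumption, not a circuit from the thesis).
INPUTS = list("abcdefgh")
NETLIST = [  # (output net, gate, inputs), in topological order
    ("n1", "AND", ("a", "b")), ("n2", "AND", ("c", "d")),
    ("n3", "NOR", ("e", "f")), ("n4", "NOR", ("g", "h")),
    ("n5", "AND", ("n1", "n2")),  # 1 with probability 1/16
    ("n6", "AND", ("n5", "n3")),  # 1 with probability 1/64
    ("n7", "AND", ("n3", "n4"))]  # 1 with probability 1/16
GATES = {"AND": lambda x, y: x & y, "NOR": lambda x, y: 1 - (x | y)}

def simulate(vector):
    """Return the value of every net for one primary-input vector."""
    values = dict(zip(INPUTS, vector))
    for name, gate, (i, j) in NETLIST:
        values[name] = GATES[gate](values[i], values[j])
    return values

def rare_nodes(sims, threshold):
    """Map each gate output to its rare value (seen in < threshold of runs)."""
    rare = {}
    for name, _, _ in NETLIST:
        p1 = sum(s[name] for s in sims) / len(sims)
        if min(p1, 1 - p1) < threshold:
            rare[name] = 1 if p1 < threshold else 0
    return rare

def reduce_patterns(vectors, sims, rare, n_times):
    """Keep vectors, most rare-node hits first, until each rare node is hit n_times."""
    hits = [[n for n, rv in rare.items() if s[n] == rv] for s in sims]
    heap = [(-len(h), idx, h) for idx, h in enumerate(hits) if h]
    heapq.heapify(heap)
    counts, kept = dict.fromkeys(rare, 0), []
    while heap and min(counts.values()) < n_times:
        _, idx, h = heapq.heappop(heap)
        if any(counts[n] < n_times for n in h):  # skip vectors that add nothing new
            kept.append(vectors[idx])
            for n in h:
                counts[n] += 1
    return kept, counts

def demo(seed=1, n_vectors=5000, n_times=3):  # the slides use 10; this toy is too small
    rng = random.Random(seed)
    draws = (tuple(rng.randint(0, 1) for _ in INPUTS) for _ in range(n_vectors))
    vectors = list(dict.fromkeys(draws))  # drop repeats; the toy has only 256 inputs
    sims = [simulate(v) for v in vectors]
    rare = rare_nodes(sims, threshold=0.1)
    return (rare, *reduce_patterns(vectors, sims, rare, n_times))
```

Calling demo() returns the rare-node map, the kept vectors and the per-node excitation counts; on this toy circuit five distinct vectors are enough to excite all three rare nodes three times each.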


3. OUR APPROACH – TOOLS – TROJAN HELPER – TROJAN SIMULATOR

The Trojan Simulator:

• Simulates a gate-level Verilog circuit

• Is synchronous, with one primary clock

• Takes as inputs a Golden Verilog circuit, an untrusted circuit, and the test pattern vector

• Propagates signals using a clock-based scheduler

• Supports AND, NAND, NOT, OR, NOR, XOR logic gates

• Is lightweight: very fast and efficient, better than running ModelSim when possible

Two use cases:

1. Used in MERO II, as Circuit Simulator, to determine excitement of rare nodes.

2. Used as Trojan Simulator to detect Trojans.


3. OUR APPROACH – TOOLS – TROJAN HELPER – SIDE-CHANNEL ANALYZER

The “Side-Channel Analyzer” program receives Design Compiler power reports of a circuit and takes into account criteria such as process variation to find out whether Trojans are present in the circuit.

Process variation: 5%

The code is a typical design synthesis using Design Compiler, with the addition of two commands: read_saif and report_power.


3. OUR APPROACH – TOOLS – TROJAN HELPER – TRANSMITTER SERVER

The “Transmitter Server” transmits Switching Activity Interchange Format data to the client.

Uses socket programming to do so.

A convenient tool to have, since the client can provide interactive user interface.

The client is described next.


3. OUR APPROACH – TOOLS (CONTINUED)

1. Trojan Helper application

B) Client-side

• Developed in Java for desktop computers, and in Android for tablets and smartphones

• Graphically shows Trojan-prone nodes that are recommended for Trojan insertion

Figure 3. Trojan Helper client UI


3. OUR APPROACH – TOOLS (CONTINUED)

2. ModelSim

• Simulate the circuit

• Calculate Value Change Dump, and store it into a .vcd file

• Perform functional test

Figure 5. Simulation of c432 with ModelSim


3. OUR APPROACH (CONTINUED)

3. Synopsys Design Compiler

Utilized to synthesize the circuit, so that side-channel analysis can be performed on it.

4. Synopsys vcd2saif command-line tool

This program enables us to convert voluminous VCD data into easily understood SAIF files.


4. RESULTS

Drastically reduced test time

Table 2. Reduction, as compared to 100K vectors


4. RESULTS

Competitively accurate test, and even more!

Table 3. Competitive accuracy


4. RESULTS - CONTRIBUTIONS

1. A better MERO test pattern generator

• Lower run-time for MERO algorithm. Why? The outer loop.

• Better patterns. Why? The inner loop.

2. An improved functional circuit test

• Tests are clearly faster than random patterns. Reduced

• Higher accuracy, hence higher Trojan coverage


4. RESULTS - CONTRIBUTIONS

3. (MAIN) Novel side-channel analysis, based on test results

Previously, power-based side-channel analyses were done using random vectors.

In our approach, the analysis was performed using smart vectors.

Hence it yields better combined results.


5. FUTURE WORK

• Automated test, we had to profile our ISCAS circuits first

• More optimized MERO

• Trojan position hypothesis

• Trojan Model

• Test accuracy: other noises

• Real Test


6. REFERENCES

[1] M. Tehranipoor and F. Koushanfar, "A Survey of Hardware Trojan Taxonomy and Detection," IEEE Design and Test, vol. PP, no. 99, pp. 10-25, Mar. 2013.

[2] R.S. Chakraborty, F. Wolff, S. Paul, C. Papachristou and S. Bhunia, "MERO: a statistical approach for hardware Trojan detection," Cryptographic Hardware and Embedded Systems (CHES'09), vol. 5747, pp. 396-410, 2009.

[3] M. Banga and M. Hsiao, "A Novel Sustained Vector Technique for the Detection of Hardware Trojans," in 22nd International Conference on VLSI Design, New Delhi, 2009.

[4] B. Mathew and D.G. Saab, "Combining multiple DFT schemes with test generation," IEEE Trans. on CAD, vol. 18, pp. 685-696, 1999.


THANK YOU

Questions

Please don’t hesitate to ask questions at the defense session.

You might also inbox me in the future, should any further question occur to you: [email protected]

The server’s virtually always down

[email protected]

My thesis LaTeX source code: