thesis 91210369
HARDWARE TROJAN DETECTION: a size-aware approach
Department of Computer Engineering
MS Thesis
Seyed Behnam Heydarshahi
WELCOME
You may scan this QR Code to access these slides on SlideShare.com right now.
This will provide you with the flexibility to jump forward or backward among my slides, regardless of my pace.
LIST OF CONTENTS
1. Introduction
2. Recent work
3. Our approach
4. Results
5. Future work
6. References
1. INTRODUCTION
HARDWARE TROJAN: extraneous hardware with malicious intent
INTENTION:
1. Data leakage
2. Changing original functionality
3. Sabotaging IC
1. INTRODUCTION (CONTINUED)
Hardware Trojan Prevention
The best way to prevent the insertion of a Hardware Trojan into an IC is to tightly control the process from end to end.
1. Prevention at Design: e.g. obfuscation, by Bhunia et al.
2. Prevention at Fabrication: e.g. IP vendor formal verification, by Jin and Makris.
3. Prevention at Post-Fabrication: e.g. reconfigurable logic programming of the circuit, by Zamberano et al.
1. INTRODUCTION (CONTINUED)
Hardware Trojan Detection
• Find out about existence of Hardware Trojans
• Fast and efficient
• Useful for industry
• Purpose of our study
Hardware Trojan Location
• Find at which exact node(s) the Trojan is placed
• Requires additional effort
• Entails long-time test
• Not our intention
2. RECENT WORK
Characteristics of Hardware Detection Approaches:
1. Destructive or Non-Destructive
2. Intrusive or Non-Intrusive
3. Performed at Design-Time or Run-Time
4. Functional Test or Side-Channel Effect Analysis
5. In Simulation or on manufactured device
3. OUR APPROACH - INTRODUCTION
Our test is Size-Aware:
1. Trojan size is:
a. Relative to the host circuit
b. Intrinsic size
2. Trojan size will help us determine which detection approach(es) to take
3. OUR APPROACH - INTRODUCTION
Our test is Combined:
1. Functional (structural) test
Verification of logical function, similar to a conventional stuck-at fault test. We will devise a Test Pattern Generation algorithm with two primary purposes:
a. To drastically reduce test vectors, which results in a faster test
b. To excite Trojan-prone nodes in the circuit, which results in an enhanced side-channel test in the next step
2. Side-channel analysis
Transient power, static power, path delay, layout area, etc. We focus on power. We also take into account “process variation”.
3. OUR APPROACH – DATA SET
CUT, and Random TPG
Circuits-Under-Test are ten combinational ISCAS-85 circuits (C series)
Input vectors: 100k Random Test Pattern Generation
MERO II
MERO: Multiple Excitement of Rare Occurrences, O(N^2)
MERO II: Input vector patterns generated by an efficient optimized MERO algorithm, O(N*Log(N))
permission from: Dr. Swarup Bhunia, Prof. at ECE Dept., Case Western Reserve University.
3. OUR APPROACH - TOOLS
1. Trojan Helper Application
A) Daemon helper
• Developed in Java for desktop computers, on Linux, Windows, Mac, etc.
Figure 2. Trojan Helper, server daemon UI
3. OUR APPROACH – TOOLS – TROJAN HELPER – TROJAN INSERTER
The “Inserter” program takes two parameters: a Verilog circuit and a size for the Trojan circuit.
The program parses the Verilog circuit into object-oriented models (Input, Output, Circuit, NetModel,…)
It then creates an AND-trigger, XOR-payload Trojan with a size determined by the second input.
The program generates a Verilog circuit as output, with the Trojan inserted at random nodes.
Program Signature: InsertTrojan <golden design hdl file path> <trojan size>
Q: Why place Trojans on random nodes and not just Rare nodes?
3. OUR APPROACH – TOOLS – TROJAN HELPER – MERO II TEST PATTERN GENERATOR
Core to our system, the “Test Pattern Generator” program receives a circuit netlist as input and generates MERO II test patterns for it.
Our approach uses heap-sort and a heuristic algorithm to reduce the time complexity of MERO from O(N^2) to O(N*Log(N)), where N is the number of random input vectors. We have used 100k for the number of vectors.
In our algorithm, the reduced pattern set excites each rare node exactly 10 times. This greatly improves the chance that the Trojan is activated and consequently detected.
On average, the 100k random patterns are reduced to 1k or fewer, which gives an 85 to 95 percent vector reduction.
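A simplified sketch of the pattern-reduction idea on this slide, added here as an illustration; it is not the thesis's MERO II implementation. Assumptions: a small constructed netlist instead of an ISCAS-85 circuit, a rareness threshold of 0.2, a plain greedy ranking in place of the heap-sort heuristic, each rare node excited at least (not exactly) 10 times, and a hypothetical two-node AND-trigger used to check that the reduced set still activates it.

```python
import random

# Constructed 10-input netlist (not an ISCAS-85 circuit), gates in topological order.
INPUTS = list("abcdefghij")
NETLIST = [("n1", "AND", "abcd"), ("n2", "NOR", "efg"), ("n3", "XOR", "hi"),
           ("n4", "NAND", ("n1", "j")), ("n5", "AND", ("n2", "n3")),
           ("out", "OR", ("n4", "n5"))]
GATES = {"AND": all, "OR": any, "NOT": lambda v: not v[0], "NAND": lambda v: not all(v),
         "NOR": lambda v: not any(v), "XOR": lambda v: sum(v) % 2 == 1}

def simulate(vector):
    """Evaluate every net for one input vector (tuple of 0/1 values)."""
    nets = dict(zip(INPUTS, vector))
    for out, gate, ins in NETLIST:
        nets[out] = int(GATES[gate]([nets[i] for i in ins]))
    return nets

def rare_nodes(vectors, theta=0.2):
    """Map each gate output to its rare value when that value's probability < theta."""
    sims = [simulate(v) for v in vectors]
    p1 = {net: sum(s[net] for s in sims) / len(sims) for net, _, _ in NETLIST}
    return {n: int(p < 0.5) for n, p in p1.items() if min(p, 1 - p) < theta}

def hits(vector, targets):
    """Nets in targets ({net: value}) that this vector drives to the given value."""
    nets = simulate(vector)
    return [n for n, val in targets.items() if nets[n] == val]

def reduce_patterns(vectors, rare, n_times=10):
    """Greedy pass: keep a vector only if it excites a rare node seen < n_times so far."""
    scored = sorted(((hits(v, rare), v) for v in dict.fromkeys(vectors)),
                    key=lambda hv: len(hv[0]), reverse=True)
    count, kept = dict.fromkeys(rare, 0), []
    for h, v in scored:
        if any(count[n] < n_times for n in h):
            kept.append(v)
            count.update({n: count[n] + 1 for n in h})
    return kept, count

def demo(n_vectors=5000, seed=2014):
    rng = random.Random(seed)  # fixed seed: constructed, repeatable random patterns
    vectors = [tuple(rng.randint(0, 1) for _ in INPUTS) for _ in range(n_vectors)]
    rare = rare_nodes(vectors)
    kept, count = reduce_patterns(vectors, rare)
    trigger = {"n1": 1, "n5": 1}  # hypothetical AND-trigger over two rare nodes
    fired = sum(len(hits(v, trigger)) == len(trigger) for v in kept)
    return rare, kept, count, fired

if __name__ == "__main__":
    print(demo())
```

Calling demo() returns the rare-node map, the reduced vector list, the per-node excitation counts and the number of reduced vectors that fire the hypothetical trigger.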
3. OUR APPROACH – TOOLS – TROJAN HELPER – TROJAN SIMULATOR
TROJAN SIMULATOR:
• Simulates a gate-level Verilog circuit
• Is synchronous, with one primary clock
• Inputs are a golden Verilog circuit, an untrusted circuit, and the test pattern vector
• Propagates signals using a clock-based scheduler
• Supports AND, NAND, NOT, OR, NOR, XOR logic gates
• Lightweight: very fast and efficient, better than running ModelSim when possible
Two use cases:
1. Used in MERO II, as circuit simulator, to determine excitement of rare nodes.
2. Used as Trojan simulator to detect Trojans.
3. OUR APPROACH – TOOLS – TROJAN HELPER – SIDE-CHANNEL ANALYZER
The “Side-Channel Analyzer” program receives Design Compiler power reports of a circuit and takes into account criteria such as process variation to find out whether Trojans are present in the circuit.
Process variation: 5%
The code is a typical design synthesis using Design Compiler, with the addition of two commands: read_saif and report_power.
3. OUR APPROACH – TOOLS – TROJAN HELPER – TRANSMITTER SERVER
The “Transmitter server” transmits Switching Activity Interchange Format data to the client.
Uses socket programming to do so.
A convenient tool to have, since the client can provide interactive user interface.
The client is described next.
3. OUR APPROACH – TOOLS (CONTINUED)
1. Trojan Helper application
B) Client-side
Developed in Java for desktop computers, and in Android for tablets and smartphones
Graphically shows the Trojan-prone nodes that are recommended for Trojan insertion
Figure 3. Trojan Helper client UI
3. OUR APPROACH – TOOLS (CONTINUED)
2. ModelSim
• Simulate the circuit
• Calculate Value Change Dump, and store it into a .vcd file
• Perform functional test
Figure 5. Simulation of c432 with ModelSim
3. OUR APPROACH (CONTINUED)
3. Synopsys Design Compiler
Utilized to synthesize the circuit, in order to perform side-channel analysis on it.
4. Synopsys vcd2saif command-line tool
This program enables us to convert voluminous VCD data into easily understood SAIF files.
4. RESULTS - CONTRIBUTIONS
1. A better MERO test pattern generator
• Lower run-time for the MERO algorithm. Why? The outer loop.
• Better patterns. Why? The inner loop.
2. An improved functional circuit test
• Tests are clearly faster than random patterns. Reduced
• Higher accuracy, hence higher Trojan coverage
4. RESULTS - CONTRIBUTIONS
3. (MAIN) Novel side-channel analysis, based on test results
Previously, power-based side-channel analyses were done using random vectors.
In our approach, the analysis was performed using smart vectors.
Hence it yields better combined results.
5. FUTURE WORK
• Automated test, we had to profile our ISCAS circuits first
• More optimized MERO
• Trojan position hypothesis
• Trojan model
• Test accuracy: other noises
• Real test
6. REFERENCES
[1] M. Tehranipoor and F. Koushanfar, "A Survey of Hardware Trojan Taxonomy and Detection," IEEE Design and Test, vol. PP, no. 99, pp. 10-25, Mar. 2013.
[2] R.S. Chakraborty, F. Wolff, S. Paul, C. Papachristou and S. Bhunia, "MERO: a statistical approach for hardware Trojan detection," Cryptographic Hardware and Embedded Systems (CHES'09), vol. 5747, pp. 396-410, 2009.
[3] M. Banga and M. Hsiao, "A Novel Sustained Vector Technique for the Detection of Hardware Trojans," in 22nd International Conference on VLSI Design, New Delhi, 2009.
[4] B. Mathew and D.G. Saab, "Combining multiple DFT schemes with test generation," IEEE Trans. on CAD, vol. 18, pp. 685-696, 1999.
THANK YOU
Questions
Please don’t hesitate to ask questions at the defense session.
You might also inbox me in the future, should any further question occur to you: [email protected]
The server’s virtually always down
My thesis LaTeX source code: