Hardware Trojan Threats and Countermeasures Lecture 1 PDF
Document Details
Uploaded by CooperativeJacksonville
Nanyang Technological University
2021
Gwee Bah Hwee and Cheng Deruo
Summary
This document is a lecture on Hardware Trojan Threats and Countermeasures. The lecture covers the various aspects of hardware Trojan security and countermeasures with practical examples. It covers topics such as defining hardware Trojans, their different types and impact, and methods of detection, along with various countermeasures.
Full Transcript
Hardware Trojan Threats and Countermeasures
A/P Gwee Bah Hwee, Dr Cheng Deruo
© 2021 Nanyang Technological University, Singapore. All Rights Reserved.

Course Objectives
This course aims to introduce the concept and taxonomy of hardware Trojans with practical examples, and to provide both destructive and non-destructive countermeasures against hardware Trojans. Upon completion of this course, the learners will be able to:
▪ Define hardware Trojans
▪ Describe the various types of hardware Trojans
▪ Describe the potential impact of different types of hardware Trojans
▪ Differentiate between destructive and non-destructive approaches for hardware Trojan detection
▪ Describe and classify different countermeasures against hardware Trojans

Course Structure
Live Online Sessions (5.5 hrs)
– Lecture 1: Introduction to Hardware Trojan and Threats, 09:30 - 11:30 on 2nd Nov
– E-consultation, 19:30 - 21:00 on 6th Nov
– Lecture 2: Hardware Trojan Detection and Countermeasures, 09:30 - 11:30 on 9th Nov
Asynchronous E-learning (5.5 hrs)
– A Worked Example (will be discussed during the E-consultation)
– 3 Videos:
  A Real-World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations (15 mins)
  DFECON 16: Demonstration of Hardware Trojans (18 mins)
  Hardware Trojans in Wireless Cryptographic Integrated Circuits (71 mins)
– A Survey Paper: Ten Years of Hardware Trojans: A Survey From The Attacker's Perspective
Assessment
– Class Participation (10% + 5% + 10%)
– Online Quiz (75%)

Instructor Information
Assoc Prof Gwee Bah Hwee, School of EEE, NTU. Email: [email protected]
Dr Cheng Deruo, Temasek Laboratories, NTU. Email: [email protected]
Overview of Lecture 1
▪ Introduction to Hardware Trojan
▪ Taxonomy & Examples of Hardware Trojan
▪ Countermeasures for Hardware Trojan
  ▪ Run-time Monitoring

Introduction to Hardware Trojan

Security Concerns on Hardware Trojan
“Additional chips were hidden under coils and capacitors. These are barely noticeable on microscopic examination and even on X-ray due to the numerous metal layers. Solder points and additional conductor tracks can reveal the additional chips. However, if these are wired as chip-on-board with aluminium bonds, they are almost invisible.”
https://www.ihp-microelectronics.com/news/detail/threat-from-hardware-trojans-study-shows-manipulation-possibilities

D. E. Sanger and T. Shanker, ‘‘N.S.A. Devises Radio Pathway Into Computers,’’ The New York Times, Jan. 14, 2014. [Online]. Available: http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html

“Using an innovative patented technique we were able to detect and analyse in the first documented case of its kind, a backdoor inserted into the Actel/Microsemi ProASIC3 chips. … we were able to extract the secret key to activate the backdoor. This way an attacker can disable all the security on the chip, reprogram crypto and access keys, modify low-level silicon features, access unencrypted configuration bitstream or permanently damage the device. … Most concerning, it is not possible to patch the backdoor in chips already deployed, meaning those using this family of chips have to accept the fact it can be easily compromised or it will have to be physically replaced after a redesign of the silicon itself.”
S. Skorobogatov and C. Woods, ‘‘Breakthrough Silicon Scanning Discovers Backdoor in Military Chip,’’ Workshop on Cryptographic Hardware and Embedded Systems (CHES), 2012.

“Last September, Israeli jets bombed a suspected nuclear installation in northeastern Syria. Among the many mysteries still surrounding that strike was the failure of a Syrian radar—supposedly state-of-the-art—to warn the Syrian military of the incoming assault.”
“Post after post speculated that the commercial off-the-shelf microprocessors in the Syrian radar might have been purposely fabricated with a hidden “backdoor” inside. By sending a preprogrammed code to those chips, an unknown antagonist had disrupted the chips’ function and temporarily blocked the radar.”
S. Adee, “The Hunt For The Kill Switch,” IEEE Spectrum, vol. 45, no. 5, pp. 34 – 39, May 2008.

“Instead of crappy Chinese fakes being put into Navy weapons systems, the chips could have been hacked, able to shut off a missile in the event of war or lie around just waiting to malfunction.”
“The Intelligence Advance Research Projects Agency, the spy community’s way-out research arm, is looking to avoid a repeat. The Trusted Integrated Circuit program is IARPA’s attempt to keep foreign adversaries from messing with our chips – and check the circuits for backdoors once they’ve been made.”
A. Rawnsley, ‘‘Fishy Chips: Spies Want to Hack-Proof Circuits,’’ Wired, Jun. 24, 2011. [Online]. Available: http://www.wired.com/dangerroom/2011/06/chips-oy-spies-want-to-hack-proof-circuits/

Hardware Trojan
▪ A Hardware Trojan (HT) is a malicious modification of the circuitry of an integrated circuit.
▪ Malicious modification refers to undesired changes made to the circuit by adversaries with bad intentions, for example to bypass or disable the security fence of a system, or even to disable, damage or destroy the entire chip or components of it.
▪ Possible consequences
  ▪ Disrupt major national infrastructure by causing malfunction in electronics used in mission-critical systems
  ▪ Leak secret information from inside a chip
  ▪ Provide back doors for on-chip manipulation

Hardware Trojan
▪ The entire IC design flow involves multiple parties; any party can be a potential adversary who inserts hardware Trojans.
▪ Ideally, hardware Trojans should be detectable by pre-/post-silicon verification, but such detection is usually not the case because:
  ❖ It is difficult to perform exhaustive verification
  ❖ Hardware Trojans could be inserted into only some ICs on a wafer, not the entire population
  ❖ Stealthy nature of hardware Trojans: triggered under rare circuit conditions

Hardware Trojan: parties in the IC supply chain
IP Vendor (pre-silicon): sells soft IP cores; can insert Trojans in the IP.
System Designer (pre-silicon): buys IP from the IP vendor; has to detect any Trojan in the IP core; can insert a Trojan in the final design.
Foundry (pre-silicon): manufactures the final design; can insert a Trojan in the layout before fabrication.
Chip Vendor or User (post-silicon): receives the fabricated chips; has to assert hardware Trojan security before deployment.
Hardware Trojan
Trojan generally refers to threats related to unauthorized access without the knowledge of developers or manufacturers. The threats come mainly from insiders (not outsiders), including collaborators, internal moles, the foundry, and other players along the product supply chain. These threats are somewhat "active" threats.

Taxonomy & Examples of Hardware Trojan

Hardware Trojan
General structure of a hardware Trojan: activation mechanisms are referred to as ‘triggers’ and effects are referred to as ‘payloads’.

Trojan Taxonomy – Version 1
▪ Trigger – activation mechanisms (criteria that cause a hardware Trojan to become active), classified by the type of circuit implementation
▪ Payload – functionality interruption

Trojan Taxonomy – Version 2
▪ Physical characteristics – hardware manifestation of the hardware Trojan
▪ Activation characteristics – the criteria that cause a hardware Trojan to become active (based on the control means)
▪ Action characteristics – types of disruptive behavior
Source: X. Wang, M. Tehranipoor, J. Plusquellic, “Detecting Malicious Inclusions in Secure Hardware: Challenges and Solutions,” Proc. IEEE HOST, Anaheim, CA, USA, 13–14 June 2008, pp. 15–1

Trojan Taxonomy – Version 3
Source: “Introduction to Hardware Security and Trust”, Editors: M. Tehranipoor and Cliff Wang, Chapter 14, by Ramesh Karri, J. Rajendran and K. Rosenfeld

Trojan Taxonomy – Version 3 (1/5): What are the different insertion phases during design?
▪ Design Phase – phase of insertion (during the development cycle)
  ▪ Specification – characteristics of the system are defined (e.g., target environment, expected function, size, power, delay, etc.)
  ▪ Design – functional, logical, timing, physical constraints
  ▪ Fabrication – masks, sub-masks, chemical composition change (e.g., to alter power lines)
  ▪ Test – testing used in part to insert hardware Trojans
  ▪ Assembly/Packaging – suspicious components attached (e.g., unshielded wire)

Trojan Taxonomy – Version 3 (2/5): What are the different abstraction levels for Trojan insertion?
▪ Abstraction Level – phase of insertion (during the implementation cycle)
  ▪ System level – hardware modules, interconnections, and communication protocols
  ▪ Development environment – via synthesis, simulation, verification, and validation tools
  ▪ Register transfer level – functionality description (high risk)
  ▪ Gate level – Boolean expressions (high risk)
  ▪ Transistor level – electrical characteristics (high risk)
  ▪ Layout level – dimensions/locations of all circuit components

Trojan Taxonomy – Version 3 (3/5): What are the different activation phases?
▪ Activation Mechanism – phase of activation
  ▪ Always-on – usually as parametric hardware Trojans
  ▪ Internally triggered – time-based (time bomb) or physical-condition-based (e.g., triggered by temperature)
  ▪ Externally triggered – external user input (push-buttons, switches, keywords, patterns, data stream) or external component (e.g., sensors)

Trojan Taxonomy – Version 3 (4/5): What are the different Trojan effects?
▪ Effects – response
  ▪ Change functionality – subtle errors (e.g., malfunction)
  ▪ Reduce reliability – fault insertion, power increase, speed penalty
  ▪ Leak information – signal transmission, side-channel leakage
  ▪ Denial of service – bandwidth exhaustion, part damage, change of configuration

Trojan Taxonomy – Version 3 (5/5): What are the different locations for Trojan insertion?
▪ Location – physical location
  ▪ Processing units – logical change, execution order of instructions
  ▪ Memory unit – change of program data, memory leakage
  ▪ I/O units – communication protocols
  ▪ Power supply units – change of voltage/current to the chip
  ▪ Clock grids – frequency change or clock stopping, or similar scenarios in a reset grid

Hardware Trojan Example: Conceptual
▪ Combinational Trojan – contains no state elements (registers or latches); triggered by a combination of rare conditions at a number of nodes
▪ Sequential Trojan – harder to detect; triggered by a rare sequence of states that must be traversed (e.g., an asynchronous counter)
S. Bhunia, M. S. Hsiao, M. Banga, and S. Narasimhan, “Hardware Trojan Attacks: Threat Analysis and Countermeasures,” Proceedings of the IEEE, vol. 102, no. 8, pp. 1229 – 1247, 2014.

Hardware Trojan Example: Software Control
▪ Sequential Trojan designed as an FSM (finite state machine) that monitors for a specific sequence of instructions and data
▪ Once triggered, the software IP or encryption key is leaked through an output port or stored in unprivileged idle memory locations
▪ Design-phase Trojan inserted in the control logic of an 8051 microcontroller
▪ Area overhead is low for combinational logic but relatively large for FFs (flip-flops); the % overhead could be lower if targeting more complex processors
X. Wang, T. Mal-Sarkar, A. Krishna, S. Narasimhan, and S. Bhunia, “Software Exploitable Hardware Trojans in Embedded Processor,” in 2012 IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems, pp. 55 – 58, 2012.

Hardware Trojan Example: Security Risk in FSM Design
▪ Don’t-care state: a 3-state FSM implemented with 2 FFs. For state B and input 0, the next state and output are unspecified: a don’t-care transition.
▪ With the actual implementation, 1 more state and 4 more transitions are introduced. State ‘00’ (state A) becomes accessible (unsafe).
C. Dunbar and G. Qu, “Designing Trusted Embedded Systems from Finite State Machines,” ACM Transactions on Embedded Computing Systems, vol. 13, no. 5s, pp. 1 – 20, 2014.

Hardware Trojan Example: Attack on FSM Design
Case 1: Existing Vulnerability
▪ No design modification allowed
▪ Rely on an existing security vulnerability introduced by the traditional FSM design flow
▪ Attempt to find a path from state A to state B that does not exist in the specification
▪ Attacking procedure: perform a random walk from state A with a random input sequence; the attack is successful if state B is accessible
Case 2: Inserted Trojan (Design Phase)
▪ Can modify the FSM implementation
▪ Attempt to establish a path from state A to state B that does not exist in the specification
▪ Attacking procedure: look for any don’t-care transition from state A and make state B the next state for that transition; if all transitions from state A are specified, look for any don’t-care transition from any state reachable from state A
C. Dunbar and G. Qu, “Designing Trusted Embedded Systems from Finite State Machines,” ACM Transactions on Embedded Computing Systems, vol. 13, no. 5s, pp. 1 – 20, 2014.
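The don't-care hazard in the two FSM slides above, as an added Python example (not from the lecture or from Dunbar & Qu): a reachability check over a constructed 3-state machine on two flip-flops whose (B, input 0) entry is unspecified, showing that the unused code becomes reachable once synthesis fills the don't-care, and that a fully specified transition table closes the path. State names, encoding and the fill rule are assumptions.

```python
"""Reachability check for an FSM with an unspecified (don't-care) transition.

Added example (not from the lecture or Dunbar & Qu): states, two-flip-flop
encoding and the undefined (B, input 0) entry are constructed to mirror the
slide. A synthesis tool's arbitrary fill of the don't-care can make the unused
fourth code "00" reachable; fully specifying the table closes that path.
"""

# Constructed specification: states A, B, C; (B, 0) left as a don't-care.
SPEC = {
    ("A", 0): "A", ("A", 1): "B",
    ("B", 1): "C",                               # (B, 0) is not specified
    ("C", 0): "A", ("C", 1): "C",
}
ENCODING = {"A": "01", "B": "10", "C": "11"}     # "00" is never assigned a state
INPUTS = (0, 1)
ALL_CODES = ("00", "01", "10", "11")             # everything two flip-flops can hold

def unspecified(spec, states, inputs=INPUTS):
    """(state, input) pairs the specification leaves undefined."""
    return [(s, i) for s in states for i in inputs if (s, i) not in spec]

def implement(spec, encoding, fill):
    """Model synthesis: map states to codes and let `fill` decide every
    don't-care. `fill` stands in for the tool's arbitrary (area-driven)
    choice, which the designer cannot predict."""
    table = {(encoding[s], i): encoding[n] for (s, i), n in spec.items()}
    for code in ALL_CODES:
        for i in INPUTS:
            table.setdefault((code, i), fill(code, i))
    return table

def reachable(table, start):
    """Codes reachable from `start` under any input sequence (graph search)."""
    seen, frontier = {start}, [start]
    while frontier:
        code = frontier.pop()
        for i in INPUTS:
            nxt = table[(code, i)]
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen

def unused_code_reachable(spec, encoding, fill, start="A"):
    """True if a code that names no specified state is reachable from `start`."""
    used = set(encoding.values())
    codes = reachable(implement(spec, encoding, fill), encoding[start])
    return any(c not in used for c in codes)

# Hardened specification: every (state, input) pair is defined, so synthesis
# has no freedom; the added arc sends B back to A on input 0.
SAFE_SPEC = {**SPEC, ("B", 0): "A"}

if __name__ == "__main__":
    cheapest = lambda code, i: "00"              # one plausible area-minimal fill
    print("don't-cares:", unspecified(SPEC, ENCODING))
    print("unused code reachable (spec):", unused_code_reachable(SPEC, ENCODING, cheapest))
    print("unused code reachable (safe):", unused_code_reachable(SAFE_SPEC, ENCODING, cheapest))
```

Running `unspecified` over the specification is the lint a designer wants before synthesis; an empty list means the tool has no arbitrary choices to make.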
Hardware Trojan Example: Analog Trigger
▪ Trojan design based on charge accumulating on a capacitor from nearby wires inside a processor
▪ Once fully charged, a privilege escalation attack is deployed by toggling the privilege bit in the processor
▪ Fabrication-phase Trojan inserted in the layout
▪ Small and low impact on area, power and timing
▪ Careful design for a reliable attack and for avoiding activation in normal operation under PVT (process, voltage, temperature) variations
▪ Selection of trigger inputs with low baseline activity and controllability given the expected level of access of the attacker
K. Yang, M. Hicks, Q. Dong, T. Austin, and D. Sylvester, “A2: Analog Malicious Hardware”, in 2016 IEEE Symposium on Security and Privacy (SP), pp. 18 – 37.

Hardware Trojan Example: Side Channel
▪ Information leakage conveyed by side-channels is composed of analog signals and must be interpreted through advanced off-chip signal analyses
▪ Capable of leaking multi-bit information below the noise power level of the host IC to evade evaluators’ detection
▪ Modulate each key bit with a long pseudo-random number (PN) sequence by an XOR operation, and connect the output of each XOR to a capacitive load that leaks a small amount of power when a 0->1 logic transition occurs: a power side-channel
▪ Only the attacker who chooses the PN sequences can demodulate the side-channel leakage
L. Lin, W. Burleson, and C. Paar, “MOLES: Malicious Off-Chip Leakage Enabled by Side-Channels,” in 2009 IEEE/ACM International Conference on Computer-Aided Design, pp. 117 – 122, 2009.

Hardware Trojan Example: Wireless Transmission
▪ Leaking the AES encryption key by hiding it in the wireless transmission amplitude / frequency margins allowed for process variations
▪ Area overhead of 0.005% and 0.025%, power overhead of 0.4% and 0.1%
▪ Detection evasion: no change in functionality and no violation of circuit and system specifications
Y. Liu, Y. Jin, A. Nosratinia, and Y. Makris, “Silicon Demonstration of Hardware Trojan Design and Detection in Wireless Cryptographic ICs,” IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 25, no. 4, pp. 1506 – 1519, 2017.
(Figure slides: Wireless Transmission Trojan I and Trojan II, each comparing the transmission for a ciphertext bit of value “1” against a ciphertext bit of value “0”; same source.)

Hardware Trojan Example: Board Level Trojans
▪ Fabrication-phase Trojans – modifications of signal traces
▪ Design-phase Trojans – insertion of additional components; replacement of existing components
S. Ghosh, A. Basak, and S. Bhunia, “How Secure Are Printed Circuit Boards Against Trojan Attacks?” IEEE Design & Test, vol. 32, no. 2, pp. 7 – 16, 2015.
Hardware Trojan Examples
Trigger conditions of the conceptual Trojans as sketched on the slide (Verilog fragment): the combinational trigger checks rare node values, the sequential trigger checks a counter against N, and only when both hold does the payload drive the modified value onto C.

```verilog
always @(posedge CLK)
  if ({A, B} == 2'b00)       // combinational trigger: both rare nodes are 0
    if (counter == N)        // sequential trigger: the counter has reached N
      C <= Cmodified;        // payload: the altered value replaces the correct output
```
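The trigger structure in the fragment above, together with the combinational-versus-sequential comparison from the Conceptual example slide, as an added Python example (not from the lecture): it quantifies how likely random functional test vectors are to fire each kind of trigger and how many cycles a test campaign needs for a given confidence. Node probabilities, N and cycle counts are constructed.

```python
"""How rare-condition triggers escape random functional testing.

Added example, not from the lecture: it quantifies the trigger in the Verilog
fragment above, i.e. a combinational trigger that fires when the rare internal
nodes A and B are both 0, and a sequential variant whose counter must reach N
such events first. Node probabilities, N and cycle counts are constructed.
"""
import math
import random

def p_comb_fires(p_a, p_b, cycles):
    """P(combinational trigger fires at least once in `cycles` random cycles)."""
    p_event = p_a * p_b                         # both rare nodes low in one cycle
    return 1.0 - (1.0 - p_event) ** cycles

def p_seq_fires(p_a, p_b, cycles, n):
    """P(the rare event occurs >= n times in `cycles` cycles, so the counter
    reaches N). Computed as 1 - P(fewer than n events) to keep the sum short."""
    p_event = p_a * p_b
    below = sum(math.comb(cycles, k) * p_event**k * (1 - p_event) ** (cycles - k)
                for k in range(n))
    return max(0.0, 1.0 - below)

def cycles_for_confidence(p_a, p_b, target):
    """Random test cycles needed to fire the combinational trigger with P >= target."""
    p_event = p_a * p_b
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_event))

def simulate(p_a, p_b, cycles, n, trials=200, seed=1):
    """Monte Carlo cross-check: fraction of random test runs that fire each trigger."""
    rng = random.Random(seed)
    comb_hits = seq_hits = 0
    for _ in range(trials):
        count = 0                                # the Trojan's event counter
        for _ in range(cycles):
            if rng.random() < p_a and rng.random() < p_b:   # A == 0 and B == 0
                count += 1
        comb_hits += count >= 1
        seq_hits += count >= n
    return comb_hits / trials, seq_hits / trials

if __name__ == "__main__":
    p_a = p_b = 0.05                             # each rare node is 0 in 5% of cycles
    cycles, n = 1000, 8
    print("combinational trigger:", round(p_comb_fires(p_a, p_b, cycles), 4))
    print("sequential trigger   :", round(p_seq_fires(p_a, p_b, cycles, n), 4))
    print("monte carlo (comb, seq):", simulate(p_a, p_b, cycles, n))
    print("cycles for 99% coverage when each node is 0 in 1% of cycles:",
          cycles_for_confidence(0.01, 0.01, 0.99))
```

With these constructed numbers the same 1000-cycle random test fires the combinational trigger about 92% of the time but the N=8 sequential trigger well under 1% of the time, which is the detection gap the Conceptual slide points at.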