Hardware Trojans

Question 1

what is a hardware trojan?

Answer 1

A malicious addition or modification to the existing circuit elements

Question 2

what are 3 effects of HT?

Answer 2

• Change functionality
• Drain resources
• Leak secret info

Question 3

Specification phase

Answer 3

• Designers map out what requirements of chip (power, timing, etc)
• HTs can change functional specifications

Question 4

Design phase

Answer 4

• Designers consider functional, logical, timing, and physical constraints
• HT can be in any component in the design

Question 5

fabrication phase

Answer 5

• When the chip is physically made

- Subtle mask changes can have a serious effect

Question 6

testing phase

Answer 6

• Great opportunity to test for HT

- Need to make sure that the test vectors are kept secret so that adversary cannot make test vectors that will hide HT

Question 7

assembly phase

Answer 7

• Chip is combined with other circuitry on PCB

- Every interface where components interact is a place for HT

Question 8

name the 2 components of HT

Answer 8

trigger and payload

Question 9

can HT be removed?

Answer 9

not without replacing the hardware of a computer

Question 10

no-trigger activation

Answer 10

HT is always on

Question 11

trigger activation

Answer 11

needs either internal or external event in order to active

Question 12

how long do triggered HTs remain active?

Answer 12

indefinitely, a specific amount of time, or until a specific condition

Question 13

internal triggers

Answer 13

time-based or event-based events (counter or temperature threshold)

Question 14

External triggers

Answer 14

based on input from outside the chip

Question 15

combination trojan

Answer 15

“I need to see these two inputs to activate”

Question 16

sequential trojan

Answer 16

“I need x, y, and z to happen in order to activate”

Question 17

Pre-silicon HT detection

Answer 17

non-destructive, cannot detect HT after design phase

Question 18

Post-Silicon HT detection

Answer 18

functional testing (not accurate) or SC

Question 19

Failure-based HT detection techniques

Answer 19

Use techniques usually reserved for determining why a chip failed to look for HT. time-consuming and expensive, not meant to be used on every chip

Question 20

Automatic Test Pattern Generation (ATPG)

Answer 20

HT detection. Fuzzing but for chips ==> automatically create test vectors. Good for HT that modify components, but not good for adding logic (because we don’t know to test for it). not good if we dont know activation criteria

Question 21

IDDQ

Answer 21

HT detection SC. Every gate leaks power even when in idle state. Measure power in quiescent (idle) state => if extra gate, there will be more power leakage

Question 22

IDDT

Answer 22

Power side channel via dynamic power

Question 23

Path delay

Answer 23

• Additional gates and capacitance will cause circuit to take longer to do a computation
• Even if those gates are not directly involved (i.e. not activated yet), if they are connected to other components, they will cause a slight delay

Question 24

Challenges with path delay

Answer 24

• Can be small increase that is hard to spot
• Hard to get complete code coverage
• Chips are not completely constant in speed

Question 25

What is path delay better at detecting that power SC?

Answer 25

• Distributed HT

- Hard-to-activate HT

Question 26

why must delay measurements be part of circuitry?

Answer 26

Need to be able to measure all internal paths (not just the ones exposed by pins)

Question 27

Shadow / clock register path delay detection

Answer 27

• Have a shadow register (different from regular register) that latches the results of each circuit output
• Have a shadow clock that runs ‘shadow’ to system clock
• At end of shadow clock cycle, shadow registers get set
• Repeatedly shift shadow clock earlier and earlier to measure the timing of a path
• Can tell when to stop because the two registers won’t be equal

Question 28

Clock Sweeping

Answer 28

Can measure delay also by speeding up the clock until the path fails to compute correctly

Question 29

4 benefits of using back-scattering for HT detection

Answer 29

• Does not require trojan to be active
• Can detect small and fast switching HT activities
• Signal strength is not dependent on device/HT
• Can pick frequency => help with SNR

Question 30

backscattering detection

Answer 30

• Use amplitude ratios from the spectrogram
• Ratios are used to normalize the signal since amplitude can change based on strength of our transmitter
• Use spectrogram so that we are not looking for one tiny blip in an entire run of a program
• Collect trace from non-HT chip to compare other traces to

Question 31

how does activation size affect backscattering detection?

Answer 31

Easier to detect HT with larger activation size

Question 32

how does payload size affect backscattering detection

Answer 32

it doesnt

Question 33

how does HT location affect backscattering detection

Answer 33

easier to detect HT with triggers that are farther away from the rest of the circuit. payload location doesnt matter

Question 34

power ranking of detection sc (esp for dormant trojans)

Answer 34

Backscatter&raquo_space; EM&raquo_space; Power