Trojans Flashcards
Hardware Trojan
A malicious, intentional addition or modification to the existing circuit
elements
Using Hardware Trojans to
- Change the functionality (e.g., deactivating authentication or encryption)
- Reduce the reliability (e.g., accelerate aging)
- Leak valuable information (e.g., bypassing the side-channel protections, providing backdoors, etc.)
Hardware Trojan Targets
Vulnerability of chips to additions/deletions/alterations of the circuit structure, or to modification of manufacturing process steps, that cause reliability issues in ICs in applications such as:
- Defense/military applications
- Aerospace applications
- Civilian security-critical applications
- Financial applications
- Transportation applications
General Structure of a Hardware Trojan
- Trigger logic is responsible for the activation mechanism
- Payload logic is responsible for the effect
- A hardware Trojan causes a malfunction by modifying signal S to S´
- Activated only under very rare conditions
- Trojans are stealthy: they evade detection under the conventional post-manufacturing test/validation process.
Insertion Phase - Specification phase:
Definition of the system's characteristics
- For example, a Trojan changes the hardware's timing requirements
Insertion Phase - Design Phase
Design gets implemented for the target technology
- Trojans might be in any of the components that aid the design (third-party IP blocks and standard cells).
- For example, a standard cell library can be tampered with Trojans
- Insertion during design → HDL level Trojans
- Combinational and Sequential Trojans
Insertion Phase - Fabrication Phase
Creation of mask set and use wafer to create mask
- Changing dopant concentration to increase the aging (Time Bombs)
- Modifying dopant polarity
- Modifying the layout (= chip functionality)
- Insertion during fabrication → Layout Trojans
Insertion Phase - Testing phase
Modifying automatic test pattern generators → reduces the chance that the Trojan gets detected
Insertion Phase - Assembly
Assemble components on a PCB
- For example, adding an unshielded wire → electromagnetic coupling → side-channel leakage
Abstraction Level - System level:
Trojan can be triggered by a system component, e.g. by specific ASCII input from the keyboard
Abstraction Level - RTL level:
Manipulating the RTL design, e.g., half the rounds of a cryptographic implementation
Abstraction Level - Gate level:
Trojan consisting of basic gates (AND, XOR, OR) that monitor the chip's inner signals
Abstraction Level - Transistor level:
Insert, remove, or change the functionality or size of transistors → delay and reliability changes
Abstraction Level - Physical level:
Change, insert, or remove wires → add/remove connections, change timing
Activation Mechanisms
Always on
Triggered
- Internally triggered: time-based or physical-condition-based, e.g. counter, temperature threshold
- Externally triggered: triggered by user input or component output
Payload
Change functionality
- e.g., a Trojan might cause an error detection module to accept inputs that normally should be rejected
Downgrade performance (power, delay)
- e.g., insert more buffers to drain the battery more quickly
Leak information
- covert and overt channels, all kinds of side-channels, unused ports; e.g. leak a cryptographic key
Denial-of-Service
- exhaust resources, destroy device, disable device/functionality, alter configuration
Location
Random logic
- insertion into synthesized logic portion of the IC
- very hard to detect
Processing unit
- insertion into logic units that are part of a processor
- e.g., change instruction order
Crypto accelerator
- e.g., leak sensitive information, compromise security, replace
keys
Memory units
- alter content stored in memory
I/O ports
- control over communication
Power supply
- alter voltage, e.g., to cause failures
Clock grid
- e.g., glitches, fault attacks, halt clock
Trojans in Cryptographic Engines
A Trojan that attempts to leak a secret key from inside a cryptographic IC through power side-channels, using a technique called malicious off-chip leakage enabled by side-channels (MOLES)
- Another possibility: the payload could be a mechanism that presents dummy keys predefined by the attacker
Trojans in General-Purpose Processors
- An attacker at the fabrication facility can implement a backdoor, which can be exploited in the field by a software adversary.
- The attacker at an untrusted fabrication facility could implement a backdoor which disables the secure booting mechanism under certain rare conditions, or when presented with a unique rare input condition in the hands of an end-user adversary
Hardware Trojan Designs
HDL level Trojans → Insertion during design
- Combinational and Sequential Trojans
Layout Trojans → Insertion during fabrication
- Changing dopant concentration to increase the aging (Time Bombs)
- Modifying dopant polarity
- Modifying the layout (= chip functionality)
HDL Level - Combinational Trigger
Activation depends on the occurrence of a particular condition at certain nodes of the circuit (here A = 0 and B = 0)
HDL Level - Sequential Trigger
- Activation depends on the occurrence of a specific sequence of logic values at internal nodes (time bomb)
- Synchronous k-bit counter which activates when the count reaches 2^k − 1
HDL Level - Asynchronous Trigger
Sequential Trojan independent of the system clock:
- the count is increased not by the clock, but by a rising transition at the output of an AND gate with inputs p and q
HDL Level - Hybrid Trigger
- Combination of combinational and sequential Trojans: the counts of both a synchronous and an asynchronous counter simultaneously determine the Trojan trigger condition
- More complex state machines of different types and sizes can be used to generate the trigger condition based on a sequence of rare events