Trojans Flashcards

1
Q

Hardware Trojan

A

A malicious, intentional addition to, or modification of, the existing
circuit elements of an IC

2
Q

Using Hardware Trojans to

A
  • Change the functionality (e.g., deactivating authentication or
    encryption)
  • Reduce the reliability (e.g., accelerate aging)
  • Leak valuable information (e.g., bypassing side-channel
    protections, providing backdoors, etc.)
3
Q

Hardware trojan Targets

A

Chips are vulnerable to additions, deletions or alterations of the
circuit structure, or to modification of manufacturing process
steps, that cause functional or reliability issues in ICs used in
applications such as:
- Defense/military applications
- Aerospace applications
- Civilian security-critical applications
- Financial applications
- Transportation applications

4
Q

General Structure of a Hardware Trojan

A
- Trigger logic implements the activation mechanism
- Payload logic implements the effect
- A hardware Trojan causes a malfunction by modifying an
internal signal S to S´
- Activated only under very rare conditions
- Trojans are stealthy: they evade detection under the
conventional post-manufacturing test/validation process
5
Q

Insertion Phase- Specification phase:

A

Definition of the system’s characteristics
- For example, a Trojan changes the hardware’s timing
requirements

6
Q

Insertion Phase- Design Phase

A

The design is implemented for the target technology
- Trojans might be in any of the components that aid the
design (third-party IP blocks and standard cells)
- For example, a standard cell library can be tampered with
to include Trojans
- Insertion during design » HDL-level Trojans
- Combinational and sequential Trojans

7
Q

insertion phase- Fabrication Phase

A

Creation of the mask set and use of the masks to pattern the wafer
- Changing the dopant concentration to accelerate aging
(time bombs)
- Modifying the dopant polarity
- Modifying the layout = changing the chip’s functionality
- Insertion during fabrication » layout Trojans

8
Q

Insertion Phase : Testing phase

A

Modifying automatic test pattern generation (ATPG) » reduces the
chance that the Trojan gets detected

9
Q

Insertion Phase - Assembly

A

Components are assembled on a PCB
- For example, adding an unshielded wire » electromagnetic
coupling » side-channel leakage

10
Q

Abstraction Level- System level:

A

A Trojan can be triggered by a system component,
e.g. by a specific ASCII input from the keyboard

11
Q

Abstraction Level - RTL level:

A

Manipulating the RTL design, e.g., halving the number of rounds
of a cryptographic implementation

12
Q

Abstraction Level- Gate level

A

A Trojan consisting of basic gates (AND, XOR, OR) that
monitor the chip’s internal signals

13
Q

Abstraction Level - Transistor level:

A

Insert or remove transistors, or change their functionality or
size » delay and reliability changes

14
Q

Abstraction Level - Physical level:

A

Change, insert or remove wires » add/remove connections,
change timing

15
Q

Activation Mechanisms

A

Always on
Triggered
- Internally triggered: time-based or physical-condition-based;
e.g. a counter or a temperature threshold
- Externally triggered: triggered by user input or
component output

16
Q

Payload

A

Change functionality
- e.g., a Trojan might cause an error detection module to
accept inputs that normally should be rejected

Downgrade performance (power, delay)
- e.g., insert more buffers to drain the battery more quickly

Leak information
- covert and overt channels, all kinds of side channels,
unused ports; e.g., leak a cryptographic key

Denial of service
- exhaust resources, destroy the device, disable the
device/functionality, alter configuration

17
Q

Location

A

Random logic
- insertion into the synthesized logic portion of the IC
- very hard to detect

Processing unit
- insertion into logic units that are part of a processor
- e.g., change instruction order

Crypto accelerator
- e.g., leak sensitive information, compromise security, replace
keys

Memory units
- alter content stored in memory

I/O ports
- control over communication

Power supply
- alter voltage, e.g., to cause failures

Clock grid
- e.g., glitches, fault attacks, halt the clock

18
Q

Trojans in Cryptographic Engines

A

A Trojan that leaks a secret key from inside a cryptographic IC
through the power side channel, using a technique called
Malicious Off-chip Leakage Enabled by Side channels (MOLES)

  • Another possibility: the payload could be a mechanism that
    substitutes dummy keys predefined by the attacker
19
Q

Trojans in General-Purpose Processors

A
  • An attacker at the fabrication facility can implement a
    backdoor which can be exploited in the field by a software adversary
  • The attacker at an untrusted fabrication facility could
    implement a backdoor which disables the secure boot
    mechanism under certain rare conditions, or when
    presented with a unique rare input condition in the hands
    of an end-user adversary
20
Q

Hardware Trojan Designs

A

HDL-level Trojans » insertion during design
- Combinational and sequential Trojans

Layout Trojans » insertion during fabrication

  • Changing the dopant concentration to accelerate aging (time bombs)
  • Modifying the dopant polarity
  • Modifying the layout = changing the chip’s functionality
21
Q

HDL Level - Combinational Trigger

A

Activation depends on the occurrence of a particular
condition at certain nodes of the circuit (here A = 0
and B=0)

22
Q

HDL Level - Sequential Trigger

A
  • Activation depends on the occurrence of a specific
    sequence of rare logic values at internal nodes (time bomb)
  • Synchronous k-bit counter which activates when the
    count reaches 2^k − 1
23
Q

HDL Level - Asynchronous Trigger

A

A sequential Trojan independent of the system clock:
- the count is incremented not by the clock, but by a rising
transition at the output of an AND gate with inputs
p and q

24
Q

HDL Level - Hybrid Trigger

A
  • Combination of combinational and sequential Trojans: counts
    of both a synchronous and an asynchronous counter
    simultaneously determine the Trojan trigger condition
  • More complex state machines of different types and sizes can
    be used to generate the trigger condition based on a
    sequence of rare events
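The four HDL-level trigger types on cards 21 to 24, modelled as a cycle-based simulation so the "rare condition" and "time bomb" behaviour can be seen rather than described. This is an added example, not a design from the original deck: the rare condition A = 0 and B = 0, the honest signal S = A xor B, the inverting payload, and the names p and q are all assumptions chosen for illustration.

```python
import random


def rare_condition(a, b):
    """The rare internal condition all triggers below key on (assumed: A = 0 and B = 0,
    a 1-in-4 event under uniformly random A, B)."""
    return a == 0 and b == 0


class CombinationalTrigger:
    """Fires in any cycle in which the rare condition holds; keeps no state."""

    def step(self, a, b, p, q):
        return rare_condition(a, b)


class SynchronousCounterTrigger:
    """k-bit counter clocked by the system clock. It counts cycles in which the
    rare condition holds and fires (and stays fired) once the count reaches
    2**k - 1: a time bomb that no single input vector can set off."""

    def __init__(self, k):
        self.full = 2 ** k - 1
        self.count = 0

    def step(self, a, b, p, q):
        if rare_condition(a, b) and self.count < self.full:
            self.count += 1
        return self.count == self.full


class AsynchronousCounterTrigger:
    """Counter independent of the system clock: incremented by a rising
    (0 -> 1) transition at the output of an AND gate with inputs p and q."""

    def __init__(self, k):
        self.full = 2 ** k - 1
        self.count = 0
        self.prev = 0  # previous output of AND(p, q), for edge detection

    def step(self, a, b, p, q):
        cur = p & q
        if cur == 1 and self.prev == 0 and self.count < self.full:
            self.count += 1
        self.prev = cur
        return self.count == self.full


class HybridTrigger:
    """Both a synchronous and an asynchronous counter must be full."""

    def __init__(self, k_sync, k_async):
        self.sync = SynchronousCounterTrigger(k_sync)
        self.asyn = AsynchronousCounterTrigger(k_async)

    def step(self, a, b, p, q):
        s = self.sync.step(a, b, p, q)  # step both so both counters advance
        t = self.asyn.step(a, b, p, q)
        return s and t


def payload(s, active):
    """Payload: replace the legitimate signal S by S' (assumed here: its inverse)."""
    return s ^ 1 if active else s


def run(trigger, stimulus):
    """Clock the Trojan with a list of (a, b, p, q) input vectors, one per cycle.
    Returns (cycle of first activation or None, list of (S, S') per cycle),
    where S is the assumed honest output A xor B."""
    first = None
    trace = []
    for cycle, (a, b, p, q) in enumerate(stimulus):
        s = a ^ b
        active = trigger.step(a, b, p, q)
        if active and first is None:
            first = cycle
        trace.append((s, payload(s, active)))
    return first, trace


def random_stimulus(cycles, seed=7):
    """Uniformly random input vectors, standing in for random logic testing."""
    rng = random.Random(seed)
    return [tuple(rng.randint(0, 1) for _ in range(4)) for _ in range(cycles)]


if __name__ == "__main__":
    for name, trig in [("combinational", CombinationalTrigger()),
                       ("sync counter k=8", SynchronousCounterTrigger(8)),
                       ("async counter k=8", AsynchronousCounterTrigger(8)),
                       ("hybrid k=4/k=4", HybridTrigger(4, 4))]:
        first, _ = run(trig, random_stimulus(2000))
        print(f"{name:20s} first activation under random test: {first}")
```

Running the script shows why the sequential variants are the stealthy ones: the combinational trigger fires within a handful of random vectors, while the k = 8 counters need 255 rare events (or 255 rising edges on p AND q) before S is ever disturbed, so a short random test sees only the honest S.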
25
Q

HDL Level - Analog Trigger

A

An analog trigger mechanism in which an inserted capacitance is
charged through a resistor while the condition q1 = 1, q2 = 1 holds
and discharged otherwise, so that the logic threshold is crossed only
after a large number of cycles in which the condition holds.
26
Q

Analog Payload

A

- A bridging fault is introduced using an inserted resistor
- The delay of a path is increased by adding capacitive load
27
Q

Analog Trigger

A

Using the chip’s dedicated on-chip temperature sensors to trigger the payload
28
Q

Layout Level - Stealthy Dopant-Level Trojan

A

- Changing the dopant polarity of NMOS and PMOS transistors
- Example: changing the dopant of an inverter so that it always
outputs “1” or “0” independent of its input
- Demonstrated on Intel’s Ivy Bridge RNG design and used to
establish hidden side channels for an AES implementation
29
Q

Layout Level - Diffusion Programmable Device (DPD)

A

Changing the dopant of SRAM cells to force a LUT output to constant values
30
Q

Pre-Silicon Trojan Detection Methods

A

Code-coverage analysis
- Completeness of functional verification; identify suspicious
signals; validate the trustworthiness of third-party IP
- e.g., remove unused circuit paths

Formal verification
- e.g., a formal proof provided by the third-party vendor; the
integrator validates the proof

Logic testing using simulation
- Apply different input patterns to activate the Trojan

Functional analysis using simulation
- Apply random input patterns
- Try to find “nearly-unused logic”
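Functional analysis by simulation, as described on card 30, carried out on a small gate-level netlist: random input patterns are applied, the fraction of patterns in which each internal net is 1 is recorded, and nets that are almost never 1 (or almost never 0) are reported as "nearly-unused logic" for review. This is an added example, not a tool or circuit from the original deck; the netlist (a few honest gates, a NOR/AND trigger tree that fires only when all eight inputs are 0, and an XOR payload), the 0.02 threshold and the pattern count are constructed assumptions.

```python
import random
from itertools import product

# Constructed gate-level netlist: net name -> (gate type, input nets), listed
# in topological order so one pass evaluates it.  "sum" is the honest output;
# "trig" is a Trojan trigger that is 1 only when x0..x7 are all 0 (p = 1/256);
# "sum_out" is the payload, which flips "sum" into S' whenever trig == 1.
NETLIST = {
    "n1":      ("XOR", ["x0", "x1"]),
    "n2":      ("XOR", ["x2", "x3"]),
    "n3":      ("AND", ["x0", "x1"]),
    "n4":      ("OR",  ["n1", "n2"]),
    "sum":     ("XOR", ["n4", "n3"]),
    "t1":      ("NOR", ["x0", "x1"]),    # 1 iff x0 == x1 == 0 (p = 1/4)
    "t2":      ("NOR", ["x2", "x3"]),
    "t3":      ("NOR", ["x4", "x5"]),
    "t4":      ("NOR", ["x6", "x7"]),
    "t5":      ("AND", ["t1", "t2"]),    # p = 1/16
    "t6":      ("AND", ["t3", "t4"]),
    "trig":    ("AND", ["t5", "t6"]),    # p = 1/256: the rare trigger net
    "sum_out": ("XOR", ["sum", "trig"]), # payload: S -> S' when trig fires
}
INPUTS = [f"x{i}" for i in range(8)]


def gate(kind, vals):
    if kind == "AND":
        return int(all(vals))
    if kind == "OR":
        return int(any(vals))
    if kind == "NOR":
        return int(not any(vals))
    if kind == "XOR":
        return sum(vals) % 2
    raise ValueError(f"unknown gate {kind}")


def evaluate(netlist, inputs):
    """Value of every net for one input vector (dict name -> 0/1)."""
    nets = dict(inputs)
    for name, (kind, srcs) in netlist.items():
        nets[name] = gate(kind, [nets[s] for s in srcs])
    return nets


def signal_probabilities(netlist, input_names, patterns, seed=1):
    """Functional analysis by simulation: apply `patterns` random input vectors
    and return, per internal net, the fraction of vectors in which it was 1."""
    rng = random.Random(seed)
    ones = {n: 0 for n in netlist}
    for _ in range(patterns):
        vec = {x: rng.randint(0, 1) for x in input_names}
        nets = evaluate(netlist, vec)
        for n in netlist:
            ones[n] += nets[n]
    return {n: ones[n] / patterns for n in netlist}


def exhaustive_probabilities(netlist, input_names):
    """Exact signal probabilities by enumerating all 2**n input vectors; only
    feasible for a tiny cone like this one, which is why real analyses sample."""
    ones = {n: 0 for n in netlist}
    total = 0
    for bits in product((0, 1), repeat=len(input_names)):
        nets = evaluate(netlist, dict(zip(input_names, bits)))
        for n in netlist:
            ones[n] += nets[n]
        total += 1
    return {n: ones[n] / total for n in netlist}


def nearly_unused(probs, threshold=0.02):
    """Nets that are almost never 1 (or almost never 0) under random stimulus:
    candidates for a Trojan trigger, or for dead logic, that need manual review."""
    return sorted(n for n, p in probs.items() if p < threshold or p > 1 - threshold)


if __name__ == "__main__":
    probs = signal_probabilities(NETLIST, INPUTS, patterns=20000)
    for n, p in probs.items():
        print(f"{n:8s} P(1) = {p:.4f}")
    print("nearly-unused nets:", nearly_unused(probs))
```

The honest nets settle near 0.25 to 0.75 while "trig" sits near 0.004, so it is the only net flagged. The caveat from the same card applies: a threshold this loose misses a trigger built from a longer rare sequence (the sequential counters on earlier cards), and a net flagged here may simply be legitimately rare logic, so the output is a review list, not a verdict.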
31
Q

Destructive Post-Silicon Trojan Detection

A

Use reverse engineering: depackage the IC and take images of each
layer of the chip » reconstruct the design and validate it
- Using a scanning electron microscope, compare against a golden chip
- Comparing optical images of different chips with the layout reveals
any additional wires and transistors
- Advantage:
  - Can find inactive Trojans
- Disadvantages:
  - Expensive and time consuming
  - The hardware becomes unusable
  - Needs a golden chip
Use reverse-engineering to depackage the IC and get images of each layer of the chip r >> Reconstruct the design and do validation - Using Scanning Electron Microscope with a golden chip - Comparing optical images of different chips with layout reveal “the” additional wires and transistors - Advantage: - Can find inactive trojans - Disadvantage: - Expensive and time consuming - Hardware gets unusable - Need golden chip