efficient control flow subgraph matching for detecting
play

Efficient Control-Flow Subgraph Matching for Detecting Hardware - PowerPoint PPT Presentation

Jun 07, 2023 •220 likes •840 views

ACM/IEEE CODES + ISSS 2017, Seoul, South Korea Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models L. Piccolboni 1,2 , A. Menon 2 , and G. Pravadelli 2 1 Columbia University, New York, NY, USA 2 University of

  1. ACM/IEEE CODES + ISSS 2017, Seoul, South Korea Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models L. Piccolboni 1,2 , A. Menon 2 , and G. Pravadelli 2 1 Columbia University, New York, NY, USA 2 University of Verona, Verona, Italy

  2. Hardware Trojans • A Hardware Trojan is defined as a malicious and intentional alteration of an integrated circuit that results in undesired behaviors Hardware Trojan Trigger Logic Payload Logic activates the malicious behavior implements the actual under specific conditions malicious behavior ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 1 / 21

  3. Hardware Trojans Limitations in Current Methodologies • Several methodologies have been proposed to detect Trojans at Register-Transfer Level (RTL) • Nevertheless, there are still some limitations: 1. Manual effort from designers is required 2. They focus on a specific type of threat, e.g., a particular payload or a trigger ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 2 / 21

  4. Contributions • We propose a verification approach based on a Control-Flow Subgraph Matching Algorithm RTL Verilog/VHDL RTL Verilog/VHDL 1 Design Under Hardware Hardware Verification Trojan Trojan (DUV) Library Report 2 3 Extraction Algorithm Detection Algorithm • Get Control-Flow Graphs • Search instances of the (CFGs) from DUV and HTs Trojan CFGs in the DUV ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 3 / 21

  5. Background Control-Flow Graphs (CFGs) • We build a CFG for each process of the DUV/HT • basic block (node) = it is a sequence b of instructions without any branch • edge = connects the block b 1 with b 2 if the block b 1 can be executed after b 2 in at least one DUV/HT executions ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 4 / 21

  6. Background Control-Flow Graphs (CFGs) • We build a CFG for each process of the DUV/HT first basic block of the process s 1 b 2 b 3 b 4 b 5 last basic block of the process e 1 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 4 / 21

  7. Background Control-Flow Graphs (CFGs) • We build a CFG for each process of the DUV/HT Branch rule: s 1 • left if true b 2 b 3 • right if false b 4 b 5 e 1 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 4 / 21

  8. Background Control-Flow Graphs (CFGs) • We build a CFG for each process of the DUV/HT if (reset) a = 1 s 1 if (c == 1) b = 0 code associated b 2 b 3 with the basic b 4 b 5 blocks a++ a = 1 b = 0 b++ e 1 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 4 / 21

  9. Hardware Trojan Library RTL Verilog/VHDL RTL Verilog/VHDL 1 Design Under Hardware Hardware Verification Trojan Trojan (DUV) Library Report Extraction Algorithm Detection Algorithm • Get Control-Flow Graphs • Search instances of the (CFGs) from DUV and HTs Trojan CFGs in the DUV ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 5 / 21

  10. Hardware Trojan Library • We defined a Hardware Trojan (HT) Library that includes the RTL implementations of known HT triggers and their camouflaged variants ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 5 / 21

  11. Hardware Trojan Library Trigger #1: Cheat Codes • A cheat code is a value (or sequence of values) that triggers the payload when observed in a register if (reset) trigger = s 2 s 1 v 1 & v 2 if (c 1 ) b 2 b 3 if (c 2 & v 1 ) b 1 v 1 = 0 v 2 = 0 b 4 b 5 e 1 v 1 = 1 b 6 b 7 v 2 = 1 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 6 / 21

  12. Hardware Trojan Library Trigger #2: Dead Machines • A dead machine code triggers the payload when specific state-based conditions are satisfied trigger = 1 if (reset) if (cond) s 2 s 1 b 2 b 3 b 4 b 1 reset vars b 4 b 5 e 1 case 1 b 7 b 6 case 2 case 3 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 7 / 21

  13. Hardware Trojan Library Trigger #3: Ticking Timebombs • A ticking timebomb triggers the payload when a certain number of clock cycles has been passed if (reset) ++cnt if (reset) s 2 s 1 if (cnt == N) b 3 b 4 b 1 b 2 b 5 b 6 cnt = 0 e 1 trigger = 1 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 8 / 21

  14. Hardware Trojan Library Handling Camouflaged Variants • We need an automatic way to extend such basic implementations to find camouflaged variants ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

  15. Hardware Trojan Library Handling Camouflaged Variants • We need an automatic way to extend such basic implementations to find camouflaged variants trigger = if (reset) Extension directives: v 1 & v 2 s 2 s 1 1. parametrizable 1 if (c 1 ) b 2 b 3 if (c 2 & v 1 ) b 1 v 1 = 0 v 2 = 0 b 4 b 5 e 1 v 1 = 1 b 6 b 7 v 2 = 1 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

  16. Hardware Trojan Library Handling Camouflaged Variants • We need an automatic way to extend such basic implementations to find camouflaged variants trigger = if (reset) Extension directives: v 1 & v 2 s 2 s 1 1. parametrizable 1 if (c 1 ) 2. bound-number 10 b 2 b 3 if (c 2 & v 1 ) b 1 v 1 = 0 v 2 = 0 b 4 b 5 e 1 v 1 = 1 b 6 b 7 v 2 = 1 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

  17. Hardware Trojan Library Handling Camouflaged Variants • We need an automatic way to extend such basic implementations to find camouflaged variants trigger = if (reset) Extension directives: v 1 & v 2 s 2 s 1 1. parametrizable 1 if (c 1 ) 2. bound-number 10 b 2 b 3 3. add-basic-blocks 2 if (c 2 & v 1 ) b 1 v 1 = 0 v 2 = 0 b 4 b 5 e 1 v 1 = 1 b 6 b 7 v 2 = 1 b 8 b 9 $2 $1 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

  18. Hardware Trojan Library Handling Camouflaged Variants • We need an automatic way to extend such basic implementations to find camouflaged variants trigger = if (reset) Extension directives: v 1 & v 2 s 2 s 1 1. parametrizable 1 if (c 1 ) 2. bound-number 10 b 2 b 3 3. add-basic-blocks 2 if (c 2 & v 1 ) b 1 v 1 = 0 4. add-edge (b 7 , $1) v 2 = 0 b 4 b 5 e 1 v 1 = 1 b 6 b 7 v 2 = 1 b 8 b 9 $2 $1 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

  19. Hardware Trojan Library Handling Camouflaged Variants • We need an automatic way to extend such basic implementations to find camouflaged variants trigger = if (reset) Extension directives: v 1 & v 2 s 2 s 1 1. parametrizable 1 if (c 1 ) 2. bound-number 10 b 2 b 3 3. add-basic-blocks 2 if (c 2 & v 1 ) b 1 v 1 = 0 4. add-edge (b 7 , $1) v 2 = 0 b 4 b 5 5. add-edge (b 7 , $2) e 1 6. add-edge ($1, e 2 ) v 1 = 1 b 6 b 7 7. add-edge ($2, e 2 ) v 2 = 1 b 8 b 9 $2 $1 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

  20. Hardware Trojan Library Handling Camouflaged Variants • We need an automatic way to extend such basic implementations to find camouflaged variants trigger = if (reset) Extension directives: v 1 & v 2 s 2 s 1 1. parametrizable 1 if (c 1 ) 2. bound-number 10 b 2 b 3 3. add-basic-blocks 2 if (c 2 & v 1 ) b 1 v 1 = 0 4. add-edge (b 7 , $1) v 2 = 0 b 4 b 5 5. add-edge (b 7 , $2) e 1 6. add-edge ($1, e 2 ) v 1 = 1 b 6 b 7 7. add-edge ($2, e 2 ) 8. drop-edge (b 7 , e 2 ) v 2 = 1 b 8 b 9 $2 $1 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

  21. Hardware Trojan Library Handling Camouflaged Variants • We need an automatic way to extend such basic implementations to find camouflaged variants trigger = if (reset) Extension directives: v 1 & v 2 s 2 s 1 1. parametrizable 1 if (c 1 ) 2. bound-number 10 b 2 b 3 3. add-basic-blocks 2 if (c 2 & v 1 ) b 1 v 1 = 0 4. add-edge (b 7 , $1) v 2 = 0 b 4 b 5 source 5. add-edge (b 7 , $2) e 1 6. add-edge ($1, e 2 ) v 1 = 1 b 6 b 7 7. add-edge ($2, e 2 ) 8. drop-edge (b 7 , e 2 ) v 2 = 1 b 8 b 9 $2 $1 9. old-source-block b 7 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

  22. Hardware Trojan Library Handling Camouflaged Variants • We need an automatic way to extend such basic implementations to find camouflaged variants trigger = if (reset) Extension directives: v 1 & v 2 s 2 s 1 1. parametrizable 1 if (c 1 ) 2. bound-number 10 b 2 b 3 3. add-basic-blocks 2 if (c 2 & v 1 ) b 1 v 1 = 0 4. add-edge (b 7 , $1) v 2 = 0 b 4 b 5 5. add-edge (b 7 , $2) source e 1 6. add-edge ($1, e 2 ) v 1 = 1 b 6 b 7 7. add-edge ($2, e 2 ) 8. drop-edge (b 7 , e 2 ) v 2 = 1 b 8 b 9 $2 $1 9. old-source-block b 7 10. up-source-block $2 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

  23. Hardware Trojan Library Pros and Cons • We defined a Hardware Trojan (HT) Library that includes the RTL implementations of known HT triggers and their camouflaged variants Pros Cons • Unique verification approach • Unique verification approach • Easy to extend the approach • Need of the implementations for new hardware Trojans of the hardware Trojans • Easy to customize the library • Only the hardware Trojans in to the needs of the user the library or their variations can be detected ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 10 / 21

  24. Hardware Trojan Detection Extraction Algorithm RTL Verilog/VHDL RTL Verilog/VHDL Design Under Hardware Hardware Verification Trojan Trojan (DUV) Library Report 2 Extraction Algorithm Detection Algorithm • Get Control-Flow Graphs • Search instances of the (CFGs) from DUV and HTs Trojan CFGs in the DUV ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 11 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Detecting Self-Mutating Malware Using Control-Flow Graph Matching Danilo Bruschi Lorenzo

Detecting Self-Mutating Malware Using Control-Flow Graph Matching Danilo Bruschi Lorenzo

Detecting Self-Mutating Malware Using Control-Flow Graph Matching Danilo Bruschi Lorenzo Martignoni Mattia Monga Dipartimento di Informatica e Comunicazione Universit` a degli Studi di Milano { bruschi,martign,monga } @dico.unimi.it

356 views • 23 slides
eventlet eventlet coroutines flexible efficient control flow greenlet non-blocking i/o

eventlet eventlet coroutines flexible efficient control flow greenlet non-blocking i/o

eventlet eventlet coroutines flexible efficient control flow greenlet non-blocking i/o efficient network i/o select/poll/epoll threads switch between async and sync queues/pipes coroutines main subroutine: subroutine(1, 2)

487 views • 23 slides
Towards a Type System for Detecting Never-Matching Pointcut Compositions Tomoyuki Aotani

Towards a Type System for Detecting Never-Matching Pointcut Compositions Tomoyuki Aotani

Towards a Type System for Detecting Never-Matching Pointcut Compositions Tomoyuki Aotani Hidehiko Masuhara Programming Principles and Practices Group University of Tokyo 1 Never-matching pointcut Dont match any join point in any program

550 views • 20 slides
CS 401 Max Flow / Bipartite Matching Xiaorui Sun 1 Flow network Flow network. G = (V, E) =

CS 401 Max Flow / Bipartite Matching Xiaorui Sun 1 Flow network Flow network. G = (V, E) =

CS 401 Max Flow / Bipartite Matching Xiaorui Sun 1 Flow network Flow network. G = (V, E) = directed graph, no parallel edges. Two distinguished nodes: s = source, t = sink. c(e) = capacity of edge e. 9 2 5 10 15 15 10 4 source 5

1.01k views • 21 slides
1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

1 What Is Control-Flow Analysis? Loop Concepts Control-flow analysis discovers the flow of

Control-Flow Analysis and Loop Detection Context Last time Data-flow Speeding up data-flow analysis Flow of data values from defs to uses Could alternatively be represented as a data dependence Today Control-flow analysis

516 views • 5 slides
Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification

Flow and Congestion Control CS 218 F2003 Oct 29, 03 Flow control goals Classification and overview of main techniques TCP Tahoe, Reno, Vegas TCP Westwood Readings: (1) Keshavs book Chapter on Flow Control; (2)

374 views • 22 slides
Control flow Conditionals and Control Flow l A conditional branch

Control flow Conditionals and Control Flow l A conditional branch

10/2/15 Control flow Conditionals and Control Flow l A conditional branch is sufficient to implement most control Condition codes flow constructs offered in higher

356 views • 12 slides
1 Why Why flow flow control? control? sender

1 Why Why flow flow control? control? sender

Lecture 7. Lecture 7. TCP mechanisms for: TCP mechanisms for: data transfer control / flow control error control congestion control Graphical examples (applet java) of several algorithms at:

589 views • 13 slides
Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of

Flow of Control Flow of Control Recitation 09/(11,12)/2008 CS 180 CS 180 Department of Computer Science, Purdue University Project 2 j Now posted on the class webpage. Due Wed, Sept. 17 at 10 pm. Start early All

663 views • 22 slides
V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which

V3 1/3/2015 Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control

310 views • 12 slides
Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are

Programming in C 1 Flow of Control Flow of control The order in which statements are executed Transfer of control When the next statement executed is not the next one in sequence 2 Flow of Control Control structures

540 views • 34 slides
Efficient Densest Subgraph Computation in Evolving Graphs Alessandro Epasto Joint work with

Efficient Densest Subgraph Computation in Evolving Graphs Alessandro Epasto Joint work with

Efficient Densest Subgraph Computation in Evolving Graphs Alessandro Epasto Joint work with Silvio Lattanzi (Google Research, NY) and Mauro Sozio (Tlcom ParisTech) Social Networks are Constantly Evolving Brutus Julius Social Networks are

724 views • 57 slides
Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow

Exceptional Control Flow: Hardware support for reacting to the rest of the world. Control Flow Processor: read instruction, execute it, go to next instruction, repeat Physical control flow Explicit changes: Jumps (conditional, unconditional)

428 views • 8 slides
ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

ex 1. compare and test : conditions Aside: save conditions b,a computes a - b , sets flags,

Conditionals and Control Flow Two key pieces 1. Comparisons and tests: check conditions 2. Transfer control: choose next instruction Control flow Processor Control-Flow State Familiar C constructs Condition codes (a.k.a. flags ) if else l

191 views • 8 slides
Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow

Control Structures Lecture 4 COP 3014 Fall 2020 September 10, 2020 Control Flow Control flow refers to the specification of the order in which the individual statements, instructions or function calls of an imperative program are executed or

333 views • 19 slides
Mini Max-Flow Unit Part 2: Flow with Demands, Cool Reductions, Bipartite Matching, and Konigs

Mini Max-Flow Unit Part 2: Flow with Demands, Cool Reductions, Bipartite Matching, and Konigs

Mini Max-Flow Unit Part 2: Flow with Demands, Cool Reductions, Bipartite Matching, and Konigs Theorem Lucca Siaudzionis and Jack Spalding-Jamieson 2020/02/04 University of British Columbia Announcements Presentations are due tomorrow .

898 views • 61 slides
CMSC 451: Max-Flow Extensions Slides By: Carl Kingsford Department of Computer Science

CMSC 451: Max-Flow Extensions Slides By: Carl Kingsford Department of Computer Science

CMSC 451: Max-Flow Extensions Slides By: Carl Kingsford Department of Computer Science University of Maryland, College Park Based on Section 7.7 of Algorithm Design by Kleinberg & Tardos. Circulations with Demands Suppose we have

339 views • 17 slides
Particle Flow Bayes Rule Xinshi Chen 1* , Hanjun Dai 1* , Le Song 1,2 1 Georgia Tech, 2

Particle Flow Bayes Rule Xinshi Chen 1* , Hanjun Dai 1* , Le Song 1,2 1 Georgia Tech, 2

Particle Flow Bayes Rule Xinshi Chen 1* , Hanjun Dai 1* , Le Song 1,2 1 Georgia Tech, 2 Ant Financial (*equal contribution) ICML 2019 Sequential Bayesian Inference 1. Prior distribution () # $ %

237 views • 10 slides
Conflicting Family Values in Mutual Fund Families (Q-Group Spring 2011 Presentation) Utpal

Conflicting Family Values in Mutual Fund Families (Q-Group Spring 2011 Presentation) Utpal

Conflicting Family Values in Mutual Fund Families (Q-Group Spring 2011 Presentation) Utpal Bhattacharya Jung Hoon Lee Veronika Krepely Pool Motivation Fund Families With Equity Funds (683 in 2007 ) . . . . Equity Funds Active Equity

628 views • 29 slides
Modeling Per-flow Throughput and Capturing Starvation in CSMA Multi-hop Wireless Networks

Modeling Per-flow Throughput and Capturing Starvation in CSMA Multi-hop Wireless Networks

Modeling Per-flow Throughput and Capturing Starvation in CSMA Multi-hop Wireless Networks Michele Garetto Theodoros Salonidis Edward W. Knightly Rice Networks Group http://www.ece.rice.edu/networks Modeling Per-flow Throughput and Capturing

697 views • 28 slides
JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99)

JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99)

JFlow: Practical Mostly- Static Information Flow Control By Andrew C. Myers (POPL 99) Presented by Daryl Zuniga Overview Information-flow: what and why JFlow: Intro JFlow: How it works JFlow: Characteristics and limitations

810 views • 53 slides
Residual Flows for Invertible Generative Modeling Ricky T. Q. Chen, Jens Behrmann, David

Residual Flows for Invertible Generative Modeling Ricky T. Q. Chen, Jens Behrmann, David

Residual Flows for Invertible Generative Modeling Ricky T. Q. Chen, Jens Behrmann, David Duvenaud, Jrn-Henrik Jacobsen Invertible Residual Networks (i-ResNet) It can be shown that residual blocks can be inverted by fixed-point iteration and

442 views • 16 slides
Network flow Definition: A flow network is a directed graph G = (V,E) with two nodes s and t, and

Network flow Definition: A flow network is a directed graph G = (V,E) with two nodes s and t, and

Network flow Definition: A flow network is a directed graph G = (V,E) with two nodes s and t, and a function c(u,v) 0 on each directed edge (u,v) s is called the source t is called the sink c: ER + is called the capacity

1.16k views • 79 slides
Optical Flow: Constant Flow Computer Vision 16-385 Carnegie Mellon University (Kris Kitani)

Optical Flow: Constant Flow Computer Vision 16-385 Carnegie Mellon University (Kris Kitani)

Optical Flow: Constant Flow Computer Vision 16-385 Carnegie Mellon University (Kris Kitani) Optical Flow (a.k.a., Video Stabilization, Tracking, Stereo Matching, Registration) Given a pair of images { I t , I t +1 } Estimate the optical flow

293 views • 27 slides

More recommend