host hardware trojans i ece 525 hardware trojans ht what
play

HOST Hardware Trojans I ECE 525 Hardware Trojans (HT) What is a - PowerPoint PPT Presentation

Mar 09, 2023 •155 likes •394 views

HOST Hardware Trojans I ECE 525 Hardware Trojans (HT) What is a hardware Trojan? A deliberate and malicious change to an IC that adds or removes functionality or reduces reliability The modifications may be designed to leak sensitive

  1. HOST Hardware Trojans I ECE 525 Hardware Trojans (HT) What is a hardware Trojan? A deliberate and malicious change to an IC that adds or removes functionality or reduces reliability • The modifications may be designed to leak sensitive information, personal or corpo- rate • The modifications may be designed to cause a system to fail at a critical time while operating in mission mode • The modification may be designed to reduce the reliability of the IC What makes this a challenging problem? Adversary makes purposeful discovery highly improbable & physical inspection is very expensive ECE UNM 1 (3/26/18)

  2. HOST Hardware Trojans I ECE 525 HT Example Missile control system Assume a chip receives encrypted commands from an RF channel and stores the value in a register for subsequent decryption Wire in original 31 A design Inserted gate To HT detonator B activation 32-bit register wire Missile Chip HT gates and wires 0 Decryption Engine Adversary transmits "code" that causes activation - missile detonates before reaching its target ECE UNM 2 (3/26/18)

  3. HOST Hardware Trojans I ECE 525 HT Example Adversary may try a ’stealthier’ strategy, e.g., a ’monolithic NAND gate 31 Wire in original design Inserted gate To 32-bit register detonator Trojan activation wire 32-input NAND gate Trojan transistors, 0 gates and wires Many other implementations are possible, e.g. pass-gate versions, some better than others at minimizing power supply anomalies ECE UNM 3 (3/26/18)

  4. HOST Hardware Trojans I ECE 525 Insertion Points The horizontal dissemination of the IC design, fabrication and test processes to many distinct companies has dramatically increased the potential for malicious activities • Designing third party IP blocks • Developing CAD tool scripts • Integration activities where IP blocks and glue logic are assembled into SoCs • Behavioral synthesis and place and route (PnR) carried out by CAD tools • Layout mask data generation and mask preparation • Process parameter control mechanisms used in the multi-step fabrication process • Supply chain transactions associated with transferring wafers between facilities ECE UNM 4 (3/26/18)

  5. HOST Hardware Trojans I ECE 525 Insertion Points • Generating test vectors using automatic test pattern generation (ATPG) • Wafer-probing activities for measuring test structures and detecting defects • Supply chain transactions associated with creating and transferring dice • Processes responsible for packaging ICs • Applying ATPG vectors to packaged ICs using ATE • Supply chain transactions associated with transferring packaged parts • Printed circuit board (PCB) design and fabrication • Processes responsible for installing PCB components (populating PCBs) • System integration and deployment activities ECE UNM 5 (3/26/18)

  6. HOST Hardware Trojans I ECE 525 Insertion Points The wide range and widely distributed nature of these activities presents an over- whelming opportunity for subversion Moreover, the diversity among the tasks will require a very sophisticated and com- plex system to manage the entire set of trust vulnerabilities from start to finish The research community is tackling these trust challenges one-at-a-time, focusing on those that are the most attractive insertion points for adversaries • Subversion of IP blocks is a serious concern given the ease in which malicious functionalities can be covertly inserted Moreover, the absence of alternate representations and models for comparison compounds the challenge • Layout modifications and IC fabrication insertion points represent another important focus area Challenges here include the huge complexity associated with analyzing fabri- cated ICs and the wide range of opportunities available to the adversary ECE UNM 6 (3/26/18)

  7. HOST Hardware Trojans I ECE 525 HT Scenarios: Soft-IP Trojans Adversary can compromise soft-IP by inserting extra, hidden functionality into the netlist Implications • No golden model is available • Every IC has the HT Detection strategies include • Formal verification methods Prove that the functionality of the IP is equivalent to some higher-level, more abstract ’trusted’ specification Unfortunately, formal verification is only applicable to small circuits, i.e., com- ponents of the design There has been a lot of recent work in this area that offers alternative solutions, e.g., circuit obfuscation techniques, which we will cover later in this course ECE UNM 7 (3/26/18)

  8. HOST Hardware Trojans I ECE 525 HT Scenarios: Hard- and Soft-IP Trojans • Monitoring the IC using a ’trusted companion IC’ Trusted companion IC has access to the internal state of the untrusted IC through extra pins/scan chain Trusted companion IC is ’programmed’ such that it knows the legal state space of the untrusted IC, and sets off an alarm and/or shuts down the IC if violated This technique can also be used for GDS-based HT High security applications would likely use only IP developed in-house or from trusted sources Hard-IP Trojans The insertion point here is the layout (GDS) We mentioned earlier that several modifications are possible, e.g., those designed to 1) disable/destroy, 2) to leak information and 3) decrease reliability ECE UNM 8 (3/26/18)

  9. HOST Hardware Trojans I ECE 525 HT Scenarios: Hard-IP Trojans Changes to the IC’s function can be implemented by • Using existing ’white-space’ (places in the layout where there are no transistors or where there is a by-pass capacitor) • ’Nudging’ gates to make space for the HT gates In case you were thinking about adding some type of verifiable white space filler to prevent the first case from occurring Modifications designed to reduce reliability can be implemented by thinning wires to accelerate EM effects, by manipulating doping concentrations, etc. I would like to argue that when direct control is needed by the adversary, then func- tional modifications (the first type) are more attractive Why do you think this might be the case? Let’s consider another HT parameter, the size of the HT HT can be very small and be effective, e.g., only a couple/three gates For HT designed to change functionality, small HT are risky - why? ECE UNM 9 (3/26/18)

  10. HOST Hardware Trojans I ECE 525 HT Scenarios: Hard-IP Trojans Therefore, I argue that HT designed to change functionality, e.g., disable, enable remote control, are likely to be larger, 10’s to 100’s of gates to prevent discovery Unfortunately, the same is not true for information leakage HT Since they do not, at least in an obvious way, change functionality, they can be very small and remain secure against detection Information leakage HT can ’leak’ information in ways that are not easily detected • By broadcasting data as EM radiation using a portion of the power grid • By inserting data into a communication channel, that appears as error bits to a valid receiver • By inserting data into a communication channel at a higher frequency, e.g., baud rate, than the valid receiver is expecting Lot’s of strategies have been proposed -- all of them difficult to detect and in many cases, requiring non-traditional testing methods ECE UNM 10 (3/26/18)

  11. HOST Hardware Trojans I ECE 525 HT Scenarios: Hard-IP Trojans Unlike manufacturing defects, you only need to detect ONE HT to yield success! For example, if a layout-based HT is inserted in EVERY copy of a manufactured IC, then alternative test strategies that use MUCH larger test sets can be used Unfortunately, layout-based HT can be inserted in only a subset of the ICs (unlike soft-IP Trojans which are, by definition, in every copy) This makes it more difficult to develop methods to detect them Whether the HT is selectively inserted or inserted into every copy depends on the application I argue that functionally disruptive HT, like the missile HT, are likely to be inserted into every copy of an IC -- why? I also argue that information leakage HT do not need to be inserted into every copy of the IC to be useful -- why? ECE UNM 11 (3/26/18)

  12. HOST Hardware Trojans I ECE 525 Important Considerations Note that significant differences exist in the HT countermeasures and detection strat- egies that are applicable This is true even when only considering only the Soft-IP and Hard-IP insertion points discussed above For example, golden models are not available at the soft-IP block insertion point, but architectural changes that obfuscate the design are available as countermeasures In contrast, the Hard-IP insertion point allows layout design data to be used to vali- date the functional and analog behaviors of the IC But obfuscation is limited to ‘dummy via’ insertion and other nano-level manip- ulations of the design Also, side channel information is not available or is not accurate enough to be useful for soft-IP blocks but is very powerful for layout-level HT detection ECE UNM 12 (3/26/18)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Detecting Hardware Trojans: A Tale of Two Techniques Sharad Malik sharad@princeton.edu FMCAD

Detecting Hardware Trojans: A Tale of Two Techniques Sharad Malik sharad@princeton.edu FMCAD

Detecting Hardware Trojans: A Tale of Two Techniques Sharad Malik sharad@princeton.edu FMCAD 2015 Hardware Security and Hardware Trojans User apps Each layer trusts all layers below it Kernel Hypervisor More privilege Widely

706 views • 49 slides
Hardware Trojans: A Threat for CyberSecurity Julien Francq julien.francq@cassidian.com

Hardware Trojans: A Threat for CyberSecurity Julien Francq julien.francq@cassidian.com

Hardware Trojans: A Threat for CyberSecurity Julien Francq julien.francq@cassidian.com Cassidian CyberSecurity 2013, July the 8th Introduction to Hardware Trojans Hardware Trojan Taxonomy HT Detection Methods Design for Hardware Trust

1.57k views • 74 slides
HOST Hardware Trojans III ECE 525 Seminal Trojan Detection Method D. Agrawal, S. Baktir, D.

HOST Hardware Trojans III ECE 525 Seminal Trojan Detection Method D. Agrawal, S. Baktir, D.

HOST Hardware Trojans III ECE 525 Seminal Trojan Detection Method D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, B. Sunar, Trojan Detection using IC Fingerprinting, Symposium on Security and Privacy, 2007, pp. 296 - 310 They use noise

543 views • 37 slides
How to Attack the IoT with Hardware Trojans Janet Lackey under CC license hardwear.io Den Haag,

How to Attack the IoT with Hardware Trojans Janet Lackey under CC license hardwear.io Den Haag,

How to Attack the IoT with Hardware Trojans Janet Lackey under CC license hardwear.io Den Haag, September 22, 2017 Christof Paar Ruhr Universitt Bochum & University of Massachusetts Amherst Acknowledgement Georg Becker Pawel

616 views • 40 slides
Why We Should Be Worried about Hardware Trojans Janet Lackey under CC license The Summer Research

Why We Should Be Worried about Hardware Trojans Janet Lackey under CC license The Summer Research

Why We Should Be Worried about Hardware Trojans Janet Lackey under CC license The Summer Research Institute 2018 EPFL, June 18, 2018 Christof Paar Ruhr Universitt Bochum & University of Massachusetts Amherst Acknowledgement Georg Becker

449 views • 40 slides
How to Attack the IoT with Hardware Trojans Janet Lackey under CC license CROSSING Conference

How to Attack the IoT with Hardware Trojans Janet Lackey under CC license CROSSING Conference

16.05.2017 How to Attack the IoT with Hardware Trojans Janet Lackey under CC license CROSSING Conference Darmstadt, May 16, 2017 Christof Paar Ruhr Universitt Bochum Acknowledgement Georg Becker Pawel Swierczynski Marc Fyrbiak 1

593 views • 20 slides
Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models L.

Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models L.

ACM/IEEE CODES + ISSS 2017, Seoul, South Korea Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models L. Piccolboni 1,2 , A. Menon 2 , and G. Pravadelli 2 1 Columbia University, New York, NY, USA 2 University of

840 views • 60 slides
Toward threat estimation of system memory Hardware Trojans John Shield, Brad Hopkins, Chris North

Toward threat estimation of system memory Hardware Trojans John Shield, Brad Hopkins, Chris North

UNCLASSIFIED Toward threat estimation of system memory Hardware Trojans John Shield, Brad Hopkins, Chris North Redefining R&D Needs for Australian Cyber Security UNSW ACCS at ADFA, November 16 th 2015 1 UNCLASSIFIED The Australian

411 views • 9 slides
HOST Introduction ECE 525 Hardware-Oriented Security and Trust (HOST) Instructor: Prof. Jim

HOST Introduction ECE 525 Hardware-Oriented Security and Trust (HOST) Instructor: Prof. Jim

HOST Introduction ECE 525 Hardware-Oriented Security and Trust (HOST) Instructor: Prof. Jim Plusquellic Text: The Hardware Trojan War: Attacks, Myths, and Defenses, Chapter 10, J. Plusquellic and F. Saqib, "Detecting Hardware

293 views • 6 slides
DISTROY: Detec-ng IC Trojans with Compressive Measurements

DISTROY: Detec-ng IC Trojans with Compressive Measurements

DISTROY: Detec-ng IC Trojans with Compressive Measurements Youngjune Gwon, H. T. Kung, and Dario Vlah Harvard University August 9, 2011 Understanding

415 views • 17 slides
Malware Reading Material Ken Thompson and Trojans

Malware Reading Material Ken Thompson and Trojans

Malware Reading Material Ken Thompson and Trojans h6p://www.ece.cmu.edu/~ganger/712.fall02/ papers/p761-thompson.pdf Worm Anatomy and Model

1.65k views • 130 slides
HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from "Hardware Protection

HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from "Hardware Protection

HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from "Hardware Protection thr Obfuscation) Circuit modification techniques designed to conceal or lock the functionality and/or circuit structure The modifications are designed

157 views • 11 slides
We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud

We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud

We know what you did this summer Android Banking Trojans Exposing Its Sins in The Cloud Siegfried Rasthofer (TU Darmstadt / CASED) Eric Bodden (TU Darmstadt / Fraunhofer SIT) Carlos Castillo (Intel Security) Alex Hinchliffe (Intel

510 views • 39 slides
Formal verification of low-level execution platforms Apps OS Hardware Host 1 Motivations

Formal verification of low-level execution platforms Apps OS Hardware Host 1 Motivations

Roberto Guanciale Estonian Winter School Day 02 Formal verification of low-level execution platforms Apps OS Hardware Host 1 Motivations Apps Crypto Service OS Hypervisor/ Separation Kernel Hardware Host 1 Motivations Separation

850 views • 63 slides
VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to

VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to

The Business of Making Strategies for Success from Startup to Exit Hardware and Robotic Startup Accelerator what hardware used to be . VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to Entry Open

604 views • 32 slides
Rootkits and Trojans on your SAP Landscape Ertunga Arsal Chaos Communication Congress 2010 1

Rootkits and Trojans on your SAP Landscape Ertunga Arsal Chaos Communication Congress 2010 1

Rootkits and Trojans on your SAP Landscape Ertunga Arsal Chaos Communication Congress 2010 1 Agenda Introduc.on to Enterprise Security SAP * Applica.ons in General BASIS (SAP infrastructure)

1.69k views • 43 slides
bnlearn Learning Bayesian Networks 10 Years Later Marco Scutari scutari@stats.ox.ac.uk

bnlearn Learning Bayesian Networks 10 Years Later Marco Scutari scutari@stats.ox.ac.uk

bnlearn Learning Bayesian Networks 10 Years Later Marco Scutari scutari@stats.ox.ac.uk Department of Statistics University of Oxford September 19, 2017 bnlearn , an R package for Bayesian networks bnlearn aspires to provide a free-software

681 views • 23 slides
VHDL Testbench Design Textbook chapters 2.19, 4.10-4.12, 9.5 The Test Bench Concept Elements of

VHDL Testbench Design Textbook chapters 2.19, 4.10-4.12, 9.5 The Test Bench Concept Elements of

VHDL Testbench Design Textbook chapters 2.19, 4.10-4.12, 9.5 The Test Bench Concept Elements of a VHDL/Verilog testbench Unit Under Test (UUT) or Device Under Test (DUT) instantiate one or more UUTs Stimulus of UUT inputs

882 views • 22 slides
Lecture 13: A,en.on Jus$n Johnson October 23, 2019 Lecture 13 - 1 Midterm Grades will be out

Lecture 13: A,en.on Jus$n Johnson October 23, 2019 Lecture 13 - 1 Midterm Grades will be out

Lecture 13: A,en.on Jus$n Johnson October 23, 2019 Lecture 13 - 1 Midterm Grades will be out in ~1 week Please do not discuss midterm ques$ons on Piazza Someone leD a waterboEle in exam room Post on Piazza if it is yours Jus$n Johnson

1.21k views • 106 slides
Computational Learning Theory - HT 2018 formerly Advanced Machine Learning (HT 2017) Introduction

Computational Learning Theory - HT 2018 formerly Advanced Machine Learning (HT 2017) Introduction

Computational Learning Theory - HT 2018 formerly Advanced Machine Learning (HT 2017) Introduction and Course Details Varun Kanade University of Oxford January 15, 2018 What is Machine Learning? 200-basic level categories Here: Six

466 views • 18 slides
On the Formal Generation of Process Redesigns Mariska Netjes Hajo A. Reijers Wil M.P. van der

On the Formal Generation of Process Redesigns Mariska Netjes Hajo A. Reijers Wil M.P. van der

MDE4BPM On the Formal Generation of Process Redesigns Mariska Netjes Hajo A. Reijers Wil M.P. van der Aalst Eindhoven University of Technology m.netjes@tue.nl MDE4BPM Outline Introduction The evolutionary approach towards process

779 views • 40 slides
General Pearls Immunocompromised patients with Management of post transplant infections

General Pearls Immunocompromised patients with Management of post transplant infections

9/29/2016 General Pearls Immunocompromised patients with Management of post transplant infections are often sicker than they look infections often have more extensive disease than is Whats new in 2016 apparent may require

674 views • 18 slides
part II codon substitution models and the analysis of natural selection pressure Joseph P.

part II codon substitution models and the analysis of natural selection pressure Joseph P.

2015-07-21 part II codon substitution models and the analysis of natural selection pressure Joseph P. Bielawski Department of Biology Department of Mathematics & Statistics Dalhousie University part II model based inference 1. 3

718 views • 39 slides
Multilingual and Crosslingual Information Retrieval and Access Feiyu Xu DFKI, LT-Lab Germany

Multilingual and Crosslingual Information Retrieval and Access Feiyu Xu DFKI, LT-Lab Germany

Language Technology Multilingual and Crosslingual Information Retrieval and Access Feiyu Xu DFKI, LT-Lab Germany Feiyu Xu, 2005 Language Technology Multilingual Information System Motivation Strategies MIETTA System Feiyu Xu,

835 views • 49 slides

More recommend