
How to Attack the IoT with Hardware Trojans

Janet Lackey under CC license

CROSSING Conference Darmstadt, May 16, 2017

Christof Paar, Ruhr Universität Bochum

Acknowledgement

  • Georg Becker
  • Pawel Swierczynski
  • Marc Fyrbiak


Agenda

  • Introduction to Hardware Trojans
  • Sub‐Transistor ASIC Trojans
  • FPGA Trojan
  • Key extraction attack
  • Auxiliary Stuff


Hardware Trojans

Malicious change or addition to an IC that adds or removes functionality, or reduces reliability. Many rather unpleasant “applications”.

Hardware Trojans & the Scientific Community

[Bar chart: number of publications with “Hardware Trojans” or “malicious Hardware” per year, 2007–2012, counted once for the title only and once for anywhere in the paper (Google Scholar, Aug 2013)]


Trojan Injection & Adversary Scenarios

  • Manufacturing: malicious factory, esp. off‐shore (foreign government)
  • Design manipulation: 3rd party IP‐cores, malicious employee
  • During shipment: cf. NSA’s interdiction
  • Built‐in backdoors etc.

DoD scenario (2005), not‐so‐unlikely (2013)

Where are we with “real” HW Trojans?

  • No true hardware Trojan observed in the wild
  • Vast majority of publications focus on detection
  • All examples from academia

Our Thoughts ca. 2012

  1. Designing Trojans could be fun too
  2. Especially those that go undetected

Simple Example: Inverter Trojan

Let’s modify an inverter so that it always outputs “1” (VDD) without visible changes.

[Figure: CMOS inverter (input A, output Y, VDD, GND) beside the Trojan inverter; truth table of the Trojan: Y = 1 for A = 0 and for A = 1]


PMOS Transistor Trojan

[Figure: cross sections. Unmodified PMOS transistor: N‐well (connected to VDD), P‐dopant source (connected to VDD), P‐dopant drain (the output), gate. Trojan transistor with constant VDD output: N‐well (connected to VDD), N‐dopant source (connected to VDD), N‐dopant drain (the output), gate.]

“Always One” Trojan Inverter

[Figure: original inverter (A → Y, VDD, GND) beside the Trojan inverter with Y = 1: PMOS transistor permanently closed, NMOS transistor permanently open; Y = 1 for both input values]

Q1: Can the manipulation be detected?
Q2: How to build a useful Trojan from here?


Detection: layout view of Trojan inverter

[Figure: layout of the original inverter beside the “Always One” Trojan. Which one has the Trojan?]

Unchanged:

  • All metal layers
  • Polysilicon layer
  • Active area
  • Wells

Dopant changes are (very?) difficult to detect using optical inspection!

“Small” remaining question

Q2: Can we build a meaningful Trojan using dopant modifications that passes functional testing?

  • Unfortunately, circuits will not function correctly with this simple stuck‐at fault …
  • … functional testing (after manufacturing) will detect the fault right away


A Real‐World True Random Number Generator

Dopant Trojan

… random numbers generate cryptographic keys for

  • secure web browsing
  • email encryption
  • document certification

[Figure: random number generator → crypto key → AES, with a +1 counter]

Inside the Random Number Generator

[Figure: an entropy source (011001011110 …) fills two 128‐bit state registers, c and k; AES with the +1 counter turns them into 256 random bits]

  • 1,000,000,000,000,000,000,000,000,000,000,000,000,000 possible crypto keys
  • testing all keys: lifetime of the universe


Trojan Random Number Generator

[Figure: the same generator, but the 256‐bit state now holds only 32 random bits c1 … c32; the remaining bits are fixed. AES with the +1 counter still produces the crypto key.]

  • only 32 random bits
  • 224 Trojan bits (fixed by attacker!)
  • 1,000,000,000 possible crypto keys instead of 1,000,000,000,000,000,000,000,000,000,000,000,000,000
  • testing all keys: few seconds

... but the circuit would still be tested as “faulty” during manufacturing …

Detection prevention through built‐in self test

[Figure: test mode. A known input is loaded into the 256‐bit state; the rate matcher (based on AES) produces 512 bits; their 32‐bit CRC checksum is compared with the 32‐bit reference checksum. For the Trojan circuit the two checksums are still equal, due to clever choosing of the Trojan bits.]
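A toy model of the Trojan generator and its self test, added here as an example (it is not the slides' or the CHES 2013 paper's code), showing why a checksum-based built-in self test cannot rule out this Trojan: the checksum has far fewer bits than the Trojan has fixed bits to choose from. Two assumptions keep it runnable in seconds: the AES-based rate matcher is replaced by HMAC-SHA256 as a stand-in PRF, and the 32-bit CRC is shortened to 16 bits.

```python
import hashlib, hmac, os, zlib

# Toy model of the TRNG and self test on the slides (added example, not the
# slides' or the CHES 2013 paper's code).  Two assumptions keep it runnable:
# the AES-based rate matcher is replaced by HMAC-SHA256 as a stand-in PRF,
# and the 32-bit CRC is truncated to CRC_BITS so the search ends in seconds.
CRC_BITS = 16
TEST_INPUT = b"\x00" * 16   # constructed: value loaded into the registers in test mode

def rate_matcher(k: bytes, c: bytes) -> bytes:
    """256 output bits from state registers (k, c); stands in for AES_k(c)."""
    return hmac.new(k, c, hashlib.sha256).digest()

def increment(c: bytes) -> bytes:
    """The '+1' on the slides: c is treated as a 128-bit counter."""
    return ((int.from_bytes(c, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")

def self_test_checksum(k: bytes, c: bytes) -> int:
    """Built-in self test: 512 output bits from a known state, reduced to a checksum."""
    out = rate_matcher(k, c) + rate_matcher(k, increment(c))
    return zlib.crc32(out) & ((1 << CRC_BITS) - 1)

REFERENCE = self_test_checksum(TEST_INPUT, TEST_INPUT)   # golden value, honest chip

def trojan_state(k_const: bytes, c_hi_const: bytes, low32: bytes) -> tuple:
    """Dopant Trojan: k (128 bits) and the upper 96 bits of c are stuck at
    constants; only the low 32 bits of c still follow the entropy source."""
    return k_const, c_hi_const + low32

def find_passing_constants(seed: int = 0) -> tuple:
    """Why the self test does not help: the checksum has CRC_BITS bits but the
    Trojan has 224 bits of freedom, so some constants reproduce REFERENCE in
    test mode.  Returns (k_const, c_hi_const, attempts)."""
    attempts = 0
    while True:
        attempts += 1
        cand = hashlib.sha256(b"%d:%d" % (seed, attempts)).digest()
        k_const, c_hi_const = cand[:16], cand[16:28]
        k, c = trojan_state(k_const, c_hi_const, TEST_INPUT[12:])
        if self_test_checksum(k, c) == REFERENCE:
            return k_const, c_hi_const, attempts

def trojan_random_bits(k_const: bytes, c_hi_const: bytes) -> bytes:
    """Normal operation of the stuck chip: only 32 entropy bits enter, so at
    most 2**32 distinct outputs (keys) can ever appear instead of 2**256."""
    return rate_matcher(*trojan_state(k_const, c_hi_const, os.urandom(4)))

def effective_key_bits(state_bits: int = 256, trojan_bits: int = 224) -> int:
    return state_bits - trojan_bits   # 32 once the Trojan is in place
```

With the real 32-bit CRC the constant search would take about 2^32 trials, which is why the slides call it "clever choosing"; the self test still learns nothing about the entropy actually entering the state.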

Conclusion

  • Meaningful hardware Trojans are possible without extra logic
  • Many detection techniques don’t guarantee a Trojan‐free design!
  • Built‐in self tests can be dangerous
  • More details: Becker, Regazzoni, Paar, Burleson, Stealthy Dopant‐Level Hardware Trojans. CHES 2013

… but the scientific community functions as it is supposed to do:

  • Trojan detection is possible w/ scanning electron microscope: Sugawara et al., Reversing Stealthy Dopant‐Level Circuits. CHES 2014


FPGAs = Reconfigurable Hardware … are widely used

world market: ≈ 5b devices

Configuration during power‐up: the configuration file (“bitstream”) is loaded when the device powers up

Can we build hardware Trojans by manipulating the bitstream?


Principle of FPGA‐based Trojans

[Figure: manipulate bits in the bitstream, then configure the FPGA; small look‐up tables realize the logic in the FPGA fabric. Source graphics: SimpleIcon, Xilinx]

The Mechanics of FPGAs

  • 10³ … 10⁶ logic cells
  • bitstream is complex and proprietary

Two challenges

  1. find AES in unknown design
  2. meaningful manipulation

Finding AES: Luckily, crypto has very specific components

  • S‐boxes are realized as 6x1 look‐up tables (LUTs)
  • LUT locations can be found in the bitstream
  • S‐box contents are very specific (luckily)

AES detection in practice

  • 8 different real‐world AES implementations


Algorithm substitution attack and its implications

  1. Inject weak S‐boxes in the bitstream
  2. Trojan AES is configured

[Figure: PT → FPGA with Trojan AES → CT = AES_T(k, PT)]

cute work … but not interoperable with regular AES

“Useful“ attacks are still possible!

  1. Storage encryption – plaintext recovery: attacker can recover plaintext without access to k
  2. Temporary device access – key extraction: switch S‐box and recover k from CT, then configure the original S‐box

Conclusion

  • New attack vector against FPGAs!
  • Reconfigurability allows “hardware” Trojans designed in the lab
  • Bitstream protection is crucial! (but not easy, cf. our work at CCS 2011 & FPGA 2013)
  • Details at: Swierczynski, Fyrbiak, Koppe, Paar, FPGA Trojans through Detecting and Weakening of Cryptographic Primitives. IEEE TCAD 2015.


What else can we do with bitstreams?

So, bitstream manipulation allows Trojan insertion ... Hmm, are there other/simpler ways to extract keys through bitstreams?


Set‐Up

classical known‐plaintext set‐up:

[Figure: k is configured into the FPGA; PT → FPGA → CT = AES(k, PT)]

Can bitstream manipulation of an unknown design lead to key leakage?

non‐classical set‐up: alteration of the bitstream

Bitstream Fault Injections (BiFI)

[Figure: as above, but the bitstream is altered before the FPGA is configured; 10‐30k LUTs per FPGA]

(surprising) attack strategy

  1. manipulate 1st LUT table (e.g., all‐zero)
  2. configure FPGA
  3. send PT
  4. check: does CT contain k? If not: GOTO 1 and manipulate the next LUT

How exactly does the key leak?

[Figure: k is configured into the FPGA; PT → FPGA → CT = AES(k, PT)]

… Many LUT manipulations possible

  • all‐zero
  • all‐one
  • invert
  • upper half of LUT all‐zero

Many leakage hypotheses

  • CT = roundkey
  • CT = inverted roundkey
  • CT = PT xor roundkey
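Step 4 of the attack strategy ("does CT contain k?") together with the three leakage hypotheses just listed, as an added example that is not the slides' or the authors' code: the check a designer who knows k would run over a faulty ciphertext from their own AES core, with the AES-128 key schedule written out because the round keys are what the hypotheses compare against. Key and plaintext values used to exercise it are constructed.

```python
# Added example (not the slides' or the authors' code): step 4 of the BiFI
# loop, "does CT contain k?", as a designer with a known k would run it to
# test the slide's three leakage hypotheses against a faulty ciphertext.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return p

def sbox_entry(x: int) -> int:
    """AES S-box: inverse in GF(2^8) as x**254 (0 maps to 0), then the affine map."""
    inv, t = 1, x
    for _ in range(7):
        t = gf_mul(t, t)
        inv = gf_mul(inv, t)
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rotl(inv, 1) ^ rotl(inv, 2) ^ rotl(inv, 3) ^ rotl(inv, 4) ^ 0x63

SBOX = bytes(sbox_entry(x) for x in range(256))

def round_keys(key: bytes) -> list:
    """AES-128 key schedule: the round keys k0 .. k10, 16 bytes each."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:                                    # RotWord, SubWord, Rcon
            t = bytes(SBOX[b] for b in t[1:] + t[:1])
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = gf_mul(rcon, 2)
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(11)]

def leak_hypothesis(pt: bytes, faulty_ct: bytes, key: bytes):
    """Step 4 of the loop with a known key: which leakage hypothesis explains
    the faulty ciphertext?  Returns (hypothesis, round) or None."""
    for r, rk in enumerate(round_keys(key)):
        views = {"CT = roundkey": rk,
                 "CT = inverted roundkey": bytes(b ^ 0xFF for b in rk),
                 "CT = PT xor roundkey": bytes(a ^ b for a, b in zip(pt, rk))}
        for name, value in views.items():
            if faulty_ct == value:
                return name, r
    return None
```

Any round key that matches is enough: the full key follows from any single AES-128 round key by inverting the schedule, which is why the slides count a hit on any round as a leak of k.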

Results for Bitstream Fault Injections (BiFI)

Real world attack

  • 16 unknown AES designs (Internet)
  • 16 different manipulation rules
  • ≈ 20k LUTs
  • 3.3 sec for configuring and checking one alteration

Results

  • successful key extraction for every design!
  • on average ≈ 2000 configurations (≈ 2h)
  • works even for encrypted bitstream (w/o MAC)

Conclusion

  • Bitstream Fault Injections (BiFI) is a new family of fault attacks
  • Malleability of the bitstream is a major weakness of FPGAs!
  • Are there more bitstream‐based attacks?
  • Details at: Swierczynski, Becker, Moradi, Paar: Bitstream Fault Injections (BiFI) – Automated Fault Attacks against SRAM‐based FPGAs. IEEE Transactions on Computers, to appear.


Related Workshops

  • escarUSA – Embedded Security in Cars, Ann Arbor, June 2017
  • CHES – Cryptographic Hardware & Embedded Systems, 25.–28. September 2017, Taiwan
  • escarEurope – Embedded Security in Cars, Berlin, November 2017

Easy‐to‐understand book for applied cryptography

Introduction to Cryptography by Christof Paar: 24 video lectures


Thank you very much for your attention!

Christof Paar Ruhr‐Universität Bochum