How to Attack the IoT with Hardware Trojans Janet Lackey under CC - - PowerPoint PPT Presentation

SLIDE 1

How to Attack the IoT with Hardware Trojans

Janet Lackey under CC license

hardwear.io Den Haag, September 22, 2017

Christof Paar Ruhr Universität Bochum & University of Massachusetts Amherst

SLIDE 2

Acknowledgement

  • Georg Becker
  • Pawel Swierczynski
  • Marc Fyrbiak

SLIDE 3

Agenda

  • Introduction to Hardware Trojans
  • Sub‐Transistor ASIC Trojans
  • FPGA Trojan
  • Key extraction attack
  • Auxiliary Stuff
SLIDE 4

Agenda

  • Introduction to Hardware Trojans
  • Sub‐Transistor ASIC Trojans
  • FPGA Trojan
  • Key extraction attack
  • Auxiliary Stuff
SLIDE 5

Hardware Trojans

Malicious change or addition to an IC that adds or removes functionality, or reduces reliability.

Many rather unpleasant “applications”

SLIDE 6

Hardware Trojans & the Scientific Community

[Bar chart: number of publications with “Hardware Trojans” or “malicious Hardware” per year, 2007–2012, two series: term only in the title / term anywhere in the paper (Google Scholar, Aug 2013)]

SLIDE 7

Trojan Injection & Adversary Scenarios

  • Manufacturing: malicious factory, esp. off‐shore (foreign government)
  • Design manipulation: 3rd‐party IP cores, malicious employee
  • During shipment: cf. NSA’s interdiction
  • Built‐in backdoors etc.

DoD scenario (2005) … not‐so‐unlikely (2013)

SLIDE 8

Where are we with “real” HW Trojans?

  • No true hardware Trojan observed in the wild
  • Vast majority of publications focus on detection
  • All examples from academia
SLIDE 9

Our Thoughts

  1. Designing Trojans could be fun too
  2. Especially those that go undetected
SLIDE 10

Simple Example: Inverter Trojan

Let’s modify an inverter so that it always outputs “1” (VDD) without visible changes.

[Figure: CMOS inverter (input A, output Y, supplied by VDD and GND) beside the Trojan inverter, whose truth table gives Y = 1 for every A]

SLIDE 11

PMOS Transistor Trojan

[Figure: unmodified PMOS transistor (N‐well connected to VDD, P‐dopant source connected to VDD, P‐dopant drain as the output, gate) beside the Trojan transistor, in which source and drain are N‐dopant instead, giving a constant VDD output]

SLIDE 12

“Always One” Trojan Inverter

[Figure: Trojan inverter with Y = 1 regardless of A: PMOS transistor permanently closed, NMOS transistor permanently open]

Q1: Can the manipulation be detected?

Q2: How to build a useful Trojan from here?

SLIDE 13

Detection: layout view of Trojan inverter

[Figure: layout of the original inverter beside the “Always One” Trojan inverter]

Unchanged:

  • All metal layers
  • Polysilicon layer
  • Active area
  • Wells

Dopant changes (very?) difficult to detect using optical inspection!

Which one has the Trojan?

SLIDE 14

“Small” remaining question

Q2: Can we build a meaningful Trojan using dopant modifications that passes functional testing?

  • Unfortunately, circuits will not function correctly with this simple stuck‐at fault …
  • … functional testing (after manufacturing) will detect the fault right away

SLIDE 15

A Real‐World True Random Number Generator Dopant Trojan

[Figure: TRNG] … random numbers generate cryptographic keys for

  • secure web browsing
  • email encryption
  • document certification

SLIDE 16

2 Modules form the Random Number Generator

[Figure: entropy source → 011001011110 … → digital post processing → 128‐bit crypto key]

SLIDE 17

Inside the Random Number Generator

[Figure: entropy source → 011001011110 … → 256 random bits → state registers c and k (128 bits each) → AES with a +1 counter → 128‐bit crypto key]

  • 1,000,000,000,000,000,000,000,000,000,000,000,000,000 possible crypto keys
  • testing all keys: lifetime of the universe

SLIDE 18

Trojan Random Number Generator

[Figure: the same state registers and AES with +1 counter, but only 32 state bits (c1 … c32) come from the entropy source; the remaining bits are fixed constants]

  • Only 32 random bits
  • 224 Trojan bits (fixed by attacker!)
  • 1,000,000,000 possible crypto keys instead of 1,000,000,000,000,000,000,000,000,000,000,000,000,000
  • Testing all keys: a few seconds

... but the circuit would still be tested as “faulty” during manufacturing…

SLIDE 19

Built‐in self test prevents detection of fault

[Figure: test mode of the RNG, shown for the original and for the Trojan circuit: known input → 256‐bit state → rate matcher (based on AES) → 512 bits → CRC checksum (32 bits) compared with the reference checksum (32 bits)]

For the original circuit the checksums match (=). For the Trojan circuit the test would be expected to fail (≠), but the checksums still match (=) due to clever choosing of the Trojan bits.
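As an added illustration of slides 17 to 19 (not part of the deck or of the CHES 2013 paper): a simplified model of the Trojan RNG in which SHA-256 stands in for the AES-based post-processing, the 224 attacker-fixed bits are a constructed constant, and the +1 counter register is omitted so that every key is drawn from a freshly seeded state. It shows why an output-only statistical test passes for both circuits, while the collapsed key space of the Trojan circuit shows up as repeated keys once enough independently generated keys are compared.

```python
import hashlib
import random

STATE_BYTES = 32          # 256-bit state register, as on the slide
TROJAN_RANDOM_BITS = 32   # the Trojan leaves only 32 truly random bits
# Constructed stand-in for the 224 Trojan bits fixed by the attacker.
TROJAN_FIXED = bytes.fromhex("deadbeef" * 7)   # 28 bytes = 224 bits

# Simulated entropy source; seeded so that the experiment is repeatable.
rng = random.Random(2017)

def post_process(state: bytes) -> bytes:
    """Digital post-processing, 256-bit state -> 128-bit key.
    Assumption: SHA-256 truncated to 128 bits stands in for the AES stage."""
    return hashlib.sha256(state).digest()[:16]

def honest_state() -> bytes:
    """All 256 state bits come from the entropy source."""
    return rng.getrandbits(8 * STATE_BYTES).to_bytes(STATE_BYTES, "big")

def trojan_state() -> bytes:
    """Only 32 bits are random; the other 224 are the attacker's constants."""
    return rng.getrandbits(TROJAN_RANDOM_BITS).to_bytes(4, "big") + TROJAN_FIXED

def monobit_ok(keys, tolerance=0.01) -> bool:
    """Output-only statistical test: share of one bits close to 1/2."""
    ones = sum(bin(b).count("1") for k in keys for b in k)
    return abs(ones / (8 * 16 * len(keys)) - 0.5) < tolerance

def has_repeated_key(keys) -> bool:
    """A repeat among n keys is expected once n exceeds sqrt(key space)."""
    return len(set(keys)) < len(keys)

def evaluate(state_fn, n=2**19):
    """Generate n keys from fresh states; return (monobit passes?, repeat seen?).
    With 2^32 effective keys, 2^19 samples give ~32 expected colliding pairs."""
    keys = [post_process(state_fn()) for _ in range(n)]
    return monobit_ok(keys), has_repeated_key(keys)

if __name__ == "__main__":
    print("honest RNG:", evaluate(honest_state))   # (True, False)
    print("Trojan RNG:", evaluate(trojan_state))   # (True, True)
```

Both circuits pass the bit-frequency test, so black-box output statistics alone cannot tell them apart; only the repeat check, which needs on the order of 2^16 to 2^19 keys from independent reseeds, reveals the shrunken key space.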
SLIDE 20

Conclusion

  • Meaningful hardware Trojans are possible without extra logic
  • Many detection techniques don’t guarantee a Trojan‐free design!
  • Built‐in self tests can be dangerous
  • More details: Becker, Regazzoni, P, Burleson, Stealthy Dopant‐Level Hardware Trojans. CHES 2013

… but the scientific community functions as it is supposed to do:

  • Trojan detection is possible w/ scanning electron microscope: Sugawara et al., Reversing Stealthy Dopant‐Level Circuits. CHES 2014

SLIDE 21

Agenda

  • Introduction to Hardware Trojans
  • Sub‐Transistor ASIC Trojans
  • FPGA Trojan
  • Key extraction attack
  • Auxiliary Stuff
SLIDE 22

FPGAs = Reconfigurable Hardware … are widely used

world market: ≈ 5b devices

SLIDE 23

Configuration during power‐up

[Figure: configuration file (“bitstream”) loaded into the FPGA at power‐up]

Can we build hardware Trojans by manipulating the bitstream?

SLIDE 24

Principle of FPGA‐based Trojans

[Figure: manipulate bits in the bitstream → configure the FPGA; small look‐up tables realize the logic, one of them carrying the Trojan (T). Source graphics: SimpleIcon, Xilinx]

SLIDE 25

The Mechanics of FPGAs

[Figure: FPGA fabric]

  • 10³ … 10⁶ logic cells
  • bitstream is complex and proprietary

Two challenges

  1. find AES in unknown design
  2. meaningful manipulation
SLIDE 26

Finding AES: Luckily, crypto has very specific components

  • S‐boxes are realized as 6x1 look‐up tables (LUTs)
  • LUT locations can be found in bitstream
  • S‐box contents are very specific (luckily)
SLIDE 27

AES detection in practice

8 different real‐world AES implementations

SLIDE 28

Algorithm substitution attack and its implications

  1. Inject weak S‐boxes in bitstream
  2. Trojan AES is configured

[Figure: PT → CT = AES_T(k, PT)]

“Useful“ attacks are still possible!

  1. Storage encryption – plaintext recovery
    • Attacker can recover plaintext without access to k
  2. Temporary device access – key extraction
    • switch S‐box and recover k from CT
    • configure original S‐box

cute work … but not interoperable with regular AES
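As an added example for slides 26 to 28 (not code from the deck or from the TCAD 2015 paper): a check that the 64-bit contents of a 6-input LUT belong to the genuine AES S-box, the kind of test a defender auditing a recovered design would run to flag substituted S-box LUTs. It assumes that each S-box output bit is split over four LUT6s by fixing the two most significant input bits, and it tolerates any wiring order of the six LUT pins; the proprietary bitstream-to-LUT mapping itself is not modelled, and the sample LUT contents are constructed.

```python
from itertools import permutations

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return p

def aes_sbox() -> list:
    """AES S-box: multiplicative inverse (a^254) followed by the affine map."""
    box = []
    for a in range(256):
        inv = 1
        for _ in range(254):
            inv = gf_mul(inv, a)
        s = inv ^ 0x63
        for r in range(1, 5):          # s ^= rotl(inv, r) for r = 1..4
            s ^= ((inv << r) | (inv >> (8 - r))) & 0xFF
        box.append(s)
    return box

SBOX = aes_sbox()

def lut6_from_sbox(bit: int, high: int) -> int:
    """64-bit LUT6 content of S-box output `bit` with the two input MSBs fixed to `high`."""
    return sum(1 << x for x in range(64) if (SBOX[(high << 6) | x] >> bit) & 1)

def pin_maps() -> list:
    """For each wiring order of the six LUT pins, the input index map x -> y it induces."""
    return [[sum(1 << perm[i] for i in range(6) if (x >> i) & 1) for x in range(64)]
            for perm in permutations(range(6))]

PIN_MAPS = pin_maps()

def relabel(tt: int, ymap: list) -> int:
    """Truth table of the same function seen through a different pin wiring."""
    return sum(1 << x for x, y in enumerate(ymap) if (tt >> y) & 1)

# Every LUT6 content a genuine AES S-box can produce, under any pin order.
GENUINE_SBOX_LUTS = {relabel(lut6_from_sbox(b, h), m)
                     for b in range(8) for h in range(4) for m in PIN_MAPS}

def is_genuine_sbox_lut(tt: int) -> bool:
    """True if the 64-bit LUT content is an unmodified AES S-box fragment."""
    return tt in GENUINE_SBOX_LUTS

if __name__ == "__main__":
    original = lut6_from_sbox(3, 2)              # constructed: S-box bit 3, MSBs = 10
    rewired = relabel(original, PIN_MAPS[-1])    # same LUT, pins wired in reverse order
    tampered = original ^ (1 << 16)              # one S-box entry altered
    print(is_genuine_sbox_lut(original), is_genuine_sbox_lut(rewired), is_genuine_sbox_lut(tampered))
```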

SLIDE 29

Conclusion

  • New attack vector against FPGAs!
  • Reconfigurability allows “hardware” Trojans designed in the lab
  • Bitstream protection is crucial! (but not easy, cf. our work at CCS 2011 & FPGA 2013)
  • Details at: Swierczynski, Fyrbiak, Koppe, P, FPGA Trojans through Detecting and Weakening of Cryptographic Primitives. IEEE TCAD 2015.

SLIDE 30

Agenda

  • Introduction to Hardware Trojans
  • Sub‐Transistor ASIC Trojans
  • FPGA Trojan
  • Key extraction attack
  • Auxiliary Stuff
SLIDE 31

What else can we do with bitstream manipulations?

Hmm, are there simpler ways to extract keys through bitstreams without Trojans?

SLIDE 32

Set‐Up

[Figure: classical known‐plaintext set‐up: PT → CT = AES(k, PT), with the key k configured into the device]

Can bitstream manipulation of an unknown design lead to key leakage?

non‐classical set‐up: alteration of the bitstream ??

SLIDE 33

Bitstream Fault Injections (BiFI)

[Figure: PT → CT = AES(k, PT), key k configured into the device; 10‐30k LUTs per FPGA]

(surprising) attack strategy

  1. manipulate 1st LUT table (e.g., all‐zero)
  2. configure FPGA
  3. send PT
  4. check: Does CT contain k? If not: GOTO 1 and manipulate next LUT
SLIDE 34

How exactly does the key leak ??

[Figure: PT → CT = AES(k, PT), key k configured into the device]

… Many LUT manipulations possible

  • all‐zero
  • all‐one
  • invert
  • upper half of LUT all‐zero

Many leakage hypotheses

  • CT = roundkey
  • CT = inverted roundkey
  • CT = PT xor roundkey
SLIDE 35

Results for Bitstream Fault Injections (BiFI)

Real world attack

  • 16 unknown AES designs (Internet)
  • 16 different manipulation rules
  • ≈ 20k LUTs
  • 3.3 sec for configuring and checking one alteration

Results

  • successful key extraction for every design!
  • on average ≈ 2000 configurations (≈ 2h)
  • works even for encrypted bitstream (w/o MAC)
SLIDE 36

Conclusion

  • Bitstream Fault Injections (BiFI) is a new family of fault attacks
  • Malleability of bitstream is major weakness for FPGAs!
  • Are there more bitstream‐based attacks ?
  • Details at: Swierczynski, Becker, Moradi, P: Bitstream Fault Injections (BiFI) – Automated Fault Attacks against SRAM‐based FPGAs. IEEE Transactions on Computers, to appear.
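As an added example for the points on slides 29 and 35/36 that bitstream encryption without a MAC leaves the bitstream malleable (not code from the deck or the papers): a toy model in which a constructed HMAC-SHA256 counter-mode keystream stands in for the device's AES bitstream cipher, the bitstream is a constructed header plus one 64-bit LUT INIT word, and the alteration is a single XOR on the ciphertext. Without a tag the altered ciphertext decrypts to an altered LUT; with an encrypt-then-MAC tag the device refuses to configure.

```python
import hashlib
import hmac

# Constructed sample bitstream: a header followed by one 64-bit LUT6 INIT word.
HEADER = b"CONSTRUCTED-BITSTREAM-HEADER"
LUT_INIT = (0x6996_9669_9669_6996).to_bytes(8, "big")
BITSTREAM = HEADER + LUT_INIT
LUT_OFFSET = len(HEADER)

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumption: stands in for AES-CTR)."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream; decryption is the same call."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, data: bytes):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext."""
    ct = encrypt_only(enc_key, nonce, data)
    return ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag: bytes):
    """Return the bitstream, or None when the tag fails (configuration refused)."""
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return encrypt_only(enc_key, nonce, ct)

def flip_ciphertext_byte(ct: bytes, offset: int, mask: int) -> bytes:
    """Model an alteration of the stored bitstream made without the key."""
    buf = bytearray(ct)
    buf[offset] ^= mask
    return bytes(buf)

def load_without_mac(enc_key: bytes, nonce: bytes) -> bytes:
    """Encryption-only device: the altered ciphertext decrypts to an altered LUT."""
    ct = flip_ciphertext_byte(encrypt_only(enc_key, nonce, BITSTREAM), LUT_OFFSET, 0xFF)
    return encrypt_only(enc_key, nonce, ct)

def load_with_mac(enc_key: bytes, mac_key: bytes, nonce: bytes):
    """Authenticated device: the same alteration is rejected before configuration."""
    ct, tag = seal(enc_key, mac_key, nonce, BITSTREAM)
    return open_sealed(enc_key, mac_key, nonce, flip_ciphertext_byte(ct, LUT_OFFSET, 0xFF), tag)
```

The keys and nonce are constructed test values; in a real device the bitstream key and MAC key live in the configuration engine and the check runs before any LUT is written.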

SLIDE 37

Agenda

  • Introduction to Hardware Trojans
  • Sub‐Transistor ASIC Trojans
  • FPGA Trojan
  • Key extraction attack
  • Auxiliary Stuff
SLIDE 38

Related Workshops

  • CHES – Cryptographic Hardware & Embedded Systems, 25.‐28. September 2017, Taiwan
  • escarEurope – Embedded Security in Cars, Berlin, November 2017

SLIDE 39

Easy‐to‐understand book for applied cryptography

Introduction to Cryptography by Christof Paar 24 video lectures

SLIDE 40

Thank you very much for your attention!

Christof Paar Ruhr‐Universität Bochum