Why We Should Be Worried about Hardware Trojans (PowerPoint presentation)


SLIDE 1

Why We Should Be Worried about Hardware Trojans

Janet Lackey under CC license

The Summer Research Institute 2018 EPFL, June 18, 2018

Christof Paar Ruhr Universität Bochum & University of Massachusetts Amherst

SLIDE 2

Acknowledgement

  • Georg Becker
  • Pawel Swierczynski
  • Marc Fyrbiak

SLIDE 3

Agenda

  • Introduction to Hardware Trojans
  • Sub‐Transistor ASIC Trojans
  • FPGA Trojan
  • Key extraction attack
  • Auxiliary Stuff
SLIDE 4

Agenda (next section: Introduction to Hardware Trojans)
SLIDE 5

Hardware Trojans

Malicious change or addition to an IC that adds or removes functionality, or reduces reliability.

Many rather unpleasant “applications”

SLIDE 6

Hardware Trojans & the Scientific Community

[Bar chart: publications with “Hardware Trojans” or “malicious hardware” per year, 2007–2017, two series: term only in the title, term anywhere in the paper (Google Scholar, Oct 2017). In‐paper counts for 2007–2017: 17, 66, 93, 152, 199, 227, 310, 415, 480, 577, 585. Title‐only counts (ten bars legible): 20, 19, 23, 37, 36, 66, 83, 110, 102, 101.]

SLIDE 7

Trojan Injection & Adversary Scenarios

  • Manufacturing: malicious factory, esp. off‐shore (foreign government)
  • Design manipulation: 3rd‐party IP cores, malicious employee
  • During shipment
  • Built‐in backdoors etc.

DoD scenario (2005); not‐so‐unlikely since 2013: NSA’s interdiction of shipments (Source: Wikipedia)

SLIDE 8

Where are we with “real” HW Trojans?

  • No true hardware Trojan observed in the wild
  • Vast majority of publications focus on detection
  • All examples from academia
SLIDE 9

Agenda (next section: Sub‐Transistor ASIC Trojans)
SLIDE 10

Our Thoughts

  • 1. Designing Trojans could be fun too
  • 2. Especially those that go undetected
SLIDE 11

Simple Example: Inverter Trojan

Let’s modify an inverter so that it always outputs “1” (VDD) without visible changes.

[Figure: CMOS inverter (input A, output Y, PMOS to VDD, NMOS to GND) next to the Trojan inverter; its truth table reads Y = 1 for A = 0 and for A = 1]

SLIDE 12

PMOS Transistor Trojan

[Figure: cross sections at 22 nm. Unmodified PMOS transistor: N‐well (connected to VDD), P‐dopant source (connected to VDD), P‐dopant drain (the output), gate. Trojan transistor with constant VDD output: same N‐well (connected to VDD), but source and drain regions are N‐dopant instead of P‐dopant]

SLIDE 13

“Always One” Trojan Inverter

[Figure: original inverter (A → Y) next to the Trojan inverter with Y = 1: PMOS transistor permanently closed (conducting to VDD), NMOS transistor permanently open (never pulls to GND); truth table Y = 1 for both inputs]

Q1: Can the manipulation be detected?
Q2: How to build a useful Trojan from here?

SLIDE 14

Detection: layout view of Trojan inverter

[Figure: layout of the original inverter next to the “Always One” Trojan. Which one has the Trojan?]

Unchanged:

  • All metal layers
  • Polysilicon layer
  • Active area
  • Wells

 Dopant changes are (very?) difficult to detect using optical inspection!

SLIDE 15

“Small” remaining question

Q2: Can we build a meaningful Trojan using dopant modifications that passes functional testing?

  • Unfortunately, we merely introduced a stuck‐at fault …
  • … functional testing (after manufacturing) will detect the fault right away

SLIDE 16

A Real‐World True Random Number Generator

TRNG (the target of the dopant Trojan) … its random numbers generate cryptographic keys for

  • secure web browsing
  • email encryption
  • document certification

SLIDE 17

2 Modules form the Random Number Generator

[Figure: entropy source → raw bit stream 011001011110 … → digital post processing → 128‐bit crypto key]

SLIDE 18

Inside the Random Number Generator

[Figure: the entropy source (011001011110 …) fills 256 random bits into two 128‐bit registers, state register c (e.g. 0 0 1 1 0 1 0 1 1 1 …) and state register k (e.g. 1 0 0 1 0 0 0 1 1 1 …); AES encrypts c under k to produce the 128‐bit crypto key, and c is incremented (+1) for the next output]

  • 1,000,000,000,000,000,000,000,000,000,000,000,000,000 possible crypto keys
  • testing all keys: lifetime of the universe

SLIDE 19

Trojan Random Number Generator

[Figure: same structure (state registers c and k, AES, +1, 128‐bit crypto key), but only 32 state bits c1 … c32 are still random; the remaining 224 bits are Trojan bits fixed by the attacker]

  • only 32 random bits, 224 Trojan bits (fixed by attacker!)
  • ≈ 1,000,000,000 possible crypto keys instead of 1,000,000,000,000,000,000,000,000,000,000,000,000,000
  • testing all keys: a few seconds
  • … but the circuit would still be tested as “faulty” during manufacturing…

SLIDE 20

Built‐in self test prevents detection of the fault

[Figure: test mode. Unmodified chip: known input → 256‐bit state → digital post processing (AES) → 512 bits → 32‐bit CRC checksum = 32‐bit reference checksum. Trojan chip: known input → 256‐bit state (224 bits stuck at the Trojan constants) → digital post processing (AES) → 512 bits → CRC checksum; one would expect ≠, but the 32‐bit checksum still equals the reference due to clever choosing of the Trojan bits]
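The Trojan RNG and its self test, as an added worked example in Python (not code from the slides or from the CHES 2013 paper). It models the post‐processing of slides 18 to 20 with a keyed hash standing in for AES (the standard library has no AES, and the attack depends only on the size of the state, not on the block cipher), assumes the self test loads an all‐zero state and compares a CRC‐32, and scales the numbers down so that the searches finish in seconds: 16 random bits instead of 32, and a CRC truncated to 12 bits instead of 32. The constants and the plaintext are constructed.

```python
import hashlib
import hmac
import os
import zlib
from typing import Callable, Optional, Tuple

M128 = (1 << 128) - 1
KNOWN_TEST_INPUT = 0       # ASSUMPTION: the self test loads an all-zero 256-bit state
REAL_RANDOM_BITS = 32      # the CHES 2013 Trojan leaves 32 of the 256 state bits random
DEMO_RANDOM_BITS = 16      # reduced so that the exhaustive search below takes seconds
DEMO_CRC_BITS = 12         # the real self test compares a 32-bit CRC; truncated here


def prf(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES_key(block): HMAC-SHA256 truncated to 128 bits (stdlib only)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:16]


def post_process(state: int, nblocks: int) -> bytes:
    """Digital post-processing of the slides: state = k (upper 128 bits) || c (lower 128),
    output block i = AES_k(c + i), i.e. the counter is incremented after every block."""
    k = (state >> 128).to_bytes(16, "big")
    c = state & M128
    return b"".join(prf(k, ((c + i) & M128).to_bytes(16, "big")) for i in range(nblocks))


def honest_load(entropy: int) -> int:
    """Unmodified chip: all 256 state bits are taken from the entropy source."""
    return entropy & ((1 << 256) - 1)


def trojan_load(entropy: int, constants: int, random_bits: int) -> int:
    """Dopant Trojan: only the low `random_bits` flip-flops still take entropy; the
    other 256 - random_bits flip-flops are stuck at attacker-chosen constants."""
    mask = (1 << random_bits) - 1
    return ((constants >> random_bits) << random_bits) | (entropy & mask)


def self_test(load: Callable[[int], int], crc_bits: int = DEMO_CRC_BITS) -> int:
    """Built-in self test: load the known input, produce 512 bits (4 blocks) and
    return the CRC that the tester compares against the reference checksum."""
    return zlib.crc32(post_process(load(KNOWN_TEST_INPUT), 4)) & ((1 << crc_bits) - 1)


REFERENCE_CHECKSUM = self_test(honest_load)   # computed once from the honest design


def find_passing_constants(random_bits: int = DEMO_RANDOM_BITS,
                           crc_bits: int = DEMO_CRC_BITS) -> Tuple[int, int]:
    """Attacker's design step ("clever choosing of the Trojan bits"): try constants until
    the Trojan chip reproduces the reference checksum. About 2**crc_bits trials are
    expected, 2**32 for a real CRC-32, which is cheap to do once, offline."""
    for trial in range(1 << (crc_bits + 4)):
        consts = int.from_bytes(hashlib.sha256(trial.to_bytes(4, "big")).digest(), "big")
        if self_test(lambda e: trojan_load(e, consts, random_bits), crc_bits) == REFERENCE_CHECKSUM:
            return consts, trial
    raise RuntimeError("no passing constants found")


def generate_key(load: Callable[[int], int], entropy: int) -> bytes:
    """Normal operation: a fresh 128-bit crypto key is one output block."""
    return post_process(load(entropy), 1)


def recover_key(constants: int, random_bits: int, known_pt: bytes, ct: bytes) -> Optional[bytes]:
    """Attacker with one known plaintext/ciphertext pair: only 2**random_bits states
    exist, so derive every candidate key and test it (prf stands in for AES-ECB)."""
    for e in range(1 << random_bits):
        key = generate_key(lambda x: trojan_load(x, constants, random_bits), e)
        if prf(key, known_pt) == ct:
            return key
    return None


def demo(random_bits: int = DEMO_RANDOM_BITS, victim_entropy: Optional[int] = None) -> dict:
    """Design the Trojan, let the victim generate a key, then recover it."""
    consts, trials = find_passing_constants(random_bits)
    trojan = lambda e: trojan_load(e, consts, random_bits)
    if victim_entropy is None:
        victim_entropy = int.from_bytes(os.urandom(32), "big")
    key = generate_key(trojan, victim_entropy)           # the victim's "random" key
    pt = b"known plaintext!"                              # constructed 16-byte block
    ct = prf(key, pt)
    return {"passes_self_test": self_test(trojan) == REFERENCE_CHECKSUM,
            "design_trials": trials, "possible_keys": 1 << random_bits,
            "key": key, "recovered": recover_key(consts, random_bits, pt, ct)}
```

With the real sizes the attacker spends about 2^32 trials once, at design time, to find constants that pass the self test, and then at most 2^32 trials per key to recover any key the chip ever generates, while the 2^256 state of the unmodified design is out of reach. The self test gives no protection because its only secret is a 32‐bit checksum, which is exactly the amount of freedom the attacker has in choosing the 224 constants.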
SLIDE 21

Conclusion

  • Meaningful hardware Trojans are possible without extra logic
  • Many detection techniques don’t guarantee a Trojan‐free design!
  • Built‐in self tests can be dangerous
  • More details: Becker, Regazzoni, Paar, Burleson, Stealthy Dopant‐Level Hardware Trojans. CHES 2013

… but the scientific community functions as it is supposed to do:

  • Trojan detection is possible w/ scanning electron microscope: Sugawara et al., Reversing Stealthy Dopant‐Level Circuits. CHES 2014

SLIDE 22

Agenda (next section: FPGA Trojan)
SLIDE 23

FPGAs = Reconfigurable Hardware … are widely used

world market: ≈ 5 billion devices

SLIDE 24

Configuration during power‐up

[Figure: the configuration file (“bitstream”) is loaded into the FPGA at power‐up]

Can we build hardware Trojans by manipulating the bitstream?

SLIDE 25

Principle of FPGA‐based Trojans

[Figure: manipulate bits in the bitstream → configure the FPGA → the Trojan (T) is now part of the hardware. Source graphics: SimpleIcon, Xilinx]

SLIDE 26

The Mechanics of FPGAs

[Figure: FPGA fabric]

  • 10^3 … 10^6 logic cells
  • bitstream is complex and proprietary

Two challenges

  • 1. find AES in an unknown design
  • 2. meaningful manipulation
SLIDE 27

Finding AES: Luckily, crypto has very specific components

  • S‐boxes are realized as 6x1 look‐up tables (LUTs)
  • LUT locations can be “easily” found in the bitstream
  • S‐box contents are very specific (luckily)
SLIDE 28

AES detection in practice

8 different real‐world AES implementations

SLIDE 29

Algorithm substitution attack and its implications

[Figure: 1. inject weak S‐boxes into the bitstream, 2. the Trojan AES (T) is configured; PT → CT = AES_T(k, PT)]

“Useful” attacks are still possible!

  • 1. Storage encryption – plaintext recovery: the attacker can recover plaintext without access to k
  • 2. Temporary device access – key extraction: switch the S‐box, recover k from CT, then configure the original S‐box again

Cute work … but not interoperable with regular AES

SLIDE 30

Conclusion

  • New attack vector against FPGAs!
  • Reconfigurability allows “hardware” Trojans designed in the lab
  • Bitstream protection is crucial! (but not easy, cf. our work at CCS 2011 & FPGA 2013)
  • Details at: Swierczynski, Fyrbiak, Koppe, Paar, FPGA Trojans through Detecting and Weakening of Cryptographic Primitives. IEEE TCAD 2015.

SLIDE 31

Agenda (next section: Key extraction attack)
SLIDE 32

What else can we do with bitstream manipulations?

Hmm, are there simpler ways to extract keys from FPGAs without Trojans?

SLIDE 33

Set‐Up

[Figure: classical known‐plaintext set‐up: the FPGA is configured with an unknown AES design holding the key k; PT → CT = AES(k, PT). Non‐classical set‐up: alteration of the algorithm (via the bitstream) ??]

Can bitstream manipulation of an unknown design lead to key leakage?

SLIDE 34

Bitstream Fault Injections (BiFI)

[Figure: PT → FPGA configured with the AES design and key k → CT = AES(k, PT); 10‐30k LUTs per FPGA]

(surprising) attack strategy

  • 1. manipulate the first LUT table (e.g., set it to all‐zero)
  • 2. configure the FPGA
  • 3. send PT
  • 4. check: does CT contain k? If not: GOTO 1 and manipulate the next LUT
SLIDE 35

How exactly does the key leak ???

[Figure: PT → FPGA with key k → CT = AES(k, PT)]

… Many LUT manipulations possible

  • all‐zero
  • all‐one
  • invert
  • upper half of LUT all‐zero

Different leakage types (key hypotheses)

  • CT = roundkey
  • CT = inverted roundkey
  • CT = PT xor roundkey
SLIDE 36

Results for Bitstream Fault Injections (BiFI)

Real‐world attack

  • 16 unknown AES designs (Internet)
  • 16 different manipulation rules
  • ≈ 20k LUTs
  • 3.3 sec for configuring and checking one manipulation

Results

  • successful key extraction for every design!
  • on average ≈ 2000 configurations (≈ 2h)
  • works even for encrypted bitstream (w/o MAC)
SLIDE 37

Conclusion

  • Bitstream Fault Injection (BiFI) is a new family of fault attacks
  • Malleability of the bitstream is a major weakness of FPGAs!
  • Are there more bitstream‐based attacks?
  • Details at: Swierczynski, Becker, Moradi, Paar: Bitstream Fault Injections (BiFI) – Automated Fault Attacks against SRAM‐based FPGAs. IEEE Transactions on Computers, March 2018.

SLIDE 38

Agenda (next section: Auxiliary Stuff)
SLIDE 39

Relevant Conferences

  • CHES – Cryptographic Hardware & Embedded Systems, Amsterdam, September 9‐12, 2018
  • escar – Embedded Security in Cars, Brussels, November 13‐14, 2018

SLIDE 40

Thank you very much for your attention!

Christof Paar