Your SlideShare is downloading. ×
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur

363

Published on

A glimpse into the top security researches in the top global academia - Prof. Indranil Sengupta, IIT Kharagpur

A glimpse into the top security researches in the top global academia - Prof. Indranil Sengupta, IIT Kharagpur

Published in: Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
363
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
21
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • There are animations. After the 3rd animation, say that this talk with not cover this topic, although we have worked on a solution to perevnt leakage of secret information at the “package and test” phase
  • Here mention that different authors have proposed different Trojan nomenclature, and we are going to elaborate on the last classification based “trigger” and “payload”
  • Mention that hybrid Trojans are particularly difficult to detect. Also mention that many other interesting sequential Trojans have been proposed.
  • Mention that “Trojan Design” is a very active field of research, and they can be of a lot of more varieties. We have just presented a few simple types.
  • Mention that destructive approaches are very expensive with respect to time and cost, and cannot guarantee Trojan detection because only a few ICs from a wafer might have Trojans, while the others might be benign, so destructive testing is not really helpful.
  • Here, say a few words about the scheme by describing the modified state diagram. Talk about the “initialization key sequence”, exponential functional complexity of the scheme, how the Trojan might become more “detectable”, and how the Trojan might become “benign”. Mention use of “unreachable states”, and use of Tetramax in finding them.
  • “DoS” stands for “denial-of-service”
  • Mention that this work would be discussed in greater detail because of the relatively smaller number of works that target logic testing based Trojan detection.
  • Mention the separation of the Trojan infested and Trojan free data points
  • Transcript

    • 1. Hardware Trojan: Threats and Emerging Solutions Prof. Indranil Sen Gupta Professor, Dept. of Computer Science and Engg. IIT Kharagpur E-mail: isg@iitkgp.ac.in TOP 100 CISO AWARDS
    • 2. Outline  Background  Modern IC design and manufacturing  What are Hardware Trojans?  Reality or fantasy?  Trojan taxonomy and examples  Trojan taxonomy  Trojan examples  Trojan detection techniques  General features  Classification of Trojan detection techniques  Challenges  Invasive techniques  Non-invasive techniques • Logic testing • Side-channel analysis  Multi-level Attack  Summary and future research directions 2
    • 3. 3 Background
    • 4. Modern IC Design and Manufacturing 4 IP Tools Std. Cells Models DesignSpecifications Fab Interface Mask Fab Wafer Probe Dice and Package Package Test Deploy and Monitor Trusted Either Untrusted Wafer *http://www.darpa.mil/MTO/solicitations/baa07-24/index.html DARPA’s Model of Hardware Security Threats* Not really Trusted!! Offshore Third-party
    • 5. Effects of Prevalent Practices 5  Prevalence of Intellectual Property (IP) based design  Routine use of CAD tools from EDA vendors  Fabless manufacturing model (trend on the rise)  Outsourcing of manufacturing to offshore fabs  Loss of Control over design and manufacture  Potentially untrusted parties getting involved
    • 6. What are Hardware Trojans ? 6  Malicious modifications to design  Can take place pre or post manufacturing  Inserted by intelligent adversary  Extremely small hardware overhead  Stealthy => difficult to detect  Causes IC to malfunction in-field  Results:  Potentially disastrous consequences  Can affect: • Military installations • Civilian infrastructure (power grid, transportation, etc.) • Communication  Loss of human life and property  Billions of dollars in lost property and infrastructure
    • 7. How Realistic are Hardware Trojans? 7  Do hardware Trojans really exist?  No concrete proof obtained yet  Tampering masks in fab is not easy (highly complex)  Reverse-engineering a single IC can take months  Political issues make it difficult to verify authenticity of fabs  But there is strong evidence they do….  Numerous suspected military and commercial cases (as early as 1976!!)  Reverse-engineering ICs is widely believed to be performed by reputed companies (IBM has patents) *  Highly sophisticated commercial software tools for reverse- engineering available (Chipworks, etc.)**, and academic efforts (Cambridge University)  Tampering at design stage is highly feasible *US Patent #6, 496, 022 B1 by Kash et al **www.chipworks.com
    • 8. Suspected Hardware Trojans 8  Military  Old Trick Threatens the New Weapons” (J. Markoff, NYT, Oct. 2009)  “Hardware Trojans could turn microchips into timebombs” (P. Marks, NS, Jul. 2009)  “Towards Countering the Rise of the Silicon Trojan” (DSTO, Australian Govt., Dec. 2008)  “The Hunt for the Kill Switch” (S. Adee, IEEE Spectrum, May 2008)  “FBI says military had bogus computer gear” (J. Markoff, NYT, May 2008)  “BAA 07-24: TRUST in Integrated Circuits (IC)” (DARPA, Jul. 2007)  Commercial  “Cracking Security Codes: Does it Matter?” (C. Tartette, IEEE Spectrum, Feb. 2010)  “PC Giant Warns of Hardware Trojans” (S. Adee, IEEE Spectrum, May 2008)
    • 9. 9 Trojan Taxonomy and Examples
    • 10. Trojan Taxonomy 10 Banga and Hsiao [HOST’08] Hardware Trojans Combinational Sequential Wang, Tehranipoor and Plusquellic [HOST’08] Physical attribute Activation attribute Action attribute Wolff et al [DATE’08], Jin and Makris [HOST’08] Trigger Payload
    • 11. Trojan Taxonomy (contd.) 11 Trojan Payload Synchronous Asynchronous Rare Sequences Digital Analog On-chip sensors Digital Bridging Delay Activity Analog Trigger Circuit Nodes Other Information Leakage Memory Content Denial-of- Service Hybrid Combinational Sequential Rare value Activity  Taxonomy based on [Chakraborty et al HLDVT’09]  Activation mechanism (trigger) and  Malicious effect (payload)
    • 12. Digital Trojans 12 Combinational Trojan (simplest, most widely studied) Sequential (Synchronous )Trojan (“Time Bomb”) Sequential (Asynchronous)Trojan ER ER* 0 1 2 k-1 CLK Trigger Payload ER ER* 0 1 2 k-1 Trigger Payloadp q A B Cmodified C Trigger Payload HybridTrojansER ER* CLK CLK CLK k2-bit Counter k1-bit Counter
    • 13. Analog Trojans 13 Analog Trojan (activity-triggered) Analog payload Trojan
    • 14. Information Leakage Trojans 14 Side-channel Leakage Based Lin et al [ICCAD’09] Logic-value Based
    • 15. 15 Trojan Detection Techniques
    • 16. General Features 16  Most proposed techniques cannot guarantee Trojan detection  Can only provide confidence levels  Prone to false positives  Do not have resolution to pin-point the Trojan location  No “silver-bullet” technique available  Most techniques assume particular Trojan models  Arbitrarily complex Trojans have not been studied  Most proposed techniques have not been validated experimentally  Based on computer simulations  Mostly ignores experimental sources of error  Many are futuristic (e.g. 3-D IC technology based techniques)  Many have unacceptable design overhead
    • 17. Approaches of Trojan Detection 17 Trojan Detection Approaches Non-destructive Invasive Destructive Preventive Non- invasive Test-timeAssistive Run-time Logic Test Side- channel Non-mainstreamMainstream
    • 18. Why is Trojan Detection Challenging? 18  For logic-testing based methods:  Trigger nodes have low controllability, payload nodes have low observability  Trojans are stealthy  Extremely large number of possible Trojan instances • Combinatorial dependence on number of circuit nodes • For the ISCAS-85 c880 circuit with 451 possible nodes, ~1011 possible Trojans !!  Sequential Trojans extremely difficult to detect  Finite test length and duration  For side-channel analysis based methods:  Modern nanometer processes have large process variation  Susceptible to experimental measurement error  Difficult to detect very small Trojans  Needs a Golden sample …might not be available  For invasive methods:  Design overhead
    • 19. Invasive Techniques 19  Obfuscate the circuit functionality [Chakraborty and Bhunia, ICCAD’09]  Design of stealthy Trojan requires identification of rare nodes  This requires estimation of signal probability at internal nodes  Can obfuscation be applied to make this task difficult?  Prevent free dead space in an IC [Wang et al, HOST’08]  Trojan insertion requires space  Can be overcome using better logic optimization and placement 1. Preventive Techniques S0 O S1 O S2 OK1 K2 S0 I S1 I S2 I S0 N S3 N S2 N S1 N K3 Obfuscated Functionality Original State Space Initialization state space Isolation state space Initialization Key = {K1, K2, K3} S4 N S5 N S3 I Obfuscation state space Normal Functionality Start Invalid Trojan Valid Trojan  Modify STG of circuit  Normal and obfuscated modes of operation  Initialization key sequence required to take circuit to normal mode after power-up  Well-hidden circuit modifications
    • 20. 2. Assistive Techniques 20  On-demand Transparency [Chakraborty et al, HOST’08]  Make system operate in a special mode on demand  Presence of Trojan possibly disrupts operations in the special mode  This changes the expected o/p logic values in the special mode  This leads to the detection of an inserted Trojan (probabilistically)  Limitation: Cannot guarantee Trojan detection
    • 21. Non-invasive Techniques 21  Hardware Approach (DEFENSE) [Abramovici and Bradley, CSIIR’09]  Reconfigurable framework for run-time functionality monitoring  Triggers counter-measures on deviation  Does not mention hardware overhead  Commercially available design tool to implement the methodology 1. Run-time Techniques
    • 22. Run-time Techniques (contd.) 22  Software Approach [McIntyre et al, HOST’09]  Execute identical copies of software on multiple CPUs  Dynamically evaluate individual trust levels (“Trust learning”)  Simulation results show that the system can successfully execute programs in a Trojan-infested environment  Hardware + Software Approach [Bloom et al HOST’09]  “Hardware guard” module outside CPU + enhanced OS  Effectively protects against DoS and privilege escalation attacks  2.2% average performance overhead for SPECint 2006 benchmarks
    • 23. Run-time Techniques (contd.) 23  BlueChip [Hicks et al IEEE Symp. Security and Privacy’10]  Pre-fab: Design is analyzed and “Unused Circuit Identification” (UCI) is used to detect unused circuit blocks which are potential Trojans  Such suspicious modules are replaced by exception generation hardware  When activated, the exception generation hardware delivers the exception to the BlueChip software layer  The software emulates the instruction that generated the exception  Ensures forward progress of program  5% run-time overhead, 1.5% area overhead. 0.5% power overhead for a FPGA-based implementation  Challenge: Based on verification, hence difficult to have complete coverage of the behavior of the circuit
    • 24. 2. Test Techniques 24  Multiple Excitation of Rare Occurrence (MERO) [Chakraborty et al, CHES’09]  Recap: Complete enumeration of all possible Trojans infeasible  Added difficulty of exciting multiple nodes at their rare values  MERO aims to • Enumerate rare nodes in a given netlist • Excite these potential Trojan trigger nodes multiple times to their rare values individually • Generate a compact set of set vectors  The technique bypasses the difficulty of directed test generation to trigger Trojans  Limitations:  Limited to a class of Trojans  Statistical technique => cannot guarantee 100% detection coverage a. Logic-testing based
    • 25. Mathematical Model 25  Method:  Apply test vectors that trigger each node to its rare value at least N times  Assumptions:  An inserted Trojan has a small but non-zero probability of being triggered  Trigger nodes are mutually independent  Trojan trigger probability is product of trigger probability of all trigger nodes  Main inferences of analysis:  Expected number of times of Trojan getting triggered proportional to N  Trojan triggering probability increases if trigger probability of individual trigger nodes increases
    • 26. Design Flow Automation 26 Input: N, q, θ, # of Trojan inst., # of random patterns, circuit netlist Determine rare events on internal nodes RO-Finder Select Trojan instances using Random Sampling Eliminate false Trojans Synospsys TetraMAX Estimate coverage for random patterns TrojanSim Generate optimized patterns MERO Estimate coverage for optimized patterns TrojanSim END Coverage for random patterns Coverage for optimized patterns TrojanSelection List of feasible Trojans Optimized test patterns C program to find Rare Occurrences C program for Trojan Simulation C program for Multiple Excitation of Rare Occurrence testset generation Justification
    • 27. 2 (b). Side-channel Analysis based Techniques 27  IC Fingerprinting [Agrawal et al, IEEE Symp. Security and Privacy’07]  A signature (fingerprint) associated with an IC  Usually path delay or power trace  Usually supplemented by de-noising techniques  Vector selection is important  Can detect Trojans as small as 0.01% of circuit area in presence of ±7.5% process variation  Limitations  Based only on simulation results  Did not conduct actual experiments and measurements  Did not consider experimental noise
    • 28. Current-trace based Techniques 28  Power-supply Transient based [Rad et al, HOST’08]  Signals from multiple ports for several IC instances are calibrated  Statistical characterization  Capable of detecting 50% activated and 30% inactive Trojans  Sustained-vector Technique [Banga and Hsiao, VLSID’09]  Repeat each input vector multiple times  Reduce extraneous toggles  Magnifies power profile differences  Region-based Trojan detection [Banga and Hsiao, HOST’08]  Partition circuits into smaller regions  Generate vectors to excite selected region and minimize activity of other regions  Could detect most Trojans at ±7.5% process variation
    • 29. Path-delay Based Techniques 29  Path-delay Fingerprint [Jin and Makris, HOST’08]  Multiple paths considered  Extensive statistical characterization  Capable of detecting Trojans with 0.13% area, under 7.5% process variation  Gate-level Characterization [Potkonjak et al, DAC’09]  Both path delay and leakage current were considered  Problem formulated as a LPP  Effective for smaller ISCAS-85 circuits  Limitation: Computationally challenging for larger circuits Trojan infested Trojan free (“convex hull”)
    • 30. Multi-level Attack 30  Uses nexus between multiple parties  Only parties which are part of the nexus can benefit  The nexus eases the burden of individual parties  More challenging to detect than Trojans considered so far
    • 31. Multi-level Attack (contd.) 31 ASIC Example FPGA Example
    • 32. Conclusions 32  Modern IC design and manufacturing practices are inherently insecure  Third-party IPs and off-shore manufacturing  Potentially untrusted parties pay a major role  Trend likely to increase  Hardware Trojans are malicious circuit modifications  Small overhead, hugely destructive impact  Difficult to detect by traditional testing means  Great threat to national security  State-of-the-art  Both design and test techniques have been proposed  Effectiveness of the proposed techniques limited to the particular types of Trojans  Most techniques have not been validated experimentally in-field
    • 33. Future Research Directions  The main concern is the lack of a generic technique for Trojan detection  Model-independent Trojan detection ultimate goal  Testing approaches: ◦ combination of logic-testing and side-channel approaches hold most promise  Multi-level attacks pose new challenges  Design approach: ◦ Design for Security is the best bet 33
    • 34. Future Research Directions 34 Design for Security Design Techniques Metrics Automation Education Methodology Software Courses Study Material Degree of security Overheads Circuit Architecture System
    • 35. Security Research at IIT Kharagpur  General security ◦ Securing policy integration in cloud-based collaboration through selection of trust-worthy provider and permission authorization. ◦ Trust based security access control models for MANETs. ◦ Formal analysis of security policy implementations in enterprise networks. ◦ Digital rights management. 35
    • 36.  Cryptography ◦ Block and stream cipher design ◦ Lightweight crypto algorithms ◦ Side-channel attacks ◦ Physically unclonable functions (PUF) ◦ Malicious hardware and their mitigation 36
    • 37. Thank You for your attention!! 37

    ×