Classification and Detection of Hardware Trojans
Rahul Krishnamurthy(2011VLSI06)
ABV-Indian Institute of Information Technology and Management Gwalior,
Morena Link Road, Gwalior, Madhya Pradesh, INDIA - 474010.

December 17, 2012
Contents
1. Introduction
2. Classification of Hardware Trojans
3. Detection Techniques for Hardware Trojans
Detection Using Power Analysis
Detection by Delay Fingerprint technique
Detection using Ring Oscillator Frequency Mechanism

4. Insertion of Hardware Trojans
Insertion Technique Bypassing Delay Fingerprint Technique
Insertion Technique Bypassing Ring Oscillator Frequency
Mechanism

5. Conclusion
Introduction
A Hardware Trojan is a malicious and deliberately stealthy
modification made to an electronic device such as an IC.
It can change the chip's functionality and thereby undermine
trust in the systems using that chip.

Figure : A simple Hardware trojan
Hypothesis

The classification of hardware Trojans assumes that the
attacker has access to all stages of the IC design.
The attacker has access to the floorplans, layout, netlist and
RTL code.
Classification

Figure : Hardware trojan Taxonomy
Insertion Phase

The malicious alteration can take place at the following phases:
Specification phase – For example, a Trojan at the
specification phase might change the hardware's timing
requirements.
Design phase – The designer can use third-party IP blocks and
standard cells. A standard cell library can be infested with
Trojans.
Fabrication phase – Subtle mask changes can have serious
effects. In an extreme case, an adversary can substitute a
different mask set.
Testing phase – An adversary can change the test vectors to
avoid detection of the Trojan.
Assembly phase – Developers assemble the tested chip and
other hardware components on a printed circuit board (PCB).
An unshielded wire can be used for information leakage and
fault injection.
Abstraction phase
The phase at which the alteration occurs.
System level – Trojans might be triggered by the target
hardware modules, for example, interchanging the ASCII values
of the keyboard inputs.
Development environment – An attacker can use CAD tools
and scripts to insert Trojans. Software Trojans inserted into
these CAD tools can mask the effects of the hardware Trojans.
For example, a synthesis tool might not reveal a circuit's
Trojan components to the user.
Register-transfer level – At the RTL, chip developers describe
each functional module in terms of registers, signals, and
Boolean functions.
For example, a Trojan implemented at this level might halve
the rounds of a cryptographic algorithm by making the round
counter advance in steps of two instead of one.
Gate level – A Trojan might be a simple comparator consisting
of XOR gates that monitor the chip's internal signals.
Transistor level – A transistor-level Trojan might be a
transistor with low gate width that can cause more delay in
the critical path.
Physical level – This level describes all circuit components and
their dimensions and locations.
Changing the width of the clock grid's metal wires in the chip
can cause clock skew.
Activation Mechanism
Always-on – This class covers Trojans that are implemented
by modifying the geometries of the chip such that certain
nodes or paths in the chip have a higher susceptibility to
failure.
Internally triggered – An event that occurs within the target
device activates an internally triggered Trojan.

Figure : Internally Triggered
Externally triggered – An externally triggered Trojan requires
external input to the target module to activate.
For example, data coming through external interfaces such as
RS-232 can trigger a Trojan.
Effects
The effects of Trojans on target hardware or systems can
range from subtle disturbances to catastrophic system failures.
A Trojan can cause an error detection module to accept inputs
that should be rejected.
A Trojan can downgrade performance by intentionally
changing device parameters, such as power and delay.
A Trojan might leak a cryptographic algorithm's secret key
through unused RS-232 ports.
Denial-of-service Trojans prevent operation of a function or
resource, for example by causing the processor to ignore the
interrupt from a specific peripheral.
Detection Techniques
Detection using Power Analysis
A NOT-gate-based ring oscillator is used to monitor power.
Power supply noise (also known as voltage drop) impacts the
delay of gates.

$$f = \frac{1}{2 \times n \times t_d}$$

Figure : Ring Oscillator
When the voltage drops, the delay of the gates increases.
Change in delay impacts the oscillation frequency.
For Trojan-inserted ICs, the switching gates in the Trojan
cause a small voltage drop on the VDD line and ground
bounce on the VSS line.
Thus, with the same input patterns, the power supply noise
affecting the Trojan-free IC and Trojan-inserted IC will differ.
Accuracy of single Ring Oscillator

Process variations can impact the threshold voltage, channel
length, and oxide thickness in circuit gates which, in turn,
impacts power supply noise distribution in an IC.
These effects may be localized. A single ring oscillator cannot
distinguish between Trojans and process variations.
A ring oscillator placed in one corner of an IC may not be
able to capture noise effects which occur due to a Trojan
placed in another corner of the IC.
A Network of Ring Oscillators

Figure : Ring oscillators distributed in circuit layout
One RO is inserted into each grid surrounded by power straps.
One multiplexer is used to select a ring oscillator in the
network to be enabled during the authentication.
Another multiplexer chooses the same ring oscillator to be
recorded.
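
An added example (not from the slides or the cited papers) of how readings from such a ring-oscillator network can be compared with a fingerprint built from known-good chips. In f = 1/(2 × n × td), n is taken to be the number of inverter stages and td the delay of one stage; the stage delays, the 5-stage ring, the 2x2 grid, the per-chip normalisation and the 3-sigma threshold are all assumptions made for illustration.

```python
"""Golden-fingerprint check for a ring-oscillator (RO) network.

Added illustration: the delays, ring length, grid size, normalisation and
threshold below are constructed assumptions, not data from the slides.
"""
from statistics import mean, stdev

N_STAGES = 5        # assumed ring length; must be odd for the ring to oscillate
Z_THRESHOLD = 3.0   # assumed decision threshold, in standard deviations

# Constructed per-stage gate delays in picoseconds, one value per RO of a
# 2x2 grid (RO0..RO3), for five chips already verified as Trojan-free.
GOLDEN_CHIPS_PS = [
    [100.0, 101.0, 99.0, 100.0],
    [102.0, 103.5, 101.0, 102.5],
    [98.0, 98.5, 97.5, 97.5],
    [100.5, 101.0, 100.0, 100.5],
    [99.0, 100.5, 98.0, 99.5],
]
# Constructed chips under test.
SLOW_CLEAN_PS = [105.0, 106.0, 104.0, 105.2]    # slow process corner, no Trojan
TROJAN_PS = [100.0, 101.0, 99.0, 103.0]         # extra supply noise near RO3
SMALL_TROJAN_PS = [100.0, 101.0, 99.0, 100.3]   # much weaker disturbance near RO3


def ro_frequency(n_stages, t_d):
    """f = 1 / (2 * n * t_d) for an n-stage inverter ring, t_d in seconds."""
    if n_stages < 1 or n_stages % 2 == 0:
        raise ValueError("a ring oscillator needs an odd number of inverters")
    return 1.0 / (2 * n_stages * t_d)


def normalised_frequencies(stage_delays_ps):
    """Each RO's frequency divided by the chip's mean RO frequency.

    Dividing by the chip mean cancels die-to-die process variation (a chip
    that is uniformly slow or fast), so only the spatial pattern remains.
    """
    freqs = [ro_frequency(N_STAGES, d * 1e-12) for d in stage_delays_ps]
    chip_mean = mean(freqs)
    return [f / chip_mean for f in freqs]


def build_fingerprint(golden_chips):
    """Per-RO (mean, standard deviation) over the golden population."""
    rows = [normalised_frequencies(chip) for chip in golden_chips]
    return [(mean(col), stdev(col)) for col in zip(*rows)]


def check_chip(stage_delays_ps, fingerprint, threshold=Z_THRESHOLD):
    """Compare one chip with the fingerprint; report the most deviating RO."""
    norm = normalised_frequencies(stage_delays_ps)
    z = [(x - mu) / sigma for x, (mu, sigma) in zip(norm, fingerprint)]
    suspect = max(range(len(z)), key=lambda i: abs(z[i]))
    return {
        "flagged": abs(z[suspect]) > threshold,
        "suspect_ro": suspect,   # grid cell whose RO deviates most
        "z_scores": z,
    }


if __name__ == "__main__":
    fp = build_fingerprint(GOLDEN_CHIPS_PS)
    for name, chip in [("slow but clean", SLOW_CLEAN_PS),
                       ("Trojan near RO3", TROJAN_PS),
                       ("small Trojan near RO3", SMALL_TROJAN_PS)]:
        result = check_chip(chip, fp)
        scores = ", ".join(f"{v:+.2f}" for v in result["z_scores"])
        print(f"{name:22s} flagged={result['flagged']!s:5s} "
              f"suspect=RO{result['suspect_ro']} z=[{scores}]")
```

In this constructed data the raw frequency of RO3 on the slow clean chip is lower than on the Trojan chip, so a single oscillator with a fixed frequency limit would misjudge both, while the weakest disturbance stays inside the spread caused by process variation and is not flagged.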
Detection using Path delay fingerprint
The procedure includes three steps:
1. Path delay gathering of nominal chips – Path delay information
of sample chips is collected. These chips are then checked by
reverse engineering to confirm whether they are genuine.
2. Fingerprint generation – A series of fingerprints is generated
from the path delays.
3. Trojan detection – All other chips are then operated under the
same input patterns. Their delay information is then
compared to the delay fingerprints.
Hardware trojan with explicit Payload
When the Trojan is triggered, the payload part will alter the
value of an internal signal.

Figure : Explicit Payload

This type of Trojan will insert extra delay in some paths
passing through those signals.
Hardware trojan with implicit Payload
The implicit payload Trojan does not compromise internal
signals but only takes these signals as the stimulus for its trigger.
The implicit payload may emit radio signals to leak secret
information or may destroy the whole chip.
Compared to the extra delay inserted by explicit payload
Trojan, the added delay here can be smaller and harder to
detect.

Figure : Implicit Payload
Disadvantages

It is not effective at detecting small Trojans or implicit
Trojans (whose payloads do not connect to the circuit) since
the contributions of small Trojans and implicit Trojans to the
path delay will be masked by process variations.
Since there are millions of paths in a circuit, it is impossible to
obtain 100% test coverage using this technique.
Trojans inserted into uncovered paths will not be detected by
this technique.
Detection using Ring oscillator frequency

An attacker can insert malicious gates in a non-critical path,
such that they do not violate the critical path constraint.
Paths can be reconfigured into ring oscillators, so that the
additional delays caused by Trojans can still be measured as
changes in the ring oscillators' frequencies.
Figure : C17 embedded with ring oscillators

To ensure the detection of an inserted trojan, all the gates
must be covered by ring oscillators.
Hardware Trojan Insertion

Bypassing Delay fingerprint technique

The following Trojans were inserted in [ZTT11]:

Trojan  Class  Trigger                 Payload
T1      DRULP  din(1 downto 0)         SP leaked by 7-segment display
T2      DRULP  din=4'hf                Secret key leaked by 7-segment display
T3      DRULP  din=4'h8                Secret leaked by LD7 in serial
T4      DRUPP  Reset=1'b0              1-stage ring oscillator
T5      DRUPP  din(1 downto 0)=2'b01   3-stage ring oscillator
T6      DRTPP  timing sequence         clock buffer chain

Of the six Trojans, T1, T2 and T3 are explicit payload Trojans.
T1 is triggered when the last two bits of the input din are
2'b01.
The payload is that the secret plain text (SP) will be leaked
over the 7-segment display.
If din has a low switching probability, then T1, T2, and T3
will be undetected on the silicon.
Trojans T4, T5, and T6 have implicit payloads.
Trojan-inserted ICs will age faster than Trojan-free ICs, or will
create hot-spots that can damage circuit components.
Random functional test vectors could not detect these Trojans
because they do not change the circuit's original functionality.
The trigger of T6 is a timing sequence → 8'h03, 8'h1c, 8'h23,
8'h6c, 8'ha3, 8'hfc. The probability of activating T6 is $\frac{1}{2^{48}}$.
Once T6 is activated, a buffer chain with a clock frequency
input will be enabled and increase the temperature of the chip
quickly.
This Trojan, with an implicit payload, has a negligible effect
on the path delay. The path delay trojan detection method is
not effective for this type of Trojan.
Bypassing the Ring oscillator detection technique
The loops in the circuit are identified.
If a loop consists of an odd number of inverters, then test
vectors will be generated to enable each ring oscillator.

Test Pattern–A0,B0,C0,TE0,P1=1011
After generating the test patterns, two methods were
employed in [ZTT11] to evade the detection:
Modelling the ring oscillator frequency (hard code attack).
Redesigning the floorplan.
Hard Code attack
The test vectors provide different frequency values for
Trojan-inserted and Trojan-free ICs.

Figure : RTL code

These test vectors are translated into a logic function in the
RTL code.
The counter value for each ring oscillator in a Trojan-inserted
circuit will always be the same as in the Trojan-free circuit.
With the look-up table, any kind of Trojan could be inserted
into the design without being detected.
Redesigning floorplan
A ring oscillator's frequency is sensitive to both process
variations and the location of its components.

Figure : Trojan insertion flow
If the ring oscillator's frequency in the Trojan-inserted design
is larger than its frequency in the Trojan-free design, then the
components of that ring oscillator will be placed further away
from each other.
This increases loop delay and decreases oscillator frequency.
Conclusion
The insertion of hardware Trojans is not limited to just the
fabrication stage. Trojans can be inserted at any stage of
the IC design cycle.
The delay fingerprint is ineffective at detecting implicit payload
Trojans.
The design can be made resilient to the hard code attack by
observing the counter values at different voltage levels.
The embedded ring oscillator network for power analysis has a
large area overhead.
References

Y. Jin, N. Kupp, and Y. Makris, Experiences in hardware
trojan design and implementation, Hardware-Oriented Security
and Trust, 2009. HOST '09. IEEE International Workshop on,
July 2009, pp. 50–57.

Yier Jin and Y. Makris, Hardware trojan detection using path
delay fingerprint, Hardware-Oriented Security and Trust, 2008.
HOST 2008. IEEE International Workshop on, June 2008,
pp. 51–57.

R. Karri, J. Rajendran, K. Rosenfeld, and M. Tehranipoor,
Trustworthy hardware: Identifying and classifying hardware
trojans, Computer 43 (2010), no. 10, 39–46.

J. Rajendran, V. Jyothi, O. Sinanoglu, and R. Karri, Design
and analysis of ring oscillator based design-for-trust technique,
VLSI Test Symposium (VTS), 2011 IEEE 29th, May 2011,
pp. 105–110.

J.A. Roy, F. Koushanfar, and I.L. Markov, Extended abstract:
Circuit cad tools as a security threat, Hardware-Oriented
Security and Trust, 2008. HOST 2008. IEEE International
Workshop on, June 2008, pp. 65–66.

M. Tehranipoor, H. Salmani, Xuehui Zhang, Xiaoxiao Wang,
R. Karri, J. Rajendran, and K. Rosenfeld, Trustworthy
hardware: Trojan detection and design-for-trust challenges,
Computer 44 (2011), no. 7, 66–74.

Xuehui Zhang and M. Tehranipoor, Ron: An on-chip ring
oscillator network for hardware trojan detection, Design,
Automation Test in Europe Conference Exhibition (DATE),
2011, March 2011, pp. 1–6.

Xuehui Zhang, N. Tuzzio, and M. Tehranipoor, Red team:
Design of intelligent hardware trojans with known defense
schemes, Computer Design (ICCD), 2011 IEEE 29th
International Conference on, Oct. 2011, pp. 309–312.

Powerpoint exploring the locations used in television show Time Clash
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 

Hardware Trojans

  • 1. Classification and Detection of Hardware Trojans Rahul Krishnamurthy(2011VLSI06) ABV-Indian Institute of Information Technology and Management Gwalior, Morena Link Road, Gwalior, Madhya Pradesh, INDIA - 474010. December 17, 2012
  • 2. Contents: 1. Introduction. 2. Classification of Hardware Trojans. 3. Detection Techniques for Hardware Trojans (Detection Using Power Analysis; Detection by Delay Fingerprint Technique; Detection Using Ring Oscillator Frequency Mechanism). 4. Insertion of Hardware Trojans (Insertion Technique Bypassing Delay Fingerprint Technique; Insertion Technique Bypassing Ring Oscillator Frequency Mechanism). 5. Conclusion.
  • 3. Introduction: A Hardware Trojan is a malicious and deliberately stealthy modification made to an electronic device such as an IC. It can change the chip's functionality and thereby undermine trust in the systems using that chip. Figure: A simple hardware Trojan.
  • 4. Hypothesis: The classification of hardware Trojans assumes that the attacker has access to all stages of the IC design. The attacker has access to the floorplans, layout, netlist and RTL code.
  • 6. Classification: Insertion Phase. The malicious alteration can take place at the following phases. Specification phase – For example, a Trojan at the specification phase might change the hardware's timing requirements. Design phase – The designer can use third-party IP blocks and standard cells. A standard cell library can be infested with Trojans.
  • 7. Classification: Insertion Phase contd. Fabrication phase – Subtle mask changes can have serious effects. In an extreme case, an adversary can substitute a different mask set. Testing phase – An adversary can change the test vectors to avoid detection of the Trojan.
  • 8. Classification: Insertion Phase contd. Assembly phase – Developers assemble the tested chip and other hardware components on a printed circuit board (PCB). An unshielded wire can be used for information leakage and fault injection.
  • 9. Classification: Abstraction Phase. The phase at which the alteration occurs. System level – Trojans might be triggered by the target hardware modules, for example by interchanging the ASCII values of the keyboard inputs. Development environment – An attacker can use CAD tools and scripts to insert Trojans. Software Trojans inserted into these CAD tools can mask the effects of the hardware Trojans. For example, a synthesis tool might not reveal a circuit's Trojan components to the user.
  • 10. Classification: Abstraction Phase contd. Register-transfer level – At the RTL, chip developers describe each functional module in terms of registers, signals, and Boolean functions. For example, a Trojan implemented at this level might halve the rounds of a cryptographic algorithm by making a round counter advance in steps of two instead of one.
  • 11. Classification: Abstraction Phase contd. Gate level – A Trojan might be a simple comparator consisting of XOR gates that monitor the chip's internal signals. Transistor level – A transistor-level Trojan might be a transistor with low gate width that can cause more delay in the critical path.
  • 12. Classification: Abstraction Phase contd. Physical level – This level describes all circuit components and their dimensions and locations. Changing the width of the clock grid's metal wires in the chip can cause clock skew.
  • 13. Classification: Activation Mechanism. Always-on – This class covers Trojans that are implemented by modifying the geometries of the chip such that certain nodes or paths in the chip have a higher susceptibility to failure. Internally triggered – An event that occurs within the target device activates an internally triggered Trojan. Figure: Internally triggered.
  • 14. Classification: Activation Mechanism. Externally triggered – An externally triggered Trojan requires external input to the target module to activate. For example, data coming through external interfaces such as RS-232 can trigger a Trojan.
  • 15. Classification: Effects. The effects of Trojans on target hardware or systems can range from subtle disturbances to catastrophic system failures. A Trojan can cause an error detection module to accept inputs that should be rejected. A Trojan can downgrade performance by intentionally changing device parameters, such as power and delay. A Trojan might leak a cryptographic algorithm's secret key through unused RS-232 ports. Denial-of-service Trojans prevent operation of a function or resource, for example by causing the processor to ignore the interrupt from a specific peripheral.
  • 16. Detection Techniques: Detection using Power Analysis. The NOT-gate-based ring oscillator is used to monitor power. Power supply noise (also known as voltage drop) impacts the delay of gates. $f = \frac{1}{2 \times n \times t_d}$ Figure: Ring oscillator.
  • 17. Detection Techniques: Detection using Power Analysis. When the voltage drops, the delay of the gates increases. The change in delay impacts the oscillation frequency. For Trojan-inserted ICs, the switching gates in the Trojan would cause a small voltage drop on the VDD line and ground bounce on the VSS line. Thus, with the same input patterns, the power supply noise affecting the Trojan-free IC and the Trojan-inserted IC will differ.
  • 18. Detection Techniques: Detection using Power Analysis. Accuracy of a single ring oscillator: Process variations can impact the threshold voltage, channel length, and oxide thickness in circuit gates which, in turn, impacts the power supply noise distribution in an IC. These effects may be localized. A single ring oscillator cannot distinguish between Trojans and process variations. A ring oscillator placed in one corner of an IC may not be able to capture noise effects which occur due to a Trojan placed in another corner of the IC.
  • 19. Detection Techniques: Detection using Power Analysis. A Network of Ring Oscillators. Figure: Ring oscillators distributed in the circuit layout.
  • 20. Detection Techniques: Detection using Power Analysis. A Network of Ring Oscillators: One RO is inserted into each grid surrounded by power straps. One multiplexer is used to select a ring oscillator in the network to be enabled during the authentication. Another multiplexer chooses the same ring oscillator to be recorded.
  • 21. Detection Techniques: Detection using Path Delay Fingerprint. The procedure includes three steps. (1) Path delay gathering of nominal chips – Path delay information of sample chips is collected. These chips are then checked by reverse engineering to confirm whether they are genuine. (2) Fingerprint generation – According to the path delays, a series of fingerprints is generated. (3) Trojan detection – All other chips are then operated under the same input patterns. Their delay information is then compared to the delay fingerprints.
  • 22. Detection Techniques: Detection using Path Delay Fingerprint. Hardware Trojan with explicit payload: When the Trojan is triggered, the payload part will alter the value of an internal signal. Figure: Explicit payload. This type of Trojan will insert extra delay in some paths passing those signals.
  • 23. Detection Techniques: Detection using Path Delay Fingerprint. Hardware Trojan with implicit payload: The implicit payload Trojan does not compromise internal signals but only takes these signals as the stimulus of the trigger. The implicit payload may emit radio signals to leak secret information or may destroy the whole chip. Compared to the extra delay inserted by an explicit payload Trojan, the added delay here can be smaller and harder to detect. Figure: Implicit payload.
  • 24. Detection Techniques: Detection using Path Delay Fingerprint. Disadvantages: It is not effective at detecting small Trojans or implicit Trojans (whose payloads do not connect to the circuit), since the contributions of small Trojans and implicit Trojans to the path delay will be masked by process variations. Because there are millions of paths in a circuit, it is impossible to obtain 100% test coverage using this technique. Trojans inserted into uncovered paths will not be detected by this technique.
  • 25. Detection using Ring Oscillator Frequency: An attacker can insert malicious gates in a non-critical path, such that it does not violate the critical path constraint. Paths can be reconfigured into ring oscillators, such that the additional delays caused by Trojans can still be measured as changes in the ring oscillators' frequencies.
  • 26. Detection using Ring Oscillator Frequency: Figure: C17 embedded with ring oscillators. To ensure the detection of an inserted Trojan, all the gates must be covered by ring oscillators.
  • 27. Hardware Trojan Insertion: Bypassing Delay Fingerprint Technique. The following Trojans were inserted in [ZTT11]:
      Trojan | Class | Trigger | Payload
      T1 | DRULP | din(1 downto 0) | SP leaked by 7-segment display
      T2 | DRULP | din=4’hf | Secret key leaked by 7-segment display
      T3 | DRULP | din=4’h8 | Secret leaked by LD7 in serial
      T4 | DRUPP | Reset=1’b0 | 1-stage ring oscillator
      T5 | DRUPP | din(1 downto 0)=2’b01 | 3-stage ring oscillator
      T6 | DRTPP | timing sequence | clock buffer chain
    Out of the six Trojans, T1, T2 and T3 are explicit payload Trojans.
  • 28. Hardware Trojan Insertion: Bypassing Delay Fingerprint Technique. T1 is triggered when the last two bits of the input din are 2’b01. The payload is that the secret plain text (SP) will be leaked over the 7-segment display. If din has a low switching probability, then T1, T2, and T3 will be undetected on the silicon.
  • 29. Hardware Trojan Insertion: Bypassing Delay Fingerprint Technique. Trojans T4, T5, and T6 have implicit payloads. Trojan-inserted ICs will age faster than Trojan-free ICs, or will create hot-spots that can damage circuit components. Random functional test vectors could not detect these Trojans because they do not change the circuit's original functionality. The trigger of T6 is a timing sequence → 8’h03, 8’h1c, 8’h23, 8’h6c, 8’ha3, 8’hfc. The probability of activating T6 is $\frac{1}{2^{48}}$.
  • 30. Hardware Trojan Insertion: Bypassing Delay Fingerprint Technique. Once T6 is activated, a buffer chain with a clock frequency input will be enabled and increase the temperature of the chip quickly. This Trojan, with an implicit payload, has a negligible effect on the path delay. The path delay Trojan detection method is not effective for this type of Trojan.
  • 31. Hardware Trojan Insertion: Bypassing the Ring Oscillator Detection Technique. The loops in the circuit are identified. If a loop consists of an odd number of inverters, then test vectors will be generated to enable each ring oscillator. Test Pattern – A0,B0,C0,TE0,P1=1011
  • 32. Hardware Trojan Insertion: Bypassing the Ring Oscillator Detection Technique. After generating the test patterns, two methods were employed in [ZTT11] to evade the detection: modelling the ring oscillator frequency (hard code attack), and redesigning the floorplan.
  • 33. Hardware Trojan Insertion: Hard Code Attack. The test vectors provide different frequency values for Trojan-inserted and Trojan-free ICs. Figure: RTL code. These test vectors are translated into a logic function in the RTL code.
  • 34. Hardware Trojan Insertion: Hard Code Attack contd. The counter value for each ring oscillator in a Trojan-inserted circuit will always be the same as in the Trojan-free circuit. With the look-up table, any kind of Trojan could be inserted into the design without being detected.
  • 35. Hardware Trojan Insertion: Redesigning Floorplan. A ring oscillator's frequency is sensitive to both process variations and the location of its components. Figure: Trojan insertion flow.
  • 36. Hardware Trojan Insertion: Redesigning Floorplan. If the ring oscillator’s frequency in the Trojan-inserted design is larger than its frequency in the Trojan-free design, then the components of that ring oscillator will be placed further away from each other. This increases loop delay and decreases oscillator frequency.
  • 37. Conclusion: The insertion of hardware Trojans is not limited to just the fabrication stage. The Trojans can be inserted at any stage of the IC design cycle. The delay fingerprint is ineffective at detecting implicit payload Trojans. The design can be made resilient to the hard code attack by observing the counter values at different voltage levels. The embedded ring oscillator network for power analysis has a large area overhead.
  • 38. References:
      Y. Jin, N. Kupp, and Y. Makris, Experiences in hardware trojan design and implementation, Hardware-Oriented Security and Trust, 2009. HOST ’09. IEEE International Workshop on, July 2009, pp. 50–57.
      Yier Jin and Y. Makris, Hardware trojan detection using path delay fingerprint, Hardware-Oriented Security and Trust, 2008. HOST 2008. IEEE International Workshop on, June 2008, pp. 51–57.
      R. Karri, J. Rajendran, K. Rosenfeld, and M. Tehranipoor, Trustworthy hardware: Identifying and classifying hardware trojans, Computer 43 (2010), no. 10, 39–46.
      J. Rajendran, V. Jyothi, O. Sinanoglu, and R. Karri, Design and analysis of ring oscillator based design-for-trust technique, VLSI Test Symposium (VTS), 2011 IEEE 29th, May 2011, pp. 105–110.
  • 39. References:
      J.A. Roy, F. Koushanfar, and I.L. Markov, Extended abstract: Circuit CAD tools as a security threat, Hardware-Oriented Security and Trust, 2008. HOST 2008. IEEE International Workshop on, June 2008, pp. 65–66.
      M. Tehranipoor, H. Salmani, Xuehui Zhang, Xiaoxiao Wang, R. Karri, J. Rajendran, and K. Rosenfeld, Trustworthy hardware: Trojan detection and design-for-trust challenges, Computer 44 (2011), no. 7, 66–74.
      Xuehui Zhang and M. Tehranipoor, RON: An on-chip ring oscillator network for hardware trojan detection, Design, Automation Test in Europe Conference Exhibition (DATE), 2011, March 2011, pp. 1–6.
  • 40. References:
      Xuehui Zhang, N. Tuzzio, and M. Tehranipoor, Red team: Design of intelligent hardware trojans with known defense schemes, Computer Design (ICCD), 2011 IEEE 29th International Conference on, Oct. 2011, pp. 309–312.
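The three-step path delay fingerprint procedure (slide 21) and its blind spot for implicit payloads (slide 24), as an added example that is not part of the original slides. The fingerprint here is a simplified per-path mean ± 3σ band rather than the method of the cited paper, and the path delays, the ±3% process variation and the Trojan delay overheads are constructed values.

```python
import random
import statistics

# Constructed nominal delays (ns) for eight measured paths; not from the slides.
NOMINAL_NS = [2.10, 3.45, 1.80, 4.20, 2.95, 3.10, 2.40, 3.80]
PROCESS_VAR = 0.03   # assumed bounded +/-3% process variation per path
K_SIGMA = 3.0        # assumed half-width of the acceptance band, in sigmas


def measure_chip(rng, extra_delay=None):
    """Simulate one chip's path delays under the shared input patterns.

    extra_delay maps path index -> fractional delay added by a Trojan.
    """
    extra_delay = extra_delay or {}
    return [
        nom * (1 + rng.uniform(-PROCESS_VAR, PROCESS_VAR))
        * (1 + extra_delay.get(i, 0.0))
        for i, nom in enumerate(NOMINAL_NS)
    ]


def build_fingerprint(golden_chips):
    """Steps 1-2: per-path (low, high) band from chips verified as genuine."""
    bands = []
    for path_delays in zip(*golden_chips):
        mean = statistics.fmean(path_delays)
        sigma = statistics.stdev(path_delays)
        bands.append((mean - K_SIGMA * sigma, mean + K_SIGMA * sigma))
    return bands


def suspicious_paths(fingerprint, chip):
    """Step 3: indices of paths whose delay falls outside the fingerprint."""
    return [i for i, (d, (lo, hi)) in enumerate(zip(chip, fingerprint))
            if not lo <= d <= hi]


def run_demo(seed=2012):
    rng = random.Random(seed)
    golden = [measure_chip(rng) for _ in range(50)]
    fp = build_fingerprint(golden)
    return {
        "clean": suspicious_paths(fp, measure_chip(rng)),
        # Explicit payload: extra logic on the signal, +15% on paths 3 and 5.
        "explicit": suspicious_paths(fp, measure_chip(rng, {3: 0.15, 5: 0.15})),
        # Implicit payload: the trigger only taps the signal, +0.5% on path 3.
        "implicit": suspicious_paths(fp, measure_chip(rng, {3: 0.005})),
    }


if __name__ == "__main__":
    for name, flagged in run_demo().items():
        print(f"{name:9s} flagged paths: {flagged}")
```

The implicit-payload chip passes because its added delay is smaller than the spread that process variation already produces on genuine chips.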
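The check named in the conclusion (slide 37), reading ring oscillator counters at more than one supply voltage, built on the frequency relation from slide 16; this is an added example, not code from the slides or the cited papers. The alpha-power-law delay model, its constants, and the names `PhysicalRO`, `FixedResponse` and `audit` are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed device model (not from the slides): alpha-power-law gate delay.
V_TH = 0.35        # threshold voltage, volts
ALPHA = 1.3        # velocity-saturation exponent
K_DELAY = 40e-12   # fitting constant, seconds
WINDOW = 10e-6     # counting window, seconds


def gate_delay(vdd):
    """Gate delay t_d; it grows as the supply voltage drops."""
    return K_DELAY * vdd / (vdd - V_TH) ** ALPHA


def ro_count(n_stages, vdd):
    """Counter value after WINDOW seconds, using f = 1 / (2 * n * t_d)."""
    freq = 1.0 / (2 * n_stages * gate_delay(vdd))
    return int(freq * WINDOW)


@dataclass
class PhysicalRO:
    """A real oscillator: its count follows the supply voltage."""
    n_stages: int
    speed: float = 1.0   # multiplicative process variation of this die

    def read(self, vdd):
        return int(ro_count(self.n_stages, vdd) * self.speed)


@dataclass
class FixedResponse:
    """A counter that replays one stored value, whatever the supply voltage."""
    stored: int

    def read(self, vdd):
        return self.stored


def voltage_check(ro, n_stages, v_low=0.9, v_high=1.2, tolerance=0.05):
    """True if the count ratio across two voltages matches the model."""
    expected = ro_count(n_stages, v_high) / ro_count(n_stages, v_low)
    measured = ro.read(v_high) / ro.read(v_low)
    return abs(measured - expected) / expected <= tolerance


def audit(counters, n_stages):
    """Names of counters whose readings do not track the supply voltage."""
    return [name for name, ro in counters.items()
            if not voltage_check(ro, n_stages)]


if __name__ == "__main__":
    sample = {
        "ro0": PhysicalRO(5),
        "ro1": PhysicalRO(5, speed=0.96),          # slower die, still genuine
        "ro2": FixedResponse(ro_count(5, 1.2)),    # matches golden at 1.2 V only
    }
    print("flagged:", audit(sample, 5))
```

Using the ratio of two readings cancels die-to-die speed differences, so a slow but genuine oscillator passes while a counter that matches the golden value at one voltage only is flagged.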