Rahul Krishnamurthy, profile picture
Uploaded byRahul Krishnamurthy
6,038 views

Hardware Trojans

The document provides an in-depth analysis of hardware trojans, including their classification, insertion techniques, and detection methods. It discusses various phases where trojans can be inserted, such as specification, design, and fabrication, and highlights the challenges in detecting them with techniques like power analysis and delay fingerprinting. The paper concludes that hardware trojan insertion can occur at any stage of the IC design cycle and calls attention to the ineffectiveness of certain detection methods for implicit payload trojans.

Embed presentation

Classification and Detection of Hardware Trojans Rahul Krishnamurthy(2011VLSI06) ABV-Indian Institute of Information Technology and Management Gwalior, Morena Link Road, Gwalior, Madhya Pradesh, INDIA - 474010. December 17, 2012
Contents Contents 1. Introduction 2. Classification of Hardware Trojans 3. Detection Techniques for Hardware Trojans Detection Using Power Analysis Detection by Delay Fingerprint technique Detection using Ring Oscillator Frequency Mechanism 4. Insertion of Hardware Trojans Insertion Technique Bypassing Delay Fingerprint Technique Insertion Technique Bypassing Ring Oscillator Frequency Mechanism 5. Conclusion
Introduction Introduction A Hardware Trojan is a malicious and deliberately stealthy modification made to an electronic device such as an IC. It can change the chips functionality and thereby undermine trust in the systems using that chip. Figure : A simple Hardware trojan
Hypothesis Hypothesis In the classification of Hardware trojan it has been assumed the attacker has the access to all the stages of the IC design. Attacker has the access to the floorplans, layout, netlist and RTL code.
Classification Classification Figure : Hardware trojan Taxonomy
Classification Insertion Phase Insertion Phase At the following phases the malicious alteration can take place. Specification phase– For example, a Trojan at the specification phase might change the hardwares timing requirements. Design phase–Designer can use third-party IP blocks and standard cells. A standard cell library can be infested with Trojans.
Classification Insertion Phase contd.. Insertion Phase contd.. Fabrication Phase–Subtle mask changes can have serious effects. In an extreme case, an adversary can substitute a different mask set. Testing phase–An adversary can change the test vectors to avoid detection of trojan.
Classification Insertion Phase contd.. Insertion Phase contd.. Assembly phase–Developers assemble the tested chip and other hardware components on a printed circuit board (PCB). An unshielded wire can be used for information leakage and fault injection.
Classification Abstraction Phase Abstraction phase The phase at which the alteration occurs. System level–Trojans might be triggered by the target hardware modules-for example, interchanging the ASCII values of the keyboard inputs. Development environment–An attacker can use CAD tools and scripts to insert Trojans. Software Trojans inserted into these CAD tools can mask the effects of the hardware Trojans. For example, a synthesis tool might not reveal a circuits Trojan components to the user.
Classification Abstraction Phase contd.. Abstraction phase contd.. Register-transfer level–At the RTL, chip developers describe each functional module in terms of registers, signals, and Boolean functions. For example, a Trojan implemented at this level might halve the rounds of a cryptographic algorithm by making a round counter to advance in two steps instead of one.
Classification Abstraction Phase contd.. Abstraction phase contd.. Gate level–A Trojan might be a simple comparator consisting of XOR gates that monitor the chips internal signals. Transistor level– A transistor-level Trojan might be a transistor with low gate width that can cause more delay in the critical path.
Classification Abstraction Phase contd.. Abstraction phase contd.. Physical level This level describes all circuit components and their dimensions and locations, Changing the width of the clock grids metal wires in the chip can cause clock skew.
Classification Activation Mechanism Activation Mechanism Always-on– This class covers Trojans that are implemented by modifying the geometries of the chip such that certain nodes or paths in the chip have a higher susceptibility to failure. Internally triggered–An event that occurs within the target device activates an internally triggered Trojan. Figure : Internally Triggered
Classification Activation Mechanism Activation Mechanism Externally triggered Trojan requires external input to the target module to activate. For example, data coming through external interfaces such as RS-232 can trigger a Trojan.
Classification Effects Effects The effects of Trojans on target hardware or systems can range from subtle disturbances to catastrophic system failures. A trojan can cause an error detection module to accept inputs that should be rejected. A Trojan can downgrade performance by intentionally changing device parameters, such as power and delay. A Trojan might leak a cryptographic algorithms secret key through unused RS-232 ports. Denial-of-service Trojans prevent operation of a function or resource. For example causing the processor to ignore the interrupt from a specific peripheral.
Detection Techniques Detection using Power Analysis Detection using Power Analysis The not gate based ring oscillator is used to monitor power. Power supply noise (also known as voltage drop) impacts the delay of gates. 1 f = 2 × n × td Figure : Ring Oscilator
Detection Techniques Detection using Power Analysis Detection using Power Analysis When the voltage drops, the delay of the gates increases. Change in delay impacts the oscillation frequency. For Trojan-inserted ICs, the switching gates in the Trojan would cause small voltage drop on the VDD line and ground bounce on VSS line. Thus, with the same input patterns, the power supply noise affecting the Trojan-free IC and Trojan-inserted IC will differ.
Detection Techniques Detection using Power Analysis Accuracy of single Ring Oscillator Process variations can impact the threshold voltage, channel length, and oxide thickness in circuit gates which, in turn, impacts power supply noise distribution in an IC. These effects may be localized. A single ring oscillator can not distinguish between Trojans and process variations. A ring oscillator placed in one corner of an IC, may not be able to capture noise effects which occur due to a Trojan placed in another corner of the IC.
Detection Techniques Detection using Power Analysis A Network of Ring Oscillators Figure : Ring oscillators distributed in circuit layout
Detection Techniques Detection using Power Analysis A Network of Ring Oscillators One RO is inserted into each grid surrounded by power straps. One multiplexer is used to select a ring oscillator in the network to be enabled during the authentication. Another multiplexer chooses the same ring oscillator to be recorded.
Detection Techniques Detection using Path delay fingerprint Detection using Path delay fingerprint The procedure includes three steps Path delay gathering of nominal chips–Path delay information of sample chips are collected. These chips are then checked whether they are genuine or not using reverse engineering. Fingerprint generation – According to path delays a series of fingerprints are generated. Trojan Detection – All other chips are then operated under same input patterns. Their delay information is then compared to delay fingerprints.
Detection Techniques Detection using Path delay fingerprint Hardware trojan with explicit Payload When the Trojan is triggered, the payload part will alter the value of internal signal. Figure : Explicit Payload This type of Trojan will insert extra delay in some paths passing those signals.
Detection Techniques Detection using Path delay fingerprint Hardware trojan with implicit Payload The implicit payload Trojan does not compromise internal signals but only takes these signals as stimulus of the trigger. The implicit payload may emit radio signals to leak secret information or may destroy the whole chip. Compared to the extra delay inserted by explicit payload Trojan, the added delay here can be smaller and harder to detect. Figure : Implicit Payload
Detection Techniques Detection using Path delay fingerprint Disadvantages It is not effective at detecting small Trojans or implicit Trojans (whose payloads do not connect to the circuit) since the contributions of small Trojans and implicit Trojans to the path delay will be masked by process variations. There are millions of paths in a circuit, it is impossible to obtain 100% test coverage using this technique. Trojans inserted into uncovered paths will not be detected by this technique.
Detection using Ring oscillator frequency Detection using Ring oscillator frequency An attacker can insert malicious gates in non-critical path, such that it does not violate the critical path constraint. Path can be reconfigured into ring oscillators, such that the additional delays caused by trojans can still be measured as changes in ring oscillator’s frequencies.
Detection using Ring oscillator frequency Detection using Ring oscillator frequency Detection using Ring oscillator frequency Figure : C17 embedded with ring oscillators To ensure the detection of an inserted trojan, all the gates must be covered by ring oscillators.
Hardware Trojan Insertion Bypassing Delay fingerprint technique The following trojans were inserted in [ZTT11] Trojan T1 T2 T3 T4 T5 T6 Class DRULP DRULP DRULP DRUPP DRUPP DRTPP Trigger din(1 downto 0) din=4’hf din=4’h8 Reset=1’b0 din( 1 downto 0)=2’b01 timing sequence Payload SP leaked by 7 segement display Secret key leaked by 7 segement display Secret leaked by LD7 in serial 1-stage ring oscillator 3-stage ring osillator clock buffer chain Out of the six trojans, T1,T2,T3 are explicit payload trojans.
Hardware Trojan Insertion Bypassing Delay fingerprint technique T1 is triggered when the last two bits of the input din are 2‘b01. The payload is that the secret plain text (SP) will be leaked over the 7-segment display. If din has a low switching probability, then T1, T2, and T3 will be undetected on the silicon.
Hardware Trojan Insertion Bypassing Delay fingerprint technique Trojans T4, T5, and T6 have implicit payloads. Trojan-inserted ICs will age faster than Trojan-free ICs, or will create hot-spots that can damage circuit components. Random functional test vectors could not detect these Trojans because they do not change the circuits original functionality. The trigger of T6 is a timing sequence → 8’h03, 8’h1c, 8’h23, 1 8’h6c, 8’ha3, 8’hfc. The probability of activating T6 is 48 2
Hardware Trojan Insertion Bypassing Delay fingerprint technique Once T6 is activated, a buffer chain with a clock frequency input will be enabled and increase the temperature of the chip quickly. This Trojan, with an implicit payload, has a negligible effect on the path delay. The path delay trojan detection method is not effective for this type of Trojan.
Hardware Trojan Insertion Bypassing the Ring oscillator detection technique The loops in the circuit are identified. If the loops consist an odd number of inverters, then test vectors will be generated to enable each ring oscillator. Test Pattern–A0,B0,C0,TE0,P1=1011
Hardware Trojan Insertion Bypassing the Ring oscillator detection technique After generating the test patterns, two methods were employed in [ZTT11] to evade the detection:Modelling the Ring oscillator frequency(Hard code attack). Redesigning the floorplan.
Hardware Trojan Insertion Hard Code attack The test vectors provide different frequency values for trojan inserted and trojan free IC’s. Figure : RTL code These test vectors are translated into a logic function in the RTL code.
Hardware Trojan Insertion Hard Code attack contd.. The counter value for each ring oscillator in a Trojan-inserted circuit will always be the same as in the Trojan-free circuit With the look-up table, any kind of Trojan could be inserted into the design without being detected.
Hardware Trojan Insertion Redesigning floorplan Ring oscillators frequency is sensitive to both process variations and the location of its components. Figure : Trojan insertion flow
Hardware Trojan Insertion Hardware Trojan Insertion Redesigning floorplan If the ring oscillator’s frequency in the Trojan–inserted design is larger than its frequency in the Trojan–free design, then the components of that ring oscillator will be placed further away from each other. This increases loop delay and decreases oscillator frequency.
Conclusion Conclusion The insertion of hardware trojans is not limited to just the fabrication stage. The trojans can be inserted at any stage of IC design cycle. The delay fingerprint is ineffective to detect implicit payload trojans. The design can be made resilient to hard code attack by observing the counter values at different voltage levels. The embedded ring oscillator network for power analysis has a large area overhead.
References References Y. Jin, N. Kupp, and Y. Makris, Experiences in hardware trojan design and implementation, Hardware-Oriented Security and Trust, 2009. HOST ’09. IEEE International Workshop on, july 2009, pp. 50 –57. Yier Jin and Y. Makris, Hardware trojan detection using path delay fingerprint, Hardware-Oriented Security and Trust, 2008. HOST 2008. IEEE International Workshop on, june 2008, pp. 51 –57. R. Karri, J. Rajendran, K. Rosenfeld, and M. Tehranipoor, Trustworthy hardware: Identifying and classifying hardware trojans, Computer 43 (2010), no. 10, 39 –46. J. Rajendran, V. Jyothi, O. Sinanoglu, and R. Karri, Design and analysis of ring oscillator based design-for-trust technique,
References VLSI Test Symposium (VTS), 2011 IEEE 29th, may 2011, pp. 105 –110. J.A. Roy, F. Koushanfar, and I.L. Markov, Extended abstract: Circuit cad tools as a security threat, Hardware-Oriented Security and Trust, 2008. HOST 2008. IEEE International Workshop on, june 2008, pp. 65 –66. M. Tehranipoor, H. Salmani, Xuehui Zhang, Xiaoxiao Wang, R. Karri, J. Rajendran, and K. Rosenfeld, Trustworthy hardware: Trojan detection and design-for-trust challenges, Computer 44 (2011), no. 7, 66 –74. Xuehui Zhang and M. Tehranipoor, Ron: An on-chip ring oscillator network for hardware trojan detection, Design, Automation Test in Europe Conference Exhibition (DATE), 2011, march 2011, pp. 1 –6.
References Xuehui Zhang, N. Tuzzio, and M. Tehranipoor, Red team: Design of intelligent hardware trojans with known defense schemes, Computer Design (ICCD), 2011 IEEE 29th International Conference on, oct. 2011, pp. 309 –312.

More Related Content

PPTX
Chacha ppt
byVikramSingh1378
 
PPTX
Hardware Security
byMani Rathnam
 
PPTX
introduction to Embedded System Security
byAdel Barkam
 
PPTX
Security in embedded systems
byRaghav S
 
PDF
Introduction to Multi Party Computation
byVineet Kumar
 
PPT
Live data collection_from_windows_system
byMaceni Muse
 
PPTX
Trusted systems
byahmad abdelhafeez
 
PDF
Formal Verification
byIlia Levin
 
Chacha ppt
byVikramSingh1378
 
Hardware Security
byMani Rathnam
 
introduction to Embedded System Security
byAdel Barkam
 
Security in embedded systems
byRaghav S
 
Introduction to Multi Party Computation
byVineet Kumar
 
Live data collection_from_windows_system
byMaceni Muse
 
Trusted systems
byahmad abdelhafeez
 
Formal Verification
byIlia Levin
 

What's hot

PPTX
Hardware Trojans By - Anupam Tiwari
byOWASP Delhi
 
PPTX
trojan detection
bySRI NISHITH
 
PPTX
Hardware security
byRajKumar4943
 
ODP
Side channel attacks
byStefan Fodor
 
PPT
security in wireless sensor networks
byVishnu Kudumula
 
PPTX
Csma cd and csma-ca
bykazim Hussain
 
PPT
GSM Technology
byAvanitrambadiya
 
PDF
Network security 10EC832 vtu notes
byJayanth Dwijesh H P
 
PPTX
Packet sniffing
byShyama Bhuvanendran
 
PPTX
System security
byinvertis university
 
PPT
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
byPriyanka Aash
 
PDF
Transposition cipher
byAntony Alex
 
PDF
HIGH SPEED NETWORKS
byKathirvel Ayyaswamy
 
PPTX
Satellite ppt
byDivya Shukla
 
PPT
Basic Concepts of information security.ppt
byZaheer720515
 
PPTX
Network Security
byManoj Singh
 
PPT
Level sensitive scan design(LSSD) and Boundry scan(BS)
byPraveen Kumar
 
PDF
Network security & cryptography full notes
bygangadhar9989166446
 
PPTX
Infrared lan's
byMadhusudhan G
 
PPTX
Power delay profile,delay spread and doppler spread
byManish Srivastava
 
Hardware Trojans By - Anupam Tiwari
byOWASP Delhi
 
trojan detection
bySRI NISHITH
 
Hardware security
byRajKumar4943
 
Side channel attacks
byStefan Fodor
 
security in wireless sensor networks
byVishnu Kudumula
 
Csma cd and csma-ca
bykazim Hussain
 
GSM Technology
byAvanitrambadiya
 
Network security 10EC832 vtu notes
byJayanth Dwijesh H P
 
Packet sniffing
byShyama Bhuvanendran
 
System security
byinvertis university
 
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
byPriyanka Aash
 
Transposition cipher
byAntony Alex
 
HIGH SPEED NETWORKS
byKathirvel Ayyaswamy
 
Satellite ppt
byDivya Shukla
 
Basic Concepts of information security.ppt
byZaheer720515
 
Network Security
byManoj Singh
 
Level sensitive scan design(LSSD) and Boundry scan(BS)
byPraveen Kumar
 
Network security & cryptography full notes
bygangadhar9989166446
 
Infrared lan's
byMadhusudhan G
 
Power delay profile,delay spread and doppler spread
byManish Srivastava
 

Similar to Hardware Trojans

PDF
Breaching of Ring Oscillator Based Trojan Detection and Prevention in Physica...
byidescitation
 
PDF
Hardware trojan detection technique using side channel analysis for hardware ...
byAshish Maurya
 
PDF
Hardware Trojan.ppt.pdfisthe hardware teojan
byc15126531
 
PDF
Hardware Trojan detection using Clock sweeping method
byAshish Maurya
 
PDF
presentation_DRDO
byAnimesh Basak Chowdhury
 
PDF
Hardware Trojan Identification and Detection
byijcisjournal
 
PDF
Design, Implementation and Security Analysis of Hardware Trojan Threats in FPGA
byVivek Venugopalan
 
PDF
Verification of Security for Untrusted Third Party IP Cores
byIRJET Journal
 
PDF
Exploring Hardware Security
bySpeck&Tech
 
PDF
Detection of Malicious Circuitry Using Transition Probability Based Node Redu...
byTELKOMNIKA JOURNAL
 
PDF
Tdffffffffffffffffffffffffffffffffffffffehranipoor.pdf
byRamithaDevi
 
PDF
Hta t17
bySelectedPresentations
 
PDF
CONFidence 2018: Who and why should fear hardware trojans? (Adam Kostrzewa)
byPROIDEA
 
PDF
Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
byPriyanka Aash
 
PDF
An approach to containing computer viruses
byUltraUploader
 
PDF
9 exurville
byMuzammal Shafique
 
PDF
Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware...
by奈良先端大 情報科学研究科
 
PPTX
Vishwanath rakesh ece 561
byRAKESH_CSU
 
DOC
Report_Honeypots_Trojans_Spyware
byShan Kumar
 
PDF
Amos-Mitchell Poster
byKory Mitchell
 
Breaching of Ring Oscillator Based Trojan Detection and Prevention in Physica...
byidescitation
 
Hardware trojan detection technique using side channel analysis for hardware ...
byAshish Maurya
 
Hardware Trojan.ppt.pdfisthe hardware teojan
byc15126531
 
Hardware Trojan detection using Clock sweeping method
byAshish Maurya
 
presentation_DRDO
byAnimesh Basak Chowdhury
 
Hardware Trojan Identification and Detection
byijcisjournal
 
Design, Implementation and Security Analysis of Hardware Trojan Threats in FPGA
byVivek Venugopalan
 
Verification of Security for Untrusted Third Party IP Cores
byIRJET Journal
 
Exploring Hardware Security
bySpeck&Tech
 
Detection of Malicious Circuitry Using Transition Probability Based Node Redu...
byTELKOMNIKA JOURNAL
 
Tdffffffffffffffffffffffffffffffffffffffehranipoor.pdf
byRamithaDevi
 
Hta t17
bySelectedPresentations
 
CONFidence 2018: Who and why should fear hardware trojans? (Adam Kostrzewa)
byPROIDEA
 
Screaming Channels: When Electromagnetic Side Channels Meet Radio Transceivers
byPriyanka Aash
 
An approach to containing computer viruses
byUltraUploader
 
9 exurville
byMuzammal Shafique
 
Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware...
by奈良先端大 情報科学研究科
 
Vishwanath rakesh ece 561
byRAKESH_CSU
 
Report_Honeypots_Trojans_Spyware
byShan Kumar
 
Amos-Mitchell Poster
byKory Mitchell
 

Recently uploaded

PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
final.pdf
byomarbishtawi04
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Empower your IT team with cloud-based PC management using Dell Management Por...
byPrincipled Technologies
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
final.pdf
byomarbishtawi04
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Transcript: Escape from the Forbidden Zone: Smuggling green and inclusive tec...
byBookNet Canada
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 

Hardware Trojans

  • 1.
    Classification and Detectionof Hardware Trojans Rahul Krishnamurthy(2011VLSI06) ABV-Indian Institute of Information Technology and Management Gwalior, Morena Link Road, Gwalior, Madhya Pradesh, INDIA - 474010. December 17, 2012
  • 2.
    Contents Contents 1. Introduction 2. Classificationof Hardware Trojans 3. Detection Techniques for Hardware Trojans Detection Using Power Analysis Detection by Delay Fingerprint technique Detection using Ring Oscillator Frequency Mechanism 4. Insertion of Hardware Trojans Insertion Technique Bypassing Delay Fingerprint Technique Insertion Technique Bypassing Ring Oscillator Frequency Mechanism 5. Conclusion
  • 3.
    Introduction Introduction A Hardware Trojanis a malicious and deliberately stealthy modification made to an electronic device such as an IC. It can change the chips functionality and thereby undermine trust in the systems using that chip. Figure : A simple Hardware trojan
  • 4.
    Hypothesis Hypothesis In the classificationof Hardware trojan it has been assumed the attacker has the access to all the stages of the IC design. Attacker has the access to the floorplans, layout, netlist and RTL code.
  • 5.
  • 6.
    Classification Insertion Phase Insertion Phase Atthe following phases the malicious alteration can take place. Specification phase– For example, a Trojan at the specification phase might change the hardwares timing requirements. Design phase–Designer can use third-party IP blocks and standard cells. A standard cell library can be infested with Trojans.
  • 7.
    Classification Insertion Phase contd.. InsertionPhase contd.. Fabrication Phase–Subtle mask changes can have serious effects. In an extreme case, an adversary can substitute a different mask set. Testing phase–An adversary can change the test vectors to avoid detection of trojan.
  • 8.
    Classification Insertion Phase contd.. InsertionPhase contd.. Assembly phase–Developers assemble the tested chip and other hardware components on a printed circuit board (PCB). An unshielded wire can be used for information leakage and fault injection.
  • 9.
    Classification Abstraction Phase Abstraction phase Thephase at which the alteration occurs. System level–Trojans might be triggered by the target hardware modules-for example, interchanging the ASCII values of the keyboard inputs. Development environment–An attacker can use CAD tools and scripts to insert Trojans. Software Trojans inserted into these CAD tools can mask the effects of the hardware Trojans. For example, a synthesis tool might not reveal a circuits Trojan components to the user.
  • 10.
    Classification Abstraction Phase contd.. Abstractionphase contd.. Register-transfer level–At the RTL, chip developers describe each functional module in terms of registers, signals, and Boolean functions. For example, a Trojan implemented at this level might halve the rounds of a cryptographic algorithm by making a round counter to advance in two steps instead of one.
  • 11.
    Classification Abstraction Phase contd.. Abstractionphase contd.. Gate level–A Trojan might be a simple comparator consisting of XOR gates that monitor the chips internal signals. Transistor level– A transistor-level Trojan might be a transistor with low gate width that can cause more delay in the critical path.
  • 12.
    Classification Abstraction Phase contd.. Abstractionphase contd.. Physical level This level describes all circuit components and their dimensions and locations, Changing the width of the clock grids metal wires in the chip can cause clock skew.
  • 13.
    Classification Activation Mechanism Activation Mechanism Always-on–This class covers Trojans that are implemented by modifying the geometries of the chip such that certain nodes or paths in the chip have a higher susceptibility to failure. Internally triggered–An event that occurs within the target device activates an internally triggered Trojan. Figure : Internally Triggered
  • 14.
    Classification Activation Mechanism Activation Mechanism Externallytriggered Trojan requires external input to the target module to activate. For example, data coming through external interfaces such as RS-232 can trigger a Trojan.
  • 15.
    Classification Effects Effects The effects ofTrojans on target hardware or systems can range from subtle disturbances to catastrophic system failures. A trojan can cause an error detection module to accept inputs that should be rejected. A Trojan can downgrade performance by intentionally changing device parameters, such as power and delay. A Trojan might leak a cryptographic algorithms secret key through unused RS-232 ports. Denial-of-service Trojans prevent operation of a function or resource. For example causing the processor to ignore the interrupt from a specific peripheral.
  • 16.
    Detection Techniques Detection usingPower Analysis Detection using Power Analysis The not gate based ring oscillator is used to monitor power. Power supply noise (also known as voltage drop) impacts the delay of gates. 1 f = 2 × n × td Figure : Ring Oscilator
  • 17.
    Detection Techniques Detection usingPower Analysis Detection using Power Analysis When the voltage drops, the delay of the gates increases. Change in delay impacts the oscillation frequency. For Trojan-inserted ICs, the switching gates in the Trojan would cause small voltage drop on the VDD line and ground bounce on VSS line. Thus, with the same input patterns, the power supply noise affecting the Trojan-free IC and Trojan-inserted IC will differ.
  • 18.
    Detection Techniques Detection usingPower Analysis Accuracy of single Ring Oscillator Process variations can impact the threshold voltage, channel length, and oxide thickness in circuit gates which, in turn, impacts power supply noise distribution in an IC. These effects may be localized. A single ring oscillator can not distinguish between Trojans and process variations. A ring oscillator placed in one corner of an IC, may not be able to capture noise effects which occur due to a Trojan placed in another corner of the IC.
  • 19.
    Detection Techniques Detection usingPower Analysis A Network of Ring Oscillators Figure : Ring oscillators distributed in circuit layout
  • 20.
    Detection Techniques Detection usingPower Analysis A Network of Ring Oscillators One RO is inserted into each grid surrounded by power straps. One multiplexer is used to select a ring oscillator in the network to be enabled during the authentication. Another multiplexer chooses the same ring oscillator to be recorded.
  • 21.
    Detection Techniques Detection usingPath delay fingerprint Detection using Path delay fingerprint The procedure includes three steps Path delay gathering of nominal chips–Path delay information of sample chips are collected. These chips are then checked whether they are genuine or not using reverse engineering. Fingerprint generation – According to path delays a series of fingerprints are generated. Trojan Detection – All other chips are then operated under same input patterns. Their delay information is then compared to delay fingerprints.
  • 22.
    Detection Techniques Detection usingPath delay fingerprint Hardware trojan with explicit Payload When the Trojan is triggered, the payload part will alter the value of internal signal. Figure : Explicit Payload This type of Trojan will insert extra delay in some paths passing those signals.
  • 23.
    Detection Techniques Detection usingPath delay fingerprint Hardware trojan with implicit Payload The implicit payload Trojan does not compromise internal signals but only takes these signals as stimulus of the trigger. The implicit payload may emit radio signals to leak secret information or may destroy the whole chip. Compared to the extra delay inserted by explicit payload Trojan, the added delay here can be smaller and harder to detect. Figure : Implicit Payload
  • 24.
    Detection Techniques Detection usingPath delay fingerprint Disadvantages It is not effective at detecting small Trojans or implicit Trojans (whose payloads do not connect to the circuit) since the contributions of small Trojans and implicit Trojans to the path delay will be masked by process variations. There are millions of paths in a circuit, it is impossible to obtain 100% test coverage using this technique. Trojans inserted into uncovered paths will not be detected by this technique.
  • 25.
    Detection using Ringoscillator frequency Detection using Ring oscillator frequency An attacker can insert malicious gates in non-critical path, such that it does not violate the critical path constraint. Path can be reconfigured into ring oscillators, such that the additional delays caused by trojans can still be measured as changes in ring oscillator’s frequencies.
  • 26.
    Detection using Ringoscillator frequency Detection using Ring oscillator frequency Detection using Ring oscillator frequency Figure : C17 embedded with ring oscillators To ensure the detection of an inserted trojan, all the gates must be covered by ring oscillators.
  • 27.
    Hardware Trojan Insertion BypassingDelay fingerprint technique The following trojans were inserted in [ZTT11] Trojan T1 T2 T3 T4 T5 T6 Class DRULP DRULP DRULP DRUPP DRUPP DRTPP Trigger din(1 downto 0) din=4’hf din=4’h8 Reset=1’b0 din( 1 downto 0)=2’b01 timing sequence Payload SP leaked by 7 segement display Secret key leaked by 7 segement display Secret leaked by LD7 in serial 1-stage ring oscillator 3-stage ring osillator clock buffer chain Out of the six trojans, T1,T2,T3 are explicit payload trojans.
  • 28.
    Hardware Trojan Insertion BypassingDelay fingerprint technique T1 is triggered when the last two bits of the input din are 2‘b01. The payload is that the secret plain text (SP) will be leaked over the 7-segment display. If din has a low switching probability, then T1, T2, and T3 will be undetected on the silicon.
  • 29.
    Hardware Trojan Insertion BypassingDelay fingerprint technique Trojans T4, T5, and T6 have implicit payloads. Trojan-inserted ICs will age faster than Trojan-free ICs, or will create hot-spots that can damage circuit components. Random functional test vectors could not detect these Trojans because they do not change the circuits original functionality. The trigger of T6 is a timing sequence → 8’h03, 8’h1c, 8’h23, 1 8’h6c, 8’ha3, 8’hfc. The probability of activating T6 is 48 2
  • 30.
    Hardware Trojan Insertion BypassingDelay fingerprint technique Once T6 is activated, a buffer chain with a clock frequency input will be enabled and increase the temperature of the chip quickly. This Trojan, with an implicit payload, has a negligible effect on the path delay. The path delay trojan detection method is not effective for this type of Trojan.
  • 31.
    Hardware Trojan Insertion Bypassingthe Ring oscillator detection technique The loops in the circuit are identified. If the loops consist an odd number of inverters, then test vectors will be generated to enable each ring oscillator. Test Pattern–A0,B0,C0,TE0,P1=1011
  • 32.
    Hardware Trojan Insertion Bypassingthe Ring oscillator detection technique After generating the test patterns, two methods were employed in [ZTT11] to evade the detection:Modelling the Ring oscillator frequency(Hard code attack). Redesigning the floorplan.
  • 33.
    Hardware Trojan Insertion HardCode attack The test vectors provide different frequency values for trojan inserted and trojan free IC’s. Figure : RTL code These test vectors are translated into a logic function in the RTL code.
  • 34.
    Hardware Trojan Insertion HardCode attack contd.. The counter value for each ring oscillator in a Trojan-inserted circuit will always be the same as in the Trojan-free circuit With the look-up table, any kind of Trojan could be inserted into the design without being detected.
  • 35.
    Hardware Trojan Insertion Redesigningfloorplan Ring oscillators frequency is sensitive to both process variations and the location of its components. Figure : Trojan insertion flow
  • 36.
    Hardware Trojan Insertion HardwareTrojan Insertion Redesigning floorplan If the ring oscillator’s frequency in the Trojan–inserted design is larger than its frequency in the Trojan–free design, then the components of that ring oscillator will be placed further away from each other. This increases loop delay and decreases oscillator frequency.
  • 37.
    Conclusion Conclusion The insertion ofhardware trojans is not limited to just the fabrication stage. The trojans can be inserted at any stage of IC design cycle. The delay fingerprint is ineffective to detect implicit payload trojans. The design can be made resilient to hard code attack by observing the counter values at different voltage levels. The embedded ring oscillator network for power analysis has a large area overhead.
  • 38.
    References References Y. Jin, N.Kupp, and Y. Makris, Experiences in hardware trojan design and implementation, Hardware-Oriented Security and Trust, 2009. HOST ’09. IEEE International Workshop on, july 2009, pp. 50 –57. Yier Jin and Y. Makris, Hardware trojan detection using path delay fingerprint, Hardware-Oriented Security and Trust, 2008. HOST 2008. IEEE International Workshop on, june 2008, pp. 51 –57. R. Karri, J. Rajendran, K. Rosenfeld, and M. Tehranipoor, Trustworthy hardware: Identifying and classifying hardware trojans, Computer 43 (2010), no. 10, 39 –46. J. Rajendran, V. Jyothi, O. Sinanoglu, and R. Karri, Design and analysis of ring oscillator based design-for-trust technique,
  • 39.
    References VLSI Test Symposium(VTS), 2011 IEEE 29th, may 2011, pp. 105 –110. J.A. Roy, F. Koushanfar, and I.L. Markov, Extended abstract: Circuit cad tools as a security threat, Hardware-Oriented Security and Trust, 2008. HOST 2008. IEEE International Workshop on, june 2008, pp. 65 –66. M. Tehranipoor, H. Salmani, Xuehui Zhang, Xiaoxiao Wang, R. Karri, J. Rajendran, and K. Rosenfeld, Trustworthy hardware: Trojan detection and design-for-trust challenges, Computer 44 (2011), no. 7, 66 –74. Xuehui Zhang and M. Tehranipoor, Ron: An on-chip ring oscillator network for hardware trojan detection, Design, Automation Test in Europe Conference Exhibition (DATE), 2011, march 2011, pp. 1 –6.
  • 40.
    References Xuehui Zhang, N.Tuzzio, and M. Tehranipoor, Red team: Design of intelligent hardware trojans with known defense schemes, Computer Design (ICCD), 2011 IEEE 29th International Conference on, oct. 2011, pp. 309 –312.