Design, Implementation and Security Analysis of Hardware Trojan Threats in FPGA

Vivek Venugopalan
Vivek VenugopalanResearch Scientist at United Technologies Research Center
Design, Implementation and Security Analysis of Hardware Trojan 	

Threats in FPGA
Devu Manikantan Shila andVivekVenugopal {manikad,venugov}@utrc.utc.com
• Hardware Trojan Threats (HTTs) are virus-like stealthy
malicious components that can infect the Integrated
Circuit (IC). 	

• With the increasing practice of outsourcing design
and manufacturing steps, various stages of an IC
lifecycle are vulnerable to attacks; 	

!
!
!
!
!
!
!
!
!
!
• Destructive techniques such as de-packaging, reverse
engineering and imaging of ICs are very expensive and
can be applied to only a selected quantity of ICs. 	

• Non-destructive techniques such as side-channel
analysis (aka post-silicon analysis) detect malicious
intrusions by vetting the physical characteristics of IC
(power consumption, timing variation, temperature,
layout structures) with a trusted reference model.
Adversary model
[1] D. J.Wheeler and R. M. Needham.TEA, a tiny encryption algorithm, 1995. 	

[2] T. Huffmire,et. al,“Moats and drawbridges:An isolation primitive for reconfigurable hardware based systems,” in Security and Privacy, 2007. SP ’07. IEEE Symposium on, May 2007, pp. 281–295.	

[3]Y.Jin,N.Kupp andY.Makris,“Experiences in Hardware Trojan design and implementation,” in Hardware-Oriented Security andTrust, 2009. HOST ’09. IEEE InternationalWorkshop on, 2009, pp. 50–57	

[4] S.Wei, K. Li, F. Koushanfar, and M. Potkonjak,“Hardware trojan horse benchmark via optimal creation and placement of malicious circuitry,” in Design Automation Conference (DAC), 2012 49th ACM/IEEE, 2012.
Implementation and Results
• Our results manifest that using power, timing or utilization, only a maximum of
57% of designed HTTs were detected. 	

•We proposed a novel metric called HTT detectability metric (HDM) that uses a
weighted combination of various physical parameters. 	

•The detection rate of HTTs increased to 86% with HDM. We also determine the
optimal HTT detection threshold that minimizes the summation of false alarm and
missed detection probabilities.	

•We found that the remaining 14% HTTs can be detected by monitoring IP access
activities.
Introduction
Insights and Conclusion
References
• Propose a novel metric for hardware Trojan
detection, termed as HTT detectability metric (HDM)
that leverages a weighted combination of normalized
physical parameters; carry out analytical studies to
derive the optimal detection threshold that minimizes
the summation of false alarm and missed detection
probabilities.	

• Design and implement three hardware Trojans at the
design level in FPGA Root of Trust (RoT) testbed to
defeat the classic trusted hardware model assumptions. DetectionRate(%)
0
25
50
75
100
Power Timing Resource HDM
Detection
System model
Contributions
•The attacker model leads to potential attack surfaces that can
be exploited to successfully leverage an attack, as shown on a
Xilinx Spartan-3AN FPGA development board
• The first testbed consists of a cryptosystem
using the block cipher based on Feistel Networks,
known as the Tiny Encryption Algorithm (TEA).	

• The second testbed is a classic Root of Trust
(RoT) design that consists of a secure memory
and a key guard. The authorized module is
allowed to access the contents of memory only
via a guard module.
Denial of Service HTT
Man-In-The-Middle HTT for beating
the authentication in the system
Component Usage Type of Access
FX2 Expansion Port, Expansion Headers,
USB, Ethernet
Leakage/Trigger Physical
ADC, DAC Leakage Physical
Audio Jack, LEDs, LCD,VGA, RS-232 Leakage Physical/Local
External clock Trigger Remote
Switches, Push Buttons Trigger Physical/Local
Address
Logic
Address
Logic
Response
Generator
Challenge
Generator
Encryption
Response
Generator
Memory
Authorized module Unauthorized module
Guard module
Guard system testbed
TEA Encryption/
Decryption module
Always On HTT
keys
input output
LED
keys
TEA Encryption/
Decryption module
Internal Trigger HTT
keys
input output
LED
keys
sequence
detector
enable leak
TEA Encryption/
Decryption modulekeys
input outputLegitimate User
input trigger
HTT
malformed
input
Address
Logic
Address
Logic
Response
Generator
Challenge
Generator
Encryption
Response
Generator
Memory
Authorized module Unauthorized module Guard module
Man-In-
The-
Middle
HTT
TEA Encryption/
Decryption module
keys
input
output
Denial of Service
HTT
clock
gated
clock
track event
occurrences
enable
Legitimate User HTT
Internal Trigger HTT
Always On Trigger HTT
•The target Spartan-3AN FPGA platform was analyzed to list the
potential leakage points, access points and external triggers an
attacker could utilize to design the Trojan. 	

• Several Trojans were designed and implemented in order to
compromise both testbeds, ranging from internally activated
Trojans to externally activated Trojans. Some HTTs compromised
the device by leaking critical information, while others
compromised by performing a denial of service attack.	

• With optimization, prior to and after the Trojan being inserted,
the footprint on the device was reduced, which helped the power,
timing and utilization profiles match more closely that of the
trusted system. HDM =
mp
i=1 Wi
Oi
Ai
DetectionRate(%)
0
25
50
75
100
Threshold
1 2 3 3.1 3.2 3.3 3.6 4 5
Detection
0
25
50
75
100
Threshold
1 3.1 3.2 3.3 3.6 4 5
PFA+PMD
optimal detection threshold
• HTT detectability metric (HDM)
uses a weighted combination of
normalized physical parameters,
Specification Design Synthesis Production First Ship
• Malicious IP blocks (RTL)	

• 3rd party tools and models	

• Rogue designer	

•Add-on scripts
• IP cloning	

• Modification of bitstream
• Steal and reverse engineer
FPGA design cycle with initial entry points
1 of 1

Recommended

Hardware Trojans by
Hardware TrojansHardware Trojans
Hardware TrojansRahul Krishnamurthy
5.4K views40 slides
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur by
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT KharagpurSneak Peek into the Future with Prof. Indranil Sengupta, IIT Kharagpur
Sneak Peek into the Future with Prof. Indranil Sengupta, IIT KharagpurPriyanka Aash
1.7K views37 slides
Hardware Trojans By - Anupam Tiwari by
Hardware Trojans By - Anupam TiwariHardware Trojans By - Anupam Tiwari
Hardware Trojans By - Anupam TiwariOWASP Delhi
1.2K views83 slides
Hardware trojan detection technique using side channel analysis for hardware ... by
Hardware trojan detection technique using side channel analysis for hardware ...Hardware trojan detection technique using side channel analysis for hardware ...
Hardware trojan detection technique using side channel analysis for hardware ...Ashish Maurya
850 views32 slides
trojan detection by
trojan detectiontrojan detection
trojan detectionSRI NISHITH
474 views56 slides
Hardware Trojan detection using Clock sweeping method by
Hardware Trojan detection using Clock sweeping methodHardware Trojan detection using Clock sweeping method
Hardware Trojan detection using Clock sweeping methodAshish Maurya
471 views20 slides

More Related Content

What's hot

The IEEE 1149.1 Boundary-scan test standard by
The IEEE 1149.1 Boundary-scan test standardThe IEEE 1149.1 Boundary-scan test standard
The IEEE 1149.1 Boundary-scan test standardJose Manuel Martins Ferreira
2.5K views32 slides
Boundary Scan Basics - x1149 de Keysight by
Boundary Scan Basics - x1149 de KeysightBoundary Scan Basics - x1149 de Keysight
Boundary Scan Basics - x1149 de KeysightInterlatin
1.3K views44 slides
Jtag presentation by
Jtag presentationJtag presentation
Jtag presentationklinetik
9.4K views21 slides
Predicting and Abusing WPA2/802.11 Group Keys by
Predicting and Abusing WPA2/802.11 Group KeysPredicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group Keysvanhoefm
3.2K views51 slides
JTAG Interface (Intro) by
JTAG Interface (Intro)JTAG Interface (Intro)
JTAG Interface (Intro)Nitesh Bhatia
3.6K views21 slides
Pin pointpresentation by
Pin pointpresentationPin pointpresentation
Pin pointpresentationLevan Huan
339 views31 slides

What's hot(20)

Boundary Scan Basics - x1149 de Keysight by Interlatin
Boundary Scan Basics - x1149 de KeysightBoundary Scan Basics - x1149 de Keysight
Boundary Scan Basics - x1149 de Keysight
Interlatin1.3K views
Jtag presentation by klinetik
Jtag presentationJtag presentation
Jtag presentation
klinetik9.4K views
Predicting and Abusing WPA2/802.11 Group Keys by vanhoefm
Predicting and Abusing WPA2/802.11 Group KeysPredicting and Abusing WPA2/802.11 Group Keys
Predicting and Abusing WPA2/802.11 Group Keys
vanhoefm3.2K views
JTAG Interface (Intro) by Nitesh Bhatia
JTAG Interface (Intro)JTAG Interface (Intro)
JTAG Interface (Intro)
Nitesh Bhatia3.6K views
Pin pointpresentation by Levan Huan
Pin pointpresentationPin pointpresentation
Pin pointpresentation
Levan Huan339 views
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC by DefconRussia
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC [DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC
DefconRussia1.4K views
Test versus security @ IEEE Concept by kodela3
Test versus security @ IEEE ConceptTest versus security @ IEEE Concept
Test versus security @ IEEE Concept
kodela3303 views
Hacking RF based IoT devices by Erez Metula
Hacking RF based IoT devicesHacking RF based IoT devices
Hacking RF based IoT devices
Erez Metula364 views
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S... by Marina Krotofil
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S..."Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
"Man-in-the-SCADA": Anatomy of Data Integrity Attacks in Industrial Control S...
Marina Krotofil1.4K views
Ferns Presentation by LangLin
Ferns PresentationFerns Presentation
Ferns Presentation
LangLin372 views
IRJET- Design and Characteristics of LIZARD Stream Cipher IP Core by IRJET Journal
IRJET- Design and Characteristics of LIZARD Stream Cipher IP CoreIRJET- Design and Characteristics of LIZARD Stream Cipher IP Core
IRJET- Design and Characteristics of LIZARD Stream Cipher IP Core
IRJET Journal13 views
RFID: EPC protocol by Amjed Majid
RFID: EPC protocolRFID: EPC protocol
RFID: EPC protocol
Amjed Majid267 views
Lowering the bar: deep learning for side-channel analysis by Riscure
Lowering the bar: deep learning for side-channel analysisLowering the bar: deep learning for side-channel analysis
Lowering the bar: deep learning for side-channel analysis
Riscure2.6K views
The Building of Pulsed NQR/NMR Spectrometer by IJECEIAES
The Building of Pulsed NQR/NMR Spectrometer The Building of Pulsed NQR/NMR Spectrometer
The Building of Pulsed NQR/NMR Spectrometer
IJECEIAES23 views
Unit 5_interrupt programming_Part 1 by KanchanPatil34
Unit 5_interrupt programming_Part 1Unit 5_interrupt programming_Part 1
Unit 5_interrupt programming_Part 1
KanchanPatil3468 views

Viewers also liked

シールドブックメーカーなの。使い方 by
シールドブックメーカーなの。使い方シールドブックメーカーなの。使い方
シールドブックメーカーなの。使い方fira_ultramarin
544 views21 slides
Planning powerpoint by
Planning powerpointPlanning powerpoint
Planning powerpointm_thompson66
127 views19 slides
NEHA K NASAR CV by
NEHA K NASAR CVNEHA K NASAR CV
NEHA K NASAR CVNEHA K NASAR
131 views5 slides
AkinAkintayo_CVFeb16-02-Doc by
AkinAkintayo_CVFeb16-02-DocAkinAkintayo_CVFeb16-02-Doc
AkinAkintayo_CVFeb16-02-DocAkin Akintayo
210 views3 slides
Ramon O' Vryan D. Vital by
Ramon O' Vryan D. VitalRamon O' Vryan D. Vital
Ramon O' Vryan D. VitalRamon O' Vryan Vital
156 views2 slides
Программный комплекс видеозаписи судебных заседаний by
Программный комплекс видеозаписи судебных заседанийПрограммный комплекс видеозаписи судебных заседаний
Программный комплекс видеозаписи судебных заседанийКРОК
503 views5 slides

Viewers also liked(16)

シールドブックメーカーなの。使い方 by fira_ultramarin
シールドブックメーカーなの。使い方シールドブックメーカーなの。使い方
シールドブックメーカーなの。使い方
fira_ultramarin544 views
AkinAkintayo_CVFeb16-02-Doc by Akin Akintayo
AkinAkintayo_CVFeb16-02-DocAkinAkintayo_CVFeb16-02-Doc
AkinAkintayo_CVFeb16-02-Doc
Akin Akintayo210 views
Программный комплекс видеозаписи судебных заседаний by КРОК
Программный комплекс видеозаписи судебных заседанийПрограммный комплекс видеозаписи судебных заседаний
Программный комплекс видеозаписи судебных заседаний
КРОК503 views
Targeting Humans by Michael King by Michael King
Targeting Humans by Michael KingTargeting Humans by Michael King
Targeting Humans by Michael King
Michael King11.3K views
Экономим на закупках оборудования by КРОК
Экономим на закупках оборудованияЭкономим на закупках оборудования
Экономим на закупках оборудования
КРОК819 views
Transport Layer (L4) of MIPI Unipro - An Introduction by Arrow Devices
Transport Layer (L4) of MIPI Unipro - An IntroductionTransport Layer (L4) of MIPI Unipro - An Introduction
Transport Layer (L4) of MIPI Unipro - An Introduction
Arrow Devices2.4K views
istiklal marşı ve bayrak by mavi_patikli
istiklal marşı ve bayrakistiklal marşı ve bayrak
istiklal marşı ve bayrak
mavi_patikli695 views
MIPI DevCon 2016: MIPI RFFE - Challenging the WiFi/Bluetooth Status Quo by Un... by MIPI Alliance
MIPI DevCon 2016: MIPI RFFE - Challenging the WiFi/Bluetooth Status Quo by Un...MIPI DevCon 2016: MIPI RFFE - Challenging the WiFi/Bluetooth Status Quo by Un...
MIPI DevCon 2016: MIPI RFFE - Challenging the WiFi/Bluetooth Status Quo by Un...
MIPI Alliance1.2K views
Guinea conakry - country profile (2006) by Sérgio Branco
Guinea conakry - country profile (2006)Guinea conakry - country profile (2006)
Guinea conakry - country profile (2006)
Sérgio Branco667 views

Similar to Design, Implementation and Security Analysis of Hardware Trojan Threats in FPGA

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec... by
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
2.5K views22 slides
xDEFENSE: An Extended DEFENSE for mitigating Next Generation Intrusions by
xDEFENSE: An Extended DEFENSE for mitigating Next Generation IntrusionsxDEFENSE: An Extended DEFENSE for mitigating Next Generation Intrusions
xDEFENSE: An Extended DEFENSE for mitigating Next Generation IntrusionsVivek Venugopalan
186 views1 slide
Internet of things security "Hardware Security" by
Internet of things security "Hardware Security"Internet of things security "Hardware Security"
Internet of things security "Hardware Security"Ahmed Mohamed Mahmoud
2.4K views26 slides
Cyber Resilient Systems Representative Solutions for Trustworthy Systems by
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsCyber Resilient Systems Representative Solutions for Trustworthy Systems
Cyber Resilient Systems Representative Solutions for Trustworthy SystemsAgence du Numérique (AdN)
101 views9 slides
Remote authentication via biometrics1 by
Remote authentication via biometrics1Remote authentication via biometrics1
Remote authentication via biometrics1Omkar Salunke
393 views22 slides
Why is it so hard to make secure chips? by
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Riscure
980 views59 slides

Similar to Design, Implementation and Security Analysis of Hardware Trojan Threats in FPGA(20)

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec... by Kuniyasu Suzaki
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...
Kuniyasu Suzaki2.5K views
xDEFENSE: An Extended DEFENSE for mitigating Next Generation Intrusions by Vivek Venugopalan
xDEFENSE: An Extended DEFENSE for mitigating Next Generation IntrusionsxDEFENSE: An Extended DEFENSE for mitigating Next Generation Intrusions
xDEFENSE: An Extended DEFENSE for mitigating Next Generation Intrusions
Vivek Venugopalan186 views
Remote authentication via biometrics1 by Omkar Salunke
Remote authentication via biometrics1Remote authentication via biometrics1
Remote authentication via biometrics1
Omkar Salunke393 views
Why is it so hard to make secure chips? by Riscure
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?
Riscure980 views
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha by Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
Yogesh Ojha2.3K views
Practical Security Assessments of IoT Devices and Systems by Ollie Whitehouse
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
Ollie Whitehouse3.4K views
Industrial Pioneers Days - Machine Learning by VEDLIoT Project
Industrial Pioneers Days - Machine LearningIndustrial Pioneers Days - Machine Learning
Industrial Pioneers Days - Machine Learning
VEDLIoT Project112 views
Applying Provenance in APT Monitoring and Analysis Practical Challenges for S... by Graeme Jenkinson
Applying Provenance in APT Monitoring and Analysis Practical Challenges for S...Applying Provenance in APT Monitoring and Analysis Practical Challenges for S...
Applying Provenance in APT Monitoring and Analysis Practical Challenges for S...
Graeme Jenkinson111 views
Verification of Security for Untrusted Third Party IP Cores by IRJET Journal
Verification of  Security for Untrusted Third Party IP CoresVerification of  Security for Untrusted Third Party IP Cores
Verification of Security for Untrusted Third Party IP Cores
IRJET Journal33 views
Proactive Approach to OT incident response - HOUSECCON 2023 by Chris Sistrunk
Proactive Approach to OT incident response - HOUSECCON 2023Proactive Approach to OT incident response - HOUSECCON 2023
Proactive Approach to OT incident response - HOUSECCON 2023
Chris Sistrunk840 views
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi... by CODE BLUE
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by  Vi...[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by  Vi...
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...
CODE BLUE79 views
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02 by PacSecJP
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP571 views
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam... by CODE BLUE
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...
CODE BLUE1K views

Recently uploaded

sam_software_eng_cv.pdf by
sam_software_eng_cv.pdfsam_software_eng_cv.pdf
sam_software_eng_cv.pdfsammyigbinovia
9 views5 slides
START Newsletter 3 by
START Newsletter 3START Newsletter 3
START Newsletter 3Start Project
6 views25 slides
SUMIT SQL PROJECT SUPERSTORE 1.pptx by
SUMIT SQL PROJECT SUPERSTORE 1.pptxSUMIT SQL PROJECT SUPERSTORE 1.pptx
SUMIT SQL PROJECT SUPERSTORE 1.pptxSumit Jadhav
22 views26 slides
2023Dec ASU Wang NETR Group Research Focus and Facility Overview.pptx by
2023Dec ASU Wang NETR Group Research Focus and Facility Overview.pptx2023Dec ASU Wang NETR Group Research Focus and Facility Overview.pptx
2023Dec ASU Wang NETR Group Research Focus and Facility Overview.pptxlwang78
165 views19 slides
SPICE PARK DEC2023 (6,625 SPICE Models) by
SPICE PARK DEC2023 (6,625 SPICE Models) SPICE PARK DEC2023 (6,625 SPICE Models)
SPICE PARK DEC2023 (6,625 SPICE Models) Tsuyoshi Horigome
36 views218 slides
_MAKRIADI-FOTEINI_diploma thesis.pptx by
_MAKRIADI-FOTEINI_diploma thesis.pptx_MAKRIADI-FOTEINI_diploma thesis.pptx
_MAKRIADI-FOTEINI_diploma thesis.pptxfotinimakriadi
10 views32 slides

Recently uploaded(20)

SUMIT SQL PROJECT SUPERSTORE 1.pptx by Sumit Jadhav
SUMIT SQL PROJECT SUPERSTORE 1.pptxSUMIT SQL PROJECT SUPERSTORE 1.pptx
SUMIT SQL PROJECT SUPERSTORE 1.pptx
Sumit Jadhav 22 views
2023Dec ASU Wang NETR Group Research Focus and Facility Overview.pptx by lwang78
2023Dec ASU Wang NETR Group Research Focus and Facility Overview.pptx2023Dec ASU Wang NETR Group Research Focus and Facility Overview.pptx
2023Dec ASU Wang NETR Group Research Focus and Facility Overview.pptx
lwang78165 views
_MAKRIADI-FOTEINI_diploma thesis.pptx by fotinimakriadi
_MAKRIADI-FOTEINI_diploma thesis.pptx_MAKRIADI-FOTEINI_diploma thesis.pptx
_MAKRIADI-FOTEINI_diploma thesis.pptx
fotinimakriadi10 views
ASSIGNMENTS ON FUZZY LOGIC IN TRAFFIC FLOW.pdf by AlhamduKure
ASSIGNMENTS ON FUZZY LOGIC IN TRAFFIC FLOW.pdfASSIGNMENTS ON FUZZY LOGIC IN TRAFFIC FLOW.pdf
ASSIGNMENTS ON FUZZY LOGIC IN TRAFFIC FLOW.pdf
AlhamduKure6 views
Design of machine elements-UNIT 3.pptx by gopinathcreddy
Design of machine elements-UNIT 3.pptxDesign of machine elements-UNIT 3.pptx
Design of machine elements-UNIT 3.pptx
gopinathcreddy34 views
Design_Discover_Develop_Campaign.pptx by ShivanshSeth6
Design_Discover_Develop_Campaign.pptxDesign_Discover_Develop_Campaign.pptx
Design_Discover_Develop_Campaign.pptx
ShivanshSeth645 views
Web Dev Session 1.pptx by VedVekhande
Web Dev Session 1.pptxWeb Dev Session 1.pptx
Web Dev Session 1.pptx
VedVekhande13 views
BCIC - Manufacturing Conclave - Technology-Driven Manufacturing for Growth by Innomantra
BCIC - Manufacturing Conclave -  Technology-Driven Manufacturing for GrowthBCIC - Manufacturing Conclave -  Technology-Driven Manufacturing for Growth
BCIC - Manufacturing Conclave - Technology-Driven Manufacturing for Growth
Innomantra 10 views
fakenews_DBDA_Mar23.pptx by deepmitra8
fakenews_DBDA_Mar23.pptxfakenews_DBDA_Mar23.pptx
fakenews_DBDA_Mar23.pptx
deepmitra816 views
MongoDB.pdf by ArthyR3
MongoDB.pdfMongoDB.pdf
MongoDB.pdf
ArthyR349 views
Design of Structures and Foundations for Vibrating Machines, Arya-ONeill-Pinc... by csegroupvn
Design of Structures and Foundations for Vibrating Machines, Arya-ONeill-Pinc...Design of Structures and Foundations for Vibrating Machines, Arya-ONeill-Pinc...
Design of Structures and Foundations for Vibrating Machines, Arya-ONeill-Pinc...
csegroupvn6 views
Ansari: Practical experiences with an LLM-based Islamic Assistant by M Waleed Kadous
Ansari: Practical experiences with an LLM-based Islamic AssistantAnsari: Practical experiences with an LLM-based Islamic Assistant
Ansari: Practical experiences with an LLM-based Islamic Assistant
M Waleed Kadous7 views
GDSC Mikroskil Members Onboarding 2023.pdf by gdscmikroskil
GDSC Mikroskil Members Onboarding 2023.pdfGDSC Mikroskil Members Onboarding 2023.pdf
GDSC Mikroskil Members Onboarding 2023.pdf
gdscmikroskil59 views

Design, Implementation and Security Analysis of Hardware Trojan Threats in FPGA

  • 1. Design, Implementation and Security Analysis of Hardware Trojan Threats in FPGA Devu Manikantan Shila andVivekVenugopal {manikad,venugov}@utrc.utc.com • Hardware Trojan Threats (HTTs) are virus-like stealthy malicious components that can infect the Integrated Circuit (IC). • With the increasing practice of outsourcing design and manufacturing steps, various stages of an IC lifecycle are vulnerable to attacks; ! ! ! ! ! ! ! ! ! ! • Destructive techniques such as de-packaging, reverse engineering and imaging of ICs are very expensive and can be applied to only a selected quantity of ICs. • Non-destructive techniques such as side-channel analysis (aka post-silicon analysis) detect malicious intrusions by vetting the physical characteristics of IC (power consumption, timing variation, temperature, layout structures) with a trusted reference model. Adversary model [1] D. J.Wheeler and R. M. Needham.TEA, a tiny encryption algorithm, 1995. [2] T. Huffmire,et. al,“Moats and drawbridges:An isolation primitive for reconfigurable hardware based systems,” in Security and Privacy, 2007. SP ’07. IEEE Symposium on, May 2007, pp. 281–295. [3]Y.Jin,N.Kupp andY.Makris,“Experiences in Hardware Trojan design and implementation,” in Hardware-Oriented Security andTrust, 2009. HOST ’09. IEEE InternationalWorkshop on, 2009, pp. 50–57 [4] S.Wei, K. Li, F. Koushanfar, and M. Potkonjak,“Hardware trojan horse benchmark via optimal creation and placement of malicious circuitry,” in Design Automation Conference (DAC), 2012 49th ACM/IEEE, 2012. Implementation and Results • Our results manifest that using power, timing or utilization, only a maximum of 57% of designed HTTs were detected. •We proposed a novel metric called HTT detectability metric (HDM) that uses a weighted combination of various physical parameters. •The detection rate of HTTs increased to 86% with HDM. We also determine the optimal HTT detection threshold that minimizes the summation of false alarm and missed detection probabilities. •We found that the remaining 14% HTTs can be detected by monitoring IP access activities. Introduction Insights and Conclusion References • Propose a novel metric for hardware Trojan detection, termed as HTT detectability metric (HDM) that leverages a weighted combination of normalized physical parameters; carry out analytical studies to derive the optimal detection threshold that minimizes the summation of false alarm and missed detection probabilities. • Design and implement three hardware Trojans at the design level in FPGA Root of Trust (RoT) testbed to defeat the classic trusted hardware model assumptions. DetectionRate(%) 0 25 50 75 100 Power Timing Resource HDM Detection System model Contributions •The attacker model leads to potential attack surfaces that can be exploited to successfully leverage an attack, as shown on a Xilinx Spartan-3AN FPGA development board • The first testbed consists of a cryptosystem using the block cipher based on Feistel Networks, known as the Tiny Encryption Algorithm (TEA). • The second testbed is a classic Root of Trust (RoT) design that consists of a secure memory and a key guard. The authorized module is allowed to access the contents of memory only via a guard module. Denial of Service HTT Man-In-The-Middle HTT for beating the authentication in the system Component Usage Type of Access FX2 Expansion Port, Expansion Headers, USB, Ethernet Leakage/Trigger Physical ADC, DAC Leakage Physical Audio Jack, LEDs, LCD,VGA, RS-232 Leakage Physical/Local External clock Trigger Remote Switches, Push Buttons Trigger Physical/Local Address Logic Address Logic Response Generator Challenge Generator Encryption Response Generator Memory Authorized module Unauthorized module Guard module Guard system testbed TEA Encryption/ Decryption module Always On HTT keys input output LED keys TEA Encryption/ Decryption module Internal Trigger HTT keys input output LED keys sequence detector enable leak TEA Encryption/ Decryption modulekeys input outputLegitimate User input trigger HTT malformed input Address Logic Address Logic Response Generator Challenge Generator Encryption Response Generator Memory Authorized module Unauthorized module Guard module Man-In- The- Middle HTT TEA Encryption/ Decryption module keys input output Denial of Service HTT clock gated clock track event occurrences enable Legitimate User HTT Internal Trigger HTT Always On Trigger HTT •The target Spartan-3AN FPGA platform was analyzed to list the potential leakage points, access points and external triggers an attacker could utilize to design the Trojan. • Several Trojans were designed and implemented in order to compromise both testbeds, ranging from internally activated Trojans to externally activated Trojans. Some HTTs compromised the device by leaking critical information, while others compromised by performing a denial of service attack. • With optimization, prior to and after the Trojan being inserted, the footprint on the device was reduced, which helped the power, timing and utilization profiles match more closely that of the trusted system. HDM = mp i=1 Wi Oi Ai DetectionRate(%) 0 25 50 75 100 Threshold 1 2 3 3.1 3.2 3.3 3.6 4 5 Detection 0 25 50 75 100 Threshold 1 3.1 3.2 3.3 3.6 4 5 PFA+PMD optimal detection threshold • HTT detectability metric (HDM) uses a weighted combination of normalized physical parameters, Specification Design Synthesis Production First Ship • Malicious IP blocks (RTL) • 3rd party tools and models • Rogue designer •Add-on scripts • IP cloning • Modification of bitstream • Steal and reverse engineer FPGA design cycle with initial entry points