Design, Implementation and Security Analysis of Hardware Trojan Threats in FPGA
![Design, Implementation and Security Analysis of Hardware Trojan
Threats in FPGA
Devu Manikantan Shila andVivekVenugopal {manikad,venugov}@utrc.utc.com
• Hardware Trojan Threats (HTTs) are virus-like stealthy
malicious components that can infect the Integrated
Circuit (IC).
• With the increasing practice of outsourcing design
and manufacturing steps, various stages of an IC
lifecycle are vulnerable to attacks;
!
!
!
!
!
!
!
!
!
!
• Destructive techniques such as de-packaging, reverse
engineering and imaging of ICs are very expensive and
can be applied to only a selected quantity of ICs.
• Non-destructive techniques such as side-channel
analysis (aka post-silicon analysis) detect malicious
intrusions by vetting the physical characteristics of IC
(power consumption, timing variation, temperature,
layout structures) with a trusted reference model.
Adversary model
[1] D. J.Wheeler and R. M. Needham.TEA, a tiny encryption algorithm, 1995.
[2] T. Huffmire,et. al,“Moats and drawbridges:An isolation primitive for reconfigurable hardware based systems,” in Security and Privacy, 2007. SP ’07. IEEE Symposium on, May 2007, pp. 281–295.
[3]Y.Jin,N.Kupp andY.Makris,“Experiences in Hardware Trojan design and implementation,” in Hardware-Oriented Security andTrust, 2009. HOST ’09. IEEE InternationalWorkshop on, 2009, pp. 50–57
[4] S.Wei, K. Li, F. Koushanfar, and M. Potkonjak,“Hardware trojan horse benchmark via optimal creation and placement of malicious circuitry,” in Design Automation Conference (DAC), 2012 49th ACM/IEEE, 2012.
Implementation and Results
• Our results manifest that using power, timing or utilization, only a maximum of
57% of designed HTTs were detected.
•We proposed a novel metric called HTT detectability metric (HDM) that uses a
weighted combination of various physical parameters.
•The detection rate of HTTs increased to 86% with HDM. We also determine the
optimal HTT detection threshold that minimizes the summation of false alarm and
missed detection probabilities.
•We found that the remaining 14% HTTs can be detected by monitoring IP access
activities.
Introduction
Insights and Conclusion
References
• Propose a novel metric for hardware Trojan
detection, termed as HTT detectability metric (HDM)
that leverages a weighted combination of normalized
physical parameters; carry out analytical studies to
derive the optimal detection threshold that minimizes
the summation of false alarm and missed detection
probabilities.
• Design and implement three hardware Trojans at the
design level in FPGA Root of Trust (RoT) testbed to
defeat the classic trusted hardware model assumptions. DetectionRate(%)
0
25
50
75
100
Power Timing Resource HDM
Detection
System model
Contributions
•The attacker model leads to potential attack surfaces that can
be exploited to successfully leverage an attack, as shown on a
Xilinx Spartan-3AN FPGA development board
• The first testbed consists of a cryptosystem
using the block cipher based on Feistel Networks,
known as the Tiny Encryption Algorithm (TEA).
• The second testbed is a classic Root of Trust
(RoT) design that consists of a secure memory
and a key guard. The authorized module is
allowed to access the contents of memory only
via a guard module.
Denial of Service HTT
Man-In-The-Middle HTT for beating
the authentication in the system
Component Usage Type of Access
FX2 Expansion Port, Expansion Headers,
USB, Ethernet
Leakage/Trigger Physical
ADC, DAC Leakage Physical
Audio Jack, LEDs, LCD,VGA, RS-232 Leakage Physical/Local
External clock Trigger Remote
Switches, Push Buttons Trigger Physical/Local
Address
Logic
Address
Logic
Response
Generator
Challenge
Generator
Encryption
Response
Generator
Memory
Authorized module Unauthorized module
Guard module
Guard system testbed
TEA Encryption/
Decryption module
Always On HTT
keys
input output
LED
keys
TEA Encryption/
Decryption module
Internal Trigger HTT
keys
input output
LED
keys
sequence
detector
enable leak
TEA Encryption/
Decryption modulekeys
input outputLegitimate User
input trigger
HTT
malformed
input
Address
Logic
Address
Logic
Response
Generator
Challenge
Generator
Encryption
Response
Generator
Memory
Authorized module Unauthorized module Guard module
Man-In-
The-
Middle
HTT
TEA Encryption/
Decryption module
keys
input
output
Denial of Service
HTT
clock
gated
clock
track event
occurrences
enable
Legitimate User HTT
Internal Trigger HTT
Always On Trigger HTT
•The target Spartan-3AN FPGA platform was analyzed to list the
potential leakage points, access points and external triggers an
attacker could utilize to design the Trojan.
• Several Trojans were designed and implemented in order to
compromise both testbeds, ranging from internally activated
Trojans to externally activated Trojans. Some HTTs compromised
the device by leaking critical information, while others
compromised by performing a denial of service attack.
• With optimization, prior to and after the Trojan being inserted,
the footprint on the device was reduced, which helped the power,
timing and utilization profiles match more closely that of the
trusted system. HDM =
mp
i=1 Wi
Oi
Ai
DetectionRate(%)
0
25
50
75
100
Threshold
1 2 3 3.1 3.2 3.3 3.6 4 5
Detection
0
25
50
75
100
Threshold
1 3.1 3.2 3.3 3.6 4 5
PFA+PMD
optimal detection threshold
• HTT detectability metric (HDM)
uses a weighted combination of
normalized physical parameters,
Specification Design Synthesis Production First Ship
• Malicious IP blocks (RTL)
• 3rd party tools and models
• Rogue designer
•Add-on scripts
• IP cloning
• Modification of bitstream
• Steal and reverse engineer
FPGA design cycle with initial entry points](https://image.slidesharecdn.com/fpga2014posterv3-161214010053/75/design-implementation-and-security-analysis-of-hardware-trojan-threats-in-fpga-1-2048.jpg?cb=1670209379)
Design, Implementation and Security Analysis of Hardware Trojan Threats in FPGA
Hardware Trojan Threats (HTTs) are stealthy components embedded inside integrated circuits (ICs) with an intention to attack and cripple the IC similar to viruses infecting the human body. HTTs are easily introduced into the IC using untrusted tools and unauthenticated intellectual property (IP). Previous efforts have focused essentially on systems being compromised using HTTs and the effectiveness of physical parameters including power consumption, timing variation and utilization for detecting HTTs. Less attention has been devoted to the monitoring of the system to analyze the HTT infection using a combination of affected physical parameters. We propose a novel metric for hardware Trojan detection, termed as HTT detectability metric (HDM) that leverages a weighted combination of normalized physical parameters. As opposed to existing studies, this work investigates a system model from a designer perspective in increasing the security of the device and an adversary model from an attacker perspective exposing and exploiting the vulnerabilities in the device. Based on the models, seven malicious HTTs were designed and implemented on a FPGA testbed to perform a variety of threats ranging from sensitive information leak, denial of service to beat the Root of Trust (RoT). Security analysis on the implemented Trojans clearly showed that existing detection techniques based on physical characteristics such as power consumption, timing variation or utilization does not necessarily capture the existence of HTTs as HTTs can be optimally designed and placed into the hardware that masks within these parameters. Our results showed that using HDM, 86% of the implemented Trojans were detected as opposed to using power, timing and utilization alone.
Recommended
More Related Content
What's hot
What's hot(20)
![[DCG 25] Александр Большев - Never Trust Your Inputs or How To Fool an ADC](https://cdn.slidesharecdn.com/ss_thumbnails/presentationdefconrussia-160406215741-thumbnail.jpg?width=768&fit=bounds)
Viewers also liked
Viewers also liked(16)
Similar to Design, Implementation and Security Analysis of Hardware Trojan Threats in FPGA
Similar to Design, Implementation and Security Analysis of Hardware Trojan Threats in FPGA(20)
![[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...](https://cdn.slidesharecdn.com/ss_thumbnails/cb22redlightinthefactory-230101083812-47cd3ebb-thumbnail.jpg?width=768&fit=bounds)
Recently uploaded
Recently uploaded(20)
Design, Implementation and Security Analysis of Hardware Trojan Threats in FPGA
- 1. Design, Implementation and Security Analysis of Hardware Trojan Threats in FPGA Devu Manikantan Shila andVivekVenugopal {manikad,venugov}@utrc.utc.com • Hardware Trojan Threats (HTTs) are virus-like stealthy malicious components that can infect the Integrated Circuit (IC). • With the increasing practice of outsourcing design and manufacturing steps, various stages of an IC lifecycle are vulnerable to attacks; ! ! ! ! ! ! ! ! ! ! • Destructive techniques such as de-packaging, reverse engineering and imaging of ICs are very expensive and can be applied to only a selected quantity of ICs. • Non-destructive techniques such as side-channel analysis (aka post-silicon analysis) detect malicious intrusions by vetting the physical characteristics of IC (power consumption, timing variation, temperature, layout structures) with a trusted reference model. Adversary model [1] D. J.Wheeler and R. M. Needham.TEA, a tiny encryption algorithm, 1995. [2] T. Huffmire,et. al,“Moats and drawbridges:An isolation primitive for reconfigurable hardware based systems,” in Security and Privacy, 2007. SP ’07. IEEE Symposium on, May 2007, pp. 281–295. [3]Y.Jin,N.Kupp andY.Makris,“Experiences in Hardware Trojan design and implementation,” in Hardware-Oriented Security andTrust, 2009. HOST ’09. IEEE InternationalWorkshop on, 2009, pp. 50–57 [4] S.Wei, K. Li, F. Koushanfar, and M. Potkonjak,“Hardware trojan horse benchmark via optimal creation and placement of malicious circuitry,” in Design Automation Conference (DAC), 2012 49th ACM/IEEE, 2012. Implementation and Results • Our results manifest that using power, timing or utilization, only a maximum of 57% of designed HTTs were detected. •We proposed a novel metric called HTT detectability metric (HDM) that uses a weighted combination of various physical parameters. •The detection rate of HTTs increased to 86% with HDM. We also determine the optimal HTT detection threshold that minimizes the summation of false alarm and missed detection probabilities. •We found that the remaining 14% HTTs can be detected by monitoring IP access activities. Introduction Insights and Conclusion References • Propose a novel metric for hardware Trojan detection, termed as HTT detectability metric (HDM) that leverages a weighted combination of normalized physical parameters; carry out analytical studies to derive the optimal detection threshold that minimizes the summation of false alarm and missed detection probabilities. • Design and implement three hardware Trojans at the design level in FPGA Root of Trust (RoT) testbed to defeat the classic trusted hardware model assumptions. DetectionRate(%) 0 25 50 75 100 Power Timing Resource HDM Detection System model Contributions •The attacker model leads to potential attack surfaces that can be exploited to successfully leverage an attack, as shown on a Xilinx Spartan-3AN FPGA development board • The first testbed consists of a cryptosystem using the block cipher based on Feistel Networks, known as the Tiny Encryption Algorithm (TEA). • The second testbed is a classic Root of Trust (RoT) design that consists of a secure memory and a key guard. The authorized module is allowed to access the contents of memory only via a guard module. Denial of Service HTT Man-In-The-Middle HTT for beating the authentication in the system Component Usage Type of Access FX2 Expansion Port, Expansion Headers, USB, Ethernet Leakage/Trigger Physical ADC, DAC Leakage Physical Audio Jack, LEDs, LCD,VGA, RS-232 Leakage Physical/Local External clock Trigger Remote Switches, Push Buttons Trigger Physical/Local Address Logic Address Logic Response Generator Challenge Generator Encryption Response Generator Memory Authorized module Unauthorized module Guard module Guard system testbed TEA Encryption/ Decryption module Always On HTT keys input output LED keys TEA Encryption/ Decryption module Internal Trigger HTT keys input output LED keys sequence detector enable leak TEA Encryption/ Decryption modulekeys input outputLegitimate User input trigger HTT malformed input Address Logic Address Logic Response Generator Challenge Generator Encryption Response Generator Memory Authorized module Unauthorized module Guard module Man-In- The- Middle HTT TEA Encryption/ Decryption module keys input output Denial of Service HTT clock gated clock track event occurrences enable Legitimate User HTT Internal Trigger HTT Always On Trigger HTT •The target Spartan-3AN FPGA platform was analyzed to list the potential leakage points, access points and external triggers an attacker could utilize to design the Trojan. • Several Trojans were designed and implemented in order to compromise both testbeds, ranging from internally activated Trojans to externally activated Trojans. Some HTTs compromised the device by leaking critical information, while others compromised by performing a denial of service attack. • With optimization, prior to and after the Trojan being inserted, the footprint on the device was reduced, which helped the power, timing and utilization profiles match more closely that of the trusted system. HDM = mp i=1 Wi Oi Ai DetectionRate(%) 0 25 50 75 100 Threshold 1 2 3 3.1 3.2 3.3 3.6 4 5 Detection 0 25 50 75 100 Threshold 1 3.1 3.2 3.3 3.6 4 5 PFA+PMD optimal detection threshold • HTT detectability metric (HDM) uses a weighted combination of normalized physical parameters, Specification Design Synthesis Production First Ship • Malicious IP blocks (RTL) • 3rd party tools and models • Rogue designer •Add-on scripts • IP cloning • Modification of bitstream • Steal and reverse engineer FPGA design cycle with initial entry points