Upload
priyanka-aash
View
371
Download
3
Tags:
Embed Size (px)
DESCRIPTION
A glimpse into the top security researches in the top global academia - Prof. Indranil Sengupta, IIT Kharagpur
Citation preview
Hardware Trojan: Threats and Hardware Trojan: Threats and Emerging SolutionsEmerging Solutions
Prof. Indranil Sen GuptaProfessor, Dept. of Computer Science and Engg.
IIT Kharagpur
E-mail: [email protected]
TOP 100 CISO AWARDS
OutlineOutline Background
Modern IC design and manufacturing What are Hardware Trojans? Reality or fantasy?
Trojan taxonomy and examples Trojan taxonomy Trojan examples
Trojan detection techniques General features Classification of Trojan detection techniques Challenges Invasive techniques Non-invasive techniques• Logic testing • Side-channel analysis
Multi-level Attack
Summary and future research directions2
3
BackgroundBackground
Modern IC Design and ManufacturingModern IC Design and Manufacturing
4
IP ToolsStd. Cells Models
DesignSpecifications Fab Interface Mask Fab
WaferProbe
Dice and Package
PackageTest
Deploy and
Monitor
Trusted
Either
Untrusted
Wafer
*http://www.darpa.mil/MTO/solicitations/baa07-24/index.html
DARPA’s Model of Hardware Security Threats*
Not really Trusted!!
Offshore
Third-party
Effects of Prevalent PracticesEffects of Prevalent Practices
5
Prevalence of Intellectual Property (IP) based design
Routine use of CAD tools from EDA vendors
Fabless manufacturing model (trend on the rise)
Outsourcing of manufacturing to offshore fabs
Loss of Control over design and manufacture
Potentially untrusted parties getting involved
What are What are Hardware Trojans Hardware Trojans ??
6
Malicious modifications to design Can take place pre or post manufacturing Inserted by intelligent adversary Extremely small hardware overhead Stealthy => difficult to detect Causes IC to malfunction in-field
Results: Potentially disastrous consequences Can affect: • Military installations• Civilian infrastructure (power grid, transportation, etc.)• Communication
Loss of human life and property Billions of dollars in lost property and infrastructure
How Realistic are Hardware Trojans?How Realistic are Hardware Trojans?
7
Do hardware Trojans really exist? No concrete proof obtained yet Tampering masks in fab is not easy (highly complex) Reverse-engineering a single IC can take months Political issues make it difficult to verify authenticity of fabs
But there is strong evidence they do…. Numerous suspected military and commercial cases (as early as
1976!!) Reverse-engineering ICs is widely believed to be performed by
reputed companies (IBM has patents) * Highly sophisticated commercial software tools for reverse-
engineering available (Chipworks, etc.)**, and academic efforts (Cambridge University)
Tampering at design stage is highly feasible
*US Patent #6, 496, 022 B1 by Kash et al**www.chipworks.com
Suspected Hardware TrojansSuspected Hardware Trojans
8
Military Old Trick Threatens the New Weapons” (J. Markoff, NYT, Oct. 2009) “Hardware Trojans could turn microchips into timebombs” (P.
Marks, NS, Jul. 2009) “Towards Countering the Rise of the Silicon Trojan” (DSTO,
Australian Govt., Dec. 2008) “The Hunt for the Kill Switch” (S. Adee, IEEE Spectrum, May 2008) “FBI says military had bogus computer gear” (J. Markoff, NYT, May
2008) “BAA 07-24: TRUST in Integrated Circuits (IC)” (DARPA, Jul. 2007)
Commercial “Cracking Security Codes: Does it Matter?” (C. Tartette, IEEE
Spectrum, Feb. 2010) “PC Giant Warns of Hardware Trojans” (S. Adee, IEEE Spectrum,
May 2008)
9
Trojan Taxonomy and ExamplesTrojan Taxonomy and Examples
Trojan TaxonomyTrojan Taxonomy
10
Banga and Hsiao [HOST’08]
Hardware Trojans
Combinational Sequential
Wang, Tehranipoor and Plusquellic [HOST’08]
Physical attribute
Activation attribute
Action attribute
Wolff et al [DATE’08], Jin and Makris [HOST’08]
Trigger Payload
Trojan Taxonomy (contd.)Trojan Taxonomy (contd.)
11
Trojan
Payload
Synchronous
Asynchronous
Rare Sequences
Digital Analog
On-chip sensors
Digital
Bridging
Delay
Activity
Analog
Trigger
Circuit Nodes
Other
Information Leakage
Memory Content
Denial-of-Service
Hybrid
Combinational Sequential
Rare value
Activity
Taxonomy based on [Chakraborty et al HLDVT’09]
Activation mechanism (trigger) and Malicious effect (payload)
Digital TrojansDigital Trojans
12
Combinational Trojan (simplest, most widely studied)
Sequential (Synchronous )Trojan
(“Time Bomb”)
Sequential (Asynchronous) Trojan
ER ER*
0 1 2 k-1
CLK
Trigger
Payload
ER ER*
0 1 2 k-1
Trigger
Payloadpq
AB Cmodified
C
Trigger
Payload
Hybrid Trojans ER ER*
CLK
CLK
CLK
k2-bit Counter
k1-bit Counter
Analog TrojansAnalog Trojans
13
Analog Trojan (activity-triggered)
Analog payload Trojan
Information Leakage TrojansInformation Leakage Trojans
14
Side-channel Leakage Based
Lin et al [ICCAD’09]
Logic-value Based
15
Trojan Detection TechniquesTrojan Detection Techniques
General FeaturesGeneral Features
16
Most proposed techniques cannot guarantee Trojan detection Can only provide confidence levels Prone to false positives Do not have resolution to pin-point the Trojan location
No “silver-bullet” technique available Most techniques assume particular Trojan models Arbitrarily complex Trojans have not been studied
Most proposed techniques have not been validated experimentally Based on computer simulations Mostly ignores experimental sources of error Many are futuristic (e.g. 3-D IC technology based techniques)
Many have unacceptable design overhead
Approaches of Trojan DetectionApproaches of Trojan Detection
17
Trojan Detection Approaches
Non-destructive
Invasive
Destructive
Preventive
Non-invasive
Test-timeAssistive Run-time
Logic Test
Side-channel
Non-mainstreamMainstream
Why is Trojan Detection Challenging?Why is Trojan Detection Challenging?
18
For logic-testing based methods: Trigger nodes have low controllability, payload nodes have
low observability Trojans are stealthy Extremely large number of possible Trojan instances
• Combinatorial dependence on number of circuit nodes• For the ISCAS-85 c880 circuit with 451 possible nodes, ~1011 possible Trojans !!
Sequential Trojans extremely difficult to detect Finite test length and duration
For side-channel analysis based methods: Modern nanometer processes have large process variation Susceptible to experimental measurement error Difficult to detect very small Trojans Needs a Golden sample …might not be available
For invasive methods: Design overhead
Invasive TechniquesInvasive Techniques
19
Obfuscate the circuit functionality [Chakraborty and Bhunia, ICCAD’09]
Design of stealthy Trojan requires identification of rare nodes This requires estimation of signal probability at internal nodes Can obfuscation be applied to make this task difficult?
Prevent free dead space in an IC [Wang et al, HOST’08]
Trojan insertion requires space Can be overcome using better logic optimization and placement
1. 1. Preventive TechniquesPreventive Techniques
S0O S1
O S2OK1 K2
S0I
S1I
S2I
S0N
S3N
S2N
S1N
K3
Obfuscated Functionality
Original State Space
Initialization state space
Isolation state space
Initialization Key = {K1, K2, K3}
S4N
S5N
S3I
Obfuscation state space
Normal Functionality
Start
Invalid Trojan
Valid Trojan
Modify STG of circuit Normal and obfuscated
modes of operation Initialization key
sequence required to take circuit to normal mode after power-up
Well-hidden circuit modifications
2. 2. Assistive TechniquesAssistive Techniques
20
On-demand Transparency [Chakraborty et al, HOST’08]
Make system operate in a special mode on demand Presence of Trojan possibly disrupts operations in the special mode This changes the expected o/p logic values in the special mode This leads to the detection of an inserted Trojan (probabilistically) Limitation: Cannot guarantee Trojan detection
Non-invasive TechniquesNon-invasive Techniques
21
Hardware Approach (DEFENSE) [Abramovici and Bradley, CSIIR’09]
Reconfigurable framework for run-time functionality monitoring Triggers counter-measures on deviation Does not mention hardware overhead Commercially available design tool to implement the methodology
1. 1. Run-time TechniquesRun-time Techniques
Run-time Techniques (contd.)Run-time Techniques (contd.)
22
Software Approach [McIntyre et al, HOST’09]
Execute identical copies of software on multiple CPUs
Dynamically evaluate individual trust levels (“Trust learning”)
Simulation results show that the system can successfully execute programs in a Trojan-infested environment
Hardware + Software Approach [Bloom et al HOST’09]
“Hardware guard” module outside CPU + enhanced OS
Effectively protects against DoS and privilege escalation attacks
2.2% average performance overhead for SPECint 2006 benchmarks
Run-time Techniques (contd.)Run-time Techniques (contd.)
23
BlueChip [Hicks et al IEEE Symp. Security and Privacy’10]
Pre-fab: Design is analyzed and “Unused Circuit Identification” (UCI) is used to detect unused circuit blocks which are potential Trojans
Such suspicious modules are replaced by exception generation hardware
When activated, the exception generation hardware delivers the exception to the BlueChip software layer
The software emulates the instruction that generated the exception Ensures forward progress of program 5% run-time overhead, 1.5% area overhead. 0.5% power overhead
for a FPGA-based implementation Challenge: Based on verification, hence difficult to have complete
coverage of the behavior of the circuit
2. Test Techniques2. Test Techniques
24
Multiple Excitation of Rare Occurrence (MERO) [Chakraborty et al, CHES’09]
Recap: Complete enumeration of all possible Trojans infeasible Added difficulty of exciting multiple nodes at their rare values MERO aims to
• Enumerate rare nodes in a given netlist
• Excite these potential Trojan trigger nodes multiple times to their rare values individually
• Generate a compact set of set vectors
The technique bypasses the difficulty of directed test generation to trigger Trojans
Limitations: Limited to a class of Trojans Statistical technique => cannot guarantee 100% detection coverage
aa. Logic-testing based. Logic-testing based
Mathematical ModelMathematical Model
25
Method: Apply test vectors that trigger each node to its rare value at
least N times
Assumptions: An inserted Trojan has a small but non-zero probability of being
triggered Trigger nodes are mutually independent Trojan trigger probability is product of trigger probability of all
trigger nodes
Main inferences of analysis: Expected number of times of Trojan getting triggered
proportional to N Trojan triggering probability increases if trigger probability of
individual trigger nodes increases
Design Flow AutomationDesign Flow Automation
26
Input: N, q, θ,# of Trojan inst., # of random
patterns, circuit netlist
Determine rare events on internal nodes
RO-Finder
Select Trojan instances using Random Sampling
Eliminate false TrojansSynospsysTetraMAX
Estimate coverage for random patterns TrojanSim
Generate optimized patterns MERO
Estimate coverage for optimized patterns TrojanSim
END
Coverage for random patterns
Coverage for optimized patterns
Tro
jan
Sel
ecti
on
List of feasible Trojans
Optimized test patterns
C program to find Rare Occurrences
C program for Trojan Simulation
C program for Multiple Excitation of Rare Occurrence testset
generation
Justification
2 (b). Side-channel Analysis based 2 (b). Side-channel Analysis based TechniquesTechniques
27
IC Fingerprinting [Agrawal et al, IEEE Symp. Security and Privacy’07]
A signature (fingerprint) associated with an IC Usually path delay or power trace Usually supplemented by de-noising techniques Vector selection is important Can detect Trojans as small as 0.01% of circuit area in
presence of ±7.5% process variation
Limitations Based only on simulation results Did not conduct actual experiments and measurements Did not consider experimental noise
Current-trace based TechniquesCurrent-trace based Techniques
28
Power-supply Transient based [Rad et al, HOST’08]
Signals from multiple ports for several IC instances are calibrated
Statistical characterization Capable of detecting 50% activated and
30% inactive Trojans
Sustained-vector Technique [Banga and Hsiao, VLSID’09]
Repeat each input vector multiple times Reduce extraneous toggles Magnifies power profile differences
Region-based Trojan detection [Banga and Hsiao, HOST’08]
Partition circuits into smaller regions Generate vectors to excite selected region and minimize
activity of other regions Could detect most Trojans at ±7.5% process variation
Path-delay Based TechniquesPath-delay Based Techniques
29
Path-delay Fingerprint [Jin and Makris, HOST’08]
Multiple paths considered Extensive statistical characterization Capable of detecting Trojans with 0.13% area, under 7.5% process
variation
Gate-level Characterization [Potkonjak et al, DAC’09]
Both path delay and leakage current were considered Problem formulated as a LPP Effective for smaller ISCAS-85 circuits Limitation: Computationally challenging for larger circuits
Trojan infested
Trojan free (“convex hull”)
Multi-level AttackMulti-level Attack
30
Uses nexus between multiple parties Only parties which are part of the nexus can benefit The nexus eases the burden of individual parties More challenging to detect than Trojans considered so far
Multi-level Attack (contd.)Multi-level Attack (contd.)
31
ASIC ExampleFPGA Example
ConclusionsConclusions
32
Modern IC design and manufacturing practices are inherently insecure Third-party IPs and off-shore manufacturing Potentially untrusted parties pay a major role Trend likely to increase
Hardware Trojans are malicious circuit modifications Small overhead, hugely destructive impact Difficult to detect by traditional testing means Great threat to national security
State-of-the-art Both design and test techniques have been proposed Effectiveness of the proposed techniques limited to the particular
types of Trojans Most techniques have not been validated experimentally in-field
Future Research DirectionsFuture Research DirectionsThe main concern is the lack of a generic
technique for Trojan detectionModel-independent Trojan detection ultimate goalTesting approaches:
◦ combination of logic-testing and side-channel approaches hold most promise
Multi-level attacks pose new challengesDesign approach:
◦ Design for Security is the best bet
33
Future Research DirectionsFuture Research Directions
34
Design for Security
Design Techniques Metrics Automation Education
Methodology
Software
Courses
StudyMaterial
Degree of security
Overheads
Circuit
Architecture
System
Security Research at IIT Security Research at IIT KharagpurKharagpurGeneral security
◦Securing policy integration in cloud-based collaboration through selection of trust-worthy provider and permission authorization.
◦Trust based security access control models for MANETs.
◦Formal analysis of security policy implementations in enterprise networks.
◦Digital rights management.35
Cryptography◦Block and stream cipher design◦Lightweight crypto algorithms◦Side-channel attacks◦Physically unclonable functions (PUF)◦Malicious hardware and their
mitigation
36
Thank You for your attention!!Thank You for your attention!!
37