Hardware Trojans – Taxonomy and Detection
Toward a Comprehensive and Systematic Classification of Hardware Trojans
Jeyavijayan Rajendran, ECE Department, Polytechnic Institute of NYU
Cyber Security Club 2011
NYU-Poly CSC 2011
Outline
1. Introduction
   - What is a Hardware Trojan?
2. Motivation
   - The Classification of Hardware Trojans
   - Previous Work
3. Contributions and Results
   - The Taxonomy: Design Phase, Abstraction Level, Activation, Effects, Location
   - Coverage and Resolution
4. Trojan detection
5. Ring-oscillator based detection
   - What are ring oscillators?
What is a Hardware Trojan?
A hardware trojan is a malicious and deliberately stealthy modification made to an electronic device such as an IC.
Figure: Simple trojan (blocks labelled CRYPTO HARDWARE, TROJAN, OUTPUT and SELECT).
A Classification is Needed for Mitigation
The benefits of categorizing hardware trojans are as follows:
- Enables a systematic study of their characteristics.
- Detection, mitigation and protection techniques can be developed for each class.
- Benchmarks can be developed for comparing different detection, mitigation and protection methods for each class.
- Proactive development of countermeasures for classes that have yet to be observed in the wild.
Properties of a Taxonomy
A useful taxonomy should meet the following requirements:
- Coverage: the taxonomy should classify all hardware trojans.
- Resolution: trojans with significantly different capabilities, or required countermeasures, should be differentiated by the taxonomy.
Other Hardware Trojan Taxonomies
- X. Wang, M. Tehranipoor, et al. proposed a taxonomy based on the physical, activation, and functional characteristics of a trojan [1, 2].
- Y. Jin and Y. Makris developed a trojan taxonomy based on the triggering mechanism and the leaking mechanism [3].
- M. Potkonjak, et al. proposed that trojans can be classified based on the following properties [4]: damage objectives, components and mechanisms of the attack, insertion phase and mechanism, and triggering mechanism.
Limitation of Other Taxonomies
The previous taxonomies assumed that trojans are inserted only at the fabrication phase, but trojans can be inserted at other phases and can have different functionalities.
Details of Taxonomy
Hardware trojans can be classified based on five attributes:
1. Phase in the design cycle at which the alteration takes place
2. Hardware abstraction level at which the alteration is made
3. How the trojan is activated
4. General effects
5. Physical location
Full Taxonomy
Hardware trojans are classified along five attributes:
- Design Phase: Specification, Design, Fabrication, Assembly and Package
- Abstraction Level: System level, Development environment, RT level, Gate level, Transistor level, Physical level
- Activation: Always On; Triggered (Internally: Time Based, Physical Cond.; Externally: User, Component)
- Effects: Change function, Change specifications, Leak information, Denial of Service
- Location: Processor, Memory, I/O, Power Supply, Clock
Figure: Hardware trojan taxonomy based on five different attributes.
Design Phase
Throughout the development cycle, the design is vulnerable to modifications.
- specification phase – the characteristics of the system are defined.
  Example: during the specification phase, modify the timing requirements.
- design phase – functional, logical, timing, and physical constraints are considered as the design is mapped onto the target technology.
  Example: a standard cell library may be infested with trojans.
Abstraction Level
Trojan circuits can be inserted at various hardware abstraction levels.
- system level – the different hardware modules, their interconnections and the communication protocols used are defined.
  Example: the ASCII values of the inputs from the keyboard can be interchanged.
- development environment – includes synthesis, simulation, verification, and validation tools.
  Example: trojan components in a synthesis tool.
- register transfer level – each functional module is described in terms of registers, signals, and Boolean functions.
  Example: a trojan implemented at this level might halve the rounds of a cryptographic algorithm.
Abstraction Level
- gate level – the design is represented as an interconnection of logic gates.
  Example: a trojan might be a simple comparator consisting of exclusive-OR gates that monitors the internal signals of the chip.
- transistor level – gives control over circuit characteristics such as power and timing.
  Example: a transistor with a low gate width, which can cause more delay in the critical path.
- layout level – the dimensions and locations of all circuit components are described.
  Example: changing the width of the metal wires of the clock grids in the chip can cause clock skew.
Activation
Some trojans are designed to be always on; others may remain dormant until triggered. A triggered trojan needs an event, internal or external, to be activated.
- internally triggered – the trojan is activated by an event that occurs within the target device.
  Example: when the chip temperature crosses 55 °C, a trojan might be triggered.
- externally triggered – the external trigger can be a user input or a component output.
  - User input – triggers can include push-buttons, switches, keyboards or keywords/phrases in the input data stream.
  - External component – triggers may come from any of the components that interact with the target device.
Effects
Trojans can also be characterized by their undesirable effects.
- change of functionality – changes the function of the target device and can cause subtle errors that may be difficult to detect.
  Example: cause an error detection module to accept inputs that should be rejected.
- change of specification – intentionally changing device parameters.
  Example: a trojan might insert more buffers in the interconnections of the chip and hence consume more power.
- leak sensitive information – this can occur through both covert and overt channels.
  Example: information can be leaked by radio frequency, optical, thermal, power and timing side-channels and also via interfaces such as RS-232 and JTAG.
Effects
- denial of service (DoS) – trojans can prevent operation of a function or resource. DoS may be either temporary or permanent.
  Example: a trojan might cause the processor to ignore the interrupt from a specific peripheral.
Location
A trojan can be inserted in a single component or spread across multiple components.
- Processing units: trojans might be inserted into the processing units.
- Memory units: trojans in the memory blocks and their interface units are placed under this category.
- I/O units: trojans can reside in the peripherals of the chip or within the PCB.
- Power supply units: trojans may alter the voltage and current supplied to the chip and cause failure.
- Clock grids: trojans in the clock grids change the frequency of the clock and/or insert glitches in the clock.
Trojans Evaluated
- 38 trojans submitted to the 2008 Embedded Systems Challenge.
- 18 additional trojans described in previous work.
- All 56 of the trojans studied are covered by the taxonomy. They occupy 17 classes in the taxonomy.
Coverage and Resolution

Class | Trojan class (design phase – abstraction level – activation – effect – location) | # of trojans
Observed trojans
1  | Specification phase – RTL – external component triggered – leak information – in the I/O unit | 1
2  | Design phase – RTL – user input triggered – leak information – in the I/O unit | 12
3  | Design phase – RTL – user input triggered – change function – in the memory | 2
4  | Design phase – RTL – user input triggered – leak information – in the processor | 2
5  | Design phase – RTL – user input triggered – permanently deny service – in the processor | 2
6  | Design phase – RTL – user input triggered – permanently deny service – in the I/O unit | 1
7  | Design phase – RTL – user input triggered – permanently deny service – in the clock grid | 1
8  | Design phase – RTL – user input triggered – permanently deny service – in the power supply grid | 1
9  | Design phase – RTL – user input triggered – temporarily deny service – in the processor | 1
10 | Design phase – RTL – always on – leak information – in the processor | 4
11 | Design phase – RTL – always on – leak information – in the I/O unit | 9
12 | Design phase – RTL – physical parameter triggered – permanently deny service – in the processor | 1
13 | Design phase – RTL – time triggered – temporarily deny service – in the I/O unit | 1
14 | Fabrication phase – transistor level – user input triggered – change function – in the processor | 12
15 | Fabrication phase – transistor level – always on – change function – in the processor | 4
16 | Fabrication phase – transistor level – time triggered – change function – in the processor | 1
17 | Fabrication phase – physical level – always on – change function – in the processor | 1
Potential trojans
18 | Specification phase – system level – user input triggered – change function – in the processor | –
19 | Specification phase – system level – time triggered – temporarily deny service – in the clock grid | –
20 | Design phase – RTL – physical parameter triggered – change function – in the processor | –
21 | Design phase – RTL – physical parameter triggered – permanently deny service – in the memory | –
22 | Design phase – RTL – time triggered – change function – in the I/O unit | –
23 | Design phase – RTL – time triggered – temporarily deny service – in the memory | –
24 | Assembly and package – system level – external component triggered – leak information – in the I/O unit | –
25 | Assembly and package – system level – external component triggered – permanently deny service – in the power supply | –
26 | Fabrication phase – transistor level – time triggered – permanently deny service – in the clock grid | –
27 | Fabrication phase – transistor level – always on – temporarily deny service – in the clock grid | –
28 | Fabrication phase – physical level – always on – temporarily deny service – in the clock grid | –
29 | Fabrication phase – physical level – physical parameter triggered – permanently deny service – in the power supply | –

Table I: Classes of trojans submitted to the 2008 Embedded Systems Challenge and trojans that are described in prior work, based on the proposed taxonomy, are listed as observed. Potential classes of trojans have not yet been reported. These trojan classes are equally important and should be considered while designing countermeasures.
Summary
- Classification is the first step in mitigation.
- Hardware trojans are a real and growing threat.
- The CSAW Embedded Systems Challenge provides a unique space to demonstrate novel attacks and defenses.
Trojan Detection
Trojans impact the area, power, and delay of the hardware. Trojans can be detected by monitoring:
- the power profile of the chip
- the delay of different parts of the circuit
Power signature-based detection
To detect Trojans using a power signature:
- Develop a golden simulation model of the chip.
- Apply input patterns and obtain the power profile.
- Apply the same input patterns to a fabricated chip and obtain its power profile.
- Compare both of them.
- Any large difference means the presence of Trojans.
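The five-step comparison above, worked as an added Python example (not code from the talk or from the NYU-Poly team). Both profiles are constructed: the golden profile stands in for the simulation model's power per input pattern, and the two measured profiles stand in for a clean chip and for a chip with extra logic that draws additional power on one pattern. The threshold, the calibration margin and the function names are assumptions.

```python
"""Power-signature comparison between a golden model and a fabricated chip.

Constructed data, arbitrary units (think mW per input pattern)."""

# Constructed golden (simulated) power per input pattern
GOLDEN_PROFILE = {"0x00": 12.0, "0x0F": 14.5, "0x3C": 15.1, "0xA5": 13.8, "0xFF": 16.2}

# Constructed measurement of a chip that matches the model within normal
# process variation (within about 2% on every pattern)
CLEAN_CHIP = {"0x00": 12.2, "0x0F": 14.3, "0x3C": 15.3, "0xA5": 13.6, "0xFF": 16.4}

# Constructed measurement where extra logic draws additional power whenever
# the pattern 0xA5 is applied: the kind of difference the comparison targets
SUSPECT_CHIP = {"0x00": 12.1, "0x0F": 14.4, "0x3C": 15.2, "0xA5": 19.0, "0xFF": 16.3}


def relative_deviation(golden, measured):
    """Per-pattern relative deviation |measured - golden| / golden."""
    if set(golden) != set(measured):
        raise ValueError("profiles must cover the same input patterns")
    return {p: abs(measured[p] - golden[p]) / golden[p] for p in golden}


def calibrate_threshold(golden, good_chips, margin=2.0):
    """Derive the comparison threshold from known-good chips: the largest
    relative deviation seen on any of them, scaled by a safety margin.
    Setting the threshold below normal process variation flags clean parts."""
    worst = max(max(relative_deviation(golden, chip).values()) for chip in good_chips)
    return worst * margin


def compare_profiles(golden, measured, threshold=0.05):
    """Return ("suspect" | "clean", patterns whose deviation exceeds threshold)."""
    dev = relative_deviation(golden, measured)
    flagged = sorted(p for p, d in dev.items() if d > threshold)
    return ("suspect" if flagged else "clean"), flagged


if __name__ == "__main__":
    thr = calibrate_threshold(GOLDEN_PROFILE, [CLEAN_CHIP])
    print("threshold from known-good chip:", round(thr, 4))
    print("clean chip  :", compare_profiles(GOLDEN_PROFILE, CLEAN_CHIP, thr))
    print("suspect chip:", compare_profiles(GOLDEN_PROFILE, SUSPECT_CHIP, thr))
```

The per-pattern comparison is what makes a triggered trojan visible: a chip that only misbehaves on one pattern still passes on all the others, so averaging the profile into a single number would hide it. Conversely, a trojan whose extra power sits inside the process-variation band is not caught by this check at all, which is why the threshold has to be calibrated on known-good parts rather than guessed.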
Power signature-based detection
- Power can be measured using the power ports.
- The number of power ports on a chip is limited.
- Hence, additional power ports need to be inserted.
- Huge overhead.
Delay-based detection
- Every circuit element has a finite delay.
- The total circuit delay is the summation of the individual delays.
Figure: Total delay is 5+4+7+3 = 19.
Delay-based detection
- Inserting Trojans impacts delays.
- Trojans change the individual gate delays.
Figure: a. Total delay is 5+3+4+7+3 = 22 ≠ 19. b. Total delay is 6+4+7+3 = 20.
Delay-based detection
- Delay measurements can detect Trojans.
- How to measure delay? Ring oscillators.
What are ring oscillators?
- Ring oscillators are an odd number of inverting elements connected back-to-back.
- The frequency of the oscillator depends on the delay of the individual elements.
- Non-controlling values need to be applied to the elements.
Figure: Total delay is 5+4+7+3 = 19. Frequency of oscillation is 1/(2×19).
Ring oscillator-based detection
- Inserting Trojans impacts delays.
- Trojans change the individual gate delays.
- The frequency of the ring oscillator changes.
Figure: a. Frequency of oscillation = 1/(2×22). b. Frequency of oscillation = 1/(2×20).
Our method
- Convert all paths in a design to ring oscillator paths.
- Apply patterns to excite the ring oscillators.
Figure: a. Original circuit (inputs I1–I5, outputs O1, O2). b. Modified circuit, with elements TrE1–TrE5 inserted into the paths.
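The delay-summation, ring-oscillator and path-excitation slides above, worked as one added Python example (not code from the talk or from the NYU-Poly team). It takes the gate delays in the slide figures (5, 4, 7, 3 for the golden path; 5, 3, 4, 7, 3 and 6, 4, 7, 3 for the two Trojan cases), simulates one edge travelling around the ring to recover the period 2×(total delay), derives the non-controlling side-input values needed to excite a path, and flags a measured period that deviates from the golden one. The 2% tolerance, the gate-type table and the function names are assumptions.

```python
"""Delay-based Trojan detection through ring-oscillator period.

Delays are in arbitrary time units, taken from the slide figures."""

GOLDEN_PATH = [5, 4, 7, 3]           # total delay 19
TROJAN_EXTRA_GATE = [5, 3, 4, 7, 3]  # slide case (a): an element inserted, total 22
TROJAN_SLOWER_GATE = [6, 4, 7, 3]    # slide case (b): one gate slowed 5 -> 6, total 20


def path_delay(delays):
    """Total path delay is the sum of the individual element delays."""
    return sum(delays)


def ring_frequency(delays):
    """Oscillation frequency of a ring built from the path: the edge must
    travel around twice to return to the same polarity, so the period is
    2 x (total path delay) and the frequency its reciprocal."""
    return 1.0 / (2 * path_delay(delays))


def simulate_ring_period(delays, rising_edges=2):
    """Event simulation of one transition edge travelling around the ring.
    Assumes the closed loop inverts overall (odd number of inverting
    elements), which is what makes it oscillate. Returns the period seen
    at the output of element 0 (time between consecutive rising edges)."""
    n = len(delays)
    t = 0.0
    node = 0
    level = [0] * n          # current logic level at each element output
    rising = []
    while len(rising) < rising_edges:
        t += delays[node]    # the edge propagates through element `node`
        level[node] ^= 1     # its output toggles
        if node == 0 and level[0] == 1:
            rising.append(t)
        node = (node + 1) % n
    return rising[1] - rising[0]


# Side-input value that lets a transition pass through a gate (assumed table).
NON_CONTROLLING = {"AND": 1, "NAND": 1, "OR": 0, "NOR": 0}


def excitation_pattern(gates_on_path):
    """Side-input values that sensitise the path, one entry per gate.
    XOR/XNOR pass a transition for either side-input value; inverters and
    buffers have no side input; both are reported as None."""
    pattern = []
    for gate in gates_on_path:
        if gate in ("XOR", "XNOR", "INV", "BUF"):
            pattern.append(None)
        else:
            pattern.append(NON_CONTROLLING[gate])
    return pattern


def detect_trojan(golden_delays, measured_period, tolerance=0.02):
    """Compare a measured oscillation period with the golden one.
    Returns (suspect, relative deviation). The tolerance must sit above the
    normal process variation measured on known-good chips."""
    golden_period = 2 * path_delay(golden_delays)
    deviation = abs(measured_period - golden_period) / golden_period
    return deviation > tolerance, deviation


if __name__ == "__main__":
    for name, path in [("golden", GOLDEN_PATH), ("extra gate", TROJAN_EXTRA_GATE),
                       ("slower gate", TROJAN_SLOWER_GATE)]:
        period = simulate_ring_period(path)
        print(f"{name:12s} delay={path_delay(path):2d} period={period:4.0f} "
              f"freq=1/{period:.0f} suspect={detect_trojan(GOLDEN_PATH, period)[0]}")
    print("excitation for AND-OR-XOR-NAND path:", excitation_pattern(["AND", "OR", "XOR", "NAND"]))
```

The simulated periods reproduce the slides' figures: 38 (= 2×19) for the golden path, 44 (= 2×22) for the inserted element and 40 (= 2×20) for the slowed gate. The slowed-gate case is the one to watch in practice: it moves the period by about 5%, which a tolerance set loosely for process variation will not flag, so the tolerance is a trade-off between false alarms on clean chips and missed small delay changes.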
CSAW 2009
- Only one ring oscillator was embedded.
- This method was able to defend against/detect 4 of 5 attacks in CSAW 2009.
Figure: The CSAW 2009 competition circuit (Xilinx Spartan FPGA board: JTAG, interpreter, RS232 UART receive/transmit data, Trivium, frequency counter) with the ring oscillators to detect Trojans.
CSAW 2010
- A circuit with this method was the target for the attackers.
- Nearly 200 trojans were employed against this method.
- 160 trojans were detected.
Attacks
- Hardcoding attack – hardcoding the frequency.
- This is impossible in a large circuit as there will be many ring oscillators.
- We developed version 2.0 – changing the supply voltage to detect hardcoding attacks.
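The supply-voltage check from version 2.0, modelled as an added Python example (not the talk's or the NYU-Poly team's code). A reported frequency that has been replaced by a constant matches the golden value at nominal supply, so a single-point comparison passes it; sweeping the supply voltage exposes it because a real ring's delay moves with Vdd while the constant does not. The delay-versus-voltage relation is a constructed first-order model (delay rises as Vdd falls), the 19-unit golden delay comes from the slides, and the voltages, thresholds and function names are assumptions.

```python
"""Supply-voltage sweep against a hardcoded ring-oscillator frequency report."""

NOMINAL_VDD = 1.0        # constructed nominal supply, volts
GOLDEN_DELAY = 19.0      # golden path delay at nominal Vdd, from the slides
GOLDEN_FREQ = 1.0 / (2 * GOLDEN_DELAY)


def delay_at_vdd(delay_nominal, vdd, sensitivity=0.8):
    """Constructed model: each 1% drop in Vdd adds sensitivity x 1% delay.
    Only the direction (slower at lower Vdd) is relied on, not the numbers."""
    return delay_nominal * (1.0 + sensitivity * (NOMINAL_VDD - vdd) / NOMINAL_VDD)


def genuine_ro_report(vdd):
    """Frequency-counter reading from a real ring oscillator on a clean chip."""
    return 1.0 / (2 * delay_at_vdd(GOLDEN_DELAY, vdd))


def hardcoded_report(vdd):
    """Models the hardcoding attack named in the slides: the counter output
    is replaced by the constant golden value, so it matches at nominal Vdd."""
    return GOLDEN_FREQ


def single_point_check(report, tolerance=0.02):
    """Version-1 style check at nominal Vdd only. True when suspect."""
    deviation = abs(report(NOMINAL_VDD) - GOLDEN_FREQ) / GOLDEN_FREQ
    return deviation > tolerance


def voltage_sweep_check(report, vdds=(0.9, 1.0, 1.1), min_spread=0.02):
    """Version-2 style check: sweep Vdd and require the reported frequency to
    move with it. Returns (suspect, relative spread over the sweep). A real
    ring speeds up at higher Vdd; a constant report has zero spread."""
    freqs = [report(v) for v in vdds]
    spread = (max(freqs) - min(freqs)) / report(NOMINAL_VDD)
    return spread < min_spread, spread


if __name__ == "__main__":
    for name, report in [("genuine", genuine_ro_report), ("hardcoded", hardcoded_report)]:
        suspect, spread = voltage_sweep_check(report)
        print(f"{name:9s} single-point suspect={single_point_check(report)} "
              f"sweep suspect={suspect} spread={spread:.3f}")
```

The sweep check only establishes that the reading tracks the physical ring; it is combined with, not a replacement for, the comparison of each reading against the golden value at that voltage, which is what catches a ring whose delay has actually changed.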
Credentials
- Ramesh Karri
- Efstratios Gavas
- Kurt Rosenfeld
- Ozgur Sinanoglu
- Vinayaka Jyothi
- CSAW 2009 team members
Thank You!
Questions???
References I
[1] X. Wang, M. Tehranipoor and J. Plusquellic. Detecting malicious inclusions in secure hardware: Challenges and solutions. Proceedings of the IEEE International Workshop on Hardware-Oriented Security and Trust, pp. 15–19, June 2008.
[2] M. Tehranipoor and F. Koushanfar. A Survey of Hardware Trojan Taxonomy and Detection. IEEE Design and Test of Computers, vol. 27, no. 1, pp. 10–25, Jan–Feb 2010.
References II
[3] Y. Jin and Y. Makris. Hardware trojan detection using path delay fingerprint. Proceedings of the IEEE International Workshop on Hardware-Oriented Security and Trust, pp. 51–57, June 2008.
[4] M. Potkonjak, A. Nahapetian, M. Nelson, and T. Massey. Hardware trojan horse detection using gate-level characterization. Proceedings of the Design Automation Conference, pp. 688–693, 2009.