Toward a Comprehensive and Systematic ... - Google Sites

Hardware Trojans – Taxonomy and Detection

Toward a Comprehensive and Systematic Classification of Hardware Trojans Jeyavijayan Rajendran ECE Department Polytechnic Institute of NYU

Cyber Security Club 2011

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection

Outline

Introduction What is a Hardware Trojan? Motivation The Classification of Hardware Trojans Previous Work Contributions and Results The Taxonomy Design Phase Abstraction Level Activation Effects Location

Coverage and Resolution Trojan detection Ring-oscillator based detection What are ring oscillators? NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Introduction What is a Hardware Trojan?

What is a Hardware Trojan?

CRYPTO HARDWARE

TROJAN

A hardware trojan is a malicious and deliberately stealthy modification made to an electronic device such as an IC.

OUTPUT

SELECT

Figure: Simple trojan.

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Motivation The Classification of Hardware Trojans

A Classification is Needed for Mitigation The benefits of categorizing hardware trojans are as follows: I

Enables a systematic study of their characteristics.

I

Detection, mitigation and protection techniques can be developed for each class.

I

Benchmarks can be developed for comparing different detection, mitigation and protection methods for each class.

I

Proactive development of countermeasures for classes that have yet to be observed in the wild.

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Motivation The Classification of Hardware Trojans

Properties of a Taxonomy

A useful taxonomy should meet the following requirements: I

Coverage: The taxonomy should classify all hardware trojans.

I

Resolution: Trojans with significantly different capabilities, or required countermeasures, should be differentiated by the taxonomy.

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Motivation Previous Work

Other Hardware Trojan Taxonomies

I

X. Wang, M. Tehranipoor, et al proposed a taxonomy based on physical, activation, and functional characteristics of a trojan [1, 2].

I

Y. Jin and Y. Makris developed a trojan taxonomy based on their triggering mechanism and leaking mechanism [3].

I

M. Potkonjak, et al proposed that trojans can be classified based on the following properties [4]: damage objectives, components and mechanisms of the attack, insertion phase and mechanism and, triggering mechanism.

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Motivation Previous Work

Limitation of Other Taxonomies.

The previous taxonomies assumed that trojans are inserted only at fabrication phase, but trojans can be inserted at other phases and have different functionalities

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Contributions and Results The Taxonomy

Details of Taxonomy

Hardware trojans can be classified based on five attributes: 1. Phase in the design cycle at which the alteration takes place 2. Hardware abstraction level at which the alteration is made 3. How the trojan is activated 4. General effects 5. Physical location

NYU-Poly CSC 2011


Full Taxonomy Hardware trojans Design Phase

Abstraction Level

Activation

Effects

Location

Specification

System level

Always On

Change function

Processor

Design

Development environment

Triggered

Change specifications

Memory

Fabrication RT level Assembly and Package

Gate level Transistor level

Internally Time Based Physical Cond. Externally User

I/O Leak information Denial of Service

Power Supply Clock

Component Physical level

Figure: Hardware trojan taxonomy based on five different attributes.

NYU-Poly CSC 2011


Design Phase Throughout the development cycle, the design is vulnerable to modifications. I

specification phase – the characteristics of the system are defined I

I

Example: during specification phase, modify the timing requirements.

design phase – functional, logical, timing, and physical constraints are considered as the design is mapped onto the target technology. I

Example: a standard cell library may be infested with trojans.

NYU-Poly CSC 2011


Abstraction Level Trojan circuits can be inserted at various hardware abstraction levels I system level – different hardware modules, interconnections and communication protocols used are defined. I

I

development environment includes synthesis, simulation, verification, and validation tools. I

I

Example: the ASCII values of the inputs from the keyboard can be interchanged.

Example: trojan components in synthesis tool.

register transfer level – each functional module is described in terms of registers, signals, and Boolean functions. I

Example: a trojan implemented at this level might halve the rounds of a cryptographic algorithm. NYU-Poly CSC 2011


Abstraction Level I

gate level – the design is represented as an interconnection of logic gates. I

I

transistors – control over circuit characteristics such as power and timing. I

I

Example: a trojan might be a simple comparator consisting of exclusive-OR gates that monitor the internal signals of the chip.

Example: a transistor with low gate width which can cause more delay in the critical path.

layout level – the dimensions and locations of all circuit components are described. I

Example: changing the width of the metal wires of the clock grids in the chip can cause clock skew. NYU-Poly CSC 2011


Activation Some trojans are designed to be always on; others may remain dormant until triggered. A triggered trojan needs an event – internal or external to be activated. I

internally triggered – trojan is activated by an event that occurs within the target device. I

I

Example: chip temperature crosses 55◦ C, a trojan might be triggered.

externally triggered – The external trigger can be a user input or a component output. I

I

User input – triggers can include push-buttons, switches, keyboards or keywords/phrases in the input data stream. External component – triggers may be from any of the components that interact with the target device. NYU-Poly CSC 2011


Effects Trojans can also be characterized by their undesirable effects. I change of functionality – the target device and can cause subtle errors that may be difficult to detect. I

I

change of specification – intentionally changing device parameters. I

I

Example: cause an error detection module to accept inputs that should be rejected.

Example: a trojan might insert more buffers in the interconnections of the chip and hence consume more power

leak sensitive information – This can occur through both covert and overt channels. I

Example: Information can be leaked by radio frequency, optical, thermal, power and timing side-channels and also via interfaces such as RS-232 and JTAG. NYU-Poly CSC 2011


Effects

I

Denial of service (DoS) – trojans can prevent operation of a function or resource. DoS may be either temporary or permanent. I

Example: a trojan might cause the processor to ignore the interrupt from a specific peripheral.

NYU-Poly CSC 2011


Location A trojan can be inserted in a single component or spread across multiple components. I

Processing units: Trojans might be inserted into the processing units.

I

Memory units: Trojans in the memory blocks and their interface units may be placed under this category.

I

I/O units: Trojans can reside in the peripherals of the chip or within the PCB.

I

Power supply units: Trojans may alter the voltage and current supplied to the chip and cause failure.

I

Clock grids: Trojans in the clock grids change the frequency of the clock and/or insert glitches in the clock. NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Contributions and Results Coverage and Resolution

Trojans Evaluated

I

38 trojans submitted to the 2008 Embedded Systems Challenge

I

18 additional trojans described in previous work.

I

All 56 of the trojans studied are covered by the taxonomy. They occupy 17 classes in the taxonomy.

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Contributions and Results Coverage and Resolution

Potential trojans

Observed trojans

Coverage and Resolution Class � 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29

Trojan class Specification phase– RTL – external component triggered – leak information – in the I/O unit Design phase – RTL – user input triggered – leak information – in the I/O unit Design phase – RTL – user input triggered – change function – in the memory Design phase – RTL – user input triggered – leak information – in the processor Design phase – RTL – user input triggered – permanently deny service – in the processor Design phase – RTL – user input triggered – permanently deny service – in the I/O unit Design phase – RTL – user input triggered – permanently deny service – in the clock grid Design phase – RTL – user input triggered – permanently deny service – in the power supply grid Design phase – RTL – user input triggered – temporarily deny service – in the processor Design phase – RTL – always on – leak information – in the processor Design phase – RTL – always on – leak information –in the I/O unit Design phase – RTL – physical parameter triggered – permanently deny service – in the processor Design phase – RTL – time triggered – temporarily deny service – in the I/O unit Fabrication phase – transistor level – user input triggered – change function –in the processor Fabrication phase – transistor level – always on – change function – in the processor Fabrication phase – transistor level – time triggered – change function – in the processor Fabrication phase – physical level – always on – change function – in the processor Specification phase – system level– user input triggered – change function – in the processor Specification phase – system level – time triggered – temporarily deny service – in the clock grid Design phase – RTL – physical parameter triggered – change function – in the processor Design phase – RTL – physical parameter triggered – permanently deny service – in the memory Design phase – RTL –time triggered –change function –in the I/O unit Design phase – RTL – time triggered – temporarily deny service – in the memory Assembly and package – system level – external component triggered – leak information – in the I/O unit Assembly and package – system level – external component triggered – permanently deny service – in the power supply Fabrication phase – transistor level – time triggered – permanently deny service – in the clock grid Fabrication phase – transistor level – always on – temporarily deny service –in the clock grid Fabrication phase – physical level – always on – temporarily deny service – in the clock grid Fabrication phase – physical level – physical parameter triggered – permanently deny service – in the power supply

� of trojans 1 12 2 2 2 1 1 1 1 4 9 1 1 12 4 1 1 – – – – – – – – – – – –

TABLE I C LASSES OF TROJANS SUBMITTED TO THE 2008 E MBEDDED S YSTEMS C HALLENGE AND TROJANS THAT ARE DESCRIBED IN PRIOR WORK BASED ON THE PROPOSED TAXONOMY ARE LISTED AS OBSERVED . P OTENTIAL CLASSES OF TROJANS HAVE NOT YET BEEN REPORTED . T HESE TROJAN CLASSES ARE EQUALLY IMPORTANT AND SHOULD BE CONSIDERED WHILE DESIGNING COUNTERMEASURES . NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Summary

Summary

I

Classification is the first step in Mitigation.

I

Hardware trojans are a real and growing threat.

I

The CSAW Embedded Systems Challenge provides a unique space to demonstrate novel attacks and defenses.

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Trojan detection

Trojans Detection

Trojans impact area, power, and delay of the hardware Trojans can be detected by monitoring I

Power profile of the chip

I

Delay of different parts of the circuit

NYU-Poly CSC 2011


Power signature-based detection

To detect Trojans using power-signature I

Develop a golden simulation model of the chip

I

Apply input patterns and obtain the power profile

I

Apply the same input patterns on a fabricated chip and obtain its power profile

I

Compare both of them

I

Any vast change means presence of Trojans

NYU-Poly CSC 2011


Power signature-based detection

I

Power can be measured using the power ports

I

The number of power ports on a chip is limited

I

Hence, additional power ports are needed to be inserted

I

Huge overhead

NYU-Poly CSC 2011


Delay-based detection

I

Every circuit element has a finite delay

I

The total circuit delay is summation of individual delay

5

4

7

3

Figure: Total delay is 5+4+7+3 = 19

NYU-Poly CSC 2011


Delay-based detection I I

Inserting Trojans impact delays Trojans change the individual gate delays

5

3

7

4

3 (a)

6

4

7

3

(b)

Figure: a. Total delay is 5+3+4+7+3 = 22 6= 19 b. Total delay is 6+4+7+3 = 20 NYU-Poly CSC 2011


Delay-based detection

I I

Delay measurements can detect Trojans How to measure delay? I

Ring-oscillators

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Ring-oscillator based detection What are ring oscillators?

What are ring oscillators? I

Ring oscillators are odd number of inverting elements connected back-to-back

I

The frequency of oscillator depends on the delay of individual elements

I

Need to apply non-controlling values to the elements

1

0 5

1 4

7

3

Figure: Total delay is 5+4+7+3 = 19. Frequency of oscillation is

1 2×19

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Ring-oscillator based detection What are ring oscillators?

Ring oscillator-based detection I I I

Inserting Trojans impact delays Trojans change the individual gate delays Frequency of ring oscillator changes

1

1

0

5

3

7

4

3 (a)

1

0 6

1 4

7

3

(b)

Figure: a. Freq of oscillation =

1 2×22

b. Freq of oscillation =

1 2×20 NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Ring-oscillator based detection Our method

Our method I

Convert all paths in a design to ring oscillator paths

I

Apply patterns to excite ring oscillators

I1

I1

O1

TrE1 I2 TrE2 I3 TrE3 I4

O2

TrE4 I5

I2

O1

O2

I3 I4 TrE5 I5

Figure: a. Original circuit b. Modified circuit

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Results CSAW 2009

CSAW 2009 I I

Only one ring oscillator was embedded This method was able to defend against/detect 4/5 attacks in CSAW 2009 Xilinx Spartan FPGA board

JTAG

Interpreter

Receive Data

Frequency counter

Trivium

RS232 UART

Transmit Data

Figure: The CSAW 2009 competition circuit with the ring oscillators to detect Trojans NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Results CSAW 2010

CSAW 2010 I

A circuit with this method was the target for the attackers

I

Nearly 200 trojans were employed on this method

I

Detected 160 trojans

Attacks I

Hardcoding attack – hardcoding the frequency

I

This is impossible in a large circuit as there will be many ring oscillators

I

We developed version 2.0 – changing supply voltage to detect hardcoding attacks

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Credentials

Credentials

I

Ramesh Karri

I

Efstratios Gavas

I

Kurt Rosenfeld

I

Ozgur Sinanoglu

I

Vinayaka Jyothi

I

CSAW 2009 team members

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Questions

Thank You!

Questions???

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Appendix References

References I X. Wang, M. Tehranipoor and J. Plusquellic. Detecting malicious. inclusions in secure hardware: Challenges and solutions Proceedings of the IEEE International Workshop on Hardware-Oriented Security and Trust, pp. 15–19, June 2008. M. Tehranipoor and F. Koushanfar. A Survey of Hardware Trojan Taxonomy and Detection IEEE Design and Test of Computers, vol. 27, no. 1, pp. 10–25, Jan-Feb 2010.

NYU-Poly CSC 2011

Hardware Trojans – Taxonomy and Detection Appendix References

References II Y. Jin and Y. Makris. Hardware trojan detection using path delay fingerprint Proceedings of the IEEE International Workshop on Hardware-Oriented Security and Trust, pp. 51–57, June 2008. M. Potkonjak, A. Nahapetian, M. Nelson, and T. Massey. Hardware trojan horse detection using gate-level characterization Proceedings of the Design Automation Conference, pp. 688–693, 2009.

NYU-Poly CSC 2011