ABSTRACT
We present a novel type of Trojan trigger targeted at the field-programmable gate array (FPGA) design flow. Traditional triggers are based on rare events, such as rare values or sequences. While in most cases these trigger circuits are able to hide a Trojan attack, exhaustive functional simulation and testing will reveal the Trojan due to a violation of the specification. Our trigger is functionally and formally equivalent to the hardware description language (HDL) specification throughout the entire FPGA design flow, until the design is written by the place-and-route tool as a bitstream configuration file. From then on, the Trojan payload is always on. We implement the trigger signal using a 4-input lookup table (LUT) with all four inputs connected to the same signal. This lets us directly address only the least significant bit (LSB) and the most significant bit (MSB) of the LUT's 16 configuration bits. With the remaining 14 bits, we realize a "magic" unary operation. This way, we are able to implement 16 different triggers. We demonstrate the attack with a simple example and discuss the effectiveness of the recent detection techniques unused circuit identification (UCI), functional analysis for nearly-unused circuit identification (FANCI), and VeriTrust in revealing our trigger.
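The abstract's core observation is that a 4-input LUT whose four inputs are tied to the same net can only ever address configuration bits 0 (input 0000) and 15 (input 1111), so the 14 bits in between are invisible to simulation and to formal equivalence checking, yet are still written verbatim into the bitstream. The script below is an added example, not code from the paper or from the Yosys/IceStorm flow it uses: it models a LUT4, shows that every INIT value sharing the LSB and MSB is observably identical pre-bitstream (2^14 of them per unary function), and sketches the check a design reviewer could run over a synthesized netlist, flagging LUTs whose inputs share a net and whose INIT has unreachable bits set. The cell-dictionary format, the cell names and the INIT value `0x9ABC` are constructed for illustration; nothing here claims what the paper's 14 "magic" bits encode.

```python
"""Added example (not code from the paper): why a LUT4 with all four inputs
tied to one net hides 14 configuration bits from simulation and formal
equivalence checking, plus a netlist lint that flags such cells.
INIT values and cell names below are constructed for illustration."""
from itertools import product


def lut4_eval(init, i0, i1, i2, i3):
    """A 4-input LUT returns the INIT bit selected by its 4-bit input address."""
    addr = i0 | (i1 << 1) | (i2 << 2) | (i3 << 3)
    return (init >> addr) & 1


def _input_assignments(input_nets):
    """Yield the four LUT input bits for every valuation of the distinct driving nets."""
    nets = sorted(set(input_nets))
    for values in product((0, 1), repeat=len(nets)):
        env = dict(zip(nets, values))
        yield [env[n] for n in input_nets]


def reachable_addresses(input_nets):
    """INIT bit positions the LUT can ever select. Four copies of one net reach
    only 0b0000 (LSB) and 0b1111 (MSB); the other 14 bits are never read."""
    return {b[0] | (b[1] << 1) | (b[2] << 2) | (b[3] << 3)
            for b in _input_assignments(input_nets)}


def truth_table(init, input_nets):
    """The function a simulator or equivalence checker observes for this cell."""
    return tuple(lut4_eval(init, *bits) for bits in _input_assignments(input_nets))


def functionally_equivalent(init_a, init_b, input_nets):
    return truth_table(init_a, input_nets) == truth_table(init_b, input_nets)


def unreachable_mask(input_nets):
    """Mask of INIT bits that no input valuation can address."""
    mask = 0
    for addr in set(range(16)) - reachable_addresses(input_nets):
        mask |= 1 << addr
    return mask


def equivalence_class_size(input_nets):
    """Number of INIT values that are indistinguishable before bitstream generation."""
    return 1 << (16 - len(reachable_addresses(input_nets)))


def canonical_init(init, input_nets):
    """Zero every INIT bit the flow cannot observe; a flow that did this before
    writing the bitstream would erase any pattern hidden in those bits."""
    return init & ~unreachable_mask(input_nets) & 0xFFFF


def lint_lut4(cell):
    """Findings for one LUT4 cell given as {'name', 'init', 'inputs'} (assumed format)."""
    findings = []
    nets = cell["inputs"]
    distinct = len(set(nets))
    if distinct < len(nets):
        findings.append("inputs share nets (%d distinct of %d)" % (distinct, len(nets)))
    hidden = cell["init"] & unreachable_mask(nets)
    if hidden:
        findings.append("INIT has %d unobservable bits set (0x%04x)"
                        % (bin(hidden).count("1"), hidden))
    return findings


def lint_netlist(cells):
    """Map cell name -> findings, for cells with at least one finding."""
    report = {}
    for cell in cells:
        findings = lint_lut4(cell)
        if findings:
            report[cell["name"]] = findings
    return report


# Constructed netlist: a normal 4-input AND, a buffer built from a LUT4 with all
# inputs on net "s" (canonical INIT), and the same buffer with a hypothetical
# pattern in the 14 unreachable bits. The last two are functionally identical.
NETLIST = [
    {"name": "and4",      "init": 0x8000, "inputs": ("a", "b", "c", "d")},
    {"name": "buf_plain", "init": 0x8000, "inputs": ("s", "s", "s", "s")},
    {"name": "buf_magic", "init": 0x9ABC, "inputs": ("s", "s", "s", "s")},
]

if __name__ == "__main__":
    for name, findings in lint_netlist(NETLIST).items():
        print(name, findings)
```

Run stand-alone, the lint reports `buf_plain` (shared nets only) and `buf_magic` (shared nets plus eight unobservable INIT bits set), while `and4` is clean. The shared-net finding alone is noisy, since synthesis legitimately builds buffers and inverters from LUTs this way; the signal worth acting on is a non-zero unreachable mask, which a benign flow has no reason to produce. Feeding real cells into `lint_netlist` (for instance from a parsed Yosys netlist dump) is left as an assumption of this example.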
References
- M. S. Anderson, C. J. G. North, and K. K. Yiu. Towards Countering the Rise of the Silicon Trojan. Tech. rep., Dec. 2008.
- R. S. Chakraborty et al. "Hardware Trojan Insertion by Direct Modification of FPGA Configuration Bitstream". In: IEEE Design & Test 30.2 (2013), pp. 45--54.
- R. Chakraborty, S. Narasimhan, and S. Bhunia. "Hardware Trojan: Threats and emerging solutions". In: IEEE International High Level Design Validation and Test Workshop (HLDVT 2009). 2009, pp. 166--171.
- S. Drimer. Security for volatile FPGAs. Tech. rep., University of Cambridge, 2009.
- M. Hicks et al. "Overcoming an Untrusted Computing Base: Detecting and Removing Malicious Hardware Automatically". In: IEEE Symposium on Security and Privacy (SP 2010). May 2010, pp. 159--172.
- R. Joyce. Disrupting Nation State Hackers. Talk given at the USENIX Enigma conference, Jan. 27, 2016.
- B. Khaleghi et al. "FPGA-Based Protection Scheme against Hardware Trojan Horse Insertion Using Dummy Logic". In: IEEE Embedded Systems Letters 7.2 (2015), pp. 46--50.
- S. T. King et al. "Designing and implementing malicious hardware". In: LEET'08: Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats. San Francisco, CA: USENIX Association, 2008, pp. 1--8.
- C. Krieg, M. Rathmair, and F. Schupfer. "A Process for the Detection of Design-Level Hardware Trojans Using Verification Methods". In: Proceedings of the 11th IEEE International Conference on Embedded Software and Systems (ICESS 2014). Aug. 2014, pp. 741--746.
- C. Peikari and A. Chuvakin. Security Warrior. Ed. by M. Loukides. O'Reilly Media, 2004.
- M. Rathmair, F. Schupfer, and C. Krieg. "Applied formal methods for hardware Trojan detection". In: IEEE International Symposium on Circuits and Systems (ISCAS 2014). 2014, pp. 169--172.
- J. Roy, F. Koushanfar, and I. Markov. "Extended abstract: Circuit CAD tools as a security threat". In: IEEE International Workshop on Hardware-Oriented Security and Trust (HOST 2008). 2008, pp. 65--66.
- C. Seed. Arachne-pnr. URL: https://github.com/cseed/arachne-pnr.
- C. Sturton et al. "Defeating UCI: Building Stealthy and Malicious Hardware". In: IEEE Symposium on Security and Privacy (SP 2011). 2011, pp. 64--77.
- M. Tehranipoor and F. Koushanfar. "A Survey of Hardware Trojan Taxonomy and Detection". In: IEEE Design & Test of Computers 27.1 (2010), pp. 10--25.
- K. Thompson. "Reflections on Trusting Trust". In: Communications of the ACM 27.8 (Aug. 1984), pp. 761--763.
- S. Trimberger. "Trusted Design in FPGAs". In: Proceedings of the 44th ACM/IEEE Design Automation Conference (DAC '07). 2007, pp. 5--8.
- A. Waksman, M. Suozzo, and S. Sethumadhavan. "FANCI: Identification of Stealthy Malicious Logic Using Boolean Functional Analysis". In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS '13). 2013 (author's version).
- C. Wolf. Project IceStorm. URL: http://www.clifford.at/icestorm/.
- C. Wolf. Yosys Open SYnthesis Suite. URL: http://www.clifford.at/yosys/ (visited on 03/10/2016).
- C. Wolf and J. Glaser. "Yosys - A Free Verilog Synthesis Suite". In: Proceedings of the 21st Austrian Workshop on Microelectronics (Austrochip). 2013.
- J. Zhang et al. "VeriTrust: Verification for Hardware Trust". In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 34.7 (2015), pp. 1148--1161.
- J. Zhang, F. Yuan, and Q. Xu. "DeTrust: Defeating Hardware Trust Verification with Stealthy Implicitly-Triggered Hardware Trojans". In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS '14). Scottsdale, AZ: ACM, 2014, pp. 153--166.