ABSTRACT
To highlight a potential threat to hardware security, we propose a methodology to derive a trigger signal from the behavior of Verilog simulation models of field-programmable gate array (FPGA) primitives that behave X-optimistically. We demonstrate our methodology with an example trigger that is implemented using Xilinx 7 Series FPGAs. Experimental results show that it is easily possible to create a trigger signal that is '0' in simulation (pre- and post-synthesis) and '1' in hardware. We show that this kind of trigger is detectable neither by formal equivalence checks nor by recent Trojan detection techniques. As a countermeasure, we propose to carefully reconsider the utilization of X-optimism in FPGA simulation models.