Given the increasing complexity of modern electronics and the cost of fabrication, entities from around the globe have become more heavily involved in all phases of the electronics supply chain. In this environment, hardware Trojans (i.e., malicious modifications or inclusions made by untrusted third parties) pose major security concerns, especially for those integrated circuits (ICs) and systems used in critical applications and cyber infrastructure. While hardware Trojans have been explored significantly in academia over the last decade, there remains room for improvement. In this article, we examine the research on hardware Trojans from the last decade and attempt to capture the lessons learned. A comprehensive adversarial model taxonomy is introduced and used to examine the current state of the art. Then the past countermeasures and publication trends are categorized based on the adversarial model and topic. Through this analysis, we identify what has been covered and the important problems that are underinvestigated. We also identify the most critical lessons for those new to the field and suggest a roadmap for future hardware Trojan research.

https://dl.acm.org/doi/pdf/10.1145/2906147

Hardware Trojans: Lessons Learned after One Decade of Research

IEEE transactions on very large scale integration (VLSI) systems

The computer systems security arms race between attackers and defenders are largely taken place in the domain of software systems, but as hardware complexity and design processes have envolved, novel and potent hardware-based security threats are now possible. This article presents Unused Circuit Identification (UCI), an approach for detecting suspicious circuits during design time, and BlueChip, a hybrid hardware/software approach to detaching suspicious circuits and making up for UCI classifier errors during runtime.

Overcoming an untrusted computing base: detecting and removing malicious hardware automatically

While the move to smaller transistors has been a boon for performance it has dramatically increased the cost to fabricate chips using those smaller transistors. This forces the vast majority of chip design companies to trust a third party -- often overseas -- to fabricate their design. To guard against shipping chips with errors (intentional or otherwise) chip design companies rely on post-fabrication testing. Unfortunately, this type of testing leaves the door open to malicious modifications since attackers can craft attack triggers requiring a sequence of unlikely events, which will never be encountered by even the most diligent tester. In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before effecting a chip's functionality). In the open spaces of an already placed and routed design, we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values. When the capacitors fully charge, they deploy an attack that forces a victim flip-flop to a desired value. We weaponize this attack into a remotely-controllable privilege escalation by attaching the capacitor to a wire controllable and by selecting a victim flip-flop that holds the privilege bit for our processor. We implement this attack in an OR1200 processor and fabricate a chip. Experimental results show that our attacks work, show that our attacks elude activation by a diverse set of benchmarks, and suggest that our attacks evade known defenses.

A2: Analog Malicious Hardware

Research in the field of hardware Trojans has seen significant growth in the past decade. However, standard benchmarks to evaluate hardware Trojans and their detection are lacking. To this end, we have developed a suite of Trojans and ‘trust benchmarks’ (i.e., benchmark circuits with a hardware Trojan inserted in them) that can be used by researchers in the community to compare and contrast various Trojan detection techniques. In this paper, we present a comprehensive vulnerability analysis flow at various levels of abstraction of digital-design, that has been utilized to create these trust benchmarks. Further, we present a detailed evaluation of our benchmarks in terms of metrics such as Trojan detectability, and in the context of different attack models. Finally, we discuss future work such as automatic Trojan insertion into any arbitrary circuit.

Benchmarking of Hardware Trojans and Maliciously Affected Circuits

Due to design and fabrication outsourcing to foundries, the problem of malicious modifications to integrated circuits known as hardware Trojans has attracted attention in academia as well as industry. To reduce the risks associated with Trojans, researchers have proposed different approaches to detect them. Among these approaches, test-time detection approaches have drawn the greatest attention and most approaches assume the existence of a “golden model”. Prior works suggest using reverse-engineering to identify such Trojan-free ICs for the golden model but they did not state how to do this efficiently. In this paper, we propose an innovative and robust reverseengineering approach to identify the Trojan-free ICs. We adapt a well-studied machine learning method, one-class support vector machine, to solve our problem. Simulation results using state-of-the-art tools on several publicly available circuits show that our approach can detect hardware Trojans with high accuracy rate across different modeling and algorithm parameters.

On application of one-class SVM to reverse engineering-based hardware Trojan detection

Due to design and fabrication outsourcing to foundries, the problem of malicious modifications to integrated circuits (ICs), also known as hardware Trojans (HTs), has attracted attention in academia as well as industry. To reduce the risks associated with Trojans, researchers have proposed different approaches to detect them. Among these approaches, test-time detection approaches have drawn the greatest attention. Many test-time approaches assume the existence of a Trojan-free (TF) chip/model also known as “golden model.” Prior works suggest using reverse engineering (RE) to identify such TF ICs for the golden model. However, they did not state how to do this efficiently. In fact, RE is a very costly process which consumes lots of time and intensive manual effort. It is also very error prone. In this paper, we propose an innovative and robust RE scheme to identify the TF ICs. We reformulate the Trojan-detection problem as clustering problem. We then adapt a widely used machine learning method, ${K}$ -means clustering, to solve our problem. Simulation results using state-of-the-art tools on several publicly available circuits show that the proposed approach can detect HTs with high accuracy rate. A comparison of this approach with our previously proposed approach [1] is also conducted. Both the limitations and application scenarios of the two methods are discussed in detail.

On Reverse Engineering-Based Hardware Trojan Detection

The hardware Trojan threat has motivated development of Trojan detection schemes at all stages of the integrated circuit (IC) lifecycle. While the majority of existing schemes focus on ICs at test-time, there are many unique advantages offered by post-deployment/run-time Trojan detection. However, run-time approaches have been underutilized with prior work highlighting the challenges of implementing them with limited hardware resources. In this paper, we propose innovative low-overhead approaches for run-time Trojan detection which exploit the thermal sensors already available in many modern systems to detect deviations in power/thermal profiles caused by Trojan activation. Simulation results using state-of-the-art tools on publicly available Trojan benchmarks verify that our approaches can detect active Trojans quickly and with few false positives.

Temperature tracking: an innovative run-time approach for hardware Trojan detection

The hardware Trojan threat has motivated development of Trojan detection schemes at all stages of the integrated circuit (IC) lifecycle. While the majority of existing schemes focus on ICs at test-time, there are many unique advantages offered by post-deployment/run-time Trojan detection. However, run-time approaches have been underutilized with prior work highlighting the challenges of implementing them with limited hardware resources. In this paper, we propose three innovative low-overhead approaches for run-time Trojan detection which exploit the thermal sensors already available in many modern systems to detect deviations in power/thermal profiles caused by Trojan activation. The first one is a local sensor-based approach that uses information from thermal sensors together with hypothesis testing to make a decision. The second one is a global approach that exploits correlation between sensors and maintains track of the ICs thermal profile using a Kalman filter (KF). The third approach incorporates leakage power into the system dynamic model and apply extended KF (EKF) to track ICs thermal profile. Simulation results using state-of-the-art tools on ten publicly available Trojan benchmarks verify that all three proposed approaches can detect active Trojans quickly and with few false positives. Among three approaches, EKF is flawless in terms of the ten benchmarks tested but would require the most overhead.

Temperature Tracking: Toward Robust Run-Time Detection of Hardware Trojans

Physical limit of transistor miniaturization has driven chip design into the third dimension. 3D integration technology emerges as a viable option to improve chip performance and increase device density in a direction orthogonal to costly device scaling. As 3D integration is becoming a promising technology for next-generation chip design, recent years have seen a huge proliferation of research literature exploiting it from a security perspective. This paper presents a survey on the current state of 3D integration technology from a security perspective and summarizes its security opportunities and challenges. We report current research work on 3D integration based security in three major applications: supply chain attack prevention, side-channel attack mitigation, and trustworthy computing system design. The security advantages and opportunities of 3D integration in these security applications are highlighted. Besides, the paper discusses new vulnerabilities risen by 3D integration that require researchers’ attention. Based on the survey result, we summarize the distinct characteristics of 3D ICs and investigate their impacts on security-aware 3D IC designs.

Chongxi Bao

Papers

On application of one-class SVM to reverse engineering-based hardware Trojan detection

On Reverse Engineering-Based Hardware Trojan Detection

Temperature tracking: an innovative run-time approach for hardware Trojan detection

Temperature Tracking: Toward Robust Run-Time Detection of Hardware Trojans

Security and Vulnerability Implications of 3D ICs