Proceedings ArticleDOI

At-speed delay characterization for IC authentication and Trojan Horse detection

09 Jun 2008, pp. 8-14
TL;DR: This paper discusses how a technique for precisely measuring the combinational delay of an arbitrarily large number of register-to-register paths internal to the functional portion of the IC can be used to provide the desired authentication and design alteration detection.
Abstract: New attacker scenarios involving integrated circuits (ICs) are emerging that pose a tremendous threat to national security. Concerns about overseas fabrication facilities and the protection of deployed ICs have given rise to methods for IC authentication (ensuring that an IC being used in a system has not been altered, replaced, or spoofed) and hardware Trojan Horse (HTH) detection (ensuring that an IC fabricated in a nonsecure facility contains the desired functionality and nothing more), but significant additional work is required to quell these threats. This paper discusses how a technique for precisely measuring the combinational delay of an arbitrarily large number of register-to-register paths internal to the functional portion of the IC can be used to provide the desired authentication and design alteration (including HTH implantation) detection. This low-cost delay measurement technique does not affect the main IC functionality and can be performed at-speed at both test-time and run-time.
Citations
Journal ArticleDOI
TL;DR: A classification of hardware Trojans and a survey of published techniques for Trojan detection are presented.
Abstract: Editor's note: Today's integrated circuits are vulnerable to hardware Trojans, which are malicious alterations to the circuit, either during design or fabrication. This article presents a classification of hardware Trojans and a survey of published techniques for Trojan detection.

1,227 citations


Cites background or methods from "At-speed delay characterization for..."

  • ...Li and Lach proposed a delay-based physical unclonable function (PUF) for hardware Trojan detection.(16) This method uses a sweeping-clock-delay measurement technique to measure selected register-to-register path delays....

    [...]

  • ...For example, any change in the circuit physical layout or from moving components in the circuit would potentially change the circuit parasitics parameters and could be detected by on-chip structures.(10,16) PUFs represent one such structure....

    [...]

Proceedings ArticleDOI
20 Nov 2009
TL;DR: The threat posed by hardware Trojans and the methods of deterring them are analyzed, and a Trojan taxonomy, models of Trojan operations, and a review of the state-of-the-art Trojan prevention and detection techniques are presented.
Abstract: Malicious modification of hardware during design or fabrication has emerged as a major security concern. Such tampering (also referred to as Hardware Trojan) causes an integrated circuit (IC) to have altered functional behavior, potentially with disastrous consequences in safety-critical applications. Conventional design-time verification and post-manufacturing testing cannot be readily extended to detect hardware Trojans due to their stealthy nature, inordinately large number of possible instances and large variety in structure and operating mode. In this paper, we analyze the threat posed by hardware Trojans and the methods of deterring them. We present a Trojan taxonomy, models of Trojan operations and a review of the state-of-the-art Trojan prevention and detection techniques. Next, we discuss the major challenges associated with this security concern and future research needs to address them.

398 citations


Cites background from "At-speed delay characterization for..."

  • ...The trigger mechanism can also be hybrid, where the counts of both a synchronous and an asynchronous counter simultaneously determine the Trojan trigger condition, as shown in Fig....

    [...]

  • ...In general, it is more challenging to detect sequential Trojans using conventional test generation and application, because it requires satisfying a sequence of rare conditions at internal circuit nodes to activate them....

    [...]

Proceedings ArticleDOI
04 Nov 2013
TL;DR: FANCI is a tool that uses scalable, approximate Boolean functional analysis to flag suspicious wires in a design that have the potential to be malicious.
Abstract: Hardware design today bears similarities to software design. Often vendors buy and integrate code acquired from third-party organizations into their designs, especially in embedded/system-on-chip designs. Currently, there is no way to determine if third-party designs have built-in backdoors that can compromise security after deployment. The key observation we use to approach this problem is that hardware backdoors incorporate logic that is nearly-unused, i.e. stealthy. The wires used in stealthy backdoor circuits almost never influence the outputs of those circuits. Typically, they do so only when triggered using external inputs from an attacker. In this paper, we present FANCI, a tool that flags suspicious wires, in a design, which have the potential to be malicious. FANCI uses scalable, approximate, boolean functional analysis to detect these wires. Our examination of the TrustHub hardware backdoor benchmark suite shows that FANCI is able to flag all suspicious paths in the benchmarks that are associated with backdoors. Unlike prior work in the area, FANCI is not hindered by incomplete test suite coverage and thus is able to operate in practice without false negatives. Furthermore, FANCI reports low false positive rates: less than 1% of wires are reported as suspicious in most cases. All TrustHub designs were analyzed in a day or less. We also analyze a backdoor-free out-of-order microprocessor core to demonstrate applicability beyond benchmarks.

329 citations

Journal ArticleDOI
TL;DR: This article examines the research on hardware Trojans from the last decade, attempts to capture the lessons learned, identifies the most critical lessons for those new to the field, and suggests a roadmap for future hardware Trojan research.
Abstract: Given the increasing complexity of modern electronics and the cost of fabrication, entities from around the globe have become more heavily involved in all phases of the electronics supply chain. In this environment, hardware Trojans (i.e., malicious modifications or inclusions made by untrusted third parties) pose major security concerns, especially for those integrated circuits (ICs) and systems used in critical applications and cyber infrastructure. While hardware Trojans have been explored significantly in academia over the last decade, there remains room for improvement. In this article, we examine the research on hardware Trojans from the last decade and attempt to capture the lessons learned. A comprehensive adversarial model taxonomy is introduced and used to examine the current state of the art. Then the past countermeasures and publication trends are categorized based on the adversarial model and topic. Through this analysis, we identify what has been covered and the important problems that are underinvestigated. We also identify the most critical lessons for those new to the field and suggest a roadmap for future hardware Trojan research.

315 citations


Cites background from "At-speed delay characterization for..."

  • ...Ring oscillator (RO) structures [Rajendran et al. 2011], shadow registers [Li and Lach 2008], and delay elements [Ramdas et al. 2014] on a set of selected short paths are inserted for path delay measurements....

    [...]

Book ChapterDOI
20 Aug 2013
TL;DR: An extremely stealthy approach for implementing hardware Trojans below the gate level is proposed, and their detectability and their impact on the security of the target device are evaluated.
Abstract: In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical-infrastructure applications, could be maliciously manipulated during the manufacturing process, which often takes place abroad. However, since there have been no reported hardware Trojans in practice yet, little is known about how such a Trojan would look like, and how difficult it would be in practice to implement one. In this paper we propose an extremely stealthy approach for implementing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against "golden chips". We demonstrate the effectiveness of our approach by inserting Trojans into two designs -- a digital post-processing derived from Intel's cryptographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation -- and by exploring their detectability and their effects on security.

276 citations


Cites methods from "At-speed delay characterization for..."

  • ...The most popular method is using the power side-channel for Trojan detection [1] but other side-channels such as time [11, 25], electro-magnetics (EM) and heat have been proposed as well....

    [...]

References
Proceedings ArticleDOI
04 Jun 2007
TL;DR: This work presents PUF designs that exploit inherent delay characteristics of wires and transistors that differ from chip to chip, and describes how PUFs can enable low-cost authentication of individual ICs and generate volatile secret keys for cryptographic operations.
Abstract: Physical Unclonable Functions (PUFs) are innovative circuit primitives that extract secrets from physical characteristics of integrated circuits (ICs). We present PUF designs that exploit inherent delay characteristics of wires and transistors that differ from chip to chip, and describe how PUFs can enable low-cost authentication of individual ICs and generate volatile secret keys for cryptographic operations.

2,014 citations


"At-speed delay characterization for..." refers to background or methods in this paper

  • ...This is also the basis of much of the work that has been done on PUFs, which are functions that map a set of challenges to responses that are generated from, and hence reflect, the unique physical characteristics of each device [3][4][10]....

    [...]

  • ...A number of PUF designs [4][10] have been implemented to show the feasibility of IC authentication using PUFs, most of which are circuit-delay-based silicon PUF designs....

    [...]

Proceedings Article
01 Jan 2007

1,944 citations

Proceedings ArticleDOI
18 Nov 2002
TL;DR: It is argued that a complex integrated circuit can be viewed as a silicon PUF and a technique to identify and authenticate individual integrated circuits (ICs) is described.
Abstract: We introduce the notion of a Physical Random Function (PUF). We argue that a complex integrated circuit can be viewed as a silicon PUF and describe a technique to identify and authenticate individual integrated circuits (ICs). We describe several possible circuit realizations of different PUFs. These circuits have been implemented in commodity Field Programmable Gate Arrays (FPGAs). We present experiments which indicate that reliable authentication of individual FPGAs can be performed even in the presence of significant environmental variations. We describe how secure smart cards can be built, and also briefly describe how PUFs can be applied to licensing and certification applications.

1,644 citations


"At-speed delay characterization for..." refers to background or methods in this paper

  • ...This is also the basis of much of the work that has been done on PUFs, which are functions that map a set of challenges to responses that are generated from, and hence reflect, the unique physical characteristics of each device [3][4][10]....

    [...]

  • ...A number of PUF designs [4][10] have been implemented to show the feasibility of IC authentication using PUFs, most of which are circuit-delay-based silicon PUF designs....

    [...]

Proceedings ArticleDOI
20 May 2007
TL;DR: These results show that Trojans that are 3-4 orders of magnitude smaller than the main circuit can be detected by signal processing techniques and provide a starting point to address this important problem.
Abstract: Hardware manufacturers are increasingly outsourcing their IC fabrication work overseas due to their much lower cost structure. This poses a significant security risk for ICs used for critical military and business applications. Attackers can exploit this loss of control to substitute Trojan ICs for genuine ones or insert a Trojan circuit into the design or mask used for fabrication. We show that a technique borrowed from side-channel cryptanalysis can be used to mitigate this problem. Our approach uses noise modeling to construct a set of fingerprints for an IC family utilizing side-channel information such as power, temperature, and electromagnetic (EM) profiles. The set of fingerprints can be developed using a few ICs from a batch and only these ICs would have to be invasively tested to ensure that they were all authentic. The remaining ICs are verified using statistical tests against the fingerprints. We describe the theoretical framework and present preliminary experimental results to show that this approach is viable by presenting results obtained by using power simulations performed on representative circuits with several different Trojan circuitry. These results show that Trojans that are 3-4 orders of magnitude smaller than the main circuit can be detected by signal processing techniques. While scaling our technique to detect even smaller Trojans in complex ICs with tens or hundreds of millions of transistors would require certain modifications to the IC design process, our results provide a starting point to address this important problem.

741 citations


"At-speed delay characterization for..." refers to background in this paper

  • ...proposed a side-channel-based approach that extracts non-functional circuit information, including path delays, power consumption, and electromagnetic emanation profiles, that constitutes a “fingerprint” for every individual IC [1]....

    [...]

Journal ArticleDOI
TL;DR: This work presents a DVS approach that uses dynamic detection and correction of circuit timing errors to tune processor supply voltage and eliminate the need for voltage margins.
Abstract: Dynamic voltage scaling is one of the more effective and widely used methods for power-aware computing. We present a DVS approach that uses dynamic detection and correction of circuit timing errors to tune processor supply voltage and eliminate the need for voltage margins.

383 citations