Soft-HaT

A hardware Trojan is a malicious modification to an integrated circuit (IC) made by untrusted third-party vendors, fabrication facilities, or rogue designers. Although existing hardware Trojans are designed to be stealthy, they can, in theory, be detected by post-manufacturing and acceptance tests due to their physical connections to IC logic. Manufacturing tests can potentially trigger the Trojan and propagate its payload to an output. Even if the Trojan is not triggered, the physical connections to the IC can enable detection due to additional side-channel activity (e.g., power consumption). In this article, we propose a novel hardware Trojan design, called Soft-HaT, which only becomes physically connected to other IC logic after activation by a software program. Using an electrically programmable fuse (E-fuse), the hardware can be “re-programmed” remotely. We illustrate how Soft-HaT can be used for offensive applications in systems-on-chip. Examples of Soft-HaT attacks are demonstrated on an open-source system-on-chip (OrpSoC) and implemented on a Virtex-7 FPGA to show their efficacy in terms of stealthiness.
