Hardware Trojans in wireless cryptographic ICs: Silicon demonstration & detection method evaluation

We present a silicon implementation of a hardware Trojan, which is capable of leaking the secret key of a wireless cryptographic integrated circuit (IC) consisting of an Advanced Encryption Standard (AES) core and an Ultra-Wide-Band (UWB) transmitter. With its impact carefully hidden in the transmission specification margins allowed for process variations, this hardware Trojan cannot be detected by production testing methods of either the digital or the analog part of the IC and does not violate the transmission protocol or any system-level specifications. Nevertheless, the informed adversary, who knows what to look for in the transmission power waveform, is capable of retrieving the 128-bit AES key, which is leaked with every 128-bit ciphertext block sent by the UWB transmitter. Using silicon measurements from 40 chips fabricated in TSMC's 0.35μm technology, we also assess the effectiveness of a side channel-based statistical analysis method in detecting this hardware Trojan.

[1]  Kaushik Roy,et al.  Multiple-parameter side-channel analysis: A non-invasive hardware Trojan detection approach , 2010, 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).

[2]  Mark Mohammad Tehranipoor,et al.  Power supply signal calibration techniques for improving detection resolution to hardware Trojans , 2008, 2008 IEEE/ACM International Conference on Computer-Aided Design.

[3]  Farinaz Koushanfar,et al.  A Unified Framework for Multimodal Submodular Integrated Circuits Trojan Detection , 2011, IEEE Transactions on Information Forensics and Security.

[4]  Yiorgos Makris,et al.  Hardware Trojans in Wireless Cryptographic ICs , 2010, IEEE Design & Test of Computers.

[5]  Heng Tao Shen,et al.  Principal Component Analysis , 2009, Encyclopedia of Biometrics.

[6]  I. Jolliffe Principal Component Analysis , 2002 .

[7]  Mark Mohammad Tehranipoor,et al.  Sensitivity analysis to hardware Trojans using power supply transient signals , 2008, 2008 IEEE International Workshop on Hardware-Oriented Security and Trust.

[8]  Farinaz Koushanfar,et al.  High-sensitivity hardware Trojan detection using multimodal characterization , 2013, 2013 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[9]  Sally Adee,et al.  The Hunt For The Kill Switch , 2008, IEEE Spectrum.

[10]  James F. Plusquellic,et al.  REBEL and TDC: Two embedded test structures for on-chip measurements of within-die path delay variations , 2011, 2011 IEEE/ACM International Conference on Computer-Aided Design (ICCAD).

[11]  N. Moshtagh MINIMUM VOLUME ENCLOSING ELLIPSOIDS , 2005 .

[12]  Swarup Bhunia,et al.  Self-referencing: A Scalable Side-Channel Approach for Hardware Trojan Detection , 2010, CHES.

[13]  Yiorgos Makris,et al.  Hardware Trojan detection using path delay fingerprint , 2008, 2008 IEEE International Workshop on Hardware-Oriented Security and Trust.

[14]  Berk Sunar,et al.  Trojan Detection using IC Fingerprinting , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[15]  Sherief Reda,et al.  Power Mapping of Integrated Circuits Using AC-Based Thermography , 2013, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[16]  Mark Mohammad Tehranipoor,et al.  Trustworthy Hardware: Identifying and Classifying Hardware Trojans , 2010, Computer.