HAL—The Missing Piece of the Puzzle for Hardware Reverse Engineering, Trojan Detection and Insertion

Hardware manipulations pose a serious threat to numerous systems, ranging from a myriad of smart-X devices to military systems. In many attack scenarios an adversary merely has access to the low-level, potentially obfuscated gate-level netlist. In general, the attacker possesses minimal information and faces the costly and time-consuming task of reverse engineering the design to identify security-critical circuitry, followed by the insertion of a meaningful hardware Trojan. These challenges have been considered only in passing by the research community. The contribution of this work is threefold: First, we present $\sf {HAL}$HAL, a comprehensive reverse engineering and manipulation framework for gate-level netlists. $\sf {HAL}$HAL allows automating defensive design analysis (e.g., including arbitrary Trojan detection algorithms with minimal effort) as well as offensive reverse engineering and targeted logic insertion. Second, we present a novel static analysis Trojan detection technique $\sf {ANGEL}$ANGEL which considerably reduces the false-positive detection rate of the detection technique $\sf {FANCI}$FANCI. Furthermore, we demonstrate that $\sf {ANGEL}$ANGEL is capable of automatically detecting Trojans obfuscated with $\sf {DeTrust}$DeTrust. Third, we demonstrate how a malicious party can semi-automatically inject hardware Trojans into third-party designs. We present reverse engineering algorithms to disarm and trick cryptographic self-tests, and subtly leak cryptographic keys without any a priori knowledge of the design's internal workings.

[1]  Ashish Tiwari,et al.  Reverse Engineering Digital Circuits Using Structural and Functional Analyses , 2014, IEEE Transactions on Emerging Topics in Computing.

[2]  Sanjit A. Seshia,et al.  Reverse engineering circuits using behavioral pattern mining , 2012, 2012 IEEE International Symposium on Hardware-Oriented Security and Trust.

[3]  Qiang Wu,et al.  Deriving an NCD file from an FPGA bitstream: Methodology, architecture and evaluation , 2013, Microprocess. Microsystems.

[4]  Dirk Koch,et al.  BITMAN: A tool and API for FPGA bitstream manipulations , 2017, Design, Automation & Test in Europe Conference & Exhibition (DATE), 2017.

[5]  Ashish Tiwari,et al.  Template-based circuit understanding , 2014, 2014 Formal Methods in Computer-Aided Design (FMCAD).

[6]  John P. Hayes,et al.  Unveiling the ISCAS-85 Benchmarks: A Case Study in Reverse Engineering , 1999, IEEE Des. Test Comput..

[7]  Bah-Hwee Gwee,et al.  Extracting functional modules from flattened gate-level netlist , 2012, 2012 International Symposium on Communications and Information Technologies (ISCIT).

[8]  Jie Zhang,et al.  DeTrust: Defeating Hardware Trust Verification with Stealthy Implicitly-Triggered Hardware Trojans , 2014, CCS.

[9]  Omer Khan,et al.  Advancing the State-of-the-Art in Hardware Trojans Detection , 2019, IEEE Transactions on Dependable and Secure Computing.

[10]  Swarup Bhunia,et al.  HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection , 2009, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[11]  Milo M. K. Martin,et al.  Overcoming an Untrusted Computing Base: Detecting and Removing Malicious Hardware Automatically , 2010, 2010 IEEE Symposium on Security and Privacy.

[12]  Simha Sethumadhavan,et al.  FANCI: identification of stealthy malicious logic using boolean functional analysis , 2013, CCS.

[13]  Christof Paar,et al.  Interdiction in practice—Hardware Trojan against a high-security USB flash drive , 2016, Journal of Cryptographic Engineering.

[14]  Farinaz Koushanfar,et al.  Active Hardware Metering for Intellectual Property Protection and Security , 2007, USENIX Security Symposium.

[15]  Christof Paar,et al.  A Design Methodology for Stealthy Parametric Trojans and Its Application to Bug Attacks , 2016, CHES.

[16]  Yuanyuan Zhou,et al.  Designing and Implementing Malicious Hardware , 2008, LEET.

[17]  Swarup Bhunia,et al.  Introduction to Hardware Obfuscation: Motivation, Methods and Evaluation , 2017 .

[18]  Lionel Torres,et al.  Security Trends for FPGAS: From Secured to Secure Reconfigurable Systems , 2011 .

[19]  Jeyavijayan Rajendran,et al.  A red team/blue team assessment of functional analysis methods for malicious circuit identification , 2014, 2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC).

[20]  Shaojie Zhang,et al.  Netlist reverse engineering for high-level functionality reconstruction , 2016, 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC).

[21]  Farinaz Koushanfar,et al.  A Survey of Hardware Trojan Taxonomy and Detection , 2010, IEEE Design & Test of Computers.

[22]  Jean-Baptiste Note,et al.  From the bitstream to the netlist , 2008, FPGA '08.

[23]  Christof Paar,et al.  Physical Security Evaluation of the Bitstream Encryption Mechanism of Altera Stratix II and Stratix III FPGAs , 2015, TRETS.

[24]  Mark Mohammad Tehranipoor,et al.  A Survey on Chip to System Reverse Engineering , 2016, JETC.

[25]  Jie Zhang,et al.  VeriTrust: Verification for hardware trust , 2013, 2013 50th ACM/EDAC/IEEE Design Automation Conference (DAC).

[26]  Stephen M. Trimberger,et al.  FPGA Security: Motivations, Features, and Applications , 2014, Proceedings of the IEEE.

[27]  Tim Güneysu,et al.  Trojan Side-Channels: Lightweight Hardware Trojans through Side-Channel Engineering , 2009, CHES.

[28]  Dennis Sylvester,et al.  A2: Analog Malicious Hardware , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[29]  Christof Paar,et al.  Bitstream Fault Injections (BiFI)–Automated Fault Attacks Against SRAM-Based FPGAs , 2018, IEEE Transactions on Computers.

[30]  Jean-Luc Danger,et al.  Security Trends for FPGAS , 2011 .

[31]  Christof Paar,et al.  A look at the dark side of hardware reverse engineering - a case study , 2017, 2017 IEEE 2nd International Verification and Security Workshop (IVSW).

[32]  Sergei Skorobogatov,et al.  In the blink of an eye: There goes your AES key , 2012, IACR Cryptol. ePrint Arch..

[33]  Bah-Hwee Gwee,et al.  A highly efficient method for extracting FSMs from flattened gate-level netlist , 2010, Proceedings of 2010 IEEE International Symposium on Circuits and Systems.

[34]  Peter M. Athanas,et al.  An Analysis of Implanted Antennas in Xilinx FPGAs , 2011, 2011 International Conference on Reconfigurable Computing and FPGAs.

[35]  Mark Mohammad Tehranipoor,et al.  On design vulnerability analysis and trust benchmarks development , 2013, 2013 IEEE 31st International Conference on Computer Design (ICCD).

[36]  Christof Paar,et al.  Physical Design Obfuscation of Hardware: A Comprehensive Investigation of Device and Logic-Level Techniques , 2019, IEEE Transactions on Information Forensics and Security.

[37]  Sorin A. Huss,et al.  Bil: A tool-chain for bitstream reverse-engineering , 2012, 22nd International Conference on Field Programmable Logic and Applications (FPL).

[38]  Jeyavijayan Rajendran,et al.  Security analysis of integrated circuit camouflaging , 2013, CCS.

[39]  Sedat Akleylek,et al.  Security requirements for cryptographic modules , 2013 .

[40]  Hassan Salmani,et al.  COTD: Reference-Free Hardware Trojan Detection and Recovery Based on Controllability and Observability in Gate-Level Netlist , 2017, IEEE Transactions on Information Forensics and Security.

[41]  Christof Paar,et al.  Stealthy dopant-level hardware Trojans: extended version , 2013, Journal of Cryptographic Engineering.

[42]  Michael S. Hsiao,et al.  Hardware Trojan Attacks: Threat Analysis and Countermeasures , 2014, Proceedings of the IEEE.

[43]  Alessandro Barenghi,et al.  On the vulnerability of FPGA bitstream encryption against power analysis attacks: extracting keys from xilinx Virtex-II FPGAs , 2011, CCS '11.

[44]  Kris Gaj,et al.  ATHENa - Automated Tool for Hardware EvaluatioN: Toward Fair and Comprehensive Benchmarking of Cryptographic Hardware Using FPGAs , 2010, 2010 International Conference on Field Programmable Logic and Applications.

[45]  Ashish Tiwari,et al.  WordRev: Finding word-level structures in a sea of bit-level gates , 2013, 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).

[46]  Sharad Malik,et al.  Reverse engineering digital circuits using functional analysis , 2013, 2013 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[47]  Christof Paar,et al.  Hardware reverse engineering: Overview and open challenges , 2017, 2017 IEEE 2nd International Verification and Security Workshop (IVSW).

[48]  Tim Kerins,et al.  A Cautionary Note on Weak Implementations of Block Ciphers , 2006 .

[49]  Ramesh Karri,et al.  A Primer on Hardware Security: Models, Methods, and Metrics , 2014, Proceedings of the IEEE.

[50]  Travis Meade,et al.  Gate-Level Netlist Reverse Engineering Tool Set for Functionality Recovery and Malicious Logic Detection , 2016 .

[51]  Jeyavijayan Rajendran,et al.  Blue team red team approach to hardware trust assessment , 2011, 2011 IEEE 29th International Conference on Computer Design (ICCD).

[52]  Christof Paar,et al.  FPGA Trojans Through Detecting and Weakening of Cryptographic Primitives , 2015, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[53]  Sharad Malik,et al.  Hardware Trojan detection for gate-level ICs using signal correlation based clustering , 2015, 2015 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[54]  Santiago Sánchez-Solano,et al.  AES T-Box tampering attack , 2015, Journal of Cryptographic Engineering.

[55]  Dick James,et al.  The State-of-the-Art in IC Reverse Engineering , 2009, CHES.