ATTRITION: Attacking Static Hardware Trojan Detection Techniques Using Reinforcement Learning

Stealthy hardware Trojans (HTs) inserted during the fabrication of integrated circuits can bypass the security of critical infrastructures. Although researchers have proposed many techniques to detect HTs, several critical limitations exist, including: (i) a low success rate of HT detection, (ii) high algorithmic complexity, and (iii) a large number of test patterns. Furthermore, as we show in this work the most pertinent drawback of prior (including state-of-the-art) detection techniques stems from an incorrect evaluation methodology, i.e., they assume that an adversary inserts HTs randomly. Such inappropriate adversarial assumptions enable detection techniques to claim high HT detection accuracy, leading to a "false sense of security." To the best of our knowledge, despite more than a decade of research on detecting HTs inserted during fabrication, there have been no concerted efforts to perform a systematic evaluation of HT detection techniques. In this paper, we play the role of a realistic adversary and question the efficacy of HT detection techniques by developing an automated, scalable, and practical attack framework, ATTRITION, using reinforcement learning (RL). ATTRITION evades eight detection techniques (published in premier security venues, well-cited in academia, etc.) across two HT detection categories, showcasing its agnostic behavior. ATTRITION achieves average attack success rates of 47x and 211x compared to randomly inserted HTs against state-of-the-art logic testing and side channel techniques. To demonstrate ATTRITION's ability in evading detection techniques, we evaluate different designs ranging from the widely-used academic suites (ISCAS-85, ISCAS-89) to larger designs such as the open-source MIPS and mor1kx processors to AES and a GPS module. Additionally, we showcase the impact of ATTRITION generated HTs through two case studies (privilege escalation and kill switch) on mor1kx processor. We envision that our work, along with our released HT benchmarks and models fosters the development of better HT detection techniques.

[1]  J. Rajendran,et al.  DETERRENT: detecting trojans using reinforcement learning , 2022, DAC.

[2]  O. Sinanoglu,et al.  Benchmarking Security Closure of Physical Layouts: ISPD 2022 Contest , 2022, ISPD.

[3]  Abdel-Hameed A. Badawy,et al.  Hardware Trojan Insertion Using Reinforcement Learning , 2022, ACM Great Lakes Symposium on VLSI.

[4]  Xiapu Luo,et al.  Structural Attack against Graph Based Android Malware Detection , 2021, CCS.

[5]  Prabhat Mishra,et al.  Scalable Activation of Rare Triggers in Hardware Trojans by Repeated Maximal Clique Sampling , 2021, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[6]  Kang G. Shin,et al.  Bomberman: Defining and Defeating Hardware Ticking Timebombs at Design-time , 2021, 2021 IEEE Symposium on Security and Privacy (SP).

[7]  Prabhat Mishra,et al.  Automated Test Generation for Hardware Trojan Detection using Reinforcement Learning , 2021, 2021 26th Asia and South Pacific Design Automation Conference (ASP-DAC).

[8]  P. Mishra,et al.  MaxSense , 2021 .

[9]  Lan Zhang,et al.  Semantics-Preserving Reinforcement Learning Attack Against Graph Neural Networks for Malware Detection , 2020, IEEE Transactions on Dependable and Secure Computing.

[10]  Hong Zhao,et al.  Applying Chaos Theory for Runtime Hardware Trojan Monitoring and Detection , 2020, IEEE Transactions on Dependable and Secure Computing.

[11]  Kang G. Shin,et al.  ICAS: an Extensible Framework for Estimating the Susceptibility of IC Layouts to Additive Trojans , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[12]  Prabhat Mishra,et al.  Automated Trigger Activation by Repeated Maximal Clique Sampling , 2020, 2020 25th Asia and South Pacific Design Automation Conference (ASP-DAC).

[13]  Máire O'Neill,et al.  An Improved Automatic Hardware Trojan Generation Platform , 2019, 2019 IEEE Computer Society Annual Symposium on VLSI (ISVLSI).

[14]  Vijay Janapa Reddi,et al.  Deep Reinforcement Learning for Cyber Security , 2019, IEEE Transactions on Neural Networks and Learning Systems.

[15]  Liang Xiao,et al.  IoT Security Techniques Based on Machine Learning: How Do IoT Devices Use AI to Enhance Security? , 2018, IEEE Signal Processing Magazine.

[16]  Swarup Bhunia,et al.  An automated configurable Trojan insertion framework for dynamic trust benchmarks , 2018, 2018 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[17]  Rishabh Singh,et al.  Deep Reinforcement Fuzzing , 2018, 2018 IEEE Security and Privacy Workshops (SPW).

[18]  Jeyavijayan Rajendran,et al.  Provably-Secure Logic Locking: From Theory To Practice , 2017, CCS.

[19]  Yiqiang Zhao,et al.  Hardware Trojan Detection Through Chip-Free Electromagnetic Side-Channel Statistical Analysis , 2017, IEEE Transactions on Very Large Scale Integration (VLSI) Systems.

[20]  Alec Radford,et al.  Proximal Policy Optimization Algorithms , 2017, ArXiv.

[21]  H. Salmani,et al.  Benchmarking of Hardware Trojans and Maliciously Affected Circuits , 2017, J. Hardw. Syst. Secur..

[22]  Swarup Bhunia,et al.  MERS: Statistical Test Generation for Side-Channel Analysis based Trojan Detection , 2016, CCS.

[23]  Dennis Sylvester,et al.  A2: Analog Malicious Hardware , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[24]  Debdeep Mukhopadhyay,et al.  Improved Test Pattern Generation for Hardware Trojan Detection Using Genetic Algorithm and Boolean Satisfiability , 2015, CHES.

[25]  Chip-Hong Chang,et al.  A Cluster-Based Distributed Active Current Sensing Circuit for Hardware Trojan Detection , 2014, IEEE Transactions on Information Forensics and Security.

[26]  Jie Zhang,et al.  DeTrust: Defeating Hardware Trust Verification with Stealthy Implicitly-Triggered Hardware Trojans , 2014, CCS.

[27]  Ramesh Karri,et al.  A Primer on Hardware Security: Models, Methods, and Metrics , 2014, Proceedings of the IEEE.

[28]  Michael S. Hsiao,et al.  Hardware Trojan Attacks: Threat Analysis and Countermeasures , 2014, Proceedings of the IEEE.

[29]  Ronald P. Cocchi,et al.  Circuit camouflage integration for hardware IP protection , 2014, 2014 51st ACM/EDAC/IEEE Design Automation Conference (DAC).

[30]  Mark Mohammad Tehranipoor,et al.  On design vulnerability analysis and trust benchmarks development , 2013, 2013 IEEE 31st International Conference on Computer Design (ICCD).

[31]  Simha Sethumadhavan,et al.  FANCI: identification of stealthy malicious logic using boolean functional analysis , 2013, CCS.

[32]  Ankur Srivastava,et al.  Temperature tracking: An innovative run-time approach for hardware Trojan detection , 2013, 2013 IEEE/ACM International Conference on Computer-Aided Design (ICCAD).

[33]  Christof Paar,et al.  Stealthy dopant-level hardware Trojans: extended version , 2013, Journal of Cryptographic Engineering.

[34]  Siddharth Garg,et al.  Securing Computer Hardware Using 3D Integrated Circuit (IC) Technology and Split Manufacturing for Obfuscation , 2013, USENIX Security Symposium.

[35]  Jie Zhang,et al.  VeriTrust: Verification for hardware trust , 2013, 2013 50th ACM/EDAC/IEEE Design Automation Conference (DAC).

[36]  Rajesh K. Gupta,et al.  Accurate Characterization of the Variability in Power Consumption in Modern Mobile Processors , 2012, HotPower.

[37]  Sergei Skorobogatov,et al.  Breakthrough Silicon Scanning Discovers Backdoor in Military Chip , 2012, CHES.

[38]  Miodrag Potkonjak,et al.  This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination. IEEE TRANSACTIONS ON VERY LARGE SCALE INTEGRATION (VLSI) SYSTEMS 1 Scalable Hardware Trojan Diagnosis , 2022 .

[39]  Mark Mohammad Tehranipoor,et al.  Layout-Aware Switching Activity Localization to Enhance Hardware Trojan Detection , 2012, IEEE Transactions on Information Forensics and Security.

[40]  Swarup Bhunia,et al.  TeSR: A robust Temporal Self-Referencing approach for Hardware Trojan detection , 2011, 2011 IEEE International Symposium on Hardware-Oriented Security and Trust.

[41]  David A. Wagner,et al.  Defeating UCI: Building Stealthy and Malicious Hardware , 2011, 2011 IEEE Symposium on Security and Privacy.

[42]  Joseph Zambreno,et al.  A case study in hardware Trojan design and implementation , 2011, International Journal of Information Security.

[43]  Swarup Bhunia,et al.  Self-referencing: A Scalable Side-Channel Approach for Hardware Trojan Detection , 2010, CHES.

[44]  Milo M. K. Martin,et al.  Overcoming an Untrusted Computing Base: Detecting and Removing Malicious Hardware Automatically , 2010, 2010 IEEE Symposium on Security and Privacy.

[45]  Christos A. Papachristou,et al.  MERO: A Statistical Approach for Hardware Trojan Detection , 2009, CHES.

[46]  Tim Güneysu,et al.  Trojan Side-Channels: Lightweight Hardware Trojans through Side-Channel Engineering , 2009, CHES.

[47]  David Evans,et al.  Reverse-Engineering a Cryptographic RFID Tag , 2008, USENIX Security Symposium.

[48]  Jie Li,et al.  At-speed delay characterization for IC authentication and Trojan Horse detection , 2008, 2008 IEEE International Workshop on Hardware-Oriented Security and Trust.

[49]  Michael S. Hsiao,et al.  A region based approach for the identification of hardware Trojans , 2008, 2008 IEEE International Workshop on Hardware-Oriented Security and Trust.

[50]  Yiorgos Makris,et al.  Hardware Trojan detection using path delay fingerprint , 2008, 2008 IEEE International Workshop on Hardware-Oriented Security and Trust.

[51]  Sally Adee,et al.  The Hunt For The Kill Switch , 2008, IEEE Spectrum.

[52]  Farinaz Koushanfar,et al.  Active Hardware Metering for Intellectual Property Protection and Security , 2007, USENIX Security Symposium.

[53]  Berk Sunar,et al.  Trojan Detection using IC Fingerprinting , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[54]  Jing Yang,et al.  Reinforcement Learning Enabled Intelligent Energy Attack in Green IoT Networks , 2022, IEEE Transactions on Information Forensics and Security.

[55]  P. Mishra,et al.  MaxSense: Side-channel Sensitivity Maximization for Trojan Detection Using Statistical Test Patterns , 2021, ACM Trans. Design Autom. Electr. Syst..

[56]  Nada Golmie,et al.  On deep reinforcement learning security for Industrial Internet of Things , 2021, Comput. Commun..

[57]  Srikanth V. Krishnamurthy,et al.  SyzVegas: Beating Kernel Fuzzing Odds with Reinforcement Learning , 2021, USENIX Security Symposium.

[58]  Marco Wiering,et al.  Adversarial Reinforcement Learning in a Cyber Security Simulation , 2017, ICAART.

[59]  Siddharth Garg,et al.  Integrated Circuit (IC) Decamouflaging: Reverse Engineering Camouflaged ICs within Minutes , 2015, NDSS.

[60]  Richard S. Sutton,et al.  Reinforcement Learning: An Introduction , 1998, IEEE Trans. Neural Networks.

[61]  Linda M. Wills,et al.  Reverse Engineering , 1996, Springer US.