MOLES: Malicious off-chip leakage enabled by side-channels

Economic incentives have driven the semiconductor industry to separate design from fabrication in recent years. This trend leads to potential vulnerabilities from untrusted circuit foundries to covertly implant malicious hardware Trojans into a genuine design. Hardware Trojans provide back doors for on-chip manipulation, or leak secret information off-chip once the compromised IC is deployed in the field. This paper explores the design space of hardware Trojans and proposes a novel technique, “Malicious Off-chip Leakage Enabled by Side-channels” (MOLES), which employs power side-channels to convey secret information off-chip. An experimental MOLES circuit is designed with fewer than 50 gates and is embedded into an Advanced Encryption Standard (AES) cryptographic circuit in a predictive 45nm CMOS technology model. Engineered by a spread-spectrum technique, the MOLES technique is capable of leaking multi-bit information below the noise power level of the host IC to evade evaluators' detections. In addition, a generalized methodology for a class of MOLES circuits and design verification by statistical correlation analysis are presented. The goal of this work is to demonstrate the potential threats of MOLES on embedded system security. Nevertheless, MOLES could be constructively used for hardware authentication, fingerprinting and IP protection.

[1]  Farinaz Koushanfar,et al.  Extended abstract: Designer’s hardware Trojan horse , 2008, 2008 IEEE International Workshop on Hardware-Oriented Security and Trust.

[2]  Leee/acm International Conference On Computer-aided Design Digest Of Technical Papers , 1993, Proceedings of 1993 International Conference on Computer Aided Design (ICCAD).

[3]  Richard E. Anderson,et al.  IC Failure Analysis: Magic, Mystery, and Science , 1997, IEEE Des. Test Comput..

[4]  Michael S. Hsiao,et al.  A region based approach for the identification of hardware Trojans , 2008, 2008 IEEE International Workshop on Hardware-Oriented Security and Trust.

[5]  Stefan Mangard,et al.  Power and EM Attacks on Passive 13.56 MHz RFID Devices , 2007, CHES.

[6]  RajskiJanusz,et al.  Primitive Polynomials Over GF(2) of Degree up to 660 with Uniformly Distributed Coefficients , 2003 .

[7]  Daniel E. Holcomb,et al.  Initial SRAM State as a Fingerprint and Source of True Random Numbers for RFID Tags , 2007 .

[8]  Mark Mohammad Tehranipoor,et al.  Power supply signal calibration techniques for improving detection resolution to hardware Trojans , 2008, 2008 IEEE/ACM International Conference on Computer-Aided Design.

[9]  G. Edward Suh,et al.  Physical Unclonable Functions for Device Authentication and Secret Key Generation , 2007, 2007 44th ACM/IEEE Design Automation Conference.

[10]  Tim Güneysu,et al.  Trojan Side-Channels: Lightweight Hardware Trojans through Side-Channel Engineering , 2009, CHES.

[11]  Sally Adee,et al.  The Hunt For The Kill Switch , 2008, IEEE Spectrum.

[12]  Sri Parameswaran,et al.  MUTE-AES: A multiprocessor architecture to prevent power analysis based side channel attack of the AES algorithm , 2008, 2008 IEEE/ACM International Conference on Computer-Aided Design.

[13]  Yiorgos Makris,et al.  Hardware Trojan detection using path delay fingerprint , 2008, 2008 IEEE International Workshop on Hardware-Oriented Security and Trust.

[14]  Paul C. Kocher,et al.  Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and Other Systems , 1996, CRYPTO.

[15]  Yiorgos Makris,et al.  Experiences in Hardware Trojan design and implementation , 2009, 2009 IEEE International Workshop on Hardware-Oriented Security and Trust.

[16]  Siva Sai Yerubandi,et al.  Differential Power Analysis , 2002 .

[17]  Xiaoxiao Wang,et al.  Power supply signal calibration techniques for improving detection resolution to hardware Trojans , 2008, ICCAD 2008.

[18]  Wayne P. Burleson,et al.  Analysis and mitigation of process variation impacts on Power-Attack Tolerance , 2009, 2009 46th ACM/IEEE Design Automation Conference.

[19]  Ingrid Verbauwhede,et al.  A logic level design methodology for a secure DPA resistant ASIC or FPGA implementation , 2004, Proceedings Design, Automation and Test in Europe Conference and Exhibition.

[20]  Janusz Rajski,et al.  Primitive Polynomials Over GF(2) of Degree up to 660 with Uniformly Distributed Coefficients , 2003, J. Electron. Test..

[21]  Yuanyuan Zhou,et al.  Designing and Implementing Malicious Hardware , 2008, LEET.

[22]  Mark Mohammad Tehranipoor,et al.  Detecting malicious inclusions in secure hardware: Challenges and solutions , 2008, 2008 IEEE International Workshop on Hardware-Oriented Security and Trust.

[23]  Berk Sunar,et al.  Trojan Detection using IC Fingerprinting , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[24]  Pankaj Rohatgi,et al.  Template Attacks , 2002, CHES.

[25]  Swarup Bhunia,et al.  On-demand transparency for improving hardware Trojan detectability , 2008, 2008 IEEE International Workshop on Hardware-Oriented Security and Trust.

[26]  Yu (Kevin) Cao,et al.  What is Predictive Technology Model (PTM)? , 2009, SIGD.