Amplitude-Modulating Analog/RF Hardware Trojans in Wireless Networks: Risks and Remedies

We investigate the risk posed by amplitude-modulating analog/RF hardware Trojans in wireless networks and propose a defense mechanism to mitigate the threat. First, we introduce the operating principles of amplitude-modulating analog/RF hardware Trojan circuits and theoretically analyze their performance characteristics. Subject to channel conditions and hardware Trojan design restrictions, this analysis seeks to determine the impact of these malicious circuits on the legitimate communication and to understand the capabilities of the covert channel that they establish in practical wireless networks, by characterizing its error probability. Next, we present the implementation of two hardware Trojan examples on a Wireless Open-Access Research Platform (WARP)-based experimental setup. These examples reside in the analog and the RF circuitry of an 802.11a/g transmitter, respectively, where they manipulate the transmitted signal characteristics to leak their payload bits. Using these examples, we demonstrate (i) attack robustness, i.e., the ability of the rogue receiver to successfully retrieve the leaked data, and (ii) attack inconspicuousness, i.e., the ability of the hardware Trojan circuits to evade detection by existing defense methods. Lastly, we propose a defense mechanism that is capable of detecting analog/RF hardware Trojans in WiFi transceivers. The proposed defense, termed Adaptive Channel Estimation (ACE), leverages the channel estimation capabilities of Orthogonal Frequency Division Multiplexing (OFDM) systems to robustly expose the Trojan activity in the presence of channel fading and device noise. The effectiveness of the ACE defense was verified through experiments conducted in actual channel conditions, namely over-the-air and in the presence of interference.
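The detection idea behind a channel-estimation defense can be illustrated with a toy OFDM simulation. This is an added example, not the paper's ACE algorithm or WARP code: it assumes a static, frequency-selective channel within one frame, a known BPSK training pattern on 16 subcarriers, and a modelled Trojan that scales the transmitted amplitude whenever its payload bit is 1. The detector re-estimates the channel gain from each symbol, compares it with the preamble estimate, and flags deviations larger than the noise floor measured from the two identical preamble symbols, which a static channel cannot explain.

```python
import math
import random

N_SUB = 16  # pilot subcarriers per symbol (constructed toy size)
PILOT = [1.0 if k % 2 == 0 else -1.0 for k in range(N_SUB)]  # known BPSK training pattern

def rayleigh_channel(rng):
    """Static per-subcarrier complex gains (frequency-selective, flat over one frame)."""
    return [complex(rng.gauss(0, 1), rng.gauss(0, 1)) / math.sqrt(2) for _ in range(N_SUB)]

def noisy_symbol(h, gain, sigma, rng):
    """One received training symbol: TX amplitude scaled by `gain`, then channel + AWGN."""
    return [gain * h[k] * PILOT[k] + complex(rng.gauss(0, sigma), rng.gauss(0, sigma))
            for k in range(N_SUB)]

def transmit_frame(h, leak_bits, depth, sigma, rng):
    """Two identical preamble symbols (like an 802.11 long training field), then one training
    symbol per leaked bit. The modelled Trojan raises TX amplitude by `depth` when the bit is 1."""
    frame = [noisy_symbol(h, 1.0, sigma, rng) for _ in range(2)]
    frame += [noisy_symbol(h, 1.0 + depth * b, sigma, rng) for b in leak_bits]
    return frame

def mean_gain(y):
    """Least-squares channel estimate on the pilots, magnitude averaged over subcarriers."""
    return sum(abs(y[k] / PILOT[k]) for k in range(N_SUB)) / N_SUB

def noise_sigma(y_a, y_b):
    """Per-component noise std from the difference of two identical preamble symbols."""
    var = sum(abs(y_a[k] - y_b[k]) ** 2 for k in range(N_SUB)) / N_SUB  # equals 4*sigma^2
    return math.sqrt(var / 4)

def detect(frame, n_sigmas=5.0):
    """Flag symbols whose re-estimated gain deviates from the preamble estimate by more
    than the noise-induced spread; a static channel cannot produce such a step."""
    ref = (mean_gain(frame[0]) + mean_gain(frame[1])) / 2
    sigma = noise_sigma(frame[0], frame[1])
    ratio_std = math.sqrt(1.5) * sigma / math.sqrt(N_SUB) / ref  # one symbol vs. 2-symbol average
    threshold = n_sigmas * ratio_std
    return [abs(mean_gain(y) / ref - 1.0) > threshold for y in frame[2:]]

def demo(leak_bits, depth, sigma=0.03, seed=7):
    """End-to-end run on one seeded channel realization; returns the detector flags."""
    rng = random.Random(seed)
    return detect(transmit_frame(rayleigh_channel(rng), leak_bits, depth, sigma, rng))

if __name__ == "__main__":
    bits = [1, 0, 1, 1, 0, 0, 1]
    print("Trojan active:", demo(bits, 0.3))  # flags line up with the leaked bits
    print("Honest radio: ", demo(bits, 0.0))  # no flags
```

With the Trojan active the flagged symbols coincide with the leaked bits; with an honest transmitter (depth 0) nothing is flagged, since the per-symbol estimates stay within the measured noise spread.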
