nach oben

Journal of Hardware and Systems Security

13.03.2024

Post-configuration Activation of Hardware Trojans in FPGAs

verfasst von: Qazi Arbab Ahmed, Tobias Wiersema, Marco Platzner

Erschienen in: Journal of Hardware and Systems Security

Einloggen, um Zugang zu erhalten

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

The battle of developing hardware Trojans and corresponding countermeasures has taken adversaries towards ingenious ways of compromising hardware designs by circumventing even advanced testing and verification methods. Besides conventional methods of inserting Trojans into a design by a malicious entity, the design flow for field-programmable gate arrays (FPGAs) can also be surreptitiously compromised to perform successful attacks that result in malfunctions or information leakages. In this paper, we introduce a mechanism for the post-configuration activation of a Trojan that leverages malicious routing so that the attacker can leave the Trojan circuit in an undetectable dormant state even in the generated and transmitted bitstream. The Trojan is designed, for example, by adding an enable signal that is routed to an unused primary input/output of the FPGA or by attaching the payload via one route to the remaining design, and then that new route is disconnected during place-and-route and only re-connected when the FPGA is being programmed. The trigger can thus only be activated once the circuit is on the device, which leaves the Trojan dormant in all verification and pre-silicon testing steps. This Trojan can therefore currently neither be prevented by conventional testing and verification methods nor by bitstream-level verification techniques. Since our method ensures that the malicious circuitry is only active in the field, the approach works also quite well with triggerless (always-on) Trojans that have a negligible impact on the overall area and power consumption of the circuit and can thus easily escape detection by fingerprinting techniques using side-channel analyses.

https://github.com/qaarah/malicious-routing

Intel FPGAs. Automotive FPGA applications. [Online].Available: https://www.intel.com/content/www/us/en/automotive/products/programmable/applications.html/. Accessed 14 Jun 2021

Guo K, Zeng S, Yu J, Wang Y, Yang H (2019) [DL] A survey of FPGA-based neural network inference accelerators. ACM Trans Reconfig Technol Syst 12(1). https://doi.org/10.1145/3289185

Huawei Cloud (2020) FPGA accelerated cloud server (FACS). [Online]. https://www.huaweicloud.com/en-us/product/fcs.html

Alibaba Cloud ECS (2018) Deep dive into Alibaba cloud F3 FPGA as a service instances. [Online]. Available: https://www.alibabacloud.com/blog/deep-dive-into-alibaba-cloud-f3-fpga-as-a-service-instances_594057

Amazon.com Inc. (2021) Amazon EC2 F1 instances. [Online]. Available: https://aws.amazon.com/ec2/instance-types/f1/

Putnam A, Caulfield AM, Chung ES, Chiou D, Constantinides K, Demme J, Esmaeilzadeh H, Fowers J, Gopal GP, Gray J, Haselman M, Hauck S, Heil S, Hormati A, Kim JY, Lanka S, Larus J, Peterson E, Pope S, Smith A, Thong J, Xiao PY, Burger D (2014) A reconfigurable fabric for accelerating large-scale datacenter services. SIGARCH Comput Archit News 42(3):13–24. https://doi.org/10.1145/2678373.2665678CrossRef

Bhunia S, Hsiao MS, Banga M, Narasimhan S (2014) Hardware Trojan attacks: Threat analysis and countermeasures. Proc IEEE 102(8):1229–1247CrossRef

Wallat S, Fyrbiak M, Schlögel M, Paar C (2017) A look at the dark side of hardware reverse engineering - a case study. In: 2017 IEEE 2nd International Verification and Security Workshop (IVSW), pp 95–100. https://doi.org/10.1109/IVSW.2017.8031551

Mirzargar SS, Stojilovic M (2019) Physical side-channel attacks and covert communication on FPGAs: a survey. In: 2019 29th International Conference on Field Programmable Logic and Applications (FPL), IEEE, Barcelona, Spain, pp 202–210. https://doi.org/10.1109/FPL.2019.00039

10.

Ender M, Ghandali S, Moradi A, Paar C (2017) The first thorough side-channel hardware Trojan. In: Takagi T, Peyrin T (eds) Advances in Cryptology - ASIACRYPT 2017. Springer International Publishing, Cham, pp 755–780CrossRef

11.

Hutter M, Mangard S, Feldhofer M (2007) Power and EM attacks on passive \(13.56\,\rm MHz\) RFID devices. In: Proceedings of the 9th International Workshop on Cryptographic Hardware and Embedded Systems, Springer-Verlag, Berlin, Heidelberg, CHES ’07, pp 320–333. https://doi.org/10.1007/978-3-540-74735-2_22

12.

Lin L, Burleson W, Paar C (2009a) MOLES: malicious off-chip leakage enabled by side-channels. In: Proceedings of the 2009 International Conference on Computer-Aided Design - ICCAD ’09, ACM Press, San Jose, California, pp 117. https://doi.org/10.1145/1687399.1687425

13.

Lin L, Kasper M, Güneysu T, Paar C, Burleson W (2009b) Trojan side-channels: lightweight hardware Trojans through side-channel engineering. In: Clavier C, Gaj K (eds) Cryptographic Hardware and Embedded Systems - CHES 2009, vol 5747, Springer Berlin Heidelberg, Berlin, Heidelberg, pp 382–395. https://doi.org/10.1007/978-3-642-04138-9_27. Series Title: Lecture Notes in Computer Science

14.

Thompson K (1984) Reflections on trusting trust. Commun ACM 27(8):761–763. https://doi.org/10.1145/358198.358210CrossRef

15.

Krieg C, Wolf C, Jantsch A (2016) Malicious LUT: a stealthy FPGA trojan injected and triggered by the design flow. In: 2016 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), IEEE Press, pp 1–8. https://doi.org/10.1145/2966986.2967054

16.

Hicks M, Finnicum M, King ST, Martin MMK, Smith JM (2010) Overcoming an untrusted computing base: detecting and removing malicious hardware automatically. In: 2010 IEEE Symposium on Security and Privacy, IEEE, pp 159–172. https://doi.org/10.1109/SP.2010.18

17.

Waksman A, Suozzo M, Sethumadhavan S (2013) FANCI: identification of stealthy malicious logic using Boolean functional analysis. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, ACM, New York, NY, USA, CCS ’13, pp 697–708. https://doi.org/10.1145/2508859.2516654

18.

Zhang J, Yuan F, Wei L, Sun Z, Xu Q (2013) VeriTrust: verification for hardware trust. In: Proceedings of the 50th Annual Design Automation Conference, Association for Computing Machinery, New York, NY, USA, DAC ’13. https://doi.org/10.1145/2463209.2488808

19.

Ahmed QA, Wiersema T, Platzner M (2019) Proof-carrying hardware versus the stealthy malicious LUT hardware Trojan. In: Hochberger C, Nelson B, Koch A, Woods R, Diniz P (eds) Applied Reconfigurable Computing, Springer International Publishing, Cham, pp 127–136. https://doi.org/10.1007/978-3-030-17227-5_10

20.

Ahmed QA, Wiersema T, Platzner M (2021) Malicious routing: circumventing bitstream-level verification for FPGAs. In: 2021 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp 1490–1495. https://doi.org/10.23919/DATE51398.2021.9474026

21.

Ahmed QA, Platzner M (2022) On the detection and circumvention of bitstream-level Trojans in FPGAs. In 2022 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), pp 434–439. https://doi.org/10.1109/ISVLSI54635.2022.00097

22.

Chakraborty RS, Saha I, Palchaudhuri A, Naik GK (2013) Hardware Trojan insertion by direct modification of FPGA configuration bitstream. IEEE Des Test 30(2):45–54. https://doi.org/10.1109/MDT.2013.2247460CrossRef

23.

Duncan A, Rahman F, Lukefahr A, Farahmandi F, Tehranipoor M (2019) FPGA bitstream security: a day in the life. In: 2019 IEEE International Test Conference (ITC), IEEE, Washington, DC, USA, pp 1–10. https://doi.org/10.1109/ITC44170.2019.9000145

24.

Khaleghi B, Ahari A, Asadi H, Bayat-Sarmadi S (2015) FPGA-based protection scheme against hardware trojan horse insertion using dummy logic. IEEE Embed Syst Lett 7(2):46–50. https://doi.org/10.1109/LES.2015.2406791CrossRef

25.

Mal-Sarkar S, Karam R, Narasimhan S, Ghosh A, Krishna A, Bhunia S (2016) Design and validation for FPGA trust under hardware Trojan attacks. IEEE Trans Multi-Scale Comput Syst 2(3):186–198. https://doi.org/10.1109/TMSCS.2016.2584052CrossRef

26.

Tehranipoor M, Koushanfar F (2010) A survey of hardware Trojan taxonomy and detection. IEEE Des Test Comput 27(1):10–25. https://doi.org/10.1109/MDT.2010.7CrossRef

27.

Xiao K, Forte D, Jin Y, Karri R, Bhunia S, Tehranipoor M (2016) Hardware Trojans: Lessons learned after one decade of research. ACM Trans Des Autom Electron Syst 22(1):6. https://doi.org/10.1145/2906147CrossRef

28.

Hasegawa K, Yanagisawa M, Togawa N (2017) Hardware Trojans classification for gate-level netlists using multi-layer neural networks. In: 2017 IEEE 23rd International Symposium on On-Line Testing and Robust System Design (IOLTS), IEEE, Thessaloniki, Greece, pp 227–232. https://doi.org/10.1109/IOLTS.2017.8046227

29.

Yoon J, Seo Y, Jang J, Cho M, Kim J, Kim H, Kwon T (2018) A bitstream reverse engineering tool for FPGA hardware Trojan detection. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, ACM, Toronto Canada, pp 2318–2320. https://doi.org/10.1145/3243734.3278487

30.

Zhang T, Wang J, Guo S, Chen Z (2019) A comprehensive FPGA reverse engineering tool-chain: from bitstream to RTL code. IEEE Access 7:38379–38389CrossRef

31.

Asadi Kouhanjani MR, Jahangir AH (2018) Improving hardware Trojan detection using scan chain based ring oscillators. Microprocess Microsyst 63:55–65CrossRef

32.

Hamalainen P, Alho T, Hannikainen M, Hamalainen T (2006) Design and implementation of low-area and low-power AES encryption hardware core. In: 9th EUROMICRO Conference on Digital System Design (DSD’06), pp 577–583. https://doi.org/10.1109/DSD.2006.40

33.

Lattice Semiconductor. Lattice Semiconductor. http://www.latticesemi.com/iCE40. Accessed 21 Nov 2022

34.

Wolf C, Lasser M (2021) Project IceStorm. http://www.clifford.at/icestorm/

35.

Wolf C. Yosys open synthesis suite. http://www.clifford.at/yosys/. Accessed 15 Dec 2022

36.

Cotton Seed. Arachne-pnr. https://github.com/YosysHQ/arachne-pnr. Accessed 15 Nov 2022

37.

Nielsen K (2020) ICE40 layout viewer. [Online]. https://github.com/knielsen/ice40_viewer

38.

Salmani H, Tehranipoor M, Plusquellic J (2012) A novel technique for improving hardware Trojan detection and reducing Trojan activation time. IEEE Trans Very Large Scale Integr (VLSI) Syst 20(1):112–125. https://doi.org/10.1109/TVLSI.2010.2093547CrossRef

39.

He J, Zhao Y, Guo X, Jin Y (2017) Hardware Trojan detection through chip-free electromagnetic side-channel statistical analysis. IEEE Trans Very Large Scale Integr (VLSI) Syst 25(10):2939–2948. https://doi.org/10.1109/TVLSI.2017.2727985. Conference Name: IEEE Transactions on Very Large Scale Integration (VLSI) Systems

40.

Lattice Semiconductor (2021) iCEcube2 design software. [Online]. Available: https://www.latticesemi.com/iCEcube2

41.

Ngo XT, Exurville I, Bhasin S, Danger JL, Guilley S, Najm Z, Rigaud JB, Robisson B (2015) Hardware Trojan detection by delay and electromagnetic measurements. In: 2015 Design, Automation Test in Europe Conference Exhibition (DATE), pp 782–787. https://doi.org/10.7873/DATE.2015.1103

42.

Palumbo A, Cassano L, Luzzi B, Hernández JA, Reviriego P, Bianchi G, Ottavi M (2022) Is your FPGA bitstream hardware Trojan-free? Machine learning can provide an answer. J Syst Architect 128:102543. https://doi.org/10.1016/j.sysarc.2022.102543CrossRef

43.

Polian I, Becker GT, Regazzoni F (2016) Trojans in early design steps? An emerging threat. https://api.semanticscholar.org/CorpusID:27239603

44.

Potkonjak M (2010) Synthesis of trustable ICS using untrusted CAD tools. In: Design Automation Conference, pp 633–634. https://doi.org/10.1145/1837274.1837435

45.

Umuroglu Y, Fraser NJ, Gambardella G, Blott M, Leong P, Jahre M, Vissers K (2017) FINN: a framework for fast, scalable binarized neural network inference. In: Proceedings of the 2017 ACM/SIGDA International Symposium on Field-Programmable Gate Arrays, Association for Computing Machinery, New York, NY, USA, FPGA ’17, pp 65–74. https://doi.org/10.1145/3020078.3021744

46.

Giri N, Anandakumar NN (2020) Design and analysis of hardware trojan threats in reconfigurable hardware. In: 2020 International Conference on Emerging Trends in Information Technology and Engineering (ic-ETITE), pp 1–5. https://doi.org/10.1109/ic-ETITE47903.2020.227

47.

Salmani H, Tehranipoor MM (2016) Vulnerability analysis of a circuit layout to hardware trojan insertion. IEEE Trans Inf Forensics Secur 11(6):1214–1225. https://doi.org/10.1109/TIFS.2016.2520910CrossRef

48.

Cruz J, Huang Y, Mishra P, Bhunia S (2018) An automated configurable trojan insertion framework for dynamic trust benchmarks. In: 2018 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp 1598–1603. https://doi.org/10.23919/DATE.2018.8342270

49.

Agrawal D, Baktir S, Karakoyunlu D, Rohatgi P, Sunar B (2007) Trojan detection using IC fingerprinting. In: 2007 IEEE Symposium on Security and Privacy (SP ’07), pp 296–310. https://doi.org/10.1109/SP.2007.36

50.

Miguélez-Gómez N, Rojas-Nastrucci EA (2023) RF fingerprinting: hardware-trustworthiness enhancement in the hardware Trojan era: RF fingerprinting-based countermeasures. IEEE Microwave Mag 24(11):35–52. https://doi.org/10.1109/MMM.2023.3303591CrossRef

51.

Rad RM, Wang X, Tehranipoor M, Plusquellic J (2008) Power supply signal calibration techniques for improving detection resolution to hardware Trojans. In: 2008 IEEE/ACM International Conference on Computer-Aided Design, IEEE, San Jose, CA, USA, pp 632–639. https://doi.org/10.1109/ICCAD.2008.4681643

52.

Yier Jin, Makris Y (2008) Hardware Trojan detection using path delay fingerprint. In: 2008 IEEE International Workshop on Hardware-Oriented Security and Trust, IEEE, Anaheim, CA, USA, pp 51–57. https://doi.org/10.1109/HST.2008.4559049

53.

Trimberger SM, Moore JJ (2014) FPGA security: motivations, features, and applications. Proc IEEE 102(8):1248–1265. https://doi.org/10.1109/JPROC.2014.2331672, conference Name: Proceedings of the IEEE

Titel: Post-configuration Activation of Hardware Trojans in FPGAs
verfasst von: Qazi Arbab Ahmed
Tobias Wiersema
Marco Platzner
Publikationsdatum: 13.03.2024
Verlag: Springer International Publishing
Erschienen in: Journal of Hardware and Systems Security
Print ISSN: 2509-3428
Elektronische ISSN: 2509-3436
DOI: https://doi.org/10.1007/s41635-024-00147-5

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.