Trojan Hardware

A hardware Trojan (HT) is a malicious modification of the circuitry of an integrated circuit. A hardware Trojan is completely characterized by its physical representation and its behavior. The payload of an HT is the entire activity that the Trojan executes when it is triggered. In general, malicious Trojans try to bypass or disable the security of a system. HTs could also disable, derange or destroy the entire chip or components of it.

Hardware Trojans may be introduced as hidden "front doors" that are unknowingly inserted while designing a computer chip, by using pre-made ASIC IP cores that have been purchased from a non-reputable source, or inserted internally by a rogue employee, either acting on their own or for spying and espionage. [1]

A recent paper published in IEEE explains how a hardware design containing a Trojan could leak data over an antenna or network connection, provided that the correct "easter egg" trigger is applied to activate the data leak. [2]

In high-security government IT departments, hardware Trojans are a well-known problem when buying hardware such as KVM switches, keyboards, mice, network cards and other network equipment, especially from non-reputable sources that have placed hardware Trojans to leak keyboard passwords or provide remote unauthorized entry. [3] KVM switches on eBay because of their non-reputable source and they had a hardware built into them, spreading the problem buying used equipment.


In a diverse global economy, outsourcing of production is a common way to lower a product's cost. Embedded hardware devices are not always produced by the firms that design and/or sell them, nor in the same country where they will be used. Outsourced manufacturing can raise doubt about the evidence for the integrity of the manufactured product (i.e., one's certainty that the end product has no design changes compared to its original design). Anyone with access to the manufacturing process could, in theory, introduce some change to the final product. For complex products, small changes with large effects can be difficult to detect.

The threat of a serious, malicious design alteration can be especially relevant to government agencies. Resolving doubt about hardware integrity is one way to reduce technology vulnerabilities in the military, finance, energy and political sectors of an economy. Since the manufacture of integrated circuits in untrustworthy factories is common, advanced detection techniques have emerged to discover when an adversary has hidden additional components in, or otherwise sabotaged, the circuit's function.

Characterization of hardware Trojans

An HT can be characterized by several methods, such as its physical representation, its activation phase and its action phase. Alternative methods characterize the HT by trigger, payload and stealth.

Physical characteristics

One of these physical characteristics is the type. The type of a Trojan can be either functional or parametric. A Trojan is functional if the adversary adds or deletes any transistors or gates in the original chip design. The other kind of Trojan, the parametric Trojan, modifies the original circuitry, e.g. by thinning wires, weakening flip-flops or transistors, subjecting the chip to radiation, or using focused ion beams (FIB) to reduce the reliability of a chip.

The size of a Trojan is its physical extension or the number of components it is made of. Because a Trojan can consist of many components, the designer can distribute the parts of the malicious logic over the chip. The additional logic can occupy the chip wherever it is needed to modify, add or remove a function. If the function of the Trojan demands it, the malicious components can be scattered. This is called loose distribution. On the other hand, a Trojan can consist of only a few components, so the area that the malicious logic occupies in the layout of the chip is small. In contrast, this is called tight distribution.

If the adversary spares no effort, then he regenerates the layout, so that the placement of the components of the IC is altered. In rare cases the chip size is altered. These changes are structural alterations.

Activation characteristics

The typical Trojan is condition-based: it is triggered by sensors, internal logic states, a particular input pattern or an internal counter value. Condition-based Trojans are detectable with power traces to some degree when inactive. That is due to the leakage currents generated by the trigger or counter circuit that activates the Trojan.

Hardware Trojans can be triggered in different ways. A Trojan can be internally activated, which means it monitors one or more signals inside the IC. The malicious circuitry could wait for countdown logic that an attacker added to the chip, so that the Trojan awakes after a specific time span. The opposite is externally activated. There can be malicious logic inside a chip that uses an antenna or other sensors the adversary can reach from outside the chip. For example, a Trojan could be inside the control system of a cruise missile. The owner of the missile does not know that the enemy will be able to switch off the rockets by radio.

A Trojan which is always on can be a reduced wire. A chip that is modified in this way produces errors or fails every time the wire is used intensely. Always-on circuits are hard to detect with power traces.

In this context, combinational Trojans and sequential Trojans are distinguished. A combinational Trojan monitors internal signals until a specific condition happens. A sequential Trojan is also an internally activated condition-based circuit, but it monitors the internal signals and searches for sequences, not for a specific state or condition as combinational Trojans do.

Cryptographic key extraction

Extraction of secret keys by means of a hardware Trojan without detecting the Trojan requires that the Trojan uses a random signal or some cryptographic implementation itself.

To avoid storing a cryptographic key in the Trojan itself, a physical unclonable function can be used. [4] Physical unclonable functions are small in size and can have an identical layout while their cryptographic properties are different.

Action characteristics

An HT could modify the chip's function or change the chip's parametric properties (e.g. provoke a process delay). Confidential information can also be transmitted to the adversary (transmission of key information).

Peripheral device hardware Trojans

A relatively new threat vector to networks and network endpoints is an HT appearing as a physical peripheral device that is designed to interact with the network endpoint using the approved peripheral device's communication protocol. For example, a USB keyboard that hides all malicious processing cycles from the target network endpoint to which it is attached by communicating with that endpoint over unintended USB channels. Once sensitive data is exfiltrated from the target network endpoint to the HT, the HT can process the data and decide what to do with it: store it in memory for later physical retrieval of the HT, or possibly exfiltrate it to the internet using the endpoint as a pivot. [5] [6]

Potential of threat

A common Trojan is passive for most of the time an altered device is in use, but its activation can cause fatal damage. If a Trojan is activated, the device's function can be changed, the device can be destroyed, or it can be disabled. Trojans are stealthy, which means the precondition for activation is a very rare event. Traditional testing techniques are not sufficient. A manufacturing fault occurs at a random position, whereas malicious changes are well placed to avoid detection.


Physical inspection

First, the molding coat is cut to reveal the circuitry. Then, the engineer repeatedly scans the surface while grinding the layers of the chip. There are several operations to scan the circuitry. Typical visual inspection methods are: scanning optical microscopy (SOM), scanning electron microscopy (SEM), [7] pico-second imaging circuit analysis (PICA), voltage contrast imaging (VCI), light induced voltage alteration (LIVA) or charge induced voltage alteration (CIVA). The floor plan of the chip then has to be compared with the image of the actual chip. This is still quite challenging to do. To detect Trojan hardware which includes (crypto) keys which are different, an image diff can be taken to reveal the different structure on the chip. The only known hardware Trojan using unique crypto keys but having the same structure is [8]. This property enhances the undetectability of the Trojan.

Functional testing

This detection method stimulates the input ports of a chip and monitors the output to detect manufacturing faults. If the logic values of the output do not match the genuine pattern, then a defect or a Trojan could be found.

Built-in tests

Built-in self-test (BIST) and Design For Test (DFT) techniques add circuitry (logic) to the chip to help verify that the chip, as built, implements its functional specification. The extra logic monitors input stimulus and internal signals or memory states, generally by computing checksums or by exposing internal registers via a customized scanning technique. BIST-enabled chips incorporate custom test-pattern generators. BIST functionality often exists to perform at-speed (high-speed) verification where it is not possible to use DFT capabilities. Both methods were originally developed to detect manufacturing errors, but they also have the potential to detect some of the effects of malicious logic, or to be exploited by malicious logic to covertly inspect remote state within the chip.

Consider how DFT recognizes unintended logic. When driven by DFT inputs, a genuine chip generates a familiar signature, but a defective or altered chip displays an unexpected signature. The signature may consist of any number of data outputs from the chip: an entire scan chain or an intermediate data result. In a Trojan-detection context, DFT logic can be regarded as an encryption algorithm: the DFT input is used as a key to sign a message derived from the behavior of the design under test. In an intrusion-avoidance context, BIST or DFT functions are typically disabled (by hardware reconfiguration) outside of a manufacturing environment because of their access to the chip's internal state.
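The signature comparison described above, and the reason a rare trigger defeats short test runs, can be modelled in a few lines. This is an added example, not code from the article or its sources: the 16-bit multiplier, the trigger value `0xBEEF` and the one-bit payload are constructed assumptions, and the pattern generator and signature register are a standard maximal-length 16-bit LFSR.

```python
SEED = 0xACE1      # LFSR start state (constructed)
TRIGGER = 0xBEEF   # hypothetical rare input pattern that activates the altered logic

def lfsr_step(s):
    """16-bit Fibonacci LFSR, taps 16,14,13,11 (maximal length: 65535 states)."""
    bit = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
    return (s >> 1) | (bit << 15)

def golden(pattern):
    """Reference behaviour of the design under test: an 8x8-bit multiplier."""
    a, b = pattern >> 8, pattern & 0xFF
    return (a * b) & 0xFFFF

def altered(pattern):
    """Same design with a combinational trigger that flips one output bit."""
    out = golden(pattern)
    return out ^ 1 if pattern == TRIGGER else out

def signature(dut, n_patterns):
    """Drive dut with n LFSR patterns and compact the responses in a MISR."""
    pattern, misr = SEED, 0
    for _ in range(n_patterns):
        misr = lfsr_step(misr) ^ dut(pattern)
        pattern = lfsr_step(pattern)
    return misr

def patterns_before_trigger():
    """Number of patterns applied before the generator first emits TRIGGER."""
    pattern = SEED
    for n in range(65535):
        if pattern == TRIGGER:
            return n
        pattern = lfsr_step(pattern)
    raise ValueError("trigger not reachable from seed")

if __name__ == "__main__":
    k = patterns_before_trigger()
    for n in (1000, k, k + 1, 65535):
        match = signature(golden, n) == signature(altered, n)
        print(f"{n:6d} patterns: signature {'matches' if match else 'DIFFERS'}")
```

Any test run that stops before the trigger pattern is applied yields the genuine signature, so the length and coverage of the pattern set, not the comparison itself, decide whether the alteration is seen.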

Side-channel analysis

Every device that is electrically active emits different signals like magnetic and electric fields. Those signals, which are caused by the electric activity, can be analyzed to gain information about the state and the data which the device processes. Advanced methods to measure these side-effects have been developed and they are very sensitive (side-channel attack). Hence, it is possible to detect tightly coupled Trojans via measurement of these analog signals. The measured values can be used as a signature for the analyzed device. It is also common that a set of measured values is evaluated to avoid measurement errors or other inaccuracies.
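A sketch of using averaged power measurements as a device signature, as an added example that is not from the article or its sources. The traces are simulated and constructed, the comparison assumes a trusted reference ("golden") chip is available, and process variation between chips is ignored.

```python
import random
import statistics

POINTS = 64      # samples per power trace (constructed)
NOISE_SD = 1.0   # measurement noise in arbitrary units (constructed)

def measure(rng, trojan=False):
    """Return one simulated power trace; constructed data, not a real capture."""
    trace = []
    for t in range(POINTS):
        level = 10.0 + 3.0 * ((t % 8) < 4)   # nominal switching activity
        if trojan and 20 <= t < 28:
            level += 0.6                     # small extra draw of the added logic
        trace.append(level + rng.gauss(0.0, NOISE_SD))
    return trace

def capture(rng, n, trojan=False):
    """Record n traces from one device."""
    return [measure(rng, trojan) for _ in range(n)]

def max_z(golden, dut):
    """Largest per-sample z-score between averaged DUT and golden traces."""
    scale = (1 / len(golden) + 1 / len(dut)) ** 0.5
    worst = 0.0
    for t in range(POINTS):
        ref = [tr[t] for tr in golden]
        mean_dut = statistics.fmean(tr[t] for tr in dut)
        z = (mean_dut - statistics.fmean(ref)) / (statistics.stdev(ref) * scale)
        worst = max(worst, abs(z))
    return worst

def is_suspect(golden, dut, threshold=6.0):
    """Flag the device when any sample deviates beyond the threshold."""
    return max_z(golden, dut) > threshold

if __name__ == "__main__":
    rng = random.Random(1)
    golden = capture(rng, 400)
    clean = capture(rng, 400)
    modified = capture(rng, 400, trojan=True)
    print("clean chip, 400 traces:   ", is_suspect(golden, clean))
    print("modified chip, 400 traces:", is_suspect(golden, modified))
    print("modified chip, 1 trace:   ", is_suspect(golden, modified[:1]))
```

The extra draw is smaller than the noise of a single measurement, so one trace does not separate the two chips; averaging a set of traces shrinks the noise enough for the deviation to stand out.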

See also

  • Hardware obfuscation
  • FDIV
  • Kill switch
  • Physical unclonable function (PUF)
  • Hardware backdoor
  • Hardware security

External links

  • Seminar Covert Channels and Embedded Forensics
  • ‘Trust-hub’ website



References

  1. Wei Hu et al., "Detecting Hardware Trojans with Gate-Level Information-Flow Tracking", IEEE publication, 2015.
  2. Wei Hu et al., "Detecting Hardware Trojans with Gate-Level Information-Flow Tracking", IEEE publication, 2015.
  3. "Building Trojan Hardware at Home", BlackHat Asia 2014.
  4. Zheng Gong and Mark X. Makkes, "Hardware Trojan side-channels based on physical unclonable functions", WISTP 2011, LNCS 6633, pp. 293-303. doi:10.1007/978-3-642-21040-2_21
  5. J. Clark, S. Leblanc, S. Knight, "Compromise through USB-based Trojan Hardware Device", Future Generation Computer Systems (2010) (In Press). doi:10.1016/j.future.2010.04.008
  6. John Clark, Sylvain Leblanc, Scott Knight, "Trojan Hardware Device Based on USB Unintended Channels", Third International Conference on Network and System Security, 2009, pp. 1-8. doi:10.1109/NSS.2009.48
  7. Susan Swapp, "Scanning Electron Microscopy (SEM)", University of Wyoming.
  8. Zheng Gong and Mark X. Makkes, "Hardware Trojan side-channels based on physical unclonable functions", WISTP 2011, LNCS 6633, pp. 293-303. doi:10.1007/978-3-642-21040-2_21
