Trojans Flashcards

1
Q

Hardware Trojan

A

A malicious, intentional addition or modification to the existing circuit
elements

2
Q

Using Hardware Trojans to

A
  • Change the functionality (e.g., deactivating authentication or encryption)
  • Reduce the reliability (e.g., accelerate aging)
  • Leak valuable information (e.g., bypassing the side-channel protections, providing backdoors, etc.)
3
Q

Hardware trojan Targets

A

Vulnerability of chips to additions, deletions or alterations of the
circuit structure, or to modification of manufacturing process steps,
that cause reliability issues in ICs in applications such as:
- Defense/military applications
- Aerospace applications
- Civilian security-critical applications
- Financial applications
- Transportation applications

4
Q

General Structure of a Hardware Trojan

A
- Trigger logic is responsible for the activation mechanism
- Payload logic is responsible for the effect
- A hardware Trojan causes a malfunction by modifying signal S to S´
- Activated only under very rare conditions
- Trojans are stealthy: they evade detection under the conventional
post-manufacturing test/validation process.
5
Q

Insertion Phase- Specification phase:

A

Definition of the system’s characteristics
- For example, a Trojan changes the hardware’s timing requirements

6
Q

Insertion Phase- Design Phase

A

Design gets implemented for the target technology
- Trojans might be in any of the components that aid the design (third-party IP blocks and standard cells).
- For example, a standard cell library can be tampered with Trojans
- Insertion during design » HDL-level Trojans
- Combinational and sequential Trojans

7
Q

Insertion Phase - Fabrication Phase

A

Creation of the mask set and use of the masks to pattern the wafer
- Changing dopant concentration to increase the aging (time bombs)
- Modifying dopant polarity
- Modifying the layout = chip functionality
- Insertion during fabrication » layout Trojans

8
Q

Insertion Phase - Testing Phase

A

Modifying automatic test pattern generators » reduced chance that the Trojan gets detected

9
Q

Insertion Phase - Assembly

A

Assemble components on a PCB
- For example, adding an unshielded wire » electromagnetic coupling » side-channel leakage

10
Q

Abstraction Level- System level:

A

Trojan can be triggered by a system component, e.g. by specific ASCII input from the keyboard

11
Q

Abstraction Level - RTL level:

A

Manipulating the RTL design, e.g., halving the rounds of a cryptographic implementation

12
Q

Abstraction Level- Gate level

A

Trojan consisting of basic gates (AND, XOR, OR) that monitor the chip’s inner signals

13
Q

Abstraction Level - Transistor level:

A

Insert or remove transistors, change their functionality or size » delay and reliability changes

14
Q

Abstraction Level - Physical level:

A

Change, insert or remove wires » add/remove connections, change timing

15
Q

Activation Mechanisms

A

Always on
Triggered
- Internally triggered: time-based or physical-condition-based; e.g. counter, temperature threshold
- Externally triggered: triggered by user input or component output

16
Q

Payload

A

Change functionality
- e.g., a Trojan might cause an error detection module to accept inputs that normally should be rejected

Downgrade performance (power, delay)
- e.g., insert more buffers to drain the battery more quickly

Leak information
- covert and overt channels, all kinds of side-channels, unused ports; e.g. leak a cryptographic key

Denial-of-Service
- exhaust resources, destroy the device, disable the device/functionality, alter configuration

17
Q

Location

A

Random logic
- insertion into the synthesized logic portion of the IC
- very hard to detect

Processing unit
- insertion into logic units that are part of a processor
- e.g., change instruction order

Crypto accelerator
- e.g., leak sensitive information, compromise security, replace keys

Memory units
- alter content stored in memory

I/O ports
- control over communication

Power supply
- alter voltage, e.g., to cause failures

Clock grid
- e.g., glitches, fault attacks, halt clock

18
Q

Trojans in Cryptographic Engines

A

A Trojan that attempts to leak a secret key from inside a
cryptographic IC through power side-channels using a
technique called malicious off-chip leakage enabled by side
channels (MOLES)

  • Another possibility: The payload could be a mechanism that
    presents dummy keys, predefined by the attacker
19
Q

Trojans in General-Purpose Processors

A
  • An attacker at the fabrication facility can implement a
    backdoor, which can be exploited in the field by a software adversary.
  • The attacker at an untrusted fabrication facility could
    implement a backdoor which disables the secure booting
    mechanism under certain rare conditions or when
    presented with a unique rare input condition in the hands
    of an end-user adversary
20
Q

Hardware Trojan Designs

A

HDL-level Trojans » insertion during design
- Combinational and sequential Trojans

Layout Trojans » insertion during fabrication
- Changing dopant concentration to increase the aging (time bombs)
- Modifying dopant polarity
- Modifying the layout = chip functionality
21
Q

HDL Level - Combinational Trigger

A

Activation depends on the occurrence of a particular condition at certain nodes of the circuit (here A = 0 and B = 0)

22
Q

HDL Level - Sequential Trigger

A
  • Activation depends on the occurrence of a specific sequence of rare logic values at internal nodes (time bomb)
  • Synchronous k-bit counter which activates when the count reaches 2^k − 1
23
Q

HDL Level - Asynchronous Trigger

A

Sequential Trojan independent of the system clock:
- the count is increased not by the clock, but by a rising transition at the output of an AND gate with inputs p and q

24
Q

HDL Level - Hybrid Trigger

A
  • Combination of combinational and sequential Trojans: counts
    of both a synchronous and an asynchronous counter
    simultaneously determine the Trojan trigger condition
  • More complex state machines of different types and sizes can
    be used to generate the trigger condition based on a
    sequence of rare events
25
Q

HDL Level - Analog Trigger

A

An analog trigger mechanism where the inserted capacitance is charged through the resistor if the condition q1 = 1, q2 = 1 is satisfied, and discharged otherwise, causing the logic threshold to be crossed after a large number of cycles.

26
Q

Analog payload

A
  • A bridging fault is introduced using an inserted resistor
  • The delay of the path is affected by increasing the
    capacitive load.
27
Q

Analog trigger

A

Using the dedicated temperature sensors on the chip to trigger the payload!

28
Q

Layout Level - Stealthy Dopant-Level Trojan

A
- Changing the dopant of NMOS and PMOS transistors
- Example: changing the dopant of an inverter to give out always “1” or “0” independent of its input
- Successful implementation on Intel Ivy Bridge’s RNG and establishing hidden side channels for AES
29
Q

Layout Level - Diffusion Programmable Device (DPD)

A

Changing the dopant of SRAM cells to manipulate the LUT output to constant values

30
Q

Pre-Silicon Trojan Detection Methods

A

Code-coverage analysis
- Completeness of functional verification, identify suspicious signals, validate trustworthiness of third-party IP
- e.g., remove unused circuit paths

Formal verification
- e.g., formal proof provided by the 3rd-party vendor, integrator validates the proof

Logic testing using simulation
- Apply different input patterns to activate the Trojan

Functional analysis using simulation
- Apply random input patterns
- Try to find “nearly-unused logic”
31
Q

Destructive Post-Silicon Trojan Detection

A

Use reverse engineering to depackage the IC and get images of each layer of the chip
» Reconstruct the design and do validation
- Using a scanning electron microscope with a golden chip
- Comparing optical images of different chips with the layout reveals “the” additional wires and transistors
- Advantage:
  - Can find inactive Trojans
- Disadvantages:
  - Expensive and time-consuming
  - Hardware becomes unusable
  - Needs a golden chip