
Experiences in Hardware Trojan Design and Implementation


iliana

Presentation Transcript


  1. Experiences in Hardware Trojan Design and Implementation

  2. Implementation Environment
     • Embedded Systems Challenge competition in 2008, hosted by Polytechnic Institute of NYU
     • Cryptographic device code-named Alpha
     • Select the private key : “Key Select” slide switches
     • INI System button
     • Input plaintext
     • Encrypt : “Start Encryption” button
     • Send contents of the buffer out of the RS232Out : “Transmit” button
     Tools and target: Xilinx ISE WebPACK 10.1, XC3S150e-4tq 144 on Digilent Basys development board

  3. Payload
     • Broadcast to the attacker some internal signals, which are often sensitive data
     • Compromise the function of the circuits
     • Destroy the chip

  4. Triggers
     • The attacker can physically access the device and can give special input to the Trojan directly
     • The Trojan is triggered internally
     • No trigger, the Trojan is always activated

  5. Trojan Targets
     • Unoptimized HDL code
       • Significant amounts of redundant logic
       • Rewrite the HDL code in a more compact way
       • The on-chip resources saved by this optimization can then be allocated to a Trojan
     • IP Cores
       • Not all of the generic functions will be used

  6. Classification
     • Payload
     • Trigger

  7. Implementations : Trojan type1
     • By Whom : Attacker with access to input and output device
     • How (trigger) : Input “New Heaven”
     • How (payload) : First block of ciphertext replaced by key
     • Leaking Channel : RS-232 TxD
     • Area Overhead : +0.8% flip-flops, +6.8% 4-input LUTs
     • Test Detection : Functional-Unlikely, Power-Likely

  8. Implementations : Trojan type2
     • By Whom : Attacker with access to input device
     • How (trigger) : Press “F12” key
     • How (payload) : The chip stops working
     • Leaking Channel : --
     • Area Overhead : -9.4% flip-flops, +0.024% 4-input LUTs
     • Test Detection : Functional-Unlikely, Power-Unlikely

  9. Implementations : Trojan type3
     • By Whom : Legitimate user
     • How (trigger) : Input “Moscow”
     • How (payload) : “Moscow” is replaced by “Boston” in the output
     • Leaking Channel : RS-232 TxD
     • Area Overhead : +3.3% flip-flops, +2.4% 4-input LUTs
     • Test Detection : Functional-Unlikely, Power-Likely

  10. Implementations : Trojan type4
     • By Whom : Legitimate user
     • How (trigger) : Input > 1KB data
     • How (payload) : Last block of ciphertext is replaced by key
     • Leaking Channel : RS-232 TxD
     • Area Overhead : +0.068% flip-flops, 1.8% 4-input LUTs
     • Test Detection : Functional-Unlikely, Power-Likely

  11. Implementations : Trojan type5
     • By Whom : Legitimate user
     • How (trigger) : When key index is changed
     • How (payload) : New key is hidden in the output
     • Leaking Channel : RS-232 TxD
     • Area Overhead : +0.75% flip-flops, +1.4% 4-input LUTs
     • Test Detection : Functional-Nearly Impossible, Power-Unlikely

  12. Implementations : Trojan type6
     • By Whom : Legitimate user
     • How (trigger) : Transmit > N
     • How (payload) : The chip stops working
     • Leaking Channel : --
     • Area Overhead : +0.34% flip-flops, +0.17% 4-input LUTs
     • Test Detection : Functional-Nearly Impossible, Power-Unlikely

  13. Implementations : Trojan type7
     [Figure: block diagram with labels Trojanabtri, Trojancdtri, Encrypted Encryption Key, Trojan Key, Plaintext, Ciphertext, Encryption Key]
     • By Whom : Attacker (using the RxD port)
     • How (trigger) : Control with the RxD port
     • How (payload) : The chip is controlled by the attacker
     • Leaking Channel : RS-232 TxD
     • Area Overhead : -4.4% flip-flops, +4.9% 4-input LUTs
     • Test Detection : Functional-Nearly Impossible, Power-Unlikely

  14. Implementations : Trojan type8
     • By Whom : Attacker with access to the input (without access to the communication channel)
     • How (trigger) : Press ‘Caps Lock’ key
     • How (payload) : The ‘Caps Lock’ LED reveals the key
     • Leaking Channel : Keyboard
     • Area Overhead : -5.3% flip-flops, +2.6% 4-input LUTs
     • Test Detection : Functional-Nearly Impossible, Power-Unlikely
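
An added example, not part of the presentation: a two-sided comparison of resource utilisation against a trusted (golden) build, motivated by the Area Overhead figures above, several of which are negative for flip-flops. The report line format, the function names and the sample counts are assumptions constructed for illustration.

```python
import re

# Utilisation lines in the style of a Xilinx ISE synthesis/map summary.
# The line format is an assumption; adjust the patterns to your tool's report.
PATTERNS = {
    "flip_flops": re.compile(r"Number of Slice Flip Flops:\s+([\d,]+)"),
    "lut4": re.compile(r"Number of 4 input LUTs:\s+([\d,]+)"),
}

def parse_utilisation(report: str) -> dict:
    """Extract absolute resource counts from one report's text."""
    counts = {}
    for name, pattern in PATTERNS.items():
        match = pattern.search(report)
        if match is None:
            raise ValueError(f"report has no line for {name}")
        counts[name] = int(match.group(1).replace(",", ""))
    return counts

def area_deltas(golden: dict, suspect: dict) -> dict:
    """Signed percentage change of each resource relative to the golden build."""
    return {k: 100.0 * (suspect[k] - golden[k]) / golden[k] for k in golden}

def flag_deviations(deltas: dict, tolerance_pct: float = 0.0) -> list:
    """Flag any resource whose count moved in either direction.

    A drop is flagged too: the deck reports designs whose flip-flop
    count fell after the original HDL was rewritten to free resources.
    """
    return sorted(k for k, d in deltas.items() if abs(d) > tolerance_pct)

# Constructed sample reports; the counts are chosen so the deltas match
# the -5.3% / +2.6% overhead listed for Trojan type8.
GOLDEN = """
 Number of Slice Flip Flops:         1,000 out of   4,896   20%
 Number of 4 input LUTs:             2,000 out of   4,896   40%
"""
SUSPECT = """
 Number of Slice Flip Flops:           947 out of   4,896   19%
 Number of 4 input LUTs:             2,052 out of   4,896   41%
"""

if __name__ == "__main__":
    deltas = area_deltas(parse_utilisation(GOLDEN), parse_utilisation(SUSPECT))
    for name, delta in deltas.items():
        print(f"{name}: {delta:+.1f}%")
    print("flagged:", flag_deviations(deltas))
```

A check that only looks for growth would report the LUT increase here and miss the flip-flop decrease, so the comparison is made per resource and on the absolute change.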
