2023
Sengupta, Anirban; Chaurasia, Rahul; Anshul, Aditya
Robust Security of Hardware Accelerators Using Protein Molecular Biometric Signature and Facial Biometric Encryption Key Journal Article
In: IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 31, no. 6, pp. 826–839, 2023.
@article{Sengupta2023,
title = {Robust Security of Hardware Accelerators Using Protein Molecular Biometric Signature and Facial Biometric Encryption Key},
author = {Anirban Sengupta and Rahul Chaurasia and Aditya Anshul},
url = {https://doi.org/10.1109/tvlsi.2023.3265559},
doi = {10.1109/tvlsi.2023.3265559},
year = {2023},
date = {2023-06-01},
journal = {IEEE Transactions on Very Large Scale Integration (VLSI) Systems},
volume = {31},
number = {6},
pages = {826–839},
publisher = {Institute of Electrical and Electronics Engineers (IEEE)},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
2022
Cruz, Jonathan; Posada, Christopher; Masna, Naren Vikram Raj; Chakraborty, Prabuddha; Gaikwad, Pravin; Bhunia, Swarup
A Framework for Automated Exploration of Trojan Attack Space in FPGA Netlists Miscellaneous
2022.
@misc{cruz2022TRIT-DS,
title = {A Framework for Automated Exploration of Trojan Attack Space in FPGA Netlists},
author = {Jonathan Cruz and Christopher Posada and Naren Vikram Raj Masna and Prabuddha Chakraborty and Pravin Gaikwad and Swarup Bhunia},
url = {https://www.techrxiv.org/articles/preprint/A_Framework_for_Automated_Exploration_of_Trojan_Attack_Space_in_FPGA_Netlists/20224140},
doi = {10.36227/techrxiv.20224140.v1},
year = {2022},
date = {2022-07-07},
urldate = {2022-07-07},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
Cruz, Jonathan; Gaikwad, Pravin; Nair, Abhishek; Chakraborty, Prabuddha; Bhunia, Swarup
Automatic Hardware Trojan Insertion using Machine Learning Journal Article
In: arXiv preprint arXiv:2204.08580, 2022.
BibTeX | Tags:
@article{cruz2022MIMIC,
title = {Automatic Hardware Trojan Insertion using Machine Learning},
author = {Jonathan Cruz and Pravin Gaikwad and Abhishek Nair and Prabuddha Chakraborty and Swarup Bhunia},
year = {2022},
date = {2022-01-01},
journal = {arXiv preprint arXiv:2204.08580},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
2021
Hu, Yinghua; Zhang, Yuke; Yang, Kaixin; Chen, Dake; Beerel, Peter A.; Nuzzo, Pierluigi
Fun-SAT: Functional Corruptibility-Guided SAT-Based Attack on Sequential Logic Encryption Proceedings Article
In: 2021 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), IEEE, 2021.
Abstract | Links | BibTeX | Tags: Extract Design Secrets, IP Piracy, Overproduction, Reverse Engineering Attacks, Vulnerability Detection
@inproceedings{Hu2021,
title = {Fun-SAT: Functional Corruptibility-Guided SAT-Based Attack on Sequential Logic Encryption},
author = {Yinghua Hu and Yuke Zhang and Kaixin Yang and Dake Chen and Peter A. Beerel and Pierluigi Nuzzo},
url = {https://doi.org/10.1109/host49136.2021.9702267},
doi = {10.1109/host49136.2021.9702267},
year = {2021},
date = {2021-12-01},
booktitle = {2021 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)},
publisher = {IEEE},
abstract = {The SAT attack has shown to be efficient against most combinational logic encryption methods. It can be extended to attack sequential logic encryption techniques by leveraging circuit unrolling and model checking methods. However, with no guidance on the number of times that a circuit needs to be unrolled to find the correct key, the attack tends to solve many time-consuming Boolean satisfiability (SAT) and model checking problems, which can significantly hamper its efficiency. In this paper, we introduce Fun-SAT, a functional corruptibility-guided SAT-based attack that can significantly decrease the SAT solving and model checking time of a SAT-based attack on sequential encryption by efficiently estimating the minimum required number of circuit unrollings. Fun-SAT relies on a notion of functional corruptibility for encrypted sequential circuits and its relationship with the required number of circuit unrollings in a SAT-based attack. Numerical results show that Fun-SAT can be, on average, 90× faster than previous attacks against state-of-the-art encryption methods, when both attacks successfully complete before a one-day time-out. Moreover, Fun-SAT completes before the time-out on many more circuits.},
keywords = {Extract Design Secrets, IP Piracy, Overproduction, Reverse Engineering Attacks, Vulnerability Detection},
pubstate = {published},
tppubtype = {inproceedings}
}
The SAT attack has shown to be efficient against most combinational logic encryption methods. It can be extended to attack sequential logic encryption techniques by leveraging circuit unrolling and model checking methods. However, with no guidance on the number of times that a circuit needs to be unrolled to find the correct key, the attack tends to solve many time-consuming Boolean satisfiability (SAT) and model checking problems, which can significantly hamper its efficiency. In this paper, we introduce Fun-SAT, a functional corruptibility-guided SAT-based attack that can significantly decrease the SAT solving and model checking time of a SAT-based attack on sequential encryption by efficiently estimating the minimum required number of circuit unrollings. Fun-SAT relies on a notion of functional corruptibility for encrypted sequential circuits and its relationship with the required number of circuit unrollings in a SAT-based attack. Numerical results show that Fun-SAT can be, on average, 90× faster than previous attacks against state-of-the-art encryption methods, when both attacks successfully complete before a one-day time-out. Moreover, Fun-SAT completes before the time-out on many more circuits.
Yang, Shuo; Paul, Shubhra Deb; Bhunia, Swarup
Hands-on Learning of Hardware and Systems Security Journal Article
In: ASEE, vol. 9, no. 2, pp. 1-25, 2021.
Abstract | Links | BibTeX | Tags: Hardware Hacking Board
@article{Yang2021HandsOn,
title = {Hands-on Learning of Hardware and Systems Security},
author = {Shuo Yang and Shubhra Deb Paul and Swarup Bhunia},
url = {https://advances.asee.org/hands-on-learning-of-hardware-and-systems-security/
https://drive.google.com/file/d/1CQBGZnjjRzIG98iXiKTInjkveGcK_UdN/view},
year = {2021},
date = {2021-04-01},
journal = {ASEE},
volume = {9},
number = {2},
pages = {1-25},
abstract = {Hardware security is one of the most researched areas in the field of security. It focuses on discovering and understanding attacks and countermeasures for electronic hardware that provides the “root-of-trust” for modern computing systems upon which the software stack is built. The increasing reliance on electronic devices in our everyday life has also escalated the risks of experiencing security threats on these technologies. Students today are exposed to these devices and thus require a hands-on learning experience to be aware of the threats, solutions, and future research challenges in hardware security. Currently, there are limited opportunities for students to learn and understand hardware security. A significant factor limiting exposure to these topics is the lack of an accessible, low-cost, flexible, and ready-made platform for training students on the innards of a computing system and the spectrum of security issues/solutions at the hardware-level. In this paper, we introduce the motivation and efforts behind a course named “Hands-on Hardware Security.” The Department of Electrical and Computer Engineering at the University of Florida has been offering this course for the past three years in providing experiential learning of hardware security through a set of well-designed experiments performed on a custom hardware module. We also present, in detail, the idea of a custom-designed, easy-to-understand, flexible hardware module with fundamental building blocks that can emulate a computer system and create a network of connected devices. We refer to the module as “HaHa SEP” (Hardware Hacking Security Education Platform), and it encourages students to learn and exercise “ethical hacking,” a critical concept in the hardware security field. It is the first and only known lab course offered online, where students can perform ethical hacking of a computing system using a dedicated hardware module. This paper also provides a brief introduction to the experiments performed using this module, highlighting their significance in the field of Hardware Security. Finally, it concludes with a compilation of course evaluation survey results discussing the success of this course in engaging students’ interest in the subject matter and determining the accomplishment of maintaining a balance between their expectation and the effort required towards the course.},
keywords = {Hardware Hacking Board},
pubstate = {published},
tppubtype = {article}
}
Hardware security is one of the most researched areas in the field of security. It focuses on discovering and understanding attacks and countermeasures for electronic hardware that provides the “root-of-trust” for modern computing systems upon which the software stack is built. The increasing reliance on electronic devices in our everyday life has also escalated the risks of experiencing security threats on these technologies. Students today are exposed to these devices and thus require a hands-on learning experience to be aware of the threats, solutions, and future research challenges in hardware security. Currently, there are limited opportunities for students to learn and understand hardware security. A significant factor limiting exposure to these topics is the lack of an accessible, low-cost, flexible, and ready-made platform for training students on the innards of a computing system and the spectrum of security issues/solutions at the hardware-level. In this paper, we introduce the motivation and efforts behind a course named “Hands-on Hardware Security.” The Department of Electrical and Computer Engineering at the University of Florida has been offering this course for the past three years in providing experiential learning of hardware security through a set of well-designed experiments performed on a custom hardware module. We also present, in detail, the idea of a custom-designed, easy-to-understand, flexible hardware module with fundamental building blocks that can emulate a computer system and create a network of connected devices. We refer to the module as “HaHa SEP” (Hardware Hacking Security Education Platform), and it encourages students to learn and exercise “ethical hacking,” a critical concept in the hardware security field. It is the first and only known lab course offered online, where students can perform ethical hacking of a computing system using a dedicated hardware module. This paper also provides a brief introduction to the experiments performed using this module, highlighting their significance in the field of Hardware Security. Finally, it concludes with a compilation of course evaluation survey results discussing the success of this course in engaging students’ interest in the subject matter and determining the accomplishment of maintaining a balance between their expectation and the effort required towards the course.
Yasaei, Rozhin; Yu, Shih-Yuan; Faruque, Mohammad Abdullah Al
GNN4TJ: Graph Neural Networks for Hardware Trojan Detection at Register Transfer Level Proceedings Article
In: 2021 Design, Automation Test in Europe Conference Exhibition (DATE), pp. 1504-1509, 2021, ISSN: 1558-1101.
Abstract | Links | BibTeX | Tags: Design For Trust
@inproceedings{Yasaei2021DATEGNN,
title = {GNN4TJ: Graph Neural Networks for Hardware Trojan Detection at Register Transfer Level},
author = {Rozhin Yasaei and Shih-Yuan Yu and Mohammad Abdullah Al Faruque},
doi = {10.23919/DATE51398.2021.9474174},
issn = {1558-1101},
year = {2021},
date = {2021-02-01},
booktitle = {2021 Design, Automation Test in Europe Conference Exhibition (DATE)},
pages = {1504-1509},
abstract = {The time to market pressure and resource constraints has pushed System-on-Chip (SoC) designers toward outsourcing the design and using third-party Intellectual Property (IP). It has created an opportunity for rogue entities in the Integrated Circuit (IC) supply chain to insert malicious circuits in the hardware design, known as Hardware Trojans (HT). HT detection is a major hardware security challenge, and its early discovery is crucial because postponing the removal of HT to late in design or after the fabrication process would be very expensive. Current works suffer from several shortcomings such as reliance on a golden HT-free reference, unable to identify all types of HTs or unknown ones, burdening the designer with the manual review of code, or scalability issues. To overcome these limitations, we propose GNN4TJ, a novel golden reference-free HT detection method in the register transfer level (RTL) based on Graph Neural Network (GNN). GNN4TJ represents the hardware design as its intrinsic data structure, a graph, and generates the data flow graphs for RTL codes. We utilize GNN to extract the features from DFG, learn the circuit's behavior, and identify the presence of HT, in a fully automated pipeline. We evaluate our model on a dataset that we create by expanding the Trusthub [1] HT benchmarks. The results demonstrate that GNN4TJ detects unknown HT with 97% recall (true positive rate) very fast in 21.1ms.},
keywords = {Design For Trust},
pubstate = {published},
tppubtype = {inproceedings}
}
The time to market pressure and resource constraints has pushed System-on-Chip (SoC) designers toward outsourcing the design and using third-party Intellectual Property (IP). It has created an opportunity for rogue entities in the Integrated Circuit (IC) supply chain to insert malicious circuits in the hardware design, known as Hardware Trojans (HT). HT detection is a major hardware security challenge, and its early discovery is crucial because postponing the removal of HT to late in design or after the fabrication process would be very expensive. Current works suffer from several shortcomings such as reliance on a golden HT-free reference, unable to identify all types of HTs or unknown ones, burdening the designer with the manual review of code, or scalability issues. To overcome these limitations, we propose GNN4TJ, a novel golden reference-free HT detection method in the register transfer level (RTL) based on Graph Neural Network (GNN). GNN4TJ represents the hardware design as its intrinsic data structure, a graph, and generates the data flow graphs for RTL codes. We utilize GNN to extract the features from DFG, learn the circuit's behavior, and identify the presence of HT, in a fully automated pipeline. We evaluate our model on a dataset that we create by expanding the Trusthub [1] HT benchmarks. The results demonstrate that GNN4TJ detects unknown HT with 97% recall (true positive rate) very fast in 21.1ms.
Reimann, Lennart M.; Hanel, Luca; Sisejkovic, Dominik; Merchant, Farhad; Leupers, Rainer
QFlow: Quantitative Information Flow for Security-Aware Hardware Design in Verilog Proceedings Article
In: IEEE International Conference on Computer Design, 2021.
Abstract | Links | BibTeX | Tags: Design For Trust
@inproceedings{reimann2021qflow,
title = {QFlow: Quantitative Information Flow for Security-Aware Hardware Design in Verilog},
author = {Lennart M. Reimann and Luca Hanel and Dominik Sisejkovic and Farhad Merchant and Rainer Leupers},
url = {https://arxiv.org/abs/2109.02379},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
booktitle = {IEEE International Conference on Computer Design},
abstract = {The enormous amount of code required to design modern hardware implementations often leads to critical vulnerabilities being overlooked. Especially vulnerabilities that compromise the confidentiality of sensitive data, such as cryptographic keys, have a major impact on the trustworthiness of an entire system. Information flow analysis can elaborate whether information from sensitive signals flows towards outputs or untrusted components of the system. But most of these analytical strategies rely on the non-interference property, stating that the untrusted targets must not be influenced by the source's data, which is shown to be too inflexible for many applications. To address this issue, there are approaches to quantify the information flow between components such that insignificant leakage can be neglected. Due to the high computational complexity of this quantification, approximations are needed, which introduce mispredictions. To tackle those limitations, we reformulate the approximations. Further, we propose a tool QFlow with a higher detection rate than previous tools. It can be used by non-experienced users to identify data leakages in hardware designs, thus facilitating a security-aware design process.},
keywords = {Design For Trust},
pubstate = {published},
tppubtype = {inproceedings}
}
The enormous amount of code required to design modern hardware implementations often leads to critical vulnerabilities being overlooked. Especially vulnerabilities that compromise the confidentiality of sensitive data, such as cryptographic keys, have a major impact on the trustworthiness of an entire system. Information flow analysis can elaborate whether information from sensitive signals flows towards outputs or untrusted components of the system. But most of these analytical strategies rely on the non-interference property, stating that the untrusted targets must not be influenced by the source's data, which is shown to be too inflexible for many applications. To address this issue, there are approaches to quantify the information flow between components such that insignificant leakage can be neglected. Due to the high computational complexity of this quantification, approximations are needed, which introduce mispredictions. To tackle those limitations, we reformulate the approximations. Further, we propose a tool QFlow with a higher detection rate than previous tools. It can be used by non-experienced users to identify data leakages in hardware designs, thus facilitating a security-aware design process.
Yasaei, Rozhin; -, Shih; Naeini, Emad Kasaeyan; Faruque, Mohammad Abdullah Al
GNN4IP: Graph Neural Network for Hardware Intellectual Property Piracy Detection Journal Article
In: CoRR, vol. abs/2107.09130, 2021.
Abstract | Links | BibTeX | Tags: Design For Trust
@article{Yasaei2021GNN,
title = {GNN4IP: Graph Neural Network for Hardware Intellectual Property
Piracy Detection},
author = {Rozhin Yasaei and Shih - and Emad Kasaeyan Naeini and Mohammad Abdullah Al Faruque},
url = {https://arxiv.org/abs/2107.09130},
year = {2021},
date = {2021-01-01},
journal = {CoRR},
volume = {abs/2107.09130},
abstract = {Aggressive time-to-market constraints and enormous hardware design and fabrication costs have pushed the semiconductor industry toward hardware Intellectual Properties (IP) core design. However, the globalization of the integrated circuits (IC) supply chain exposes IP providers to theft and illegal redistribution of IPs. Watermarking and fingerprinting are proposed to detect IP piracy. Nevertheless, they come with additional hardware overhead and cannot guarantee IP security as advanced attacks are reported to remove the watermark, forge, or bypass it. In this work, we propose a novel methodology, GNN4IP, to assess similarities between circuits and detect IP piracy. We model the hardware design as a graph and construct a graph neural network model to learn its behavior using the comprehensive dataset of register transfer level codes and gate-level netlists that we have gathered. GNN4IP detects IP piracy with 96% accuracy in our dataset and recognizes the original IP in its obfuscated version with 100% accuracy.},
keywords = {Design For Trust},
pubstate = {published},
tppubtype = {article}
}
Aggressive time-to-market constraints and enormous hardware design and fabrication costs have pushed the semiconductor industry toward hardware Intellectual Properties (IP) core design. However, the globalization of the integrated circuits (IC) supply chain exposes IP providers to theft and illegal redistribution of IPs. Watermarking and fingerprinting are proposed to detect IP piracy. Nevertheless, they come with additional hardware overhead and cannot guarantee IP security as advanced attacks are reported to remove the watermark, forge, or bypass it. In this work, we propose a novel methodology, GNN4IP, to assess similarities between circuits and detect IP piracy. We model the hardware design as a graph and construct a graph neural network model to learn its behavior using the comprehensive dataset of register transfer level codes and gate-level netlists that we have gathered. GNN4IP detects IP piracy with 96% accuracy in our dataset and recognizes the original IP in its obfuscated version with 100% accuracy.
Moghaddas, Yasamin; Nguyen, Tommy; Yu, Shih-Yuan; Yasaei, Rozhin; Faruque, Mohammad Abdullah Al
Technical Report for HW2VEC -- A Graph Learning Tool for Automating Hardware Security Miscellaneous
2021.
Abstract | BibTeX | Tags: Design For Trust
@misc{moghaddas2021technical,
title = {Technical Report for HW2VEC -- A Graph Learning Tool for Automating Hardware Security},
author = {Yasamin Moghaddas and Tommy Nguyen and Shih-Yuan Yu and Rozhin Yasaei and Mohammad Abdullah Al Faruque},
year = {2021},
date = {2021-01-01},
abstract = {In this technical report, we present HW2VEC [11], an open-source graph learning tool for hardware security, and its implementation details (Figure 1). HW2VEC provides toolboxes for graph representation extraction in the form of Data Flow Graphs (DFGs) or Abstract Syntax Trees (ASTs) from hardware designs at RTL and GLN levels. Besides, HW2VEC also offers graph learning tools for representing hardware designs in vectors that preserve both structural features and behavioral features. To the best of our knowledge, HW2VEC is the first open-source research tool that supports applying graph learning methods to hardware designs in different abstraction levels for hardware security. We organize the remainder of this technical report as follows: Section 2 introduces the architecture of HW2VEC; Section 3 gives information about the use-case implementations; Section 4 provides the experimental results and demonstrates the performance of HW2VEC for two hardware security applications: HT detection and IP piracy detection; finally, Section 5 will conclude this report.},
keywords = {Design For Trust},
pubstate = {published},
tppubtype = {misc}
}
In this technical report, we present HW2VEC [11], an open-source graph learning tool for hardware security, and its implementation details (Figure 1). HW2VEC provides toolboxes for graph representation extraction in the form of Data Flow Graphs (DFGs) or Abstract Syntax Trees (ASTs) from hardware designs at RTL and GLN levels. Besides, HW2VEC also offers graph learning tools for representing hardware designs in vectors that preserve both structural features and behavioral features. To the best of our knowledge, HW2VEC is the first open-source research tool that supports applying graph learning methods to hardware designs in different abstraction levels for hardware security. We organize the remainder of this technical report as follows: Section 2 introduces the architecture of HW2VEC; Section 3 gives information about the use-case implementations; Section 4 provides the experimental results and demonstrates the performance of HW2VEC for two hardware security applications: HT detection and IP piracy detection; finally, Section 5 will conclude this report.
-, Shih; Yasaei, Rozhin; Zhou, Qingrong; Nguyen, Tommy; Faruque, Mohammad Abdullah Al
HW2VEC: A Graph Learning Tool for Automating Hardware Security Journal Article
In: CoRR, vol. abs/2107.12328, 2021.
Abstract | Links | BibTeX | Tags: Design For Trust
@article{Yu2021HW2VEC,
title = {HW2VEC: A Graph Learning Tool for Automating Hardware Security},
author = {Shih - and Rozhin Yasaei and Qingrong Zhou and Tommy Nguyen and Mohammad Abdullah Al Faruque},
url = {https://arxiv.org/abs/2107.12328},
year = {2021},
date = {2021-01-01},
journal = {CoRR},
volume = {abs/2107.12328},
abstract = {The time-to-market pressure and continuous growing complexity of hardware designs have promoted the globalization of the Integrated Circuit (IC) supply chain. However, such globalization also poses various security threats in each phase of the IC supply chain. Although the advancements of Machine Learning (ML) have pushed the frontier of hardware security, most conventional ML-based methods can only achieve the desired performance by manually finding a robust feature representation for circuits that are non-Euclidean data. As a result, modeling these circuits using graph learning to improve design flows has attracted research attention in the Electronic Design Automation (EDA) field. However, due to the lack of supporting tools, only a few existing works apply graph learning to resolve hardware security issues. To attract more attention, we propose HW2VEC, an open-source graph learning tool that lowers the threshold for newcomers to research hardware security applications with graphs. HW2VEC provides an automated pipeline for extracting a graph representation from a hardware design in various abstraction levels (register transfer level or gate-level netlist). Besides, HW2VEC users can automatically transform the non-Euclidean hardware designs into Euclidean graph embeddings for solving their problems. In this paper, we demonstrate that HW2VEC can achieve state-of-the-art performance on two hardware security-related tasks: Hardware Trojan Detection and Intellectual Property Piracy Detection. We provide the time profiling results for the graph extraction and the learning pipelines in HW2VEC.},
keywords = {Design For Trust},
pubstate = {published},
tppubtype = {article}
}
The time-to-market pressure and continuous growing complexity of hardware designs have promoted the globalization of the Integrated Circuit (IC) supply chain. However, such globalization also poses various security threats in each phase of the IC supply chain. Although the advancements of Machine Learning (ML) have pushed the frontier of hardware security, most conventional ML-based methods can only achieve the desired performance by manually finding a robust feature representation for circuits that are non-Euclidean data. As a result, modeling these circuits using graph learning to improve design flows has attracted research attention in the Electronic Design Automation (EDA) field. However, due to the lack of supporting tools, only a few existing works apply graph learning to resolve hardware security issues. To attract more attention, we propose HW2VEC, an open-source graph learning tool that lowers the threshold for newcomers to research hardware security applications with graphs. HW2VEC provides an automated pipeline for extracting a graph representation from a hardware design in various abstraction levels (register transfer level or gate-level netlist). Besides, HW2VEC users can automatically transform the non-Euclidean hardware designs into Euclidean graph embeddings for solving their problems. In this paper, we demonstrate that HW2VEC can achieve state-of-the-art performance on two hardware security-related tasks: Hardware Trojan Detection and Intellectual Property Piracy Detection. We provide the time profiling results for the graph extraction and the learning pipelines in HW2VEC.
Faezi, Sina; Yasaei, Rozhin; Barua, Anomadarshi; Faruque, Mohammad Abdullah Al
Brain-Inspired Golden Chip Free Hardware Trojan Detection Journal Article
In: IEEE Transactions on Information Forensics and Security, vol. 16, pp. 2697–2708, 2021.
Abstract | Links | BibTeX | Tags: Side Channel Analysis
@article{Faezi2021Brain,
title = {Brain-Inspired Golden Chip Free Hardware Trojan Detection},
author = {Sina Faezi and Rozhin Yasaei and Anomadarshi Barua and Mohammad Abdullah Al Faruque},
url = {https://doi.org/10.1109/tifs.2021.3062989},
doi = {10.1109/tifs.2021.3062989},
year = {2021},
date = {2021-01-01},
journal = {IEEE Transactions on Information Forensics and Security},
volume = {16},
pages = {2697--2708},
publisher = {Institute of Electrical and Electronics Engineers (IEEE)},
abstract = {Since 2007, the use of side-channel measurements for detecting Hardware Trojan (HT) has been extensively studied. However, the majority of works either rely on a golden chip, or they rely on methods that are not robust against subtle acceptable changes that would occur over the life-cycle of an integrated circuit (IC). In this paper, we propose using a brain-inspired architecture called Hierarchical Temporal Memory (HTM) for HT detection. Similar to the human brain, our proposed solution is resilient against <italic>natural</italic> changes that might happen in the side-channel measurements while being able to accurately detect abnormal behavior of the chip when the HT gets triggered. We use a self-referencing method for HT detection, which eliminates the need for the golden chip. The effectiveness of our approach is evaluated using TrustHub benchmarks, which shows 92.20% detection accuracy on average.},
keywords = {Side Channel Analysis},
pubstate = {published},
tppubtype = {article}
}
Since 2007, the use of side-channel measurements for detecting Hardware Trojan (HT) has been extensively studied. However, the majority of works either rely on a golden chip, or they rely on methods that are not robust against subtle acceptable changes that would occur over the life-cycle of an integrated circuit (IC). In this paper, we propose using a brain-inspired architecture called Hierarchical Temporal Memory (HTM) for HT detection. Similar to the human brain, our proposed solution is resilient against <italic>natural</italic> changes that might happen in the side-channel measurements while being able to accurately detect abnormal behavior of the chip when the HT gets triggered. We use a self-referencing method for HT detection, which eliminates the need for the golden chip. The effectiveness of our approach is evaluated using TrustHub benchmarks, which shows 92.20% detection accuracy on average.
Chakraborty, Prabuddha; Cruz, Jonathan; Alaql, Abdulrahman; Bhunia, Swarup
SAIL: Analyzing Structural Artifacts of Logic Locking using Machine Learning Journal Article
In: IEEE Transactions on Information Forensics and Security, pp. 1-1, 2021, ISSN: 1556-6021.
Abstract | Links | BibTeX | Tags:
@article{Chakraborty2021SAIL,
title = {SAIL: Analyzing Structural Artifacts of Logic Locking using Machine Learning},
author = {Prabuddha Chakraborty and Jonathan Cruz and Abdulrahman Alaql and Swarup Bhunia},
doi = {10.1109/TIFS.2021.3096028},
issn = {1556-6021},
year = {2021},
date = {2021-01-01},
journal = {IEEE Transactions on Information Forensics and Security},
pages = {1-1},
abstract = {Obfuscation or Logic locking (LL) is a technique for protecting hardware intellectual property (IP) blocks against diverse threats, including IP theft, reverse engineering, and malicious modifications. State-of-the-art locking techniques primarily focus on securing a design from unauthorized usage by disabling correct functionality – they often do not directly address hiding design intent through structural transformations. They rely on the synthesis tool to introduce structural changes. We observe that this process is insufficient as the resulting changes in circuit topology are: (1) local and (2) predictable. In this paper, we analyze the structural transformations introduced by LL and introduce a potential attack, called SAIL, that can exploit structural artifacts introduced by LL. SAIL uses machine learning (ML) guided structural recovery that exposes a critical vulnerability in these techniques. Through this attack, we demonstrate that the gate-level structure of a locked design can be retrieved in most parts through a systematic set of steps. The proposed attack is applicable to most forms of logic locking, and significantly more powerful than existing attacks, e.g., SAT-based attacks, since it does not require the availability of golden functional responses (e.g., an unlocked IC). Evaluation on benchmark circuits shows that we can recover an average of about 92%, up to 97%, transformations (Top-10 R-Metric) introduced by logic locking. We show that this attack is scalable, flexible, and versatile. Additionally, to evaluate the SAIL attack resilience of a locked design, we present the SIVA-Metric that is fast in terms of computation speed and does not require any training. We also propose possible mitigation steps for incorporating SAIL resilience into a locked design.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Obfuscation or Logic locking (LL) is a technique for protecting hardware intellectual property (IP) blocks against diverse threats, including IP theft, reverse engineering, and malicious modifications. State-of-the-art locking techniques primarily focus on securing a design from unauthorized usage by disabling correct functionality – they often do not directly address hiding design intent through structural transformations. They rely on the synthesis tool to introduce structural changes. We observe that this process is insufficient as the resulting changes in circuit topology are: (1) local and (2) predictable. In this paper, we analyze the structural transformations introduced by LL and introduce a potential attack, called SAIL, that can exploit structural artifacts introduced by LL. SAIL uses machine learning (ML) guided structural recovery that exposes a critical vulnerability in these techniques. Through this attack, we demonstrate that the gate-level structure of a locked design can be retrieved in most parts through a systematic set of steps. The proposed attack is applicable to most forms of logic locking, and significantly more powerful than existing attacks, e.g., SAT-based attacks, since it does not require the availability of golden functional responses (e.g., an unlocked IC). Evaluation on benchmark circuits shows that we can recover an average of about 92%, up to 97%, transformations (Top-10 R-Metric) introduced by logic locking. We show that this attack is scalable, flexible, and versatile. Additionally, to evaluate the SAIL attack resilience of a locked design, we present the SIVA-Metric that is fast in terms of computation speed and does not require any training. We also propose possible mitigation steps for incorporating SAIL resilience into a locked design.
Sengupta, Anirban; Rathor, Mahendra
Facial Biometric for Securing Hardware Accelerators Journal Article
In: IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 29, no. 1, pp. 112-123, 2021, ISSN: 1557-9999.
Abstract | Links | BibTeX | Tags: IP Protection
@article{Sengupta2021Facial,
title = {Facial Biometric for Securing Hardware Accelerators},
author = {Anirban Sengupta and Mahendra Rathor},
doi = {10.1109/TVLSI.2020.3029245},
issn = {1557-9999},
year = {2021},
date = {2021-01-01},
journal = {IEEE Transactions on Very Large Scale Integration (VLSI) Systems},
volume = {29},
number = {1},
pages = {112-123},
abstract = {This article presents a novel facial biometrics-based hardware security methodology to secure hardware accelerators [such as digital signal processing (DSP) and multimedia intellectual property (IP) cores] against ownership threats/IP piracy. In this approach, an IP vendor's facial biometrics is first converted into a corresponding facial signature representing digital template, followed by embedding facial signature's digital template into the design in the form of secret biometric constraints, thereby generating a secured hardware accelerator design. The results report the following qualitative and quantitative analysis of the proposed biometric fingerprint approach: 1) impact of five different facial biometrics constraints on probability of coincidence (Pc) metric (indicating strength of digital evidence). The proposed approach achieves a very low Pc value in the range of 1.54E-5 to 2.01E-5; 2) impact of different facial feature set of a facial biometric image on total number of generated secret constraints and Pc. As evident, for all facial feature sets implemented, Pc ranges between 3.31E-4 and 2.01E-5; and 3) comparative analysis of proposed approach with recent work, for different DSP applications and five different facial biometric images, in terms of Pc. As evident, the proposed approach achieves significantly lower Pc, compared with recent work.},
keywords = {IP Protection},
pubstate = {published},
tppubtype = {article}
}
This article presents a novel facial biometrics-based hardware security methodology to secure hardware accelerators [such as digital signal processing (DSP) and multimedia intellectual property (IP) cores] against ownership threats/IP piracy. In this approach, an IP vendor's facial biometrics is first converted into a corresponding facial signature representing digital template, followed by embedding facial signature's digital template into the design in the form of secret biometric constraints, thereby generating a secured hardware accelerator design. The results report the following qualitative and quantitative analysis of the proposed biometric fingerprint approach: 1) impact of five different facial biometrics constraints on probability of coincidence (Pc) metric (indicating strength of digital evidence). The proposed approach achieves a very low Pc value in the range of 1.54E-5 to 2.01E-5; 2) impact of different facial feature set of a facial biometric image on total number of generated secret constraints and Pc. As evident, for all facial feature sets implemented, Pc ranges between 3.31E-4 and 2.01E-5; and 3) comparative analysis of proposed approach with recent work, for different DSP applications and five different facial biometric images, in terms of Pc. As evident, the proposed approach achieves significantly lower Pc, compared with recent work.
Sisejkovic, Dominik; Merchant, Farhad; Reimann, Lennart M; Srivastava, Harshit; Hallawa, Ahmed; Leupers, Rainer
Challenging the Security of Logic Locking Schemes in the Era of Deep Learning: A Neuroevolutionary Approach Journal Article
In: J. Emerg. Technol. Comput. Syst., vol. 17, no. 3, 2021, ISSN: 1550-4832.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation
@article{10.1145/3431389,
title = {Challenging the Security of Logic Locking Schemes in the Era of Deep Learning: A Neuroevolutionary Approach},
author = {Dominik Sisejkovic and Farhad Merchant and Lennart M Reimann and Harshit Srivastava and Ahmed Hallawa and Rainer Leupers},
url = {https://doi.org/10.1145/3431389},
doi = {10.1145/3431389},
issn = {1550-4832},
year = {2021},
date = {2021-01-01},
journal = {J. Emerg. Technol. Comput. Syst.},
volume = {17},
number = {3},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
abstract = {Logic locking is a prominent technique to protect the integrity of hardware designs throughout the integrated circuit design and fabrication flow. However, in recent years, the security of locking schemes has been thoroughly challenged by the introduction of various deobfuscation attacks. As in most research branches, deep learning is being introduced in the domain of logic locking as well. Therefore, in this article we present SnapShot, a novel attack on logic locking that is the first of its kind to utilize artificial neural networks to directly predict a key bit value from a locked synthesized gate-level netlist without using a golden reference. Hereby, the attack uses a simpler yet more flexible learning model compared to existing work. Two different approaches are evaluated. The first approach is based on a simple feedforward fully connected neural network. The second approach utilizes genetic algorithms to evolve more complex convolutional neural network architectures specialized for the given task. The attack flow offers a generic and customizable framework for attacking locking schemes using machine learning techniques. We perform an extensive evaluation of SnapShot for two realistic attack scenarios, comprising both reference combinational and sequential benchmark circuits as well as silicon-proven RISC-V core modules. The evaluation results show that SnapShot achieves an average key prediction accuracy of 82.60% for the selected attack scenario, with a significant performance increase of 10.49 percentage points compared to the state of the art. Moreover, SnapShot outperforms the existing technique on all evaluated benchmarks. The results indicate that the security foundation of common logic locking schemes is built on questionable assumptions. Based on the lessons learned, we discuss the vulnerabilities and potentials of logic locking uncovered by SnapShot. The conclusions offer insights into the challenges of designing future logic locking schemes that are resilient to machine learning attacks.},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {article}
}
Logic locking is a prominent technique to protect the integrity of hardware designs throughout the integrated circuit design and fabrication flow. However, in recent years, the security of locking schemes has been thoroughly challenged by the introduction of various deobfuscation attacks. As in most research branches, deep learning is being introduced in the domain of logic locking as well. Therefore, in this article we present SnapShot, a novel attack on logic locking that is the first of its kind to utilize artificial neural networks to directly predict a key bit value from a locked synthesized gate-level netlist without using a golden reference. Hereby, the attack uses a simpler yet more flexible learning model compared to existing work. Two different approaches are evaluated. The first approach is based on a simple feedforward fully connected neural network. The second approach utilizes genetic algorithms to evolve more complex convolutional neural network architectures specialized for the given task. The attack flow offers a generic and customizable framework for attacking locking schemes using machine learning techniques. We perform an extensive evaluation of SnapShot for two realistic attack scenarios, comprising both reference combinational and sequential benchmark circuits as well as silicon-proven RISC-V core modules. The evaluation results show that SnapShot achieves an average key prediction accuracy of 82.60% for the selected attack scenario, with a significant performance increase of 10.49 percentage points compared to the state of the art. Moreover, SnapShot outperforms the existing technique on all evaluated benchmarks. The results indicate that the security foundation of common logic locking schemes is built on questionable assumptions. Based on the lessons learned, we discuss the vulnerabilities and potentials of logic locking uncovered by SnapShot. The conclusions offer insights into the challenges of designing future logic locking schemes that are resilient to machine learning attacks.
Sengupta, Anirban
Key-triggered Hash-chaining based Encoded Hardware Steganography for Securing DSP Hardware Accelerators Book Forthcoming
Forthcoming, ISBN: 978-1-83953-306-8.
BibTeX | Tags: IP Protection
@book{Sengupta2021Key-triggered,
title = {Key-triggered Hash-chaining based Encoded Hardware Steganography for Securing DSP Hardware Accelerators},
author = {Anirban Sengupta},
isbn = {978-1-83953-306-8},
year = {2021},
date = {2021-01-01},
keywords = {IP Protection},
pubstate = {forthcoming},
tppubtype = {book}
}
Sengupta, Anirban
Cryptography driven IP steganography for DSP Hardware Accelerators Book Forthcoming
Forthcoming, ISBN: 978-1-83953-306-8.
BibTeX | Tags: IP Protection
@book{Sengupta2021Cryptography,
title = {Cryptography driven IP steganography for DSP Hardware Accelerators},
author = {Anirban Sengupta},
isbn = {978-1-83953-306-8},
year = {2021},
date = {2021-01-01},
keywords = {IP Protection},
pubstate = {forthcoming},
tppubtype = {book}
}
Zhu, Huifeng; Guo, Xiaolong; Jin, Yier; Zhang, Xuan
PCBench: Benchmarking of Board-Level Hardware Attacks and Trojans Proceedings Article Forthcoming
In: IEEE/ACM Asia and South Pacific Design Automation Conference, Forthcoming.
Abstract | BibTeX | Tags: PCB Trust Verification
@inproceedings{Zhu2021PCBench,
title = {PCBench: Benchmarking of Board-Level Hardware Attacks and Trojans},
author = {Huifeng Zhu and Xiaolong Guo and Yier Jin and Xuan Zhang},
year = {2021},
date = {2021-01-01},
booktitle = {IEEE/ACM Asia and South Pacific Design Automation Conference},
abstract = {Most modern electronic systems are hosted by printed circuit boards (PCBs), making them a ubiquitous system component that can take many different shapes and forms. In order to achieve a high level
of economy of scale, the global supply chain of electronic systems has evolved into disparate segments for the design, fabrication, assembly, and testing of PCB boards and their various associated
components. As a consequence, the modern PCB supply chain exposes many vulnerabilities along its different stages, allowing adversaries to introduce malicious alterations to facilitate board-level attacks.
As an emerging hardware threat, the attack and defense techniques at the board level have not yet been systemically explored and thus require a thorough and comprehensive investigation. In
the absence of standard board-level attack benchmark, current research on perspective countermeasures is likely to be evaluated on proprietary variants of ad-hoc attacks, preventing credible and
verifiable comparison among different techniques. Upon this request, in this paper, we will systematically define and categorize a broad range of board-level attacks. For the first time, the attack
vectors and construction rules for board-level attacks are developed. A practical and reliable board-level attack benchmark generation scheme is also developed, which can be used to produce references
for evaluating countermeasures. Finally, based on the proposed approach, we have created a comprehensive set of board-level attack benchmarks for open-source release.},
keywords = {PCB Trust Verification},
pubstate = {forthcoming},
tppubtype = {inproceedings}
}
Most modern electronic systems are hosted by printed circuit boards (PCBs), making them a ubiquitous system component that can take many different shapes and forms. In order to achieve a high level
of economy of scale, the global supply chain of electronic systems has evolved into disparate segments for the design, fabrication, assembly, and testing of PCB boards and their various associated
components. As a consequence, the modern PCB supply chain exposes many vulnerabilities along its different stages, allowing adversaries to introduce malicious alterations to facilitate board-level attacks.
As an emerging hardware threat, the attack and defense techniques at the board level have not yet been systemically explored and thus require a thorough and comprehensive investigation. In
the absence of standard board-level attack benchmark, current research on perspective countermeasures is likely to be evaluated on proprietary variants of ad-hoc attacks, preventing credible and
verifiable comparison among different techniques. Upon this request, in this paper, we will systematically define and categorize a broad range of board-level attacks. For the first time, the attack
vectors and construction rules for board-level attacks are developed. A practical and reliable board-level attack benchmark generation scheme is also developed, which can be used to produce references
for evaluating countermeasures. Finally, based on the proposed approach, we have created a comprehensive set of board-level attack benchmarks for open-source release.
of economy of scale, the global supply chain of electronic systems has evolved into disparate segments for the design, fabrication, assembly, and testing of PCB boards and their various associated
components. As a consequence, the modern PCB supply chain exposes many vulnerabilities along its different stages, allowing adversaries to introduce malicious alterations to facilitate board-level attacks.
As an emerging hardware threat, the attack and defense techniques at the board level have not yet been systemically explored and thus require a thorough and comprehensive investigation. In
the absence of standard board-level attack benchmark, current research on perspective countermeasures is likely to be evaluated on proprietary variants of ad-hoc attacks, preventing credible and
verifiable comparison among different techniques. Upon this request, in this paper, we will systematically define and categorize a broad range of board-level attacks. For the first time, the attack
vectors and construction rules for board-level attacks are developed. A practical and reliable board-level attack benchmark generation scheme is also developed, which can be used to produce references
for evaluating countermeasures. Finally, based on the proposed approach, we have created a comprehensive set of board-level attack benchmarks for open-source release.
Zeng, Wei; Davoodi, Azadeh; Topaloglu, Rasit Onur
ObfusX: Routing Obfuscation with Explanatory Analysis of A Machine Learning Attack Proceedings Article
In: IEEE/ACM Asia and South Pacific Design Automation Conference, 2021.
Abstract | Links | BibTeX | Tags: Obfuscation
@inproceedings{zeng2021obfusx,
title = {ObfusX: Routing Obfuscation with Explanatory Analysis of A Machine Learning Attack},
author = {Wei Zeng and Azadeh Davoodi and Rasit Onur Topaloglu},
url = {https://dl.acm.org/doi/10.1145/3394885.3431600},
doi = {10.1145/3394885.3431600},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
booktitle = {IEEE/ACM Asia and South Pacific Design Automation Conference},
abstract = {This is the first work that incorporates recent advancements in "explainability" of machine learning (ML) to build a routing obfuscator called ObfusX. We adopt a recent metric---the SHAP value---which explains to what extent each layout feature can reveal each unknown connection for a recent ML-based split manufacturing attack model. The unique benefits of SHAP-based analysis include the ability to identify the best candidates for obfuscation, together with the dominant layout features which make them vulnerable. As a result, ObfusX can achieve better hit rate (97% lower) while perturbing significantly fewer nets when obfuscating using a via perturbation scheme, compared to prior work. When imposing the same wirelength limit using a wire lifting scheme, ObfusX performs significantly better in performance metrics (e.g., 2.4 times more reduction on average in percentage of netlist recovery).},
keywords = {Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
This is the first work that incorporates recent advancements in "explainability" of machine learning (ML) to build a routing obfuscator called ObfusX. We adopt a recent metric---the SHAP value---which explains to what extent each layout feature can reveal each unknown connection for a recent ML-based split manufacturing attack model. The unique benefits of SHAP-based analysis include the ability to identify the best candidates for obfuscation, together with the dominant layout features which make them vulnerable. As a result, ObfusX can achieve better hit rate (97% lower) while perturbing significantly fewer nets when obfuscating using a via perturbation scheme, compared to prior work. When imposing the same wirelength limit using a wire lifting scheme, ObfusX performs significantly better in performance metrics (e.g., 2.4 times more reduction on average in percentage of netlist recovery).
2020
F, Muhammad Arsath K; Ganesan, Vinod; Bodduna, Rahul; Rebeiro, Chester
PARAM: A Microprocessor Hardened for Power Side-Channel Attack Resistance Journal Article
In: 2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), 2020.
Links | BibTeX | Tags: SCA Attacks, Side Channel Analysis
@article{arsath2020param,
title = {PARAM: A Microprocessor Hardened for Power Side-Channel Attack Resistance},
author = {Muhammad Arsath K F and Vinod Ganesan and Rahul Bodduna and Chester Rebeiro},
url = {http://dx.doi.org/10.1109/HOST45689.2020.9300263},
doi = {10.1109/host45689.2020.9300263},
year = {2020},
date = {2020-12-01},
journal = {2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)},
publisher = {IEEE},
keywords = {SCA Attacks, Side Channel Analysis},
pubstate = {published},
tppubtype = {article}
}
F, Muhammad Arsath K; Ganesan, Vinod; Bodduna, Rahul; Rebeiro, Chester
PARAM: A Microprocessor Hardened for Power Side-Channel Attack Resistance Proceedings Article
In: 2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 23-34, 2020.
Abstract | Links | BibTeX | Tags: Side Channel Analysis
@inproceedings{KPARAM2020,
title = {PARAM: A Microprocessor Hardened for Power Side-Channel Attack Resistance},
author = {Muhammad Arsath K F and Vinod Ganesan and Rahul Bodduna and Chester Rebeiro},
doi = {10.1109/HOST45689.2020.9300263},
year = {2020},
date = {2020-12-01},
booktitle = {2020 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)},
pages = {23-34},
abstract = {The power consumption of a microprocessor is a huge channel for information leakage. While the most popular exploitation of this channel is to recover cryptographic keys from embedded devices, other applications such as mobile app fingerprinting, reverse engineering of firmware, and password recovery are growing threats. Countermeasures proposed so far are tuned to specific applications, such as crypto-implementations. They are not scalable to the large number and variety of applications that typically run on a general purpose microprocessor.In this paper, we investigate the design of a microprocessor, called PARAM with increased resistance to power based sidechannel attacks. To design PARAM, we start with identifying the most leaking modules in an open-source RISC V processor. We evaluate the leakage in these modules and then add suitable countermeasures. The countermeasures depend on the cause of leakage in each module and can vary from simple modifications of the HDL code ensuring secure translation by the EDA tools, to obfuscating data and address lines thus breaking correlation with the processor's power consumption. The resultant processor is instantiated on the SASEBO-GIII FPGA board and found to resist Differential Power Analysis even after one million power traces. Compared to contemporary countermeasures for power side-channel attacks, overheads in area and frequency are minimal.},
keywords = {Side Channel Analysis},
pubstate = {published},
tppubtype = {inproceedings}
}
The power consumption of a microprocessor is a huge channel for information leakage. While the most popular exploitation of this channel is to recover cryptographic keys from embedded devices, other applications such as mobile app fingerprinting, reverse engineering of firmware, and password recovery are growing threats. Countermeasures proposed so far are tuned to specific applications, such as crypto-implementations. They are not scalable to the large number and variety of applications that typically run on a general purpose microprocessor.In this paper, we investigate the design of a microprocessor, called PARAM with increased resistance to power based sidechannel attacks. To design PARAM, we start with identifying the most leaking modules in an open-source RISC V processor. We evaluate the leakage in these modules and then add suitable countermeasures. The countermeasures depend on the cause of leakage in each module and can vary from simple modifications of the HDL code ensuring secure translation by the EDA tools, to obfuscating data and address lines thus breaking correlation with the processor's power consumption. The resultant processor is instantiated on the SASEBO-GIII FPGA board and found to resist Differential Power Analysis even after one million power traces. Compared to contemporary countermeasures for power side-channel attacks, overheads in area and frequency are minimal.
Yavuz, Tuba; Bai, Ken (Yihang)
Analyzing system software components using API model guided symbolic execution Journal Article
In: Automated Software Engineering, 2020, ISSN: 1573-7535.
Abstract | Links | BibTeX | Tags: Software Assurance
@article{Yavuz2020b,
title = {Analyzing system software components using API model guided symbolic execution},
author = {Tuba Yavuz and Ken (Yihang) Bai},
url = {https://doi.org/10.1007/s10515-020-00276-5},
doi = {10.1007/s10515-020-00276-5},
issn = {1573-7535},
year = {2020},
date = {2020-09-19},
journal = {Automated Software Engineering},
abstract = {Analyzing real-world software is challenging due to complexity of the software frameworks or APIs they depend on. In this paper, we present a tool, PROMPT, that facilitates the analysisof software components using API model guided symbolic execution. PROMPT has a specification component, PROSE, that lets users define an API model, which consists of a set of data constraints and life-cycle rules that define control-flow constraints among sequentially composed API functions. Given a PROSE model and a software component, PROMPT symbolically executes the component while enforcing the specified API Wmodel. PROMPT has been implemented on top of the KLEE symbolic execution engine and has been applied to Linux device drivers from the video, sound, and network subsystems and to some vulnerable components of BlueZ, the implementation of the Bluetooth protocol stack for the Linux kernel. PROMPT detected two new and four known memory vulnerabilities in some of the analyzed system software components.},
keywords = {Software Assurance},
pubstate = {published},
tppubtype = {article}
}
Analyzing real-world software is challenging due to complexity of the software frameworks or APIs they depend on. In this paper, we present a tool, PROMPT, that facilitates the analysisof software components using API model guided symbolic execution. PROMPT has a specification component, PROSE, that lets users define an API model, which consists of a set of data constraints and life-cycle rules that define control-flow constraints among sequentially composed API functions. Given a PROSE model and a software component, PROMPT symbolically executes the component while enforcing the specified API Wmodel. PROMPT has been implemented on top of the KLEE symbolic execution engine and has been applied to Linux device drivers from the video, sound, and network subsystems and to some vulnerable components of BlueZ, the implementation of the Bluetooth protocol stack for the Linux kernel. PROMPT detected two new and four known memory vulnerabilities in some of the analyzed system software components.
Albartus, Nils; Hoffmann, Max; Temme, Sebastian; Azriel, Leonid; Paar, Christof
DANA Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering Journal Article
In: IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2020, no. 4, pp. 309-336, 2020.
Abstract | Links | BibTeX | Tags:
@article{Albartus2020dana,
title = {DANA Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering},
author = {Nils Albartus and Max Hoffmann and Sebastian Temme and Leonid Azriel and Christof Paar},
url = {https://tches.iacr.org/index.php/TCHES/article/view/8685},
doi = {10.13154/tches.v2020.i4.309-336},
year = {2020},
date = {2020-08-01},
journal = {IACR Transactions on Cryptographic Hardware and Embedded Systems},
volume = {2020},
number = {4},
pages = {309-336},
abstract = {<p>Reverse engineering of integrated circuits, i.e., understanding the internals of Integrated Circuits (ICs), is required for many benign and malicious applications. Examples of the former are detection of patent infringements, hardware Trojans or Intellectual Property (IP)-theft, as well as interface recovery and defect analysis, while malicious applications include IP-theft and finding insertion points for hardware Trojans. However, regardless of the application, the reverse engineer initially starts with a large unstructured netlist, forming an incomprehensible sea of gates.<br>This work presents DANA, a generic, technology-agnostic, and fully automated dataflow analysis methodology for flattened gate-level netlists. By analyzing the flow of data between individual Flip Flops (FFs), DANA recovers high-level registers. The key idea behind DANA is to combine independent metrics based on structural and control information with a powerful automated architecture. Notably, DANA works without any thresholds, scenario-dependent parameters, or other “magic” values that the user must choose. We evaluate DANA on nine modern hardware designs, ranging from cryptographic co-processors, over CPUs, to the OpenTitan, a stateof- the-art System-on-Chip (SoC), which is maintained by the lowRISC initiative with supporting industry partners like Google and Western Digital. Our results demonstrate almost perfect recovery of registers for all case studies, regardless whether they were synthesized as FPGA or ASIC netlists. Furthermore, we explore two applications for dataflow analysis: we show that the raw output of DANA often already allows to identify crucial components and high-level architecture features and also demonstrate its applicability for detecting simple hardware Trojans.<br>Hence, DANA can be applied universally as the first step when investigating unknown netlists and provides major guidance for human analysts by structuring and condensing the otherwise incomprehensible sea of gates. Our implementation of DANA and all synthesized netlists are available as open source on GitHub.</p>},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
<p>Reverse engineering of integrated circuits, i.e., understanding the internals of Integrated Circuits (ICs), is required for many benign and malicious applications. Examples of the former are detection of patent infringements, hardware Trojans or Intellectual Property (IP)-theft, as well as interface recovery and defect analysis, while malicious applications include IP-theft and finding insertion points for hardware Trojans. However, regardless of the application, the reverse engineer initially starts with a large unstructured netlist, forming an incomprehensible sea of gates.<br>This work presents DANA, a generic, technology-agnostic, and fully automated dataflow analysis methodology for flattened gate-level netlists. By analyzing the flow of data between individual Flip Flops (FFs), DANA recovers high-level registers. The key idea behind DANA is to combine independent metrics based on structural and control information with a powerful automated architecture. Notably, DANA works without any thresholds, scenario-dependent parameters, or other “magic” values that the user must choose. We evaluate DANA on nine modern hardware designs, ranging from cryptographic co-processors, over CPUs, to the OpenTitan, a stateof- the-art System-on-Chip (SoC), which is maintained by the lowRISC initiative with supporting industry partners like Google and Western Digital. Our results demonstrate almost perfect recovery of registers for all case studies, regardless whether they were synthesized as FPGA or ASIC netlists. Furthermore, we explore two applications for dataflow analysis: we show that the raw output of DANA often already allows to identify crucial components and high-level architecture features and also demonstrate its applicability for detecting simple hardware Trojans.<br>Hence, DANA can be applied universally as the first step when investigating unknown netlists and provides major guidance for human analysts by structuring and condensing the otherwise incomprehensible sea of gates. Our implementation of DANA and all synthesized netlists are available as open source on GitHub.</p&gt;
Rathor, Mahendra; Sengupta, Anirban
IP Core Steganography Using Switch Based Key-Driven Hash-Chaining and Encoding for Securing DSP Kernels Used in CE Systems Journal Article
In: IEEE Transactions on Consumer Electronics, vol. 66, no. 3, pp. 251-260, 2020, ISSN: 1558-4127.
Abstract | Links | BibTeX | Tags: IP Protection
@article{9129810,
title = {IP Core Steganography Using Switch Based Key-Driven Hash-Chaining and Encoding for Securing DSP Kernels Used in CE Systems},
author = {Mahendra Rathor and Anirban Sengupta},
doi = {10.1109/TCE.2020.3006050},
issn = {1558-4127},
year = {2020},
date = {2020-08-01},
journal = {IEEE Transactions on Consumer Electronics},
volume = {66},
number = {3},
pages = {251-260},
abstract = {Intellectual property (IP) core of digital signal processing (DSP) kernels act as hardware accelerators in consumer electronics (CE) systems. However due to rising threats of cloning and counterfeiting to an IP core, security remains an important subject of research for these hardware accelerators. This paper presents a novel key-driven hash-chaining based hardware steganography for securing such IP cores used in CE systems. The proposed approach is capable to implant secret invisible stego-marks in design using hash-chaining process that incorporates switches, strong large stego-keys, multiple encoding algorithms and hash blocks. The methodology proposed provides massive security against IP cloning and counterfeiting while incurring nominal design overhead (<; 0.3 %). The results of the proposed approach on comparison with state of the art indicated significantly stronger digital evidence (lower probability of co-incidence), stronger key size (in bits) and lower design cost using proposed stego-marks. Further, from an attacker's perspective, the proposed steganography increases an attacker's effort manifold during decoding the valid stego-key value (for generating/extracting original secret stego-mark), compared to existing approaches.},
keywords = {IP Protection},
pubstate = {published},
tppubtype = {article}
}
Intellectual property (IP) core of digital signal processing (DSP) kernels act as hardware accelerators in consumer electronics (CE) systems. However due to rising threats of cloning and counterfeiting to an IP core, security remains an important subject of research for these hardware accelerators. This paper presents a novel key-driven hash-chaining based hardware steganography for securing such IP cores used in CE systems. The proposed approach is capable to implant secret invisible stego-marks in design using hash-chaining process that incorporates switches, strong large stego-keys, multiple encoding algorithms and hash blocks. The methodology proposed provides massive security against IP cloning and counterfeiting while incurring nominal design overhead (<; 0.3 %). The results of the proposed approach on comparison with state of the art indicated significantly stronger digital evidence (lower probability of co-incidence), stronger key size (in bits) and lower design cost using proposed stego-marks. Further, from an attacker's perspective, the proposed steganography increases an attacker's effort manifold during decoding the valid stego-key value (for generating/extracting original secret stego-mark), compared to existing approaches.
Hoque, Tamzidul; Yang, Shuo; Bhattacharyay, Aritra; Cruz, Jonathan; Bhunia, Swarup
An Automated Framework for Board-level Trojan Benchmarking Miscellaneous
2020.
Abstract | Links | BibTeX | Tags: PCB Trust Verification
@misc{Hoque2020b,
title = {An Automated Framework for Board-level Trojan Benchmarking},
author = {Tamzidul Hoque and Shuo Yang and Aritra Bhattacharyay and Jonathan Cruz and Swarup Bhunia},
url = {https://arxiv.org/abs/2003.12632},
year = {2020},
date = {2020-03-27},
abstract = {Economic and operational advantages have led the supply chain of printed circuit boards (PCBs) to incorporate various untrusted entities. Any of the untrusted entities are capable of introducing malicious alterations to facilitate a functional failure or leakage of secret information during field operation. While researchers have been investigating the threat of malicious modification within the scale of individual microelectronic components, the possibility of a board-level malicious manipulation has essentially been unexplored. In the absence of standard benchmarking solutions, prospective countermeasures for PCB trust assurance are likely to utilize homegrown representation of the attacks that undermines their evaluation and does not provide scope for comparison with other techniques. In this paper, we have developed the first-ever benchmarking solution to facilitate an unbiased and comparable evaluation of countermeasures applicable to PCB trust assurance. Based on a taxonomy tailored for PCB-level alterations, we have developed high-level Trojan models. From these models, we have generated a custom pool of board-level Trojan designs of varied complexity and functionality. We have also developed a tool-flow for automatically inserting these Trojans into various PCB designs and generate the Trojan benchmarks (i.e., PCB designs with Trojan). The tool-based Trojan insertion facilitate a comprehensive evaluation against large number of diverse Trojan implementations and application of data mining for trust verification. Finally, with experimental measurements from a fabricated PCB, we analyze the stealthiness of the Trojan designs.},
keywords = {PCB Trust Verification},
pubstate = {published},
tppubtype = {misc}
}
Economic and operational advantages have led the supply chain of printed circuit boards (PCBs) to incorporate various untrusted entities. Any of the untrusted entities are capable of introducing malicious alterations to facilitate a functional failure or leakage of secret information during field operation. While researchers have been investigating the threat of malicious modification within the scale of individual microelectronic components, the possibility of a board-level malicious manipulation has essentially been unexplored. In the absence of standard benchmarking solutions, prospective countermeasures for PCB trust assurance are likely to utilize homegrown representation of the attacks that undermines their evaluation and does not provide scope for comparison with other techniques. In this paper, we have developed the first-ever benchmarking solution to facilitate an unbiased and comparable evaluation of countermeasures applicable to PCB trust assurance. Based on a taxonomy tailored for PCB-level alterations, we have developed high-level Trojan models. From these models, we have generated a custom pool of board-level Trojan designs of varied complexity and functionality. We have also developed a tool-flow for automatically inserting these Trojans into various PCB designs and generate the Trojan benchmarks (i.e., PCB designs with Trojan). The tool-based Trojan insertion facilitate a comprehensive evaluation against large number of diverse Trojan implementations and application of data mining for trust verification. Finally, with experimental measurements from a fabricated PCB, we analyze the stealthiness of the Trojan designs.
Srivastava, Milind; SLPSK, Patanjali; Roy, Indrani; Rebeiro, Chester; Hazra, Aritra; Bhunia, Swarup
SOLOMON: An Automated Framework for Detecting Fault Attack Vulnerabilities in Hardware Proceedings Article
In: Design, Automation, and Test in Europe Conference Exhibition (DATE), pp. 310-313, DATE IEEE, 2020, ISBN: 978-3-9819263-4-7.
Abstract | Links | BibTeX | Tags: Fault Injection Attacks
@inproceedings{Srivastava2020b,
title = {SOLOMON: An Automated Framework for Detecting Fault Attack Vulnerabilities in Hardware},
author = {Milind Srivastava and Patanjali SLPSK and Indrani Roy and Chester Rebeiro and Aritra Hazra and Swarup Bhunia},
url = {https://ieeexplore.ieee.org/document/9116380},
doi = {10.23919/DATE48585.2020.9116380},
isbn = {978-3-9819263-4-7},
year = {2020},
date = {2020-03-09},
booktitle = {Design, Automation, and Test in Europe Conference Exhibition (DATE)},
pages = {310-313},
publisher = {IEEE},
organization = {DATE},
abstract = {Fault attacks are potent physical attacks on crypto-devices. A single fault injected during encryption can reveal the cipher's secret key. In a hardware realization of an encryption algorithm, only a tiny fraction of the gates is exploitable by such an attack. Finding these vulnerable gates has been a manual and tedious task requiring considerable expertise. In this paper, we propose SOLOMON, the first automatic fault attack vulnerability detection framework for hardware designs. Given a cipher implementation, either at RTL or gate-level, SOLOMON uses formal methods to map vulnerable regions in the cipher algorithm to specific locations in the hardware thus enabling targeted countermeasures to be deployed with much lesser overheads. We demonstrate the efficacy of the SOLOMON framework using three ciphers: AES, CLEFIA, and Simon.},
keywords = {Fault Injection Attacks},
pubstate = {published},
tppubtype = {inproceedings}
}
Fault attacks are potent physical attacks on crypto-devices. A single fault injected during encryption can reveal the cipher's secret key. In a hardware realization of an encryption algorithm, only a tiny fraction of the gates is exploitable by such an attack. Finding these vulnerable gates has been a manual and tedious task requiring considerable expertise. In this paper, we propose SOLOMON, the first automatic fault attack vulnerability detection framework for hardware designs. Given a cipher implementation, either at RTL or gate-level, SOLOMON uses formal methods to map vulnerable regions in the cipher algorithm to specific locations in the hardware thus enabling targeted countermeasures to be deployed with much lesser overheads. We demonstrate the efficacy of the SOLOMON framework using three ciphers: AES, CLEFIA, and Simon.
K, Keerthi; Roy, Indrani; Rebeiro, Chester; Hazra, Aritra; Bhunia, Swarup
FEDS: Comprehensive Fault Attack Exploitability Detection for Software Implementations of Block Ciphers Journal Article
In: IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2020, no. 2, pp. 272-299, 2020.
Abstract | Links | BibTeX | Tags: Fault Injection Attacks
@article{Keerthi2020,
title = {FEDS: Comprehensive Fault Attack Exploitability Detection for Software Implementations of Block Ciphers},
author = {Keerthi K and Indrani Roy and Chester Rebeiro and Aritra Hazra and Swarup Bhunia},
url = {https://tches.iacr.org/index.php/TCHES/article/view/8552},
doi = {https://doi.org/10.13154/tches.v2020.i2.272-299},
year = {2020},
date = {2020-03-02},
journal = {IACR Transactions on Cryptographic Hardware and Embedded Systems},
volume = {2020},
number = {2},
pages = { 272-299},
abstract = {Fault injection attacks are one of the most powerful forms of cryptanalytic attacks on ciphers. A single precisely injected fault during the execution of a cipher like the AES, can completely reveal the key within a few milliseconds. Software implementations of ciphers, therefore, need to be thoroughly evaluated for such attacks. In recent years, automated tools have been developed to perform these evaluations. These tools either work on the cipher algorithm or on their implementations. Tools that work at the algorithm level can provide a comprehensive assessment of fault attack vulnerability for different fault attacks and with different fault models. Their application is, however, restricted because every realization of the cipher has unique vulnerabilities. On the other hand, tools that work on cipher implementations have a much wider application but are often restricted by the range of fault attacks and the number of fault models they can evaluate.
In this paper, we propose a framework, called FEDS, that uses a combination of compiler techniques and model checking to merge the advantages of both, algorithmic level tools as well as implementation level tools. Like the algorithmic level tools, FEDS can provide a comprehensive assessment of fault attack exploitability considering a wide range of fault attacks and fault models. Like implementation level tools, FEDS works with implementations, therefore has wide applications. We demonstrate the versatility of FEDS by evaluating seven different implementations of AES (including bitsliced implementation) and implementations of CLEFIA and CAMELLIA for Differential Fault Attacks. The framework automatically identifies exploitable instructions in all implementations. Further, we present an application of FEDS in a Fault Attack Aware Compiler, that can automatically identify and protect exploitable regions of the code. We demonstrate that the compiler can generate significantly more efficient code than a naïvely protected equivalent while maintaining the same level of protection.},
keywords = {Fault Injection Attacks},
pubstate = {published},
tppubtype = {article}
}
Fault injection attacks are one of the most powerful forms of cryptanalytic attacks on ciphers. A single precisely injected fault during the execution of a cipher like the AES, can completely reveal the key within a few milliseconds. Software implementations of ciphers, therefore, need to be thoroughly evaluated for such attacks. In recent years, automated tools have been developed to perform these evaluations. These tools either work on the cipher algorithm or on their implementations. Tools that work at the algorithm level can provide a comprehensive assessment of fault attack vulnerability for different fault attacks and with different fault models. Their application is, however, restricted because every realization of the cipher has unique vulnerabilities. On the other hand, tools that work on cipher implementations have a much wider application but are often restricted by the range of fault attacks and the number of fault models they can evaluate.
In this paper, we propose a framework, called FEDS, that uses a combination of compiler techniques and model checking to merge the advantages of both, algorithmic level tools as well as implementation level tools. Like the algorithmic level tools, FEDS can provide a comprehensive assessment of fault attack exploitability considering a wide range of fault attacks and fault models. Like implementation level tools, FEDS works with implementations, therefore has wide applications. We demonstrate the versatility of FEDS by evaluating seven different implementations of AES (including bitsliced implementation) and implementations of CLEFIA and CAMELLIA for Differential Fault Attacks. The framework automatically identifies exploitable instructions in all implementations. Further, we present an application of FEDS in a Fault Attack Aware Compiler, that can automatically identify and protect exploitable regions of the code. We demonstrate that the compiler can generate significantly more efficient code than a naïvely protected equivalent while maintaining the same level of protection.
In this paper, we propose a framework, called FEDS, that uses a combination of compiler techniques and model checking to merge the advantages of both, algorithmic level tools as well as implementation level tools. Like the algorithmic level tools, FEDS can provide a comprehensive assessment of fault attack exploitability considering a wide range of fault attacks and fault models. Like implementation level tools, FEDS works with implementations, therefore has wide applications. We demonstrate the versatility of FEDS by evaluating seven different implementations of AES (including bitsliced implementation) and implementations of CLEFIA and CAMELLIA for Differential Fault Attacks. The framework automatically identifies exploitable instructions in all implementations. Further, we present an application of FEDS in a Fault Attack Aware Compiler, that can automatically identify and protect exploitable regions of the code. We demonstrate that the compiler can generate significantly more efficient code than a naïvely protected equivalent while maintaining the same level of protection.
Potluri, Seetal; Aysu, Aydin; Kumar, Akash
SeqL: Secure Scan-Locking for IP Protection Proceedings Article
In: 2020 21st International Symposium on Quality Electronic Design (ISQED), pp. 7-13, 2020, ISSN: 1948-3287.
Abstract | Links | BibTeX | Tags: IP Protection
@inproceedings{Potluri2020SeqL,
title = {SeqL: Secure Scan-Locking for IP Protection},
author = {Seetal Potluri and Aydin Aysu and Akash Kumar},
doi = {10.1109/ISQED48828.2020.9136991},
issn = {1948-3287},
year = {2020},
date = {2020-03-01},
booktitle = {2020 21st International Symposium on Quality Electronic Design (ISQED)},
pages = {7-13},
abstract = {Existing logic-locking attacks are known to successfully decrypt functionally correct key of a locked combinational circuit. It is possible to extend these attacks to real-world Silicon-based Intellectual Properties (IPs, which are sequential circuits) through scan-chains by selectively initializing the combinational logic and analyzing the responses. In this paper, we propose SeqL, which achieves functional isolation and locks selective flip-flop functional-input/scan-output pairs, thus rendering the decrypted key functionally incorrect. We conduct a formal study of the scan-locking problem and demonstrate automating our proposed defense on any given IP. We show that SeqL hides functionally correct keys from the attacker, thereby increasing the likelihood of the decrypted key being functionally incorrect. When tested on pipelined combinational benchmarks (ISCAS, MCNC), sequential benchmarks (ITC) and a fully-fledged RISC-V CPU, SeqL gave 100% resilience to a broad range of state-of-the-art attacks including SAT [1], Double-DIP [2], HackTest [3], SMT [4], FALL [5], Shift-and-Leak [6] and Multi-cycle attacks [7].},
keywords = {IP Protection},
pubstate = {published},
tppubtype = {inproceedings}
}
Existing logic-locking attacks are known to successfully decrypt functionally correct key of a locked combinational circuit. It is possible to extend these attacks to real-world Silicon-based Intellectual Properties (IPs, which are sequential circuits) through scan-chains by selectively initializing the combinational logic and analyzing the responses. In this paper, we propose SeqL, which achieves functional isolation and locks selective flip-flop functional-input/scan-output pairs, thus rendering the decrypted key functionally incorrect. We conduct a formal study of the scan-locking problem and demonstrate automating our proposed defense on any given IP. We show that SeqL hides functionally correct keys from the attacker, thereby increasing the likelihood of the decrypted key being functionally incorrect. When tested on pipelined combinational benchmarks (ISCAS, MCNC), sequential benchmarks (ITC) and a fully-fledged RISC-V CPU, SeqL gave 100% resilience to a broad range of state-of-the-art attacks including SAT [1], Double-DIP [2], HackTest [3], SMT [4], FALL [5], Shift-and-Leak [6] and Multi-cycle attacks [7].
Karfa, Chandan; Chouksey, Ramanuj; Pilato, Christian; Garg, Siddharth; Karri, Ramesh
Is Register Transfer Level Locking Secure? Proceedings Article
In: 2020 Design, Automation Test in Europe Conference Exhibition (DATE), pp. 550-555, 2020, ISSN: 1558-1101.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation
@inproceedings{Karfa2020rtl,
title = {Is Register Transfer Level Locking Secure?},
author = {Chandan Karfa and Ramanuj Chouksey and Christian Pilato and Siddharth Garg and Ramesh Karri},
doi = {10.23919/DATE48585.2020.9116261},
issn = {1558-1101},
year = {2020},
date = {2020-03-01},
booktitle = {2020 Design, Automation Test in Europe Conference Exhibition (DATE)},
pages = {550-555},
abstract = {Register Transfer Level (RTL) locking seeks to prevent intellectual property (IP) theft of a design by locking the RTL description that functions correctly on the application of a key. This paper evaluates the security of a state-of-the-art RTL locking scheme using a satisfiability modulo theories (SMT) based algorithm to retrieve the secret key. The attack first obtains the high-level behavior of the locked RTL, and then use an SMT based formulation to find so-called distinguishing input patterns (DIP)1 The attack methodology has two main advantages over the gate-level attacks. First, since the attack handles the design at the RTL, the method scales to large designs. Second, the attack does not apply separate unlocking strategies for the combinational and sequential parts of a design; it handles both styles via a unifying abstraction. We demonstrate the attack on locked RTL generated by TAO [1], a state-of-the-art RTL locking solution. Empirical results show that we can partially or completely break designs locked by TAO.},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
Register Transfer Level (RTL) locking seeks to prevent intellectual property (IP) theft of a design by locking the RTL description that functions correctly on the application of a key. This paper evaluates the security of a state-of-the-art RTL locking scheme using a satisfiability modulo theories (SMT) based algorithm to retrieve the secret key. The attack first obtains the high-level behavior of the locked RTL, and then use an SMT based formulation to find so-called distinguishing input patterns (DIP)1 The attack methodology has two main advantages over the gate-level attacks. First, since the attack handles the design at the RTL, the method scales to large designs. Second, the attack does not apply separate unlocking strategies for the combinational and sequential parts of a design; it handles both styles via a unifying abstraction. We demonstrate the attack on locked RTL generated by TAO [1], a state-of-the-art RTL locking solution. Empirical results show that we can partially or completely break designs locked by TAO.
Lyu, Yangdi; Mishra, Prabhat
Automated Test Generation for Trojan Detection using Delay-based Side Channel Analysis Proceedings Article
In: 2020 Design, Automation & Test in Europe Conference & Exhibition (DATE), pp. 1031–1036, IEEE 2020, ISSN: 1558-1101.
Abstract | Links | BibTeX | Tags: Side Channel
@inproceedings{lyu2020automated1,
title = {Automated Test Generation for Trojan Detection using Delay-based Side Channel Analysis},
author = {Yangdi Lyu and Prabhat Mishra},
doi = {10.23919/DATE48585.2020.9116461},
issn = {1558-1101},
year = {2020},
date = {2020-03-01},
booktitle = {2020 Design, Automation & Test in Europe Conference & Exhibition (DATE)},
pages = {1031--1036},
organization = {IEEE},
abstract = {Side-channel analysis is widely used for hardware Trojan detection in integrated circuits by analyzing various side-channel signatures, such as timing, power and path delay. Existing delay-based side-channel analysis techniques have two major bottlenecks: (i) they are not suitable in detecting Trojans since the delay difference between the golden design and a Trojan inserted design is negligible, and (ii) they are not effective in creating robust delay signatures due to reliance on random and ATPG based test patterns. In this paper, we propose an efficient test generation technique to detect Trojans using delay-based side channel analysis. This paper makes two important contributions. (1) We propose an automated test generation algorithm to produce test patterns that are likely to activate trigger conditions, and change critical paths. Compared to existing approaches where delay difference is solely based on extra gates from a small Trojan, the change of critical paths by our approach will lead to significant difference in path delay. (2) We propose a fast and efficient reordering technique to maximize the delay deviation between the golden design and Trojan inserted design. Experimental results demonstrate that our approach significantly outperforms state-of-the-art approaches that rely on ATPG or random test patterns for delay-based side-channel analysis.},
keywords = {Side Channel},
pubstate = {published},
tppubtype = {inproceedings}
}
Side-channel analysis is widely used for hardware Trojan detection in integrated circuits by analyzing various side-channel signatures, such as timing, power and path delay. Existing delay-based side-channel analysis techniques have two major bottlenecks: (i) they are not suitable in detecting Trojans since the delay difference between the golden design and a Trojan inserted design is negligible, and (ii) they are not effective in creating robust delay signatures due to reliance on random and ATPG based test patterns. In this paper, we propose an efficient test generation technique to detect Trojans using delay-based side channel analysis. This paper makes two important contributions. (1) We propose an automated test generation algorithm to produce test patterns that are likely to activate trigger conditions, and change critical paths. Compared to existing approaches where delay difference is solely based on extra gates from a small Trojan, the change of critical paths by our approach will lead to significant difference in path delay. (2) We propose a fast and efficient reordering technique to maximize the delay deviation between the golden design and Trojan inserted design. Experimental results demonstrate that our approach significantly outperforms state-of-the-art approaches that rely on ATPG or random test patterns for delay-based side-channel analysis.
He, Jiaji; Ma, Haocheng; Guo, Xiaolong; Zhao, Yiqiang; Jin, Yier
Design for EM Side-Channel Security through Quantitative Assessment of RTL Implementations Proceedings Article
In: 2020 25th Asia and South Pacific Design Automation Conference (ASP-DAC), pp. 62-67, IEEE, Beijing, China , 2020.
Abstract | Links | BibTeX | Tags: Side Channel
@inproceedings{He2020,
title = {Design for EM Side-Channel Security through Quantitative Assessment of RTL Implementations},
author = {Jiaji He and Haocheng Ma and Xiaolong Guo and Yiqiang Zhao and Yier Jin },
url = {http://cadforassurance.org/wp-content/uploads/jiaji2020design.pdf},
doi = {10.1109/ASP-DAC47756.2020.9045426},
year = {2020},
date = {2020-01-13},
booktitle = {2020 25th Asia and South Pacific Design Automation Conference (ASP-DAC)},
pages = {62-67},
publisher = {IEEE},
address = {Beijing, China },
abstract = {Electromagnetic (EM) side-channel attacks aim at extracting secret information from cryptographic hardware implementations. Countermeasures have been proposed at the device level, register-transfer level (RTL), and layout level, though efficient, there are still requirements for quantitative assessment of the hardware implementations' resistance against EM side-channel attacks. In this paper, we propose a design for EM side-channel security evaluation and optimization framework based on the t-test evaluation results derived from RTL hardware implementations. Different implementations of the same cryptographic algorithm are evaluated under different hypothesis leakage models considering the driven capabilities of logic components, and the evaluation results are validated with side-channel attacks on FPGA platform. Experimental results prove the feasibility of the proposed side-channel leakage evaluation method at the pre-silicon stage. The remedies and suggested security design rules are also discussed.},
keywords = {Side Channel},
pubstate = {published},
tppubtype = {inproceedings}
}
Electromagnetic (EM) side-channel attacks aim at extracting secret information from cryptographic hardware implementations. Countermeasures have been proposed at the device level, register-transfer level (RTL), and layout level, though efficient, there are still requirements for quantitative assessment of the hardware implementations' resistance against EM side-channel attacks. In this paper, we propose a design for EM side-channel security evaluation and optimization framework based on the t-test evaluation results derived from RTL hardware implementations. Different implementations of the same cryptographic algorithm are evaluated under different hypothesis leakage models considering the driven capabilities of logic components, and the evaluation results are validated with side-channel attacks on FPGA platform. Experimental results prove the feasibility of the proposed side-channel leakage evaluation method at the pre-silicon stage. The remedies and suggested security design rules are also discussed.
Xu, Nuo; Liu, Qi; Liu, Tao; Liu, Zihao; Guo, Xiaochen; Wen, Wujie
Stealing your data from compressed machine learning models Proceedings Article
In: 2020 57th ACM/IEEE Design Automation Conference (DAC), pp. 1–6, IEEE 2020.
Abstract | Links | BibTeX | Tags: Extract Design Secrets
@inproceedings{xu2020stealing,
title = {Stealing your data from compressed machine learning models},
author = {Nuo Xu and Qi Liu and Tao Liu and Zihao Liu and Xiaochen Guo and Wujie Wen},
doi = {10.1109/DAC18072.2020.9218633},
year = {2020},
date = {2020-01-01},
urldate = {2020-01-01},
booktitle = {2020 57th ACM/IEEE Design Automation Conference (DAC)},
pages = {1--6},
organization = {IEEE},
abstract = {Machine learning models have been widely deployed in many real-world tasks. When a non-expert data holder wants to use a third-party machine learning service for model training, it is critical to preserve the confidentiality of the training data. In this paper, we for the first time explore the potential privacy leakage in a scenario that a malicious ML provider offers data holder customized training code including model compression which is essential in practical deployment The provider is unable to access the training process hosted by the secured third party, but could inquire models when they are released in public. As a result, adversary can extract sensitive training data with high quality even from these deeply compressed models that are tailored for resource-limited devices. Our investigation shows that existing compressions like quantization, can serve as a defense against such an attack, by degrading the model accuracy and memorized data quality simultaneously. To overcome this defense, we take an initial attempt to design a simple but stealthy quantized correlation encoding attack flow from an adversary perspective. Three integrated components-data pre-processing, layer-wise data-weight correlation regularization, data-aware quantization, are developed accordingly. Extensive experimental results show that our framework can preserve the evasiveness and effectiveness of stealing data from compressed models.},
keywords = {Extract Design Secrets},
pubstate = {published},
tppubtype = {inproceedings}
}
Machine learning models have been widely deployed in many real-world tasks. When a non-expert data holder wants to use a third-party machine learning service for model training, it is critical to preserve the confidentiality of the training data. In this paper, we for the first time explore the potential privacy leakage in a scenario that a malicious ML provider offers data holder customized training code including model compression which is essential in practical deployment The provider is unable to access the training process hosted by the secured third party, but could inquire models when they are released in public. As a result, adversary can extract sensitive training data with high quality even from these deeply compressed models that are tailored for resource-limited devices. Our investigation shows that existing compressions like quantization, can serve as a defense against such an attack, by degrading the model accuracy and memorized data quality simultaneously. To overcome this defense, we take an initial attempt to design a simple but stealthy quantized correlation encoding attack flow from an adversary perspective. Three integrated components-data pre-processing, layer-wise data-weight correlation regularization, data-aware quantization, are developed accordingly. Extensive experimental results show that our framework can preserve the evasiveness and effectiveness of stealing data from compressed models.
Hoque, Tamzidul; Cruz, Jonathan; Chakraborty, Prabuddha; Bhunia, Swarup
TReC: Trojan-Resilient Computing in Untrusted Processors using Software Variants Conference
GOMACTech-2020 Conference, 2020.
BibTeX | Tags: Attack Resilience
@conference{Hoque2020TReC,
title = {TReC: Trojan-Resilient Computing in Untrusted Processors using Software Variants},
author = {Tamzidul Hoque and Jonathan Cruz and Prabuddha Chakraborty and Swarup Bhunia},
year = {2020},
date = {2020-01-01},
booktitle = {GOMACTech-2020 Conference},
keywords = {Attack Resilience},
pubstate = {published},
tppubtype = {conference}
}
Nair, Abhishek; SLPSK, Patanjali; Rebeiro, Chester; Bhunia, Swarup
SIGNED: A Challenge-Response Based Interrogation Scheme for Simultaneous Watermarking and Trojan Detection Miscellaneous
2020.
Links | BibTeX | Tags: IC Trust Verification
@misc{nair2020signed,
title = {SIGNED: A Challenge-Response Based Interrogation Scheme for Simultaneous Watermarking and Trojan Detection},
author = {Abhishek Nair and Patanjali SLPSK and Chester Rebeiro and Swarup Bhunia},
url = {https://arxiv.org/abs/2010.05209},
year = {2020},
date = {2020-01-01},
keywords = {IC Trust Verification},
pubstate = {published},
tppubtype = {misc}
}
Santikellur, Pranesh; Chakraborty, Rajat Subhra
A Computationally Efficient Tensor Regression Network based Modeling Attack on XOR Arbiter PUF and its Variants Journal Article
In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, pp. 1-1, 2020, ISSN: 1937-4151.
Abstract | Links | BibTeX | Tags: Attack Resillience
@article{Santikellur2020Computb,
title = {A Computationally Efficient Tensor Regression Network based Modeling Attack on XOR Arbiter PUF and its Variants},
author = {Pranesh Santikellur and Rajat Subhra Chakraborty},
doi = {10.1109/TCAD.2020.3032624},
issn = {1937-4151},
year = {2020},
date = {2020-01-01},
journal = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
pages = {1-1},
abstract = {XOR Arbiter PUF (XOR APUF), where the outputs of multiple APUFs are XOR-ed, has proven to be more robust to machine learning based modeling attacks. The reported successful modeling attacks for XOR APUF either employ auxiliary side-channel or reliability information, or require enormous computational effort. This robustness is primarily due to the difficulty in learning the unknown internal delay parameter terms in the mathematical model of a XOR APUF, and the robustness increases as the number of APUFs being XOR-ed increases. In this paper, we employ a novel machine learning based modeling technique called efficient CANDECOMP/PARAFAC-Tensor Regression Network (CP-TRN), a variant of CP-decomposition based tensor regression network, to reduce the computational resource requirement of model building attacks on XOR APUF. We theoretically prove the reduction in computational complexity, as well as give supporting experimental results. In addition, our proposed technique does not require any auxiliary information, and is robust to noisy training data. The proposed technique allowed us to successfully model 64-bit 8-XOR APUF and 128-bit 7-XOR APUF on a single desktop workstation, with high prediction accuracy. Further, we extend the proposed modeling attack technique to XOR APUF variants, e.g. Lightweight Secure PUF (LSPUF), which rely on input challenge transformation. The modeling accuracy results obtained by us for the LSPUF are comparable with those obtained by applying other state-of-the-art techniques, while requiring less training data.},
keywords = {Attack Resillience},
pubstate = {published},
tppubtype = {article}
}
XOR Arbiter PUF (XOR APUF), where the outputs of multiple APUFs are XOR-ed, has proven to be more robust to machine learning based modeling attacks. The reported successful modeling attacks for XOR APUF either employ auxiliary side-channel or reliability information, or require enormous computational effort. This robustness is primarily due to the difficulty in learning the unknown internal delay parameter terms in the mathematical model of a XOR APUF, and the robustness increases as the number of APUFs being XOR-ed increases. In this paper, we employ a novel machine learning based modeling technique called efficient CANDECOMP/PARAFAC-Tensor Regression Network (CP-TRN), a variant of CP-decomposition based tensor regression network, to reduce the computational resource requirement of model building attacks on XOR APUF. We theoretically prove the reduction in computational complexity, as well as give supporting experimental results. In addition, our proposed technique does not require any auxiliary information, and is robust to noisy training data. The proposed technique allowed us to successfully model 64-bit 8-XOR APUF and 128-bit 7-XOR APUF on a single desktop workstation, with high prediction accuracy. Further, we extend the proposed modeling attack technique to XOR APUF variants, e.g. Lightweight Secure PUF (LSPUF), which rely on input challenge transformation. The modeling accuracy results obtained by us for the LSPUF are comparable with those obtained by applying other state-of-the-art techniques, while requiring less training data.
Santikellur, Pranesh; Chakraborty, Rajat Subhra
A Computationally Efficient Tensor Regression Network based Modeling Attack on XOR Arbiter PUF and its Variants Journal Article
In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, pp. 1-1, 2020, ISSN: 1937-4151.
Abstract | Links | BibTeX | Tags: Attack Resilience
@article{Santikellur2020Computationally,
title = {A Computationally Efficient Tensor Regression Network based Modeling Attack on XOR Arbiter PUF and its Variants},
author = {Pranesh Santikellur and Rajat Subhra Chakraborty},
doi = {10.1109/TCAD.2020.3032624},
issn = {1937-4151},
year = {2020},
date = {2020-01-01},
urldate = {2020-01-01},
journal = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
pages = {1-1},
abstract = {XOR Arbiter PUF (XOR APUF), where the outputs of multiple APUFs are XOR-ed, has proven to be more robust to machine learning based modeling attacks. The reported successful modeling attacks for XOR APUF either employ auxiliary side-channel or reliability information, or require enormous computational effort. This robustness is primarily due to the difficulty in learning the unknown internal delay parameter terms in the mathematical model of a XOR APUF, and the robustness increases as the number of APUFs being XOR-ed increases. In this paper, we employ a novel machine learning based modeling technique called efficient CANDECOMP/PARAFAC-Tensor Regression Network (CP-TRN), a variant of CP-decomposition based tensor regression network, to reduce the computational resource requirement of model building attacks on XOR APUF. We theoretically prove the reduction in computational complexity, as well as give supporting experimental results. In addition, our proposed technique does not require any auxiliary information, and is robust to noisy training data. The proposed technique allowed us to successfully model 64-bit 8-XOR APUF and 128-bit 7-XOR APUF on a single desktop workstation, with high prediction accuracy. Further, we extend the proposed modeling attack technique to XOR APUF variants, e.g. Lightweight Secure PUF (LSPUF), which rely on input challenge transformation. The modeling accuracy results obtained by us for the LSPUF are comparable with those obtained by applying other state-of-the-art techniques, while requiring less training data.},
keywords = {Attack Resilience},
pubstate = {published},
tppubtype = {article}
}
XOR Arbiter PUF (XOR APUF), where the outputs of multiple APUFs are XOR-ed, has proven to be more robust to machine learning based modeling attacks. The reported successful modeling attacks for XOR APUF either employ auxiliary side-channel or reliability information, or require enormous computational effort. This robustness is primarily due to the difficulty in learning the unknown internal delay parameter terms in the mathematical model of a XOR APUF, and the robustness increases as the number of APUFs being XOR-ed increases. In this paper, we employ a novel machine learning based modeling technique called efficient CANDECOMP/PARAFAC-Tensor Regression Network (CP-TRN), a variant of CP-decomposition based tensor regression network, to reduce the computational resource requirement of model building attacks on XOR APUF. We theoretically prove the reduction in computational complexity, as well as give supporting experimental results. In addition, our proposed technique does not require any auxiliary information, and is robust to noisy training data. The proposed technique allowed us to successfully model 64-bit 8-XOR APUF and 128-bit 7-XOR APUF on a single desktop workstation, with high prediction accuracy. Further, we extend the proposed modeling attack technique to XOR APUF variants, e.g. Lightweight Secure PUF (LSPUF), which rely on input challenge transformation. The modeling accuracy results obtained by us for the LSPUF are comparable with those obtained by applying other state-of-the-art techniques, while requiring less training data.
Alaql, Abdulrahman; Bhunia, Swarup
Scalable Attack-Resistant Obfuscation of Logic Circuits Miscellaneous
2020.
@misc{alaql2020scalable,
title = {Scalable Attack-Resistant Obfuscation of Logic Circuits},
author = {Abdulrahman Alaql and Swarup Bhunia},
url = {https://arxiv.org/abs/2010.15329},
year = {2020},
date = {2020-01-01},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
MIT-LL,
Common Evaluation Platform (CEP) Miscellaneous
2020.
Abstract | Links | BibTeX | Tags:
@misc{mitlincolnlaboratory,
title = {Common Evaluation Platform (CEP)},
author = {MIT-LL},
url = {https://github.com/mit-ll/CEP},
year = {2020},
date = {2020-01-01},
journal = {GitHub},
abstract = {The Common Evaluation Platform (CEP) is intended as a surrogate System on a Chip (SoC) allowing users to test a variety of tools and techniques. Test vectors are provided to ensure the underlying functionality is maintained even after modification.
Additional information on the objectives of the CEP may be found in ./CEP_SecEvalTargets.pdf.
The CEP is based on the SiFive U500 Platform which leverages the UCB Rocket Chip. Much of the design is described in Chisel (https://github.com/freechipsproject/chisel3), a domain specific extension to Scala tailored towards constructing hardware. The output of the Chisel generators is synthesizable verilog.
Currently, the test platform for the CEP is the Xilinx VC-707 FPGA Development Board. Longer term plans include migrating to other platforms with the eventual goal of taping out an ASIC.},
keywords = {},
pubstate = {published},
tppubtype = {misc}
}
The Common Evaluation Platform (CEP) is intended as a surrogate System on a Chip (SoC) allowing users to test a variety of tools and techniques. Test vectors are provided to ensure the underlying functionality is maintained even after modification.
Additional information on the objectives of the CEP may be found in ./CEP_SecEvalTargets.pdf.
The CEP is based on the SiFive U500 Platform which leverages the UCB Rocket Chip. Much of the design is described in Chisel (https://github.com/freechipsproject/chisel3), a domain specific extension to Scala tailored towards constructing hardware. The output of the Chisel generators is synthesizable verilog.
Currently, the test platform for the CEP is the Xilinx VC-707 FPGA Development Board. Longer term plans include migrating to other platforms with the eventual goal of taping out an ASIC.
Additional information on the objectives of the CEP may be found in ./CEP_SecEvalTargets.pdf.
The CEP is based on the SiFive U500 Platform which leverages the UCB Rocket Chip. Much of the design is described in Chisel (https://github.com/freechipsproject/chisel3), a domain specific extension to Scala tailored towards constructing hardware. The output of the Chisel generators is synthesizable verilog.
Currently, the test platform for the CEP is the Xilinx VC-707 FPGA Development Board. Longer term plans include migrating to other platforms with the eventual goal of taping out an ASIC.
Rathor, Mahendra; Sengupta, Anirban
Design Flow of Secured N-Point DFT Application Specific Processor Using Obfuscation and Steganography Journal Article
In: IEEE Letters of the Computer Society, vol. 3, no. 1, pp. 13-16, 2020, ISSN: 2573-9689.
Abstract | Links | BibTeX | Tags: IP Protection
@article{Rathor2020Design,
title = {Design Flow of Secured N-Point DFT Application Specific Processor Using Obfuscation and Steganography},
author = {Mahendra Rathor and Anirban Sengupta},
doi = {10.1109/LOCS.2020.2973586},
issn = {2573-9689},
year = {2020},
date = {2020-01-01},
journal = {IEEE Letters of the Computer Society},
volume = {3},
number = {1},
pages = {13-16},
abstract = {An N-point Discrete Fourier Transform (DFT) has wide application such as speech signal amplitude/phase/frequency spectrum analysis and solving complex numerical problems etc. However a N-point DFT Application Specific Processor (ASP) can be prone to several hardware threats such as reverse engineering, counterfeiting, cloning and fraudulent ownership. This letter proposes a novel design flow of secured N-point DFT application specific processor using high-level transformation based structural obfuscation and crypto-steganography. The proposed design methodology integrates both obfuscation and steganography to yield a robust secured N-point DFT application specific processor design that is capable of achieving 75.28 percent obfuscation at gate-level structure and 99.5 percent enhanced in security w.r.t key-size than recent hardware steganography approach.},
keywords = {IP Protection},
pubstate = {published},
tppubtype = {article}
}
An N-point Discrete Fourier Transform (DFT) has wide application such as speech signal amplitude/phase/frequency spectrum analysis and solving complex numerical problems etc. However a N-point DFT Application Specific Processor (ASP) can be prone to several hardware threats such as reverse engineering, counterfeiting, cloning and fraudulent ownership. This letter proposes a novel design flow of secured N-point DFT application specific processor using high-level transformation based structural obfuscation and crypto-steganography. The proposed design methodology integrates both obfuscation and steganography to yield a robust secured N-point DFT application specific processor design that is capable of achieving 75.28 percent obfuscation at gate-level structure and 99.5 percent enhanced in security w.r.t key-size than recent hardware steganography approach.
Sengupta, Anirban; Rathor, Mahendra
Structural Obfuscation and Crypto-Steganography-Based Secured JPEG Compression Hardware for Medical Imaging Systems Journal Article
In: IEEE Access, vol. 8, pp. 6543-6565, 2020, ISSN: 2169-3536.
Abstract | Links | BibTeX | Tags: IP Protection
@article{Sengupta2020Structural,
title = {Structural Obfuscation and Crypto-Steganography-Based Secured JPEG Compression Hardware for Medical Imaging Systems},
author = {Anirban Sengupta and Mahendra Rathor},
doi = {10.1109/ACCESS.2019.2963711},
issn = {2169-3536},
year = {2020},
date = {2020-01-01},
journal = {IEEE Access},
volume = {8},
pages = {6543-6565},
abstract = {In modern healthcare technology involving diagnosis through medical imaging systems, compression and data transmission play a pivotal role. Medical imaging systems play an indispensable role in several medical applications where camera/scanners generate compressed images about a patient's internal organ and may further transmit it over the internet for remote diagnosis. However, tampered or corrupted compressed medical images may result in wrong diagnosis of diseases leading to fatal consequences. This paper aims to secure the underlying JPEG compression processor used in medical imaging systems that generates the compressed medical images for diagnosis. The proposed work targets to secure the JPEG compression processor against well-acknowledged threats such as counterfeiting/cloning and Trojan insertion using double line of defense through integration of robust structural obfuscation and hardware steganography. The second line of defense incorporates stego-key based hardware steganography that augments the following: non-linear bit manipulation using S-box (confusion property), diffusion property, alphabetic encryption, alphabet substitution, byte concatenation mode, bit-encoding (converting into stego-constraints) and embedding constraints. The results of the proposed approach achieve robust security in terms of significant strength of obfuscation, strong stego-key size (775 bits for JPEG compression processor and 610 bits for JPEG DCT core) and probability of coincidence of 9.89e-8, at nominal design cost.},
keywords = {IP Protection},
pubstate = {published},
tppubtype = {article}
}
In modern healthcare technology involving diagnosis through medical imaging systems, compression and data transmission play a pivotal role. Medical imaging systems play an indispensable role in several medical applications where camera/scanners generate compressed images about a patient's internal organ and may further transmit it over the internet for remote diagnosis. However, tampered or corrupted compressed medical images may result in wrong diagnosis of diseases leading to fatal consequences. This paper aims to secure the underlying JPEG compression processor used in medical imaging systems that generates the compressed medical images for diagnosis. The proposed work targets to secure the JPEG compression processor against well-acknowledged threats such as counterfeiting/cloning and Trojan insertion using double line of defense through integration of robust structural obfuscation and hardware steganography. The second line of defense incorporates stego-key based hardware steganography that augments the following: non-linear bit manipulation using S-box (confusion property), diffusion property, alphabetic encryption, alphabet substitution, byte concatenation mode, bit-encoding (converting into stego-constraints) and embedding constraints. The results of the proposed approach achieve robust security in terms of significant strength of obfuscation, strong stego-key size (775 bits for JPEG compression processor and 610 bits for JPEG DCT core) and probability of coincidence of 9.89e-8, at nominal design cost.
Nahiyan, Adib; Park, Jungmin; He, Miao; Iskander, Yousef; Farahmandi, Farimah; Forte, Domenic; Tehranipoor, Mark
SCRIPT: A CAD Framework for Power Side-channel Vulnerability Assessment Using Information Flow Tracking and Pattern Generation Journal Article
In: ACM Trans. Des. Autom. Electron. Syst., vol. 25, no. 3, pp. 1–27, 2020, ISSN: 1084-4309.
Abstract | Links | BibTeX | Tags: Side Channel
@article{nahiyan2020script,
title = {SCRIPT: A CAD Framework for Power Side-channel Vulnerability Assessment Using Information Flow Tracking and Pattern Generation},
author = {Adib Nahiyan and Jungmin Park and Miao He and Yousef Iskander and Farimah Farahmandi and Domenic Forte and Mark Tehranipoor},
url = {https://doi.org/10.1145/3383445},
doi = {10.1145/3383445},
issn = {1084-4309},
year = {2020},
date = {2020-01-01},
journal = {ACM Trans. Des. Autom. Electron. Syst.},
volume = {25},
number = {3},
pages = {1--27},
publisher = {ACM New York, NY, USA},
abstract = {Power side-channel attacks (SCAs) have been proven to be effective at extracting secret keys from hardware implementations of cryptographic algorithms. Ideally, the power side-channel leakage (PSCL) of hardware designs of a cryptographic algorithm should be evaluated as early as the pre-silicon stage (e.g., gate level). However, there has been little effort in developing computer-aided design (CAD) tools to accomplish this. In this article, we propose an automated CAD framework called SCRIPT to evaluate information leakage through side-channel analysis. SCRIPT starts by defining the underlying properties of the hardware implementation that can be exploited by side-channel attacks. It then utilizes information flow tracking (IFT) to identify registers that exhibit those properties and, therefore, leak information through the side-channel. Here, we develop an IFT-based side-channel vulnerability metric (SCV) that is utilized by SCRIPT for PSCL assessment. SCV is conceptually similar to the traditionally used signal-to-noise ratio (SNR) metric. However, unlike SNR, which requires thousands of traces from silicon measurements, SCRIPT utilizes formal methods to generate SCV-guided patterns/plaintexts, allowing us to derive SCV using only a few patterns (ideally as low as two) at gate level. SCV estimates PSCL vulnerability at pre-silicon stage based on the number of plaintexts required to attain a specific SCA success rate. The integration of IFT and pattern generation makes SCRIPT efficient, accurate, and generic to be applied to any hardware design. We validate the efficacy of the SCRIPT framework by demonstrating that it can effectively and accurately determine SCA success rates for different AES designs at pre-silicon stage. SCRIPT is orders of magnitude more efficient than traditional pre-silicon PSCL assessment (SNR-based), with an average evaluation time of 15 minutes; whereas, traditional PSCL assessment at pre-silicon stage would require more than a month. We also analyze the PSCL characteristic of the multiplication unit of RISC processor using SCRIPT to demonstrate SCRIPT’s applicability.},
keywords = {Side Channel},
pubstate = {published},
tppubtype = {article}
}
Power side-channel attacks (SCAs) have been proven to be effective at extracting secret keys from hardware implementations of cryptographic algorithms. Ideally, the power side-channel leakage (PSCL) of hardware designs of a cryptographic algorithm should be evaluated as early as the pre-silicon stage (e.g., gate level). However, there has been little effort in developing computer-aided design (CAD) tools to accomplish this. In this article, we propose an automated CAD framework called SCRIPT to evaluate information leakage through side-channel analysis. SCRIPT starts by defining the underlying properties of the hardware implementation that can be exploited by side-channel attacks. It then utilizes information flow tracking (IFT) to identify registers that exhibit those properties and, therefore, leak information through the side-channel. Here, we develop an IFT-based side-channel vulnerability metric (SCV) that is utilized by SCRIPT for PSCL assessment. SCV is conceptually similar to the traditionally used signal-to-noise ratio (SNR) metric. However, unlike SNR, which requires thousands of traces from silicon measurements, SCRIPT utilizes formal methods to generate SCV-guided patterns/plaintexts, allowing us to derive SCV using only a few patterns (ideally as low as two) at gate level. SCV estimates PSCL vulnerability at pre-silicon stage based on the number of plaintexts required to attain a specific SCA success rate. The integration of IFT and pattern generation makes SCRIPT efficient, accurate, and generic to be applied to any hardware design. We validate the efficacy of the SCRIPT framework by demonstrating that it can effectively and accurately determine SCA success rates for different AES designs at pre-silicon stage. SCRIPT is orders of magnitude more efficient than traditional pre-silicon PSCL assessment (SNR-based), with an average evaluation time of 15 minutes; whereas, traditional PSCL assessment at pre-silicon stage would require more than a month. We also analyze the PSCL characteristic of the multiplication unit of RISC processor using SCRIPT to demonstrate SCRIPT’s applicability.
Surabhi, Virinchi Roy; Krishnamurthy, Prashanth; Amrouch, Hussam; Basu, Kanad; Henkel, Jörg; Karri, Ramesh; Khorrami, Farshad
Hardware Trojan Detection Using Controlled Circuit Aging Journal Article
In: IEEE Access, vol. 8, pp. 77415–77434, 2020, ISSN: 2169-3536.
Abstract | Links | BibTeX | Tags: Hardware Trojans
@article{surabhi2020hardware,
title = {Hardware Trojan Detection Using Controlled Circuit Aging},
author = {Virinchi Roy Surabhi and Prashanth Krishnamurthy and Hussam Amrouch and Kanad Basu and Jörg Henkel and Ramesh Karri and Farshad Khorrami},
doi = {10.1109/ACCESS.2020.2989735},
issn = {2169-3536},
year = {2020},
date = {2020-01-01},
journal = {IEEE Access},
volume = {8},
pages = {77415--77434},
publisher = {IEEE},
abstract = {This paper reports a novel approach that uses transistor aging in an integrated circuit (IC) to detect hardware Trojans. When a transistor is aged, it results in delays along several paths of the IC. This increase in delay results in timing violations that reveal as timing errors at the output of the IC during its operation. We present experiments using aging-aware standard cell libraries to illustrate the usefulness of the technique in detecting hardware Trojans. Combining IC aging with over-clocking produces a pattern of bit errors at the IC output by the induced timing violations. We use machine learning to learn the bit error distribution at the output of a clean IC. We differentiate the divergence in the pattern of bit errors because of a Trojan in the IC from this baseline distribution. We simulate the golden IC and show robustness to IC-to-IC manufacturing variations. The approach is effective and can detect a Trojan even if we place it far off the critical paths. Results on benchmarks from the Trust-hub show a detection accuracy of ≥ 99%.},
keywords = {Hardware Trojans},
pubstate = {published},
tppubtype = {article}
}
This paper reports a novel approach that uses transistor aging in an integrated circuit (IC) to detect hardware Trojans. When a transistor is aged, it results in delays along several paths of the IC. This increase in delay results in timing violations that reveal as timing errors at the output of the IC during its operation. We present experiments using aging-aware standard cell libraries to illustrate the usefulness of the technique in detecting hardware Trojans. Combining IC aging with over-clocking produces a pattern of bit errors at the IC output by the induced timing violations. We use machine learning to learn the bit error distribution at the output of a clean IC. We differentiate the divergence in the pattern of bit errors because of a Trojan in the IC from this baseline distribution. We simulate the golden IC and show robustness to IC-to-IC manufacturing variations. The approach is effective and can detect a Trojan even if we place it far off the critical paths. Results on benchmarks from the Trust-hub show a detection accuracy of ≥ 99%.
Lyu, Yangdi; Mishra, Prabhat
Automated Trigger Activation by Repeated Maximal Clique Sampling Proceedings Article
In: 2020 25th Asia and South Pacific Design Automation Conference (ASP-DAC), pp. 482–487, IEEE 2020, ISSN: 2153-697X.
Abstract | Links | BibTeX | Tags: Hardware Trojans
@inproceedings{lyu2020automated2,
title = {Automated Trigger Activation by Repeated Maximal Clique Sampling},
author = {Yangdi Lyu and Prabhat Mishra},
doi = {10.1109/ASP-DAC47756.2020.9045449},
issn = {2153-697X},
year = {2020},
date = {2020-01-01},
booktitle = {2020 25th Asia and South Pacific Design Automation Conference (ASP-DAC)},
pages = {482--487},
organization = {IEEE},
abstract = {Hardware Trojans are serious threat to security and reliability of computing systems. It is hard to detect these malicious implants using traditional validation methods since an adversary is likely to hide them under rare trigger conditions. While existing statistical test generation methods are promising for Trojan detection, they are not suitable for activating extremely rare trigger conditions in stealthy Trojans. To address the fundamental challenge of activating rare triggers, we propose a new test generation paradigm by mapping trigger activation problem to clique cover problem. The basic idea is to utilize a satisfiability solver to construct a test corresponding to each maximal clique. This paper makes two fundamental contributions: 1) it proves that the trigger activation problem can be mapped to clique cover problem, 2) it proposes an efficient test generation algorithm to activate trigger conditions by repeated maximal clique sampling. Experimental results demonstrate that our approach is scalable and it outperforms state-of-the-art approaches by several orders-of-magnitude in detecting stealthy Trojans.},
keywords = {Hardware Trojans},
pubstate = {published},
tppubtype = {inproceedings}
}
Hardware Trojans are serious threat to security and reliability of computing systems. It is hard to detect these malicious implants using traditional validation methods since an adversary is likely to hide them under rare trigger conditions. While existing statistical test generation methods are promising for Trojan detection, they are not suitable for activating extremely rare trigger conditions in stealthy Trojans. To address the fundamental challenge of activating rare triggers, we propose a new test generation paradigm by mapping trigger activation problem to clique cover problem. The basic idea is to utilize a satisfiability solver to construct a test corresponding to each maximal clique. This paper makes two fundamental contributions: 1) it proves that the trigger activation problem can be mapped to clique cover problem, 2) it proposes an efficient test generation algorithm to activate trigger conditions by repeated maximal clique sampling. Experimental results demonstrate that our approach is scalable and it outperforms state-of-the-art approaches by several orders-of-magnitude in detecting stealthy Trojans.
Lyu, Yangdi; Mishra, Prabhat
Scalable Activation of Rare Triggers in Hardware Trojans by Repeated Maximal Clique Sampling Journal Article
In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, pp. 1-1, 2020, ISSN: 1937-4151.
Abstract | Links | BibTeX | Tags: Hardware Trojans
@article{lyu2020scalable,
title = {Scalable Activation of Rare Triggers in Hardware Trojans by Repeated Maximal Clique Sampling},
author = {Yangdi Lyu and Prabhat Mishra},
doi = {10.1109/TCAD.2020.3019984},
issn = {1937-4151},
year = {2020},
date = {2020-01-01},
journal = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
pages = {1-1},
abstract = {Hardware Trojans are serious threat to security and reliability of computing systems. It is hard to detect these malicious implants using traditional validation methods since an adversary is likely to hide them under rare trigger conditions. While existing statistical test generation methods are promising for Trojan detection, they are not suitable for activating extremely rare trigger conditions in stealthy Trojans. To address the fundamental challenge of activating rare triggers, we propose a new test generation paradigm for Trigger Activation by Repeated Maximal Clique sampling (TARMAC). The basic idea is to utilize a satisfiability modulo theories (SMT) solver to construct a test corresponding to each maximal clique. This paper makes three fundamental contributions: (1) it proves that the trigger activation problem can be mapped to clique cover problem, and the test vectors generated by covering maximal cliques are complete and compact, (2) it proposes efficient test generation algorithms to activate trigger conditions by repeated maximal clique sampling, and (3) it outlines an efficient mechanism to run the clique sampling in parallel to significantly improve the scalability of our test generation framework. Experimental results demonstrate that our proposed approach is scalable and it outperforms state-of-the-art approaches by several orders-of-magnitude in detecting stealthy Trojans.},
keywords = {Hardware Trojans},
pubstate = {published},
tppubtype = {article}
}
Hardware Trojans are serious threat to security and reliability of computing systems. It is hard to detect these malicious implants using traditional validation methods since an adversary is likely to hide them under rare trigger conditions. While existing statistical test generation methods are promising for Trojan detection, they are not suitable for activating extremely rare trigger conditions in stealthy Trojans. To address the fundamental challenge of activating rare triggers, we propose a new test generation paradigm for Trigger Activation by Repeated Maximal Clique sampling (TARMAC). The basic idea is to utilize a satisfiability modulo theories (SMT) solver to construct a test corresponding to each maximal clique. This paper makes three fundamental contributions: (1) it proves that the trigger activation problem can be mapped to clique cover problem, and the test vectors generated by covering maximal cliques are complete and compact, (2) it proposes efficient test generation algorithms to activate trigger conditions by repeated maximal clique sampling, and (3) it outlines an efficient mechanism to run the clique sampling in parallel to significantly improve the scalability of our test generation framework. Experimental results demonstrate that our proposed approach is scalable and it outperforms state-of-the-art approaches by several orders-of-magnitude in detecting stealthy Trojans.
Kuruvila, Abraham Peedikayil; Kundu, Shamik; Basu, Kanad
Defending Hardware-based Malware Detectors against Adversarial Attacks Journal Article
In: arXiv preprint arXiv:2005.03644, 2020.
Abstract | Links | BibTeX | Tags: Attack Resillience
@article{Kuruvila2020b,
title = {Defending Hardware-based Malware Detectors against Adversarial Attacks},
author = {Abraham Peedikayil Kuruvila and Shamik Kundu and Kanad Basu},
url = {https://arxiv.org/pdf/2005.03644.pdf},
year = {2020},
date = {2020-01-01},
journal = {arXiv preprint arXiv:2005.03644},
abstract = {In the era of Internet of Things (IoT), Malware has been proliferating exponentially over the past decade. Traditional anti-virus software are ineffective against modern complex Malware. In order to address this challenge, researchers have proposed Hardware-assisted Malware Detection (HMD) using Hardware Performance Counters (HPCs). The HPCs are used to train a set of Machine learning (ML) classifiers, which in turn, are used to distinguish benign programs from Malware. Recently, adversarial attacks have been designed by introducing perturbations in the HPC traces using an adversarial sample predictor to misclassify a program for specific HPCs. These attacks are designed with the basic assumption that the attacker is aware of the HPCs being used to detect Malware. Since modern processors consist of hundreds of HPCs, restricting to only a few of them for Malware detection aids the attacker. In this paper, we propose a Moving target defense (MTD) for this adversarial attack by designing multiple ML classifiers trained on different sets of HPCs. The MTD randomly selects a classifier; thus, confusing the attacker about the HPCs or the number of classifiers applied. We have developed an analytical model which proves that the probability of an attacker to guess the perfect HPC-classifier combination for MTD is extremely low (in the range of 10^-1864 for a system with 20 HPCs). Our experimental results prove that the proposed defense is able to improve the classification accuracy of HPC traces that have been modified through an adversarial sample generator by up to 31.5%, for a near perfect (99.4%) restoration of the original accuracy.},
keywords = {Attack Resillience},
pubstate = {published},
tppubtype = {article}
}
In the era of Internet of Things (IoT), Malware has been proliferating exponentially over the past decade. Traditional anti-virus software are ineffective against modern complex Malware. In order to address this challenge, researchers have proposed Hardware-assisted Malware Detection (HMD) using Hardware Performance Counters (HPCs). The HPCs are used to train a set of Machine learning (ML) classifiers, which in turn, are used to distinguish benign programs from Malware. Recently, adversarial attacks have been designed by introducing perturbations in the HPC traces using an adversarial sample predictor to misclassify a program for specific HPCs. These attacks are designed with the basic assumption that the attacker is aware of the HPCs being used to detect Malware. Since modern processors consist of hundreds of HPCs, restricting to only a few of them for Malware detection aids the attacker. In this paper, we propose a Moving target defense (MTD) for this adversarial attack by designing multiple ML classifiers trained on different sets of HPCs. The MTD randomly selects a classifier; thus, confusing the attacker about the HPCs or the number of classifiers applied. We have developed an analytical model which proves that the probability of an attacker to guess the perfect HPC-classifier combination for MTD is extremely low (in the range of 10^-1864 for a system with 20 HPCs). Our experimental results prove that the proposed defense is able to improve the classification accuracy of HPC traces that have been modified through an adversarial sample generator by up to 31.5%, for a near perfect (99.4%) restoration of the original accuracy.
Zuzak, Michael; Srivastava, Ankur
ObfusGEM: Enhancing Processor Design Obfuscation Through Security-Aware On-Chip Memory and Data Path Design Proceedings Article
In: International Symposium on Memory Systems (MEMSYS), 2020.
BibTeX | Tags: Evaluation of Obfuscation
@inproceedings{Zuzak2020,
title = {ObfusGEM: Enhancing Processor Design Obfuscation Through Security-Aware On-Chip Memory and Data Path Design},
author = {Michael Zuzak and Ankur Srivastava},
year = {2020},
date = {2020-01-01},
booktitle = {International Symposium on Memory Systems (MEMSYS)},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
Rajarathnam, Rachel Selina; Lin, Yibo; Jin, Yier; Pan, David Z.
ReGDS: A Reverse Engineering Framework from GDSII to Gate-level Netlist Journal Article
In: Hardware-Oriented Security and Trust (HOST), 2020.
Abstract | Links | BibTeX | Tags: IP Protection
@article{Rajarathnam2020,
title = {ReGDS: A Reverse Engineering Framework from GDSII to Gate-level Netlist},
author = {Rachel Selina Rajarathnam and Yibo Lin and Yier Jin and David Z. Pan},
url = {http://cadforassurance.org/wp-content/uploads/rachel2020regds.pdf},
year = {2020},
date = {2020-01-01},
journal = {Hardware-Oriented Security and Trust (HOST)},
abstract = {With many fabless companies outsourcing integrated circuit (IC) fabrication, the extent of design information recoverable by any third-party foundry remains clouded. While traditional reverse engineering schemes from the layout employ expensive high-resolution imaging techniques to recover design information, the extent of design information that can be recovered by the foundry remains ambiguous. To address this ambiguity, we propose ReGDS, a layout reverse engineering (RE) framework, posing as an inside-foundry attack to acquire original design intent. Our framework uses the layout, in GDSII format, and the technology library to extract the transistor-level connectivity information, and exploits unique relationship-based matching to identify logic gates and thereby, recover the original gate-level netlist. Employing circuits ranging from few hundreds to millions of transistors, we validate the scalability of our framework and demonstrate 100% recovery of the original design from the layout. To further validate the effectiveness of the framework in the presence of obfuscation schemes, we apply ReGDS to layouts of conventional XOR/MUX locked circuits and successfully recover the obfuscated netlist. By applying the Boolean SATisfiability (SAT) attack on the recovered obfuscated netlist, one can recover the entire key and, thereby, retrieve the original design intent. Thus ReGDS results in accelerated acquisition of the gate-level netlist by the attacker, in comparison to imaging-based RE schemes. Our experiments unearth the potential threat of possible intellectual property (IP) piracy at any third-party foundry.},
keywords = {IP Protection},
pubstate = {published},
tppubtype = {article}
}
With many fabless companies outsourcing integrated circuit (IC) fabrication, the extent of design information recoverable by any third-party foundry remains clouded. While traditional reverse engineering schemes from the layout employ expensive high-resolution imaging techniques to recover design information, the extent of design information that can be recovered by the foundry remains ambiguous. To address this ambiguity, we propose ReGDS, a layout reverse engineering (RE) framework, posing as an inside-foundry attack to acquire original design intent. Our framework uses the layout, in GDSII format, and the technology library to extract the transistor-level connectivity information, and exploits unique relationship-based matching to identify logic gates and thereby, recover the original gate-level netlist. Employing circuits ranging from few hundreds to millions of transistors, we validate the scalability of our framework and demonstrate 100% recovery of the original design from the layout. To further validate the effectiveness of the framework in the presence of obfuscation schemes, we apply ReGDS to layouts of conventional XOR/MUX locked circuits and successfully recover the obfuscated netlist. By applying the Boolean SATisfiability (SAT) attack on the recovered obfuscated netlist, one can recover the entire key and, thereby, retrieve the original design intent. Thus ReGDS results in accelerated acquisition of the gate-level netlist by the attacker, in comparison to imaging-based RE schemes. Our experiments unearth the potential threat of possible intellectual property (IP) piracy at any third-party foundry.
Hoque, Tamzidul; Chakraborty, Rajat Subhra; Bhunia, Swarup
Hardware Obfuscation and Logic Locking: A Tutorial Introduction Journal Article
In: IEEE Design Test, pp. 1-1, 2020, ISSN: 2168-2364.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation
@article{9050810,
title = {Hardware Obfuscation and Logic Locking: A Tutorial Introduction},
author = {Tamzidul Hoque and Rajat Subhra Chakraborty and Swarup Bhunia},
doi = {10.1109/MDAT.2020.2984224},
issn = {2168-2364},
year = {2020},
date = {2020-01-01},
journal = {IEEE Design Test},
pages = {1-1},
abstract = {Hardware obfuscation relates to the transformation of design to protect it against reverse engineering, piracy, and malicious alteration. It typically aims at both locking a design based on a secret key as well as hiding the design intent through structural transformation. In this article, we provide a tutorial introduction to hardware obfuscation highlighting the motivation, key concepts, the emerging landscape of obfuscation methods, and their merits as well as shortcomings.},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {article}
}
Hardware obfuscation relates to the transformation of design to protect it against reverse engineering, piracy, and malicious alteration. It typically aims at both locking a design based on a secret key as well as hiding the design intent through structural transformation. In this article, we provide a tutorial introduction to hardware obfuscation highlighting the motivation, key concepts, the emerging landscape of obfuscation methods, and their merits as well as shortcomings.
Hoque, Tamzidul; SLPSK, Patanjali; Bhunia, Swarup
Trust Issues in Microelectronics: The Concerns and the Countermeasures Journal Article
In: IEEE Consumer Electronics Magazine, pp. 1-1, 2020, ISSN: 2162-2256.
Abstract | Links | BibTeX | Tags: Trust Issues
@article{9090969,
title = {Trust Issues in Microelectronics: The Concerns and the Countermeasures},
author = {Tamzidul Hoque and Patanjali SLPSK and Swarup Bhunia},
doi = {10.1109/MCE.2020.2988048},
issn = {2162-2256},
year = {2020},
date = {2020-01-01},
journal = {IEEE Consumer Electronics Magazine},
pages = {1-1},
abstract = {The semiconductor industry is constantly striving to improve the performance, reliability, and cost of electronic devices. The growing complexity in the design process of microelectronics coupled with the requirement of significant investment in research and development means that there is hardly any entity in the industry that is capable of acquiring the state-of-the-art technologies for all facets of the development process across myriad niche device technologies. Therefore, for economic and practical reasons, the modern electronic supply chain relies on several different vendors that specialize in a specific area of the design and fabrication process. From a security perspective, this distributed manufacturing process violates the trust of the underlying hardware as any entity in the supply chain could maliciously modify the design. This poses a significant concern, especially for government, military applications, and consumer electronic products handling private and critical data during the acquisition of untrusted microelectronic designs and components. Hence, trust has emerged as a crucial constraint that the various steps in the microelectronic manufacturing process should consider in order to ensure that no malicious functionality exists in the hardware. In the last decade, several works have proposed steps both to establish and verify trust in microelectronics. However, not all threat models are adequately covered, and the solutions are pertinent to a limited category of devices. In this paper, we present the challenges in establishing trust in today’s distributed supply chain environment by discussing the attack models at each step of the manufacturing process. We also shed light on the existing solutions that try to address these threats and discuss their limitations. Finally, we elaborate on one of the existing supply chain standards where trust verification is still infeasible and identify avenues for future research.},
keywords = {Trust Issues},
pubstate = {published},
tppubtype = {article}
}
The semiconductor industry is constantly striving to improve the performance, reliability, and cost of electronic devices. The growing complexity in the design process of microelectronics coupled with the requirement of significant investment in research and development means that there is hardly any entity in the industry that is capable of acquiring the state-of-the-art technologies for all facets of the development process across myriad niche device technologies. Therefore, for economic and practical reasons, the modern electronic supply chain relies on several different vendors that specialize in a specific area of the design and fabrication process. From a security perspective, this distributed manufacturing process violates the trust of the underlying hardware as any entity in the supply chain could maliciously modify the design. This poses a significant concern, especially for government, military applications, and consumer electronic products handling private and critical data during the acquisition of untrusted microelectronic designs and components. Hence, trust has emerged as a crucial constraint that the various steps in the microelectronic manufacturing process should consider in order to ensure that no malicious functionality exists in the hardware. In the last decade, several works have proposed steps both to establish and verify trust in microelectronics. However, not all threat models are adequately covered, and the solutions are pertinent to a limited category of devices. In this paper, we present the challenges in establishing trust in today’s distributed supply chain environment by discussing the attack models at each step of the manufacturing process. We also shed light on the existing solutions that try to address these threats and discuss their limitations. Finally, we elaborate on one of the existing supply chain standards where trust verification is still infeasible and identify avenues for future research.
2019
Portillo, Jason; Meade, Travis; Hacker, John; Zhang, Shaojie; Jin, Yier
RERTL: Finite State Transducer Logic Recovery at Register Transfer Level Proceedings Article
In: 2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), pp. 1-6, ASIAN-HOST IEEE, Xi'an, P.R. China, 2019.
Abstract | Links | BibTeX | Tags: Reverse Engineering
@inproceedings{Portillo2019,
title = {RERTL: Finite State Transducer Logic Recovery at Register Transfer Level},
author = {Jason Portillo and Travis Meade and John Hacker and Shaojie Zhang and Yier Jin},
url = {https://ieeexplore.ieee.org/document/9006699},
doi = {10.1109/AsianHOST47458.2019.9006699},
year = {2019},
date = {2019-12-16},
booktitle = {2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)},
pages = {1-6},
publisher = {IEEE},
address = {Xi'an, P.R. China},
organization = {ASIAN-HOST },
series = {ASIAN-HOST 19},
abstract = {Increasingly complex Intellectual Property (IP) design, coupled with shorter Time-To-Market (TTM), breeds flaws at various levels of the Integrated Circuit (IC) production. With access to IPs at all stages of production, design defects can easily be found and corrected, i.e., knowledge of the Register Transfer Level (RTL) code allows for the option of easy defect detection. However, third-party IPs are typically delivered as hard IPs or gate-level netlists, which complicates the defect detection process. The inaccessibility of source RTL code and the lack of RTL recovery tools make the task of finding high-level security flaws in logic intractable. Upon this request, in this paper, we present an RTL recovery tool suite named RERTL that leverages advanced graph algorithms including Lengauer-Tarjan's dominator tree and Euler tour tree technique to assist in netlist analysis. Supported by RERTL, logical states and their interactions are recovered from the initial design in the format of gate-level netlists. After the recovery of state interaction, RERTL further converts the full design into human-readable RTL. A series of netlist case studies were examined using RERTL covering benign logic structures, designs with accidental defects, and designs with deliberate backdoors. The experimental results show that all of our designs at various complexities were recoverable within seconds.},
keywords = {Reverse Engineering},
pubstate = {published},
tppubtype = {inproceedings}
}
Increasingly complex Intellectual Property (IP) design, coupled with shorter Time-To-Market (TTM), breeds flaws at various levels of the Integrated Circuit (IC) production. With access to IPs at all stages of production, design defects can easily be found and corrected, i.e., knowledge of the Register Transfer Level (RTL) code allows for the option of easy defect detection. However, third-party IPs are typically delivered as hard IPs or gate-level netlists, which complicates the defect detection process. The inaccessibility of source RTL code and the lack of RTL recovery tools make the task of finding high-level security flaws in logic intractable. Upon this request, in this paper, we present an RTL recovery tool suite named RERTL that leverages advanced graph algorithms including Lengauer-Tarjan's dominator tree and Euler tour tree technique to assist in netlist analysis. Supported by RERTL, logical states and their interactions are recovered from the initial design in the format of gate-level netlists. After the recovery of state interaction, RERTL further converts the full design into human-readable RTL. A series of netlist case studies were examined using RERTL covering benign logic structures, designs with accidental defects, and designs with deliberate backdoors. The experimental results show that all of our designs at various complexities were recoverable within seconds.
Ma, Haocheng; He, Jiaji; Liu, Yanjiang; Zhao, Yiqiang; Jin, Yier
CAD4EM-P: Security-Driven Placement Tools for Electromagnetic Side Channel Protection Proceedings Article
In: 2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), pp. 1-6, IEEE, Xi'an, P.R. China, 2019.
Abstract | Links | BibTeX | Tags: Side Channel
@inproceedings{Ma2019,
title = {CAD4EM-P: Security-Driven Placement Tools for Electromagnetic Side Channel Protection},
author = {Haocheng Ma and Jiaji He and Yanjiang Liu and Yiqiang Zhao and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/haocheng1019cad4emp.pdf},
doi = {10.1109/AsianHOST47458.2019.9006705},
year = {2019},
date = {2019-12-16},
booktitle = {2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)},
pages = {1-6},
publisher = {IEEE},
address = {Xi'an, P.R. China},
abstract = {Side-Channel Analysis (SCA) attacks are major threats to hardware security. Upon this security threat, various countermeasures at different design layers have been proposed against SCA attacks. These approaches often introduce significant performance overheads and impose high requirements of side-channel security backgrounds to IC designers. In this paper, we propose an automatic computer-aided design (CAD) tool that can enhance the circuit resistance against electromagnetic (EM) SCA attacks. This new tool will guide a security-driven placement process and can be seamlessly integrated into the modern IC design flow. The protected IC design will be resilient to SCA attacks with the negligible area and power overheads. In order to develop this tool, we first investigate the root-cause of EM leakage at the layout level and mathematically demonstrate the feasibility of security-driven placement through the EM leakage modeling. We then identify that the correlation between the data under the protection and the EM leakage can be significantly reduced through a data-dependent register's reallocation. Simulation results on cryptographic circuits prove the effectiveness of both the constructed EM leakage model and the EM model-based CAD tool for EM security.},
keywords = {Side Channel},
pubstate = {published},
tppubtype = {inproceedings}
}
Side-Channel Analysis (SCA) attacks are major threats to hardware security. Upon this security threat, various countermeasures at different design layers have been proposed against SCA attacks. These approaches often introduce significant performance overheads and impose high requirements of side-channel security backgrounds to IC designers. In this paper, we propose an automatic computer-aided design (CAD) tool that can enhance the circuit resistance against electromagnetic (EM) SCA attacks. This new tool will guide a security-driven placement process and can be seamlessly integrated into the modern IC design flow. The protected IC design will be resilient to SCA attacks with the negligible area and power overheads. In order to develop this tool, we first investigate the root-cause of EM leakage at the layout level and mathematically demonstrate the feasibility of security-driven placement through the EM leakage modeling. We then identify that the correlation between the data under the protection and the EM leakage can be significantly reduced through a data-dependent register's reallocation. Simulation results on cryptographic circuits prove the effectiveness of both the constructed EM leakage model and the EM model-based CAD tool for EM security.