49 research outputs found

    HARDWARE ATTACK DETECTION AND PREVENTION FOR CHIP SECURITY

    Hardware security is a serious emerging concern in chip designs and applications. Due to the globalization of the semiconductor design and fabrication process, integrated circuits (ICs, a.k.a. chips) are becoming increasingly vulnerable to passive and active hardware attacks. Passive attacks on chips result in secret information leaking while active attacks cause IC malfunction and catastrophic system failures. This thesis focuses on detection and prevention methods against active attacks, in particular, hardware Trojan (HT). Existing HT detection methods have limited capability to detect small-scale HTs and are further challenged by the increased process variation. We propose to use the differential Cascade Voltage Switch Logic (DCVSL) method to detect small HTs and achieve a success rate of 66% to 98%. This work also presents different fault tolerant methods to handle the active attacks on symmetric-key cipher SIMON, which is a recent lightweight cipher. Simulation results show that our Even Parity Code SIMON consumes less area and power than double modular redundancy SIMON and Reversed-SIMON, but yields a higher fault-detection-failure rate as the number of concurrent faults increases. In addition, the emerging technology, memristor, is explored to protect SIMON from passive attacks. Simulation results indicate that the memristor-based SIMON has a unique power characteristic that adds new challenges on secret key extraction.

    Structural Checking Tool Restructure and Matching Improvements

    With the rising complexity and size of hardware designs, saving development time and cost by employing third-party intellectual property (IP) into various first-party designs has become a necessity. However, using third-party IPs introduces the risk of adding malicious behavior to the design, including hardware Trojans. Different from software Trojan detection, the detection of hardware Trojans in an efficient and cost-effective manner is an ongoing area of study and has significant complexities depending on the development stage where Trojan detection is leveraged. Therefore, this thesis research proposes improvements to various components of the soft IP analysis methodology utilized by the Structural Checking Tool. The Structural Checking Tool analyzes the register-transfer level (RTL) code of IPs to determine their functionalities and to detect and identify hardware Trojans inserted. The Structural Checking process entails parsing a design to yield a structural representation and assigning assets that encompass 12 different characteristics to the primary ports and internal signals. With coarse-grained asset reassignment based on external and internal signal connections, matching can be performed against trusted IPs to classify the functionality of an unknown soft IP. Further analysis is done using a Golden Reference Library (GRL) containing information about known Trojan-free and Trojan-infested designs and serves as a vital component for unknown soft IP comparison. Following functional identification, the unknown soft IP is run through a fine-grained reassignment strategy to ensure usage of up-to-date GRL assets, and then the matching process is used to determine whether said IP is Trojan-infested or Trojan-free. This necessitates a large GRL while maintaining a balance of computational resources and high accuracy to ensure effective matching

    Techniques for Improving Security and Trustworthiness of Integrated Circuits

    The integrated circuit (IC) development process is becoming increasingly vulnerable to malicious activities because untrusted parties could be involved in this IC development flow. There are four typical problems that impact the security and trustworthiness of ICs used in military, financial, transportation, or other critical systems: (i) Malicious inclusions and alterations, known as hardware Trojans, can be inserted into a design by modifying the design during GDSII development and fabrication. Hardware Trojans in ICs may cause malfunctions, lower the reliability of ICs, leak confidential information to adversaries or even destroy the system under specifically designed conditions. (ii) The number of circuit-related counterfeiting incidents reported by component manufacturers has increased significantly over the past few years with recycled ICs contributing the largest percentage of the total reported counterfeiting incidents. Since these recycled ICs have been used in the field before, the performance and reliability of such ICs has been degraded by aging effects and harsh recycling process. (iii) Reverse engineering (RE) is the process of extracting a circuit’s gate-level netlist, and/or inferring its functionality. The RE causes threats to the design because attackers can steal and pirate a design (IP piracy), identify the device technology, or facilitate other hardware attacks. (iv) Traditional tools for uniquely identifying devices are vulnerable to non-invasive or invasive physical attacks. Securing the ID/key is of utmost importance since leakage of even a single device ID/key could be exploited by an adversary to hack other devices or produce pirated devices. In this work, we have developed a series of design and test methodologies to deal with these four challenging issues and thus enhance the security, trustworthiness and reliability of ICs.
    The techniques proposed in this thesis include: a path delay fingerprinting technique for detection of hardware Trojans, recycled ICs, and other types of counterfeit ICs including remarked, overproduced, and cloned ICs with their unique identifiers; a Built-In Self-Authentication (BISA) technique to prevent hardware Trojan insertions by untrusted fabrication facilities; an efficient and secure split manufacturing via Obfuscated Built-In Self-Authentication (OBISA) technique to prevent reverse engineering by untrusted fabrication facilities; and a novel bit selection approach for obtaining the most reliable bits for SRAM-based physical unclonable function (PUF) across environmental conditions and silicon aging effects.

    PDNPulse: Sensing PCB Anomaly with the Intrinsic Power Delivery Network

    The ubiquitous presence of printed circuit boards (PCBs) in modern electronic systems and embedded devices makes their integrity a top security concern. To take advantage of the economies of scale, today's PCB design and manufacturing are often performed by suppliers around the globe, exposing them to many security vulnerabilities along the segmented PCB supply chain. Moreover, the increasing complexity of the PCB designs also leaves ample room for numerous sneaky board-level attacks to be implemented throughout each stage of a PCB's lifetime, threatening many electronic devices. In this paper, we propose PDNPulse, a power delivery network (PDN) based PCB anomaly detection framework that can identify a wide spectrum of board-level malicious modifications. PDNPulse leverages the fact that the PDN's characteristics are inevitably affected by modifications to the PCB, no matter how minuscule. By detecting changes to the PDN impedance profile and using the Frechet distance-based anomaly detection algorithms, PDNPulse can robustly and successfully discern malicious modifications across the system. Using PDNPulse, we conduct extensive experiments on seven commercial-off-the-shelf PCBs, covering different design scales, different threat models, and seven different anomaly types. The results confirm that PDNPulse creates an effective security asymmetry between attack and defense

    Information Leakage Attacks and Countermeasures

    The scientific community has been consistently working on the pervasive problem of information leakage, uncovering numerous attack vectors, and proposing various countermeasures. Despite these efforts, leakage incidents remain prevalent, as the complexity of systems and protocols increases, and sophisticated modeling methods become more accessible to adversaries. This work studies how information leakages manifest in and impact interconnected systems and their users. We first focus on online communications and investigate leakages in the Transport Layer Security protocol (TLS). Using modern machine learning models, we show that an eavesdropping adversary can efficiently exploit meta-information (e.g., packet size) not protected by the TLS’ encryption to launch fingerprinting attacks at an unprecedented scale even under non-optimal conditions. We then turn our attention to ultrasonic communications, and discuss their security shortcomings and how adversaries could exploit them to compromise anonymity network users (even though they aim to offer a greater level of privacy compared to TLS). Following up on these, we delve into physical layer leakages that concern a wide array of (networked) systems such as servers, embedded nodes, Tor relays, and hardware cryptocurrency wallets. We revisit location-based side-channel attacks and develop an exploitation neural network. Our model demonstrates the capabilities of a modern adversary but also presents an inexpensive tool to be used by auditors for detecting such leakages early on during the development cycle. Subsequently, we investigate techniques that further minimize the impact of leakages found in production components. Our proposed system design distributes both the custody of secrets and the cryptographic operation execution across several components, thus making the exploitation of leaks difficult

    Investigating and Leveraging EM and Backscattering Side Channels for Hardware Security

    This dissertation is focused on investigating and leveraging side-channel leakage for hardware security. To help designers address and take advantage of electromagnetic (EM) side channels, two methods for locating the physical sources of EM side channels have been developed. Both methods are used to investigate how the EM side-channel sources change with frequency and program activity. The second half of this dissertation introduces two methods that use side channels for component authentication. The same properties that make side channels such a threat also make them useful for authenticating electronic components. The first method uses EM side channels for identifying integrated circuits (ICs) installed on a device. Focusing on components already integrated onto a device lets designers authenticate devices assembled by third parties. The second method uses the recently defined backscattering side channel for detecting recycled ICs. Unlike other types of side channels, backscattering is directly affected by the IC aging. Since the backscattering side channel is nondestructive and requires no additional circuitry on the IC, it is low cost. The effect of aging on the side channel is then investigated through simulation and experimentation. Ph.D.

    Hardware Attacks and Mitigation Techniques

    Today, electronic devices have been widely deployed in our daily lives, basic infrastructure such as financial and communication systems, and military systems. Over the past decade, there have been a growing number of threats against them, posing great danger to these systems. Hardware-based countermeasures offer a low-performance overhead for building secure systems. In this work, we investigate what hardware-based attacks are possible against modern computers and electronic devices. We then explore several design and verification techniques to enhance hardware security with primary focus on two areas: hardware Trojans and side-channel attacks. Hardware Trojans are malicious modifications to the original integrated circuits (ICs). Due to the trend of outsourcing designs to foundries overseas, the threat of hardware Trojans is increasing. Researchers have proposed numerous detection methods, which either take place at test-time or monitor the IC for unexpected behavior at run-time. Most of these methods require the possession of a Trojan-free IC, which is hard to obtain. In this work, we propose an innovative way to detect Trojans using reverse-engineering. Our method eliminates the need for a Trojan-free IC. In addition, it avoids the costly and error-prone steps in the reverse-engineering process and achieves significantly good detection accuracy. We also notice that in the current literature, very little effort has been made to design-time strategies that help to make test-time or run-time detection of Trojans easier. To address this issue, we develop techniques that can improve the sensitivity of designs to test-time detection approaches. Experiments show that using our method, we could detect a lot more Trojans with very small power/area overhead and no timing violations. Side-channel attack (SCA) is another form of hardware attack in which the adversary measures some side-channel information such as power, temperature, timing, etc. and deduces some critical information about the underlying system. We first investigate countermeasures for timing SCAs on cache. These attacks have been demonstrated to be able to successfully break many widely-used modern ciphers. Existing hardware countermeasures usually have heavy performance overhead. We innovatively apply 3D integration techniques to solve the problem. We investigate the implication of 3D integration on timing SCAs on cache and propose several countermeasures that utilize 3D integration techniques. Experimental results show that our countermeasures increase system security significantly while still achieving some performance gain over a 2D baseline system. We also investigate the security of Oblivious RAM (ORAM), which is a newly proposed hardware primitive to hide memory access patterns. We demonstrate both through simulations and on FPGA board that timing SCAs can break many ORAM protocols. Some general guidelines in secure ORAM implementations are also provided. We hope that our findings will motivate a new line of research in making ORAMs more secure.

    Developing Trustworthy Hardware with Security-Driven Design and Verification

    Over the past several decades, computing hardware has evolved to become smaller, yet more performant and energy-efficient. Unfortunately these advancements have come at a cost of increased complexity, both physically and functionally. Physically, the nanometer-scale transistors used to construct Integrated Circuits (ICs), have become astronomically expensive to fabricate. Functionally, ICs have become increasingly dense and feature rich to optimize application-specific tasks. To cope with these trends, IC designers outsource both fabrication and portions of Register-Transfer Level (RTL) design. Outsourcing, combined with the increased complexity of modern ICs, presents a security risk: we must trust our ICs have been designed and fabricated to specification, i.e., they do not contain any hardware Trojans. Working in a bottom-up fashion, I initially study the threat of outsourcing fabrication. While prior work demonstrates fabrication-time attacks (modifications) on IC layouts, it is unclear what makes a layout vulnerable to attack. To answer this, in my IC Attack Surface (ICAS) work, I develop a framework that quantifies the security of IC layouts. Using ICAS, I show that modern ICs leave a plethora of both placement and routing resources available for attackers to exploit. Next, to plug these gaps, I construct the first routing-centric defense (T-TER) against fabrication-time Trojans. T-TER wraps security-critical interconnects in IC layouts with tamper-evident guard wires to prevent foundry-side attackers from modifying a design. After hardening layouts against fabrication-time attacks, outsourced designs become the most critical threat. To address this, I develop a dynamic verification technique (Bomberman) to vet untrusted third-party RTL hardware for Ticking Timebomb Trojans (TTTs). 
By targeting a specific type of Trojan behavior, Bomberman does not suffer from false negatives (missed TTTs), and therefore systematically reduces the overall design-time attack surface. Lastly, to generalize the Bomberman approach to automatically discover other behaviorally-defined classes of malicious logic, I adapt coverage-guided software fuzzers to the RTL verification domain. Leveraging software fuzzers for RTL verification enables IC design engineers to optimize test coverage of third-party designs without intimate implementation knowledge. Overall, this dissertation aims to make security a first-class design objective, alongside power, performance, and area, throughout the hardware development process.
    PhD, Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies. http://deepblue.lib.umich.edu/bitstream/2027.42/169761/1/trippel_1.pd