Design of Hardware with Quantifiable Security against Reverse Engineering

Semiconductors are a 412 billion dollar industry and integrated circuits take on important roles in human life, from everyday use in smart-devices to critical applications like healthcare and aviation. Saving today\u27s hardware systems from attackers can be a huge concern considering the budget spent on designing these chips and the sensitive information they may contain. In particular, after fabrication, the chip can be subject to a malicious reverse engineer that tries to invasively figure out the function of the chip or other sensitive data. Subsequent to an attack, a system can be subject to cloning, counterfeiting, or IP theft. This dissertation addresses some issues concerning the security of hardware systems in such scenarios. First, the issue of privacy risks from approximate computing is investigated in Chapter 2. Simulation experiments show that the erroneous outputs produced on each chip instance can reveal the identity of the chip that performed the computation, which jeopardizes user privacy. The next two chapters deal with camouflaging, which is a technique to prevent reverse engineering from extracting circuit information from the layout. Chapter 3 provides a design automation method to protect camouflaged circuits against an adversary with prior knowledge about the circuit\u27s viable functions. Chapter 4 provides a method to reverse engineer camouflaged circuits. The proposed reverse engineering formulation uses Boolean Satisfiability (SAT) solving in a way that incorporates laser fault injection and laser voltage probing capabilities to figure out the function of an aggressively camouflaged circuit with unknown gate functions and connections. Chapter 5 addresses the challenge of secure key storage in hardware by proposing a new key storage method that applies threshold-defined behavior of memory cells to store secret information in a way that achieves a high degree of protection against invasive reverse engineering. This approach requires foundry support to encode the secrets as threshold voltage offsets in transistors. In Chapter 6, a secret key storage approach is introduced that does not rely on a trusted foundry. This approach only relies on the foundry to fabricate the hardware infrastructure for key generation but not to encode the secret key. The key is programmed by the IP integrator or the user after fabrication via directed accelerated aging of transistors. Additionally, this chapter presents the design of a working hardware prototype on PCB that demonstrates this scheme. Finally, chapter 7 concludes the dissertation and summarizes possible future research

Stealthy parametric hardware Trojans in VLSI Circuits

Over the last decade, hardware Trojans have gained increasing attention in academia, industry and by government agencies. In order to design reliable countermeasures, it is crucial to understand how hardware Trojans can be built in practice. This is an area that has received relatively scant treatment in the literature. In this thesis, we examine how particularly stealthy parametric Trojans can be introduced to VLSI circuits. Parametric Trojans do not require any additional logic and are purely based on subtle manipulations on the sub-transistor level to modify the parameters of few transistors which makes them very hard to detect. We introduce a design methodology to insert stealthy parametric hardware Trojans which are based on injecting extremely rare path delay faults into the netlist of the target circuit. As a case study, we apply our method to a 32-bit multiplier circuit resulting in a stealthy Trojan multiplier that computes faulty outputs for specific combinations of input pairs that are applied to the circuit. The multiplier can be used to realize bug attacks, introduced by Biham et al. in 2008. We also extend this concept and show how it can be used to attack ECDH key agreement protocols. Our method is a versatile tool for designing stealthy Trojans for a given circuit and is not restricted to multipliers and the bug attack. In this thesis we also examine how a stealthy side-channel hardware Trojan can be inserted in a provably-secure side-channel analysis protected implementation. Once the Trojan is triggered, the malicious design exhibits exploitable side-channel leakage leading to successful key recovery attacks. The underlying concept is based on a secure masked hardware implementation which does not exhibit any detectable leakage. However, by running the device at a particular clock frequency one of the requirements of the underlying masking scheme is not fulfilled anymore, and the device\u27s side-channel leakage can be exploited. We apply our technique to a Threshold Implementation of the PRESENT block cipher realized in both FPGA and ASIC. We show that triggering the Trojan makes both FPGA and ASIC prototypes vulnerable to certain SCA attacks. True random number generators (TRNGs) are an essential component of cryptographic designs, which are used to generate private keys for encryption and authentication, and are used in masking countermeasures. This thesis also presents a mechanism to design a stealthy parametric hardware Trojan for ring oscillator-based TRNGs. When the Trojan is triggered by operation at a specific high temperature the malicious TRNG generates predictable non-random outputs, yet under normal operating conditions it works correctly. Also we elaborate a stochastic model based on Markov Chains by which the attacker can use their knowledge of the Trojan to predict the TRNG outputs

HIGH FIDELITY MEASUREMENT OF BIOELECTRICAL SIGNALS

Previous research regarding the acquisition and electrical characterization of bio- electrical signals of both noninvasive “oriundis in vivo”, generally associated with elec- tromyography (EMG), electrocardiography (EKG), or electroencephalography (EEG), and active “oriundis ex vivo et vitro” material characterization, generally associated with bioimpedance spectroscopy (BIS); while successfully providing beneficial results, was ul- timately plagued with a variety of intrinsic electrical distortions [1] [2]. Conversely, the frequent manifestation of such distortions resulted in an investigation into the nature of their occurrence, which subsequently resulted in my research into the nature of such dis- tortions, the conditions in which they occur, useful techniques to model and minimize their impact, and the underlying methodology needed to obtain the highest fidelity possi- ble when acquiring such measurements. Furthermore, the techniques developed are then applied to both noninvasively obtained “oriundis in vivo” and active “oriundis ex vivo et vitro” applied bioelectrical signals, and the compensated measurements are compared with the uncompensated measurements obtained within the previously mentioned research

Ultrasensitive detection of toxocara canis excretory-secretory antigens by a nanobody electrochemical magnetosensor assay.

peer reviewedHuman Toxocariasis (HT) is a zoonotic disease caused by the migration of the larval stage of the roundworm Toxocara canis in the human host. Despite of being the most cosmopolitan helminthiasis worldwide, its diagnosis is elusive. Currently, the detection of specific immunoglobulins IgG against the Toxocara Excretory-Secretory Antigens (TES), combined with clinical and epidemiological criteria is the only strategy to diagnose HT. Cross-reactivity with other parasites and the inability to distinguish between past and active infections are the main limitations of this approach. Here, we present a sensitive and specific novel strategy to detect and quantify TES, aiming to identify active cases of HT. High specificity is achieved by making use of nanobodies (Nbs), recombinant single variable domain antibodies obtained from camelids, that due to their small molecular size (15kDa) can recognize hidden epitopes not accessible to conventional antibodies. High sensitivity is attained by the design of an electrochemical magnetosensor with an amperometric readout with all components of the assay mixed in one single step. Through this strategy, 10-fold higher sensitivity than a conventional sandwich ELISA was achieved. The assay reached a limit of detection of 2 and15 pg/ml in PBST20 0.05% or serum, spiked with TES, respectively. These limits of detection are sufficient to detect clinically relevant toxocaral infections. Furthermore, our nanobodies showed no cross-reactivity with antigens from Ascaris lumbricoides or Ascaris suum. This is to our knowledge, the most sensitive method to detect and quantify TES so far, and has great potential to significantly improve diagnosis of HT. Moreover, the characteristics of our electrochemical assay are promising for the development of point of care diagnostic systems using nanobodies as a versatile and innovative alternative to antibodies. The next step will be the validation of the assay in clinical and epidemiological contexts