104 research outputs found
Design-for-Security vs. Design-for-Testability: A Case Study on DFT Chain in Cryptographic Circuits
Relying on a recently developed gate-level information assurance scheme, we formally analyze the security of design-for-test (DFT) scan chains, the industrial standard testing methods for fabricated chips and, for the first time, formally prove that a circuit with scan chain inserted can violate security properties. The same security assessment method is then applied to a built-in-self-test (BIST) structure where it is shown that even BIST structures can cause security vulnerabilities. To balance trustworthiness and testability, a new design-for-security (DFS) methodology is proposed which, through the modification of scan chain structure, can achieve high security without compromising the testability of the inserted scan structure. To support the task of secure scan chain insertion, a method of scan chain reshuffling is introduced. Using an AES encryption core as the testing platform, we elaborated the security assessment procedure as well as the DFS technique in balancing security and testability of cryptographic circuits.
Execution Integrity with In-Place Encryption
Instruction set randomization (ISR) was initially proposed with the main goal
of countering code-injection attacks. However, ISR seems to have lost its
appeal since code-injection attacks became less attractive because protection
mechanisms such as data execution prevention (DEP) as well as code-reuse
attacks became more prevalent.
In this paper, we show that ISR can be extended to also protect against
code-reuse attacks while at the same time offering security guarantees similar
to those of software diversity, control-flow integrity, and information hiding.
We present Scylla, a scheme that deploys a new technique for in-place code
encryption to hide the code layout of a randomized binary, and restricts the
control flow to a benign execution path. This allows us to i) implicitly
restrict control-flow targets to basic block entries without requiring the
extraction of a control-flow graph, ii) achieve execution integrity within
legitimate basic blocks, and iii) hide the underlying code layout under
malicious read access to the program. Our analysis demonstrates that Scylla is
capable of preventing state-of-the-art attacks such as just-in-time
return-oriented programming (JIT-ROP) and crash-resistant oriented programming
(CROP). We extensively evaluate our prototype implementation of Scylla and show
feasible performance overhead. We also provide details on how this overhead can
be significantly reduced with dedicated hardware support.
Hardware Trojan detection using path delay fingerprint.
Trusted IC design is a recently emerged topic since fabrication factories are moving worldwide in order to reduce cost. In order to get a low-cost but effective hardware Trojan detection method to complement traditional testing methods, a new behavior-oriented category method is proposed to divide Trojans into two categories: explicit payload Trojan and implicit payload Trojan. This categorization method makes it possible to construct Trojan models and then lower the cost of testing. Path delays of nominal chips are collected to construct a series of fingerprints, each one representing one aspect of the total characteristics of a genuine design. Chips are validated by comparing their delay parameters to the fingerprints. The comparison of path delays makes small Trojan circuits significant from a delay point of view. The experiment's results show that the detection rate on explicit payload Trojans is 100%, while this method should be developed further if used to detect implicit payload Trojans.
PDNPulse: Sensing PCB Anomaly with the Intrinsic Power Delivery Network
The ubiquitous presence of printed circuit boards (PCBs) in modern electronic
systems and embedded devices makes their integrity a top security concern. To
take advantage of the economies of scale, today's PCB design and manufacturing
are often performed by suppliers around the globe, exposing them to many
security vulnerabilities along the segmented PCB supply chain. Moreover, the
increasing complexity of the PCB designs also leaves ample room for numerous
sneaky board-level attacks to be implemented throughout each stage of a PCB's
lifetime, threatening many electronic devices. In this paper, we propose
PDNPulse, a power delivery network (PDN) based PCB anomaly detection framework
that can identify a wide spectrum of board-level malicious modifications.
PDNPulse leverages the fact that the PDN's characteristics are inevitably
affected by modifications to the PCB, no matter how minuscule. By detecting
changes to the PDN impedance profile and using the Frechet distance-based
anomaly detection algorithms, PDNPulse can robustly and successfully discern
malicious modifications across the system. Using PDNPulse, we conduct extensive
experiments on seven commercial-off-the-shelf PCBs, covering different design
scales, different threat models, and seven different anomaly types. The results
confirm that PDNPulse creates an effective security asymmetry between attack
and defense.