Design-for-Security vs. Design-for-Testability: A Case Study on DFT Chain in Cryptographic Circuits

Abstract-Relying on a recently developed gate-level information assurance scheme, we formally analyze the security of design-for-test (DFT) scan chains, the industrial standard testing methods for fabricated chips and, for the first time, formally prove that a circuit with scan chain inserted can violate security properties. The same security assessment method is then applied to a built-in-self-test (BIST) structure where it is shown that even BIST structures can cause security vulnerabilities. To balance trustworthiness and testability, a new design-for-security (DFS) methodology is proposed which, through the modification of scan chain structure, can achieve high security without compromising the testability of the inserted scan structure. To support the task of secure scan chain insertion, a method of scan chain reshuffling is introduced. Using an AES encryption core as the testing platform, we elaborated the security assessment procedure as well as the DFS technique in balancing security and testability of cryptographic circuits

Execution Integrity with In-Place Encryption

Instruction set randomization (ISR) was initially proposed with the main goal of countering code-injection attacks. However, ISR seems to have lost its appeal since code-injection attacks became less attractive because protection mechanisms such as data execution prevention (DEP) as well as code-reuse attacks became more prevalent. In this paper, we show that ISR can be extended to also protect against code-reuse attacks while at the same time offering security guarantees similar to those of software diversity, control-flow integrity, and information hiding. We present Scylla, a scheme that deploys a new technique for in-place code encryption to hide the code layout of a randomized binary, and restricts the control flow to a benign execution path. This allows us to i) implicitly restrict control-flow targets to basic block entries without requiring the extraction of a control-flow graph, ii) achieve execution integrity within legitimate basic blocks, and iii) hide the underlying code layout under malicious read access to the program. Our analysis demonstrates that Scylla is capable of preventing state-of-the-art attacks such as just-in-time return-oriented programming (JIT-ROP) and crash-resistant oriented programming (CROP). We extensively evaluate our prototype implementation of Scylla and show feasible performance overhead. We also provide details on how this overhead can be significantly reduced with dedicated hardware support

Hardware Trojan detection using path delay fingerprint.

Abstract-Trusted IC design is a recently emerged topic since fabrication factories are moving worldwide in order to reduce cost. In order to get a low-cost but effective hardware Trojan detection method to complement traditional testing methods, a new behavior-oriented category method is proposed to divide Trojans into two categories: explicit payload Trojan and implicit payload Trojan. This categorization method makes it possible to construct Trojan models and then lower the cost of testing. Path delays of nominal chips are collected to construct a series of fingerprints, each one representing one aspect of the total characteristics of a genuine design. Chips are validated by comparing their delay parameters to the fingerprints. The comparison of path delays makes small Trojan circuits significant from a delay point of view. The experiment's results show that the detection rate on explicit payload Trojans is 100%, while this method should be developed further if used to detect implicit payload Trojans

PDNPulse: Sensing PCB Anomaly with the Intrinsic Power Delivery Network

The ubiquitous presence of printed circuit boards (PCBs) in modern electronic systems and embedded devices makes their integrity a top security concern. To take advantage of the economies of scale, today's PCB design and manufacturing are often performed by suppliers around the globe, exposing them to many security vulnerabilities along the segmented PCB supply chain. Moreover, the increasing complexity of the PCB designs also leaves ample room for numerous sneaky board-level attacks to be implemented throughout each stage of a PCB's lifetime, threatening many electronic devices. In this paper, we propose PDNPulse, a power delivery network (PDN) based PCB anomaly detection framework that can identify a wide spectrum of board-level malicious modifications. PDNPulse leverages the fact that the PDN's characteristics are inevitably affected by modifications to the PCB, no matter how minuscule. By detecting changes to the PDN impedance profile and using the Frechet distance-based anomaly detection algorithms, PDNPulse can robustly and successfully discern malicious modifications across the system. Using PDNPulse, we conduct extensive experiments on seven commercial-off-the-shelf PCBs, covering different design scales, different threat models, and seven different anomaly types. The results confirm that PDNPulse creates an effective security asymmetry between attack and defense