Stealthy parametric hardware Trojans in VLSI Circuits
Over the last decade, hardware Trojans have gained increasing attention in academia, industry and by government agencies. In order to design reliable countermeasures, it is crucial to understand how hardware Trojans can be built in practice. This is an area that has received relatively scant treatment in the literature. In this thesis, we examine how particularly stealthy parametric Trojans can be introduced to VLSI circuits. Parametric Trojans do not require any additional logic and are purely based on subtle manipulations on the sub-transistor level to modify the parameters of a few transistors, which makes them very hard to detect.
We introduce a design methodology to insert stealthy parametric hardware Trojans which are based on injecting extremely rare path delay faults into the netlist of the target circuit. As a case study, we apply our method to a 32-bit multiplier circuit, resulting in a stealthy Trojan multiplier that computes faulty outputs only for specific combinations of input pairs applied to the circuit. The multiplier can be used to realize bug attacks, introduced by Biham et al. in 2008. We also extend this concept and show how it can be used to attack ECDH key agreement protocols. Our method is a versatile tool for designing stealthy Trojans for a given circuit and is not restricted to multipliers and the bug attack.
In this thesis we also examine how a stealthy side-channel hardware Trojan can be inserted in a provably-secure side-channel analysis protected implementation. Once the Trojan is triggered, the malicious design exhibits exploitable side-channel leakage leading to successful key recovery attacks. The underlying concept is based on a secure masked hardware implementation which does not exhibit any detectable leakage. However, by running the device at a particular clock frequency, one of the requirements of the underlying masking scheme is no longer fulfilled, and the device's side-channel leakage can be exploited. We apply our technique to a Threshold Implementation of the PRESENT block cipher realized in both FPGA and ASIC. We show that triggering the Trojan makes both FPGA and ASIC prototypes vulnerable to certain SCA attacks.
True random number generators (TRNGs) are an essential component of cryptographic designs: they are used to generate private keys for encryption and authentication, and they are used in masking countermeasures. This thesis also presents a mechanism to design a stealthy parametric hardware Trojan for ring oscillator-based TRNGs. When the Trojan is triggered by operation at a specific high temperature, the malicious TRNG generates predictable non-random outputs, yet under normal operating conditions it works correctly. We also elaborate a stochastic model based on Markov chains by which the attacker can use their knowledge of the Trojan to predict the TRNG outputs.
A Design Methodology for Stealthy Parametric Trojans and Its Application to Bug Attacks
Over the last decade, hardware Trojans have gained increasing attention in academia, industry and by government agencies. In order to design reliable countermeasures, it is crucial to understand how hardware Trojans can be built in practice. This is an area that has received relatively scant treatment in the literature. In this contribution, we examine how particularly stealthy Trojans can be introduced to a given target circuit. The Trojans are triggered by violating the delays of very rare combinational logic paths. These are parametric Trojans, i.e., they do not require any additional logic and are purely based on subtle manipulations on the sub-transistor level to modify the parameters of the transistors. The Trojan insertion is based on a two-phase approach. In the first phase, a SAT-based algorithm identifies rarely sensitized paths in a combinational circuit. In the second phase, a genetic algorithm smartly distributes delays for each gate to minimize the number of faults caused by random vectors.
As a case study, we apply our method to a 32-bit multiplier circuit resulting in a stealthy Trojan multiplier. This Trojan multiplier only computes faulty outputs if specific combinations of input pairs are applied to the circuit. The multiplier can be used to realize bug attacks, introduced by Biham et al. In addition to the bug attacks proposed previously, we extend this concept for the specific fault model of the path delay Trojan multiplier and show how it can be used to attack ECDH key agreement protocols.
Our method is a general approach to path delay faults. It is a versatile tool for designing stealthy Trojans for a given circuit and is not restricted to multipliers and the bug attack.