Leaking Wireless ICs via Hardware Trojan-Infected Synchronization

Published: 01 September 2023

Abstract

We propose a Hardware Trojan (HT) attack in wireless Integrated Circuits (ICs) that aims at leaking sensitive information within a legitimate transmission. The HT is hidden inside the transmitter and modulates the sensitive information into the preamble of each transmitted frame, the part of the frame used to synchronize the transmitter with the receiver. The data leakage does not affect synchronization and is imperceptible to the unsuspecting nominal receiver, as it incurs no performance penalty in the communication. A knowledgeable rogue receiver, however, can recover the data using signal processing that is too expensive and impractical to be used at run-time in nominal receivers. The HT mechanism is designed at circuit level, is embedded entirely into the digital section of the RF transceiver, and has a tiny footprint. The proposed HT attack is demonstrated with measurements on a hardware platform. We demonstrate the stealthiness of the attack, i.e., its ability to evade defenses based on testing and run-time monitoring, and the robustness of the attack, i.e., the ability of the rogue receiver to recover the leaked information even under unfavorable channel conditions.


Cited By

  • Reliable Hardware Watermarks for Deep Learning Systems, IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 32, no. 4, pp. 752–762, Apr. 2024. DOI: 10.1109/TVLSI.2024.3360240
  • DAWN: Efficient Trojan Detection in Analog Circuits Using Circuit Watermarking and Neural Twins, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 43, no. 10, pp. 2930–2943, Oct. 2024. DOI: 10.1109/TCAD.2024.3384948

Published In

IEEE Transactions on Dependable and Secure Computing, Volume 20, Issue 5, Sept.-Oct. 2023, 885 pages

Publisher

IEEE Computer Society Press

Washington, DC, United States

