Cited By
View all- Gao MBiswas LAsadi NForte D(2024)Detour-RS: Reroute Attack Vulnerability Assessment with Awareness of the Layout and ResourceCryptography10.3390/cryptography80200138:2(13)Online publication date: 6-Apr-2024
T-TER: Defeating A2 Trojans with Targeted Tamper-Evident Routing
Pages 746 - 759
Abstract
Since the inception of the Integrated Circuit (IC), the size of the transistors used to construct them has continually shrunk. While this advancement significantly improves computing capability, fabrication costs have skyrocketed. As a result, most IC designers must now outsource fabrication. Outsourcing, however, presents a security threat: comprehensive post-fabrication inspection is infeasible given the size of modern ICs, so it is nearly impossible to know if the foundry has altered the original design during fabrication (i.e., inserted a hardware Trojan). Defending against a foundry-side adversary is challenging because—even with as few as two gates—hardware Trojans can completely undermine software security. Researchers have attempted to both detect and prevent foundry-side attacks, but all existing defenses are ineffective against additive Trojans with footprints of a few gates or less.
We present Targeted Tamper-Evident Routing (T-TER), a layout-level defense against untrusted foundries, capable of thwarting the insertion of even the stealthiest hardware Trojans. T-TER is directed and routing-centric: it prevents foundry-side attackers from routing Trojan wires to, or directly adjacent to, security-critical wires by shielding them with guard wires. Unlike shield wires commonly deployed for cross-talk reduction, T-TER guard wires pose an additional technical challenge: they must be tamper-evident in both the digital (deletion attacks) and analog (move and jog attacks) domains. We address this challenge by developing a class of designed-in guard wires that are added to the design specifically to protect security-critical wires. T-TER’s guard wires incur minimal overhead, scale with design complexity, and provide tamper-evidence against attacks. We implement automated tools (on top of commercial CAD tools) for deploying guard wires around targeted nets within an open-source System-on-Chip. Lastly, using an existing IC threat assessment toolchain, we show T-TER defeats even the stealthiest known hardware Trojan, with ≈ 1% overhead.
References
[1]
Dakshi Agrawal, Selcuk Baktir, Deniz Karakoyunlu, Pankaj Rohatgi, and Berk Sunar. 2007. Trojan Detection using IC fingerprinting. In IEEE Symposium on Security and Privacy (S&P).
[2]
Yousra Alkabani and Farinaz Koushanfar. 2008. Designer’s hardware Trojan horse. In IEEE International Workshop on Hardware-Oriented Security and Trust (HOST).
[3]
Papa-Sidy Ba, Sophie Dupuis, Manikandan Palanichamy, Giorgio Di Natale, Bruno Rouzeyre, 2016. Hardware Trust through Layout Filling: a Hardware Trojan Prevention Technique. In IEEE Computer Society Annual Symposium on VLSI (ISVLSI).
[4]
Papa-Sidy Ba, Manikandan Palanichamy, Sophie Dupuis, Marie-Lise Flottes, Giorgio Di Natale, and Bruno Rouzeyre. 2015. Hardware Trojan prevention using layout-level design approach. In European Conference on Circuit Theory and Design (ECCTD).
[5]
Halil B Bakoglu. 1990. Circuits, Interconnections, and Packaging for VLSI.
[6]
Josep Balasch, Benedikt Gierlichs, and Ingrid Verbauwhede. 2015. Electromagnetic circuit fingerprints for hardware trojan detection. In IEEE International Symposium on Electromagnetic Compatibility (EMC).
[7]
Mark Beaumont, Bradley Hopkins, and Tristan Newby. 2011. Hardware trojans-prevention, detection, countermeasures (a literature review). Technical Report. Defence Science and Technology Organization Edinburgh (Australia).
[8]
Georg T Becker, Francesco Regazzoni, Christof Paar, and Wayne P Burleson. 2013. Stealthy dopant-level hardware trojans. In International Workshop on Cryptographic Hardware and Embedded Systems (CHES).
[9]
Duane Boning and Sani Nassif. 2000. Models of process variations in device and interconnect. Design of high performance microprocessor circuits (2000).
[10]
Cadence Design Systems. [n. d.]. Innovus Implementation System. https://www.cadence.com/content/cadence-www/global/en_US/home.html.
[11]
Yongming Cai, Zhiyong Wang, Rajen Dias, and Deepak Goyal. 2010. Electro Optical Terahertz Pulse Reflectometry—an innovative fault isolation tool. In Electronic Components and Technology Conference (ECTC), 2010 Proceedings 60th.
[12]
Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia. 2009. Hardware Trojan: Threats and emerging solutions. In IEEE International High Level Design Validation and Test Workshop (HLDVT). IEEE.
[13]
Ming-Kun Chen, Cheng-Chi Tai, and Yu-Jung Huang. 2006. Nondestructive analysis of interconnection in two-die BGA using TDR. IEEE Transactions on Instrumentation and Measurement (2006).
[14]
Domenic Forte, Chongxi Bao, and Ankur Srivastava. 2013. Temperature tracking: An innovative run-time approach for hardware Trojan detection. In IEEE/ACM International Conference on Computer-Aided Design (ICCAD).
[15]
Leonard A Hayden and Vijai K Tripathi. 1994. Characterization and modeling of multiple line interconnections from time domain measurements. IEEE Transactions on Microwave Theory and Techniques (1994).
[16]
Matthew Hicks, Murph Finnicum, Samuel T. King, Milo M. K. Martin, and Jonathan M. Smith. 2010. Overcoming an Untrusted Computing Base: Detecting and Removing Malicious Hardware Automatically. In IEEE Symposium on Security and Privacy (S&P).
[17]
Matthew Hicks, Cynthia Sturton, Samuel T. King, and Jonathan M. Smith. 2015. SPECS: A Lightweight Runtime Mechanism for Protecting Software from Security-Critical Processor Bugs. In International Conference on Architectural Support for Programming Languages and Operating Systems(ASPLOS).
[18]
Simon Hollis and Simon W Moore. 2006. RasP: an area-efficient, on-chip network. In 2006 International Conference on Computer Design. IEEE, 63–69.
[19]
Simon J Hollis. 2009. Pulse generation for on-chip data transmission. In 2009 12th Euromicro Conference on Digital System Design, Architectures, Methods and Tools. IEEE, 303–310.
[20]
Yumin Hou, Hu He, Kaveh Shamsi, Yier Jin, Dong Wu, and Huaqiang Wu. 2018. R2D2: Runtime reassurance and detection of A2 trojan. In International Symposium on Hardware Oriented Security and Trust (HOST). IEEE.
[21]
Ching-Wen Hsue and Te-Wen Pan. 1997. Reconstruction of nonuniform transmission lines from time-domain reflectometry. IEEE Transactions on Microwave Theory and Techniques (1997).
[22]
Frank Imeson, Ariq Emtenan, Siddharth Garg, and Mahesh Tripunitara. 2013. Securing Computer Hardware Using 3D Integrated Circuit (IC) Technology and Split Manufacturing for Obfuscation. In USENIX Security Symposium.
[23]
Yier Jin, Nathan Kupp, and Yiorgos Makris. 2010. DFTT: Design for Trojan test. In IEEE International Conference on Electronics, Circuits, and Systems (ICECS).
[24]
Yier Jin and Yiorgos Makris. 2008. Hardware Trojan detection using path delay fingerprint. In IEEE International Workshop on Hardware-Oriented Security and Trust (HOST).
[25]
Shane Kelly, Xuehui Zhang, Mohammed Tehranipoor, and Andrew Ferraiuolo. 2015. Detecting hardware trojans using on-chip sensors in an ASIC design. Journal of Electronic Testing 31, 1 (2015), 11–26.
[26]
Samuel T. King, Joseph Tucek, Anthony Cozzie, Chris Grier, Weihang Jiang, and Yuanyuan Zhou. 2008. Designing and Implementing Malicious Hardware. In Proceedings of the Usenix Workshop on Large-Scale Exploits and Emergent Threats (LEET).
[27]
Angus I Kingon, Jon-Paul Maria, and SK Streiffer. 2000. Alternative dielectrics to silicon dioxide for memory and logic devices. Nature (2000).
[28]
Raghavan Kumar, Philipp Jovanovic, Wayne Burleson, and Ilia Polian. 2014. Parametric trojans for fault-injection attacks on cryptographic hardware. In Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC).
[29]
Mark Lapedus. 2017. Battling Fab Cycle Times. https://semiengineering.com/battling-fab-cycle-times/.
[30]
Mark Lapedus. 2018. Big Trouble At 3nm. https://semiengineering.com/big-trouble-at-3nm/.
[31]
Mark Lapedus. 2018. GF Puts 7nm On Hold. https://semiengineering.com/gf-puts-7nm-on-hold/.
[32]
Jie Li and John Lach. 2008. At-speed delay characterization for IC authentication and Trojan horse detection. In IEEE International Workshop on Hardware-Oriented Security and Trust (HOST).
[33]
Jun Jun Lim, Nor Adila Johari, Subhash C Rustagi, and Narain D Arora. 2014. Characterization of Interconnect Process Variation in CMOS Using Electrical Measurements and Field Solver. IEEE Transactions on Electron Devices (2014).
[34]
Lang Lin, Markus Kasper, Tim Güneysu, Christof Paar, and Wayne Burleson. 2009. Trojan Side-Channels: Lightweight Hardware Trojans through Side-Channel Engineering. In International Workshop on Cryptographic Hardware and Embedded Systems (CHES).
[35]
Timothy Linscott, Pete Ehrett, Valeria Bertacco, and Todd Austin. 2018. SWAN: mitigating hardware trojans with design ambiguity. In IEEE/ACM International Conference on Computer-Aided Design (ICCAD). IEEE.
[36]
MIT Lincoln Laboratory. [n. d.]. Common Evaluation Platform. https://github.com/mit-ll/CEP.
[37]
Michael Nagel, Alexander Michalski, and Heinrich Kurz. 2011. Contact-free fault location and imaging with on-chip terahertz time-domain reflectometry. Optics Express (2011).
[38]
Seetharam Narasimhan, Xinmu Wang, Dongdong Du, Rajat Subhra Chakraborty, and Swarup Bhunia. 2011. TeSR: A robust temporal self-referencing approach for hardware Trojan detection. In IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).
[39]
C Odegard and C Lambert. 1999. Comparative TDR analysis as a packaging FA tool. In ISTFA 1999: 25 th International Symposium for Testing and Failure Analysis.
[40]
OpenCores.org. [n. d.]. OpenRISC OR1200 Processor. https://github.com/openrisc/or1200.
[41]
Dan L Philen, Ian A White, Jane F Kuhl, and Stephen C Mettler. 1982. Single-mode fiber OTDR: Experiment and theory. IEEE Transactions on Microwave Theory and Techniques (1982).
[42]
Miodrag Potkonjak, Ani Nahapetian, Michael Nelson, and Tammara Massey. 2009. Hardware Trojan horse detection using gate-level characterization. In Proceedings of ACM/IEEE Design Automation Conference (DAC).
[43]
Masoud Rostami, Farinaz Koushanfar, Jeyavijayan Rajendran, and Ramesh Karri. 2013. Hardware Security: Threat Models and Metrics. In Proceedings of the International Conference on Computer-Aided Design (ICCD).
[44]
Yuriy Shiyanovskii, F Wolff, Aravind Rajendran, C Papachristou, D Weyer, and W Clay. 2010. Process reliability based trojans through NBTI and HCI effects. In NASA/ESA Conference on Adaptive Hardware and Systems (AHS).
[45]
D Smolyansky. 2004. Electronic Package Fault Isolation Using TDR. ASM International (2004).
[46]
PI Somlo and DL Hollway. 1969. Microwave Locating Reflectometer. Electronics Letters (1969).
[47]
Ed Sperling. 2018. Design Rule Complexity Rising. https://semiengineering.com/design-rule-complexity-rising/.
[48]
Takeshi Sugawara, Daisuke Suzuki, Ryoichi Fujii, Shigeaki Tawa, Ryohei Hori, Mitsuru Shiozaki, and Takeshi Fujino. 2014. Reversing stealthy dopant-level circuits. In International Workshop on Cryptographic Hardware and Embedded Systems (CHES).
[49]
James Sutherland. 1999. As Edge speeds increase, wires become transmission lines. EDN (1999).
[50]
MY Tay, L Cao, M Venkata, L Tran, W Donna, W Qiu, J Alton, PF Taday, and M Lin. 2012. Advanced fault isolation technique using electro-optical terahertz pulse reflectometry. In Physical and Failure Analysis of Integrated Circuits (IPFA), 2012 19th IEEE International Symposium on the.
[51]
Mohammad Tehranipoor and Farinaz Koushanfar. 2010. A survey of hardware trojan taxonomy and detection. IEEE Design & Test of Computers 27, 1 (2010).
[52]
TeraView. [n. d.]. Electro Optical Terahertz Pulse Reflectometry: The world’s fastest and most accurate fault isolation system.
[53]
Mohit Tiwari, Hassan M.G. Wassel, Bita Mazloom, Shashidhar Mysore, Frederic T. Chong, and Timothy Sherwood. 2009. Complete Information Flow Tracking from the Gates Up. In International Conference on Architectural Support for Programming Languages and Operating Systems(ASPLOS). 109–120.
[54]
Timothy Trippel, Kang G. Shin, Kevin B. Bush, and Matthew Hicks. 2020. ICAS: an Extensible Framework for Estimating the Susceptibility of IC Layouts to Additive Trojans. In IEEE Symposium on Security and Privacy (S&P).
[55]
Timothy Trippel, Kang G. Shin, Kevin B. Bush, and Matthew Hicks. 2021. Bomberman: Defining and Defeating Hardware Ticking Timebombs at Design-time. In To appear in the IEEE Symposium on Security and Privacy (S&P).
[56]
TSMC. 2019. TSMC Fabrication Schedule — 2019. https://www.mosis.com/db/pubf/fsched?ORG=TSMC.
[57]
Denys Vlasenko. [n. d.]. BusyBox. https://www.busybox.net/.
[58]
Adam Waksman, Matthew Suozzo, and Simha Sethumadhavan. 2013. FANCI: identification of stealthy malicious logic using boolean functional analysis. In Proceedings of the ACM SIGSAC Conference on Computer & Communications Security (CCS).
[59]
Huanyu Wang, Qihang Shi, Adib Nahiyan, Domenic Forte, and Mark M Tehranipoor. 2019. A physical design flow against front-side probing attacks by internal shielding. Transactions on Computer-Aided Design of Integrated Circuits and Systems (2019).
[60]
Yujie Wang, Pu Chen, Jiang Hu, and Jeyavijayan JV Rajendran. 2017. Routing perturbation for enhanced security in split manufacturing. In 22nd Asia and South Pacific Design Automation Conference (ASP-DAC). IEEE.
[61]
Stephen Williams. [n. d.]. Icarus Verilog. http://iverilog.icarus.com/.
[62]
Francis Wolff, Chris Papachristou, Swarup Bhunia, and Rajat S Chakraborty. 2008. Towards Trojan-free trusted ICs: Problem analysis and detection scheme. In Proceedings of the ACM Conference on Design, Automation and Test in Europe (DATE).
[63]
Kan Xiao, Domenic Forte, Yier Jin, Ramesh Karri, Swarup Bhunia, and Mohammad Tehranipoor. 2016. Hardware trojans: Lessons learned after one decade of research. Transactions on Design Automation of Electronic Systems (TODAES) (2016).
[64]
Kan Xiao and Mohammed Tehranipoor. 2013. BISA: Built-in self-authentication for preventing hardware Trojan insertion. In IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).
[65]
Kaiyuan Yang, Matthew Hicks, Qing Dong, Todd Austin, and Dennis Sylvester. 2016. A2: Analog malicious hardware. In IEEE Symposium on Security and Privacy (S&P).
[66]
Rui Zhang, Natalie Stanley, Christopher Griggs, Andrew Chi, and Cynthia Sturton. 2017. Identifying Security Critical Properties for the Dynamic Verification of a Processor. In International Conference on Architectural Support for Programming Languages and Operating Systems(ASPLOS).
[67]
Rui Zhang and Cynthia Sturton. 2020. Transys: Leveraging Common Security Properties Across Hardware Designs. In IEEE Symposium on Security and Privacy (S&P).
[68]
Xuehui Zhang and Mohammad Tehranipoor. 2011. RON: An on-chip ring oscillator network for hardware Trojan detection. In 2011 Design, Automation & Test in Europe. IEEE, 1–6.
[69]
Boyou Zhou, Ronen Adato, Mahmoud Zangeneh, Tianyu Yang, Aydan Uyar, Bennett Goldberg, Selim Unlu, and Ajay Joshi. 2015. Detecting hardware trojans using backside optical imaging of embedded watermarks. In Proceedings of IEEE Design Automation Conference (DAC).
Index Terms
- T-TER: Defeating A2 Trojans with Targeted Tamper-Evident Routing
Recommendations
Tamper Evident Microprocessors
SP '10: Proceedings of the 2010 IEEE Symposium on Security and PrivacyMost security mechanisms proposed to date unquestioningly place trust in microprocessor hardware. This trust, however, is misplaced and dangerous because microprocessors are vulnerable to insider attacks that can catastrophically compromise security, ...
A sensitivity analysis of power signal methods for detecting hardware Trojans under real process and environmental conditions
Trust in reference to integrated circuits addresses the concern that the design and/or fabrication of the integrated circuit (IC) may be purposely altered by an adversary. The insertion of a hardware Trojan involves a deliberate and malicious change to ...
Side-channel analysis of MAC-Keccak hardware implementations
HASP '15: Proceedings of the Fourth Workshop on Hardware and Architectural Support for Security and PrivacyAs Keccak has been selected as the new SHA-3 standard, Message Authentication Code (MAC) (MAC-Keccak) using a secret key will be widely used for integrity checking and authenticity assurance. Recent works have shown the feasibility of side-channel ...
Comments
Information & Contributors
Information
Published In
July 2023
1066 pages
Copyright © 2023 ACM.
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 10 July 2023
Check for updates
Author Tags
Qualifiers
- Research-article
- Research
- Refereed limited
Conference
ASIA CCS '23
Sponsor:
ASIA CCS '23: ACM Asia Conference on Computer and Communications Security
July 10 - 14, 2023
VIC, Melbourne, Australia
Acceptance Rates
Overall Acceptance Rate 418 of 2,322 submissions, 18%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- View Citations1Total Citations
- 80Total Downloads
- Downloads (Last 12 months)51
- Downloads (Last 6 weeks)3
Reflects downloads up to 14 Oct 2024
Other Metrics
Citations
Cited By
View all- Gao MBiswas LAsadi NForte D(2024)Detour-RS: Reroute Attack Vulnerability Assessment with Awareness of the Layout and ResourceCryptography10.3390/cryptography80200138:2(13)Online publication date: 6-Apr-2024
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign inFull Access
View options
View or Download as a PDF file.
PDFeReader
View online with eReader.
eReaderHTML Format
View this article in HTML Format.
HTML Format