
Exploiting the analog properties of digital circuits for malicious hardware

Published: 23 August 2017

Abstract

While the move to smaller transistors has been a boon for performance, it has dramatically increased the cost to fabricate chips using those smaller transistors. This forces the vast majority of chip design companies to trust a third party, often overseas, to fabricate their design. To guard against shipping chips with errors (intentional or otherwise), chip design companies rely on post-fabrication testing. Unfortunately, this type of testing leaves the door open to malicious modifications, since attackers can craft attack triggers requiring a sequence of unlikely events, which will never be encountered by even the most diligent tester. In this paper, we show how a fabrication-time attacker can leverage analog circuits to create a hardware attack that is small (i.e., requires as little as one gate) and stealthy (i.e., requires an unlikely trigger sequence before affecting a chip's functionality). In the open spaces of an already placed and routed design, we construct a circuit that uses capacitors to siphon charge from nearby wires as they transition between digital values. When the capacitors are fully charged, they deploy an attack that forces a victim flip-flop to a desired value. We weaponize this attack into a remotely controllable privilege escalation by attaching the capacitor to a controllable wire and by selecting a victim flip-flop that holds the privilege bit for our processor. We implement this attack in an OR1200 processor and fabricate a chip. Experimental results show that the proposed attack works. It eludes activation by a diverse set of benchmarks and evades known defenses.


Published In

Communications of the ACM, Volume 60, Issue 9
September 2017
94 pages
ISSN: 0001-0782
EISSN: 1557-7317
DOI: 10.1145/3134526
Publisher

Association for Computing Machinery, New York, NY, United States
