research-article

Soft-HaT: Software-Based Silicon Reprogramming for Hardware Trojan Implementation

Authors:

Md Mahbub Alam,

Domenic Forte, and

Mark TehranipoorAuthors Info & Claims

ACM Transactions on Design Automation of Electronic Systems (TODAES), Volume 25, Issue 4

Article No.: 35, Pages 1 - 22

https://doi.org/10.1145/3396521

Published: 23 June 2020 Publication History

Abstract

A hardware Trojan is a malicious modification to an integrated circuit (IC) made by untrusted third-party vendors, fabrication facilities, or rogue designers. Although existing hardware Trojans are designed to be stealthy, they can, in theory, be detected by post-manufacturing and acceptance tests due to their physical connections to IC logic. Manufacturing tests can potentially trigger the Trojan and propagate its payload to an output. Even if the Trojan is not triggered, the physical connections to the IC can enable detection due to additional side-channel activity (e.g., power consumption). In this article, we propose a novel hardware Trojan design, called Soft-HaT, which only becomes physically connected to other IC logic after activation by a software program. Using an electrically programmable fuse (E-fuse), the hardware can be “re-programmed” remotely. We illustrate how Soft-HaT can be used for offensive applications in system-on-chips. Examples of Soft-HaT attacks are demonstrated on an open source system-on-chip (OrpSoC) and implemented in Virtex-7 FPGA to show their efficacy in terms of stealthiness.

References

[1]

Semiconductor Engineering. 2016. The Benefits of Antifuse OTP. Retrieved May 28, 2020 from http://semiengineering.com/the-benefits-of-antifuse-otp/.

[2]

Jim Aarestad, Dhruva Acharyya, Reza Rad, and Jim Plusquellic. 2010. Detecting Trojans through leakage current analysis using multiple supply pad IDDQs. IEEE Transactions on Information Forensics and Security 5, 4 (2010), 893--904.

Digital Library

[3]

Dakshi Agrawal, Selcuk Baktir, Deniz Karakoyunlu, Pankaj Rohatgi, and Berk Sunar. 2007. Trojan detection using IC fingerprinting. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (SP’07). IEEE, Los Alamitos, CA, 296--310.

Digital Library

[4]

M. M. Alam, S. Tajik, F. Ganji, M. Tehranipoor, and D. Forte. 2019. RAM-Jam: Remote temperature and voltage fault attack on FPGAs using memory collisions. In Proceedings of the 2019 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC’19). 48--55.

[5]

Davide Baderna, Alessandro Cabrini, Marco Pasotti, and Guido Torelli. 2006. Power efficiency evaluation in Dickson and voltage doubler charge pump topologies. Microelectronics Journal 37, 10 (2006), 1128--1135.

[6]

Eric Balard, Alain Chateau, and Jerome Azema. 2009. Run-time firmware authentication. US Patent 7,539,868.

[7]

Mainak Banga and Michael S. Hsiao. 2009. A novel sustained vector technique for the detection of hardware Trojans. In Proceedings of the 2009 22nd International Conference on VLSI Design. IEEE, Los Alamitos, CA, 327--332.

[8]

Mark Beaumont, Bradley Hopkins, and Tristan Newby. 2011. Hardware Trojans—Prevention, Detection, Countermeasures (a Literature Review). Technical Report. Defence Science and Technology Organization Edinburgh (Australia) Command.

[9]

Georg T. Becker, Francesco Regazzoni, Christof Paar, and Wayne P. Burleson. 2013. Stealthy dopant-level hardware Trojans. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. 197--214.

[10]

Shivam Bhasin, Jean-Luc Danger, Sylvain Guilley, Xuan Thuy Ngo, and Laurent Sauvage. 2013. Hardware Trojan horses in cryptographic IP cores. In Proceedings of the 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC’13). IEEE, Los Alamitos, CA, 15--29.

Digital Library

[11]

Swarup Bhunia, Michael S. Hsiao, Mainak Banga, and Seetharam Narasimhan. 2014. Hardware Trojan attacks: Threat analysis and countermeasures. Proceedings of the IEEE 102, 8 (2014), 1229--1247.

[12]

Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia. 2009. Hardware Trojan: Threats and emerging solutions. In Proceedings of the IEEE International High Level Design Validation and Test Workshop (HLDVT’09). IEEE, Los Alamitos, CA, 166--171.

[13]

Rajat Subhra Chakraborty, Francis Wolff, Somnath Paul, Christos Papachristou, and Swarup Bhunia. 2009. MERO: A statistical approach for hardware Trojan detection. In Cryptographic Hardware and Embedded Systems—CHES 2009. Springer, 396--410.

[14]

Brian P. Deskin, William E. Hall, and David W. Pruden. 2010. Implementing enhanced security features in an ASIC using eFuses. US Patent 7,724,022.

[15]

Farimah Farahmandi, Yuanwen Huang, and Prabhat Mishra. 2017. Trojan localization using symbolic algebra. In Proceedings of the 2017 22nd Asia and South Pacific Design Automation Conference (ASP-DAC’17). IEEE, Los Alamitos, CA, 591--597.

[16]

P. Favrat, P. Deval, and M. J. Declercq. 1998. A high-efficiency CMOS voltage doubler. IEEE Journal of Solid-State Circuits 33, 3 (March 1998), 410--416.

[17]

Jiaji He, Yiqiang Zhao, Xiaolong Guo, and Yier Jin. 2017. Hardware Trojan detection through chip-free electromagnetic side-channel statistical analysis. IEEE Transactions on Very Large Scale Integration (VLSI) Systems 25, 10 (2017), 2939--2948.

Digital Library

[18]

John L. Hennessy and David A. Patterson. 2011. Computer Architecture: A Quantitative Approach. Elsevier.

Digital Library

[19]

Tamzidul Hoque, Seetharam Narasimhan, Xinmu Wang, Sanchita Mal-Sarkar, and Swarup Bhunia. 2017. Golden-free hardware Trojan detection with high sensitivity under process noise. Journal of Electronic Testing 33, 1 (2017), 107--124.

Digital Library

[20]

Yumin Hou, Hu He, Kaveh Shamsi, Yier Jin, Dong Wu, and Huaqiang Wu. 2018. R2D2: Runtime reassurance and detection of A2 Trojan. In Proceedings of the 2018 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST’18). IEEE, Los Alamitos, CA.

[21]

Meikei Ieong, Vijay Narayanan, Dinkar Singh, Anna Topol, Victor Chan, and Zhibin Ren. 2006. Transistor scaling with novel materials. Materials Today 9, 6 (2006), 26--31.

[22]

IC Insights. n.d. Home Page. Retrieved May 28, 2020 from http://www.icinsights.com/.

[23]

Yier Jin and Yiorgos Makris. 2008. Hardware Trojan detection using path delay fingerprint. In Proceedings of the 2008 IEEE International Workshop on Hardware-Oriented Security and Trust (HOST’08). IEEE, Los Alamitos, CA, 51--57.

[24]

Petri Mikael Johansson and Per Ståhl. 2011. Secure end-of-life handling of electronic devices. US Patent 8,060,748.

[25]

J. S. Rajesh, Koushik Chakraborty, and Sanghamitra Roy. 2018. Hardware Trojan attacks in SoC and NoC. In The Hardware Trojan War: Attacks, Myths, and Defenses, S. Bhunia and M. M. Tehranipoor (Eds.). Springer International Publishing, 55--74.

[26]

Paul Kocher, Daniel Genkin, Daniel Gruss, Werner Haas, Mike Hamburg, Moritz Lipp, Stefan Mangard, Thomas Prescher, Michael Schwarz, and Yuval Yarom. 2018. Spectre attacks: Exploiting speculative execution. arXiv:1801.01203.

[27]

C. Kothandaraman, Sundar K. Iyer, and Subramanian S. Iyer. 2002. Electrically programmable fuse (eFUSE) using electromigration in silicides. IEEE Electron Device Letters 23, 9 (2002), 523--525.

[28]

Angela Krstic and Kwang-Ting Tim Cheng. 2012. Delay Fault Testing for VLSI Circuits. Vol. 14. Springer Science 8 Business Media.

[29]

S. H. Kulkarni, Z. Chen, B. Srinivasan, B. Pedersen, U. Bhattacharya, and K. Zhang. 2015. Low-voltage metal-fuse technology featuring a 1.6 V-programmable 1T1R bit cell with an integrated 1 V charge pump in 22 nm tri-gate process. In Proceedings of the 2015 Symposium on VLSI Technology (VLSI Technology’15). IEEE, Los Alamitos, CA, C174--C175.

[30]

S. H. Kulkarni, Z. Chen, J. He, L. Jiang, M. B. Pedersen, and K. Zhang. 2010. A 4 kb metal-fuse OTP-ROM macro featuring a 2 V programmable 1.37 μ m² 1T1R bit cell in 32 nm high-k metal-gate CMOS. IEEE Journal of Solid-State Circuits 45, 4 (2010), 863--868.

[31]

MIT Lincoln Laboratory. n.d. Common Evaluation Platform. Retrieved May 28, 2020 from https://github.com/mit-ll/CEP.

[32]

Kexin Li and Shaloo Rakheja. 2019. A unified static-dynamic analytic model for ultra-scaled III-nitride high electron mobility transistors. Journal of Applied Physics 125, 13 (2019), 134503.

[33]

Lang Lin, Wayne Burleson, and Christof Paar. 2009. MOLES: Malicious off-chip leakage enabled by side-channels. In Proceedings of the 2009 International Conference on Computer-Aided Design. ACM, New York, NY, 117--122.

Digital Library

[34]

Moritz Lipp, Michael Schwarz, Daniel Gruss, Thomas Prescher, Werner Haas, Stefan Mangard, Paul Kocher, Daniel Genkin, Yuval Yarom, and Mike Hamburg. 2018. Meltdown. arXiv:1801.01207.

[35]

Bongani Christopher Mabuza. 2012. Charge Pumps and Floating Gate Devices for Switching Applications. Ph.D. Dissertation. University of Pretoria.

[36]

Amr M. Mohsen, Esmat Z. Hamdy, and John L. McCullum. 1989. Programmable low impedance anti-fuse element. US Patent 4,823,181.

[37]

Adib Nahiyan, Mehdi Sadi, Rahul Vittal, Gustavo Contreras, Domenic Forte, and Mark Tehranipoor. 2017. Hardware Trojan detection through information flow security verification. In Proceedings of the 2017 IEEE International Test Conference (ITC’17). IEEE, Los Alamitos, CA, 1--10.

[38]

Adib Nahiyan and Mark Tehranipoor. 2017. Code coverage analysis for IP trust verification. In Hardware IP Security and Trust. Springer, 53--72.

[39]

Adib Nahiyan, Kan Xiao, Kun Yang, Yier Jin, Domenic Forte, and Mark Tehranipoor. 2016. AVFSM: A framework for identifying and mitigating vulnerabilities in FSMs. In Proceedings of the 2016 53rd ACM/EDAC/IEEE Design Automation Conference (DAC’16). IEEE, Los Alamitos, CA, 1--6.

Digital Library

[40]

Seetharam Narasimhan, Xinmu Wang, Dongdong Du, Rajat Subhra Chakraborty, and Swarup Bhunia. 2011. TeSR: A robust temporal self-referencing approach for hardware Trojan detection. In Proceedings of the 2011 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST’11). IEEE, Los Alamitos, CA, 71--74.

[41]

Nahmsuk Oh, Peivand Fallah-Tehrani, and Alireza Kasnavi. 2011. Generation of engineering change order (ECO) constraints for use in selecting ECO repair techniques. US Patent 7,962,876.

[42]

OpenCores.org. n.d. OpenRISC OR1200 Processor. Retrieved May 28, 2020 from http://opencores.org/or1k/OR1200/OpenRISC/Processor.

[43]

Jungmin Park, Xiaolin Xu, Yier Jin, Domenic Forte, and Mark Tehranipoor. 2018. Power-based side-channel instruction-level disassembler. In Proceedings of the 55th Annual Design Automation Conference. ACM, New York, NY, 119.

Digital Library

[44]

Jeyavijayan Rajendran, Efstratios Gavas, Jorge Jimenez, Vikram Padman, and Ramesh Karri. 2010. Towards a comprehensive and systematic classification of hardware Trojans. In Proceedings of the 2010 IEEE International Symposium on Circuits and Systems (ISCAS’10). IEEE, Los Alamitos, CA, 1871--1874.

[45]

Jeyavijayan Rajendran, Huan Zhang, Ozgur Sinanoglu, and Ramesh Karri. 2013. High-level synthesis for security and trust. In Proceedings of the 2013 IEEE 19th InternationalOn-Line Testing Symposium (IOLTS’13). IEEE, Los Alamitos, CA, 232--233.

[46]

N. Robson, J. Safran, C. Kothandaraman, A. Cestero, X. Chen, R. Rajeevakumar, A. Leslie, D. Moy, T. Kirihata, and S. Iyer. 2007. Electrically programmable fuse (eFUSE): From memory redundancy to autonomic chips. In Proceedings of the 2007 IEEE Custom Integrated Circuits Conference. 799--804.

[47]

Masoud Rostami, Farinaz Koushanfar, and Ramesh Karri. 2014. A primer on hardware security: Models, methods, and metrics. Proceedings of the IEEE 102, 8 (2014), 1283--1295.

[48]

Hassan Salmani and Mohammed Tehranipoor. 2013. Analyzing circuit vulnerability to hardware Trojan insertion at the behavioral level. In Proceedings of the 2013 IEEE International Symposium on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT’13). IEEE, Los Alamitos, CA, 190--195.

[49]

Hassan Salmani, Mohammad Tehranipoor, and Ramesh Karri. 2013. On design vulnerability analysis and trust benchmarks development. In Proceedings of the 2013 IEEE 31st International Conference on Computer Design (ICCD’13). IEEE, Los Alamitos, CA, 471--474.

[50]

Bicky Shakya, Tony He, Hassan Salmani, Domenic Forte, Swarup Bhunia, and Mark Tehranipoor. 2017. Benchmarking of hardware Trojans and maliciously affected circuits. Journal of Hardware and Systems Security 1, 1 (2017), 85--102.

[51]

Yuriy Shiyanovskii, F. Wolff, Aravind Rajendran, C. Papachristou, D. Weyer, and W. Clay. 2010. Process reliability based Trojans through NBTI and HCI effects. In Proceedings of the 2010 NASA/ESA Conference on Adaptive Hardware and Systems (AHS’10). IEEE, Los Alamitos, CA, 215--222.

[52]

Oliver Soll, Thomas Korak, Michael Muehlberghuber, and Michael Hutter. 2014. EM-based detection of hardware Trojans on FPGAs. In Proceedings of the 2014 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST’14). IEEE, Los Alamitos, CA, 84--87.

[53]

J. A. Starzyk, Ying-Wei Jan, and Fengjing Qiu. 2001. A DC-DC charge pump design based on voltage doublers. IEEE Transactions on Circuits and Systems I: Fundamental Theory and Applications 48, 3 (March 2001), 350--359.

[54]

Takeshi Sugawara, Daisuke Suzuki, Ryoichi Fujii, Shigeaki Tawa, Ryohei Hori, Mitsuru Shiozaki, and Takeshi Fujino. 2014. Reversing stealthy dopant-level circuits. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems. 112--126.

Digital Library

[55]

William R. Tonti. 2008. eFuse design and reliability. In Integrated Reliability Workshop Final Report. IEEE, Los Alamitos, CA,114.

[56]

Adam Waksman, Matthew Suozzo, and Simha Sethumadhavan. 2013. FANCI: Identification of stealthy malicious logic using Boolean functional analysis. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security. ACM, New York, NY, 697--708.

Digital Library

[57]

Jieh-Tsorng Wu and Kuen-Long Chang. 1998. MOS charge pumps for low-voltage operation. IEEE Journal of Solid-State Circuits 33, 4 (1998), 592--597.

[58]

Tony F. Wu, Karthik Ganesan, Yunqing Alexander Hu, H.-S. Philip Wong, S. Simon Wong, and Subhasish Mitra. 2016. TPAD: Hardware Trojan prevention and detection for trusted integrated circuits.IEEE Transactions on CAD of Integrated Circuits and Systems 35, 4 (2016), 521--534.

[59]

K. Xiao, D. Forte, Y. Jin, R. Karri, S. Bhunia, and M. Tehranipoor. 2016. Hardware Trojans: Lessons learned after one decade of research. ACM Transactions on Design Automation of Electronic Systems 22, 1 (May 2016), Article 6, 23 pages.

Digital Library

[60]

Kan Xiao, Domenic Forte, Yier Jin, Ramesh Karri, Swarup Bhunia, and M. Tehranipoor. 2016. Hardware Trojans: Lessons learned after one decade of research. ACM Transactions on Design Automation of Electronic Systems 22, 1 (2016), 6.

Digital Library

[61]

Kan Xiao and Mohammed Tehranipoor. 2013. BISA: Built-in self-authentication for preventing hardware Trojan insertion. In Proceedings of the 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST’13). IEEE, Los Alamitos, CA, 45--50.

[62]

Xilinx. n.d. Virtex-7. Retrieved May 28, 2020 from https://www.xilinx.com/products/boards-and-kits/dk-v7-vc709-g.html.

[63]

Kaiyuan Yang, Matthew Hicks, Qing Dong, Todd Austin, and Dennis Sylvester. 2016. A2: Analog malicious hardware. In Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP’16). IEEE, Los Alamitos, CA, 18--37.

Cited By

Sadi MTalukder BMishty KRahman M(2023)Attacking Deep Learning AI Hardware with Universal Adversarial PerturbationInformation10.3390/info1409051614:9(516)Online publication date: 19-Sep-2023
https://doi.org/10.3390/info14090516
Gupta NDesai MWijtvliet MRai SKumar AOshana R(2022)DELTAProceedings of the 59th ACM/IEEE Design Automation Conference10.1145/3489517.3530666(787-792)Online publication date: 10-Jul-2022
https://dl.acm.org/doi/10.1145/3489517.3530666

Index Terms

Soft-HaT: Software-Based Silicon Reprogramming for Hardware Trojan Implementation
1. Security and privacy
  1. Security in hardware
    1. Hardware attacks and countermeasures
      1. Malicious design modifications

Recommendations

Hardware trojans in 3-D ICs due to NBTI effects and countermeasure

Going vertical as in 3-D IC design, reduces the distance between vertical active silicon dies, allowing more dies to be placed closer to each other. However, putting 2-D IC into three-dimensional structure leads to thermal accumulation due to closer ...
Read More
Red team vs. blue team hardware trojan analysis: detection of a hardware trojan on an actual ASIC
HASP '13: Proceedings of the 2nd International Workshop on Hardware and Architectural Support for Security and Privacy

We infiltrate the ASIC development chain by inserting a small denial-of-service (DoS) hardware Trojan at the fabrication design phase into an existing VLSI circuit, thereby simulating an adversary at a semiconductor foundry. Both the genuine and the ...
Read More
Fault attack on AES via hardware Trojan insertion by dynamic partial reconfiguration of FPGA over ethernet
WESS '14: Proceedings of the 9th Workshop on Embedded Systems Security

We describe a novel methodology to exploit the widely used Dynamic Partial Reconfiguration (DPR) support in Field Programmable Gate Arrays (FPGAs) to implant a hardware Trojan in an Advanced Encryption Standard (AES) encryption circuit implemented on a ...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Design Automation of Electronic Systems

ACM Transactions on Design Automation of Electronic Systems Volume 25, Issue 4

July 2020

153 pages

ISSN:1084-4309

EISSN:1557-7309

DOI:10.1145/3402047

Editor:
X. Sharon Hu
University of Notre Dame, USA

Issue’s Table of Contents

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Journal Family

ACM Journals for the Design of Smart and Connected Systems

Publication History

Published: 23 June 2020

Online AM: 07 May 2020

Accepted: 01 April 2020

Revised: 01 January 2020

Received: 01 August 2019

Published in TODAES Volume 25, Issue 4

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
401
Total Downloads

Downloads (Last 12 months)27
Downloads (Last 6 weeks)2

Other Metrics

View Author Metrics

Citations

Cited By

Sadi MTalukder BMishty KRahman M(2023)Attacking Deep Learning AI Hardware with Universal Adversarial PerturbationInformation10.3390/info1409051614:9(516)Online publication date: 19-Sep-2023
https://doi.org/10.3390/info14090516
Gupta NDesai MWijtvliet MRai SKumar AOshana R(2022)DELTAProceedings of the 59th ACM/IEEE Design Automation Conference10.1145/3489517.3530666(787-792)Online publication date: 10-Jul-2022
https://dl.acm.org/doi/10.1145/3489517.3530666

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Issue’s Table of Contents