Detecting Hardware Trojans: A Tale of Two Techniques Sharad Malik sharad@princeton.edu FMCAD 2015
Hardware Security and Hardware Trojans User apps Each layer trusts all layers below it Kernel Hypervisor • More privilege • Widely used platforms A Hardware Trojan is a • Difficult to patch malicious intentional Firmware more damage modification of an electronic circuit or Hardware design, resulting in undesired behavior 2
Where are the Vulnerabilities? Trusted Untrusted IP Tools Std Cells Models Specification Design Mask Fab Wafer Probe Package Test Deploy [Source: Brian Sharkey, TRUST in Integrated Circuits Program: Briefing to Industry , DARPA MTO, 26 March 2007] 3
A Real Threat? Before/after pictures of a suspected nuclear reactor site Suspicion that a hardware backdoor was exploited to disable the radar system [Sally Adee, The Hunt for the Kill Switch , IEEE Spectrum May 2006] [John Markoff, Old Trick Threatens the Newest Weapons , NY Times, 26 October 2009] 4
Malicious circuits in a design 5
Acknowledgements DARPA IRIS Project •Bruno Dutertre •Burcin Cakir •Wenchao Li •Adria Gascon •Kanika Pasricha •Sanjit Seshia •Dejan Jovanovic •Dillon Reisman •Wei Yang Tan •Maheen Samad •Pramod Subramanyan •Natarajan Shankar •Adriana Susnea •Ashish Tiwari •Nestan Tsiskaridze UC SRI Princeton Berkeley Center for Future Architectures Research (C‐FAR) • Burcin Cakir • Pramod Subramanyan 6
Logical Analysis Statistical Analysis Whitelist Blacklist 7
Netlist Analysis Portfolio Statistical Analysis Logical Analysis Netlist Netlist Common‐support Multibit Register Functional Simulation K‐cut matching analysis Analysis Statistical Correlation Aggregation RF analysis (Weight Computation) Word propagation Counter analysis Normalization/Clustering Module Shift register generation analysis Trojan Detection using Reachability Plots Library Matching Overlap Resolution Reverse engineering using static analyses Abstracted Netlist Abstracted Netlist 8
Logical Analysis for Reverse Engineering 9
Reverse Engineering Objective Register File MUX ALU MUX Instr. Decoder Source: http://miscpartsmanuals2.tpub.com/TM‐9‐1240‐369‐34/TM‐9‐1240‐369‐340115.htm Extract high‐level components from an unstructured and flat netlist 10
Reverse Engineering Portfolio Netlist Netlist Combinational component analyses Common‐support Multibit Register K‐cut matching analysis Analysis Sequential component analyses Aggregation RF analysis 1. Reverse Engineering Digital Circuits Using Functional Word propagation Counter analysis Analysis, [DATE’13] 2. Reverse Engineering Digital Circuits Using Structural and Module Shift register Functional Analysis, [TETC’14] generation analysis 3. Wordrev: Finding word‐level structures in a sea of bit‐level Library Matching gates, [HOST’13] 4. Template‐based circuit Overlap understanding, [FMCAD’14] Resolution Abstracted Netlist Abstracted Netlist 11
General Strategy mux? mux Main Challenge: Netlist is a sea of gates! No information about the boundaries of modules inside it! Identify Potential Module Boundaries BDD/SAT‐Based Analyses to Verify Functionality Output Inferred Modules 12
Bitslice Identification and Aggregation Netlist Netlist Combinational component analyses K‐cut matching Sequential component analyses Aggregation Multiplexers, decoders, demultiplexers, ripple carry adders and subtractors, parity trees, … 13
Bitslice Identification using Cut‐based Matching � �, � � �� � � � �, � � � � � � �, � � �� � ��� • Cuts are computed recursively • Made tractable by enumerating cuts with k ≤ 6 inputs • Group cuts into equivalence classes using permutation independent comparison • BDDs used to represent Boolean functions during matching Cong and Ding, FlowMap , [TCAD’94] Chatterjee et al., Reducing Structural Bias in Technology Mapping , [ICCAD’05] 14
Bitslice Aggregation Group Bitslices With Shared Signals Group Bitslices With Cascading Signals 15
Word Propagation and Module Matching Netlist Netlist Combinational component analyses K‐cut matching Sequential component analyses Aggregation Word propagation Module generation Library Matching 16
Word Propagation and Module Generation Once multibit structures blocks are found, larger bit slices can be identified by forward and backward traversal of the circuit. Given an “output” Given an “output” word, we can word, we can traverse backwards traverse backwards to closely‐related to closely‐related words to find words to find candidate modules candidate modules 17
Library Matching [FMCAD ‘14] c Match candidate modules against a Candidate module B library of common modules such as A adders, ALUs, … Challenges • Permutation and polarity of inputs A Library module B • Setting of control inputs QBF Formulation: Does there exist some setting of the control inputs, and some ordering of the inputs such that for all input values, the candidate and the library module produce the same outputs? 18
Library Matching as QBF [FMCAD ‘14] k Control signals c m M Permutation p n n Data Π inputs X Permutation Network m n Signatures are used to L restrict the search space for the permutations ∃�, � ∀�: � Π �, X , c ≡ L�X� Mohnke and Malik, Permutation and Phase Independent Boolean Comparison, [Integration ‘93] 19
Identifying Register Files Netlist Netlist Combinational component analyses Common‐support K‐cut matching RF analysis analysis Sequential component analyses Aggregation Word propagation Module generation Library Matching 20
The Structure of a Register File Write addr + write enable Register File Register File Write data Read data Read address Register file consists of: • Flip‐flops that store information • Read logic: takes a read address and outputs stored data • Write logic: stores data in the register file 21
Identifying Read Logic dataout addr[2] addr[1] addr[0] FF FF FF FF FF FF FF FF Insight: look for trees of logic where the leaves of the tree are flip‐flops 22
Verifying Identified Read Logic dataout addr[2] addr[1] addr[0] FF FF FF FF FF FF FF FF • Verify there exists some address which propagates each flip‐flop output to the data output • This is done using a BDD‐based analysis 23
Identifying Write Logic • Muxes select between current value and write data • Decoders select the location that is being written to • Easy to find muxes and decoders after we find the flip‐flops 24
Overlap Resolution Netlist Netlist Combinational component analyses Common‐support Multibit Register K‐cut matching analysis Analysis Sequential component analyses Aggregation RF analysis Word propagation Counter analysis Module Shift register generation analysis Library Matching Overlap Resolution Abstracted Netlist Abstracted Netlist 25
Problem: Inferred Modules Overlap dataout addr[2] addr[1] 4‐bit MUX addr[0] FF FF FF FF FF FF FF FF Inferred register file 26
Resolving Overlaps Formulate an Integer‐Linear Program 1. Constraints specify that modules must not overlap 2. Objective is one of the following • Maximize the number of covered gates OR • Minimize the number of modules given a coverage target 27
Experimental Setup Toolchain • Implemented in C++ • MiniSAT 2.2 • CUDD 2.4 • CPLEX 12.5 Designs • Many from OpenCores.org • Size ranges from few hundred to several thousand gates • ITAG1B: 375k gate test case from DARPA 28
Summarizing Inference Results (1/2) • 45‐90% of the gates in these are covered • Runtime is a maximum of a several minutes 29
Summarizing Inference Results (2/2) • Covered ~70% of the large test article (375k gates) • Split the up big design into 7 subcomponents using reset tree; Covered 60‐87% • Entire analysis terminates in an hour 30
Summarizing the Reverse Engineering Efforts Netlist Netlist Combinational component analyses Common‐support Multibit Register K‐cut matching analysis Analysis Sequential component analyses Aggregation RF analysis Word propagation Counter analysis Module Shift register generation analysis A portfolio of inference A portfolio of inference algorithms to identify word‐level algorithms to identify word‐level Library Matching modules from a flat unstructured modules from a flat unstructured netlist! netlist! Overlap Resolution Abstracted Netlist Abstracted Netlist 31
Statistical Analysis of Suspicious Logic 32
Recommend
More recommend
