Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models
L. Piccolboni (1,2), A. Menon (2), and G. Pravadelli (2)
(1) Columbia University, New York, NY, USA
(2) University of Verona, Verona, Italy
ACM/IEEE CODES + ISSS 2017, Seoul, South Korea

Hardware Trojans
• A Hardware Trojan is defined as a malicious and intentional alteration of an integrated circuit that results in undesired behaviors
• Trigger Logic: activates the malicious behavior under specific conditions
• Payload Logic: implements the actual malicious behavior

Hardware Trojans: Limitations in Current Methodologies
• Several methodologies have been proposed to detect Trojans at Register-Transfer Level (RTL)
• Nevertheless, there are still some limitations:
  1. Manual effort from designers is required
  2. They focus on a specific type of threat, e.g., a particular payload or a trigger

Contributions
• We propose a verification approach based on a Control-Flow Subgraph Matching Algorithm
[Figure: verification flow. Inputs: the Design Under Verification (DUV) and the Hardware Trojan Library (1), both in RTL Verilog/VHDL. Stages: Extraction Algorithm (2), then Detection Algorithm (3). Output: Hardware Trojan Report.]
• Extraction Algorithm: get Control-Flow Graphs (CFGs) from DUV and HTs
• Detection Algorithm: search instances of the Trojan CFGs in the DUV

Background: Control-Flow Graphs (CFGs)
• We build a CFG for each process of the DUV/HT
• basic block (node) = a sequence b of instructions without any branch
• edge = connects the block b1 with b2 if the block b1 can be executed after b2 in at least one DUV/HT execution
[Figure: example CFG with blocks s1, b2, b3, b4, b5, e1, where s1 is the first basic block of the process and e1 is the last basic block of the process. Branch rule: left if true, right if false. Code associated with the basic blocks: if (reset), if (c == 1), a = 1, b = 0, a++, b++.]

Hardware Trojan Library
[Figure: verification flow with step 1 (Hardware Trojan Library) highlighted.]
• We defined a Hardware Trojan (HT) Library that includes the RTL implementations of known HT triggers and their camouflaged variants

Hardware Trojan Library: Trigger #1: Cheat Codes
• A cheat code is a value (or sequence of values) that triggers the payload when observed in a register
[Figure: two CFGs (s1 to e1 and s2 to e2) with blocks b1 to b7. Code associated with the basic blocks: if (reset), if (c1), if (c2 & v1), v1 = 0, v2 = 0, v1 = 1, v2 = 1, trigger = v1 & v2.]

Hardware Trojan Library: Trigger #2: Dead Machines
• A dead machine code triggers the payload when specific state-based conditions are satisfied
[Figure: two CFGs (s1 to e1 and s2 to e2) with blocks b1 to b7. Code associated with the basic blocks: if (reset), if (cond), reset vars, case 1, case 2, case 3, trigger = 1.]

Hardware Trojan Library: Trigger #3: Ticking Timebombs
• A ticking timebomb triggers the payload when a certain number of clock cycles has passed
[Figure: two CFGs (s1 to e1 and s2 to e2) with blocks b1 to b6. Code associated with the basic blocks: if (reset) in both processes, ++cnt, cnt = 0, if (cnt == N), trigger = 1.]

Hardware Trojan Library: Handling Camouflaged Variants
• We need an automatic way to extend such basic implementations to find camouflaged variants
Extension directives:
  1. parametrizable 1
  2. bound-number 10
  3. add-basic-blocks 2
  4. add-edge (b7, $1)
  5. add-edge (b7, $2)
  6. add-edge ($1, e2)
  7. add-edge ($2, e2)
  8. drop-edge (b7, e2)
  9. old-source-block b7
  10. up-source-block $2
[Figure: the cheat-code trigger CFGs (code labels: if (reset), if (c1), if (c2 & v1), v1 = 0, v2 = 0, v1 = 1, v2 = 1, trigger = v1 & v2), built up one directive at a time, with added blocks b8 and b9, the labels $1 and $2, and a "source" marker.]

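Added example, not taken from the slides or from the authors' tool: it applies directives 3 to 8 to a small trigger CFG and then searches a DUV CFG for the base pattern and for the extended variant. Only the edge (b7, e2) and the directive list come from the slide; the other base edges, the DUV graph, the backtracking matcher and its out-degree rule are assumptions made for illustration, and directives 1, 2, 9 and 10 are not modelled.

```python
# Added example: a CFG is a set of directed edges between basic-block names.
# From the slide: edge (b7, e2) and directives 3-8. Constructed here: the other
# BASE edges, the DUV graph, the matcher and its out-degree rule.
def apply_directives(edges, directives):
    """Return a new edge set after applying the graph-editing directives."""
    edges = set(edges)
    for op, arg in directives:
        if op == "add-edge":
            edges.add(arg)
        elif op == "drop-edge":
            edges.remove(arg)           # KeyError if the base CFG lacks the edge
        elif op != "add-basic-blocks":  # new blocks ($1, $2) appear via their edges
            raise ValueError(f"unsupported directive: {op}")
    return edges

def out_degree(edges, node):
    return sum(1 for src, _ in edges if src == node)

def find_match(pattern, target):
    """Map pattern blocks to distinct target blocks so that every pattern edge
    exists in the target and each block keeps its number of successors."""
    p_nodes = sorted({n for e in pattern for n in e})
    t_nodes = sorted({n for e in target for n in e})
    def extend(mapping):
        if len(mapping) == len(p_nodes):
            return dict(mapping)
        node = p_nodes[len(mapping)]
        for cand in t_nodes:
            if (cand in mapping.values()
                    or out_degree(pattern, node) != out_degree(target, cand)):
                continue
            mapping[node] = cand
            if all((mapping[a], mapping[b]) in target
                   for a, b in pattern if a in mapping and b in mapping):
                found = extend(mapping)
                if found is not None:
                    return found
            del mapping[node]
        return None
    return extend({})

BASE = {("s2", "b6"), ("s2", "b7"), ("b6", "b7"), ("b7", "e2")}
DIRECTIVES = [("add-basic-blocks", 2), ("add-edge", ("b7", "$1")),
              ("add-edge", ("b7", "$2")), ("add-edge", ("$1", "e2")),
              ("add-edge", ("$2", "e2")), ("drop-edge", ("b7", "e2"))]
VARIANT = apply_directives(BASE, DIRECTIVES)
# Constructed DUV process: the block before the exit is hidden behind an extra branch.
DUV = {("n0", "n1"), ("n0", "n2"), ("n1", "n2"), ("n2", "n3"),
       ("n2", "n4"), ("n3", "n5"), ("n4", "n5")}
```

`find_match(BASE, DUV)` returns `None`, while `find_match(VARIANT, DUV)` returns a full block mapping: the camouflaged structure is found only once the extended variant is in the library.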
Hardware Trojan Library: Pros and Cons
• We defined a Hardware Trojan (HT) Library that includes the RTL implementations of known HT triggers and their camouflaged variants
Pros
• Unique verification approach
• Easy to extend the approach for new hardware Trojans
• Easy to customize the library to the needs of the user
Cons
• Unique verification approach
• Need of the implementations of the hardware Trojans
• Only the hardware Trojans in the library or their variations can be detected

Hardware Trojan Detection: Extraction Algorithm
[Figure: verification flow with step 2 (Extraction Algorithm) highlighted.]
• Extraction Algorithm: get Control-Flow Graphs (CFGs) from DUV and HTs
• Detection Algorithm: search instances of the Trojan CFGs in the DUV