Hardware Trojan Threat Taxonomies 2017-2020

Hardware Trojan Threat Taxonomies (2017-2020)

Kotsis Alexios

1. Introduction

In cybersecurity,there is always a new or unknown threat lurking around the corner. In our report, we are taking a closer look at Hardware Trojan Attacks, also commonly referred to as "HT." A Hardware Trojan is a form of a backdoor attack.

According to researchers, the minuscule HT is inserted into a processor, giving the threat attacker the ability to take full control and trigger privilege escalation of hardware and eventually gain complete access to the target's operating system. [7].

This kind of attack is possible based on the way a Hardware Trojan is created. HT's are mostly a maliciously modified version of an integrated circuits system. The Hardware Trojans payload is what the Trojan executes once it is activated. Hardware Trojans are designed to bypass security mechanisms in place to prevent malicious attacks, gaining critical data from its target, leaking it through radio emission.

Hardware Trojans differ from software Trojan. The main differences are presented in the following table. ICs. The modifications by Hardware Trojans make it so unpredictable and undetectable at times because, by design, it can prevent network systems from detecting it and can execute the attack. In our group project, we will Taxonomize and expand upon the damage that can be done by Hardware Trojans, assesses how this major security threat can be detected, as well as explore countermeasures that can be implemented to thwart this attack.

2. Technical I- Taxonomy of Hardware Trojan and Classification 2017-2018

In 2008 the first hardware Trojan taxonomy was proposed based on three primary categories and six attributes, which were based on the Action, Activation, and Physical as in Figure 1. The further classification was based on the way the Trojan operates as combinational or sequential, as in figure 2. In the period 2017-2018, this classification was improved because Hardware Trojans became more complicated and are now based on six categories presented in Figure 3 as follows:

- Insertion Phase
- Abstraction Level
- Activation Mechanism
- Location
- Effects
- Physical Characteristics

Abbildung in dieser Leseprobe nicht enthalten

Figure 1 Taxonomy of Hardware Trojan 2008

These six categories include many more attributes and are based on two essential criteria:

- Resolution separating the different abilities of the Trojans
- Coverage classifying all-any trojans

Abbildung in dieser Leseprobe nicht enthalten

Figure 2 Hardware Trojan operation

By further analyzing the categories, the insertion phase relates to all the various stages of how vulnerable to malicious modification is the circuit while it is designed and fabricated. The specific period starts with the way the hardware characteristics are defined up to the assembly of the integrated circuit while placed on a PCB (printed circuit board).

The insertion phase [2] can be described by the following stages:

- Specification
- Design
- Fabrication
- Testing
- Assembly and package

Abbildung in dieser Leseprobe nicht enthalten

Figure 3 Taxonomy of Hardware Trojan 2017-2018

During the insertion phase, the Trojan can be inserted by altering the design specification as temperature to lower the design dependability. Tampering can also be done during design and fabrication by adding more gates in the netlist or by altering the masks. If the tampering is done in the testing phase, the opponent may manipulate and change the testing to prevent the detection of the inserted Trojan. Finally, during Assemble, interconnections between chips, which are unprotected, are vulnerable to Trojans even though the chips are by themselves to be trusted. Let's suppose we can have an unshielded wire connection. Then this could transmit electromagnetic on-air with which the opponent can exploit for pieces of information.

The abstraction level relates to all the stages of development of the integrated circuit before it is fabricated. When the circuit is designed, all the different designs are considered ranging from internal locations of the IC and physical dimensions up to communication protocols and interconnections used while designing the PCB.

The abstraction phase 2 can be described by the following stages:

System
- Development Environment
- Register transfer
- Gate
- Layout
- Physical

The abstraction determines the way the Trojan is implemented. At the system, the design is determined by the interconnections and modules between them, and the opponent can alter the modules' interactions and interfaces. In the development environment, the adversary can make use of the scripting languages and CAD tools and insert the Trojan inside the modules. At the register transfer level, the design of the module is described in terms of Boolean functions, registers, and signals. At the gates level, the black actor can inject the Trojan and decide where the interconnection and gates of the design should be installed. At the layout level, the presence of Trojans can be determined on variations of power consumption and apparent delay characteristics. Atthe physical level, locations, dimensions, and circuit components are determined. The PCB design layout can have dead space,and the hardware Trojan can be inserted there without any physical alteration of the board.

The activation mechanism details the waythe hardware trojan is triggered. The method of Trojan triggers varies from external triggers using input data streams or internal sequential counters, or on some occasions, trojans are always activated, and they are continually leaking information using Electromagnetic Radiation.

The activation phase [2] can be described by the following stages:

- Always On
- Triggered
- Internally
- Time-Based
- Physical condition based
- Externally
- Use Input
- Component output

Hardware Trojans can get conditionally activated or may always function. |Conditional Trojans are seeking distinct triggers which can be externally or internally to launch while the ones that always operate are energized the moment the hosting designs are activated. The externally triggered hardware Trojans can track components outputs or user inputs and energized the moment these activation conditions are the required ones. The internally triggered are usually time-based and can be activated if specific conditions are met as per example a certain temperature level.

The location category details the exact position inside the integrated circuit where the Trojan can be placed. This category varies from just a single Trojan with a specific target to compromise and curries out a fault injection attack (per example, the system clock) up to multiple Trojans executing a distributed attack and carry out various components to variate the way the instructions are executed.

The location phase [2] can be described by the following stages:

- Processor
- Memory
- Input/output
- Power supply
- Clock layout

A hardware Trojan can be injected either in one part of the design circuit or many. If the Trojan is inserted into the processor, it can take control of the data path units or the controller. If it is injected into memory, it can block read/write processes to the memory or change stored values. If it is inserted into multiple chips, it can disturb interfaces and me/O procedures. If it is embedded in the power supply, it could modify voltage and current levels. If it is injected into the clock layout, it can suspend the clock tree and cause some modules to function correctly or disable them entirely [4].

The effects category details the results that come out when the Trojan is being executed and delivers its payload. This can be a complete failure or consumption of the hardware components and resources up to small errors as a change in the way the hardware functions, which is almost impossible to detect with reasonable means.

The effects phase [2] can be described by the following stages:

- Change the functionality
- Degrade performance
- Leak information
- Denial of Service

The Hardware Trojans effects can alter the PCB's functionality by changing the data path the processor is using. They can also degrade performance or, by changing the design parameters, can reduce the PCB's reliability. In case we have an encoded or cryptographic processor with a secret key, this information may be leaked. It can also create a Denial of Service at a specific time, causing a complete malfunction if the hardware.

The physical characteristics of Trojans are based on different hardware alterations and can be described by the following stages:

- Distribution
- Size
- Type
- Functional
- Parametric
- Structure
- Layout Change
- Layout the same

The distribution is the way the Trojan cells are placed in the circuit and how tight or loose they are. The size is determined by the volume of removed or added gates/transistors. The hardware Trojan can be functional, which describes the deletion or addition of gates/transistors in the IC circuit, or parametric by modifying design parameters or wire thickness. With the structure, we indicate any alterations on the circuit layout so the Trojan cells can be installed.

3. Technical II- Taxonomy of Hardware Trojan and Classification 2019-2020

Following the initial taxonomy of the previous years, it became apparent that a new taxonomy was needed based on various aspects as activation properties, triggering procedures (internal or external), action characteristics, physical activation, payload mechanisms (digital or analog) location, and threats. So, it was suggested a new taxonomy is in order now to be based on six categories presented in Figure 4 6 as follows:

- Physical
- Insertion phase
- Activation
- Payload
- Threats
- Location

The physical is based on the trojan attributes, which are further analyzed into type, size, distribution, and structure. The model distinguishes Trojans into parametric and functional classes by the modification of existing wires in the parametric category or by adding or removing gates in the functional category.

Abbildung in dieser Leseprobe nicht enthalten

Figure 4 Taxonomy od Hardware Trojans 2019­2020

The size of the hardware Trojan varies with the number of components that are to be added or deleted in the chip. A high probability of activation usually is an advantage of smaller Trojans. The distribution specifies where the Trojan is located in the chip. We can have a tight distribution if the Trojan's parts are in the vicinity of the chip's physical layout and a loose distribution if the Trojan is dispersed in multiple locations in the chip's layout. By structure, the Trojan should avoid detection by not altering the circuit's layout[5].

The insertion is the phase of the Trojan installation while the integrated circuit is designed and fabricated. The different phases at this point are the initial specifications, the final design, the IC manufacture, the last testing, and the final assembly and package.

The activation depends on specific events that may occur outside or inside the system. Some Trojans are always on and do not require a trigger to be activated. Others require an external or internal stimulus such as temperature humidity etc. In other cases, an internal counter is present, which will enable the Trojan at a specific time. The main goal of all of the above is to keep the Trojan undetected.

The payload can be analyzed into Digital and Analog. Both depend on the trigger, which recognizes the expected conditions, activates the payload, and starts the Trojan. The Digital Trojans can alter memory contents or logical values at internal nodes. The analog Trojan can change the circuit's parameters such as noise, power, performance, etc. Digital Trojans can be categorized as modifying Circuit logic or modifying memory content, while the analog can be classified as a bridging, delay,or excess activity.

The Hardware Trojans can also be categorized according to the kind of threat they pose. These can be a degrade of performance, a Denial of Service (DoS), or information leakage. A threat is also a possible modification on the specifications or the functions of the chip by removing or adding logic in addition to various parametric properties such as delay.

The physical location of the Trojan on the integrated circuit can also taxonomize the HT based on clock layout, I/O, power supply memory or processor.

In the last year, further Taxonomy has been created based on Trojan's effects and activation mechanism 4. This taxonomy is presented in Figure 5. The Hardware Trojan can be classified according to trigger or payload, and each one of them can be categorized according to their construction to be either Digital or Analog.

The trigger digital can be Sequential or combinational type. The sequential can be either synchronous or asynchronous or hybrid or with a rare sequence. The combinational can have only rare node value. The trigger analog can depend on on-chip sensors or voltage. The analog Trojans, also known as reliability Trojans, van create accelerated aging of the circuit's components resulting in integrated circuits with a shorter lifetime. This aging causes a reduction of reliability of the CMOS transistors such as HCI (hot carrier injection) or NBTI (negative bias temperature instability). Finding those analog Trojans is a challenging task because these tiny alterations can evade post-fabrication reliability tests.

Abbildung in dieser Leseprobe nicht enthalten

Figure 5 Taxonomy based on Trigger and Payload

The payload, as the trigger, can be categorized as digital, analog, and others. By other, we mean an information leakage attack transmitted with a radio signal or using an RS-232 or a USB port. It can also be a side-channel attack leaking information through thermal radiation or the power trace or an output of an LED. It can also be a DoS attack using the unavailability of the circuit. The analog hardware overhead, power, and delay are to be considered along with Circuit nodes and memory content of the digital.

4. Taxonomy of Hardware Trojan Countermeasures

We can classify the detection methods in three categories: Visual detection techniques, logic testing, and side-channel analysis.

The Visual Detection Methods is classified as detection methods that utilize imaging for malicious insertions in chip identification. These techniques include using X-ray imaging, scanning optical microscopy (SOM), scanning electron microscopy (SEM), and picosecond imaging circuit analysis (PICA), among others. The methods can be expensive in cost and analysis time. But these techniques are confronted witha lack of resolution to decipher logic/ transistor/interconnect level information, first due to the obstruction by the stack of metal layers in modern FPGAs. The effectiveness of the imaging techniques is expected to reduce significantly due to technology scaling. The de-layering of ICs, which appears more effective, however, may,in turn,render an FPGA non­functional. Due to the limitations above, imaging analysis may not be a viable Trojan detection technique.

Logic-Based testing is a Standard logic testing of FPGAs by automatic test pattern generation (ATPG) tools used for detecting faults. All the programmable logic blocks can be tested to function correctly without faults by using input vectors. Since there is a big difference between Trojan models and fault models, there is a need for a better approach to detect Trojans. For the larger combinational and sequential Trojans, this can be a useful approach to cause partial activation of Trojans for detection using side-channel techniques detection. Just as these features are used to counter run-time failures in FPGAs, so can they be used to counter against FPGA hardware and design Trojans. In the case of FPGA hardware, reconfigurability allows the activation of several nodes in the logic blocks through different logic values. This can be coupled with dynamic run-time reconfigurability to improve the level of security.

Abbildung in dieser Leseprobe nicht enthalten

Figure 6 Taxonomy of Hardware Trojans Countermeasures

The Side-Channel Analysis comes as a support to the Logic-based testing, which can be ineffective for activating large combinational or sequential Trojans, due to the extremely large number of possible trigger nodes. The measurement and analysis of information obtained from an IC's side-channels are involved by the Side-Channel. The proposition of Side-channel analysis has a previous consideration as a powerful detection technique of malicious insertions in an IC. The Trojans That cause physical damage by creating electrical conflicts are detectable using side-channel analysis because these Trojans result in a large current flow through the power supply. Unlike Logic-Based testing, the advantage of Side-Channel analysis is that a Trojan does not have to become active for detection; it merely needs to cause switching in the Trojan to consume dynamic power.

Further Trojan Countermeasures Taxonomy can be made based on:

- Trojan Detection
- DiF (Design for Trust)
- Split Manufacturing for Trust

5. FPGA Hardware Trojan Taxonomy

The field-programmable gate arrays (FPGA) are integrated circuits (IC) that consist of an array of logic blocks and distributed interconnect structures, which can be programmable and reprogrammable multiple times post-manufacturing to implement logic functions. Before, FPGAs were used only as prototypes for implementing ASIC designs on hardware for functional verification. Recently, FPGAs have been used for encryption and secure processing due to the efficient implementation of cryptographic algorithms. The augmenting use of FPGAs in diverse and critical applications has given motivation to designers to consider the security of these devices. In this actual context, security is referring to protecting against Intellectual Property (IP) Malicious alterations to the design are still possible at several stages of design flow in FPGAs.

6. Hardware Trojan Attacks In FPGA

Before we describe the taxonomy of the hardware Trojans in reconfigurable hardware, we should understand why these Trojans can be inserted in the foundry. The Reconfigurable hardware consists of a regular array of identical reprogrammable cells and modules that are connected through a distributed programmable interconnect structure. The proposed Trojan models and detection methods could be applicable to multiple programmable logic devices, but we will focus on hardware Trojans in the widely used SRAM-based FPGAs. Programmability in FPGAs can be utilized to modify the logic and electrical properties of a system. Even if we know this programmability could give flexibility to designers to implement their designs following their requirements rapidly, this can be exploited by an opponent to conduct attacks that could cause malfunction, leak sensitive information, and could even cause physical damage.

An FPGA taxonomy is based on the creation method and the point of entry, as shown in Figure 6. The FPGA Trojans, based on the point of entry, can be classified as:

- Prefabrication
- Fabrication
- Post-Fabrication

If the classification is based on the creation method, they are:

- Functional Trojan
- Parametric Trojan
- LRT (Life Span Reduction) Trojan
- Bitstream Trojan
- CAD tool Trojan

Abbildung in dieser Leseprobe nicht enthalten

Figure 7 FPGA Hardware Trojans Taxonomy based on the point of Entry and Creation Method

7. Activation Characteristics:

Trojans can be classified into two subcategories designated as condition-based and always-on, based on the activation characteristics. The Always-on Trojans are always active, and they perform their defined role of malfunction or releasing confidential information. This category of Trojans could possibly not be inserted by a smart adversary because they can be easily detectable during conventional testing. The Condition-based FPGA Trojans, on the opposite side, will wait until a specific condition is met prior to be active and cause malfunction. On this level, Trojans could be categorized as logic-based and sensor-based (e.g., temperature, delay). Logic-based FPGA Trojans could be categorized into IP dependent and IP independent subcategories, on the lowest level.

Fort the IP-dependent Trojans, which is a subclass of Trojans that could trigger signals depending on the design implemented in the device. A malicious circuit can be inserted by an opponent, and it will monitor the logic values of several nodes like configuration logic, outputs of logic modules, or lookup table (LUT) values. When triggered, this type of Trojan can cause a malfunction in different ways, for example, by altering the values stored in LUTs or configuration cells in the interconnect network to cause incorrect routing between logic blocks, or writing random values into the embedded memory. Given the growing scope of the FPGA domain, IP-dependent Trojans are a practical threat that must be considered for hardware assurance.

With the IP-Independent Trojans, a smart attacker can insert Trojans that have their conditions of activation independent of the final design. Such Trojans could be inserted to change the functionality of critical modules of the device. Let say, for example, Virtex-II, Xilinx Spartan-3, Virtex-II Pro FPGAs contain a separate module for managing clock known as the digital clock manager (DCM). This module contains a delay-locked loop (DLL) for reconditioning clock signals. A basic Trojan design could easily increment an n-bit counter each clock edge until a specific number is reached, and then it will modify the configuration to produce a faster clock. This, in return, could cause the critical path logic to fail in a sequential circuit.

8. Payload Characteristics:

There are two subcategories of the Trojans in the Malfunction category, according to whether they cause logical malfunction or physical malfunction. The Trojans presented in the previous sections cause logic malfunction by modifying the values in the LUTs, that cause undesired routing between two logic modules, etc.

The specific designation of Trojans to inflict physical damage, will create electrical conflicts at the I/O ports or create at the programmable interconnects. These Trojans are like the MELT viruses, with the exception that Trojans that can cause physical destruction may also be inserted in the foundry. Many high-end FPGAs such as Xilinx's Virtex4 and Virtex5, and Altera's StratixII and StratixIII offer bitstream encryption to prevent unauthorized cloning of the bitstream. The delivery of the IP by the hardware Trojans can be conducted in two ways: first, by leaking the decryption key, or by leaking the design itself. The insertion of the extraneous circuit in the foundry can be done attacker with the intention to tap the wires connecting the nonvolatile memory and decryptor module. The encrypted bitstream can be stolen by eavesdropping the connection between an FPGA's programming ports and the external device storing the encrypted bitstream. This can be done when an adversary is in possession of the FPGA device loaded with the design. In other cases, a Trojan may fake a request to the external device to send the programming data to the FPGA.

9. Trojans in CLB/EMB:

The logic blocks (CLBs) configurable of FPGA and the embedded memory blocks are extremely flexible, but they require a configuration that is important to implement the desired functions. This can seriously damage the memory or the logic integration density in FPGA, which makes it more amenable for Trojan insertion. From the output of other CLBs can be produced the triggering condition, or alternatively can be derived from the output of other functional units. Like a CLB, an EMB is also capable of executing functionalities like a shift register, FIFO, etc. in addition to acting as Random-Access Memory. The control circuitry decides between a normal read operation and shift register operation inside the EMBs.

10. Conclusion

Hardware Trojans can be categorized in various ways. The most simplistic classification will be Physical, Activation, and Action. Physical attributes can be broken down further into type, size, distribution, and structure. Activation is what activates a Trojan and causes it to be disruptive, usually externally or internally. Action is the identification of the disruptiveness caused by the Trojan.

In the period 2017-2018, taxonomy was based on six categories as insertion phase, abstraction level, activation mechanism, location, effects, and physical characteristics. In the latest period, the 2019-2020 taxonomy is based in six modified categories as physical, insertion phase, activation, payload, threats, and location. A variation of taxonomy can be found on payload and trigger, which can be either analog or digital.

The taxonomy of Hardware Trojan regenerates as the discovery of new attacks are taking place. Instead of protection, it is essential to consider Trojan detection methodologies, functional testing, and built- in self-test techniques. The taxonomy identifies the characteristics of Trojans and is useful in defining and creating protection through detection methods. The conventional methods of detection of HT are side­channel analysis, which is primarily chip-level resolutions and architectural-level Trojan detection resolutions. Side-channel analysis is the standard procedure used for HT detection as it focuses mainly on measuring signals. It can include path delays and power. Functional testing is beneficial when trying to regulate trigger configurations of conditional trojans. Built-in self-test techniques are able to identify manufacturing faults and are frequent in many chips. If a malicious logic is detected during these tests, a bad checksum result is given. This study concludes the understanding of HT, taxonomy of HT countermeasures, and FPGA HT trojan taxonomy.

References

1. Kan Xiao and Mohammed Tehranipoor, “Tutorial: Hardware Trojan Insertion on FPGA” https://www.trust- hub.org/downloads/resource/hardware_platform/FPG A/Tutorial_for_Hardware_Trojan_Insertion_on_FPG A.pdf

2. “ Trojan Taxonomy”, https://www.trust- hub.org/downloads/resource/pdf/Taxonomy.pdf

3. Michael Hsiao, Seetharam Narasimhan August 2019 "Hardware Trojan Attacks: Threat Analysis and Countermeasures" https://www.researchgate.net/publication/264124590 _Hardware_Trojan_Attacks_Threat_Analysis_and_C ountermeasures

4. Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia, December 2009 "Hardware Trojan: Threats and Emerging Solutions," DOI: 10.1109/HLDVT.2009.5340158 • Source: IEEE Xplore

5. Swarup Bhunia-Mark M. "The Hardware Trojan War Attacks, Myths, and Defenses" TehranipoorSpringer International Publishing AG

6. ENISA, European Union Agency for Cybersecurity, A Novel and Stealthy Hardware Trojan/Attack, https://www.enisa.europa.eu/publications/info- notes/a-novel-and-stealthy-hardware-trojan-attack

7. Rooney, Catherine, et al. “Creation and Detection of Hardware Trojans Using Non-Invasive Off-The- Shelf Technologies.” Electronics, vol. 7, no. 7, 2018, p. 124., doi:10.3390/electronics7070124.

8. Tehranipoor, Mark M, and Farinaz Koushanfar. “A Survey of Hardware Trojan Taxonomy and Detection.” IEEE Design and Test of Computers, Mar. 2010, pp. 1-17., doi:10.1109/MDT.2010.7.

9. Bhunia, Swarup, et al. “Hardware Trojan Attacks: Threat Analysis and Countermeasures.” Proceedings of the IEEE, vol. 102, no. 8, 2014, pp. 1229-1247., doi:10.1109/jproc.2014.2334493.

10. Beaumont, Mark R. et al. “Hardware Trojans - Prevention, Detection, Countermeasures (A Literature Review).” (2011).

11. Bhunia, Swarup et al. “Hardware Trojan Attacks: Threat Analysis and Countermeasures.” Proceedings of the IEEE 102 (2014): 1229-1247.

12. Sanchita Mal-Sarkar Cleveland State University, s.malsarkar@csuohio.edu; Robert Karam University of Florida; Seetharam Narasimhan Case Western Reserve University; Anandaroop Ghosh Case Western Reserve University; Aswin Krishna, https://engagedscholarship.csuohio.edu/cgi/viewcont ent.cgi?article=1420&context=enece_facpub

Tables

Abbildung in dieser Leseprobe nicht enthalten

Figures

Abbildung in dieser Leseprobe nicht enthalten

Figure 1 Taxonomy of Hardware Trojan 2008

Abbildung in dieser Leseprobe nicht enthalten

Figure 2 Hardware Trojan operation

Abbildung in dieser Leseprobe nicht enthalten

Figure 3 Taxonomy of Hardware Trojan 2017-2018

Abbildung in dieser Leseprobe nicht enthalten

Figure 4 Taxonomy od Hardware Trojans 2019-20120

Abbildung in dieser Leseprobe nicht enthalten

Figure 5 Taxonomy based on Trigger and Payload

Abbildung in dieser Leseprobe nicht enthalten

Figure 6 Taxonomy of Hardware Trojans Countermeasures

Abbildung in dieser Leseprobe nicht enthalten

Figure 7 FPGA Hardware Trojans based on Point of Entry and Creation Method

[...]