Dormant Hardware Trojan Detection Using Back-Scattering Side Channels

Abstract

Malicious hardware changes, a.k.a. hardware Trojans, are an increasingly important concern because the hardware usually provides the base layer of security and trust that all software layers depend and build on. In other words, a hardware Trojan allows the attacker to redefine the functionality of the processor such that even completely secure and trusted software, when it executes on Trojan-infested hardware, implements the malicious behavior desired by the attacker. For example, a processor chip intended for datacenter systems may contain a hardware Trojan (HT) that, upon executing a specific sequence of ordinary instructions, provides the program with administrator-level access to the system. At a later point the attacker can purchase processing time in a datacenter, trigger the Trojan to obtain hypervisor-level permissions, and subsequently completely compromise programs executed by other customers of the datacenter. In a vehicle or a weapon system, a Trojan may look for a specific set of values (such as an image, GPS coordinates, movement pattern, etc.) and, upon observing it, disable the system, cause it to catastrophically misbehave, or allow it to be taken over by the attacker. Unfortunately, hardware Trojans have already been discovered in actual military-grade chips, and the problem is getting worse as the supply chain for chips becomes increasingly sophisticated and globally distributed, providing potential attackers an ever-increasing set of opportunities to compromise a point in a chip's supply chain and insert hardware Trojans into that chip.

Detection of Trojans in actual chips would ideally be non-destructive, i.e. it would not destroy the chip that is subjected to testing, would require no costly changes to the design of the chip itself, and would find even stealthy Trojans that occupy little chip area and exhibit little electronic activity.

Existing non-destructive and chip-modification-free methods typically rely on observing the chip's power consumption, electromagnetic field fluctuations around the chip, etc. Unfortunately, such signals have limited bandwidth (i.e. they carry only limited information about on-chip activity), and they are a combination of all activity on the chip, so the part of the signal caused by a stealthy Trojan is very small compared to the overall signal caused by all of the "good" activity on the entire chip.

This project will leverage our new non-destructive, post-silicon, side-channel-based HT detection technique, which uses a new side channel based on signal back-scattering, to develop new detection systems and techniques. These will allow us to understand the limits of back-scattering side channels when used for detection of dormant hardware Trojans, and to test the possibility of HT detection without a golden sample.
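The following is an added toy simulation, not code from this project and not a model of its back-scattering measurement (the abstract does not describe that setup). It illustrates the two points the abstract makes about aggregate side channels: a dormant Trojan's contribution is a tiny fraction of the total signal, and pulling it out by comparison against a golden (known-clean) sample is a statistics problem whose cost grows as the Trojan's share shrinks. All parameters (gate count, toggle probability, the Trojan's per-cycle contribution, noise level) are assumed, the per-cycle activity is a Gaussian approximation of a binomial toggle count, and the |t| > 4.5 decision threshold is borrowed from the TVLA leakage-assessment convention.

```python
import math
import random

# Constructed toy model (assumed parameters, not the grant's measurement setup):
# each clock cycle, the "good" logic contributes the number of gates that toggle
# (binomial, approximated as Gaussian for speed), the dormant Trojan's
# trigger-monitoring logic adds a tiny near-constant extra contribution, and the
# probe adds Gaussian measurement noise on top.
N_GOOD_GATES = 10_000      # gates in the legitimate design (assumed)
TOGGLE_PROB = 0.10         # per-cycle toggle probability of a good gate (assumed)
TROJAN_CONTRIB = 2.0       # Trojan's extra per-cycle contribution, in gate-toggle units (assumed)
NOISE_SD = 20.0            # measurement noise per cycle, in gate-toggle units (assumed)
CYCLES_PER_TRACE = 100     # samples in one captured trace (assumed)


def trojan_signal_fraction() -> float:
    """Share of the mean per-cycle side-channel signal that is due to the Trojan."""
    good_mean = N_GOOD_GATES * TOGGLE_PROB
    return TROJAN_CONTRIB / (good_mean + TROJAN_CONTRIB)


def trace_mean(rng: random.Random, infected: bool) -> float:
    """Mean of one captured trace of CYCLES_PER_TRACE aggregate samples."""
    good_mean = N_GOOD_GATES * TOGGLE_PROB
    good_sd = math.sqrt(N_GOOD_GATES * TOGGLE_PROB * (1.0 - TOGGLE_PROB))
    total = 0.0
    for _ in range(CYCLES_PER_TRACE):
        sample = rng.gauss(good_mean, good_sd) + rng.gauss(0.0, NOISE_SD)
        if infected:
            sample += TROJAN_CONTRIB
        total += sample
    return total / CYCLES_PER_TRACE


def welch_t(a, b) -> float:
    """Welch's t statistic for two independent samples of per-trace means."""
    mean_a, mean_b = sum(a) / len(a), sum(b) / len(b)
    var_a = sum((x - mean_a) ** 2 for x in a) / (len(a) - 1)
    var_b = sum((x - mean_b) ** 2 for x in b) / (len(b) - 1)
    return (mean_a - mean_b) / math.sqrt(var_a / len(a) + var_b / len(b))


def golden_comparison_t(n_traces: int, seed: int = 1) -> float:
    """Capture n_traces from a golden chip and n_traces from a suspect chip,
    then compare their per-trace means (golden-sample detection)."""
    rng = random.Random(seed)  # fixed seed so the toy is reproducible
    golden = [trace_mean(rng, infected=False) for _ in range(n_traces)]
    suspect = [trace_mean(rng, infected=True) for _ in range(n_traces)]
    return welch_t(suspect, golden)


def trojan_detected(n_traces: int, threshold: float = 4.5, seed: int = 1) -> bool:
    """Decide using the conventional |t| > 4.5 leakage-assessment threshold."""
    return abs(golden_comparison_t(n_traces, seed)) > threshold


if __name__ == "__main__":
    print(f"Trojan share of the mean signal: {trojan_signal_fraction():.4%}")
    for n in (6, 50, 1000):
        t = golden_comparison_t(n)
        print(f"{n:5d} traces per chip: |t| = {abs(t):6.2f} -> detected={abs(t) > 4.5}")
```

With these numbers the Trojan is about 0.2% of the mean signal and is invisible in any single trace; it only becomes statistically separable from the golden sample after hundreds of traces, which is the practical cost a low-bandwidth, whole-chip aggregate channel imposes. Lowering `TROJAN_CONTRIB` or raising `NOISE_SD` pushes the required trace count up quickly, and note that this comparison assumes a trusted golden chip is available at all, which the project lists as a separate question.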

Document Details

Document Type
DoD Grant Award
Publication Date
Aug 15, 2019
Source ID
N000141912287

Entities

People

  • Milos Prvulović

Organizations

  • Georgia Tech Research Corporation
  • Office of Naval Research
  • United States Navy

Tags

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Educational Psychology
  • Integrated Circuit Design and Technology

Technology Areas

  • Microelectronics
  • Microelectronics - Microelectromechanical Systems
  • Space