ABSTRACT
Globalization of the system-on-chip (SoC) design flow has created opportunities for rogue elements in the intellectual property (IP) vendor companies to insert malicious circuits (a.k.a. hardware Trojans) into their IPs. We propose to formally verify third-party IPs (3PIPs) for unauthorized corruption of critical data such as a secret key. Our approach develops properties to identify corruption of critical registers. Furthermore, we describe two attacks where computations can be performed on corrupted data without corrupting the critical register. We develop additional properties to detect such attacks. We validate our technique using Trojans in 8051 and RISC processors and AES designs from Trust-Hub.