
HARDWARE TROJAN ATTACKS: THREAT ANALYSIS AND LOW-COST COUNTERMEASURES THROUGH GOLDEN-FREE DETECTION AND SECURE DESIGN

by
XINMU WANG

Submitted in partial fulfillment of the requirements
For the degree of Doctor of Philosophy

Dissertation Adviser: Dr. Swarup Bhunia

Department of Electrical Engineering and Computer Science
CASE WESTERN RESERVE UNIVERSITY
January, 2014

CASE WESTERN RESERVE UNIVERSITY
SCHOOL OF GRADUATE STUDIES

We hereby approve the thesis/dissertation of
Xinmu Wang
candidate for the Doctor of Philosophy degree*.

Swarup Bhunia (signed) (chair of the committee)
Christos Papachristou
Francis Merat
Andy Podgurski

(date) September 04, 2013

*We also certify that written approval has been obtained for any proprietary material contained therein.

TABLE OF CONTENTS

LIST OF TABLES
LIST OF FIGURES
1 Introduction
2 Hardware Trojan Design
  2.1 Introduction
  2.2 Background
  2.3 Effective Hardware Trojan Design Techniques
    2.3.1 Sequential Hardware Trojan
    2.3.2 Side-Channel Aware Trojan Placement in Gate-Level Circuit Netlist
  2.4 Summary
3 Hardware Trojan Attack in Embedded Memory
  3.1 Introduction
  3.2 Background
    3.2.1 SRAM Fault Models
    3.2.2 SRAM Testing Algorithms
  3.3 Trojan Attacks in SRAM Array
    3.3.1 Trojan Trigger Mechanism
    3.3.2 Trojan Type 1: Resistive Short/Bridge
    3.3.3 Trojan Type 2: Resistive Open
    3.3.4 Feasibility Verification
  3.4 Simulation Results
    3.4.1 Trojan Type 1: Short
    3.4.2 Trojan Type 1: Bridge
    3.4.3 Trojan Type 2: Open
  3.5 Discussion
  3.6 Summary
4 Temporal Self-Referencing (TeSR) for Sequential Trojans Detection
  4.1 Introduction
  4.2 Background and Scope
    4.2.1 Related Work
    4.2.2 Scope of the proposed Trojan detection approach
  4.3 Motivational Examples
  4.4 TeSR Methodology
    4.4.1 Test Generation
    4.4.2 Circuit Characterization
    4.4.3 Trojan Detection Sensitivity
    4.4.4 Role of Scan Chain
    4.4.5 DfS for Detecting Transition-Proof Trojans
    4.4.6 Summary of Test Considerations
  4.5 Results
    4.5.1 Test Setup
    4.5.2 Simulation Results
    4.5.3 Experimental Validation
  4.6 Summary
5 Side-Channel Analysis based Reverse Engineering (SCARE) for Post-Silicon Validation
  5.1 Introduction
  5.2 Background
  5.3 Methodology
  5.4 Case Study: DLX Processor
  5.5 Summary
6 Design for SoC Security
  6.1 Introduction
  6.2 Background of IIP and Embedded Core Test
    6.2.1 Infrastructure IP
    6.2.2 IEEE 1500 Standard
  6.3 Overview of IIPS
  6.4 Design of IIPS Security Functions
    6.4.1 Attack Models and Mitigation Strategies
    6.4.2 Security Primitive Design
  6.5 Test Protocol under IEEE Std. 1500
    6.5.1 Wrapper Operation Modes
    6.5.2 SoC-Level IIPS Test Protocol
  6.6 Results
    6.6.1 IIPS Functional Validation
    6.6.2 SoC Authentication and Hardware Trojan Detection
    6.6.3 Hardware Overhead
    6.6.4 Experimental Validation
  6.7 Discussion
    6.7.1 Flexibility
    6.7.2 Scalability
    6.7.3 Configurability
  6.8 Summary
7 Conclusion and Future Work
REFERENCES

LIST OF TABLES

Table
2.1 Area/Power Overhead of Sequential Trojans of Same Functionality but Varying Implementations
2.2 Hardware Overhead Incurred by the Trojans
2.3 Measured RO Frequency Changes for Different Trojans
2.4 Impact of Different Trojan Configurations (as shown in Fig. 2.7) on RO Frequency, 70nm PTM @1V, 25°C
3.1 Implemented Trojans of Type 1.
3.2 Implemented Trojans of Type 2.
3.3 Impact of Trojan Ts QB Vss x (x ∈ {2,3,4}) on a 32x64 SRAM array.
3.4 Impact of two other type-1 (Short) Trojans on a 32x64 SRAM array.
3.5 Payload of Trojan Tb QB QB x (x ∈ {2,3,4}).
3.6 Impact of untriggered Trojan Tb QB QB x (x ∈ {2,3,4}) on a 32x64 SRAM array.
3.7 Impact of untriggered Trojan To QB Vdd on a 32x64 SRAM array.
4.1 Difference metric and Test Length for three designs with three types of Trojan instances.
6.1 Control values for wrapper boundary cell.
6.2 Hardware overhead of IIPS w.r.t. two example SoCs.
6.3 IIPS overhead in FPGA platform.
6.4 Hardware Trojan detection results on FPGA.

LIST OF FIGURES

Figure
2.1 Sequential Trojan model and Trojan state diagram.
2.2 Four sequential Trojan design examples.
2.3 State diagram of a sequential Trojan with sequential and combinational logic sharing with original circuit.
2.4 Various trigger and payload conditions for the proposed Trojan inserted in an embedded processor.
2.5 (a) Trojan trigger mechanism; (b) state transition diagram for the sequential Trojan.
2.6 Hard macro creation flow for the FPGA platform [40].
2.7 Different payload insertion approaches: (a) stitching an extra gate (XOR) inside a delay path; (b) replacing an existing gate (e.g. NOT by XOR) and resizing; (c) stitching a gate outside built-in RO path; (d) inserting a NMOS pull-down transistor as payload; and (e) inserting the payload inside a master-slave FF.
3.1 Common data backgrounds used in SRAM testing.
3.2 Hardware Trojan attack in SRAM array: (a) a general model; (b) effective defect types.
3.3 Data patterns that can be leveraged by Trojan trigger mechanisms.
3.4 Trojans causing v-cell node shorted to Vss: (a) triggered by 2-cell data pattern/& a word line; (b) triggered by 3-cell data pattern/& a word line.
3.5 Trojans causing v-cell pull-up path broken: (a) controlled by one node; (b) controlled by two nodes.
3.6 Implemented Trojans of type 2.
3.7 Layout of Trojans causing short defects in a compact SRAM array: (a) Ts BL Vss 2 WL; (b) Ts QB Vss 2 WL.
3.8 Layout of Trojans causing bridge defects in a compact SRAM array: (a) Tb BLB BL 2 WL; (b) Tb QB QB 3 WL.
3.9 Layout of Trojans causing open defects in a compact SRAM array: (a) To Q(B) Vdd WL; (b) To Q(B) Vdd WL QB.
3.10 Hold-SNM of the v-cell while Trojan is on.
3.11 Read-SNM of the v-cell while Trojan is on.
3.12 Trojans cause read-destructive fault (RDF) in the v-cell during read-0 operation.
3.13 Trojans cause shifted write-0 trip point and degraded logic-1 voltage at QB.
3.14 Trojans cause write-0 failure (RDF) in the v-cell.
3.15 Trojan Tb QB QB 2 causes coupling faults in the v-cells: (a) with 2ns clock period; (b) with 3ns clock period.
3.16 Trojan To Q VDD 2 causes (a) data retention fault; (b) read-after-write dynamic faults.
3.17 Type-2 Trojans with WL as part of the trigger condition cause temporary negative SNM in the v-cell.
4.1 (a) Sequential Trojan model and examples: (b) Synchronous Counter, (c) Rarely-triggered Finite State Machine (FSM), (d) MOLES Trojan [3].
4.2 Comparison of challenges and scope of different Trojan detection approaches.
4.3 (a) Circuit-level parameter variations can be due to inter-die or intra-die variations in device parameters. (b) The effect of process variations on the average transient current can mask the effect of a Trojan circuit.
4.4 Effectiveness of temporal self-referencing