Efficient Control-Flow Subgraph Matching for Detecting Hardware...
Transcript of Efficient Control-Flow Subgraph Matching for Detecting Hardware...
Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models
L. Piccolboni (1,2), A. Menon (2), and G. Pravadelli (2)
1 Columbia University, New York, NY, USA
2 University of Verona, Verona, Italy
ACM/IEEE CODES+ISSS 2017, Seoul, South Korea

Hardware Trojans
• A Hardware Trojan is defined as a malicious and intentional alteration of an integrated circuit that results in undesired behaviors
[Figure: Hardware Trojan]
• Trigger Logic: activates the malicious behavior under specific conditions
• Payload Logic: implements the actual malicious behavior

Hardware Trojans: Limitations in Current Methodologies
• Several methodologies have been proposed to detect Trojans at Register-Transfer Level (RTL)
• Nevertheless, there are still some limitations:
1. Manual effort from designers is required
2. They focus on a specific type of threat, e.g., a particular payload or a trigger

Contributions
• We propose a verification approach based on a Control-Flow Subgraph Matching Algorithm
[Flow diagram]
Inputs: Design Under Verification (DUV), RTL Verilog/VHDL; Hardware Trojan Library, RTL Verilog/VHDL
1. Hardware Trojan Library
2. Extraction Algorithm: get Control-Flow Graphs (CFGs) from DUV and HTs
3. Detection Algorithm: search instances of the Trojan CFGs in the DUV
Output: Hardware Trojan Report

Background: Control-Flow Graphs (CFGs)
• We build a CFG for each process of the DUV/HT
• basic block (node) = it is a sequence of instructions without any branch
• edge = connects the block b1 with b2 if the block b1 can be executed after b2 in at least one DUV/HT execution
[Figure: example CFG with nodes s1, b2, b3, b4, b5, e1. s1 is the first basic block of the process, e1 is the last basic block of the process. Branch rule: left if true, right if false. Code associated with the basic blocks: if(reset); if(c==1); a = 1, b++; a = 1, b = 0; a++, b = 0]

Hardware Trojan Library
[Flow diagram, step 1: Hardware Trojan Library]
• We defined a Hardware Trojan (HT) Library that includes the RTL implementations of known HT triggers and their camouflaged variants

Hardware Trojan Library: Trigger #1: Cheat Codes
• A cheat code is a value (or sequence of values) that triggers the payload when observed in a register
[Figure: CFG of the cheat-code trigger. Nodes: s1, b1, e1, s2, b2, b3, b4, b5, b6, b7, e2. Code on the nodes: if(reset); if(c1); if(c2 & v1); trigger = v1 & v2; v1 = 1; v2 = 1; v1 = 0, v2 = 0]

Hardware Trojan Library: Trigger #2: Dead Machines
• A dead machine code triggers the payload when specific state-based conditions are satisfied
[Figure: CFG of the dead-machine trigger. Nodes: s1, b1, e1, s2, b2, b3, b4, b5, b6, b7, e2. Code on the nodes: if(reset); case 1; case 2; case 3; reset vars; if(cond) trigger = 1]

Hardware Trojan Library: Trigger #3: Ticking Timebombs
• A ticking timebomb triggers the payload when a certain number of clock cycles has passed
[Figure: CFG of the ticking-timebomb trigger. Nodes: s1, b1, b2, e1, s2, b3, b4, b5, b6, e2. Code on the nodes: if(reset); if(cnt==N); trigger = 1; if(reset); cnt = 0; ++cnt]

Hardware Trojan Library: Handling Camouflaged Variants
• We need an automatic way to extend such basic implementations to find camouflaged variants
Extension directives:
1. parametrizable 1
2. bound-number 10
3. add-basic-blocks 2
4. add-edge(b7, $1)
5. add-edge(b7, $2)
6. add-edge($1, e2)
7. add-edge($2, e2)
8. drop-edge(b7, e2)
9. old-source-block b7
10. up-source-block $2
[Figure: the cheat-code trigger CFG (nodes s1, b1, e1, s2, b2, b3, b4, b5, b6, b7, e2; code: if(reset); if(c1); if(c2 & v1); trigger = v1 & v2; v1 = 1; v2 = 1; v1 = 0, v2 = 0) extended one directive at a time: two new basic blocks b8 and b9, labelled $1 and $2, are added, and a "source" marker is shown in the last two steps]

Hardware Trojan Library: Pros and Cons
• We defined a Hardware Trojan (HT) Library that includes the RTL implementations of known HT triggers and their camouflaged variants
Pros:
• Unique verification approach
• Easy to extend the approach for new hardware Trojans
• Easy to customize the library to the needs of the user
Cons:
• Need of the implementations of the hardware Trojans
• Only the hardware Trojans in the library or their variations can be detected

Hardware Trojan Detection: Extraction Algorithm
[Flow diagram, step 2: Extraction Algorithm]
    // Cheat-code trigger: trig is raised when value equals the constant N
    module Trigger(input reset, input [127:0] value, output reg trig);
      parameter N = 128'hffff_ffff_...._ffff;
      always @(reset, value) begin
        if (reset == 1) begin
          trig <= 0;
        end else if (value == N) begin
          trig <= 1;
        end else begin
          trig <= 0;
        end
      end
    endmodule
[Figure: the CFG of the process is built step by step from the code. Nodes: s1, b1, b2, b3, b4, e1. Code on the nodes: if(reset==1); trig <= 0; if(value==N); trig <= 1; trig <= 0]

Hardware Trojan Detection: Extraction Algorithm: Probabilities
• To calculate the probabilities associated with the arcs, we use an approach based on an SMT solver
[Diagram: Condition → SMT Solver [A. Cimatti et al., "The MathSAT5 SMT Solver"] → Number of Models]
• Scalability? YES, conditions are simple enough!
• Plus, simple conditions are short-circuited, e.g., var==N → Number of models = 1
[Figure: the CFG of the Trigger module (nodes s1, b1, b2, b3, b4, e1) annotated step by step with edge probabilities: 0.5 / 0.5, then ~0 / ~1, then 1 on three further edges]
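
An added example (not code from the slides or the paper) of how such edge probabilities follow from model counts: the probability of the true edge is the number of models of the branch condition divided by the size of the input space. It replaces the SMT solver with plain enumeration plus the equality short-circuit; the function names, the condition encoding, the enumeration cap and the value of N are assumptions made here.

```python
from fractions import Fraction
from itertools import product

MAX_ENUM_BITS = 20  # assumed cap on brute-force enumeration

def count_models(cond, widths):
    """Number of assignments (over all variables in widths) that satisfy cond.

    cond is ("eq", var, const) or ("fn", callable taking a dict of values).
    widths maps each variable name to its bit width.
    """
    total_bits = sum(widths.values())
    if cond[0] == "eq":
        # Short-circuit: var == const has one model for var (none if the
        # constant does not fit the width); every other variable stays free.
        _, var, const = cond
        if not 0 <= const < 2 ** widths[var]:
            return 0
        return 2 ** (total_bits - widths[var])
    if total_bits > MAX_ENUM_BITS:
        raise ValueError("condition too wide to enumerate; use a model counter")
    names = list(widths)
    spaces = [range(2 ** widths[n]) for n in names]
    return sum(1 for vals in product(*spaces) if cond[1](dict(zip(names, vals))))

def edge_probabilities(cond, widths):
    """(P(true edge), P(false edge)) for uniformly distributed inputs."""
    p_true = Fraction(count_models(cond, widths), 2 ** sum(widths.values()))
    return p_true, 1 - p_true

# Branch conditions of the kind shown on the slides. N is a constructed
# stand-in: the slide's 128-bit constant is elided.
N = 0xC0FFEE
RESET = edge_probabilities(("eq", "reset", 1), {"reset": 1})
CHEAT = edge_probabilities(("eq", "value", N), {"value": 128})
OR2 = edge_probabilities(("fn", lambda v: v["c1"] | v["c2"]), {"c1": 1, "c2": 1})

if __name__ == "__main__":
    for name, (t, f) in [("reset==1", RESET), ("value==N", CHEAT), ("c1|c2", OR2)]:
        print(f"{name:10s} true={float(t):.3g} false={float(f):.3g}")
```

A 128-bit equality test is true for one input in 2^128, which is why a cheat-code branch carries a true-edge probability of practically zero.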

Hardware Trojan Detection: Detection Algorithm
[Flow diagram, step 3: Detection Algorithm]
[Figure: the CFG of the trigger (nodes s1, b1, b2, b3, b4, e1, with its code and edge probabilities) is stripped step by step down to the abstracted trigger (nodes s1, b1, b2, b3, b4)]
[Figure: the CFG of the DUV (code on the nodes includes if(reset==1); t = 0; t = 1; if(c1 | c2); if(v1 == K); edge probabilities include 0.5 / 0.5, 0.75, 0.25, ~0 / ~1 and 1) is reduced to the abstracted DUV]
• Search the trigger in the DUV
[Figure: the abstracted trigger is located in the abstracted DUV: Match #1, Match #2]
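
The search step sketched on these slides, as an added example (not the authors' algorithm or code): a plain backtracking matcher that reports every place where an abstracted trigger CFG occurs inside an abstracted DUV CFG. The graph encoding, the name find_matches, the match criterion (an injective node mapping that preserves every trigger edge) and both sample graphs are assumptions constructed here.

```python
def find_matches(pattern, target):
    """Find occurrences of a pattern CFG inside a target CFG.

    Graphs are dicts: node -> set of successor nodes. A match is an injective
    node mapping under which every pattern edge is also a target edge.
    Mappings that cover the same set of target nodes are reported once.
    """
    order = sorted(pattern, key=lambda n: -len(pattern[n]))  # branch nodes first
    found = {}

    def consistent(u, cand, mapping):
        if len(target[cand]) < len(pattern[u]):
            return False                      # too few outgoing edges
        if u in pattern[u] and cand not in target[cand]:
            return False                      # self-loop is missing
        for v, image in mapping.items():
            if v in pattern[u] and image not in target[cand]:
                return False                  # edge u -> v is missing
            if u in pattern[v] and cand not in target[image]:
                return False                  # edge v -> u is missing
        return True

    def extend(mapping):
        if len(mapping) == len(order):
            found.setdefault(frozenset(mapping.values()), dict(mapping))
            return
        u = order[len(mapping)]
        for cand in target:
            if cand not in mapping.values() and consistent(u, cand, mapping):
                mapping[u] = cand
                extend(mapping)
                del mapping[u]

    extend({})
    return list(found.values())

# Constructed abstracted trigger: two nested branches, no code, no probabilities.
TRIGGER = {"s1": {"b1", "b2"}, "b1": set(), "b2": {"b3", "b4"},
           "b3": set(), "b4": set()}
# Constructed abstracted DUV: three nested branches that all join in d7.
DUV = {"d0": {"d1", "d2"}, "d1": {"d7"}, "d2": {"d3", "d4"}, "d3": {"d7"},
       "d4": {"d5", "d6"}, "d5": {"d7"}, "d6": {"d7"}, "d7": set()}

if __name__ == "__main__":
    for i, m in enumerate(find_matches(TRIGGER, DUV), 1):
        print(f"Match #{i}:", dict(sorted(m.items())))
```

On the sample graphs the trigger is found twice, rooted at d0 and at d2, and the two matches overlap in d2, d3 and d4; a structural hit of this kind is only a candidate, which is why each match still needs a confidence value.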

Hardware Trojan Detection: Detection Algorithm: Confidence
• Some Hardware Trojans can be similar to actual legal code: we need to give a confidence value for each match returned by the detection alg.
• The confidence value is in the range [0,1]
• 1 → highest confidence that it is a Trojan
• For each match we evaluate 4 conditions c1, c2, c3 and c4 → confidence is a linear combination of those conditions (weights vary with triggers)

c1: presence of variables with known behavior
[Figure: Trigger in the HT Library. Nodes: s1, b1, b2, e1, s2, b2, b3, b4, b5, e2. Code on the nodes: if(reset); if(cnt==N); trigger = 1; if(!reset); cnt = 0; ++cnt]
[Figure: Match in the DUV. Code on the nodes: if(reset); if(var==N); if(!reset); var = 0; var += k. Annotation: it is similar to a counter!]

c2: presence of suspicious reset logics
[Figure: Trigger in the HT Library and Match in the DUV, each with an if(reset) node; nodes shown: s1, b1, b5, b6; probability shown: 0.5]
• Same reset mechanism of the process?
• Suspicious variables are reset?

c3: average distance of the probabilities
[Figure: Trigger in the HT Library (nodes s1, b1, b2, b3, b4; branch probabilities 0.5 / 0.5 and 0.001 / 0.999) next to the Match in the DUV (nodes b5, b6, b7, b8, b9)]
Match in the DUV with branch probabilities 0.5 / 0.5 and 0.5 / 0.5:
confidence = 1 - [ |0.5 - 0.5| + |0.5 - 0.5| + |0.5 - 0.001| + |0.5 - 0.999| ] = 0.002
Match in the DUV with branch probabilities 0.5 / 0.5 and 0.01 / 0.99:
confidence = 1 - [ |0.5 - 0.5| + |0.5 - 0.5| + |0.01 - 0.001| + |0.99 - 0.999| ] = 0.892

c4: is there a payload that is affine to the trigger?
[Figure: Hardware Trojan Library (RTL Verilog/VHDL), with added known implementations of HT payloads]
• The payloads are searched as well in the DUV
• Are there a matched payload and matched trigger that share some variables?

Experimental Results
• We verified the effectiveness of our approach by considering the Trust-HUB Benchmarks and the Crypto platform (component from OpenCores)
• We created a HT Library that includes the same types of HTs (but not the same code) of the HTs that have been included in the benchmarks
• The goal here is to show that our verification approach can help users to distinguish HTs

Experimental Results: HT Library (Triggers)

Cheat codes
Name          Blocks  Edges
Cheat-T001    4       4
Cheat-T002    5       6
Cheat-T003    6       7
Cheat-T004    16      21
Cheat-T005    11      14
Cheat-T006    11      14

Timebombs
Name          Blocks  Edges
Time-T001     13      16
Time-T002     14      19
Time-T003     12      15
Time-T004     6       7
Time-T005     14      17

Dead machines
Name          Blocks  Edges
Mach-T001     10      11
Mach-T002     11      13

Experimental Results: HT Library (Payloads)

Payloads
Name          Effect            Blocks  Edges
Payload-T001  Infor. leakage    16      21
Payload-T002  Increase Power    8       9
Payload-T003  Covert Channel    10      13
Payload-T004  Leakage Current   12      15
Payload-T005  Modify memory     7       7
Payload-T006  Modify output     7       7

Experimental Results: Characteristics of Benchmarks

Trust-HUB Benchmarks
Name       # Diff. Instances  Min. # Blocks  Max. # Blocks  Min. # Edges  Max. # Edges
AES        16                 2101           2150           3160          3236
RS232      10                 130            159            184           233
BasicRSA   4                  81             93             119           139

Crypto platform (CPU + memory + 5 crypto cores)
Name       # Diff. Instances  Min. # Blocks  Max. # Blocks  Min. # Edges  Max. # Edges
Crypto     6                  4402           4424           6503          6537

Experimental Results: Quantitative Evaluation

Trust-HUB Benchmarks
Family     [A]    [B]    [C]    [C]*   This work
AES        3/18   9/18   0/18   18/18  18/18
RS232      0/10   0/10   9/10   10/10  10/10
BasicRSA   0/4    2/4    4/4    4/4    4/4

A → [J. Rajendran et al., "Detecting Malicious Modifications of Data in Third-Party Intellectual Property Cores", DAC '15]
B → [J. Rajendran et al., "Formal Security Verification of Third-Party Intellectual Property Cores for Information Leakage", VLSID '16]
C → [S. K. Haider et al., "HaTCh: Hardware Trojan Catcher", '14]
* Assuming they are activated during the learning phase

Experimental Results: Qualitative Evaluation

Proposed Approach for Trust-HUB Benchmarks
Name           Matches  ConfHT  ConfMAX  False+  Time (s)
AES-T800       9        0.93    0.65     0       5.04
AES-T1400      81       0.99    0.69     0       4.85
AES-T1900      11       0.97    0.72     0       4.82
RS232-T100     7        0.36    0.50     2       4.12
BasicRSA-T100  4        0.25    0.25     3       1.13
(Full results in the paper or in the poster)

Proposed Approach for Crypto platform
Name           Matches  ConfHT  ConfMAX  False+  Time (s)
Crypto-T000    23       N/A     0.35     N/A     11.80
Crypto-T100    34       0.81    0.39     0       12.88
-              34       0.72    0.39     0       12.88
Crypto-T200    31       0.96    0.71     0       13.43
Crypto-T300    42       0.88    0.29     0       15.03
Crypto-T400    34       0.90    0.50     0       15.67

Conclusions
• We presented an automatic approach for the detection of hardware Trojans at RTL
1. Our approach is general: it adopts an approach independent from the specific hardware Trojan
2. Our approach is extendible: new Trojans can be easily added to the Hardware Trojan Library
3. Our approach is fast: it takes only a few seconds to find hardware Trojans in large DUVs

Speaker: Luca Piccolboni
Columbia University, NY, USA
University of Verona, Verona, Italy
Questions?