![Page 1](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/1.jpg)
How to Attack the IoT with Hardware Trojans
Christof Paar, Ruhr-Universität Bochum & University of Massachusetts Amherst
hardwear.io Den Haag, September 22, 2017
Image credit: Janet Lackey, under CC license
![Page 2](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/2.jpg)
Acknowledgement
• Georg Becker
• Pawel Swierczynski
• Marc Fyrbiak
![Page 3](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/3.jpg)
Agenda
Introduction to Hardware Trojans
Sub-Transistor ASIC Trojans
FPGA Trojan
Key extraction attack
Auxiliary Stuff
![Page 4](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/4.jpg)
Agenda
Introduction to Hardware Trojans
Sub-Transistor ASIC Trojans
FPGA Trojan
Key extraction attack
Auxiliary Stuff
![Page 5](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/5.jpg)
Hardware Trojans
Malicious change or addition to an IC that adds or removes functionality, or reduces reliability
Many rather unpleasant “applications”
![Page 6](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/6.jpg)
Hardware Trojans & the Scientific Community
[Bar chart: publications with “Hardware Trojans” or “malicious Hardware” per year, 2007-2012 (Google Scholar, Aug 2013); two series: term only in the title, term anywhere in the paper; y-axis 0-250]
![Page 7](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/7.jpg)
Trojan Injection & Adversary Scenarios
Manufacturing: malicious factory, esp. off-shore (foreign government)
Design manipulation: 3rd-party IP cores, malicious employee
During shipment: cf. NSA’s interdiction
Built-in backdoors etc.
DoD scenario 2005
not-so-unlikely 2013
![Page 8](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/8.jpg)
Where are we with “real” HW Trojans?
No true hardware Trojan observed in the wild
Vast majority of publications focus on detection
All examples from academia
![Page 9](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/9.jpg)
Our Thoughts
1. Designing Trojans could be fun too
2. Especially those that go undetected
![Page 10](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/10.jpg)
Simple Example: Inverter Trojan
Let’s modify an inverter so that it always outputs “1” (VDD) without visible changes.
[Schematic: CMOS inverter with input A and output Y, PMOS to VDD and NMOS to GND, shown twice: original and to-be-modified]
Truth table of the inverter: A=0 → Y=1; A=1 → Y=0
![Page 11](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/11.jpg)
PMOS Transistor Trojan
Unmodified PMOS transistor: N-well (connected to VDD); P-dopant source (connected to VDD) and P-dopant drain (the output); gate
Trojan transistor with constant VDD output: N-well (connected to VDD); N-dopant source (connected to VDD) and N-dopant drain (the output); gate
![Page 12](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/12.jpg)
“Always One” Trojan Inverter
[Schematic: original inverter A → Y next to the Trojan inverter A → Y = 1, both between VDD and GND]
Truth table of the original inverter: A=0 → Y=1; A=1 → Y=0
Trojan: PMOS transistor permanently closed (always conducting), NMOS transistor permanently open (never conducting)
Q1: Can the manipulation be detected?
Q2: How to build a useful Trojan from here?
![Page 13](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/13.jpg)
Detection: layout view of Trojan inverter
Original Inverter vs. “Always One” Trojan: which one has the Trojan?
Unchanged:
• All metal layers
• Polysilicon layer
• Active area
• Wells
Dopant changes are (very?) difficult to detect using optical inspection!
![Page 14](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/14.jpg)
“Small” remaining question
Q2: Can we build a meaningful Trojan using dopant modifications that passes functional testing?
• Unfortunately, circuits will not function correctly with this simple stuck-at fault …
• … functional testing (after manufacturing) will detect the fault right away
![Page 15](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/15.jpg)
A Real-World True Random Number Generator Dopant Trojan
TRNG … random numbers generate cryptographic keys for
• secure web browsing
• email encryption
• document certification
• …
![Page 16](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/16.jpg)
2 Modules form the Random Number Generator
entropy source → 011001011110 … → digital post-processing → 128-bit crypto key
![Page 17](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/17.jpg)
Inside the Random Number Generator
entropy source → 011001011110 … → 256 random bits → state register c (128 bits) and state register k (128 bits) → AES (+1) → 128-bit crypto key
• 1,000,000,000,000,000,000,000,000,000,000,000,000,000 possible crypto keys
• testing all keys: lifetime of the universe
![Page 18](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/18.jpg)
Trojan Random Number Generator
entropy source → 256 state bits (c1 c2 … c32 0 0 0 1 …), of which only 32 are random; 224 Trojan bits are fixed by the attacker! → AES (+1) → 128-bit crypto key
• before: 1,000,000,000,000,000,000,000,000,000,000,000,000,000 possible crypto keys (testing all keys: lifetime of the universe)
• now: 1,000,000,000 possible crypto keys (testing all keys: a few seconds)
... but the circuit would still be tested as “faulty” during manufacturing …
![Page 19](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/19.jpg)
Built-in self test prevents detection of fault
Test mode, original design: known input → 256-bit state → Rate Matcher (based on AES) → 512 bits → CRC checksum (32 bits) → Reference checksum? =
Test mode, TROJAN design: known input → 256-bit state (224 bits forced) → Rate Matcher (based on AES) → 512 bits → CRC checksum (32 bits) → Reference checksum? a naive Trojan would give ≠, but here still = due to clever choosing of the Trojan bits
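To make the argument of the last three slides concrete, here is an added Python model (not the authors’ code) of the RNG with and without the Trojan: the built-in self test and a frequency test on the whitened output pass in both cases, while a stuck-bit health test on the raw state register exposes the 224 fixed bits. It assumes SHA-256 as a stand-in for the AES rate matcher, CRC-32 as the BIST checksum, and a seeded PRNG as a constructed entropy source.

```python
import hashlib
import random
import zlib

STATE_BITS = 256
RANDOM_BITS = 32      # entropy the Trojan leaves intact; the other 224 bits are forced
# The self-test replaces the entropy source with this known input (constructed value).
KNOWN_INPUT = int.from_bytes(hashlib.sha256(b"bist-known-input").digest(), "big")
# "Clever choice" of the Trojan bits: the 224 forced bits equal the known input's
# upper bits, so in test mode the state register is exactly what the BIST expects.
TROJAN_CONSTANT = KNOWN_INPUT >> RANDOM_BITS


def honest_state(raw: int) -> int:
    """Unmodified design: all 256 state bits come from the entropy source."""
    return raw


def trojan_state(raw: int) -> int:
    """Dopant Trojan: only the low 32 bits stay random, the rest are constants."""
    return (TROJAN_CONSTANT << RANDOM_BITS) | (raw & ((1 << RANDOM_BITS) - 1))


def post_process(state: int) -> bytes:
    """Whitening stage (SHA-256 stands in for the AES rate matcher): 128-bit key."""
    return hashlib.sha256(state.to_bytes(32, "big")).digest()[:16]


def bist_passes(state_fn) -> bool:
    """Built-in self test: known input -> state register -> whitening -> CRC."""
    reference = zlib.crc32(post_process(KNOWN_INPUT))
    return zlib.crc32(post_process(state_fn(KNOWN_INPUT))) == reference


def monobit_passes(data: bytes, tolerance: float = 0.05) -> bool:
    """Frequency test on the whitened output; it looks fine for both designs."""
    ones = sum(bin(b).count("1") for b in data)
    return abs(ones / (8 * len(data)) - 0.5) < tolerance


def stuck_bit_count(states) -> int:
    """Raw-source health test: count state bits that never toggle across samples."""
    full = (1 << STATE_BITS) - 1
    and_all, or_all = full, 0
    for s in states:
        and_all &= s
        or_all |= s
    return bin(and_all | (~or_all & full)).count("1")


def evaluate(state_fn, samples: int = 64, seed: int = 1) -> dict:
    """Run the BIST, the output statistic and the raw-source test on one design."""
    rng = random.Random(seed)            # seeded PRNG as constructed entropy source
    states = [state_fn(rng.getrandbits(STATE_BITS)) for _ in range(samples)]
    keys = b"".join(post_process(s) for s in states)
    return {"bist": bist_passes(state_fn), "monobit": monobit_passes(keys),
            "effective_key_bits": STATE_BITS - stuck_bit_count(states)}


if __name__ == "__main__":
    print("honest:", evaluate(honest_state))   # effective_key_bits: 256
    print("trojan:", evaluate(trojan_state))   # effective_key_bits: 32
```

Only the test that looks at the raw state before whitening separates the two designs; everything downstream of the AES stage reports a healthy generator.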
![Page 20](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/20.jpg)
Conclusion
• Meaningful hardware Trojans are possible without extra logic
• Many detection techniques don’t guarantee a Trojan-free design!
• Built-in self tests can be dangerous
More details: Becker, Regazzoni, Paar, Burleson, Stealthy Dopant-Level Hardware Trojans. CHES 2013
… but the scientific community functions as it is supposed to do: Trojan detection is possible with a scanning electron microscope (Sugawara et al., Reversing Stealthy Dopant-Level Circuits. CHES 2014)
![Page 21](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/21.jpg)
Agenda
Introduction to Hardware Trojans
Sub-Transistor ASIC Trojans
FPGA Trojan
Key extraction attack
Auxiliary Stuff
![Page 22](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/22.jpg)
FPGAs = Reconfigurable Hardware … are widely used
world market: ≈ 5b devices
![Page 23](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/23.jpg)
Configuration during power-up
Configuration file (“bitstream”) → power-up → configured FPGA
Can we build hardware Trojans by manipulating the bitstream?
![Page 24](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/24.jpg)
Principle of FPGA-based Trojans
Small look-up tables realize the logic
Manipulate bits in the bitstream → configure → Trojan (T) in the fabric
Source graphics: SimpleIcon, Xilinx
![Page 25](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/25.jpg)
The Mechanics of FPGAs
FPGA fabric: 10^3 … 10^6 logic cells
bitstream is complex and proprietary
Two challenges:
1. find AES in unknown design
2. meaningful manipulation
![Page 26](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/26.jpg)
Finding AES: Luckily, crypto has very specific components
• S-boxes are realized as 6x1 look-up tables (LUTs)
• LUT locations can be found in the bitstream
• S-box contents are very specific (luckily)
![Page 27](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/27.jpg)
AES detection in practice
8 different real-world AES implementations
![Page 28](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/28.jpg)
Algorithm substitution attack and its implications
1. Inject weak S-boxes in bitstream
2. Trojan AES is configured: PT → CT = AES_T(k, PT)
Cute work … but not interoperable with regular AES
“Useful” attacks are still possible!
1. Storage encryption – plaintext recovery
• Attacker can recover plaintext without access to k
2. Temporary device access – key extraction
• switch S-box and recover k from CT
• configure original S-box
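As an added example (not the paper’s tooling), the following Python code turns the two observations above, S-boxes as 6x1 LUTs with very specific contents, into an integrity check: it generates the reference AES S-box, derives the 32 truth tables a LUT6 realization of one S-box contains, and reports which of them are present in a set of LUT contents, so a design whose S-box has been swapped for a weak one shows up as 32 missing slices. The LUT6 address mapping (the LUT for segment j holds S[64·j + i] for inputs i = 0..63), the constructed weak S-box and the random glue-logic LUTs are assumptions.

```python
import random


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def _affine(b: int) -> int:
    """AES affine map: b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63."""
    s = b
    for _ in range(4):
        b = ((b << 1) | (b >> 7)) & 0xFF
        s ^= b
    return s ^ 0x63


def aes_sbox() -> list:
    """Reference S-box: multiplicative inverse (0 -> 0) followed by the affine map."""
    return [_affine(next((x for x in range(1, 256) if gf_mul(a, x) == 1), 0))
            for a in range(256)]


def weak_sbox() -> list:
    """Constructed substitute with the inversion removed: purely affine, hence weak."""
    return [_affine(a) for a in range(256)]


def lut6_slices(sbox) -> dict:
    """Truth tables of the 32 LUT6s realizing one S-box -> (output_bit, segment).
    Assumed mapping: the LUT for segment j holds S[64*j + i] at table bit i."""
    slices = {}
    for bit in range(8):
        for seg in range(4):
            tt = 0
            for i in range(64):
                tt |= ((sbox[64 * seg + i] >> bit) & 1) << i
            slices[tt] = (bit, seg)
    return slices


def audit_luts(design_luts) -> tuple:
    """Report which genuine AES S-box slices are present and which are missing."""
    expected = lut6_slices(aes_sbox())
    found = sorted({expected[tt] for tt in design_luts if tt in expected})
    missing = sorted(set(expected.values()) - set(found))
    return found, missing


def build_design(sbox, glue_luts: int = 40, seed: int = 7) -> list:
    """Constructed design: one S-box as LUT6 slices mixed with random glue logic."""
    rng = random.Random(seed)
    luts = list(lut6_slices(sbox)) + [rng.getrandbits(64) for _ in range(glue_luts)]
    rng.shuffle(luts)
    return luts
```

Running `audit_luts(build_design(aes_sbox()))` finds all 32 slices with nothing missing, while the same audit on `build_design(weak_sbox())` finds none of them, which is the signal a post-configuration integrity check would raise.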
![Page 29](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/29.jpg)
Conclusion
New attack vector against FPGAs!
Reconfigurability allows “hardware” Trojans designed in the lab
Bitstream protection is crucial! (but not easy, cf. our work at CCS 2011 & FPGA 2013)
Details at: Swierczynski, Fyrbiak, Koppe, Paar, FPGA Trojans through Detecting and Weakening of Cryptographic Primitives. IEEE TCAD 2015.
![Page 30](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/30.jpg)
Agenda
Introduction to Hardware Trojans
Sub-Transistor ASIC Trojans
FPGA Trojan
Key extraction attack
Auxiliary Stuff
![Page 31](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/31.jpg)
What else can we do with bitstream manipulations?
Hmm, are there simpler ways to extract keys through bitstreams without Trojans?
![Page 32](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/32.jpg)
Set-Up
Classical known-plaintext set-up: PT → CT = AES(k, PT)
Non-classical set-up: alteration of the bitstream → configure → k ??
Can bitstream manipulation of an unknown design lead to key leakage?
![Page 33](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/33.jpg)
Bitstream Fault Injections (BiFI)
PT → CT = AES(k, PT); altered bitstream → configure → k
10-30k LUTs per FPGA
(surprising) attack strategy:
1. manipulate 1st LUT table (e.g., all-zero)
2. configure FPGA
3. send PT
4. check: Does CT contain k? If not: GOTO 1 and manipulate the next LUT
![Page 34](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/34.jpg)
How exactly does the key leak??
PT → CT = AES(k, PT); altered bitstream → configure → k
Many LUT manipulations possible:
• all-zero
• all-one
• invert
• upper half of LUT all-zero
• …
Many leakage hypotheses:
• CT = roundkey
• CT = inverted roundkey
• CT = PT xor roundkey
• …
![Page 35](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/35.jpg)
Results for Bitstream Fault Injections (BiFI)
Real-world attack:
• 16 unknown AES designs (Internet)
• 16 different manipulation rules
• ≈ 20k LUTs
• 3.3 sec for configuring and checking one alteration
Results:
• successful key extraction for every design!
• on average ≈ 2000 configurations (≈ 2 h)
• works even for encrypted bitstream (w/o MAC)
![Page 36](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/36.jpg)
Conclusion
Bitstream Fault Injections (BiFI) is a new family of fault attacks
Malleability of the bitstream is a major weakness for FPGAs!
Are there more bitstream-based attacks?
Details at: Swierczynski, Becker, Moradi, Paar: Bitstream Fault Injections (BiFI) – Automated Fault Attacks against SRAM-based FPGAs. IEEE Transactions on Computers, to appear.
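The “works even for encrypted bitstream (w/o MAC)” result and the malleability point, as an added Python model that is not the authors’ code: with confidentiality-only encryption, flipping the ciphertext bits of one LUT applies the “invert” manipulation rule to exactly that LUT after decryption, without any knowledge of the key, whereas a MAC over the ciphertext makes the device reject the altered configuration before it is loaded. The 64-bit LUT tables, the HMAC-SHA256 counter keystream standing in for the FPGA’s AES engine, and both keys are constructed values.

```python
import hashlib
import hmac
import struct

ENC_KEY = b"\x01" * 32          # constructed keys; a real device keeps these in fuses/BBRAM
MAC_KEY = b"\x02" * 32
MASK64 = (1 << 64) - 1
# Constructed "bitstream": a handful of 64-bit LUT6 truth tables.
LUTS = [0x6996966996696996, 0xFFFF0000FFFF0000, 0x00000000FFFFFFFF,
        0x0123456789ABCDEF, 0xAAAAAAAAAAAAAAAA]


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream (HMAC-SHA256 stands in for the AES engine)."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, struct.pack(">Q", ctr), hashlib.sha256).digest()
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Stream encryption/decryption: confidentiality only, no integrity."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def pack_luts(luts) -> bytes:
    return b"".join(struct.pack(">Q", t) for t in luts)


def unpack_luts(blob: bytes) -> list:
    return [struct.unpack(">Q", blob[i:i + 8])[0] for i in range(0, len(blob), 8)]


def invert_lut_in_ciphertext(ct: bytes, index: int) -> bytes:
    """Blind alteration: flipping the ciphertext bytes of LUT #index flips the
    same plaintext bits after decryption, i.e. the 'invert' rule, key unknown."""
    s = 8 * index
    return ct[:s] + bytes(b ^ 0xFF for b in ct[s:s + 8]) + ct[s + 8:]


def load_encrypted_only(ct: bytes) -> list:
    """Device that decrypts but does not authenticate: configures whatever results."""
    return unpack_luts(xor_crypt(ENC_KEY, ct))


def protect(luts) -> bytes:
    """Encrypt-then-MAC: the tag covers the whole ciphertext."""
    ct = xor_crypt(ENC_KEY, pack_luts(luts))
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()


def load_authenticated(blob: bytes):
    """Device that verifies the MAC before configuring; None means rejected."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()):
        return None
    return unpack_luts(xor_crypt(ENC_KEY, ct))
```

Against the unauthenticated loader the altered bitstream configures with LUT 2 inverted and every other LUT intact; against the authenticating loader the same alteration never reaches the fabric.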
![Page 37](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/37.jpg)
Agenda
Introduction to Hardware Trojans
Sub-Transistor ASIC Trojans
FPGA Trojan
Key extraction attack
Auxiliary Stuff
![Page 38](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/38.jpg)
Related Workshops
CHES – Cryptographic Hardware & Embedded Systems, 25.-28. September 2017, Taiwan
escar Europe – Embedded Security in Cars, Berlin, November 2017
![Page 39](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/39.jpg)
Easy-to-understand book for applied cryptography
24 video lectures: Introduction to Cryptography by Christof Paar
![Page 40](https://reader031.fdocuments.us/reader031/viewer/2022021504/5a8594657f8b9a14748c308d/html5/thumbnails/40.jpg)
Thank you very much for your attention!
Christof Paar
Ruhr-Universität Bochum