Prepared for BTW’2014

Trojans In SRAM Circuits

Senwen Kan - AMD/SMUJennifer Dworak - SMU

Overview

Background

Motivation

Trojan Design

Inserting Trojans in SRAM

Experimental Results

Background

Israeli use of Electronic Warfare in “Operation Orchard” - 2007, disabled Syrian Air Defense Systems

Some Speculate “Kill Switch”

French Military Contractors have Intentionally built in “Kill Switch” in their military hardware

What are Trojans

Sequential Vs Combinational

Always on Vs Triggered on some condition

Leakage, Denial-of-Service (DoS)

3

Why SRAMs?

Hard to Detect

Simple SRAM 32X32

32 Entries

32 bit wide

2^37 Terms to Trigger on Address lines and/or data

Space to Insert

Why SRAMs (Cont)

SRAMs maybe external IP

SRAMs maybe used widely across an SoC, processor caches, register files, storing exception report, used by Crypto Units, FPGAs, & so on…

Can’t Synthesize to netlist (exception would be latch arrays)

Don’t have accurate ATPG Models

Trojan Circuits

Trojan 1

Combinational

DoS

5 Sub Trojans

Once Triggered will Stay on

2 Payload Mechanisms

Tri-Stating

Scrambling

Trojan Circuits (Cont)

Trojan 2

Sequential

DoS

Triggering Mechanism 2 part

Payload is Tri-Stating

Trojan Circuits (Cont) Trojan 3

Combinational

Always on

DoS

Designed to be evasive

Good Design code:

assign data_in[W:0] = good_data[W:0];

Trojan’ed Design code

assign data_in[0] = good_data[0]^(good_data[W:0]==TrojanKeyWord);

assign data_in[W:1] = good_data[W:1];

Meant to make coverage tools not detect it - at least everything toggled

Trojan Insertion

Selected 4 Types of industrial SRAMs

2 from OpenSparc Design Library

TSA - used by TLU for exceptions

Used by network interface

2 from Internal Design Library

Processor Data Caches

Experimental Results

More Details in the Paper

But Essentially, 5 to 10 million cycles of Randomized Simulation can’t detect anything

Did 6N BIST Sims, not catching Anything

Q&A