hardware trojan - cleveland state university


Post on 19-Mar-2022


HARDWARE TROJAN

EEC 492/592, CIS 493

Hands-on Experience on Computer System Security

Chan Yu

Cleveland State University

HARDWARE TROJAN

Hardware Trojan: Malicious alteration of hardware that could, under specific conditions, result in functional changes of the system.

Time Bomb Trojan disables a system at some future time.

Data Exfiltration Trojan leaks confidential information over a secret channel.

A few slides borrowed from Dr. Fouad Kiamilev, University of Delaware

WHAT CAN BE ALTERED?

TROJAN INSERTION: EXAMPLE


TROJAN PAYLOAD (DETECTION)

Thermal

An external resistor is electrically modulated, creating thermal emission.

The micro-controller or other parts of the circuit are quickly saturated with operations, creating thermal emission.

The thermal signal is sensed using an IR camera.

Optical

An external LED is electrically modulated at a rate undetectable by the human eye.

The optical signal is sensed using an optical-to-audio amplifier.

Radio

An external I/O pin is modulated, causing radio emission.

The radio signal is sensed using a radio receiver and post-processing of the received signal on a PC.

NEXT STEP

Experiment #4c

ALU design using Quartus & DE0

HT insertion (trigger, payload)

Competition

Advanced


AN ALU (ARITHMETIC LOGIC UNIT)

Let's build an ALU to support the and/or/add instructions

We'll just build a 1-bit ALU and use 3 of them.

and/or is simpler because each bit operates independently.

add is complicated due to carry.

AN ALU (ARITHMETIC LOGIC UNIT)

1-bit andi and ori

3-input implementation (a,b,op)

[Figure: 1-bit and/or unit with inputs a, b, operation and output result; truth table columns: op, a, b, res]

A DIFFERENT IMPLEMENTATION WITH: THE MULTIPLEXOR

Selects one of the inputs to be the output, based on a control input.

[Figure: multiplexor with data inputs A (0) and B (1), select S and output C]

Note: we call this a 2-input mux even though it has 3 inputs!

Let's build our ALU using a MUX: (1-bit and/or)

[Figure: 1-bit and/or ALU built around the mux; labels A, B, S, C, 0, 1]

1-BIT ALU FOR ADDITION

Boolean equation for carryout?

cout = a b + a cin + b cin

Boolean equation for sum?

sum = a xor b xor cin

Implementation?

[Figure: 1-bit adder with inputs a, b, CarryIn and outputs Sum, CarryOut]

1-BIT ALU FOR ADDITION (FULL ADDER)

1-BIT ALU FOR AND / OR / ADDITION

How could we build a 1-bit ALU for add, and, and or?

How could we build a 3-bit ALU?

[Figure: 1-bit ALU; labels A, B, S, C, adder sum, carryout; mux inputs 0, 1, 2]

The adder has two outputs.

What to do with the carryout? => Connect it to the next bit's ALU.

1-BIT ALU FOR AND/OR/ADD (ALU1)

S1  S0  Q
0   0   D0 (AND)
0   1   D1 (OR)
1   0   D2 (ADD)
1   1   N/A or DC (Don’t Care)

BUILDING A 3 BIT ALU

[Figure: chain of 1-bit ALUs (ALU0, ALU1, ALU2, ..., ALU31) with inputs a0/b0 ... a31/b31, CarryIn and Operation, and outputs Result0 ... Result31 and CarryOut. Operation: and:0, or:1, add:2]


3-BIT ALU (ALU3)

[Figure: ALU3 circuit; visible label: su[2]]

3-BIT ALU (ALU3)

[Figure: ALU3 circuit; visible label: su[2]]

A = sw[9:7]

B = sw[6:4]

S = sw[1:0]

cout = LEDG6

Result = HEX1

S1  S0  R
0   0   A.and.B
0   1   A.or.B
1   0   A.add.B
1   1   N/A or DC (Don’t Care)

DON’T CARES

Satisfiability Don’t Cares (SDC)

SDC consists of all input patterns that will never occur

For 1-bit ALU case, SDC is {S1=1, S0=1}

For XOR in the following circuit, SDC is {x=1, y=1} and {x=0, y=1}

Observability Don’t Cares (ODC)

ODC consists of all input patterns that do not affect the output

ODC of the following subsystem is {x=1, y=0} and {x=0, y=0}

XOR can be removed!

Figures by Prof. G. Qu, University of Maryland

DESIGN VULNERABILITIES

On input “000”, output “11” is a backdoor to the case of input “100”

On input “011” or “111”, output “00” is a fault injection attack to the next module

E.G., A CIRCULAR SYSTEM AND TROJAN

Slides by Prof. G. Qu, University of Maryland

3-BIT ALU – HARDWARE TROJAN

[Figure: ALU3 circuit with Trigger and Payload blocks; visible label: su[2]]

What is the harm?

HT – TRIGGERING MECHANISMS (1)

Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia, “Hardware Trojan: Threats and Emerging Solutions”, IEEE International High Level Design Validation and Test Workshop (HLDVT), pp. 166-171, 2009

HT – TRIGGERING MECHANISMS (2)

Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia, “Hardware Trojan: Threats and Emerging Solutions”, IEEE International High Level Design Validation and Test Workshop (HLDVT), pp. 166-171, 2009

HT - PAYLOAD

RS232 end sequence information leakage

Denial of service

AM transmission

LED transmission

Alex Baumgarten, Michael Steffen, Matthew Clausman, and Joseph Zambreno, “A Case Study in Hardware Trojan Design and Implementation”, International Journal of Information Security (IJIS), 10(1), 2011

HARMFUL?

[Figure: ALU3 circuit with Trigger and Payload blocks; visible label: su[2]]

* Triggered (“11”) => Alters output for normal inputs (“10”): JK F/F

* Triggered (time bomb) => Alters output for normal inputs: JK F/F

* Your own trigger, your own payload for competition
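
An added example, not part of the original slides, showing why a verification plan has to drive the don't-care operation code S1 S0 = 11 as well as the specified ones: a Python reference model of the 3-bit ALU built from the slides' adder equations is compared against a constructed suspect device whose latch is set by op 11. The names `SuspectAlu3` and `audit`, the flipped result bit, and cout = 0 for and/or are assumptions made for illustration.

```python
from itertools import product
AND, OR, ADD, DC = 0b00, 0b01, 0b10, 0b11    # S1 S0 encoding from the ALU1 table

def full_adder(a, b, cin):
    """1-bit adder using the equations given on the slides."""
    s = a ^ b ^ cin
    cout = (a & b) | (a & cin) | (b & cin)
    return s, cout

def golden_alu3(a, b, op):
    """Reference 3-bit ALU -> (result, cout); None for the unspecified op 11."""
    if op == AND:
        return a & b, 0                      # assumption: cout is 0 for and/or
    if op == OR:
        return a | b, 0
    if op == ADD:
        result, carry = 0, 0
        for i in range(3):                   # ripple carry through ALU0..ALU2
            s, carry = full_adder((a >> i) & 1, (b >> i) & 1, carry)
            result |= s << i
        return result, carry
    return None

class SuspectAlu3:
    """Constructed device under test: one state bit (a flip-flop) set by op 11."""
    def __init__(self):
        self.armed = False
    def step(self, a, b, op):
        if op == DC:
            self.armed = True                # trigger sits in the don't-care space
            return 0, 0
        result, cout = golden_alu3(a, b, op)
        if self.armed and op == ADD:
            result ^= 0b100                  # constructed payload: flip result bit 2
        return result, cout

def audit(make_dut, ops_to_drive):
    """Drive every (op, a, b) in order; list mismatches on specified ops."""
    dut, bad = make_dut(), []
    for op, a, b in product(ops_to_drive, range(8), range(8)):
        got = dut.step(a, b, op)
        want = golden_alu3(a, b, op)
        if want is not None and got != want:
            bad.append((a, b, op, got, want))
    return bad

spec_only = audit(SuspectAlu3, [AND, OR, ADD])      # plan limited to the spec
with_dc = audit(SuspectAlu3, [DC, AND, OR, ADD])    # plan that also drives S=11
print(len(spec_only), len(with_dc))
```

The plan limited to the three specified operations finds nothing, while the plan that first drives S = 11 exposes a mismatch on every add input, so stateful checks must include the don't-care codes.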