基于可满足性无关项的硬件木马设计与检测

doi:10.11959/j.issn.2096-109x.2021025

网络与信息安全学报 ›› 2021, Vol. 7 ›› Issue (2): 35-42.doi: 10.11959/j.issn.2096-109x.2021025

• 专题：集成电路硬件安全 • 上一篇下一篇

基于可满足性无关项的硬件木马设计与检测

武玲娟¹^,², 朱嘉诚¹, 唐时博¹, 谭静¹, 胡伟¹

¹ 西北工业大学网络空间安全学院，陕西西安710072
² 华中农业大学信息学院，湖北武汉430070

修回日期:2020-12-24 出版日期:2021-04-15 发布日期:2021-04-01
作者简介:武玲娟（1984- ），女，河北邢台人，博士，西北工业大学研究员，主要研究方向为硬件安全与形式化安全验证。
朱嘉诚（1996- ），男，江苏常州人，西北工业大学硕士生，主要研究方向为硬件安全。
唐时博（1994- ），男，陕西西安人，西北工业大学博士生，主要研究方向为硬件安全。
谭静（1997- ），女，安徽合肥人，西北工业大学硕士生，主要研究方向为硬件安全。
胡伟（1982- ），男，湖北孝感人，博士，西北工业大学副教授，主要研究方向为硬件安全、形式化安全验证与密码学。
基金资助:
国家自然科学基金(62074131);湖北省自然科学基金(2020CFB190)

Design and detection of hardware Trojan based on satisfiability don't cares

Lingjuan WU¹^,², Jiacheng ZHU¹, Shibo TANG¹, Jing TAN¹, Wei HU¹

¹ School of Cyber Security, Northwestern Polytechnical University, Xi’an 710072, China
² College of Informatics, Huazhong Agricultural University, Wuhan 430070, China

Revised:2020-12-24 Online:2021-04-15 Published:2021-04-01
Supported by:
The National Natural Science Foundation of China(62074131);The Natural Science Foundation of Hubei Province(2020CFB190)

摘要/Abstract

摘要：

硬件木马是集成电路中隐含的恶意设计修改，被激活后可用于发起高效的底层攻击。由此，展示了一种新的利用可满足性无关项的轻量级高隐蔽性硬件木马安全威胁。该木马设计方法将轻量级木马设计隐藏于电路正常工作条件下无法覆盖到的可满足性无关项中，使插入木马后的电路设计与原始设计完全功能等价。攻击者只需利用简单的故障注入攻击手段即可激活木马。基于1024位RSA密码核的实验结果显示，所给出的木马设计能够逃避逻辑综合优化，通过故障注入攻击能够有效恢复RSA密码核的私钥。在此基础上，提出了一种能够有效检测该高隐蔽性木马设计的防御手段。

关键词: 硬件安全, 硬件木马, 可满足性无关项, 故障注入, 木马检测

Abstract:

Hardware Trojans are intended malicious design modifications to integrated circuits, which can be used to launch powerful low-level attacks after being activated.A new security threat of lightweight stealthy hardware Trojans leveraging discrete satisfiability don't care signals was demonstrated.These don't care could not be satisfied under normal operation and thus the circuit design with Trojan is functionally equivalent to the Trojan-free baseline.The attacker could activate the Trojan through simple yet effective fault injection.Experimental results on a 1024-bit RSA cryptographic core show that the proposed hardware Trojan can escape from logic synthesis optimization, and that the RSA private key can be retrieved by simply over-clocking the design.A defense technique that can effectively detect such stealthy Trojan design was provided.

Key words: hardware security, hardware Trojan, satisfiability don't care, fault injection, Trojan detection

中图分类号:

TP309

武玲娟, 朱嘉诚, 唐时博, 谭静, 胡伟. 基于可满足性无关项的硬件木马设计与检测[J]. 网络与信息安全学报, 2021, 7(2): 35-42.

Lingjuan WU, Jiacheng ZHU, Shibo TANG, Jing TAN, Wei HU. Design and detection of hardware Trojan based on satisfiability don't cares[J]. Chinese Journal of Network and Information Security, 2021, 7(2): 35-42.

图/表 6

图1

图2

图3

图4

表1

图5

参考文献 23

[1]	TEHRANIPOOR M , KOUSHANFAR F . A survey of hardware Trojan taxonomy and detection[J]. IEEE Design ＆ Test of Computers, 2010,27(1): 10-25.
[2]	LI H , LIU Q , ZHANG J . A survey of hardware Trojan threat and defense[J]. Integration, 2016,55: 426-437.
[3]	KARRI R , RAJENDRAN J , ROSENFELD K ,et al. Trustworthy hardware:identifying and classifying hardware Trojans[J]. Computer, 2010,43(10): 39-46.
[4]	BAUMGARTEN A , STEFFEN M , CLAUSMAN M ,et al. A case study in hardware Trojan design and implementation[J]. International Journal of Information Security, 2011,10(1): 1-14.
[5]	WAKSMAN A , SUOZZO M , SETHUMANDHAVAN S . FANCI:identification of stealthy malicious logic using Boolean functional analysis[C]// Proceedings of the 2013 ACM SIGSAC Conference on Computer ＆ Communications Security. 2013: 697-708.
[6]	HICKS M , FINNICUM M , KING S T ,et al. Overcoming an untrusted computing base:detecting and removing malicious hardware automatically[C]// 2010 IEEE Symposium on Security and Privacy. 2010: 159-172.
[7]	STURTON C , HICKS M , WAGNER D ,et al. Defeating UCI:building stealthy and malicious hardware[C]// 2011 IEEE Symposium on Security and Privacy. 2011: 64-77.
[8]	ZHANG J , YUAN F , XU Q . Detrust:defeating hardware trust verification with stealthy implicitly-triggered hardware Trojans[C]// Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. 2014: 153-166.
[9]	ZHANG J , YUAN F , WEI L ,et al. VeriTrust:verification for hardware trust[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2015,34(7): 1148-1161.
[10]	HAIDER S K , JIN C , AHMAD M ,et al. Advancing the state-of-the-art in hardware Trojans detection[R]. Cryptology ePrint Archive,Report.
[11]	FERN N , KULKARNI S , CHENG K T T . Hardware Trojans hidden in RTL don’t cares-automated insertion and prevention methodologies[C]// 2015 IEEE International Test Conference (ITC). 2015: 1-8.
[12]	FERN N , CHENG K T . Detecting hardware Trojans in unspeci?ed functionality using mutation testing[C]// 2015 IEEE/ACM International Conference on Computer-Aided Design (ICCAD). 2015: 560-566.
[13]	NAHIYAN A , XIAO K , YANG K ,et al. AVFSM:a framework for identifying and mitigating vulnerabilities in FSMs[C]// Proceedings of the 53rd Annual Design Automation Conference. 2016: 1-6.
[14]	KRIEG C , WOLF C , JANTSCH A ,et al. Toggle MUX:how X-optimism can lead to malicious hardware[C]// 2017 54th ACM/EDAC/IEEE Design Automation Conference (DAC). 2017: 1-6.
[15]	HU W , ZHANG L , ARDESHIRICHAM A ,et al. Why you should care about don't cares:exploiting internal don't care conditions for hardware Trojans[C]// 2017 IEEE/ACM International Conference on Computer-Aided Design (ICCAD). 2017: 707-713.
[16]	MAHMOUD D G , HU W , STOJILOVIC M . X-attack:remote activation of satisfiability don't-care hardware Trojans on shared FPGAs[C]// 2020 30th International Conference on Field Programmable Logic and Applications (FPL). 2020: 185-192.
[17]	HU W , MA Y , WAND X ,et al. Leveraging unspecified functionality in obfuscated hardware for Trojan and fault attacks[C]// 2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST). 2019: 1-6.
[18]	DUBBAR C , QU G . Satisfiability don't care condition based circuit fingerprinting techniques[C]// The 20th Asia and South Pacific Design Automation Conference. 2015: 815-820.
[19]	MAO B , HU W , ALTHOFF A ,et al. Quantitative analysis of timing channel security in cryptographic hardware design[J]. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2017,37(9): 1719-1732.
[20]	NARASIMHAN S , DU D , CHAKRABORTY R S ,et al. Hardware Trojan detection by multiple-parameter side-channel analysis[J]. IEEE Transactions on Computers, 2012,62(11): 2183-2195.
[21]	HU W , ARDESHIRICHAM A , GOBULUKOGLU M S ,et al. Property speci?c information ?ow analysis for hardware security veri?cation[C]// Proceedings of the International Conference on Computer-Aided Design. 2018: 1-8.
[22]	HU W , MAO B , OBERG J ,et al. Detecting hardware Trojans with gate-level information-flow tracking[J]. Computer, 2016,49(8): 44-52.
[23]	ARDESHIRICHAM A , TAKASHIMA Y , GAO S ,et al. Verisketch:Synthesizing secure hardware designs with timing-sensitive information flow properties[C]// Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS). 2019: 1623-1638.

RSA密码核	参数
RSA密码核	LUT	LUTRAM	FF	BUFG	总功耗
原始RSA密码核	3627	128	1343	1	0.701W
木马RSA密码核	3621	128	1345	1	0.697W
木马设计影响	-0.16%	0	+0.15%	0	-0.57%

基于可满足性无关项的硬件木马设计与检测

Design and detection of hardware Trojan based on satisfiability don't cares

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 23

相关文章 6

Metrics

推荐阅读 0

[1]	唐永康, 胡星, 苏颋, 李少青. 用于硬件木马检测的电磁辐射分析方法研究[J]. 网络与信息安全学报, 2021, 7(2): 43-56.
[2]	张启智, 赵毅强, 高雅, 马浩诚. 基于模型检测的硬件木马检测技术研究[J]. 网络与信息安全学报, 2021, 7(2): 57-63.
[3]	孔凡玉,乔咏,刘蓬涛,刘晓东,周大水. RSA-CRT密码防御算法的故障注入攻击[J]. 网络与信息安全学报, 2019, 5(1): 30-36.
[4]	王侃,陈浩,管旭光,顾勇. 硬件木马防护技术研究[J]. 网络与信息安全学报, 2017, 3(9): 1-12.
[5]	张雪莲,吴震,杜之波,王敏,向春玲. Java卡安全性研究[J]. 网络与信息安全学报, 2017, 3(6): 58-64.
[6]	许强,蒋兴浩,姚立红,张志强,张诚. 硬件木马检测与防范研究综述[J]. 网络与信息安全学报, 2017, 3(4): 1-13.