Talks and poster presentations (with proceedings entry):

C. Krieg, C. Wolf, A. Jantsch:
"Malicious LUT: A Stealthy FPGA Trojan Injected and Triggered by the Design Flow";
Talk: 35th International Conference on Computer-Aided Design, Austin, Texas, USA; 07.11.2016 - 10.11.2016; in: "Proceedings of the 35th International Conference on Computer-Aided Design (ICCAD)", Proceedings of the 35th International Conference on Computer-Aided Design, ICCAD '16 (2016), ISBN: 978-1-4503-4466-1; pp. 43:1 - 43:8.



Abstract (English):
We present a novel type of Trojan trigger targeted at the field-programmable gate array (FPGA) design flow. Traditional triggers are based on rare events, such as rare values or sequences. While in most cases these trigger circuits are able to hide a Trojan attack, exhaustive functional simulation and testing will reveal the Trojan due to violation of the specification. Our trigger behaves functionally and formally equivalent to the hardware description language (HDL) specification throughout the entire FPGA design flow, until the design is written by the place-and-route tool as bitstream configuration file. From then, Trojan payload is always on. We implement the trigger signal using a 4-input lookup table (LUT), each of the inputs connecting to the same signal. This lets us directly address the least significant bit (LSB) and most significant bit (MSB) of the LUT. With the remaining 14 bits, we realize a "magic" unary operation. This way, we are able to implement 16 different triggers. We demonstrate the attack with a simple example and discuss the effectiveness of the recent detection techniques unused circuit identification (UCI), functional analysis for nearly-unused circuit identification (FANCI) and VeriTrust in order to reveal our trigger.

Keywords:
Hardware Security, Hardware Trojans, Lookup Table, Malicious Design Tool


"Official" electronic version of the publication (according to its Digital Object Identifier - DOI)
http://dx.doi.org/10.1145/2966986.2967054

Electronic version of the publication:
http://publik.tuwien.ac.at/files/publik_253847.pdf


Created from the publication database of the Technische Universität Wien.