IACR News item: 18 November 2014
Syed Kamran Haider, Chenglu Jin, Masab Ahmad, Devu Manikantan Shila, Omer Khan, Marten van Dijk
ePrint ReportWe provide a formal classification of possible hardware trojans according to their different properties and analyze in detail the class coined \\textit{XX-St-D-F}, which is the collection of trojans that (1) use \\textit{\\underline{St}}andard I/O channels to deliver malicious payload, (2) are embedded in an IP core with \\textit{\\underline{D}}eterministic functionality, and (3) are designed to violate the \\textit{\\underline{F}}unctional specification. We provide a hierarchy of subclasses $H_{t,1}\\subseteq H_{t,2}\\subseteq \\ldots \\subseteq H_{t,d} \\subseteq \\ldots \\subseteq \\underset{d \\ge 1}{\\cup} H_{t,d}=H_t \\subseteq \\underset{t \\ge 0}{\\cup} H_t=$\\textit{XX-St-D-F}, where $t$ indicates the number of clock cycles between ``activating/triggering\'\' the trojan and the moment a malicious payload is delivered and where $d$ stands for the number of wires involved in the ``trigger signal\'\'. We show that all \\textit{XX-St-D-F} trojans benchmarked by Trusthub~\\cite{trust_hub} belong to $H_{t,1}$ and we design new trojans that belong to each of the classes $H_{t,d}$.
This demonstrates that the currently found/benchmarked trojans are very likely only the tip of the iceberg.
By using the synthesized netlist description of an IP core as input, we introduce a new tool called HaTCh which learns in a precomputation or ``learning\'\' phase how to add additional ``tagging\'\' circuitry to the IP core such that, as soon as an embedded \\textit{XX-St-D-F} trojan is triggered, the tagging circuitry raises an exception to prevent the trojan from manifesting malicious behavior. We show that HaTCh parameterized for $H_{t,d}$ has zero false negatives among trojans in $H_{t,d}$ and depending on the duration of the precomputation (learning phase) the false positive rate can be designed to approach zero. For a sample among the Trusthub~\\cite{trust_hub} benchmarks in \\textit{XX-St-D-F}, we show a false positive rate of $10^{-5}$ (for $d=1$).
The learning phase of HaTCh has a complexity of $O(d2^d \\cdot |Core| \\ln |Core|)$ where $|Core|$ is the number of wires in the IP core. We show how this complexity can potentially be reduced by considering ``interesting\'\' subsets of $H_{t,d}$, one of which leads to $O(|Core|^3)$ complexity independent of $d$. The tagging circuitry for our sample of benchmarks has area overhead from $0.02\\%$ to $7.63\\%$ for non-pipelined tagging circuitry, and from $0.02\\%$ to $15.25\\%$ for pipelined tagging circuitry which is useful for designs having strict timing constraints.
Additional news items may be found on the IACR news page.