
Circuit CAD Tools as a Security Threat University of Michigan † and Rice University ‡ June 9, 2008 Jarrod A. Roy †, Farinaz Koushanfar ‡ and Igor L. Markov.


1 Circuit CAD Tools as a Security Threat
Jarrod A. Roy †, Farinaz Koushanfar ‡ and Igor L. Markov †
University of Michigan † and Rice University ‡
June 9, 2008

2 Trusted Computing
- Breaches of hardware security increasing
  - Cell-phone tapping of Greek officials
  - Kinko's key logger
  - Compromised weapons systems
  - Electronic voting irregularities
- Push for open-source EDA
  - Easy to spoof binaries and libraries
- Emerging technology must be tamper-resistant
  - Smart cards, RFIDs, e-cash, ...
- Demand for trusted computing increasing
[Image: key logger sold by ThinkGeek]

3 Software vs. Hardware Exploitation
- Both target unauthorized control of a system, but ...
- Software exploits are well-studied
  - Anti-virus and anti-malware programs effective, quickly updated for new threats
  - Removal usually possible
  - Complete system reinstall as a last resort
- Compromised hardware more challenging
  - Can be designed to resist modern detection techniques
  - Removal may not be possible
  - Post-silicon fixes slow, expensive
  - May need to completely replace

4 Anatomy of a Hardware Trojan
- Trigger: activates the exploit
  - Special input sequence
  - Time
- Payload: performs the intended action
  - Replace logic
  - Dump sensitive data
  - Inject faults
- Memory: storage for the exploit
  - Trigger patterns
  - Compromised data
  - Side channel buffer
  - Detection avoidance

5 Avoiding Detection
- Trojans can be considered design errors: can standard verification techniques catch them?
- Bounded Model Checking (BMC)
  - Simulate circuit for several cycles, check output against golden model
  - Defeated by: add binary counter and trigger exploit after several days or weeks
- Design for Test (DFT)
  - Test circuit after manufacture
  - Use scan chains and automatic test pattern generation (ATPG)
  - Defeated by: insert before ATPG; the Trojan is now fault-tested!

6 Injecting Trojan Horses
- Designs can be altered at nearly any flow stage
  - By compromised tools
    - Logic synthesis tools can add payload logic
    - Routers can introduce shorts, opens
  - Or the scripts that run them
    - Preprocess Verilog
    - Postprocess gate-level netlist
- First step of injection is target detection
  - Pattern-matching in text files, e.g., Verilog
  - Pattern-matching distinctive circuits
  - Combinational equivalence checking

7 Case Study: Compromising Crypto Circuits
- Cryptographic circuits have many unique elements:
  - Large quantities of XOR gates, bit shifts and bit permutations
  - Distinctive "magic" constants
  - Changing one constant can disable randomness, for example

Application              | "Magic" constants or formulas
Linear congruential PRNG | x_{n+1} = 279470273 × x_n mod 4294967291
Mersenne twister         | MT19937 algorithm: 397, 624, 1812433253, 2567483615, 2636928640, 4022730752
MD5 hash                 | 0x10325476, 0x67452301, 0x98BADCFE, 0xEFCDAB89
SHA-256 hash             | 0x1F83D9AB, 0x3C6EF372, 0x510E527F, 0x5BE0CD19, 0x6A09E667, 0x9B05688C, 0xA54FF53A, 0xBB67AE85
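Added example, not from the slides: a small Python scanner in the spirit of the "pattern-matching in text files" step on slide 6, run over constructed Verilog, so a design team can list which of its own modules are recognisable from the constants tabulated above and therefore merit post-synthesis equivalence checking or a dynamic verifier. It assumes plain Verilog with `//` line comments; the sample RTL and the `min_constants` threshold are my assumptions, and the fingerprint table uses only the constants on this slide.

```python
import re
from collections import defaultdict

FAMILIES = {  # fingerprint table built from the constants listed on the slide
    "MD5": {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476},
    "SHA-256": {0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
                0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19},
    "MT19937": {397, 624, 1812433253, 2567483615, 2636928640, 4022730752},
    "LCG": {279470273, 4294967291},
}
LOOKUP = {c: fam for fam, cs in FAMILIES.items() for c in cs}
# Verilog hex/decimal literals (32'h67452301, 'd624), C-style hex, bare decimals of 3+ digits
LITERAL_RE = re.compile(r"(?:\d+)?'[sS]?([hHdD])([0-9a-fA-F_]+)"
                        r"|\b0[xX]([0-9a-fA-F_]+)\b|\b(\d{3,})\b")
MODULE_RE = re.compile(r"^\s*module\s+(\w+)")

def literal_value(m):
    """Integer value of one literal match, or None if the digits do not fit the base."""
    try:
        if m.group(1):
            return int(m.group(2).replace("_", ""), 16 if m.group(1) in "hH" else 10)
        return int(m.group(3).replace("_", ""), 16) if m.group(3) else int(m.group(4))
    except ValueError:
        return None

def scan_verilog(text):
    """Return {module: {family: sorted constants found}}; '//' comments are skipped."""
    hits, module = defaultdict(lambda: defaultdict(set)), "<top>"
    for line in text.splitlines():
        line = line.split("//")[0]
        if MODULE_RE.match(line):
            module = MODULE_RE.match(line).group(1)
        for m in LITERAL_RE.finditer(line):
            v = literal_value(m)
            if v in LOOKUP:
                hits[module][LOOKUP[v]].add(v)
    return {mod: {f: sorted(cs) for f, cs in fams.items()} for mod, fams in hits.items()}

def fingerprinted(hits, min_constants=2):
    """Modules tagged with confidence: >= min_constants of one family (a lone 624 is noise)."""
    return {mod: sorted(f for f, cs in fams.items() if len(cs) >= min_constants)
            for mod, fams in hits.items()
            if any(len(cs) >= min_constants for cs in fams.values())}
# Constructed sample RTL (hypothetical): an MD5 block, an MT19937 seeding loop, a FIFO
SAMPLE_RTL = """\
module md5_core(input clk, output reg [31:0] a, b);
  initial begin a <= 32'h67452301; b <= 32'hEFCDAB89; end  // IV words A, B
endmodule
module mt19937(input clk); reg [31:0] mt [0:623]; integer i;
  initial for (i = 1; i < 624; i = i + 1)
    mt[i] = 32'd1812433253 * (mt[i-1] ^ (mt[i-1] >> 30)) + i;
endmodule
module fifo_ctrl(input clk); localparam DEPTH = 624; endmodule  // lone coincidental 624
"""
```

`fingerprinted(scan_verilog(SAMPLE_RTL))` tags `md5_core` and `mt19937` but not `fifo_ctrl`, whose single 624 is below the two-constant threshold; constants that appear only in comments are never counted.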

8 Compromising Crypto Circuits
- Identifying bit permutations
  - DES uses at least six distinctive 32-bit permutations
  - Carefully crafted attack on DES could remove permutations, exposing plaintext
- Substitution functions
  - Easily identified by magic constants or equivalence checking
  - AES uses several S-boxes
  - Compromised with standard fault injection techniques

9 Countermeasures
- Attackers can defeat static testing techniques
  - Leverage short avg. test time, difficulty of 100% verification
- Solution: dynamic verification
  - The DIVA approach [Weaver & Austin 2001]
  - Add simple circuit to verify in real-time
    - Small enough to be known correct
  - On error, begin analysis and recovery
    - Or shut down completely for data security
[Figure: a verifier watching the circuit's inputs and outputs and raising an "Error?" signal]

10 Conclusions
- High demand for trusted computing
  - Military, medicine, voting, ...
- Attackers can modify CAD tool flows to inject Trojans
  - Automatically recognize certain circuit types
    - Magic numbers, permutations, substitution functions, ...
  - Inject targeted changes/faults
  - Trivially resistant to modern test techniques
- Dynamic verification helps
  - Verify all outputs of untrusted circuits
  - Will slow but not necessarily stop attacks
- Total solution an open challenge

11 Questions?

