Post-configuration Activation of Hardware Trojans in FPGAs

Journal of Hardware and Systems Security

Abstract

The battle of developing hardware Trojans and corresponding countermeasures has taken adversaries towards ingenious ways of compromising hardware designs by circumventing even advanced testing and verification methods. Besides conventional methods of inserting Trojans into a design by a malicious entity, the design flow for field-programmable gate arrays (FPGAs) can also be surreptitiously compromised to perform successful attacks that result in malfunctions or information leakages. In this paper, we introduce a mechanism for the post-configuration activation of a Trojan that leverages malicious routing so that the attacker can leave the Trojan circuit in an undetectable dormant state even in the generated and transmitted bitstream. The Trojan is designed, for example, by adding an enable signal that is routed to an unused primary input/output of the FPGA or by attaching the payload via one route to the remaining design; that new route is then disconnected during place-and-route and only re-connected when the FPGA is being programmed. The trigger can thus only be activated once the circuit is on the device, which leaves the Trojan dormant in all verification and pre-silicon testing steps. This Trojan can therefore currently be prevented neither by conventional testing and verification methods nor by bitstream-level verification techniques. Since our method ensures that the malicious circuitry is only active in the field, the approach also works quite well with triggerless (always-on) Trojans that have a negligible impact on the overall area and power consumption of the circuit and can thus easily escape detection by fingerprinting techniques using side-channel analyses.

Notes

  1. https://github.com/qaarah/malicious-routing

Author information

Corresponding author

Correspondence to Qazi Arbab Ahmed.

Ethics declarations

Funding

This work has been partially supported by the German Research Foundation (DFG) within the Collaborative Research Centre 901 “On-The-Fly Computing” under the project number 160364472 and “HEC/DAAD Pakistan.”

Competing Interests

The authors declare no competing interests.

Author Contributions

The first author conceived the presented idea and carried out experiments. The second author supported the development of the tool flow. The first author wrote the manuscript, and all authors provided critical feedback and helped shape the research, analysis, and manuscript. All authors discussed the results and contributed to the final manuscript.

Data Availability

https://github.com/qaarah/malicious-routing

Ethics Approval

Not applicable.

Consent to Participate

Not applicable.

Consent for Publication

Not applicable.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Ahmed, Q.A., Wiersema, T. & Platzner, M. Post-configuration Activation of Hardware Trojans in FPGAs. J Hardw Syst Secur (2024). https://doi.org/10.1007/s41635-024-00147-5

  • DOI: https://doi.org/10.1007/s41635-024-00147-5
