Probabilistic Hardware Trojan Attacks on Multiple Layers of Reconfigurable Network Infrastructure

Abstract

Over the past decades, there has been exponential growth in the number of connected devices, often without well-thought-out security mechanisms in place for the relevant network standards and protocols. As a result, security loopholes have been discovered and widely exploited in these vulnerable connected devices, often with devastating consequences. As a countermeasure to these attacks, some of the original network standards have subsequently been enhanced with the addition of security features, e.g., the original insecure Ethernet protocol (IEEE 802.3) was supplemented by the IEEE 802.1AE Media Access Control Security (MACSec) standard. In this paper, we present a network packet redirection attack on reconfigurable network devices, specifically a MACSec-enabled NetFPGA-SUME based Ethernet switch, as well as on a NetFPGA-SUME based IPv4 router, by means of Hardware Trojan (HT) insertion. Our HT design is probabilistic in its functionality, with a multi-level trigger mechanism. In the MAC layer attack, an activated HT redirects a frame to an incorrect port, leading to possible eavesdropping by a malicious attacker as well as denial-of-service, while in the network layer attack, upon activation it forwards all IP packets through a sub-optimal router port, causing a denial-of-service attack on the receiver. The proposed HT evades most state-of-the-art HT detection schemes, while having a very low resource footprint. We present the complete architecture, a detailed description of the mode of operation, and the implementation of the HT, with promising experimental results.

Author information

Corresponding author

Correspondence to Rajat Subhra Chakraborty.

Additional information

A preliminary version of this work was presented at the International Conference on Security, Privacy and Applied Cryptographic Engineering 2019 (SPACE’19). The current version additionally describes a different probabilistic Hardware Trojan attack for the Network Layer that affects IPv4 routing.

About this article

Cite this article

Mukherjee, R., Govindan, V., Koteshwara, S. et al. Probabilistic Hardware Trojan Attacks on Multiple Layers of Reconfigurable Network Infrastructure. J Hardw Syst Secur 4, 343–360 (2020). https://doi.org/10.1007/s41635-020-00107-9

  • DOI: https://doi.org/10.1007/s41635-020-00107-9

Keywords

  • Denial-of-service
  • Ethernet switch
  • Hardware trojan
  • IPv4 router
  • MACSec
  • NetFPGA
  • Network security