Trojan Side-Channels: Lightweight Hardware Trojans through Side-Channel Engineering

  • Lang Lin
  • Markus Kasper
  • Tim Güneysu
  • Christof Paar
  • Wayne Burleson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5747)


The general trend in the semiconductor industry to separate design from fabrication leads to potential threats from untrusted integrated circuit foundries. In particular, malicious hardware components can be covertly inserted at the foundry to implement hidden backdoors for unauthorized exposure of secret information. This paper proposes a new class of hardware Trojans which intentionally induce physical side-channels to convey secret information. We demonstrate power side-channels engineered to leak information below the effective noise power level of the device. Two concepts of very small implementations of Trojan side-channels (TSC) are introduced and evaluated with respect to their feasibility on Xilinx FPGAs. Their lightweight implementations indicate a high resistance to detection by conventional test and inspection methods. Furthermore, the proposed TSCs come with a physical encryption property, so that even a successful detection of the artificially introduced side-channel will not allow unhindered access to the secret information.


Keywords: Trojan Hardware, Side-Channel Analysis, Covert Channel, Trojan Side-Channel, Hardware Trojan Detection



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Lang Lin (1)
  • Markus Kasper (2)
  • Tim Güneysu (2)
  • Christof Paar (1, 2)
  • Wayne Burleson (1)

  1. Department of Electrical and Computer Engineering, University of Massachusetts, Amherst, USA
  2. Horst Görtz Institute for IT Security, Ruhr University Bochum, Germany
