Abstract
Traditional verification methods and metrics attempt to answer the question: does my design correctly perform the intended, specified functionality? The question this chapter addresses is: does my design perform malicious functionality in addition to the intended functionality? Malicious functionality inserted into a chip is called a Hardware Trojan. This chapter addresses a less studied but extremely stealthy class of Trojan: Trojans which do not rely on rare triggering conditions to stay hidden, but instead only alter the logic functions of design signals whose behavior is unspecified, meaning the Trojan never violates the design specification. We define dangerous unspecified functionality in terms of information leakage and provide examples of how Trojans that modify only RTL don’t cares, or only on-chip bus functionality during idle bus cycles, can completely undermine system security. We present a method for preventing Trojans in RTL don’t cares, and a methodology based on mutation testing, applicable to any design type and abstraction level, to identify dangerous unspecified functionality beyond RTL don’t cares.
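As an added illustration that is not code from the chapter, the script below assumes the common Verilog convention that RTL don’t cares are written as X-literal assignments (e.g. `8'bx`); it locates such assignments in a small constructed design and rewrites each one to a fixed all-zero literal, which removes the freedom a synthesis tool (or a Trojan hidden in the don’t-care space) would otherwise have to choose the signal’s value. The chapter’s own prevention method is not described on this page; the rewrite here is simply the most conservative hardening choice.

```python
import re
from typing import List, Tuple

# Constructed sample RTL (not from the chapter): one case arm and one reset
# branch leave their signals unspecified via X-assignments.
SAMPLE_RTL = """\
always @(*) begin
  case (sel)
    2'b00: dout = a;
    2'b01: dout = b;
    2'b10: dout = c;
    default: dout = 8'bx;      // synthesis may pick any function here
  endcase
end
always @(posedge clk)
  if (!rst_n) key_reg <= 32'hx; // reset value left unspecified
  else        key_reg <= key_in;
"""

# An all-X literal: optional width, tick, optional base, one or more x/X,
# followed by a word boundary so mixed literals such as 8'hxf are not touched.
X_LITERAL = re.compile(r"(\d*)'([bBhHoOdD]?)[xX]+\b")
# A blocking (=) or non-blocking (<=) assignment of an all-X literal.
ASSIGN = re.compile(r"(\w+)\s*(<=|=)\s*(\d*'[bBhHoOdD]?[xX]+)\b")


def find_dont_cares(rtl: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, signal, literal) for every X-assignment in `rtl`.

    Trailing `//` comments are ignored so commented-out code is not reported.
    """
    hits = []
    for n, line in enumerate(rtl.splitlines(), 1):
        code = line.split("//", 1)[0]
        for m in ASSIGN.finditer(code):
            hits.append((n, m.group(1), m.group(3)))
    return hits


def harden_dont_cares(rtl: str) -> str:
    """Replace each all-X literal with an all-zero literal of the same width,
    so every branch has a defined value and no logic function can hide in
    the don't-care space."""
    def to_zero(m: "re.Match") -> str:
        width, base = m.group(1), m.group(2) or "b"
        return f"{width}'{base}0"
    return X_LITERAL.sub(to_zero, rtl)
```

Run `find_dont_cares(harden_dont_cares(SAMPLE_RTL))` to confirm the hardened text reports no remaining X-assignments.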
Copyright information
© 2017 Springer International Publishing AG
Fern, N., Cheng, KT. (2017). Verification and Trust for Unspecified IP Functionality. In: Mishra, P., Bhunia, S., Tehranipoor, M. (eds) Hardware IP Security and Trust. Springer, Cham. https://doi.org/10.1007/978-3-319-49025-0_12
DOI: https://doi.org/10.1007/978-3-319-49025-0_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49024-3
Online ISBN: 978-3-319-49025-0