Article title
Trojan detection using IC fingerprints
Table of contents
Abstract
Introduction
Trojans and side-channel leakage
Theory of Trojan detection
Experimental setup
Conclusion
Excerpt from the article
ICs used in the analysis
RSA circuits are used in many systems and are of very high value to attackers. The Trojan added to these circuits was a simple counter or comparator. In the counter-based Trojan, the Trojan circuit counts clock cycles and disables the IC once a threshold is reached. In the comparator-based Trojan, the Trojan circuit compares bus or register data against a fixed value and, on a match, alters the course of the computation.
Keywords:
Trojan Detection using IC Fingerprinting∗
Dakshi Agrawal1, Selçuk Baktır1,2,†, Deniz Karakoyunlu2,†, Pankaj Rohatgi1, Berk Sunar2,†
1 IBM T. J. Watson Research Center, P. O. Box 218, Yorktown Heights, NY 10598
2 Electrical & Computer Engineering, Worcester Polytechnic Institute, Worcester, Massachusetts, 01609

Abstract
Hardware manufacturers are increasingly outsourcing their IC fabrication work overseas due to their much lower cost structure. This poses a significant security risk for ICs used for critical military and business applications. Attackers can exploit this loss of control to substitute Trojan ICs for genuine ones or insert a Trojan circuit into the design or mask used for fabrication. We show that a technique borrowed from side-channel cryptanalysis can be used to mitigate this problem. Our approach uses noise modeling to construct a set of fingerprints for an IC family utilizing side-channel information such as power, temperature, and electromagnetic (EM) profiles. The set of fingerprints can be developed using a few ICs from a batch, and only these ICs would have to be invasively tested to ensure that they were all authentic. The remaining ICs are verified using statistical tests against the fingerprints. We describe the theoretical framework and present preliminary experimental results to show that this approach is viable, by presenting results obtained using power simulations performed on representative circuits with several different Trojan circuits. These results show that Trojans that are 3–4 orders of magnitude smaller than the main circuit can be detected by signal processing techniques. While scaling our technique to detect even smaller Trojans in complex ICs with tens or hundreds of millions of transistors would require certain modifications to the IC design process, our results provide a starting point to address this important problem.
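The abstract outlines the whole pipeline: measure a side channel on a few destructively verified ICs, model the batch's process variation to get a fingerprint, then run a statistical test on every other IC against that fingerprint. The following is an added illustration of that pipeline on synthesized power traces; it is not the authors' code, and every parameter in it (trace length, noise levels, the process-variation model of a per-IC gain plus a per-IC leakage offset, and the Trojan's extra draw) is an assumption chosen for the demonstration. The Trojan here is only a few hundred times below the main circuit's power level, well short of the 3–4 orders of magnitude the paper reports, but the mechanism is the same: averaging repeated measurements suppresses measurement noise, the genuine ICs' traces lie in a low-dimensional subspace explained by process variation, and a Trojan leaves energy outside that subspace.

```python
"""Side-channel fingerprinting of an IC family: an added, self-contained
illustration of the approach described above (not the paper's own code).
All traces are synthesized in software, so no measurement hardware is needed."""
import math
import random

N_SAMPLES = 64        # points per power trace (assumed)
N_TRACES = 1000       # repeated measurements per IC, averaged to suppress noise
MEAS_NOISE = 0.02     # per-measurement noise std, in units of the signal (assumed)
GAIN_VAR = 0.05       # process variation: per-IC gain spread, std (assumed)
LEAK_VAR = 0.02       # process variation: per-IC static leakage offset, std (assumed)
TROJAN_AMP = 0.004    # extra power the Trojan draws while polling its trigger,
                      # a few hundred times below the main circuit (assumed)
TROJAN_WINDOW = range(40, 48)   # clock cycles in which the Trojan is active

# Constructed nominal power profile of the genuine design for one fixed input.
BASE = [1.0 + 0.5 * math.sin(2 * math.pi * k / 16) for k in range(N_SAMPLES)]


def measure_ic(rng, trojan=False):
    """Averaged power trace of one IC.

    Each IC draws its own process parameters (gain, leakage); every one of the
    N_TRACES measurements adds fresh measurement noise, which the average
    reduces by sqrt(N_TRACES). A Trojan IC adds a small constant contribution
    inside TROJAN_WINDOW even though its trigger never fires."""
    gain = 1.0 + rng.gauss(0.0, GAIN_VAR)
    leak = rng.gauss(0.0, LEAK_VAR)
    true_trace = [gain * b + leak for b in BASE]
    if trojan:
        for k in TROJAN_WINDOW:
            true_trace[k] += TROJAN_AMP
    acc = [0.0] * N_SAMPLES
    for _ in range(N_TRACES):
        for k in range(N_SAMPLES):
            acc[k] += true_trace[k] + rng.gauss(0.0, MEAS_NOISE)
    return [a / N_TRACES for a in acc]


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def _orthonormal_basis(vectors):
    """Gram-Schmidt: orthonormal basis for the span of the given vectors."""
    basis = []
    for v in vectors:
        w = list(v)
        for u in basis:
            c = _dot(w, u)
            w = [wi - c * ui for wi, ui in zip(w, u)]
        norm = math.sqrt(_dot(w, w))
        basis.append([wi / norm for wi in w])
    return basis


def residual_energy(trace, basis):
    """Energy in the part of `trace` that the process-variation model cannot explain."""
    r = list(trace)
    for u in basis:
        c = _dot(r, u)
        r = [ri - c * ui for ri, ui in zip(r, u)]
    return _dot(r, r)


def build_fingerprint(genuine_traces):
    """Fingerprint = the subspace spanned by the process-variation directions
    (gain scales BASE, leakage adds a constant) plus a residual-energy threshold
    calibrated on the invasively verified genuine ICs."""
    basis = _orthonormal_basis([BASE, [1.0] * N_SAMPLES])
    res = [residual_energy(t, basis) for t in genuine_traces]
    mean = sum(res) / len(res)
    std = math.sqrt(sum((r - mean) ** 2 for r in res) / (len(res) - 1))
    return {"basis": basis, "threshold": mean + 5.0 * std, "genuine_residuals": res}


def is_trojan(trace, fingerprint):
    """Statistical test: flag an IC whose residual exceeds the calibrated threshold."""
    return residual_energy(trace, fingerprint["basis"]) > fingerprint["threshold"]


def run_demo(seed=1):
    rng = random.Random(seed)
    # A few ICs from the batch are destructively verified and used for the fingerprint.
    golden = [measure_ic(rng) for _ in range(8)]
    fp = build_fingerprint(golden)
    held_out_genuine = measure_ic(rng)
    trojan_ic = measure_ic(rng, trojan=True)
    return {
        "threshold": fp["threshold"],
        "genuine_residual": residual_energy(held_out_genuine, fp["basis"]),
        "trojan_residual": residual_energy(trojan_ic, fp["basis"]),
        "genuine_flagged": is_trojan(held_out_genuine, fp),
        "trojan_flagged": is_trojan(trojan_ic, fp),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The two design choices that matter are the ones the paper's argument rests on: the fingerprint is a subspace rather than a single reference trace, so ordinary process variation across the batch is not mistaken for a Trojan, and the decision threshold is calibrated on the verified ICs rather than chosen by hand. Shrinking TROJAN_AMP or raising MEAS_NOISE shows the trade-off directly: the Trojan stays detectable only as long as N_TRACES is large enough that the averaged noise energy stays below the Trojan's out-of-subspace energy.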
∗ This work was supported in part by a DARPA seedling grant under contract: Wyle Labs 19041.0C.25-111S, Stable IC Sensors and IC Fingerprinting.
† These authors' work was supported in part by the NSF-CAREER Award ANI-0133297.

1. Introduction
1.1. Problem Statement
Economic and market forces have driven most hardware manufacturers to outsource their IC fabrication to ever cheaper fabrication facilities abroad. As a result, the majority of the ICs available today are being manufactured at fabrication facilities in low-cost countries around the globe. While outsourcing of IC fabrication reduces the cost significantly, it also makes it much easier for an attacker to compromise the IC supply chain for sensitive commercial and defense applications. For example, the attacker could substitute Trojan ICs for genuine ICs during transit or subvert the fabrication process itself by implanting additional Trojan circuitry into the IC mask. Such Trojans could be designed to be hard (or nearly impossible) to detect by purely functional testing, yet be capable of inflicting catastrophic damage. For example, a Trojan circuit could be designed so that it monitors for a specific but rare trigger condition, e.g., a specific bit pattern in a received data packet or on a bus, or waits until a timer reaches a particular value. Once triggered, the Trojan could take actions such as disabling the circuit, leaking secrets or creating glitches to compromise the integrity and security of the larger system to which the IC belongs. For example, a simple yet destructive Trojan in an RSA [24] circuit could wait for a trigger condition and then insert a fault in the CRT inversion step of an RSA signature computation, leading to the compromise of the RSA key [6].
While this threat to the integrity of the IC supply is already a cause for alarm within defense circles in some countries [19, 9, 1], we believe that it should also be a cause for concern for vendors and consumers of commercial grade cryptographic and security critical hardware. Compounding this problem is the fact that currently there are no good, long-term solutions to this problem. While individual ICs