FLATS: Filling Logic and Testing Spatially for FPGA Authentication and Tamper Detection

Duncan, Adam R.; Skipper, Grant; Stern, Andrew; Nahiyan, Adib; Rahman, Fahim; Lukefahr, Andrew; Tehranipoor, Mohammad; Swany, Martin

doi:10.1109/hst.2019.8741025

Cited by 8 publications

(4 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The work relies on the attack being unable to identify which portion of the FPGA will be utilized correctly. In [8], the authors fill the partial utilized LUTs for built-in self-test and tampering detection. Trojan detection schemes aim to identify malicious logic using run-time detection or static analysis.…”

Section: B Fpga Trojan Countermeasuresmentioning

confidence: 99%

“…However, solutions that insert dummy logic in partially used LUTs with no effect on the output [6] may be easily identified and removed. More appropriate solutions for using partially utilized LUTs will make the output a function of all inputs [5] or include a self-test suite with expected responses [8] which will make removal more difficult. We note that these solutions would need to be extended for other exploitable primitives.…”

Section: B Countermeasuresmentioning

confidence: 99%

See 1 more Smart Citation

A Framework for Automated Exploration of Trojan Attack Space in FPGA Netlists

Cruz

Posada

Masna

et al. 2023

IEEE Trans. Comput.

View full text Add to dashboard Cite

Field Programmable Gate Arrays (FPGAs) provide a flexible compute platform for quick prototyping or hardware acceleration in diverse application domains. However, similar to the global semiconductor life-cycle in the modern supply chain, FPGA-based product development includes processes and interactions with potentially untrusted parties outside the traditional scrutiny of a completely in-house development cycle. An untrusted party or software can maliciously alter a hardware intellectual property (IP) block mapped to an FPGA device during various stages of the FPGA life-cycle. Such malicious alterations, also known as hardware Trojan attacks, have garnered significant research into their detection and prevention in the context of application-specific integrated circuit (ASIC) design flow. However, Trojan attacks in FPGAs have not enjoyed this same attention. Designers often rely on mapping ASICspecific solutions and evaluation benchmarks to the FPGA domain, which leaves much of the FPGA-specific Trojan space uncovered. We note that the distinctive business model as well as the architectural configurations of FPGAs present unique opportunities for Trojan attacks to an adversary. To this end, we introduce a framework to automatically explore the hardware Trojan attack space in FPGA netlists. It is capable of inserting different types of FPGA-specific Trojans in a netlist enabling rapid exploration of potential Trojan attacks in an FPGA design: soft-template, monolithic, and distributed dark silicon. Soft template Trojans use behavioral templates with random synthesis constraints to increase Trojan structural diversity. Monolithic and distributed dark silicon Trojans use the under-utilized input space (FPGA dark silicon) in FPGA primitives to realize Trojans with effectively zero area and power footprint. Further optimizations are also presented to remove any potential delay impact. We evaluate our framework by generating over 1300 Trojan-inserted benchmarks using each of the introduced FPGA Trojan classes and comparing the impact on utilization, delay, and power.

show abstract

Section: B Fpga Trojan Countermeasuresmentioning

confidence: 99%

Section: B Countermeasuresmentioning

confidence: 99%

A Framework for Automated Exploration of Trojan Attack Space in FPGA Netlists

Cruz

Posada

Masna

et al. 2023

IEEE Trans. Comput.

View full text Add to dashboard Cite

show abstract

“…It has been shown that the key used for encrypting the bitstream on recent SRAM-based FPGAs can be extracted using SCA techniques [3]- [6]. With the extracted key at hand, the bitstream can be decrypted, modified, and stored as a replacement for the original bitstream [17]. Although bitstream extraction from flash-based FPGAs might not be possible, the adversary could still be able to reprogram certain parts of the configuration or even replace the entire chip containing her malicious version of the design.…”

Section: Introductionmentioning

confidence: 99%

“…For instance, photon emission (PE) analysis can be used to compare dynamic and static emissions with the chip layout [16] or emissions from a golden chip [15]. Furthermore, adding oscillators with inputs from the design that act as beacons can facilitate the detection of tampering attempts, especially when cheaper infrared imaging is used [17]. However, such an approach increases the resource consumption of the design considerably in many cases and might not be able to detect all possible changes in LUT configurations.…”

Section: Introductionmentioning

confidence: 99%

Trojan Awakener: Detecting Dormant Malicious Hardware Using Laser Logic State Imaging

Krachenfels¹,

Seifert²,

Tajik³

2021

Preprint

View full text Add to dashboard Cite

The threat of hardware Trojans (HTs) and their detection is a widely studied field. While the effort for inserting a Trojan into an application-specific integrated circuit (ASIC) can be considered relatively high, especially when trusting the chip manufacturer, programmable hardware is vulnerable to Trojan insertion even after the product has been shipped or during usage. At the same time, detecting dormant HTs with small or zero-overhead triggers and payloads on these platforms is still a challenging task, as the Trojan might not get activated during the chip verification using logical testing or physical measurements. In this work, we present a novel Trojan detection approach based on a technique known from integrated circuit (IC) failure analysis, capable of detecting virtually all classes of dormant Trojans. Using laser logic state imaging (LLSI), we show how supply voltage modulations can awaken inactive Trojans, making them detectable using laser voltage imaging techniques. Therefore, our technique does not require triggering the Trojan. To support our claims, we present two case studies on 28 nm SRAM-and flash-based field-programmable gate arrays (FPGAs). We demonstrate how to detect with high confidence small changes in sequential and combinatorial logic as well as in the routing configuration of FPGAs in a non-invasive manner. Finally, we discuss the practical applicability of our approach on dormant analog Trojans in ASICs.

show abstract