Abstract
Integrated Circuits (ICs) are sensible to a wide range of (passive, active, invasive, non-invasive) physical attacks. In this context, Hardware Trojans (HTs), that are malicious modifications of a circuit by an untrusted manufacturer, are one of the most challenging threats to mitigate. HTs aim to alter the functionality of the infected chip in a malicious way, e.g. under specific conditions known by the adversary. Fault attacks are a typical attack vector. However, for a HT to be exploitable by an adversary, it also has to be stealthy. For example, a HT that would directly inject exploitable faults in a block cipher may be spotted by analyzing its functional behavior (i.e. the positions and the distribution of the faulty values appearing). In this paper, we propose a stealthy HT instance leading to successful and hidden Statistical Fault Attacks (SFA). More precisely, the faults are injected when the chip is running under condition for which metastabilty occurs (i.e. with a increased clock frequency), leading to the apparition faults at random positions within the target implementation. In addition, an internal bit is set to a value known only by the adversary, allowing him to perform efficient SFA. Compared to classical SFA, the HT uses its control on the target to circumvent behavioral detection tests. Indeed, it also adds computation errors in the early rounds of the target cipher which are not exploitable via SFA.
Similar content being viewed by others
References
Aarestad, J., Acharyya, D., Rad, R. M., Plusquellic, J.: Detecting Trojans through leakage current analysis using multiple supply pad i(ddq) s. IEEE Trans. Inf. Forensics Secur 5 (4), 893–904 (2010). https://doi.org/10.1109/TIFS.2010.2061228
Ali, S., Mukhopadhyay, D., Tunstall, M.: Differential fault analysis of AES: towards reaching its limits. J. Cryptogr. Eng. 3(2), 73–97 (2013). https://doi.org/10.1007/s13389-012-0046-y
Balasch, J., Gierlichs, B., Verbauwhede, I.: Electromagnetic circuit fingerprints for hardware Trojan detection, pp 246–251. https://doi.org/10.1109/ISEMC.2015.7256167(2015)
Beaumont, M. R., Hopkins, B. D., Newby, T.: Hardware Trojans - prevention, detection countermeasures (a literature review) (2011)
Bellizia, D., Bongiovanni, S., Monsurró, P., Scotti, G., Trifiletti, A.: Univariate power analysis attacks exploiting static dissipation of nanometer CMOS VLSI circuits for cryptographic applications. IEEE Trans. Emerging Topics Comput. 5(3), 329–339 (2017). https://doi.org/10.1109/TETC.2016.2563322
Bellizia, D., Bronchain, O., Cassiers, G., Grosso, V., Guo, C., Momin, C., Pereira, O., Peters, T., Standaert, F.: Mode-level vs. implementation-level physical security in symmetric cryptography - A practical guide through the leakage-resistance jungle. In: Micciancio, D., Ristenpart, T. (eds.) Advances in Cryptology - CRYPTO 2020 - 40th Annual International Cryptology Conference, CRYPTO 2020, Santa Barbara, CA, USA, August 17-21, 2020, Proceedings, Part I. Lecture Notes in Computer Science. https://doi.org/10.1007/978-3-030-56784-2_13, vol. 12170, pp 369–400. Springer (2020)
Biham, E., Shamir, A.: Differential fault analysis of secret key cryptosystems. In: CRYPTO (1997)
Boneh, D., DeMillo, R. A., Lipton, R. J.: On the importance of checking cryptographic protocols for faults (extended abstract). In: EUROCRYPT (1997)
Chakraborty, R. S., Narasimhan, S., Bhunia, S.: Hardware Trojan: Threats and emerging solutions. In: IEEE International High Level Design Validation and Test Workshop, HLDVT 2009, San Francisco, CA, USA, 4-6 November 2009. https://doi.org/10.1109/HLDVT.2009.5340158, pp 166–171 (2009)
Clavier, C.: Secret external encodings do not prevent transient fault analysis. In: CHES (2007)
Daemen, J., Rijmen, V.: The block cipher Rijndael. Lecture Notes in computer Science 1820, 277–284 (1998). https://doi.org/10.1007/10721064_26
Dobraunig, C., Eichlseder, M., Korak, T., Mangard, S., Mendel, F., Primas, R.: Sifa: Exploiting ineffective fault inductions on symmetric cryptography. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2018, 547–572 (2018)
Dziembowski, S., Faust, S., Standaert, F.: Private circuits III: hardware Trojan-resilience via testing amplification. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016. https://doi.org/10.1145/2976749.2978419, pp 142–153 (2016)
Ender, M., Ghandali, S., Moradi, A., Paar, C.: The first thorough side-channel hardware Trojan. In: ASIACRYPT (1). Lecture Notes in Computer Science, vol. 10624, pp 755–780. Springer (2017)
Fuhr, T., Jaulmes, É., Lomné, V., Thillard, A.: Fault attacks on aes with faulty ciphertexts only. 2013 Workshop on Fault Diagnosis and Tolerance in Cryptography, pp. 108–118 (2013)
Ghalaty, N. F., Yuce, B., Taha, M. M. I., Schaumont, P.: Differential fault intensity analysis. In: Tria, A., Choi, D. (eds.) 2014 Workshop on Fault Diagnosis and Tolerance in Cryptography, FDTC 2014, Busan, South Korea, September 23, 2014. https://doi.org/10.1109/FDTC.2014.15, pp 49–58. IEEE Computer Society (2014)
Ghandali, S., Becker, G.T., Holcomb, D., Paar, C.: A design methodology for stealthy parametric Trojans and its application to bug attacks. In: Cryptographic Hardware and Embedded Systems - CHES 2016 - 18th International Conference, Santa Barbara, CA, USA, August 17-19, 2016, Proceedings. https://doi.org/10.1007/978-3-662-53140-2_30, pp 625–647 (2016)
Giraud, C.: DFA on AES. In: Advanced Encryption Standard - AES, 4th International Conference, AES 2004, Bonn, Germany, May 10-12, 2004, Revised Selected and Invited Papers. https://doi.org/10.1007/11506447_4, pp 27–41 (2004)
Jin, Y., Kupp, N., Makris, Y.: Experiences in hardware Trojan design and implementation. In: Tehranipoor, M., Plusquellic, J. (eds.) IEEE International Workshop on Hardware-Oriented Security and Trust, HOST 2009, San Francisco, CA, USA, July 27, 2009. Proceedings, pp 50–57 (2009), https://doi.org/10.1109/HST.2009.5224971
Karimi, N., Moos, T., Moradi, A.: Exploring the effect of device aging on static power analysis attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019 (3), 233–256 (2019). https://doi.org/10.13154/tches.v2019.i3.233-256
King, S.T., Tucek, J., Cozzie, A., Grier, C., Jiang, W., Zhou, Y.: Designing and implementing malicious hardware. In: First USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET ’08, San Francisco, CA, USA, April 15, 2008, Proceedings. http://www.usenix.org/events/leet08/tech/full_papers/king/king.pdf (2008)
Li, Y., Sakiyama, K., Gomisawa, S., Fukunaga, T., Takahashi, J., Ohta, K.: Fault sensitivity analysis. In: Cryptographic Hardware and Embedded Systems, CHES 2010, 12th International Workshop, Santa Barbara, CA, USA, August 17-20, 2010. Proceedings. https://doi.org/10.1007/978-3-642-15031-9_22, pp 320–334 (2010)
Lin, L., Burleson, W. P., Paar, C.: MOLES: malicious off-chip leakage enabled by side-channels. In: Roychowdhury, J.S. (ed.) 2009 International Conference on Computer-Aided Design, ICCAD 2009, San Jose, CA, USA, November 2-5, 2009. https://doi.org/10.1145/1687399.1687425, pp 117–122. ACM (2009)
Lin, L., Kasper, M., Güneysu, T., Paar, C., Burleson, W.: Trojan side-channels: Lightweight hardware Trojans through side-channel engineering. In: Cryptographic Hardware and Embedded Systems - CHES 2009, 11th International Workshop, Lausanne, Switzerland, September 6-9, 2009, Proceedings. https://doi.org/10.1007/978-3-642-04138-9_27, pp 382–395 (2009)
Matsui, M.: Linear cryptanalysis method for DES cipher. In: Advances in Cryptology - EUROCRYPT ’93, Workshop on the Theory and Application of of Cryptographic Techniques, Lofthus, Norway, May 23-27, 1993, Proceedings. https://doi.org/10.1007/3-540-48285-7_33, pp 386–397 (1993)
Moos, T.: Static power SCA of sub-100 nm CMOS asics and the insecurity of masking schemes in low-noise environments. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019(3), 202–232 (2019). https://doi.org/10.13154/tches.v2019.i3.202-232
Narasimhan, S., Du, D., Chakraborty, R., Paul, S., Wolff, F., Papachristou, C., Roy, K., Bhunia, S.: Multiple-parameter side-channel analysis: A non-invasive hardware Trojan detection approach, pp. 13–18. https://doi.org/10.1109/HST.2010.5513122 (2010)
Ngo, X.T., Exurville, I., Bhasin, S., Danger, J., Guilley, S., Najm, Z., Rigaud, J., Robisson, B.: Hardware Trojan detection by delay and electromagnetic measurements. In: Nebel, W., Atienza, D. (eds.) Proceedings of the 2015 Design, Automation & Test in Europe Conference & Exhibition, DATE 2015, Grenoble, France, March 9-13, 2015. http://dl.acm.org/citation.cfm?id=2755931, pp 782–787. ACM (2015)
Piret, G., Quisquater, J.: A differential fault attack technique against SPN structures, with application to the AES and KHAZAD. In: Cryptographic Hardware and Embedded Systems - CHES 2003, 5th International Workshop, Cologne, Germany, September 8-10, 2003, Proceedings. https://doi.org/10.1007/978-3-540-45238-6_7, pp 77–88 (2003)
Robertson, J., Riley, M.: The big hack: How China used a tiny chip to infiltrate U.S. companies. Bloomberg (2018)
Tehranipoor, M., Koushanfar, F.: A survey of hardware Trojan taxonomy and detection. Design and Test of Computers, IEEE 27, 10–25 (2010). https://doi.org/10.1109/MDT.2010.7
Waksman, A., Sethumadhavan, S.: Silencing hardware backdoors. In: IEEE Symposium on Security and Privacy, pp 49–63. IEEE Computer Society (2011)
Wang, X., Tehranipoor, M., Plusquellic, J.: Detecting malicious inclusions in secure hardware: Challenges and solutions. In: IEEE International Workshop on Hardware-Oriented Security and Trust, HOST 2008, Anaheim, CA, USA, June 9, 2008. Proceedings, pp 15–19 (2008), https://doi.org/10.1109/HST.2008.4559039
Xiao, K., Zhang, X., Tehranipoor, M. M.: A clock sweeping technique for detecting hardware Trojans impacting circuits delay. IEEE Design and Test 30, 26–34 (2013)
Acknowledgments
François-Xavier Standaert is Senior Research Associate of the Belgian Fund for Scientific Research (FNRS-F.R.S.). This work has been funded in part by EU and the Walloon Region through the ERC Project 724725 (SWORD) and the Wallinov TRUSTEYE project.
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher’s note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Momin, C., Bronchain, O. & Standaert, FX. A stealthy Hardware Trojan based on a Statistical Fault Attack. Cryptogr. Commun. 13, 587–600 (2021). https://doi.org/10.1007/s12095-021-00480-4
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12095-021-00480-4