Trojans_In_SRAM_BTW14_PPT

Download Report

Transcript Trojans_In_SRAM_BTW14_PPT

Prepared for BTW’2014
Trojans In SRAM
Circuits
Senwen Kan - AMD/SMU
Jennifer Dworak - SMU
Overview
❖
Background
❖
Motivation
❖
Trojan Design
❖
Inserting Trojans in SRAM
❖
Experimental Results
Background
❖
Israeli use of Electronic Warfare in “Operation Orchard” - 2007,
disabled Syrian Air Defense Systems
❖
Some Speculate “Kill Switch”
❖
French Military Contractors have Intentionally built in “Kill Switch” in
their military hardware
❖
What are Trojans
❖
Sequential Vs Combinational
❖
Always on Vs Triggered on some condition
❖
Leakage, Denial-of-Service (DoS)
3
Why SRAMs?
❖
❖
Hard to Detect
❖
Simple SRAM 32X32
❖
32 Entries
❖
32 bit wide
❖
2^37 Terms to Trigger on
Address lines and/or data
Space to Insert
Why SRAMs (Cont)
❖
SRAMs maybe external IP
❖
SRAMs maybe used widely across an SoC, processor
caches, register files, storing exception report, used by
Crypto Units, FPGAs, & so on…
❖
Can’t Synthesize to netlist (exception would be latch
arrays)
❖
Don’t have accurate ATPG Models
Trojan Circuits
❖
Trojan 1
❖
Combinational
❖
DoS
❖
5 Sub Trojans
❖
Once Triggered will Stay on
❖
2 Payload Mechanisms
❖
Tri-Stating
❖
Scrambling
Trojan Circuits (Cont)
❖
Trojan 2
❖
Sequential
❖
DoS
❖
Triggering Mechanism 2 part
❖
Payload is Tri-Stating
Trojan Circuits (Cont)
❖
Trojan 3
❖
Combinational
❖
Always on
❖
DoS
❖
Designed to be evasive
❖
Good Design code:
❖
❖
❖
assign data_in[W:0] = good_data[W:0];
Trojan’ed Design code
❖
assign data_in[0] = good_data[0]^(good_data[W:0]==TrojanKeyWord);
❖
assign data_in[W:1] = good_data[W:1];
Meant to make coverage tools not detect it - at least everything toggled
Trojan Insertion
❖
Selected 4 Types of industrial
SRAMs
❖
2 from OpenSparc Design
Library
❖
❖
TSA - used by TLU for
exceptions
❖
Used by network interface
2 from Internal Design Library
❖
Processor Data Caches
Experimental Results
❖
More Details in the Paper
❖
But Essentially, 5 to 10 million cycles of Randomized
Simulation can’t detect anything
❖
Did 6N BIST Sims, not catching Anything
Q&A