

#### Insights into the Mind of a Trojan Designer The Challenge to Integrate a Trojan into the Bitstream

Maik Ender, Pawel Swierczynski, Sebastian Wallat, Matthias Wilhelm, Paul M. Knopp, Christof Paar

ASP-DAC 2019

hg EMSEC

22.01.2019







# Hardware Trojan Insertion

Insights into the Mind of a Trojan Designer | ASP-DAC | 22. Jan. 2019







**FPGAs** 



# Database Generation

Bitstream File Format Reverse Engineering Xilinx Spartan-6

#### **Bitstream Mapping**





#### **Bitstream Mapping**





Task: Find the **mapping** between bitstream bits & element configuration

#### **Bitstream Correlation – Basic Idea**



- 2. Create altered netlist
  - 3. Create bitstreams
- 4. Correlate the bitstream differences with the design change
- 5. Retrieve mapping bitstream bit and configuration



RUB

#### **Background: PIPs and Nets**



Wire: Physical static connection between two switch matrixes

Programmable Interconnect Point (PIP): Configures which wires get connected

**Net:** Bunch of PIPs form a net, i.e., multiple pips connect basic elements



Insights into the Mind of a Trojan Designer | ASP-DAC | 22. Jan. 2019

#### **Novelties – PIP Correlation**

- Former methods (Ding et al.) need fully routed nets
  - Requires multiple helper PIPs
  - → Causes additional unwanted changes in bitstream
  - → Requires pre/post-processing



- Our approach: one bitstream with a single PIP
  - Using force options of bitgen and xdl
  - → No pre/post-processing
  - → Less complex



RUB





#### **Bitstream Reverse Engineering – Exemplary Design**







- Design almost fully converted
- Still sufficient for HW Trojan insertion
- Fully automated

#### **Original Design**

#### **Converted Design**





# Hardware Trojan Insertion

Insights into the Mind of a Trojan Designer | ASP-DAC | 22. Jan. 2019

#### **Hardware Trojans**



Malicious changes or additions to a hardware design that adds or remove functionality, or reduces reliability



#### Many rather unpleasant "applications" & hard to mitigate in field







## **Trojanized USB Drive – Scenario (1)**

- Flash drive with AES-encryption on FPGA
- Scenario similar to prior work [1]
  - Trojan insertion successfully verified by means of simulation



RUB

• Attacker scenario: Supply chain attack



# **Trojanized USB Drive – System & Insertion**



#### 1. AES integrity check

- 1. Set the (known) test key
- 2. Test (known) plaintext/ciphertext pairs
- Derive/provide user key to key register 🤍
- 3. Process data encryption

#### Result:

- Attacker can read all encrypted content
- Still passes self-test







# Hardware Trojan Insertion

Insights into the Mind of a Trojan Designer | ASP-DAC | 22. Jan. 2019

#### Conclusion

RUB

- Bitstream Conversion
  - Accelerated mapping database generation
  - Routing reverse engineering can be simplified
- Hardware Trojan Insertion
  - Partial netlist is sufficient
  - Even more complex attacks are possible
- Tamper-proof external self-test is not enough



# Thank You For Your Attention! Any Questions?



### **Reversing Examples – Compression/Tiling**

- If we would save for each bit it's meaning, it would be huge file.
- Compressing by using the FPGA's architecture
- FPGA uses an <u>array</u> of logic blocks
  => Working with offsets



- Reverse the whole CLB
- Reverse only the first bit of each CLB in the Grid
- Position in bitstream is then:
  <offset CLB> + <pos in CLB>
- Saves: space and time (~99%)

RUB

#### **Overview Vulnerable Altera and Xilinx FPGAs**

| RUF |
|-----|
|-----|

| Device Family                  | Introduced | Bitstream Enc./Auth.  | Known Vulnerability        | No integrity/authenticity |
|--------------------------------|------------|-----------------------|----------------------------|---------------------------|
| Xilinx Spartan 3               | 2005       | not supported         | -                          | $\checkmark$              |
| Xilinx Spartan 6               | 2009       | AES-256/HMAC          | [MS16]                     | $\checkmark$              |
| Xilinx Virtex II               | 2001       | 3-DES/no              | [MBKP11]                   | $\checkmark$              |
| Xilinx Virtex 4                | 2005       | AES-256/no            | [MKP12] No ir              | ntegrity 🗸                |
| Xilinx Virtex 5                | 2006       | AES-256/no            | [MKP12])                   | $\checkmark$              |
| Xilinx Virtex 6                | 2009       | AES-256/HMAC          | [MS16])                    | $\checkmark$              |
| Xilinx 7 series                | 2010       | AES-256/HMAC          | [MS16])                    | $\checkmark$              |
| Xilinx UltraSCALE              | 2014       | AES-256 GCM/RSA-2048  | no research reports so far | $\operatorname{unclear}$  |
| Xilinx UltraSCALE <sup>+</sup> | 2015       | AES-256 GCM/RSA-4096  | no research reports so far | unclear                   |
| Altera Stratix II              | 2004       | AES-128               | [MOPS13]                   | $\checkmark$              |
| Altera Stratix III             | 2006       | AES-256               | [SMOP14]                   | $\checkmark$              |
| Altera Stratix IV              | 2008       | <b>AES-256</b>        | no research reports so far | unclear                   |
| Altera Stratix V               | 2010       | AES-256               | no research reports so far | unclear                   |
| Altera Stratix 10              | 2013       | AES-256, SHA-256, PUF | no research reports so far | unclear                   |
| Microsemi FPGAs                | -          | AES-256, SHA-256      | no research reports so far | unclear                   |

Table 1.1: List of Xilinx FPGA families and Altera FPGA devices, which are vulnerable to sidechannel attacks. No side-channel attacks for the UltraSCALE and UltraSCALE<sup>+</sup> family have been reported so far. Note that the Xilinx 7 series includes the Kintex, Artix, and Virtex families

0