Tutorial: Hardware Trojan Insertion on FPGA

Kan Xiao and Mohammed Tehranipoor
Department of Electrical & Computer Engineering
University of Connecticut

1. Introduction

To lower the cost of IC design and fabrication, the supply chain of the semiconductor industry has been distributed around the world. As the complexity of ICs increases, more and more highly specialized companies become involved in the IC fabrication process to improve efficiency and manufacturability, providing attackers with more opportunities to make malicious inclusions and alterations. This is a serious problem for security-critical applications, such as military, transportation and financial systems. Some Trojans can be inserted into a design if any untrusted tools or IP blocks are used. Other Trojans can be implanted by modifying the layout of the design during GDSII development and fabrication. Trojans in ICs may cause malfunctions, lower reliability, leak confidential information to adversaries or even destroy the system under specifically designed conditions.

Detecting these malicious inclusions and alterations is extremely difficult, due to the following characteristics of Trojans. First, Trojans are small compared to the designs they have altered, which makes the attributes of Trojan-inserted ICs almost the same as those of Trojan-free ICs. Second, Trojans can be kept dormant during most of their operation, and be activated under very specific conditions. Third, a Trojan's behavior is unknown. Thus, it would be challenging to devise a Trojan detection technique that can target all types of Trojans.

2. FPGA Board and ISE Tool

This tutorial describes the flow to insert a Trojan into a design and implement the design on FPGAs. The FPGA board I use in this tutorial is the Basys™2 Spartan-3E FPGA Board from Digilent Inc. (http://www.digilentinc.com/Products/Detail.cfm?NavPath=2,400,790&Prod=BASYS2). The design tool is ISE WebPACK 14.1, a free design suite that can be downloaded from the Xilinx official website (http://www.xilinx.com/support/download/index.htm).

If you want to know more about the Xilinx FPGA design flow, there are some helpful tutorials available on the Xilinx website (http://www.xilinx.com/support/documentation/dt_ise14-1_tutorials.htm). Note that this tutorial is based on the flow presented in the In-depth ISE tutorial. You can refer to it for more detailed information.

3. Trojan Design for Different Detection Approaches

In general, hardware Trojan detection approaches can be divided into two categories: full Trojan activation approaches and side-channel analysis approaches. The first approach tries to activate Trojans by applying test vectors and comparing responses with the correct results. Side-channel signal analysis has been developed to detect hardware Trojans by measuring circuit parameters, such as power (transient and leakage current) and delay.

In this tutorial, we only talk about the hardware Trojans which are implanted by modifying the layout of the design during GDSII development and fabrication. Unlike with ASICs, it is very difficult to insert a hardware Trojan into an unused LUT in FPGAs because we lack knowledge of the internal structure of an FPGA and cannot completely control placement and routing by using the available design suites from Xilinx. Fortunately, we can design the hardware Trojan according to our requirements and objectives. In order to evaluate different Trojan detection approaches, different Trojan insertion methods are used. In general, the complexity of Trojan design ranks as follows: full Trojan activation < power-based Trojan detection < delay-based Trojan detection. The Trojan design flow for different detection methods will be presented in the next section.

3.1 Trojans for Full Trojan Activation

For the full Trojan activation approach, only functional testing is performed. We just care about the function instead of the layout, so it is the easiest one. First, I will explain how to design and implement the Trojan-free circuits on an FPGA. Then I will describe how to implement Trojan-inserted circuits on an FPGA.

3.1.1 Trojan-free Design Implementation

To implement a Trojan-free design on an FPGA, we just need to use the basic implementation flow. In this subsection, I will go through the entire flow for an example. The example design we use can be downloaded with this tutorial.

Starting ISE:
To start the ISE software, double-click the ISE project navigator icon on your desktop, or select Start > All Programs > Xilinx ISE Design Suite 14.1 > ISE Design Tools > Project Navigator.

Creating a New Project:
To create a new project, do the following:
a) Select File > New Project. A new window wizard appears.
b) Choose Location and give the project a name.
c) Choose HDL as the Top-level source type, and click Next.
[Figure 1]
The new project wizard (Device Properties page) appears.
d) Select required information as shown in Figure 2, and click Next.
[Figure 2]
The new project wizard (Project summary) appears.
[Figure 3]
Click Finish and the new project is created.

Adding Sources:
For this hierarchical design, you will examine HDL files, correct syntax errors, create an HDL macro, and add a CORE Generator software core and a clocking module. You will create and use each type of design macro. All procedures used in the tutorial can be used later for your own designs.
HDL files must be added to the project before they can be synthesized. Otherwise, you need to create a new source and type the HDL code in it. You will add source files to the project as follows:
a) Select Project > Add Source (or Add Copy of Source so that all HDL files will be copied to your project directory)
b) Select the following files from the project directory, and click Open.
Top.v
c6288.v
mode_switch.v
c) In the Adding Source Files dialog box, verify that the files are associated with All, that the associated library is work, and click OK.
[Figure 4]
The Hierarchy pane in the Design panel displays all of the source files currently added to the project, with the associated entity or module names. Each source design unit is represented in the Hierarchy pane using the following syntax: instance name - entity name - (file name). Instantiated components with no entity or module declaration are displayed with a question mark.
Check HDL Errors:
Select Top file in the Hierarchy pane, and double-click Check Syntax in Synthesize-XST in the Processes pane as shown in Figure 5.
If there is an error, the “ERROR” message in the Console indicates the failure and provides a summary and the line number of the syntax problem.
[Figure 5]

Synthesizing the Design

So far you have been using Xilinx Synthesis Technology (XST) for syntax checking. Next, you will synthesize the design using either XST, Synplify, or Precision software. In this tutorial, we only use XST. The synthesis tool uses the design’s HDL code and generates a supported netlist type (EDIF or NGC) for the Xilinx implementation tools.

Enter Synthesis Options:
Synthesis options enable you to modify the behavior of the synthesis tool to make optimizations according to the needs of the design. To enter synthesis options, do the following:
a) In the Hierarchy pane of the Project Navigator Design panel, select top module (top.v).
b) In the Processes pane, right-click the Synthesize process, and select Process Properties.
c) The Synthesis Options window will appear.
d) Click OK after changing options.
[Figure 6]

Synthesizing the Design:
Now you are ready to synthesize your design. To take the HDL code and generate a compatible netlist, do the following:
a) In the Hierarchy pane, select top module (top.v).
b) In the Processes pane, double-click the Synthesize process.

Implementing the Design

Creating Timing Constraints:
The User Constraints File (UCF) is a text file that can be edited directly with a text editor. To facilitate editing of this file, graphical tools are provided to create and edit constraints. The Constraints Editor and PlanAhead software are graphical tools that enable you to enter timing and I/O and placement constraints.
To launch the Constraints Editor, do the following:
a) In the Hierarchy pane of the Project navigator Design panel, select the top module (top.v).
b) In the Processes pane, expand User Constraints, and double-click Create Timing Constraints.
Our example is a combinational circuit, so we do not need to set timing constraints.

Assign I/O Locations:
We can use a text editor to edit I/O location constraints directly or use the PlanAhead software to add and edit the pin locations and area group constraints defined in the NGD file. The PlanAhead software will write the constraints to the project UCF.
Adding the UCF is the same as adding any other source file:
a) Select Project > Add Source (or Add Copy of Source so that all HDL files will be copied to your project directory)
b) Select the top.ucf, and click Open.

If you want to assign pins using PlanAhead, do the following:
a) In the Hierarchy pane of the Project navigator Design panel, select the top module (top.v).
b) In the Processes pane, expand User Constraints, and double-click I/O Pin Planning (PlanAhead) - Post-Synthesis.
I/O pin planning can be performed either pre- or post-synthesis. Whenever possible, it is recommended that the process be run post-synthesis.
[Figure 7]
This process launches the PlanAhead software in Figure 8.
[Figure 8]
c) In the I/O Port tab, expand the in_port and out_port under All ports. You will now create pin assignments for the in_port and out_port signals.
d) You can type the location in the Site field, and set the I/O standard, Vcco, Drive Strength and Slew type for each pin in the design. (All the information can be found in the UCF we provided.)
e) After the pins are locked down, select File > Save Project. The changes are saved in the top.ucf file.
f) To exit the PlanAhead software, select File > Exit.

Specifying Options:
The implementation properties control how the software maps, places, routes, and optimizes a design. To set the implementation properties, do the following:
a) In the View pane of the Project Navigator Design panel, select Implementation.
b) In the Hierarchy pane, select the top module (top.v).
c) In the Processes pane, right-click the Implementation Design process, and select Process Properties.
d) Ensure that you have set the Property display level to Advanced.
e) Set the properties you want.
[Figure 9]
f) Click OK to exit the Process Properties dialog box.

Generating Programming File:
After analyzing the design, you need to create configuration data. A configuration bitstream is created for downloading to a target device or for formatting into a PROM programming file.
a) In the Hierarchy pane of the Project navigator Design panel, select the top module (top.v).
b) In the Processes pane, right-click Generate Programming File, and select Process Properties.
c) In the Process Properties dialog box, click the Startup Options category.
d) Change the FPGA Start-Up Clock property from CCLK to JTAG Clock.
[Figure 10]
e) Click OK.
f) In the Processes panel, double-click Generate Programming File to create a bitstream of this design.

Downloading Program on FPGA

To start iMPACT:
To start iMPACT from Project Navigator, double-click Manage Configuration Project (iMPACT) in the Processes pane in the Design panel, as shown in Figure 11.
[Figure 11]

Specifying Boundary-Scan Configuration Mode:
In iMPACT, creating a new project includes specifying the configuration mode and the device to program. To select Boundary-Scan Mode, do the following:
a) Select File > New Project.
b) In the Automatically create and save a project dialog box, select Yes.
c) In the Welcome to iMPACT dialog box, select Configure Devices using Boundary-Scan (JTAG).
d) Ensure that Automatically connect to a cable and identify Boundary-Scan chain is selected.
e) Make sure the FPGA board is powered on, and click OK.
[Figure 12]

Performing Boundary-Scan Operations:
a) Right-click on the xc3s100e device, and select Get Device ID.
b) Right-click on the xc3s100e device, and select Assign New Configuration File. You need to browse and select the programming file (.bit) generated in step.
c) Right-click on the xc3s100e device again, and select Program.
[Figure 13]

3.1.2 Trojan-Inserted Design Implementation

The procedure to implement Trojan-inserted circuits on an FPGA is the same as the procedure to implement Trojan-free circuits presented in 3.1.1. We simply need to insert the Trojan in the HDL code, and then repeat the entire flow until downloading to the FPGA board. By providing patterns to trigger the Trojan inside, the faulty result induced by the Trojan will be detected.

3.2 Trojans for Power-based Detection Approach

An FPGA can be used to verify power-based detection approaches which detect Trojan-inserted circuits based on transient or dynamic power. Leakage power is very difficult to detect, because all LUTs are already in the FPGA and we cannot remove them or eliminate their leakage currents.
Since Trojan gates may create additional switching activities when proper patterns are applied, a Trojan can be detected by measuring the transient current from a power pin. On the FPGA, the easiest way is to use one switch on the board to control an enable signal which can enable Trojan gates. If the Trojan is disabled, it will always be quiet no matter what patterns are applied. If the Trojan is enabled, it can produce switching activities when it is partially activated. By using this method, we can guarantee that both Trojan-free and Trojan-inserted circuits have exactly the same layout.
[Figure 14]
Therefore, one enable signal is required to be added to the original design, as shown in Figure 14. When you enable the Trojans, the circuit becomes a Trojan-inserted FPGA. When you disable the Trojans, it is a Trojan-free FPGA.

3.3 Trojans for Delay-based Detection Method

For the delay-based Trojan detection method, the change of path delay results from the extra capacitances induced by Trojan gates and their interconnections. We need two identical designs, one with Trojans and the other without. It is very difficult to control wire routing on an FPGA. Therefore, my strategy is to get a Trojan-inserted design first, and then disconnect the interconnections between the Trojan LUTs and the original design to obtain the Trojan-free design.

3.3.1 Implement Trojan-Inserted Design

(Do the same thing, but nets need to be kept during synthesis.)
We need to pay attention to the method of inserting the delay-based Trojan. Since many nets will be renamed or optimized during synthesis, we should set the do not touch attribute for these nets so that we can still find them after synthesis. Thus, when we start to design Trojans in HDL code, we need to keep all nets which connect between Trojans and original circuits so that we can identify and remove them in layout to obtain our Trojan-free design.

How to set don’t touch attribute:
The syntax for preventing optimization in Exemplar is as follows:

    library ieee;
    use ieee.std_logic_1164.all;

    entity test is
      port( a : in  std_logic;
            y : out std_logic);
      -- declare the attribute
      attribute preserve_signal : boolean;
    end test;

    architecture beh of test is
      signal b : std_logic;
      -- apply it to signal b so that b survives synthesis
      attribute preserve_signal of b : signal is true;
    begin
      b <= not a;
      y <= not b;
    end beh;

The two preserve_signal attribute lines in the example above (highlighted in the original) are needed to ensure signal b will not be optimized away during synthesis. Note that the “don’t touch” operation is only valid in VHDL. Thus, for the module with the Trojan, we need to use VHDL code to keep these nets.

To implement on FPGA:
After completing the Trojan-inserted design, the implementation procedure is the same as presented in 3.1.1. Finally, the Trojan-inserted design is programmed on an FPGA.

3.3.2 Trojan-free Design Implementation

So far, we have implemented the Trojan-inserted design on an FPGA. What we need to do now is to disconnect the nets between the Trojans and the original circuit. This task should be done in FPGA Editor.

To start FPGA editor:
To launch FPGA Editor, select Tools > FPGA Editor > Post-Place & Route. This process launches the FPGA Editor software as shown in Figure 15.
[Figure 15]

Change Edit Mode:
Before we make any changes, we need to change the edit mode.
a) Select File > Main Properties. The Main Properties window appears.
b) Expand Edit Mode, and select Read Write.
c) Click OK.
[Figure 16]

Modify Routing:
a) Expand to select All Nets and then type *tr* in Name Filter to search all nets containing string “tr” in their name.
b) Click Apply and all specified nets are listed in the table below.
c) Double-click to select the net you want to change in the table. For example, when we double-click Design_under_Test/tr01, the net is shown in the array window and highlighted in red.
[Figure 17]
d) Select Tools > Route > Unroute to unroute the net which is indicated by the green line.
[Figure 18]
[Figure 19]

Manual Routing:
If the fanout of the unrouted net is 1, it is done. If it is more than 1, that means this net also connects to other genuine gates besides the Trojan gates. Therefore, we need to manually route these genuine gates. We take net Design_under_Test/n777 as an example. The original routing is shown in Figure 20.
[Figure 20]
a) Double-click the net to select it.
b) Select Tools > Route > Unroute to unroute the net.
c) If the net is selected, we can see the triangle at each pin. The triangle pointing to the cell means this is an input port. Otherwise, it is an output pin. We see that this net connects to one output port and two input ports, since its fanout is 2. Suppose the gate in cell Design_Under_Test/n775 (left) is a Trojan gate; we only need to route two ports in cell Design_Under_Test/n470 (right) to assure original functionality.
[Figure 21]
If you are not sure which is which, you can double-click the cell. A new window appears.
[Figure 22]
You can check the interconnections inside and check the boolean equation by clicking F=.
[Figure 23]
d) After you locate the ports you will route, click to select the output port triangle and then select one input port triangle, as shown in Figure 24. You must follow this sequence. If you select the input port first, manual routing will fail. Please note that manual routing can only work between two ports (one input port and one output port) every time. If there are several input ports, you need to do this multiple times to connect all input ports.
[Figure 24]
Select > Route > Manual Route, and these two ports are routed.
[Figure 25]
Save and exit:
a) Repeat the previous process until the Trojans are disconnected from the original design.
b) Select File > Save.
c) Select File > Exit.

Generate Programming File Again:
a) In the Hierarchy pane of the Project navigator Design panel, select the top module (top.v).
b) In the Processes pane, right-click Generate Programming File, and select Process Properties.
c) In the Process Properties dialog box, click the Startup Options category.
d) Change the FPGA Start-Up Clock property from CCLK to JTAG Clock.
[Figure 26]
e) Click OK.
f) In the Processes panel, double-click Generate Programming File to create a bitstream of this design.

Downloading on the FPGA:
After downloading the program on the FPGA by using the method in 3.1.1, the implementation for the delay-based Trojan is done.
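
The two implementations built in section 3.3 exist so that a delay-based detector can be evaluated. The sketch below is an added example, not part of the original tutorial: it calibrates out die-to-die speed variation using Trojan-free reference chips and then flags paths on a device under test that are slower than the reference spread allows. All delay values, the 3-sigma limit, the sigma floor and the function names are constructed assumptions.

```python
from statistics import mean, median, stdev

# Constructed sample data (not measurements from the tutorial's board):
# delays in ns of the same five paths on four Trojan-free reference chips.
GOLDEN = [
    [4.00, 5.00, 6.00, 7.00, 8.00],
    [4.21, 5.24, 6.30, 7.36, 8.39],  # slow die
    [3.83, 4.81, 5.76, 6.71, 7.69],  # fast die
    [4.09, 5.09, 6.12, 7.15, 8.15],
]
DUT_CLEAN = [4.13, 5.14, 6.18, 7.22, 8.23]
DUT_LOADED = [4.13, 5.14, 6.18, 7.37, 8.23]  # path 3 carries +0.15 ns of extra load


def reference_profile(golden):
    """Per-path median delay over the reference chips."""
    return [median(col) for col in zip(*golden)]


def die_scale(delays, ref):
    """Robust die speed factor: median of the per-path ratios to the profile.

    A single loaded path produces one outlying ratio, which the median ignores.
    """
    return median(d / r for d, r in zip(delays, ref))


def suspect_paths(golden, dut, k=3.0, sigma_floor=0.01, calibrate=True):
    """Return indices of paths slower than the golden mean by more than k sigma.

    Extra capacitance only adds delay, so the check is one-sided. sigma_floor
    (ns) stands in for measurement resolution when the golden spread is ~0.
    """
    ref = reference_profile(golden)

    def norm(chip):
        s = die_scale(chip, ref) if calibrate else 1.0
        return [d / s for d in chip]

    gold = [norm(chip) for chip in golden]
    test = norm(dut)
    flagged = []
    for i, col in enumerate(zip(*gold)):
        limit = mean(col) + k * max(stdev(col), sigma_floor)
        if test[i] > limit:
            flagged.append(i)
    return flagged


if __name__ == "__main__":
    print("clean DUT      :", suspect_paths(GOLDEN, DUT_CLEAN))
    print("loaded DUT     :", suspect_paths(GOLDEN, DUT_LOADED))
    print("no calibration :", suspect_paths(GOLDEN, DUT_LOADED, calibrate=False))
```

Without calibration the 0.15 ns shift is hidden inside the die-to-die spread of the raw delays, which is why the uncalibrated run reports nothing.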