
When Security Goes Into Analog

The exponential growth of the integrated circuit (IC) industry has driven the rapid globalization of its supply chain. Since a complicated IC design often involves various IP suppliers, fabrication foundries, and testing facilities spanning multiple continents (see Figure 1(a)), it is extremely challenging to track the source of every component and secure the entire supply chain. The sophistication of today's IC development process gives rise to the increasing threat of hardware Trojans (HTs). Until recently, most HTs were deployed as digital circuits, and their detection approaches followed the same assumption. However, recent seminal works have revealed that analog logic (or even the analog properties of digital circuits) can be leveraged to launch stealthy HT attacks. Because no model abstraction or formal approach exists for them, these analog HTs can evade traditional digital-domain HT detection and testing methods and thus become especially potent emerging threats to modern electronic systems. In this post, I will first introduce two emerging analog hardware threats: the Rowhammer attack and the A2 Trojan. Then I will discuss methods to mitigate such threats.

Figure 1. (a) The simplified supply chain of the IC industry. (b) The mechanism of Rowhammer attacks. (c) The mechanism of A2 Trojan.

1. A2 Trojan:

The A2 Trojan, as illustrated in Figure 1(c), is a type of charge-domain Trojan with a small footprint and minimal power impact. It consists of four transistors: two are used as complementary switches and the other two are implemented as capacitors $C_1$ and $C_2$, respectively. Attackers employ a toggling register as a trigger input to periodically charge $C_2$ and then redistribute the charge between $C_1$ and $C_2$. During the positive phase of a trigger cycle, $M_0$ is closed and $M_1$ is open, and the sampling capacitor $C_2$ is charged to $V_{DD}$. In the negative phase, $C_1$ and $C_2$ are shorted together to boost the charge across $C_1$. The result is a steadily rising voltage across $C_1$. Once the trigger frequency rises above a threshold (so that the per-cycle boost outpaces leakage), the Trojan payload activates as $C_1$'s voltage crosses the detector threshold.

2. Rowhammer Attacks:

Rowhammer is another type of analog attack that exists widely in modern DRAMs. As shown in Figure 1(b), when a wordline, denoted the trigger wordline, is activated, the parasitic capacitance between wordlines causes the adjacent wordline, denoted the victim wordline, to experience an undesired voltage fluctuation that affects the access transistor and accelerates charge leakage from the storage capacitor ($C_S$ in a DRAM cell). As adversaries repeatedly toggle a wordline, this capacitive coupling disturbs the adjacent rows by accelerating the charge leakage rate of the memory cells connected to the victim rows. If an affected cell loses too much charge before it is refreshed to its original value, a memory error occurs.

3. Threat Mitigation: Modeling and Detection

Although the mechanisms of these threats seem quite simple, existing HT countermeasures targeting digital circuits unfortunately may not apply to these analog Trojans, because the analog-style behaviors of the circuits are abstracted away during the verification and checking stage of the IC design process. In our previous work, we investigated a systematic method to detect a large class of analog Trojans that act in the charge domain. These analog threats, like A2 Trojans and Rowhammer attacks, create information leakage paths through electrical charge transfer. They utilize subtle analog behaviors of low-level circuits and thus cannot be exposed by HT countermeasures in the digital domain. Adversaries can stealthily insert malicious additions or make use of existing vulnerabilities in the circuits. The key to developing countermeasures for analog attacks is an abstraction of analog/mixed-signal behaviors that provides an effective measurement metric for detection. Specifically, we identify a charge-domain metric that describes a general form of information leakage path facilitated by capacitor circuits. Depending on whether the capacitors are intentional or parasitic, these charge-domain Trojans can be further classified as charge-sharing or capacitive-coupling. We delve more deeply into the charge-sharing Trojans, where switched-capacitor circuits are intentionally inserted to enable charge-domain information leaks. Aided by the new abstraction model, we are able to infer variants of charge-sharing Trojans, among which A2 is but one example.

3.1 Charge Domain Modeling

In our definition, charge-domain Trojans belong to a large class of analog threats whose attacks are launched through malicious and deliberate electrical charge transfers and/or redistribution. They are prevalent in modern digital IC systems because, at a fundamental level, each digital bit is stored as charge across a capacitor, and the operation of charge-domain Trojans weaponizes capacitive effects by disturbing the normal charge level of critical nodes. They are often deployed with synergistic hardware and software coordination. A general form of charge-domain Trojans can be described as electrical charge accumulation across an essential capacitor. Each trigger activity $i$ results in a charge disturbance of $\Delta Q(i)$. The charge disturbances accumulate over many iterations of trigger events until they eventually reach a critical value ($Q_{cr}$) that enables the payload circuit and implements the attack, as captured by the following expression:
\begin{equation}
\left|\sum_{i=0}^N \Delta Q(i)\right| > Q_{cr} \label{eq:Qcr}
\end{equation}
This charge-domain formulation captures a wide range of analog attacks and can be used to describe existing practical analog Trojans. We further divide them into two subclasses, charge-sharing and capacitive-coupling Trojans, according to their distinctive attack models. The former involves insertion or modification of the physical design by the adversaries to enable deliberate charge sharing behaviors, whereas the latter relies on capacitive coupling associated with the parasitics intrinsically residing in the original digital circuits and requires no hardware modifications.

3.2 Model of Capacitive-coupling Trojans

One practical example of a capacitive-coupling Trojan is the Rowhammer attack. As described in Section 2 and Figure 1(b), activating the trigger wordline couples through the parasitic capacitance into the victim wordline, disturbs the access transistor, and accelerates charge leakage from the storage capacitor ($C_S$ in a DRAM cell). To apply our general model to Rowhammer attacks, we identify $C_S$ as the capacitor of interest where the charge accumulation happens. Every time the trigger wordline is activated, $\Delta Q(i)=kC_PR_{WL}V_{WL}\mathcal{F}$, where $C_P$ is the parasitic capacitance between the two wordlines, and $R_{WL}$ and $V_{WL}$ are the resistance and the voltage of the wordline. The coefficient $k$ describes the degree of the capacitive coupling effect, and the stochastic function $\mathcal{F}$ describes the probabilistic charge leakage when the access transistor works in the sub-threshold region. After each DRAM refresh, $C_S$ is initially charged to $V_{DD}$, and the accumulated charge leakage can cause the voltage to drop below the memory threshold ($V_{th}$), resulting in an erroneous bit flip. Therefore, the general model can be rewritten as:
\begin{equation}
\sum_{i=0}^N \left(kC_PR_{WL}V_{DD}\mathcal{F}_i\right) > (V_{DD}-V_{th})C_S
\label{eq:rh}
\end{equation}
where $Q_{cr}$ is determined by $(V_{DD}-V_{th})C_S$.
Note that this equation correctly captures the main underlying mechanism of Rowhammer: if the trigger wordline is activated many times (sufficiently large $N$) during the interval between two refreshes, the cells on the victim wordline may incur charge leakage beyond $Q_{cr}$ and experience disturbance errors. Due to their parasitic nature, the sneaky paths used by capacitive-coupling Trojans are omnipresent in digital designs and can only be detected by analyzing the netlist extracted from a layout. An efficient method is needed to sort through all the possible leakage paths enabled by parasitic capacitance, identify effective attack mechanisms with high probability, and rule out false-positive instances. In the case of Rowhammer, we believe this can be achieved by properly formulating $\mathcal{F}$ as a stochastic function of device-level process variation and estimating the feasible range of $N$ as a statistical expectation.

3.3 Model of Charge-Sharing Trojans

According to the attack model distinction, charge-sharing Trojans refer to the subset of charge-domain attacks where dedicated analog circuits are inserted into the physical design during the back-end or fabrication stages to intentionally create the sneaky paths. The malicious circuits that enable charge sharing often fall into the category of switched-capacitor circuits, and one popular manifestation of such charge-boosting Trojans is the switched-capacitor-based A2 Trojan. To derive the A2 attack mechanism following our general charge-domain formulation, $C_1$ is identified as the essential storage capacitor, and after each trigger cycle the charges across $C_1$ and $C_2$ redistribute. During the positive phase of a trigger cycle, $S_1$ is closed and $S_2$ is open, and the sampling capacitor $C_2$ is charged to $V_{DD}$. In the negative phase, $C_1$ and $C_2$ are shorted together to boost the charge across $C_1$. So the general model can be rewritten as:
\begin{equation}
\sum_{i=1}^N\frac{C_1C_2V_{DD}-C_2Q_1(i-1)-C_1Q_{leak}}{C_1+C_2}>C_1V_{th}
\label{eq:q-sh}
\end{equation}
where $Q_1(i-1)$ is the charge on $C_1$ before the charge sharing of cycle $i$ (with $Q_1(0)= 0$), $Q_{leak}$ is the charge leakage of $C_1$ during each cycle, and $Q_{cr}$ is determined by the threshold voltage ($V_{th}$) of the payload circuit.
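To make the two instantiations of the general model concrete, here is an added Python example (my own illustration, not the authors' tool or code from the paper) that iterates Eq. (q-sh) for the charge-sharing case and evaluates Eq. (rh) for the capacitive-coupling case by Monte Carlo. Every component value is constructed; the per-cycle leakage is taken as $I_{leak}/f_{trigger}$ and the stochastic function $\mathcal{F}$ is assumed to be Bernoulli with a fixed leakage probability, neither of which comes from the page.

```python
"""Charge-domain accumulation model (added illustration, not the authors' tool).

Instantiates the general form |sum_i dQ(i)| > Q_cr with its two sub-classes:
charge sharing (A2, Eq. q-sh, a deterministic recurrence) and capacitive
coupling (Rowhammer, Eq. rh, a stochastic sum).  All component values are
constructed illustration values, not measurements from the paper."""
import math
import random


# --- charge-sharing Trojan (A2): iterate Eq. (q-sh) ---------------------------
def charge_sharing_cycles(c1, c2, vdd, vth, q_leak, max_cycles=100_000):
    """Cycle count at which V(C1) = Q1/C1 first exceeds the payload threshold
    Vth, or None if the per-cycle leakage balances the boost first.
    Q1(0) = 0; each cycle C2 (charged to VDD) shares charge with C1."""
    q1 = 0.0
    for i in range(1, max_cycles + 1):
        dq = (c1 * c2 * vdd - c2 * q1 - c1 * q_leak) / (c1 + c2)
        q1 = max(q1 + dq, 0.0)          # stored charge cannot go below zero
        if q1 / c1 > vth:
            return i
    return None


def min_trigger_frequency(c2, vdd, vth, i_leak):
    """Trigger frequency below which the payload can never fire.  Assuming
    q_leak = i_leak / f per cycle, the recurrence converges to
    V(C1) = VDD - q_leak / C2, so Vth is reachable only if
    f > i_leak / (C2 * (VDD - Vth))."""
    return i_leak / (c2 * (vdd - vth))


# --- capacitive-coupling Trojan (Rowhammer): Eq. (rh) -------------------------
def critical_charge(c_s, vdd, vth):
    """Q_cr = (VDD - Vth) * C_S: the leakage that drops a victim cell below Vth."""
    return (vdd - vth) * c_s


def expected_activations_to_flip(c_s, vdd, vth, k, c_p, r_wl, p_leak):
    """Statistical expectation of N.  F is assumed Bernoulli(p_leak): each
    activation leaks dQ = k*C_P*R_WL*VDD with probability p_leak (this
    example's assumption; the page leaves the form of F open)."""
    dq_hit = k * c_p * r_wl * vdd
    hits_needed = math.floor(critical_charge(c_s, vdd, vth) / dq_hit) + 1
    return hits_needed / p_leak


def flip_fraction(n_activations, c_s, vdd, vth, k, c_p, r_wl, p_leak,
                  trials=200, seed=1):
    """Monte Carlo estimate of the fraction of refresh intervals in which
    n_activations trigger-wordline activations flip the victim cell."""
    rng = random.Random(seed)           # seeded so runs are reproducible
    dq_hit = k * c_p * r_wl * vdd
    q_cr = critical_charge(c_s, vdd, vth)
    flips = 0
    for _ in range(trials):
        leaked = sum(dq_hit for _ in range(n_activations) if rng.random() < p_leak)
        if leaked > q_cr:
            flips += 1
    return flips / trials


if __name__ == "__main__":
    # Constructed A2 values: C1 = 100 fF, C2 = 20 fF, VDD = 1 V, Vth = 0.6 V,
    # leakage current 1 nA, so q_leak = 1 nA / f_trigger per cycle.
    c1, c2, vdd, vth, i_leak = 100e-15, 20e-15, 1.0, 0.6, 1e-9
    print("f_min =", min_trigger_frequency(c2, vdd, vth, i_leak), "Hz")
    for f in (1e6, 1e5):
        print(f"trigger at {f:.0e} Hz -> cycles to fire:",
              charge_sharing_cycles(c1, c2, vdd, vth, i_leak / f))
    # Constructed DRAM values: C_S = 30 fF, Vth = 0.5 V, C_P = 1 fF,
    # R_WL = 1 kOhm, k = 4e-4 (dQ = 0.4 fC per leaking activation), p_leak = 0.2.
    rh = dict(c_s=30e-15, vdd=1.0, vth=0.5, k=4e-4, c_p=1e-15, r_wl=1e3, p_leak=0.2)
    print("E[N] =", expected_activations_to_flip(**rh))
    for n in (100, 400):
        print(f"N={n}: flip fraction", flip_fraction(n, **rh))
```

The charge-sharing part reproduces the trigger-frequency threshold mentioned in Section 1: below $f_{min} = I_{leak}/(C_2(V_{DD}-V_{th}))$ the recurrence saturates below $V_{th}$ and the payload never fires, which is the kind of bound a verification engineer can use to decide which trigger rates a test must cover. The coupling part returns the expectation of $N$ described at the end of Section 3.2, and the Monte Carlo run shows how sharply the flip probability rises once $N$ passes it.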

3.4 Information Flow Tracking (IFT) based Detection Method

Based on the charge-domain leakage path model described above, we develop an IFT-based detection scheme for analog/mixed-signal Trojans. Compared with previous digital-only IFT methods, we design the information flow policy with fine-grained charge-domain behaviors in mind. To our knowledge, it is the first IFT solution that can efficiently detect threats from analog/mixed-signal circuits. An automated tool that applies customized information flow policies was developed to demonstrate the effectiveness of information flow tracking for analog Trojan detection on a benchmark design.
Figure 2. The layout of the microcontroller embedded with several charge-sharing Trojans variants. All Trojans (marked as green) are automatically detected and are distinguished from suspicious capacitors with no threat (marked as red lattice shadow). The threatened signal paths (marked as blue) and registers (marked as red slash shadow) are identified using the proposed IFT policy.
The method is then validated on an experimental RISC microcontroller design injected with different variants of charge-domain Trojans. We demonstrate that successful detection can be accomplished with an automated tool that realizes the IFT-based solution, as shown in Figure 2.
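As an added illustration of why the policy must follow charge paths rather than only logic, the following toy information flow tracker (my own construction, not the authors' tool, benchmark, or actual policy) propagates a taint label from a trigger register over a small hand-built netlist shaped like the A2 circuit of Section 1. The net and element names, the supply-rail boundary rule, and the two policies are assumptions of this example.

```python
"""Toy charge-aware information flow tracking over a netlist graph (added
illustration; the netlist, names and policy rules are this example's own).

A netlist is a list of elements.  The digital-only policy propagates a label
only through logic elements; the charge-domain policy also follows capacitor
and switch channels and a switch's control net, so a switched-capacitor path
from a trigger register to a protected register becomes visible."""
from collections import deque

SUPPLY_NETS = {"vdd", "gnd"}          # rails never carry a taint label

# Constructed netlist: trig_reg toggles net 'trig', which controls S1 (VDD -> C2)
# and S2 (C2 <-> C1); C1 feeds a threshold detector whose output lands in
# priv_reg.  C_filter is a filter cap on a side net; C_dec is a decoupling cap.
NETLIST = [
    {"name": "G0", "kind": "logic", "nodes": ("trig_reg", "trig")},
    {"name": "G1", "kind": "logic", "nodes": ("trig_reg", "n_filt")},
    {"name": "S1", "kind": "switch", "nodes": ("vdd", "n_c2"), "ctrl": "trig"},
    {"name": "S2", "kind": "switch", "nodes": ("n_c2", "n_c1"), "ctrl": "trig"},
    {"name": "C2", "kind": "cap", "nodes": ("n_c2", "gnd")},
    {"name": "C1", "kind": "cap", "nodes": ("n_c1", "gnd")},
    {"name": "G2", "kind": "logic", "nodes": ("n_c1", "detector")},
    {"name": "G3", "kind": "logic", "nodes": ("detector", "priv_reg")},
    {"name": "C_filter", "kind": "cap", "nodes": ("n_filt", "gnd")},
    {"name": "C_dec", "kind": "cap", "nodes": ("vdd", "gnd")},
]

DIGITAL_POLICY = {"logic"}                    # classic gate-level IFT
CHARGE_POLICY = {"logic", "switch", "cap"}    # also follows charge paths


def flow_edges(el, policy):
    """Directed (src, dst) pairs along which a label propagates through `el`
    under `policy`.  Logic is input->output; a capacitor or switch channel
    carries charge either way; a switch's control net labels its channel."""
    if el["kind"] not in policy:
        return []
    a, b = el["nodes"]
    pairs = [(a, b)] if el["kind"] == "logic" else [(a, b), (b, a)]
    if el["kind"] == "switch":
        pairs += [(el["ctrl"], a), (el["ctrl"], b)]
    return [(x, y) for x, y in pairs
            if x not in SUPPLY_NETS and y not in SUPPLY_NETS]


def reachable(netlist, start, policy, reverse=False):
    """Breadth-first label propagation from `start` (edges reversed for the
    backward pass from an asset)."""
    adj = {}
    for el in netlist:
        for x, y in flow_edges(el, policy):
            if reverse:
                x, y = y, x
            adj.setdefault(x, []).append(y)
    seen, queue = {start}, deque([start])
    while queue:
        for m in adj.get(queue.popleft(), []):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen


def analyze(netlist, trigger, assets, policy):
    """Registers reachable from `trigger`, capacitors sitting on a
    trigger->asset path (Trojan candidates), and capacitors that are tainted
    but reach no asset (suspicious, no threat)."""
    fwd = reachable(netlist, trigger, policy)
    threatened = [a for a in assets if a in fwd]
    bwd = set().union(*(reachable(netlist, a, policy, reverse=True)
                        for a in threatened))
    on_path = fwd & bwd
    trojan, benign = [], []
    for el in netlist:
        if el["kind"] != "cap":
            continue
        nodes = set(el["nodes"])
        if nodes & on_path:
            trojan.append(el["name"])
        elif nodes & fwd:
            benign.append(el["name"])
    return {"threatened": threatened, "trojan_caps": trojan, "benign_caps": benign}


if __name__ == "__main__":
    for name, policy in (("digital-only", DIGITAL_POLICY), ("charge-domain", CHARGE_POLICY)):
        print(name, analyze(NETLIST, "trig_reg", ["priv_reg"], policy))
```

Under the digital-only policy the label stops at the switch control, so `priv_reg` is never reported as threatened; under the charge-domain policy the same netlist yields `priv_reg` as a threatened register, `C1` and `C2` as capacitors on the trigger-to-register path, and `C_filter` as tainted but harmless, which is the three-way distinction Figure 2 draws.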

Reference:

K. Yang, M. Hicks, Q. Dong, T. Austin, and D. Sylvester, “A2: Analog malicious hardware,” in 2016 IEEE Symposium on Security and Privacy (SP), IEEE, 2016, pp. 18–37.

Y. Kim, R. Daly, J. Kim, C. Fallin, J. H. Lee, D. Lee, C. Wilkerson, K. Lai, and O. Mutlu, “Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors,” in ACM SIGARCH Computer Architecture News, vol. 42, no. 3, IEEE Press, 2014, pp. 361–372.

X. Guo, H. Zhu, Y. Jin, and X. Zhang, “When capacitors attack: Formal method driven design and detection of charge-domain Trojans,” in Proceedings of the Conference on Design, Automation & Test in Europe (DATE), European Design and Automation Association, 2019.
