Some generic probabilistic methodologies to identify hardware trojans in arbitrary hardware designs
Given a golden bitstream, a Verilog design, and an input/output-to-serial wrapper:
- Differentiate between bitstreams that have trojans
- Identify the trojans, their functionality, and how they are triggered
The bitstreams can be loaded onto a Basys 3 FPGA dev board for testing
Directory
- Project Directory
- Quickstart
- Motivation
- Methodologies
- Combinational Trojan Detection
- Loading a Bitstream Without Vivado
- Known Issues
- Resources
- References
Name | Purpose |
---|---|
bitfiles | Bitstreams, Verilog and design documentation |
img | Extra docs & demo recordings |
tests | Input/Output Testing scripts |
.gitignore | Git configuration file |
makefile | Rule based scripting file, great for projects |
Dependencies
git clone https://github.com/BarakBinyamin/Trojan-Detection.git && cd Trojan-Detection
make
╔═╗╔═╗╔═╗╔═╗ ╔╦╗┬─┐┌─┐ ┬┌─┐┌┐┌ ╔╦╗┌─┐┌┬┐┌─┐┌─┐┌┬┐┬┌─┐┌┐┌
╠╣ ╠═╝║ ╦╠═╣ ║ ├┬┘│ │ │├─┤│││ ║║├┤ │ ├┤ │ │ ││ ││││
╚ ╩ ╚═╝╩ ╩ ╩ ┴└─└─┘└┘┴ ┴┘└┘ ═╩╝└─┘ ┴ └─┘└─┘ ┴ ┴└─┘┘└┘
Finding hardware trojans in FPGA bitsreams...
Made by Rocky https://linkedin.com/in/barak-binyamin-664a211a1
usage: make <option>
s1 : Collect golden samples using psudorandom input generation for all training/test safe bitstreams
t1 : Run simple tests comparing psudorandom input responses on all training/test trojan bitstreams
TODO Key terms table TODO Project description
This method can be used to detect a combinational trojan
TODO, EQUATIONS for probability of finding combinational trojan
Steps:
- Load Golden Bitstream
- Record output of Pseudorandom Inputs
- Load Bitstream Under Test
- Compare output of Pseudorandom Inputs
Example: TODO GIF
Which bits are affected can be derived from which bit positions ever differed from an expected value
The percentage of outputs that differ from expected values could be used to gain information about how many inputs the trigger has. A higher percentage of outputs affected likely means a looser or larger trigger.
looser: (input[0] OR input[1]) vs. (input[0] AND input[1])
larger: (input[0] OR input[1] OR input[2]) vs. (input[0] OR input[1])
Associating the number of occurrences of 1's and 0's in each bit position with its likelihood of being part of the trigger
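An added example (not code from this repository) that simulates the comparison steps above in Python and derives the affected output bits, the mismatch percentage, and the per-bit 1's statistics used to guess the trigger. The `golden` and `trojaned` functions, the 8-bit width and the trigger itself are constructed stand-ins for the bitstreams and the serial wrapper.

```python
import random

WIDTH = 8  # constructed example: 8-bit input, 8-bit output

def golden(x):
    """Constructed stand-in for the golden design: a fixed bit-mixing function."""
    return ((x * 5) ^ (x >> 3)) & 0xFF

def trojaned(x):
    """Constructed trojan: input[0] AND input[1] AND input[7] flips output bits 2 and 6."""
    if x & 0b10000011 == 0b10000011:
        return golden(x) ^ 0b01000100
    return golden(x)

def compare(reference, under_test, samples=2000, seed=1):
    """Drive both designs with the same pseudorandom inputs and summarise differences."""
    rng = random.Random(seed)            # fixed seed -> repeatable input sequence
    affected, hits = 0, []
    for _ in range(samples):
        x = rng.getrandbits(WIDTH)
        diff = reference(x) ^ under_test(x)
        if diff:
            affected |= diff             # output bit positions that ever differed
            hits.append(x)
    # For each input bit: fraction of mismatching inputs in which that bit was 1.
    ones = [sum((x >> b) & 1 for x in hits) / len(hits) if hits else 0.0
            for b in range(WIDTH)]
    return {"mismatch_rate": len(hits) / samples,
            "affected_mask": affected,
            "ones_fraction": ones}

def trigger_candidates(report, tol=0.0):
    """Input bits that were always 1 (or always 0) when the output was wrong."""
    if report["mismatch_rate"] == 0:     # no mismatch observed: nothing to infer
        return {}
    return {b: 1 if f >= 1 - tol else 0
            for b, f in enumerate(report["ones_fraction"])
            if f >= 1 - tol or f <= tol}

if __name__ == "__main__":
    r = compare(golden, trojaned)
    print(f"mismatch rate : {r['mismatch_rate']:.3f}")
    print(f"affected bits : {r['affected_mask']:08b}")
    print(f"trigger bits  : {trigger_candidates(r)}")
```

A k-input AND trigger fires on roughly 2^-k of uniformly random inputs, so a tight trigger needs many more samples before any mismatch shows up; a clean run here is evidence, not proof, that no combinational trojan is present.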
This method can be used to detect a combinational trojan
- Identify bottlenecks (down to one gate) in a design, where a lot of traffic is going through
- Use Atalanta to find inputs that should make that gate satisfied (evaluate to 1)
- This process will make that gate a pseudo-output
- Gather expected outputs from the inputs
- Verify that the tested output samples match the expected values; if some don't, there's a higher likelihood that the trojan lies behind that bottleneck
--- Method Not Explored ----
- Bitstream train 2: method 1 sometimes returns strange results; it's likely the serial comms getting desynchronized
- Wiki: Automatic test pattern generation
- Setup open-ocd and do fpga bitstream upload
- Digilent Forum: easiest way to upload series 7 bitstream to fpga
- Ascii art generator by patorjk
- Making gifs from videos with ffmpeg
- Atalanta ATPG stuck-at fault testing tool
- Dr. Michael Zuzak, CMPE 361 Intro to Hardware Security Course & Advising, Contact For Resources
- Long Lam, Hardware Security Tutorials & Advising, Contact For Resources
- Brent Nelson, Program 7 Series FPGA from a Mac or Linux Without Xilinx, Github Wiki