Synthesis of hardware sandboxes for Trojan mitigation in systems on chip

2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST) Pub Date : 2017-05-01 DOI:10.1109/HST.2017.7951836

C. Bobda, Taylor J. L. Whitaker, C. Kamhoua, K. Kwiat, L. Njilla

{"title":"Synthesis of hardware sandboxes for Trojan mitigation in systems on chip","authors":"C. Bobda, Taylor J. L. Whitaker, C. Kamhoua, K. Kwiat, L. Njilla","doi":"10.1109/HST.2017.7951836","DOIUrl":null,"url":null,"abstract":"In this work, we propose a design flow for automatic generation of hardware sandboxes purposed for IP security in trusted system-on-chips (SoCs). Our tool CAPSL, the Component Authentication Process for Sandboxed Layouts, is capable of detecting trojan activation and nullifying possible damage to a system at run-time, avoiding complex pre-fabrication and pre-deployment testing for trojans. Our approach captures the behavioral properties of non-trusted IPs, typically from a third-party or components off the shelf (COTS), with the formalism of interface automata and the Property Specification Language's sequential extended regular expressions (SERE). Using the concept of hardware sandboxing, we translate the property specifications to checker automata and partition an untrusted sector of the system, with included virtualized resources and controllers, to isolate sandbox-system interactions upon deviation from the behavioral checkers. Our design flow is verified with benchmarks from Trust-Hub.org, which show 100% trojan detection with reduced checker overhead compared to other run-time verification techniques.","PeriodicalId":190635,"journal":{"name":"2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","volume":"16 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/HST.2017.7951836","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 2

Abstract

In this work, we propose a design flow for automatic generation of hardware sandboxes purposed for IP security in trusted system-on-chips (SoCs). Our tool CAPSL, the Component Authentication Process for Sandboxed Layouts, is capable of detecting trojan activation and nullifying possible damage to a system at run-time, avoiding complex pre-fabrication and pre-deployment testing for trojans. Our approach captures the behavioral properties of non-trusted IPs, typically from a third-party or components off the shelf (COTS), with the formalism of interface automata and the Property Specification Language's sequential extended regular expressions (SERE). Using the concept of hardware sandboxing, we translate the property specifications to checker automata and partition an untrusted sector of the system, with included virtualized resources and controllers, to isolate sandbox-system interactions upon deviation from the behavioral checkers. Our design flow is verified with benchmarks from Trust-Hub.org, which show 100% trojan detection with reduced checker overhead compared to other run-time verification techniques.

查看原文本刊更多论文

在芯片系统中合成硬件沙盒以缓解木马威胁

在这项工作中，我们提出了一种自动生成硬件沙箱的设计流程，目的是在可信片上系统（SoC）中实现 IP 安全。我们的工具 CAPSL（用于沙箱布局的组件验证流程）能够检测木马激活，并在运行时消除可能对系统造成的破坏，从而避免复杂的预制和部署前木马测试。我们的方法利用接口自动机的形式主义和属性规范语言的顺序扩展正则表达式（SERE）捕捉非信任 IP 的行为属性，这些 IP 通常来自第三方或现成组件（COTS）。利用硬件沙箱的概念，我们将属性规范转化为校验自动机，并划分出系统的非信任区域，其中包括虚拟化资源和控制器，以便在偏离行为校验时隔离沙箱与系统之间的交互。我们的设计流程通过 Trust-Hub.org 提供的基准进行了验证，结果显示，与其他运行时验证技术相比，木马检测率达到 100%，同时降低了检查器开销。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)

自引率

0.00%

发文量