ICAS: an Extensible Framework for Estimating the Susceptibility of IC Layouts to Additive Trojans

2020 IEEE Symposium on Security and Privacy (SP) Pub Date : 2020-05-01 DOI:10.1109/SP40000.2020.00083

Timothy Trippel, K. Shin, K. Bush, Matthew Hicks

{"title":"ICAS: an Extensible Framework for Estimating the Susceptibility of IC Layouts to Additive Trojans","authors":"Timothy Trippel, K. Shin, K. Bush, Matthew Hicks","doi":"10.1109/SP40000.2020.00083","DOIUrl":null,"url":null,"abstract":"The transistors used to construct Integrated Circuits (ICs) continue to shrink. While this shrinkage improves performance and density, it also reduces trust: the price to build leading-edge fabrication facilities has skyrocketed, forcing even nation states to outsource the fabrication of high-performance ICs. Outsourcing fabrication presents a security threat because the black-box nature of a fabricated IC makes comprehensive inspection infeasible. Since prior work shows the feasibility of fabrication-time attackers’ evasion of existing post-fabrication defenses, IC designers must be able to protect their physical designs before handing them off to an untrusted foundry. To this end, recent work suggests methods to harden IC layouts against attack. Unfortunately, no tool exists to assess the effectiveness of the proposed defenses, thus leaving defensive gaps.This paper presents an extensible IC layout security analysis tool called IC Attack Surface (ICAS) that quantifies defensive coverage. For researchers, ICAS identifies gaps for future defenses to target, and enables the quantitative comparison of existing and future defenses. For practitioners, ICAS enables the exploration of the impact of design decisions on an IC’s resilience to fabrication-time attack. ICAS takes a set of metrics that encode the challenge of inserting a hardware Trojan into an IC layout, a set of attacks that the defender cares about, and a completed IC layout and reports the number of ways an attacker can add each attack to the design. While the ideal score is zero, practically, we find that lower scores correlate with increased attacker effort.To demonstrate ICAS’ ability to reveal defensive gaps, we analyze over 60 layouts of three real-world hardware designs (a processor, AES and DSP accelerators), protected with existing defenses. We evaluate the effectiveness of each circuit–defense combination against three representative attacks from the literature. Results show that some defenses are ineffective and others, while effective at reducing the attack surface, leave 10’s to 1000’s of unique attack implementations that an attacker can exploit.","PeriodicalId":6849,"journal":{"name":"2020 IEEE Symposium on Security and Privacy (SP)","volume":"84 2 1","pages":"1742-1759"},"PeriodicalIF":0.0000,"publicationDate":"2020-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"21","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2020 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP40000.2020.00083","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 21

Abstract

The transistors used to construct Integrated Circuits (ICs) continue to shrink. While this shrinkage improves performance and density, it also reduces trust: the price to build leading-edge fabrication facilities has skyrocketed, forcing even nation states to outsource the fabrication of high-performance ICs. Outsourcing fabrication presents a security threat because the black-box nature of a fabricated IC makes comprehensive inspection infeasible. Since prior work shows the feasibility of fabrication-time attackers’ evasion of existing post-fabrication defenses, IC designers must be able to protect their physical designs before handing them off to an untrusted foundry. To this end, recent work suggests methods to harden IC layouts against attack. Unfortunately, no tool exists to assess the effectiveness of the proposed defenses, thus leaving defensive gaps.This paper presents an extensible IC layout security analysis tool called IC Attack Surface (ICAS) that quantifies defensive coverage. For researchers, ICAS identifies gaps for future defenses to target, and enables the quantitative comparison of existing and future defenses. For practitioners, ICAS enables the exploration of the impact of design decisions on an IC’s resilience to fabrication-time attack. ICAS takes a set of metrics that encode the challenge of inserting a hardware Trojan into an IC layout, a set of attacks that the defender cares about, and a completed IC layout and reports the number of ways an attacker can add each attack to the design. While the ideal score is zero, practically, we find that lower scores correlate with increased attacker effort.To demonstrate ICAS’ ability to reveal defensive gaps, we analyze over 60 layouts of three real-world hardware designs (a processor, AES and DSP accelerators), protected with existing defenses. We evaluate the effectiveness of each circuit–defense combination against three representative attacks from the literature. Results show that some defenses are ineffective and others, while effective at reducing the attack surface, leave 10’s to 1000’s of unique attack implementations that an attacker can exploit.

查看原文本刊更多论文

ICAS:一个可扩展的框架，用于估计IC布局对加性木马的易感性

用于构建集成电路(ic)的晶体管继续缩小。虽然这种收缩提高了性能和密度，但也降低了信任度:建造尖端制造设施的价格飙升，甚至迫使国家将高性能集成电路的制造外包。外包制造带来了安全威胁，因为制造集成电路的黑箱性质使得全面检查不可行。由于先前的工作表明制造时攻击者逃避现有制造后防御的可行性，因此IC设计师必须能够在将其交给不受信任的代工厂之前保护其物理设计。为此，最近的工作提出了加强IC布局抵御攻击的方法。不幸的是，没有工具来评估所建议的防御的有效性，因此留下了防御空白。本文提出了一种可扩展的集成电路布局安全分析工具——集成电路攻击面(ICAS)，用于量化防御覆盖范围。对于研究人员来说，ICAS确定了未来防御目标的差距，并能够对现有和未来防御进行定量比较。对于从业者来说，ICAS可以探索设计决策对集成电路抗制造时间攻击的弹性的影响。ICAS采用一组指标，这些指标对将硬件木马插入IC布局的挑战、防御者关心的一组攻击和完整的IC布局进行编码，并报告攻击者可以将每种攻击添加到设计中的方法的数量。虽然理想的分数是零，但实际上，我们发现较低的分数与攻击者的努力增加有关。为了展示ICAS揭示防御漏洞的能力，我们分析了三种现实世界硬件设计(处理器，AES和DSP加速器)的60多种布局，并受到现有防御措施的保护。我们从文献中评估了每种电路防御组合对三种代表性攻击的有效性。结果表明，一些防御是无效的，而另一些防御虽然有效地减少了攻击面，但却留下了10到1000个独特的攻击实现，供攻击者利用。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2020 IEEE Symposium on Security and Privacy (SP)

自引率

0.00%

发文量