1 / 11

Trojans In SRAM Circuits

Prepared for BTW ’ 2014. Trojans In SRAM Circuits. Senwen Kan - AMD/SMU Jennifer Dworak - SMU. Overview. Background Motivation Trojan Design Inserting Trojans in SRAM Experimental Results. Background.

phoebe-stanley
Download Presentation

Trojans In SRAM Circuits

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Prepared for BTW’2014 Trojans In SRAM Circuits Senwen Kan - AMD/SMU Jennifer Dworak - SMU

  2. Overview • Background • Motivation • Trojan Design • Inserting Trojans in SRAM • Experimental Results

  3. Background • Israeli use of Electronic Warfare in “Operation Orchard” - 2007, disabled Syrian Air Defense Systems • Some Speculate “Kill Switch” • French Military Contractors have Intentionally built in “Kill Switch” in their military hardware • What are Trojans • Sequential Vs Combinational • Always on Vs Triggered on some condition • Leakage, Denial-of-Service (DoS) 3

  4. Why SRAMs? • Hard to Detect • Simple SRAM 32X32 • 32 Entries • 32 bit wide • 2^37 Terms to Trigger on Address lines and/or data • Space to Insert

  5. Why SRAMs (Cont) • SRAMs maybe external IP • SRAMs maybe used widely across an SoC, processor caches, register files, storing exception report, used by Crypto Units, FPGAs, & so on… • Can’t Synthesize to netlist (exception would be latch arrays) • Don’t have accurate ATPG Models

  6. Trojan Circuits • Trojan 1 • Combinational • DoS • 5 Sub Trojans • Once Triggered will Stay on • 2 Payload Mechanisms • Tri-Stating • Scrambling

  7. Trojan Circuits (Cont) • Trojan 2 • Sequential • DoS • Triggering Mechanism 2 part • Payload is Tri-Stating

  8. Trojan Circuits (Cont) • Trojan 3 • Combinational • Always on • DoS • Designed to be evasive • Good Design code: • assign data_in[W:0] = good_data[W:0]; • Trojan’ed Design code • assign data_in[0] = good_data[0]^(good_data[W:0]==TrojanKeyWord); • assign data_in[W:1] = good_data[W:1]; • Meant to make coverage tools not detect it - at least everything toggled

  9. Trojan Insertion • Selected 4 Types of industrial SRAMs • 2 from OpenSparc Design Library • TSA - used by TLU for exceptions • Used by network interface • 2 from Internal Design Library • Processor Data Caches

  10. Experimental Results • More Details in the Paper • But Essentially, 5 to 10 million cycles of Randomized Simulation can’t detect anything • Did 6N BIST Sims, not catching Anything

  11. Q&A

More Related