There are significant and well documented issues with the small and medium unmanned drones (UAS/UAV) remote controlled & soon to be autonomous. These small/medium wing span airplanes can cross boarders flying below ground based radar that can smuggle drugs or weapons (chemical, biological, even nuclear materials) into US, across more than 10,000 miles of open borders. The security threat posed by drones is significant triggering U.S. House of Representatives subcommittee in 2004 to hear testimony regarding the threat from Dennis Gormley of the Monterey Institute of International Studies’ Center for Nonproliferation Studies.
Today’s integrated circuits are vulnerable to hardware Trojans, which are malicious alternation to the circuit, either during design, fabrication or manufacturing. Motion Matters has developed technologies and tools for detecting potential malicious/backdoor logics in hardware IP-core, toward reducing supply-chain vulnerability in embedded computing and system on chip environment. This topic solicits the development of technologies and tools which perform analysis on gate-level netlist of hardware IP-core to identify potentially malicious wires and logics, related to hardware backdoors. Compromise at hardware level is very powerful, difficult to detect and generally not addressable via software running on it. The solicited tool can be used to screen, detect and disqualify components/IP-cores which contain backdoor circuitry. Tactical computing devices often rely on the system-on-chip embedded computing hardware commonly found in embedded computing devices, often used in mobile computing and networking appliances, as the underlying processing infrastructure. Modern large and complex embedded and system-on-chip (VLSI/FPGA circuit) design often integrates large number of pre-designed components, acquired from third parties. These IP-core components are generally delivered as gate-level netlist. Currently, there is no practical way to ensure that these third party components (IP-cores) do not contain any backdoor or malicious circuitry, which can stealthily compromise the design (system) after deployment. Compromise circuitry embedded within the hardware is generally very hard to detect and defeat.
State of the art methodology for verifying VLSI design includes running unit test on the individual component, as well as performing comprehensive regression test on the full-chip (VLSI) design. However, these tests can only address functionality described in the specifications. They rarely uncover the stealthy, out-of-specification malicious logics, which can only be triggered (activated), by hidden, rare and very-specific occasions. A new approach is needed to uncover these elusive circuits. If successful, the tools developed in this PILOT POGRAM can be used to screen these third party IP-cores to ensure that they do not contain any backdoor/malicious logic. They prevent compromised IP-cores from being integrated into the design and enhance the security of the system. PHASE I: Investigate and develop creative methods, techniques for reliably discovering malicious/backdoor logics in hardware IP-core, normally delivered in the form of gate-level-netlist. Develop proof of concept prototype and identify the metrics that determine the prototype’s efficacy. PHASE II: Develop and enhance the prototype into a fully functioning tool. Demonstrate and evaluate the capability of the tool on actual (real world scale) set of benign IP-Cores and IP-cores with malicious-circuit/ backdoor. PHASE III DUAL USE APPLICATIONS: Inclusion of third party IP-cores is a common practice in system-on-chip design and development in private sector and in military industry. These SOCs hardware have been the backbones for embedded and mobile computing devices in the commercial sector as well as in the military uses. System-on-chip (SOC) hardware (semiconductors) is widely used in commercial application such as network appliances and mobile computing. Security and financial motive for the insertion malicious circuits exists in these applications. Commercial chip provider/manufacturers have interest for ensuring that their product is free of malicious circuits. If successful the tool developed within this PILOT POGRAM should find its market in the commercial sector as well as military sector.
Tactical hardware commonly uses system-on-chip (SoC) integrated circuits (ICs) for embedded applications. SoC designers often integrate a variety of pre-designed components acquired from third parties. These so-called IP cores are generally purchased as gate-level netlists. Currently, there is no practical way to ensure that these third-party components do not contain malicious circuitry, typically referred to as a hardware Trojan. Such illicit circuitry can compromise the integrity of the system, altering behavior, allowing backdoor entry, temporarily disabling functionality, or permanently destroying the device. Malicious hardware has two key properties that make it potentially more damaging than malicious software. First, hardware creates a more persistent attack vector. Whereas software vulnerabilities can be fixed via software updates or patches or reimaging, fixing well-crafted hardware-level vulnerabilities would require physically replacing the compromised hardware. Second, hardware is the lowest layer in the computer system, providing malicious hardware with control over the software running above. This low-level control enables sophisticated and stealthy attacks aimed at evading software-based defenses. Such an attack might use a special, or unlikely, event to trigger deeply buried malicious logic which was inserted during design. For example, attackers might introduce a sequence of bytes into the hardware that activates the malicious logic. This logic in turn might escalate privileges, turn off access control checks, or execute arbitrary instructions, providing a path for the malefactor to take control of the machine. The malicious hardware thus provides a foothold for subsequent system-level attacks.
At present, compromised circuitry embedded within an SOC is very difficult to detect and defeat. Needed is a method to prevent the threat of hardware Trojans. Toward this end, Motion Matters is pleased to propose the development of a Hardware Circuit Inspector (HCI) which will be able to analyze gate-level netlists of IP cores for malicious circuits and report the IP core as either approved, fixed or disapproved. The proposed approach is to first reverse engineering the gate-level netlist, converting it into behavioral elements and small circuits, to facilitate the analysis of the associated design logic. The HCI will then use a layered approached that includes an extensive coverage model and an innovative Unused Circuit Identification (UCI) algorithm to determine whether the IP core contains any suspicious circuitry. If necessary, such sections of the gate-level netlist will be isolated. If the presence of malicious code is confirmed, the tool will attempt to replace the malicious code either with exception or block code to neutralize the threat. The tool will also add the code’s signature to its internal database of known threats.
Modern chip design processes closely resemble software design processes. As with software, the growing complexity of hardware designs creates opportunities for hardware security to be compromised. IC designs consist of millions of lines of code and leverage pre-existing libraries, toolkits, and components. Often, these designs use open-source code and/or pre-designed subcomponents from third parties. Aggregated designs are “compiled” (synthesized) and sent to a foundry for fabrication. A typical SoC design cycle is illustrated in Figure 1. Note that the typical designer employs both secure and unsecure design elements.
Modern chip design processes closely resemble software design processes. As with software, the growing complexity of hardware designs creates opportunities for hardware security to be compromised. IC designs consist of millions of lines of code and leverage pre-existing libraries, toolkits, and components. Often, these designs use open-source code and/or pre-designed sub-components from third parties. Aggregated designs are “compiled” (synthesized) and sent to a foundry for fabrication. A typical SoC design cycle is illustrated in Figure 1. Note that the typical designer employs both secure and unsecure design elements.
A typical SoC architecture is shown in Figure 2. SoCs are widely used in automobiles, banking systems, mobile phones, computer peripherals, medical applications, communication networks and, of course, military hardware. As will be noted, a typical design includes a large number of different IP cores; variously designated in Figure 2 as CAN, USB, PWM, Serial Protocol, Timer Counter, ADC, SPI, USART, Ethernet Memories, Data Controller, Flash Programmer, Memory Controllers, Peripheral Bridge, JTAG, ARM processor, etc. In short, the entire chip can be designed by simply integrating a variety of IP cores, the majority of which are purchased by chip manufacturers from third-party vendors. These third-party IP cores represent a serious potential threat. An adversary could, for instance, create a new IP core, or modify an existing IP core, to include malicious circuitry. The adversary could then distribute or license this block to chip designers in the hope that some of them will incorporate it in their designs. If a hardware Trojan remains undetected during final design validation and verification, compromised chips will be shipped to end users and, in the case of military hardware, integrated into tactical systems.
Hardware Trojans are particularly attractive to US adversaries; because they do not require access to the resources necessary to actually fabricate a chip and insert it into a tightly-controlled supply chain. Trojans have minimal overhead and negligible collateral impact on the functionality of the system. A well-designed Trojan can be nearly invisible to any existing analysis method. It can lie dormant within the design, completely inert until it receives some activation signal. With a hardware Trojan in place, an adversary could, for example, remotely bypass encryptions, access restricted data, permanently/temporarily disable/control a device, or steal passwords.