12.4 Hardware-assisted Security

Time	Label	Presentation Title Authors
16:00	12.4.1	HARDWARE-ASSISTED ROOTKIT DETECTION VIA ON-LINE STATISTICAL FINGERPRINTING OF PROCESS EXECUTION Speaker: Yiorgos Makris, University of Texas at Dallas, US Authors: Liwei Zhou and Yiorgos Makris, The University of Texas at Dallas, US Abstract Kernel rootkits generally attempt to maliciously tamper kernel objects and surreptitiously distort program execution flow. Herein, we introduce a hardware-assisted hierarchical on-line system which detects such kernel rootkits by identifying deviation of dynamic intra-process execution profiles based on architecture-level semantics captured directly in hardware. The underlying key insight is that, in order to take effect, malicious manipulation of kernel objects must distort the execution flow of benign processes, thereby leaving abnormal traces in architecture-level semantics. While traditional detection methods rely on software modules to collect such traces, their implementations are susceptible to being compromised through software attacks. In contrast, our detection system maintains immunity to software attacks by resorting to hardware for trace collection. The proposed method is demonstrated on a Linux-based operating system running on a 32-bit x86 architecture, implemented in Simics. Experimental results, using real-world kernel rootkits, corroborate the effectiveness of this method, while a predictive 45nm PDK is used to evaluate hardware overhead. Download Paper (PDF; Only available from the DATE venue WiFi)
16:30	12.4.2	SECURING CONDITIONAL BRANCHES IN THE PRESENCE OF FAULT ATTACKS Speaker: Robert Schilling, Graz University of Technology, AT Authors: Robert Schilling¹, Mario Werner² and Stefan Mangard² ¹Graz University of Technology / Know Center GmbH, AT; ²Graz University of Technology, AT Abstract In typical software, many comparisons and subsequent branch operations are highly critical in terms of security. Examples include password checks, signature checks, secure boot, and user privilege checks. For embedded devices, these security-critical branches are a preferred target of fault attacks as a single bit flip or skipping a single instruction can lead to complete access to a system. In the past, numerous redundancy schemes have been proposed in order to provide control-flow-integrity (CFI) and to enable error detection on processed data. However, current countermeasures for general purpose software do not provide protection mechanisms for conditional branches. Hence, critical branches are in practice often simply duplicated. We present a generic approach to protect conditional branches, which links an encoding-based comparison result with the redundancy of CFI protection mechanisms. The presented approach can be used for all types of data encodings and CFI mechanisms and maintains their error-detection capabilities throughout all steps of a conditional branch. We demonstrate our approach by realizing an encoded comparison based on AN-codes, which is a frequently used encoding scheme to detect errors on data during arithmetic operations. We extended the LLVM compiler so that standard code and conditional branches can be protected automatically and analyze its security. Our design shows that the overhead in terms of size and runtime is lower than state-of-the-art duplication schemes. Download Paper (PDF; Only available from the DATE venue WiFi)
17:00	12.4.3	TOWARDS PROVABLY-SECURE PERFORMANCE LOCKING Speaker: Abhrajit Sengupta, Texas A&M University, US Authors: Monir Zaman¹, Abhrajit Sengupta², Danqing Liu³, Ozgur Sinanoglu⁴, Yiorgos Makris¹ and Jeyavijayan Rajendran³ ¹The University of Texas at Dallas, US; ²New York University, US; ³Texas A&M University, US; ⁴New York University Abu Dhabi, AE Abstract Locking the functionality of an integrated circuit (IC) thwarts attacks such as intellectual property (IP) piracy, hardware Trojans, overbuilding, and counterfeiting. Although functional locking has been extensively investigated, locking the performance of an IC has been little explored. In this paper, we develop provably-secure performance locking, where only on applying the correct key the IC shows superior performance; for an incorrect key, the performance of the IC degrades significantly. This leads to a new business model, where the companies can design a single IC capable of different performances for different users. We develop mathematical definitions of security and theoretically, and experimentally prove the security against the state-of-the-art-attacks. We implemented performance locking on a FabScalar microprocessor, achieving a degradation in instructions per clock cycle (IPC) of up to 77% on applying an incorrect key, with an overhead of 0.6%, 0.2%, and 0% for area, power, and delay, respectively. Download Paper (PDF; Only available from the DATE venue WiFi)
17:15	12.4.4	AN AUTOMATED CONFIGURABLE TROJAN INSERTION FRAMEWORK FOR DYNAMIC TRUST BENCHMARKS Speaker: Jonathan Cruz, University of Florida, US Authors: Jonathan Cruz, Yuanwen Huang, Prabhat Mishra and Swarup Bhunia, University of Florida, US Abstract Abstract—Malicious hardware modification, also known as hardware Trojan attack, has emerged as a serious security concern for electronic systems. Such attacks compromise the basic premise of hardware root of trust. Over the past decade, significant research efforts have been directed to carefully analyze the trust issues arising from hardware Trojans and to protect against them. This vast body of work often needs to rely on well-defined set of trust benchmarks that can reliably evaluate the effectiveness of the protection methods. In recent past, efforts have been made to develop a benchmark suite to analyze the effectiveness of pre-silicon Trojan detection and prevention methodologies. However, there are only a limited number of Trojan inserted benchmarks available. Moreover, there is an inherent bias as the researcher is aware of Trojan properties such as location and trigger condition since the current benchmarks are static. In order to create an unbiased and robust benchmark suite to evaluate the effectiveness of any protection technique, we have developed a comprehensive framework of automatic hardware Trojan insertion. Given a netlist, the framework will automatically generate a design with single or multiple Trojan instances based user-specified Trojan properties. It allows a wide variety of configurations, such as the type of Trojan, Trojan activation probability, number of triggers, and choice of payload. The tool ensures that the inserted Trojan is a valid one and allow for provisions to optimize the Trojan footprint (area and switching). Experiments demonstrate that a state-ofthe- art Trojan detection technique provides poor efficacy when using benchmarks generated by our tool. This tool is available for download from http://www.trust-hub.org/. Download Paper (PDF; Only available from the DATE venue WiFi)
17:30		End of session

Time

Label

Presentation Title
Authors

16:00

12.4.1

HARDWARE-ASSISTED ROOTKIT DETECTION VIA ON-LINE STATISTICAL FINGERPRINTING OF PROCESS EXECUTION
Speaker:
Yiorgos Makris, University of Texas at Dallas, US
Authors:
Liwei Zhou and Yiorgos Makris, The University of Texas at Dallas, US
Abstract
Kernel rootkits generally attempt to maliciously tamper kernel objects and surreptitiously distort program execution flow. Herein, we introduce a hardware-assisted hierarchical on-line system which detects such kernel rootkits by identifying deviation of dynamic intra-process execution profiles based on architecture-level semantics captured directly in hardware. The underlying key insight is that, in order to take effect, malicious manipulation of kernel objects must distort the execution flow of benign processes, thereby leaving abnormal traces in architecture-level semantics. While traditional detection methods rely on software modules to collect such traces, their implementations are susceptible to being compromised through software attacks. In contrast, our detection system maintains immunity to software attacks by resorting to hardware for trace collection. The proposed method is demonstrated on a Linux-based operating system running on a 32-bit x86 architecture, implemented in Simics. Experimental results, using real-world kernel rootkits, corroborate the effectiveness of this method, while a predictive 45nm PDK is used to evaluate hardware overhead.
Download Paper (PDF; Only available from the DATE venue WiFi)

16:30

12.4.2

SECURING CONDITIONAL BRANCHES IN THE PRESENCE OF FAULT ATTACKS
Speaker:
Robert Schilling, Graz University of Technology, AT
Authors:
Robert Schilling¹, Mario Werner² and Stefan Mangard²
¹Graz University of Technology / Know Center GmbH, AT; ²Graz University of Technology, AT
Abstract
In typical software, many comparisons and subsequent branch operations are highly critical in terms of security. Examples include password checks, signature checks, secure boot, and user privilege checks. For embedded devices, these security-critical branches are a preferred target of fault attacks as a single bit flip or skipping a single instruction can lead to complete access to a system. In the past, numerous redundancy schemes have been proposed in order to provide control-flow-integrity (CFI) and to enable error detection on processed data. However, current countermeasures for general purpose software do not provide protection mechanisms for conditional branches. Hence, critical branches are in practice often simply duplicated. We present a generic approach to protect conditional branches, which links an encoding-based comparison result with the redundancy of CFI protection mechanisms. The presented approach can be used for all types of data encodings and CFI mechanisms and maintains their error-detection capabilities throughout all steps of a conditional branch. We demonstrate our approach by realizing an encoded comparison based on AN-codes, which is a frequently used encoding scheme to detect errors on data during arithmetic operations. We extended the LLVM compiler so that standard code and conditional branches can be protected automatically and analyze its security. Our design shows that the overhead in terms of size and runtime is lower than state-of-the-art duplication schemes.
Download Paper (PDF; Only available from the DATE venue WiFi)

17:00

12.4.3

TOWARDS PROVABLY-SECURE PERFORMANCE LOCKING
Speaker:
Abhrajit Sengupta, Texas A&M University, US
Authors:
Monir Zaman¹, Abhrajit Sengupta², Danqing Liu³, Ozgur Sinanoglu⁴, Yiorgos Makris¹ and Jeyavijayan Rajendran³
¹The University of Texas at Dallas, US; ²New York University, US; ³Texas A&M University, US; ⁴New York University Abu Dhabi, AE
Abstract
Locking the functionality of an integrated circuit (IC) thwarts attacks such as intellectual property (IP) piracy, hardware Trojans, overbuilding, and counterfeiting. Although functional locking has been extensively investigated, locking the performance of an IC has been little explored. In this paper, we develop provably-secure performance locking, where only on applying the correct key the IC shows superior performance; for an incorrect key, the performance of the IC degrades significantly. This leads to a new business model, where the companies can design a single IC capable of different performances for different users. We develop mathematical definitions of security and theoretically, and experimentally prove the security against the state-of-the-art-attacks. We implemented performance locking on a FabScalar microprocessor, achieving a degradation in instructions per clock cycle (IPC) of up to 77% on applying an incorrect key, with an overhead of 0.6%, 0.2%, and 0% for area, power, and delay, respectively.
Download Paper (PDF; Only available from the DATE venue WiFi)

17:15

12.4.4

AN AUTOMATED CONFIGURABLE TROJAN INSERTION FRAMEWORK FOR DYNAMIC TRUST BENCHMARKS
Speaker:
Jonathan Cruz, University of Florida, US
Authors:
Jonathan Cruz, Yuanwen Huang, Prabhat Mishra and Swarup Bhunia, University of Florida, US
Abstract
Abstract—Malicious hardware modification, also known as hardware Trojan attack, has emerged as a serious security concern for electronic systems. Such attacks compromise the basic premise of hardware root of trust. Over the past decade, significant research efforts have been directed to carefully analyze the trust issues arising from hardware Trojans and to protect against them. This vast body of work often needs to rely on well-defined set of trust benchmarks that can reliably evaluate the effectiveness of the protection methods. In recent past, efforts have been made to develop a benchmark suite to analyze the effectiveness of pre-silicon Trojan detection and prevention methodologies. However, there are only a limited number of Trojan inserted benchmarks available. Moreover, there is an inherent bias as the researcher is aware of Trojan properties such as location and trigger condition since the current benchmarks are static. In order to create an unbiased and robust benchmark suite to evaluate the effectiveness of any protection technique, we have developed a comprehensive framework of automatic hardware Trojan insertion. Given a netlist, the framework will automatically generate a design with single or multiple Trojan instances based user-specified Trojan properties. It allows a wide variety of configurations, such as the type of Trojan, Trojan activation probability, number of triggers, and choice of payload. The tool ensures that the inserted Trojan is a valid one and allow for provisions to optimize the Trojan footprint (area and switching). Experiments demonstrate that a state-ofthe- art Trojan detection technique provides poor efficacy when using benchmarks generated by our tool. This tool is available for download from http://www.trust-hub.org/.
Download Paper (PDF; Only available from the DATE venue WiFi)

17:30

End of session