8.2 We are all hackers: design and detection of security attacks

Time	Label	Presentation Title Authors
17:00	8.2.1	AUTOMATED TEST GENERATION FOR TROJAN DETECTION USING DELAY-BASED SIDE CHANNEL ANALYSIS Speaker: Prabhat Mishra, University of Florida, US Authors: Yangdi Lyu and Prabhat Mishra, University of Florida, US Abstract Side-channel analysis is widely used for hardware Trojan detection in integrated circuits by analyzing various side-channel signatures, such as timing, power and path delay. Existing delay-based side-channel analysis techniques have two major bottlenecks: (i) they are not suitable in detecting Trojans since the delay difference between the golden design and a Trojan inserted design is negligible, and (ii) they are not effective in creating robust delay signatures due to reliance on random and ATPG based test patterns. In this paper, we propose an efficient test generation technique to detect Trojans using delay-based side channel analysis. This paper makes two important contributions. (1) We propose an automated test generation algorithm to produce test patterns that are likely to activate trigger conditions, and drastically change critical paths. Compared to existing approaches where delay difference is solely based on extra gates from a small Trojan, the change of critical paths by our approach will lead to significant difference in path delay. (2) We propose a fast and efficient reordering technique to maximize the delay deviation between the golden design and Trojan inserted design. Experimental results demonstrate that our approach significantly outperforms state-of-the-art approaches that rely on ATPG or random test patterns for delay-based side-channel analysis. Download Paper (PDF; Only available from the DATE venue WiFi)
17:30	8.2.2	MICROFLUIDIC TROJAN DESIGN IN FLOW-BASED BIOCHIPS Speaker: Shayan Mohammed, New York University, US Authors: Shayan Mohammed¹, Sukanta Bhattacharjee², Yong-Ak Song², Krishnendu Chakrabarty³ and Ramesh Karri¹ ¹New York University, US; ²New York University Abu Dhabi, AE; ³Duke University, US Abstract Microfluidic technologies find application in various safety-critical fields such as medical diagnostics, drug research, and cell analysis. Recent work has focused on security threats to microfluidic-based cyberphysical systems and defenses. So far the threat analysis has been limited to the cases of tampering with control software/hardware, which is common to most cyberphysical control systems in general; in a sense, such an approach is not exclusive to microfluidics. In this paper, we present a stealthy attack paradigm that uses characteristics exclusive to the microfluidic devices - a microfluidic trojan. The proposed trojan payload is a valve whose height has been perturbed to vary its pressure response. This trojan can be triggered in multiple ways based on time or specific operations. These triggers can occur naturally in a bioassay or added into the controlling software. We showcase the trojan application in carrying out practical attacks - contamination, parameter-tampering, and denial-of-service - on a real-life bioassay implementation. Further, we present guidelines to launch stealthy attacks and to counter them. Download Paper (PDF; Only available from the DATE venue WiFi)
18:00	8.2.3	TOWARDS MALICIOUS EXPLOITATION OF ENERGY MANAGEMENT MECHANISMS Speaker: Safouane Noubir, École Polytechnique de l'Université de Nantes, FR Authors: Safouane Noubir, Maria Mendez Real and Sebastien Pillement, École Polytechnique de l'Université de Nantes, FR Abstract Architectures are becoming more and more complex to keep up with the increase of algorithmic complexity. To fully exploit those architectures, dynamic resources managers are required. The goal of dynamic managers is either to optimize the resource usage (e.g. cores, memory) or to reduce energy consumption under performance constraints. However, performance optimization being their main goal, they have not been designed to be secure and present vulnerabilities. Recently, it has been proven that energy managers can be exploited to cause faults within a processor allowing to steal information from a user device. However, this exploitation is not often possible in current commercial devices. In this work, we show current security vulnerabilities through another type of malicious usage of energy management, experimentation shows that it is possible to remotely lock out a device, denying access to all services and data, requiring for example the user to pay a ransom to unlock it. The main target of this exploit are embedded systems and we demonstrate this work by its implementation on two different commercial ARM-based devices. Download Paper (PDF; Only available from the DATE venue WiFi)
18:30	IP4-1, 551	HIT: A HIDDEN INSTRUCTION TROJAN MODEL FOR PROCESSORS Speaker: Jiaqi Zhang, Tongji University, CN Authors: Jiaqi Zhang¹, Ying Zhang¹, Huawei Li² and Jianhui Jiang³ ¹Tongji University, CN; ²Chinese Academy of Sciences, CN; ³School of Software Engineering, Tongji University, CN Abstract This paper explores an intrusion mechanism to microprocessors using illegal instructions, namely hidden instruction Trojan (HIT). It uses a low-probability sequence consisting of normal instructions as a boot sequence, followed by an illegal instruction to trigger the Trojan. The payload is a hidden interrupt to force the program counter to a specific address. Hence the program at the address has the super privileges. Meanwhile, we use integer programming to minimize the trigger probability of HIT within a given area overhead. The experimental results demonstrate that HIT has an extremely low trigger probability and can survive from the detection of the existing test methods. Download Paper (PDF; Only available from the DATE venue WiFi)
18:31	IP4-2, 658	BITSTREAM MODIFICATION ATTACK ON SNOW 3G Speaker: Michail Moraitis, Royal Institute of Technology KTH, SE Authors: Michail Moraitis and Elena Dubrova, Royal Institute of Technology - KTH, SE Abstract SNOW 3G is one of the core algorithms for confidentiality and integrity in several 3GPP wireless communication standards, including the new Next Generation (NG) 5G. It is believed to be resistant to classical cryptanalysis. In this paper, we show that SNOW 3G can be broken by a fault attack based on bitstream modification. By changing the content of some look-up tables in the bitstream, we reduce the non-linear state updating function of SNOW 3G to a linear one. As a result, it becomes possible to recover the key from a known plaintext-ciphertext pair. To our best knowledge, this is the first successful bitstream modification attack on SNOW 3G. Download Paper (PDF; Only available from the DATE venue WiFi)
18:30		End of session

Time

Label

Presentation Title
Authors

17:00

8.2.1

AUTOMATED TEST GENERATION FOR TROJAN DETECTION USING DELAY-BASED SIDE CHANNEL ANALYSIS
Speaker:
Prabhat Mishra, University of Florida, US
Authors:
Yangdi Lyu and Prabhat Mishra, University of Florida, US
Abstract
Side-channel analysis is widely used for hardware Trojan detection in integrated circuits by analyzing various side-channel signatures, such as timing, power and path delay. Existing delay-based side-channel analysis techniques have two major bottlenecks: (i) they are not suitable in detecting Trojans since the delay difference between the golden design and a Trojan inserted design is negligible, and (ii) they are not effective in creating robust delay signatures due to reliance on random and ATPG based test patterns. In this paper, we propose an efficient test generation technique to detect Trojans using delay-based side channel analysis. This paper makes two important contributions. (1) We propose an automated test generation algorithm to produce test patterns that are likely to activate trigger conditions, and drastically change critical paths. Compared to existing approaches where delay difference is solely based on extra gates from a small Trojan, the change of critical paths by our approach will lead to significant difference in path delay. (2) We propose a fast and efficient reordering technique to maximize the delay deviation between the golden design and Trojan inserted design. Experimental results demonstrate that our approach significantly outperforms state-of-the-art approaches that rely on ATPG or random test patterns for delay-based side-channel analysis.
Download Paper (PDF; Only available from the DATE venue WiFi)

17:30

8.2.2

MICROFLUIDIC TROJAN DESIGN IN FLOW-BASED BIOCHIPS
Speaker:
Shayan Mohammed, New York University, US
Authors:
Shayan Mohammed¹, Sukanta Bhattacharjee², Yong-Ak Song², Krishnendu Chakrabarty³ and Ramesh Karri¹
¹New York University, US; ²New York University Abu Dhabi, AE; ³Duke University, US
Abstract
Microfluidic technologies find application in various safety-critical fields such as medical diagnostics, drug research, and cell analysis. Recent work has focused on security threats to microfluidic-based cyberphysical systems and defenses. So far the threat analysis has been limited to the cases of tampering with control software/hardware, which is common to most cyberphysical control systems in general; in a sense, such an approach is not exclusive to microfluidics. In this paper, we present a stealthy attack paradigm that uses characteristics exclusive to the microfluidic devices - a microfluidic trojan. The proposed trojan payload is a valve whose height has been perturbed to vary its pressure response. This trojan can be triggered in multiple ways based on time or specific operations. These triggers can occur naturally in a bioassay or added into the controlling software. We showcase the trojan application in carrying out practical attacks - contamination, parameter-tampering, and denial-of-service - on a real-life bioassay implementation. Further, we present guidelines to launch stealthy attacks and to counter them.
Download Paper (PDF; Only available from the DATE venue WiFi)

18:00

8.2.3

TOWARDS MALICIOUS EXPLOITATION OF ENERGY MANAGEMENT MECHANISMS
Speaker:
Safouane Noubir, École Polytechnique de l'Université de Nantes, FR
Authors:
Safouane Noubir, Maria Mendez Real and Sebastien Pillement, École Polytechnique de l'Université de Nantes, FR
Abstract
Architectures are becoming more and more complex to keep up with the increase of algorithmic complexity. To fully exploit those architectures, dynamic resources managers are required. The goal of dynamic managers is either to optimize the resource usage (e.g. cores, memory) or to reduce energy consumption under performance constraints. However, performance optimization being their main goal, they have not been designed to be secure and present vulnerabilities. Recently, it has been proven that energy managers can be exploited to cause faults within a processor allowing to steal information from a user device. However, this exploitation is not often possible in current commercial devices. In this work, we show current security vulnerabilities through another type of malicious usage of energy management, experimentation shows that it is possible to remotely lock out a device, denying access to all services and data, requiring for example the user to pay a ransom to unlock it. The main target of this exploit are embedded systems and we demonstrate this work by its implementation on two different commercial ARM-based devices.
Download Paper (PDF; Only available from the DATE venue WiFi)

18:30

IP4-1, 551

HIT: A HIDDEN INSTRUCTION TROJAN MODEL FOR PROCESSORS
Speaker:
Jiaqi Zhang, Tongji University, CN
Authors:
Jiaqi Zhang¹, Ying Zhang¹, Huawei Li² and Jianhui Jiang³
¹Tongji University, CN; ²Chinese Academy of Sciences, CN; ³School of Software Engineering, Tongji University, CN
Abstract
This paper explores an intrusion mechanism to microprocessors using illegal instructions, namely hidden instruction Trojan (HIT). It uses a low-probability sequence consisting of normal instructions as a boot sequence, followed by an illegal instruction to trigger the Trojan. The payload is a hidden interrupt to force the program counter to a specific address. Hence the program at the address has the super privileges. Meanwhile, we use integer programming to minimize the trigger probability of HIT within a given area overhead. The experimental results demonstrate that HIT has an extremely low trigger probability and can survive from the detection of the existing test methods.
Download Paper (PDF; Only available from the DATE venue WiFi)

18:31

IP4-2, 658

BITSTREAM MODIFICATION ATTACK ON SNOW 3G
Speaker:
Michail Moraitis, Royal Institute of Technology KTH, SE
Authors:
Michail Moraitis and Elena Dubrova, Royal Institute of Technology - KTH, SE
Abstract
SNOW 3G is one of the core algorithms for confidentiality and integrity in several 3GPP wireless communication standards, including the new Next Generation (NG) 5G. It is believed to be resistant to classical cryptanalysis. In this paper, we show that SNOW 3G can be broken by a fault attack based on bitstream modification. By changing the content of some look-up tables in the bitstream, we reduce the non-linear state updating function of SNOW 3G to a linear one. As a result, it becomes possible to recover the key from a known plaintext-ciphertext pair. To our best knowledge, this is the first successful bitstream modification attack on SNOW 3G.
Download Paper (PDF; Only available from the DATE venue WiFi)

18:30

End of session