Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models

Size: px

Start display at page:

Download "Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models"

Lenard Jones
6 years ago
Views:

1 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models L. Piccolboni 1,2, A. Menon 2, and G. Pravadelli 2 1 Columbia University, New York, NY, USA 2 University of Verona, Verona, Italy

Hardware Trojans A Hardware Trojan is defined as a

circuit that results in undesired behaviors Hardware

malicious behavior under specific conditions implements

2 Hardware Trojans A Hardware Trojan is defined as a malicious and intentional alteration of an integrated circuit that results in undesired behaviors Hardware Trojan Trigger Logic Payload Logic activates the malicious behavior under specific conditions implements the actual malicious behavior ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 1 / 21

3 Hardware Trojans Limitations in Current Methodologies Several methodologies have been proposed to detect Trojans at Register-Transfer Level (RTL) Nevertheless, there are still some limitations: 1. Manual effort from designers is required 2. They focus on a specific type of threat, e.g., a particular payload or a trigger ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 2 / 21

Extraction Algorithm Detection Algorithm

4 Contributions We propose a verification approach based on a Control-Flow Subgraph Matching Algorithm RTL Verilog/VHDL Design Under Verification (DUV) RTL Verilog/VHDL Hardware Trojan Library 1 Hardware Trojan Report 2 3 Extraction Algorithm Detection Algorithm Get Control-Flow Graphs Search instances of the (CFGs) from DUV and HTs Trojan CFGs in the DUV ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 3 / 21

5 Background Control-Flow Graphs (CFGs) We build a CFG for each process of the DUV/HT basic block (node) = it is a sequence of instructions without any branch edge = connects the block with b 2 if the block can be executed after b 2 in at least one DUV/HT executions b ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 4 / 21

6 Background Control-Flow Graphs (CFGs) We build a CFG for each process of the DUV/HT first basic block of the process b 2 b 3 b 4 b 5 e 1 last basic block of the process ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 4 / 21

7 Background Control-Flow Graphs (CFGs) We build a CFG for each process of the DUV/HT b 2 b 3 b 4 b 5 Branch rule: left if true right if false e 1 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 4 / 21

8 Background Control-Flow Graphs (CFGs) We build a CFG for each process of the DUV/HT if (reset) a = 1 b = 0 a = 1 b++ b 2 b 3 b 4 b 5 e 1 if (c == 1) a++ b = 0 code associated with the basic blocks ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 4 / 21

Hardware Trojan Library RTL Verilog/VHDL Design Under Verification (DUV) RTL Verilog/VHDL Hardware Trojan Library 1 Hardware Trojan Report Extraction Algorithm Get

9 Hardware Trojan Library RTL Verilog/VHDL Design Under Verification (DUV) RTL Verilog/VHDL Hardware Trojan Library 1 Hardware Trojan Report Extraction Algorithm Get Control-Flow Graphs (CFGs) from DUV and HTs Detection Algorithm Search instances of the Trojan CFGs in the DUV ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 5 / 21

10 Hardware Trojan Library We defined a Hardware Trojan (HT) Library that includes the RTL implementations of known HT triggers and their camouflaged variants ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 5 / 21

11 Hardware Trojan Library Trigger #1: Cheat Codes A cheat code is a value (or sequence of values) that triggers the payload when observed in a register trigger = v 1 & v 2 s 2 if (reset) if (c 1 ) v 1 = 0 v 2 = 0 b 2 b 3 b 4 b 5 if (c 2 & v 1 ) e 1 v 1 = 1 b 6 b 7 v 2 = 1 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 6 / 21

12 Hardware Trojan Library Trigger #2: Dead Machines A dead machine code triggers the payload when specific state-based conditions are satisfied trigger = 1 if (cond) if (reset) s 2 reset vars b 2 b 3 b 4 e 1 case 1 b 4 b 5 case 2 b 7 b 6 case 3 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 7 / 21

13 Hardware Trojan Library Trigger #3: Ticking Timebombs A ticking timebomb triggers the payload when a certain number of clock cycles has been passed ++cnt if (reset) if (reset) s 2 if (cnt == N) b 2 b 3 b 4 e 1 cnt = 0 trigger = 1 b 5 b 6 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 8 / 21

14 Hardware Trojan Library Handling Camouflaged Variants We need an automatic way to extend such basic implementations to find camouflaged variants ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

15 Hardware Trojan Library Handling Camouflaged Variants We need an automatic way to extend such basic implementations to find camouflaged variants trigger = v 1 & v 2 if (reset) Extension directives: s 2 if (c 1 ) 1. parametrizable 1 v 1 = 0 v 2 = 0 b 2 b 3 b 4 b 5 if (c 2 & v 1 ) e 1 v 1 = 1 b 6 b 7 v 2 = 1 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

16 Hardware Trojan Library Handling Camouflaged Variants We need an automatic way to extend such basic implementations to find camouflaged variants e 1 trigger = v 1 & v 2 v 1 = 0 v 2 = 0 v 1 = 1 v 2 = 1 s 2 b 2 b 3 b 4 if (reset) b 6 if (c 1 ) b 5 if (c 2 & v 1 ) b 7 Extension directives: 1. parametrizable 1 2. bound-number 10 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

17 Hardware Trojan Library Handling Camouflaged Variants We need an automatic way to extend such basic implementations to find camouflaged variants e 1 trigger = v 1 & v 2 v 1 = 0 v 2 = 0 v 1 = 1 v 2 = 1 s 2 b 2 b 3 b 4 if (reset) b 6 if (c 1 ) b 5 if (c 2 & v 1 ) b 7 $1 b 8 b 9 $2 Extension directives: 1. parametrizable 1 2. bound-number add-basic-blocks 2 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

18 Hardware Trojan Library Handling Camouflaged Variants We need an automatic way to extend such basic implementations to find camouflaged variants e 1 trigger = v 1 & v 2 v 1 = 0 v 2 = 0 v 1 = 1 v 2 = 1 s 2 b 2 b 3 b 4 if (reset) b 6 if (c 1 ) b 5 if (c 2 & v 1 ) b 7 $1 b 8 b 9 $2 Extension directives: 1. parametrizable 1 2. bound-number add-basic-blocks 2 4. add-edge (b 7, $1) e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

19 Hardware Trojan Library Handling Camouflaged Variants We need an automatic way to extend such basic implementations to find camouflaged variants e 1 trigger = v 1 & v 2 v 1 = 0 v 2 = 0 v 1 = 1 v 2 = 1 s 2 b 2 b 3 b 4 if (reset) b 6 if (c 1 ) b 5 if (c 2 & v 1 ) b 7 $1 b 8 b 9 $2 Extension directives: 1. parametrizable 1 2. bound-number add-basic-blocks 2 4. add-edge (b 7, $1) 5. add-edge (b 7, $2) 6. add-edge ($1, e 2 ) 7. add-edge ($2, e 2 ) e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

20 Hardware Trojan Library Handling Camouflaged Variants We need an automatic way to extend such basic implementations to find camouflaged variants e 1 trigger = v 1 & v 2 v 1 = 0 v 2 = 0 v 1 = 1 v 2 = 1 s 2 b 2 b 3 b 4 if (reset) b 6 if (c 1 ) b 5 if (c 2 & v 1 ) b 7 $1 b 8 b 9 $2 Extension directives: 1. parametrizable 1 2. bound-number add-basic-blocks 2 4. add-edge (b 7, $1) 5. add-edge (b 7, $2) 6. add-edge ($1, e 2 ) 7. add-edge ($2, e 2 ) 8. drop-edge (b 7, e 2 ) e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

21 Hardware Trojan Library Handling Camouflaged Variants We need an automatic way to extend such basic implementations to find camouflaged variants e 1 trigger = v 1 & v 2 v 1 = 0 v 2 = 0 v 1 = 1 v 2 = 1 s 2 b 2 b 3 b 4 e 2 if (reset) b 6 $1 if (c 1 ) b 5 if (c 2 & v 1 ) b 7 b 8 b 9 source $2 Extension directives: 1. parametrizable 1 2. bound-number add-basic-blocks 2 4. add-edge (b 7, $1) 5. add-edge (b 7, $2) 6. add-edge ($1, e 2 ) 7. add-edge ($2, e 2 ) 8. drop-edge (b 7, e 2 ) 9. old-source-block b 7 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

22 Hardware Trojan Library Handling Camouflaged Variants We need an automatic way to extend such basic implementations to find camouflaged variants e 1 trigger = v 1 & v 2 v 1 = 0 v 2 = 0 v 1 = 1 v 2 = 1 s 2 b 2 b 3 b 4 e 2 if (reset) b 6 $1 if (c 1 ) b 5 if (c 2 & v 1 ) b 7 b 8 b 9 source $2 Extension directives: 1. parametrizable 1 2. bound-number add-basic-blocks 2 4. add-edge (b 7, $1) 5. add-edge (b 7, $2) 6. add-edge ($1, e 2 ) 7. add-edge ($2, e 2 ) 8. drop-edge (b 7, e 2 ) 9. old-source-block b up-source-block $2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 9 / 21

23 Hardware Trojan Library Pros and Cons We defined a Hardware Trojan (HT) Library that includes the RTL implementations of known HT triggers and their camouflaged variants Pros Unique verification approach Easy to extend the approach for new hardware Trojans Easy to customize the library to the needs of the user Cons Unique verification approach Need of the implementations of the hardware Trojans Only the hardware Trojans in the library or their variations can be detected ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 10 / 21

24 Hardware Trojan Detection Extraction Algorithm RTL Verilog/VHDL Design Under Verification (DUV) RTL Verilog/VHDL Hardware Trojan Library Hardware Trojan Report 2 Extraction Algorithm Get Control-Flow Graphs (CFGs) from DUV and HTs Detection Algorithm Search instances of the Trojan CFGs in the DUV ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 11 / 21

25 Hardware Trojan Detection Extraction Algorithm module Trigger (input reset, input [127:0] value, output trig); parameter N = 128 hffff_ffff_..._ffff; value) begin if (reset == 1) begin trig <= 0; end else if (value == N) begin trig <= 1; end else begin trig <= 0; end end ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 11 / 21

26 Hardware Trojan Detection Extraction Algorithm module Trigger (input reset, input [127:0] value, output trig); parameter N = 128 hffff_ffff_..._ffff; value) begin if (reset == 1) begin trig <= 0; end else if (value == N) begin trig <= 1; end else begin trig <= 0; end end ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 11 / 21

27 Hardware Trojan Detection Extraction Algorithm module Trigger (input reset, input [127:0] value, output trig); parameter N = 128 hffff_ffff_..._ffff; value) begin if (reset == 1) begin trig <= 0; end else if (value == N) begin trig <= 1; end else begin trig <= 0; end end if (reset == 1) ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 11 / 21

28 Hardware Trojan Detection Extraction Algorithm module Trigger (input reset, input [127:0] value, output trig); parameter N = 128 hffff_ffff_..._ffff; value) begin if (reset == 1) begin trig <= 0; end else if (value == N) begin trig <= 1; end else begin trig <= 0; end end trig <= 0 if (reset == 1) b 2 if (value == N) ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 11 / 21

29 Hardware Trojan Detection Extraction Algorithm module Trigger (input reset, input [127:0] value, output trig); parameter N = 128 hffff_ffff_..._ffff; value) begin if (reset == 1) begin trig <= 0; end else if (value == N) begin trig <= 1; end else begin trig <= 0; trig <= 1 end end trig <= 0 b 3 if (reset == 1) if (value == N) b 2 b 4 trig <= 0 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 11 / 21

30 Hardware Trojan Detection Extraction Algorithm module Trigger (input reset, input [127:0] value, output trig); parameter N = 128 hffff_ffff_..._ffff; value) begin if (reset == 1) begin trig <= 0; end else if (value == N) begin trig <= 1; end else begin trig <= 0; trig <= 1 end end trig <= 0 b 3 e 1 if (reset == 1) if (value == N) b 2 b 4 trig <= 0 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 11 / 21

Hardware Trojan Detection Extraction Algorithm: Probabilities To

approach based on a SMT solver Condition SMT Solver [A. Cimatti et al.

, var == N à Number of models = 1 Number of Models Scalability?

31 Hardware Trojan Detection Extraction Algorithm: Probabilities To calculate the probabilities associated with the arcs, we use an approach based on a SMT solver Condition SMT Solver [A. Cimatti et al., The MathSAT5 SMT Solver ] e.g., var == N à Number of models = 1 Number of Models Scalability? YES, conditions are simple enough! Plus, simple conditions are short-circuited ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 12 / 21

32 Hardware Trojan Detection Extraction Algorithm: Probabilities module Trigger (input reset, input [127:0] value, output trig); parameter N = 128 hffff_ffff_..._ffff; value) begin if (reset == 1) begin trig <= 0; end else if (value == N) begin trig <= 1; end else begin trig <= 0; trig <= 1 end end trig <= 0 b 3 e 1 if (reset == 1) if (value == N) b 2 b 4 trig <= 0 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 12 / 21

33 Hardware Trojan Detection Extraction Algorithm: Probabilities module Trigger (input reset, input [127:0] value, output trig); parameter N = 128 hffff_ffff_..._ffff; value) begin if (reset == 1) begin trig <= 0; end else if (value == N) begin trig <= 1; end else begin trig <= 0; trig <= 1 end end trig <= ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 12 / 21 b 3 e 1 if (reset == 1) b 2 if (value == N) b 4 trig <= 0

34 Hardware Trojan Detection Extraction Algorithm: Probabilities module Trigger (input reset, input [127:0] value, output trig); parameter N = 128 hffff_ffff_..._ffff; value) begin if (reset == 1) begin trig <= 0; end else if (value == N) begin trig <= 1; end else begin trig <= 0; trig <= 1 end end trig <= ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 12 / 21 ~ 0 b 3 e 1 if (reset == 1) b 2 if (value == N) ~ 1 b 4 trig <= 0

35 Hardware Trojan Detection Extraction Algorithm: Probabilities module Trigger (input reset, input [127:0] value, output trig); parameter N = 128 hffff_ffff_..._ffff; value) begin if (reset == 1) begin trig <= 0; end else if (value == N) begin trig <= 1; end else begin trig <= 0; trig <= 1 end end trig <= ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 12 / 21 1 ~ 0 ~ b 3 e 1 1 if (reset == 1) b 2 1 if (value == N) ~ 1 b 4 trig <= 0

36 Hardware Trojan Detection Detection Algorithm RTL Verilog/VHDL Design Under Verification (DUV) RTL Verilog/VHDL Hardware Trojan Library Hardware Trojan Report Extraction Algorithm Get Control-Flow Graphs (CFGs) from DUV and HTs Detection Algorithm Search instances of the Trojan CFGs in the DUV 3 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 13 / 21

37 Hardware Trojan Detection Detection Algorithm trig <= 0 1 trig <= ~ 0 e 1 if (reset == 1) b 2 b 3 b 4 1 Trigger if (value == N) ~ 1 trig <= 0 1 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 13 / 21

38 Hardware Trojan Detection Detection Algorithm ~ 0 b 2 ~ 1 1 b 3 b 4 1 e 1 1 Trigger ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 13 / 21

39 Hardware Trojan Detection Detection Algorithm b 2 b 3 b 4 e 1 Trigger ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 13 / 21

40 Hardware Trojan Detection Detection Algorithm b 2 b 3 b 4 Abstracted Trigger ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 13 / 21

41 Hardware Trojan Detection Detection Algorithm t = 0 if (reset == 1) b 2 if (c 1 c 2 ) 0.25 if (v 1 == K) b 3 b 2 b b 3 ~ 0 b 4 ~ 1 Abstracted Trigger b 4 b 4 b 4 b e 1 DUV 1 t = 1 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 13 / 21

42 Hardware Trojan Detection Detection Algorithm b 2 b 2 b 3 b 4 b 3 b 4 Abstracted Trigger b 4 b 4 b 4 b 4 Abstracted DUV search the trigger in the DUV ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 13 / 21

43 Hardware Trojan Detection Detection Algorithm Match #1 b 2 b 2 b 3 b 4 b 3 b 4 Abstracted Trigger b 4 b 4 b 4 b 4 Abstracted DUV search the trigger in the DUV ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 13 / 21

44 Hardware Trojan Detection Detection Algorithm Match #2 b 2 b 2 b 3 b 4 b 3 b 4 Abstracted Trigger b 4 b 4 b 4 b 4 Abstracted DUV search the trigger in the DUV ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 13 / 21

45 Hardware Trojan Detection Detection Algorithm: Confidence Some Hardware Trojans can be similar to actual legal code: we need to give a confidence value for each match returned by the detection alg. The confidence value is in the range [0, 1] 1 à highest confidence that is a Trojan For each match we evaluate 4 conditions c 1, c 2, c 3 and c 4 à confidence is a linear combination of those conditions (weights vary with triggers) ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 14 / 21

46 Hardware Trojan Detection Detection Algorithm: Confidence c 1 : presence of variables with known behavior Trigger in the HT Library ++cnt if (!reset) if (reset) s 2 if (cnt == N) b 2 b 2 b 3 e 1 cnt = 0 trigger = 1 b 4 b 5 e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 15 / 21

reset) if (reset) s 2 if (var == N) b 2 b 2 b 3 e 1 var = 0 b 4 b 5 it

47 Hardware Trojan Detection Detection Algorithm: Confidence c 1 : presence of variables with known behavior Match in the DUV var += k if (!reset) if (reset) s 2 if (var == N) b 2 b 2 b 3 e 1 var = 0 b 4 b 5 it is similar to a counter! e 2 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 15 / 21

48 Hardware Trojan Detection Detection Algorithm: Confidence c 2 : presence of suspicious reset logics Match in the DUV Trigger in the HT Library b if (reset) b 6 if (reset) Same reset mechanism of the process? Suspicious variables are reset? ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 16 / 21

49 Hardware Trojan Detection Detection Algorithm: Confidence c 3 : average distance of the probabilities Match in the DUV Trigger in the HT Library 0.5 b b b b b 8 b 9 b 3 b 4 confidence = 1 [ ] = ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 17 / 21

50 Hardware Trojan Detection Detection Algorithm: Confidence c 3 : average distance of the probabilities Match in the DUV Trigger in the HT Library 0.5 b b b b b 8 b 9 b 3 b 4 confidence = 1 [ ] = ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 17 / 21

51 Hardware Trojan Detection Detection Algorithm: Confidence c 4 : is there a payload that is affine to the trigger? RTL Verilog/VHDL Hardware Trojan Library Added known implementations of HT payloads The payloads are searched as well in the DUV Are there a matched payload and matched trigger that share some variables? ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 18 / 21

52 Experimental Results We verified the effectiveness of our approach by considering the Trust-HUB Benchmarks and the Cryptoplatform (component from OpenCores) We created a HT Library that includes the same types of HTs (but not the same code) of the HTs that have been included in the benchmarks The goal here is to show that our verification approach can help users to distinguish HTs ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 19 / 21

53 Experimental Results HT Library (Triggers) Cheat codes Name Blocks Edges Cheat-T Cheat-T Cheat-T Cheat-T Cheat-T Cheat-T Timebombs Name Blocks Edges Time-T Time-T Time-T Time-T Time-T Dead machines Name Blocks Edges Mach-T Mach-T ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 19 / 21

54 Experimental Results HT Library (Payloads) Payloads Name Effect Blocks Edges Payload-T001 Infor. leakage Payload-T002 Increase Power 8 9 Payload-T003 Covert Channel Payload-T004 Leakage Current Payload-T005 Modify memory 7 7 Payload-T006 Modify output 7 7 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 19 / 21

55 Experimental Results Characteristics of Benchmarks Name # Diff. Instances Min. # Blocks Trust-HUB Benchmarks Max. # Blocks Min. # Edges Max. # Edges AES RS BasicRSA Name Cryptoplatform (CPU + memory + 5 crypto cores) # Diff. Instances Min. # Blocks Max. # Blocks Min. # Edges Max. # Edges Crypto ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 19 / 21

56 Experimental Results Quantitative Evaluation Trust-HUB Benchmarks Family [A] [B] [C] [C]* This work AES 3/18 9/18 0/18 18/18 18/18 RS232 0/10 0/10 9/10 10/10 10/10 BasicRSA 0/4 2/4 4/4 4/4 4/4 A à [J. Rajendran et al., Detecting Malicious Modifications of Data in Third-Party Intellectual Property Cores, DAC 15] B à [J. Rajendran et al., Formal Security Verification of Third-Party Intellectual Property Cores for Information Leakage, VLSID 16] C à [S. K. Haider et al., HaTCh: Hardware Trojan Catcher, 14] * Assuming they are activated during the learning phase ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 19 / 21

57 Experimental Results Qualitative Evaluation Proposed Approach for Trust-HUB Benchmarks Name Matches Conf HT Conf MAX False+ Time (s) AES-T AES-T AES-T RS232-T BasicRSA-T (Full results in the paper or in the poster) ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 19 / 21

58 Experimental Results Qualitative Evaluation Proposed Approach for Cryptoplatform Name Matches Conf HT Conf MAX False+ Time (s) Crypto-T N/A 0.35 N/A Crypto-T Crypto-T Crypto-T Crypto-T ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 19 / 21

59 Conclusions We presented an automatic approach for the detection of hardware Trojans at RTL 1. Our approach is general: it adopts an approach independent from the specific hardware Trojan 2. Our approach is extendible: new Trojans can be easily added to the Hardware Trojan Library 3. Our approach is fast: it takes only few seconds to find hardware Trojans in large DUVs ACM/IEEE CODES + ISSS 2017, Seoul, South Korea 20 / 21

60 ACM/IEEE CODES + ISSS 2017, Seoul, South Korea Efficient Control-Flow Subgraph Matching for Detecting Hardware Trojans in RTL Models Questions? Speaker: Luca Piccolboni Columbia University, NY, USA University of Verona, Verona, Italy

HaTCh: State-of-the-Art in Hardware Trojan Detection

CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 9a HaTCh follows http://arxiv.org/abs/1605.08413 and https://eprint.iacr.org/2014/943.pdf HaTCh: State-of-the-Art in Hardware Trojan Detection Marten