Hardware Security Training, Hands-on!

This is the first book dedicated to hands-on hardware security training. It includes a number of modules that demonstrate attacks on hardware devices and assess the efficacy of countermeasure techniques. The book aims to provide holistic hands-on training to upper-level undergraduate engineering students, graduate students, security researchers, practitioners, and industry professionals, including design engineers, security engineers, system architects, and chief security officers. All the hands-on experiments presented in this book can be implemented on readily available Field Programmable Gate Array (FPGA) development boards, making it easy for academic and industry professionals to replicate the modules at low cost. The book enables readers to gain experience with side-channel attacks, fault-injection attacks, optical probing attacks, PUFs, TRNGs, odometers, hardware Trojan insertion and detection, logic locking insertion and assessment, and more.

Author(s): Mark Tehranipoor, N. Nalla Anandakumar, Farimah Farahmandi
Publisher: Springer
Year: 2023

Language: English
Pages: 330
City: Cham

Preface
Acknowledgments
Contents
About the Authors
Acronyms
1 Physical Unclonable Functions (PUFs)
1.1 Introduction
1.2 Background
1.2.1 RO PUF
1.2.2 MiniZed Board Introduction
1.2.3 FPGA Development Procedure
1.3 PUF Performance Metrics
1.4 Implementation Details of the RO PUF
1.5 Performance Analysis and Discussion
1.5.1 Randomness, Uniqueness, and Reliability
1.5.2 NIST Statistical Test
1.5.3 Entropy Estimation
1.6 Conclusion
References
2 True Random Number Generator (TRNG)
2.1 Introduction
2.2 Background
2.2.1 Sources of Entropy
2.2.2 Ring Oscillator-Based TRNG
2.3 RO-Based TRNG Implementation
2.4 Measures of the Quality of Randomness
2.4.1 Entropy Estimation
2.4.2 Restart Experiment
2.4.3 Statistical Evaluation of the Output
2.5 Conclusion
References
3 Recycled Chip Detection Using RO-Based Odometer
3.1 Introduction
3.2 Background
3.2.1 Motivations and General Flow
3.2.2 Counterfeit Threats
3.3 Recycled FPGA Detection
3.4 FPGA Development Procedure
3.5 Recycled Chip Detection Experiments
3.5.1 Experimental FPGA Platform
3.5.2 Experimental Flow
3.6 Conclusion
References
4 Recycled FPGA Detection
4.1 Introduction
4.2 Background
4.2.1 Look-Up Table Structure
4.2.2 RO Path Formation Using XNOR and XOR Logic
4.2.3 Aging Mechanism
4.3 Classification Using Supervised and Unsupervised Methods
4.3.1 Supervised Classification Method
4.3.2 Unsupervised Classification Method
4.4 The Setup for the Experiment
4.4.1 Bitstream Generation
4.4.2 Bitstream Loading
4.4.3 Capturing Output
4.5 Capturing RO Frequencies and Recycled FPGA Detection
4.5.1 Visualization of RO Frequencies
4.5.2 Analysis Using Machine Learning
4.5.2.1 Supervised Learning Method
4.5.2.2 Unsupervised Learning Method
4.6 Conclusion
References
5 Hardware Trojan Insertion
5.1 Introduction
5.2 Hardware Trojan Attacks
5.2.1 Modern Chip Design Flow and Threat Model
5.2.2 Hardware Trojan Insertion
5.3 Trojan-Infected Implementation on FPGA
5.3.1 FPGA Development Flow
5.3.2 Experimental Setup
5.3.3 Trojan-Infected Design
5.3.4 Compiling Target Design and Trigger Trojan
5.4 Bitstream Tampering for Trojan Triggering
5.4.1 FPGA Bitstream Format Preliminaries
5.4.2 Bitstream Tampering Enabling Trojan Trigger
5.5 Conclusion
References
6 Hardware Trojan Detection
6.1 Introduction
6.2 Hardware Trojan Detection
6.2.1 Overview of Hardware Trojan
6.2.2 Pre-silicon Hardware Trojan Detection
6.2.2.1 Code Coverage Analysis
6.2.2.2 Formal Verification
6.2.2.3 Structural Analysis
6.2.2.4 Logic Testing
6.2.2.5 Functional Analysis
6.2.3 Post-silicon Hardware Trojan Detection
6.2.4 Destructive Method
6.2.5 Nondestructive Method
6.3 Hardware Trojan Detection Experiment
6.3.1 Experimental Setup
6.3.2 Experimental Steps
6.4 Conclusion
References
7 Security Verification
7.1 Introduction
7.2 Background: Writing Properties
7.3 SoC Security Verification Using Property Checking
7.3.1 Security Asset Identification
7.3.2 Threat Model Identification
7.3.3 Generating Security Properties
7.4 Experimental Setup
7.4.1 AES Design
7.4.2 Security Property Development for Verification
7.4.3 Property-to-Assertion Conversion
7.4.4 Compiling Target Design and Property Verification
7.4.5 Tool 1: JasperGold Security Path Verification (SPV)
7.4.6 Tool 2: JasperGold Formal Property Verification
7.5 Conclusion
References
8 Power Analysis Attacks on AES
8.1 Introduction
8.2 Power Analysis Attacks
8.2.1 Power Consumption Characteristics of CMOS
8.2.2 Simple Power Analysis (SPA)
8.2.3 Differential Power Analysis (DPA)
8.2.4 Correlation Power Analysis (CPA)
8.3 AES Implementation on FPGA
8.3.1 Field-Programmable Logic Arrays
8.3.2 AES Algorithm Overview
8.4 Experiment Setup
8.4.1 Hardware and Software
8.4.2 Firmware Setup
8.4.3 Hardware Setup
8.4.3.1 CW305 Default Setup
8.4.3.2 Connect a CW305 board to a ChipWhisperer-Lite/Pro board
8.5 Power Measurements on the AES Chip
8.5.1 AES Bitstream Generation
8.5.2 Capture a Power Trace
8.6 Performing AES CPA Attack
8.6.1 CPA Attack Steps
8.7 Conclusion
References
9 EM Side-Channel Attack on AES
9.1 Introduction
9.2 Background
9.2.1 Measuring EM Radiation
9.2.2 Typical EM Side-Channel Attacks
9.3 Implementation Details of Investigated AES Design
9.4 Measurement Setup
9.5 EM Measurements on the AES Chip
9.5.1 Tool Setup
9.5.2 Capture an EM Trace
9.6 Performing Correlation Electromagnetic Analysis (CEMA) Attack
9.7 Conclusion
References
10 Logic-Locking Insertion and Assessment
10.1 Introduction
10.2 Background
10.2.1 Logic Locking
10.2.2 The Threat Model for Logic Locking
10.3 Review of Existing Logic-Locking Solutions
10.3.1 Combinational Locking
10.3.1.1 Elementary Logic-Locking Solutions
10.3.1.2 LUT and Routing Obfuscation
10.3.1.3 Point Function-Based Logic Locking
10.3.1.4 Combinational Cyclic Obfuscation
10.3.1.5 Sequential Obfuscation
10.3.1.6 Scan Obfuscation
10.3.1.7 Parametric Logic Locking
10.3.1.8 Locking at Higher Level of Abstraction
10.4 Experimental Demonstration
10.4.1 Experimental Setup
10.4.2 Locking Gate Insertion
10.4.3 Random Locking Gate Insertion
10.4.3.1 Fault Analysis-Based Key Gate Insertion
10.4.3.2 Security Evaluation
10.4.4 Equivalency Checking
10.5 Conclusion
References
11 Clock Glitch Fault Attack on FSM in AES Controller
11.1 Introduction
11.2 Background
11.2.1 Fault Models
11.2.2 Clock Glitching
11.2.3 Brief Description of AES
11.2.4 Clock Glitch Attack on FSM in AES Controller
11.2.5 ChipWhisperer CW305 Board
11.3 Experimental Setup
11.4 Performing Clock Glitch Attacks
11.4.1 Performing Clock Glitch Attack
11.4.2 Glitch Explorer
11.4.3 Results
11.5 Conclusion
References
12 Voltage Glitch Attack on an FPGA AES Implementation
12.1 Introduction
12.2 Background
12.2.1 Voltage Glitches
12.2.2 Fault Models
12.2.3 Brief Description of AES
12.2.4 Voltage Glitch Attack on FSM in AES Controller
12.2.5 ChipWhisperer CW305 Board
12.3 Experimental Setup
12.3.1 Hardware Setup
12.3.2 Software Setup
12.4 Performing Voltage Glitch Attacks
12.4.1 Steps in Performing Voltage Glitch Attacks
12.4.2 Starting the Voltage Glitch Attack
12.4.3 Results
12.5 Conclusion
References
13 Laser Fault Injection Attack (FIA)
13.1 Introduction
13.2 Laser Fault Injection Attacks
13.2.1 Analysis of Laser Beams on MOSFETs
13.2.2 Exploitation of Laser Attacks
13.3 Device Under Test (DUT) Circuit on FPGA
13.3.1 Field Programmable Logic Arrays
13.3.2 Device Under Test (DUT)
13.4 Experimental Setup
13.4.1 Hardware and Software
13.4.2 Hardware Setup
13.4.2.1 Diode Laser
13.4.2.2 Spider Tool
13.4.2.3 AC701 Artix-7 Evaluation Board
13.4.3 DUT Bitstream Generation
13.4.4 Hardware Connection
13.4.5 Placement of the FPGA
13.4.6 Fault Injection Attack
13.4.6.1 Fault Injection by Inspector
13.4.7 Bitflip Observation
13.5 Conclusion
References
14 Optical Probing Attack on Logic Locking
14.1 Introduction
14.2 Background
14.2.1 Optical Probing Overview
14.2.2 Logic Locking
14.3 Experiment Setup
14.3.1 Programming the Sample
14.3.2 Sample Preparation
14.3.3 Measurement Setup
14.4 Performing the Attack
14.4.1 Attack on Combinational Logic Locking
14.4.2 Attack on Sequential Logic Locking
14.5 Conclusion
References
15 Universal Fault Sensor
15.1 Introduction
15.2 Background
15.3 FTC Sensor
15.4 Hardware Implementation Setup
15.4.1 Hardware and Software
15.4.2 Bitstream Generation
15.4.3 Capturing Output
15.5 Results and Analysis
15.5.1 EM Attack Analysis
15.5.2 Voltage Glitch Attack Analysis
15.5.3 Clock Glitch Attack Analysis
15.5.4 Proximity Analysis
15.6 Conclusion
References
16 Scanning Electron Microscope Training
16.1 Introduction
16.2 Background
16.2.1 Scanning Electron Microscopy
16.2.2 Beam Interaction
16.2.3 Display and Record System
16.2.4 Specimen Preparation
16.3 Setting Up the Experiment for Image Acquisition with the SEM
16.3.1 Sample Preparation
16.3.2 Sample Loading Inside the SEM
16.3.3 SEM Image Acquisition
16.3.3.1 Turning on the Electron Beam
16.3.3.2 Imaging Mode
16.3.3.3 Beam Intensity, Brightness, and Contrast
16.3.3.4 Magnification, Focus, and Scan Speed
16.3.3.5 Working Distance
16.3.3.6 Column Centering (Wobbler Effect)
16.3.3.7 Stigmatism Correction
16.3.3.8 Image Acquisition
16.4 Hardware Trojan (HT) Detection in ICs Using SEM Images
16.4.1 Equipment and Software Needed for This Work
16.4.2 Prerequisites
16.4.3 Experimental Setup for HT Detection in ICs Using SEM
16.4.3.1 Procedure
16.4.3.2 Sample Preparation
16.4.4 FIB and SEM Imaging
16.4.4.1 FIB Delayering
16.4.4.2 SEM Imaging
16.4.5 Trojan Detection System
16.4.5.1 Pre-processing
16.4.6 Cell Extraction
16.4.7 Synthetic Cell Image Generation
16.4.8 Logical Cell Recognition
16.5 Conclusion
References
Index