Malicious LUT: A Stealthy FPGA Trojan Injected and Triggered by the Design Flow

Title: Malicious LUT: A Stealthy FPGA Trojan Injected and Triggered by the Design Flow
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Krieg, Christian; Wolf, Clifford; Jantsch, Axel
Conference Name: Proceedings of the 35th International Conference on Computer-Aided Design
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4466-1
Keywords: command injection attacks, composability, injection, injection attacks, Metrics, pubcrawl, Resiliency
Abstract

We present a novel type of Trojan trigger targeted at the field-programmable gate array (FPGA) design flow. Traditional triggers are based on rare events, such as rare values or sequences. While in most cases these trigger circuits are able to hide a Trojan attack, exhaustive functional simulation and testing will reveal the Trojan due to violation of the specification. Our trigger behaves functionally and formally equivalent to the hardware description language (HDL) specification throughout the entire FPGA design flow, until the design is written by the place-and-route tool as a bitstream configuration file. From then on, the Trojan payload is always on. We implement the trigger signal using a 4-input lookup table (LUT), each of the inputs connecting to the same signal. This lets us directly address the least significant bit (LSB) and most significant bit (MSB) of the LUT. With the remaining 14 bits, we realize a "magic" unary operation. This way, we are able to implement 16 different triggers. We demonstrate the attack with a simple example and discuss the effectiveness of the recent detection techniques unused circuit identification (UCI), functional analysis for nearly-unused circuit identification (FANCI) and VeriTrust in order to reveal our trigger.
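The abstract's core observation, a 4-input LUT whose inputs all carry one signal only ever addresses INIT bits 0 and 15, is modelled below as an added example (not code from the paper or its authors). The `UNARY_SPECS` names, the zero-fill assumption in `canonical_init` and the `audit_tied_lut` heuristic are this example's own; the abstract does not describe how the design flow later changes which bits are reached, so the example only shows why simulation and equivalence checking are blind to the other 14 bits and how a netlist audit could flag them.

```python
# Added example: model a 4-input FPGA LUT with all four inputs tied to one
# signal x, and show which INIT bits are observable to functional checks.

def lut4(init: int, inputs: tuple) -> int:
    """Evaluate a 4-input LUT: return the INIT bit at address I3 I2 I1 I0."""
    i3, i2, i1, i0 = inputs
    addr = (i3 << 3) | (i2 << 2) | (i1 << 1) | i0
    return (init >> addr) & 1

def tied_lut(init: int, x: int) -> int:
    """All four inputs driven by the same net: only addresses 0000 and 1111."""
    return lut4(init, (x, x, x, x))

# HDL-side unary operations the tied LUT may stand in for (names assumed here).
UNARY_SPECS = {
    "buf":  lambda x: x,
    "not":  lambda x: 1 - x,
    "zero": lambda x: 0,
    "one":  lambda x: 1,
}

def equivalent(init: int, spec) -> bool:
    """Functional equivalence over the only reachable input values x in {0, 1}."""
    return all(tied_lut(init, x) == spec(x) for x in (0, 1))

def count_equivalent_inits(op: str) -> int:
    """Number of 16-bit INIT values that pass equivalence for one unary spec.
    Exactly 2**14 of them do: bits 1..14 are unconstrained by any test."""
    spec = UNARY_SPECS[op]
    return sum(1 for init in range(1 << 16) if equivalent(init, spec))

def hidden_bits(init: int) -> int:
    """The 14 INIT bits (1..14) never addressed while the inputs stay tied."""
    return (init >> 1) & 0x3FFF

def canonical_init(op: str) -> int:
    """INIT a benign mapper is assumed to emit: reachable bits set, rest zero."""
    spec = UNARY_SPECS[op]
    return spec(0) | (spec(1) << 15)

def audit_tied_lut(init: int) -> dict:
    """Defender-side netlist check for a LUT whose four inputs share one net:
    report the unary function it implements and whether the 14 unreachable
    INIT bits carry anything besides the canonical fill (heuristic)."""
    matches = [op for op, spec in UNARY_SPECS.items() if equivalent(init, spec)]
    payload = hidden_bits(init)
    return {"implements": matches[0], "hidden_bits": payload,
            "suspicious": payload != 0}
```

Any change in which addresses the LUT actually reaches, for example a different wiring of its inputs in the routed netlist, exposes those hidden bits, which is why the audit reports them rather than trusting equivalence alone.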

URL: http://doi.acm.org/10.1145/2966986.2967054
DOI: 10.1145/2966986.2967054
Citation Key: krieg_malicious_2016