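% Publications by Qazi Arbab Ahmed and co-authors on hardware Trojans in FPGAs
% (bitstream-level verification with proof-carrying hardware, malicious routing,
% Trojans in approximate circuits), newest first.
% Citation keys are the numeric record ids of the exporting repository.
% Field values use a single pair of braces. In titles only acronyms and proper
% nouns are brace-protected, so a bibliography style can apply its own casing.
% Author lists are left unprotected so that each name is parsed separately.

% Record 52686: volume, number and pages are absent from the source record;
% confirm them via the DOI before citing.
@article{52686,
  author    = {Ahmed, Qazi Arbab and Wiersema, Tobias and Platzner, Marco},
  title     = {Post-configuration Activation of Hardware {Trojans} in {FPGAs}},
  journal   = {Journal of Hardware and Systems Security},
  publisher = {Springer Science and Business Media LLC},
  year      = {2024},
  issn      = {2509-3428},
  doi       = {10.1007/s41635-024-00147-5},
  keywords  = {General Engineering, Energy Engineering and Power Technology},
}

% Record 44194: no DOI or page range in the source record.
@inproceedings{44194,
  author    = {Ahmed, Qazi Arbab and Awais, Muhammad and Platzner, Marco},
  title     = {{MAAS}: Hiding {Trojans} in Approximate Circuits},
  booktitle = {The 24th International Symposium on Quality Electronic Design (ISQED'23), San Francisco, California, USA},
  location  = {San Francisco, CA 94023-0607, USA},
  year      = {2023},
}

% Record 29769: the degree-granting institution is given in school, which the
% thesis entry type requires; the source record carried it in publisher.
@phdthesis{29769,
  author    = {Ahmed, Qazi Arbab},
  title     = {Hardware {Trojans} in Reconfigurable Computing},
  school    = {Paderborn University},
  location  = {Paderborn, Germany},
  year      = {2022},
  doi       = {10.17619/UNIPB/1-1271},
  keywords  = {FPGA Security, Hardware Trojans, Bitstream-level Trojans, Bitstream Verification},
  abstract  = {Wettstreit zwischen der Entwicklung neuer Hardwaretrojaner und entsprechender Gegenmaßnahmen beschreiten Widersacher immer raffiniertere Wege um Schaltungsentwürfe zu infizieren und dabei selbst fortgeschrittene Test- und Verifikationsmethoden zu überlisten. Abgesehen von den konventionellen Methoden um einen Trojaner in eine Schaltung für ein Field-programmable Gate Array (FPGA) einzuschleusen, können auch die Entwurfswerkzeuge heimlich kompromittiert werden um einen Angreifer dabei zu unterstützen einen erfolgreichen Angriff durchzuführen, der zum Beispiel Fehlfunktionen oder ungewollte Informationsabflüsse bewirken kann. Diese Dissertation beschäftigt sich hauptsächlich mit den beiden Blickwinkeln auf Hardwaretrojaner in rekonfigurierbaren Systemen, einerseits der Perspektive des Verteidigers mit einer Methode zur Erkennung von Trojanern auf der Bitstromebene, und andererseits derjenigen des Angreifers mit einer neuartigen Angriffsmethode für FPGA Trojaner.
Für die Verteidigung gegen den Trojaner ``Heimtückische LUT'' stellen wir die allererste erfolgreiche Gegenmaßnahme vor, die durch Verifikation mittels Proof-carrying Hardware (PCH) auf der Bitstromebene direkt vor der Konfiguration der Hardware angewendet werden kann, und präsentieren ein vollständiges Schema für den Entwurf und die Verifikation von Schaltungen für iCE40 FPGAs. Für die Gegenseite führen wir einen neuen Angriff ein, welcher bösartiges Routing im eingefügten Trojaner ausnutzt um selbst im fertigen Bitstrom in einem inaktiven Zustand zu verbleiben: Hierdurch kann dieser neuartige Angriff zur Zeit weder von herkömmlichen Test- und Verifikationsmethoden, noch von unserer vorher vorgestellten Verifikation auf der Bitstromebene entdeckt werden.},
}

% Record 32342: the conference name is given in booktitle, which the entry type
% requires; the source record carried it in publisher. No DOI or pages known.
@inproceedings{32342,
  author    = {Ahmed, Qazi Arbab and Platzner, Marco},
  title     = {On the Detection and Circumvention of Bitstream-Level {Trojans} in {FPGAs}},
  booktitle = {IEEE Computer Society Annual Symposium on VLSI (ISVLSI, 2022)},
  location  = {Pafos, Cyprus},
  year      = {2022},
}

@inproceedings{29138,
  author    = {Ahmed, Qazi Arbab},
  title     = {Hardware {Trojans} in Reconfigurable Computing},
  booktitle = {2021 IFIP/IEEE 29th International Conference on Very Large Scale Integration (VLSI-SoC)},
  year      = {2021},
  doi       = {10.1109/vlsi-soc53125.2021.9606974},
}

% Record 20681: the source record repeated the conference name in publisher;
% that field is omitted here because it did not name a publisher.
@inproceedings{20681,
  author    = {Ahmed, Qazi Arbab and Wiersema, Tobias and Platzner, Marco},
  title     = {Malicious Routing: Circumventing Bitstream-level Verification for {FPGAs}},
  booktitle = {2021 Design, Automation \& Test in Europe Conference \& Exhibition (DATE)},
  location  = {Alpexpo, Grenoble, France},
  year      = {2021},
  doi       = {10.23919/DATE51398.2021.9474026},
  abstract  = {The battle of developing hardware Trojans and corresponding countermeasures has taken adversaries towards ingenious ways of compromising hardware designs by circumventing even advanced testing and verification methods.
Besides conventional methods of inserting Trojans into a design by a malicious entity, the design flow for field-programmable gate arrays (FPGAs) can also be surreptitiously compromised to assist the attacker to perform a successful malfunctioning or information leakage attack. The advanced stealthy malicious look-up-table (LUT) attack activates a Trojan only when generating the FPGA bitstream and can thus not be detected by register transfer and gate level testing and verification. However, also this attack was recently revealed by a bitstream-level proof-carrying hardware (PCH) approach. In this paper, we present a novel attack that leverages malicious routing of the inserted Trojan circuit to acquire a dormant state even in the generated and transmitted bitstream. The Trojan's payload is connected to primary inputs/outputs of the FPGA via a programmable interconnect point (PIP). The Trojan is detached from inputs/outputs during place-and-route and re-connected only when the FPGA is being programmed, thus activating the Trojan circuit without any need for a trigger logic. Since the Trojan is injected in a post-synthesis step and remains unconnected in the bitstream, the presented attack can currently neither be prevented by conventional testing and verification methods nor by recent bitstream-level verification techniques.},
}

@inproceedings{9913,
  author    = {Ahmed, Qazi Arbab and Wiersema, Tobias and Platzner, Marco},
  title     = {Proof-Carrying Hardware Versus the Stealthy Malicious {LUT} Hardware {Trojan}},
  booktitle = {Applied Reconfigurable Computing},
  editor    = {Hochberger, Christian and Nelson, Brent and Koch, Andreas and Woods, Roger and Diniz, Pedro},
  volume    = {11444},
  pages     = {127--136},
  publisher = {Springer International Publishing},
  location  = {Darmstadt, Germany},
  year      = {2019},
  isbn      = {978-3-030-17227-5},
  doi       = {10.1007/978-3-030-17227-5_10},
  abstract  = {Reconfigurable hardware has received considerable attention as a platform that enables dynamic hardware updates and thus is able to adapt new configurations at runtime.
However, due to their dynamic nature, e.g., field-programmable gate arrays (FPGA) are subject to a constant possibility of attacks, since each new configuration might be compromised. Trojans for reconfigurable hardware that evade state-of-the-art detection techniques and even formal verification, are thus a large threat to these devices. One such stealthy hardware Trojan, that is inserted and activated in two stages by compromised electronic design automation (EDA) tools, has recently been presented and shown to evade all forms of classical pre-configuration detection techniques. This paper presents a successful pre-configuration countermeasure against this ``Malicious Look-up-table (LUT)''-hardware Trojan, by employing bitstream-level Proof-Carrying Hardware (PCH). We show that the method is able to alert innocent module creators to infected EDA tools, and to prohibit malicious ones to sell infected modules to unsuspecting customers.},
}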