Linköping University: Students Alumni Trade and Industry/Society Internal Search
TCAD2024_OMADTIIS

On Modeling and Detecting Trojans in Instruction Sets

Ying Zhang
 
Aodi He
Jiaying Li
 
Ahmed Rezine
Zebo Peng Author homepage
 
Erik Larsson
Tao Yang
 
Jianhui Jiang
Huawei Li

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 43, no. 10, pp. 3226-3239

ABSTRACT
Amid growing concerns about hardware security, comprehensive security testing has become essential for chip certification. This article proposes a deep-testing method for identifying Trojans of particular concern to middle-to-high-end users, with a focus on illegal instructions. A hidden instruction Trojan can employ a low-probability sequence of normal instructions as a boot sequence, which is followed by an illegal instruction that triggers the Trojan. This enables the Trojan to remain deeply hidden within the processor. It then exploits an intrusion mechanism to acquire Linux control authority by setting a hidden interrupt as its payload. We have developed an unbounded model checking (UMC) technique to uncover such Trojans. The proposed UMC technique has been optimized with slicing based on the input cone, head-point replacement, and backward implication. Our experimental results demonstrate that the presented instruction Trojans can survive detection by existing methods, thus allowing normal users to steal root user privileges and compromising the security of processors. Moreover, our proposed deep-testing method is empirically shown to be a powerful and effective approach for detecting these instruction Trojans.


[ZHLR24] Ying Zhang, Aodi He, Jiaying Li, Ahmed Rezine, Zebo Peng, Erik Larsson, Tao Yang, Jianhui Jiang, Huawei Li, "On Modeling and Detecting Trojans in Instruction Sets", IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 43, no. 10, pp. 3226-3239
( ! ) perl script by Giovanni Squillero with modifications from Gert Jervan   (v3.1, p5.2, September-2002-)