Toggle MUX: How X-Optimism Can Lead to Malicious Hardware

Speaker/Bio

Christian Krieg received the bachelor's and master's degree in electrical engineering from TU Wien and is now pursuing his PhD studies on hardware security at TU Wien. His research focuses on design-level hardware Trojan design and detection. He also works on reasonable threat models for hardware Trojan attacks. Christian recently received the ICCAD William McCalla best paper award for a novel hardware Trojan implementation. At a wider scope, Christian's research interests include security-driven design understanding, cyber-physical systems security and IoT security.

Abstract

To highlight a potential threat to hardware security, we propose a methodology to derive a trigger signal from the behavior of Verilog simulation models of field-programmable gate array (FPGA) primitives that behave X-optimistic. We demonstrate our methodology with an example trigger that is implemented using Xilinx 7 Series FPGAs. Experimental results show that it is easily possible to create a trigger signal that is ‘0’ in simulation (pre- and post-synthesis), and ‘1’ in hardware. We show that this kind of trigger is neither detectable by formal equivalence checks, nor by recent Trojan detection techniques. As a countermeasure, we propose to carefully reconsider the utilization of X-optimism in FPGA simulation models.