Abstract
Over the past decades, there has been an exponential growth in the number of connected devices, often without well-thought-out security mechanisms in place for the relevant network standards and protocols. As a result, security loopholes in these vulnerable connected devices have been discovered and widely exploited, often with devastating consequences. As a countermeasure to these attacks, some of the original network standards have subsequently been enhanced with security features, e.g., the original insecure Ethernet protocol (IEEE 802.3) was supplemented by the IEEE 802.1AE Media Access Control Security (MACSec) standard. In this paper, we present a network packet redirection attack on reconfigurable network devices, specifically a MACSec-enabled NetFPGA-SUME based Ethernet switch, as well as on a NetFPGA-SUME based IPv4 router, by means of Hardware Trojan (HT) insertion. Our HT design is probabilistic in its functionality, with a multi-level trigger mechanism. In the MAC layer attack, an activated HT redirects a frame to an incorrect port, leading to possible eavesdropping by a malicious attacker as well as denial-of-service, while in the network layer attack, upon activation it forwards all IP packets through a sub-optimal router port, causing a denial-of-service attack on the receiver. The proposed HT evades most state-of-the-art HT detection schemes, while having a very low resource footprint. We present the complete architecture, a detailed description of the mode of operation, and the implementation of the HT, with promising experimental results.
A preliminary version of this work was presented at the International Conference on Security, Privacy and Applied Cryptographic Engineering 2019 (SPACE’19). The current version additionally describes a different probabilistic Hardware Trojan attack for the Network Layer that affects IPv4 routing.
Cite this article
Mukherjee, R., Govindan, V., Koteshwara, S. et al. Probabilistic Hardware Trojan Attacks on Multiple Layers of Reconfigurable Network Infrastructure. J Hardw Syst Secur 4, 343–360 (2020). https://doi.org/10.1007/s41635-020-00107-9
DOI: https://doi.org/10.1007/s41635-020-00107-9