Mitigating Cyberattacks caused by Fast-Acting Hardware

This is a research based project sponsored by Dr. Saied Hemati and the University of Idaho ECE Department. The goal of this project is to design a nearly undetectable hardware trojan capable of disabling targeted integrated circuits (ICs) and developing defensive schemes to prevent a widespread flash fatal trojan attack.

Background
A widespread flash fatal trojan attack may cause millions of sensitive communications, networking, computing, sensing, and/or interfacing devices to stop working and may cause enormous financial, political, or military losses. Developing techniques for eliminating security weaknesses and circuit vulnerabilities, which can be exploited in a flash fatal Trojan attack, is a high payoff and high risk research goal requiring expertise in cybersecurity, transistor physics, and mixed-signal integrated circuit design techniques.

Mission Statement
To conduct exploratory research on the feasibility of hardware Trojan attacks, and to develop suitable defensive schemes to protect vital systems.

Specifications

 * Trojan must produce enough voltage to break a modern MOSFET or FINFET.


 * Trojan must be able to be built within a simple, existing IC device.


 * Ideally must be hidden and difficult to detect (small layout and very low power consumption).


 * Trojan must be able to be activated by an external signal.


 * If a device is built and validated, research will be conducted on methods to mitigate its effect.

Deliverables
Our deliverables will include:
 * A functioning trojan capable of rendering an IC unusable.
 * Research regarding the best defensive schemes to protect IC's against trojans similar to our design.
 * A technical paper with publishable results.

Vulnerabilities
The idea behind this project is to generate a voltage large enough, that when applied to the oxide layer, it destroys it, rendering the MOSFET useless. For this, we used Cadence to simulate what these breakdown voltages will be, with schematic and simulation results shown below. These breakdown voltages are dependent on the technology used and the thickness of the oxide layer.



DC to DC Converters
Since our goal is to build a voltage up to a gate oxide breakdown level from a low input voltage, we first looked at classic DC boost converters that could be altered to complete the job. The details of these are explained below.

Inductive Boost Converter
The first DC to DC converter that we looked at was the classic DC to DC boost converter.



The boost converter can generate voltages dependent on the size of the capacitor, inductor, and the switching frequency. This topic was not explored too much due to the size of inductors. One consideration was using the integrated circuit packaging intrinsic inductances, or using an off chip inductor. While this style of DC to DC converter could certainly generate the voltages needed, it would be easily identified and thus is not suited for a hardware trojan project.



Charge Pump
The team spent a fair amount of time exploring the charge pump, specifically the Dickson charge pump, as the DC to DC converter to boost the input voltage to gate oxide breakdown level voltages.



Trojan Design
There are two parts to the system design of the Trojan. The first, is the design of the Trojan itself, which produces high voltages on chip capable of rendering the chip unusable. The second is developing a mechanism by which the Trojan could be activated by an external signal.

To build the Trojan, we looked at first building a single stage that produces our desired result of increasing the voltage on the chip. After the design of a single stage, the team worked to put the stages together, where the output voltage of one stage went to the input voltage of the next, allowing us to add together as many stages as needed to produce the necessary output. The final prototype was built using 7 stages. The circuit has not been shown as the request of our sponsor.

The circuit has not been shown at the request of our adviser and project sponsor.

Triggering Mechanism
After initial project learning and discussion with professors, we decided to try to activate the Trojan using a light emitting diode (LED) as the receiver. The concept is that almost all electronic systems have status LEDs – for example, an LED that lights up when the system is on. The question we wanted to answer was, with an extra circuit discretely and secretly implemented into the system, could we send an activation trigger to the Trojan?

LEDs can work in the opposite way for which they are intended - typical use would be to put a voltage across the LED to produce light, but in fact light can also be applied to the LED externally to produce a voltage. Using a high intensity laser, and a circuit that allows us to both use the LED as a status indicator (flashing off and on), we were able to send a signal through the LED to activate the Trojan. The circuit schematic has not been shown at the request of our sponsor. Our setup uses a red LED and a red laser with an output of 3 mW. Higher frequency lasers (such as blue or green) that have larger outputs are easily obtainable and would have a better performance, but not necessary for this project with the LEDs that we are using and the budget that we have. A green LED however, would require the use of a green or blue laser to be activated.

PCB Design
A PCB was designed using DipTrace after building the prototype using discrete components on solderless breadboards. The total size of the PCB is 4” by 4”, with two inputs (Vdd and WAVE for the status LED) and one output (Vout). The final circuit mounted on the PCB contains the following parts:


 * 18 CD4007UBE packages – discrete transistors
 * 7 capacitors
 * 1 LM714 Operational Amplifier
 * 3 Resistors
 * 1 LED
 * Input Port
 * Output Port

Some of these, parts, including the resistors, LED, and wave input, are there to simulate the external system that the Trojan would be connected to and hidden in. The operational amplifier and one PMOS transistor are used to turn the system’s LED into an activation mechanism. Packaging for the final PCB was designed and 3D printed for our project by another senior design team, the Trailer Park Boys (see their project here).

Future Work
This project was started from the beginning this semester, and finished within the academic year. The team is currently exploring opportunities to present their design and findings in journals or conferences. Rafael Watanabe will be pursuing graduate studies at the University of Idaho, and may continue writing papers on this subject.

One of the initial goals of the project was to have the trojan fabricated on chip by MOSIS and packaged. Continuing with this and making a chip, instead of building using discrete components, would be an interesting and useful continuation of this project.

Documentation
Further Documentation is shown here.

Meeting Minutes

Schedule

Gantt Chart

Budget

The Team


{| class="wikitable collapsible" style="width:80%; margin-right:auto; background: #FFFFFF; border:2px solid #FFFFFF;" !style="background-color:#000000; width:65%"| Member !style="background-color:#000000; width:35%"| Discipline
 * - style="color:white"

Hector grew up in Boise, Idaho. His academic interests include microelectronics and power electronics. Outside of school, he enjoys just being a dude. After graduation, he plans on becoming a hard working engineer in the workforce. Dustin was born and raised in Idaho Falls, Idaho. His academic interests include electronics and communication systems. Throughout his time at the University of Idaho, he has served as a lab assistant for the Circuits I lab and as President of the ECE Ambassadors organization. Outside of school, he enjoys playing hockey and woodworking. After graduation, he is moving to Orlando, FL, to be a Systems Integration and Test Engineer.
 * Hector Cruz || Electrical Engineering
 * colspan="6"| teamtbd_hector.jpg
 * colspan="6"| teamtbd_hector.jpg
 * colspan="6"| teamtbd_hector.jpg
 * colspan="6" bgcolor="#000000"|
 * Dustin Mallett || Electrical Engineering & Applied Scientific Modeling Mathematics
 * colspan="6"| teamtbddustin.jpg
 * Dustin Mallett || Electrical Engineering & Applied Scientific Modeling Mathematics
 * colspan="6"| teamtbddustin.jpg
 * colspan="6"| teamtbddustin.jpg

Brenton grew up in Kuna, Idaho. His academic interests include microelectronic design and semiconductor devices. Outside of school, he enjoys playing on the University of Idaho club lacrosse team. After graduation, he is moving back to Boise to be a DRAM Product Engineer at Micron Technology. Rafael is from Aguas Claras, Brazil. His academic interests include microelectronic design and power electronics. After graduation, he intends on continuing towards a masters degree here at the University of Idaho with a focus on power electronics.
 * colspan="6" bgcolor="#000000"|
 * Brenton Van Leeuwen || Electrical Engineering
 * colspan="6"| teamtbd_brenton.jpg
 * Brenton Van Leeuwen || Electrical Engineering
 * colspan="6"| teamtbd_brenton.jpg
 * colspan="6"| teamtbd_brenton.jpg
 * colspan="6" bgcolor="#000000"|
 * Rafael Watanabe || Electrical Engineering & Applied Scientific Modeling Mathematics
 * colspan="6"| teamtbd_rafael.jpg
 * Rafael Watanabe || Electrical Engineering & Applied Scientific Modeling Mathematics
 * colspan="6"| teamtbd_rafael.jpg
 * colspan="6"| teamtbd_rafael.jpg
 * colspan="6" bgcolor="#000000"|
 * -}
 * -}