Publications

In this work we examine approaches for using implementation diversity to disrupt or disable hardware trojans. We explore a variety of general frameworks for building diverse variants of circuits in voting architectures, and examine the impact of these on attackers and defenders mathematically and empirically. This work is augmented by analysis of a new majority voting technique. We also describe several automated approaches for generating diverse variants of a circuit and empirically study the overheads associated with these. We then describe a general technique for targeting functional circuit modifications to hardware trojans, present several specific implementations of this technique, and study the impact that they have on trojanized benchmark circuits.

Counterfeiting or surreptitious modification of electronic systems is of increasing concern, particularly for critical infrastructure and national security systems. Such systems include avionics, medical devices, military systems, and utility infrastructure. We present experimental results from an approach to uniquely identify printed circuit boards (PCBs) on the basis of device unique variations in surface mount passive components and wire trace patterns. We also present an innovative approach for combining measurements of each of these quantities to create unique, random identifiers for each PCB and report the observed entropy, reliability, and uniqueness of the signatures. These unique signatures can be used directly for verifying the integrity and authenticity of the PCBs, or can serve as the basis for generating cryptographic keys for more secure authentication of the devices during system acquisition or field deployment. Our results indicate that the proposed approaches for measuring and combining these quantities are capable of generating high-entropy, unique signatures for PCBs. The techniques explored do not require system designers to utilize specialized manufacturing processes and implementation is low-cost.

Abstract not provided.

Critical Infrastructure control systems continue to foster predictable communication paths, static configurations, and unpatched systems that allow easy access to our nation's most critical assets. This makes them attractive targets for cyber intrusion. We seek to address these attack vectors by automatically randomizing network settings, randomizing applications on the end devices themselves, and dynamically defending these systems against active attacks. Applying these protective measures will convert control systems into moving targets that proactively defend themselves against attack. Sandia National Laboratories has led this effort by gathering operational and technical requirements from Tennessee Valley Authority (TVA) and performing research and development to create a proof-of-concept solution. Our proof-of-concept has been tested in a laboratory environment with over 300 nodes. The vision of this project is to enhance control system security by converting existing control systems into moving targets and building these security measures into future systems while meeting the unique constraints that control systems face.

We are using the DoD MIL-STD as our guide for microelectronics aging (MIL-STD 883J, Method 1016.2: Life/Reliability Characterization Tests). In that document they recommend aging at 3 temperatures between 200-300C, separated by at least 25C, with the supply voltage at the maximum recommended voltage for the devices at 125C (3.6V in our case). If that voltage causes excessive current or power then it can be reduced and the duration of the tests extended. The MIL-STD also recommends current limiting resistors in series with the supply. Since we don’t have much time and we may not have enough ovens and other equipment, two temperatures separated by at least 50C would be an acceptable backup plan. To ensure a safe range of conditions is used, we are executing 24-hour step tests. For these, we will apply the stress for 24 hours and then measure the device to make sure it wasn’t damaged. During the stress the PUFs should be exercised, but we don’t need to measure their response. Rather, at set intervals our devices should be returned to nominal temperature (under bias), and then measured. The MIL-STD puts these intervals at 4, 8, 16, 32, 64, 128, 256, 512 and 1000 hours, although the test can be stopped early if 75% of the devices have failed. A final recommendation per the MIL-STD is that at least 40 devices should be measured under each condition. Since we only have 25 parts, we will place 10 devices in each of two stress conditions.

Abstract not provided.