Prepared for BTW2014 Trojans In SRAM Circuits Senwen Kan - AMD/SMU Jennifer Dworak - SMU Overview Background Motivation Trojan Design Inserting Trojans in SRAM Experimental Results Background Israeli use of Electronic Warfare in Operation Orchard , disabled Syrian Air Defense Systems Some Speculate Kill Switch French Military Contractors have Intentionally built in Kill Switch in their military hardware What are Trojans Sequential Vs Combinational Always on Vs Triggered on some condition Leakage, Denial-of-Service (DoS) 3 Why SRAMs? Hard to Detect Simple SRAM 32X32 32 Entries 32 bit wide 2^37 Terms to Trigger on Address lines and/or data Space to Insert Why SRAMs (Cont) SRAMs maybe external IP SRAMs maybe used widely across an SoC, processor caches, register files, storing exception report, used by Crypto Units, FPGAs, & so on Cant Synthesize to netlist (exception would be latch arrays) Dont have accurate ATPG Models Trojan Circuits Trojan 1 Combinational DoS 5 Sub Trojans Once Triggered will Stay on 2 Payload Mechanisms Tri-Stating Scrambling Trojan Circuits (Cont) Trojan 2 Sequential DoS Triggering Mechanism 2 part Payload is Tri-Stating Trojan Circuits (Cont) Trojan 3 Combinational Always on DoS Designed to be evasive Good Design code: assign data_in[W:0] = good_data[W:0]; Trojaned Design code assign data_in[0] = good_data[0]^(good_data[W:0]==TrojanKeyWord); assign data_in[W:1] = good_data[W:1]; Meant to make coverage tools not detect it - at least everything toggled Trojan Insertion Selected 4 Types of industrial SRAMs 2 from OpenSparc Design Library TSA - used by TLU for exceptions Used by network interface 2 from Internal Design Library Processor Data Caches Experimental Results More Details in the Paper But Essentially, 5 to 10 million cycles of Randomized Simulation cant detect anything Did 6N BIST Sims, not catching Anything Q&A