A Framework for Automated Exploration of Trojan Attack Space in FPGA Netlists

Abstract

Field Programmable Gate Arrays (FPGAs) provide a flexible compute platform for quick prototyping or hardware acceleration in diverse application domains. However, similar to the global semiconductor life-cycle in the modern supply chain, FPGA-based product development includes processes and interactions with potentially untrusted parties outside the traditional scrutiny of a completely in-house development cycle. An untrusted party or software can maliciously alter a hardware intellectual property (IP) block mapped to an FPGA device during various stages of the FPGA life-cycle. Such malicious alterations, also known as hardware Trojan attacks, have garnered significant research into their detection and prevention in the context of application-specific integrated circuit (ASIC) design flow. However, Trojan attacks in FPGAs have not enjoyed this same attention. Designers often rely on mapping ASIC-specific solutions and evaluation benchmarks to the FPGA domain, which leaves much of the FPGA-specific Trojan space uncovered. We note that the distinctive business model as well as the architectural configurations of FPGAs present unique opportunities for Trojan attacks to an adversary. To this end, we introduce a framework to automatically explore the hardware Trojan attack space in FPGA netlists. It is capable of inserting different types of FPGA-specific Trojans in a netlist enabling rapid exploration of potential Trojan attacks in an FPGA design: soft-template, monolithic, and distributed dark silicon. Soft template Trojans use behavioral templates with random synthesis constraints to increase Trojan structural diversity. Monolithic and distributed dark silicon Trojans use the under-utilized input space (FPGA dark silicon) in FPGA primitives to realize Trojans with effectively zero area and power footprint. Further optimizations are also presented to remove any potential delay impact. We then generate over 1300 Trojan-inserted benchmarks using each of the introduced FPGA Trojan classes, and compare their impact on utilization, delay, and power. Finally, we evaluate our Trojans against a machine learning-based Trojan detection to highlight their evasiveness.