Circumventing a ring oscillator approach to FPGA-based hardware Trojan detection
Ring oscillators are commonly used as a locking mechanism that binds a hardware design to a specific area of silicon within an integrated circuit (IC). This locking mechanism can be used to detect malicious modifications to the hardware design, also known as a hardware Trojan, in situations where such modifications result in a change to the physical placement of the design on the IC. However, careful consideration is needed when designing ring oscillators for such a scenario to guarantee the integrity of the locking mechanism. This paper presents a case study in which flaws discovered in a ring oscillator-based Trojan detection scheme allowed for the circumvention of the security mechanism and the implementation of a large and diverse set of hardware Trojans, limited only by hardware resources.
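To make the locking idea concrete, the following is an added toy model written for this page; it is not the paper's scheme, the design from [1], or code from the CSAW challenge. It models an odd-length inverter ring whose frequency is f = 1 / (2 * N * t_stage), where the per-stage delay has a fixed gate component and a routing component that depends on where the placer puts each stage. A frequency counter samples the ring over a fixed window and the "lock" check compares that count to an enrolment value. All delays, the window length and the 2% tolerance are constructed numbers chosen for illustration.

```python
"""Toy model of ring-oscillator (RO) placement locking (constructed example).

Not the scheme from the paper or from [1]; delays and tolerances are made up
to make the arithmetic easy to follow.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Stage:
    """One inverter stage: fixed LUT delay plus placement-dependent routing delay."""
    gate_delay_ns: float
    route_delay_ns: float


def ro_frequency_mhz(stages):
    """f = 1 / (2 * total loop delay); a signal must traverse the ring twice per period."""
    assert len(stages) % 2 == 1, "an inverter ring needs an odd number of stages to oscillate"
    period_ns = 2.0 * sum(s.gate_delay_ns + s.route_delay_ns for s in stages)
    return 1000.0 / period_ns


def count_cycles(freq_mhz, window_us):
    """What a frequency counter reports: whole RO cycles seen over a reference window."""
    return int(freq_mhz * window_us)


def lock_holds(measured, golden, tolerance=0.02):
    """Integrity check: the measured count must lie within +/- tolerance of the enrolment count."""
    return abs(measured - golden) <= tolerance * golden


# Constructed golden placement: 5 stages, 0.25 ns gate delay and 0.75 ns routing each
# (1.0 ns per stage -> 10 ns period -> 100 MHz).
GOLDEN = tuple(Stage(0.25, 0.75) for _ in range(5))
WINDOW_US = 100.0
GOLDEN_COUNT = count_cycles(ro_frequency_mhz(GOLDEN), WINDOW_US)


def displaced(stages, index, extra_route_ns):
    """Model a modification that pushes one RO stage to a farther location (longer routing)."""
    moved = list(stages)
    moved[index] = replace(moved[index],
                           route_delay_ns=moved[index].route_delay_ns + extra_route_ns)
    return tuple(moved)


def scenario(stages, drift=1.0):
    """Return (counter value, lock passes). `drift` scales frequency to mimic supply or
    temperature variation, which shifts every RO even when the placement is untouched."""
    count = count_cycles(ro_frequency_mhz(stages) * drift, WINDOW_US)
    return count, lock_holds(count, GOLDEN_COUNT)


if __name__ == "__main__":
    print("golden placement            ", scenario(GOLDEN))
    print("modification displaces a stage", scenario(displaced(GOLDEN, 2, 1.0)))
    print("modification leaves RO alone  ", scenario(GOLDEN))
    print("golden, 1% thermal drift      ", scenario(GOLDEN, drift=0.99))
    print("golden, 5% drift (false alarm)", scenario(GOLDEN, drift=0.95))
```

Two things the model makes visible. First, the check only fires when the modification actually moves the ring: a change placed elsewhere on the die leaves the stage delays, and therefore the count, identical to the golden run, which is exactly the limitation the abstract states. Second, real oscillators also move with voltage and temperature, so the tolerance has to be wide enough to absorb that drift without being so wide that a small displacement slips through; the 5% drift row shows a false alarm under the 2% tolerance chosen here.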
The 2010 Computer Security Awareness Week (CSAW) Embedded Systems Challenge, hosted by the Polytechnic Institute of NYU, presented student-led teams from around the country with a hardware hacking challenge. Teams were given the RTL code for two different designs as well as a BASYS 2 evaluation platform carrying a Xilinx Spartan3E-100 Field Programmable Gate Array (FPGA). Both designs incorporated a specific hardening technique [1] intended to detect any modification to the design. The challenge was to surreptitiously embed malicious circuitry, also known as hardware Trojans [2], into the design without triggering that detection.