Evasive Hardware Trojan through Adversarial Power Trace
Behnam Omidi, Khaled N. Khasawneh, Ihsen Alouani
TL;DR
The paper shows that ML-based hardware Trojan detection using power side-channel traces can be rendered ineffective by adversarial, hardware-implementable power perturbations. It introduces HTO, a pipeline that first generates a universal adversarial power patch and then implements circuitry on ASICs and FPGAs to consume that power trace during HT activation, achieving near-100% evasion with minimal hardware (as little as one transistor in ASIC). It also explores optimizations via patch quantization, unsynchronised patches, and adaptive attacks with spectral budgets, and evaluates countermeasures including spectral defenses and adversarial training, highlighting tradeoffs in security versus utility. The results underscore a significant vulnerability in ML-based HT detection and emphasize the need for robust, multi-faceted defenses in hardware security contexts, with resources and designs openly available online.
Abstract
The globalization of the Integrated Circuit (IC) supply chain, driven by time-to-market and cost considerations, has made ICs vulnerable to hardware Trojans (HTs). Against this threat, a promising approach is to use Machine Learning (ML)-based side-channel analysis, which has the advantage of being a non-intrusive method, along with efficiently detecting HTs under golden chip-free settings. In this paper, we question the trustworthiness of ML-based HT detection via side-channel analysis. We introduce an HT obfuscation (HTO) approach to allow HTs to bypass this detection method. Rather than theoretically misleading the model by simulated adversarial traces, a key aspect of our approach is the design and implementation of adversarial noise as part of the circuitry, alongside the HT. We detail HTO methodologies for ASICs and FPGAs, and evaluate our approach using the TrustHub benchmark. Interestingly, we found that HTO can be implemented with only a single transistor for ASIC designs to generate adversarial power traces that can fool the defense with 100% efficiency. We also efficiently implemented our approach on a Spartan 6 Xilinx FPGA using two different variants: (i) a DSP slices-based design, and (ii) a ring-oscillator-based design. Additionally, we assess the efficiency of countermeasures like spectral domain analysis, and we show that an adaptive attacker can still design evasive HTOs by constraining the design with a spectral noise budget. In addition, while adversarial training (AT) offers higher protection against evasive HTs, AT models suffer from a considerable utility loss, potentially rendering them unsuitable for such security applications. We believe this research represents a significant step in understanding and exploiting ML vulnerabilities in a hardware security context, and we make all resources and designs openly available online: https://dev.d18uu4lqwhbmka.amplifyapp.com
