Crypto Trojan

Imagine the following scenario: a security critical system (e.g. key card) was designed with an AES encryption circuit. The personalized 128 bit key should under no circumstances be accessible by the user. However, somewhere in the production process workflow a hardware trojan was inserted into the chip.

The Crypto Trojan example project provides an AES128 encryption netlist with more than 10000 gates that has been tampered with. The purpose is to demonstrate the HAL analysis tools finding the trojan and learning how it gets activated.

When opening the project be warned that rendering the entire netlist (e.g. by double click on the top module) will take a long time. It might be interesting though to have a look at the overwhelming number of gates but it doesn't reveal the functionality of the circuit nor whether something is wrong with it.

The first tool that is needed is the dataflow plugin. Please go to the plugin manager (main menu > Utilities) page and verify that the dataflow plugin has been activated. If not enable it and restart HAL.

There are two ways to invoke the dataflow analysis:

GUI: Open the dataflow setting form in main menu > Plugins > dataflow. Set the expected register with to 128, select an existing output directory for the results an set the ckeckmark to create a dot graph.

Script: The project comprises a python script named "find_128bit_aes_register.py". Running this script will produce the same results. However, any modification of parameters (e.g. different directory for dot file) requires editing of the python script.

Analysis of the dot file

The graph.dot file is a textual representation of the generated graph and must be converted to your favorite graphic format for viewing. The following example line generates a graph.png file but the dot tool is also capable of generating .pdf, .ps, or .svg files.

dot -Tpng -ograph.png graph.dot

Studying how the 128bit registers are connected reveals immediately their function in the AES encryption circuit. Remember that there exists a round key which is only dependent on the key input register. The actual encoding is done round by round (register pointing to itself) based on data from plain text register and round key register. Then there is finally the ciphertext output register which does not have any successors.

Since the key is the secret which must not be leaked we are alerted spotting a direct connection from key input register to ciphertext output register within the graph. Further analysis steps are necessary to isolate that connection and to understand how leaking the key gets triggered.

Crypto Trojan

Analysis of the dot file

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally