Exploiting Switching of Transistors in Digital Electronics for RFID Tag Design
Existing analog-signal side channels, such as EM emanations, are a consequence of current-flow changes that depend on activity inside an electronic circuit. In this paper, we introduce a new class of side channels that is a consequence of impedance changes in switching circuits, and we refer to it as an impedance-based side channel. One example of such a side channel is when digital logic activity causes incoming EM signals to be modulated as they are reflected (backscattered), at frequencies that depend on both the incoming EM signal and the circuit activity. This can cause EM interference or leakage of sensitive information, but it can also be leveraged for RFID tag design. We demonstrate that the impedance difference between transistor gates in the high state and in the low state changes the radar cross section (RCS) and modulates the backscattered signal. Furthermore, we investigate the possibility of implementing the proposed RFID on an ASIC for signal enhancement. Finally, we propose a digital circuit that can be used as a semi-passive RFID tag. To illustrate the adaptability of the proposed RFID, we have designed a variety of RFID applications at carrier frequencies of 5.8 GHz, 17.46 GHz, and 26.5 GHz to demonstrate flexible carrier frequency selection and bit configuration.
- Award ID(s): 1740962
- PAR ID: 10112656
- Date Published:
- Journal Name: IEEE Journal of Radio Frequency Identification
- Volume: 3
- Issue: 2
- ISSN: 2469-7281
- Page Range / eLocation ID: 67-76
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
- This paper describes a new physical side channel, i.e. the backscattering side channel, that is created by transmitting a signal toward the IC, where the internal impedance changes caused by on-chip switching activity modulate the signal that is backscattered (reflected) from the IC. To demonstrate how this new side channel can be used to detect small changes in circuit impedances, we propose a new method for nondestructively detecting hardware Trojans (HTs) from outside of the chip. We experimentally confirm, using measurements on one physical instance for training and nine other physical instances for testing, that the new side channel, when combined with an HT detection method, allows detection of a dormant HT in 100% of the HT-afflicted measurements for a number of different HTs, while producing no false positives in HT-free measurements. Furthermore, additional experiments are conducted to compare the backscattering-based detection to one that uses the traditional EM-emanation-based side channel. These results show that backscattering-based detection outperforms the EM side channel, confirm that dormant HTs are much more difficult to detect than HTs that have been activated, and show how detection is affected by changing the HT's size and physical location on the IC.
- Physical side-channel attacks can compromise the security of integrated circuits. Most physical side-channel attacks (e.g., power or electromagnetic) exploit the dynamic behavior of a chip, typically manifesting as changes in current consumption or voltage fluctuations, and algorithmic countermeasures such as masking can effectively mitigate them. However, as demonstrated recently, these mitigation techniques are not entirely effective against backscattered side-channel attacks such as impedance analysis. In the case of an impedance attack, an adversary exploits the data-dependent impedance variations of the chip's power delivery network (PDN) to extract secret information. In this work, we introduce RandOhm, which exploits a moving target defense (MTD) strategy based on the partial reconfiguration (PR) feature of mainstream FPGAs and programmable SoCs to defend against impedance side-channel attacks. We demonstrate that the information leakage through the PDN impedance can be significantly reduced via runtime reconfiguration of the secret-sensitive parts of the circuitry. Hence, by constantly randomizing the placement and routing of the circuit, one can decorrelate the data-dependent computation from the impedance value. Moreover, in contrast to existing PR-based countermeasures, RandOhm deploys open-source bitstream manipulation tools on programmable SoCs to speed up the randomization and provide real-time protection. To validate our claims, we apply RandOhm to AES ciphers realized on 28-nm FPGAs. We analyze the resiliency of our approach by performing non-profiled and profiled impedance analysis attacks and investigate the overhead of our mitigation in terms of delay and performance.
- Passive radio-frequency identification (RFID) tags are attractive because they are low cost, battery-free, and easy to deploy. This technology has traditionally been used to identify tags attached to objects. In this paper, we explore the feasibility of turning passive RFID tags into battery-free temperature sensors. The impedance of the RFID tag changes with the temperature, and this change is manifested in the signal reflected from the tag. This opens up an opportunity to realize battery-free temperature sensing using a passive RFID tag with the Commercial Off-the-Shelf (COTS) RFID reader-antenna infrastructure already deployed in supply chain management or inventory tracking. However, it is challenging to achieve high accuracy and robustness against changes in the environment. To address these challenges, we first develop a detailed analytical model to capture the impact of temperature change on the tag impedance and the resulting phase of the reflected signal. We then build a system that uses a pair of tags, which respond differently to the temperature change, to cancel out other environmental impacts. Using extensive evaluation, we show that our model is accurate and that our system can estimate the temperature with a 2.9 degree centigrade median error and support a normal read range of 3.5 m in an environment-independent manner.
- In this work, we demonstrate that it is possible to read UHF RFID tags without a carrier. Specifically, we introduce an alternative reader design that does not emit a carrier and allows reading RFID tags intended for conventional carrier-based systems. While traditional RFID tags modulate a carrier, it is important to note that a modulation circuit used for backscatter also modulates the inherent noise of the tag circuitry, including the Johnson noise, irrespective of whether a carrier is present or not. Our Modulated Noise Communication (MNC) approach leverages recent work on Modulated Johnson Noise (MJN) and can be read by an alternative RFID reader design that enables simpler, more accessible RFID readings than a conventional backscatter reader by eliminating self-jamming obstructions. MNC is shown to support wireless transmission of data packets between 2 cm and 10 cm of separation between a standard UHF RFID tag and the proposed alternative reader for data rates of 1 bps and 2 bps.
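The mechanism in the abstract above (a gate's logic state changes the load impedance it presents, hence the reflection coefficient and the backscattered signal) and the backscattering-based Trojan detection summarized in the first item under More Like this, as an added example that is not code from either paper. It is a toy model in Python: the antenna feed impedance Z0, the per-state gate impedances Z_LOW and Z_HIGH, the parallel Trojan load Z_TROJAN, the noise level and the five-standard-error tolerance are all assumed values chosen for illustration, and the nearest-centroid detector is a stand-in, not the detection method the Trojan paper uses. The activity pattern is constructed.

```python
"""Simplified model of the impedance-based backscatter side channel.

Added example: a toy physical model, not the paper's code or measurements.
Assumed quantities (Z0, the per-state gate impedances, the Trojan load, the
noise level and the 5-sigma tolerance) are labelled where they appear.
"""
import cmath
import math
import random

Z0 = 50.0                           # assumed antenna feed impedance (ohms)
Z_LOW = complex(30.0, -10.0)        # assumed load seen when the gate is low
Z_HIGH = complex(80.0, 20.0)        # assumed load seen when the gate is high
Z_TROJAN = complex(1000.0, -300.0)  # assumed extra load of a dormant Trojan's idle gates


def reflection_coefficient(z_load, z0=Z0):
    """Gamma = (Z_L - Z0) / (Z_L + Z0): complex fraction of the incident wave reflected."""
    return (z_load - z0) / (z_load + z0)


def parallel(z_a, z_b):
    """Impedance of two loads in parallel; models extra gates hanging off the same node."""
    return (z_a * z_b) / (z_a + z_b)


def backscatter(bits, z_low=Z_LOW, z_high=Z_HIGH, samples_per_bit=64,
                cycles_per_bit=8, noise_std=0.0, seed=0):
    """Reflected waveform: the unit carrier cos(2*pi*f*t) scaled by Gamma for the
    logic state active in each bit period, plus Gaussian measurement noise."""
    rng = random.Random(seed)
    samples = []
    for bit in bits:
        gamma = reflection_coefficient(z_high if bit else z_low)
        for n in range(samples_per_bit):
            phase = 2 * math.pi * cycles_per_bit * n / samples_per_bit
            samples.append((gamma * cmath.exp(1j * phase)).real + rng.gauss(0.0, noise_std))
    return samples


def estimate_gammas(samples, samples_per_bit=64, cycles_per_bit=8):
    """Coherent reader: mix each bit period with the carrier (I/Q correlation) and
    recover the complex Gamma that produced it. With an integer number of carrier
    cycles per bit the correlation is exact: Re = (2/N) sum s*cos, Im = -(2/N) sum s*sin."""
    gammas = []
    for start in range(0, len(samples), samples_per_bit):
        chunk = samples[start:start + samples_per_bit]
        i_acc = q_acc = 0.0
        for n, s in enumerate(chunk):
            phase = 2 * math.pi * cycles_per_bit * n / samples_per_bit
            i_acc += s * math.cos(phase)
            q_acc += s * math.sin(phase)
        gammas.append(complex(2 * i_acc / len(chunk), -2 * q_acc / len(chunk)))
    return gammas


def demodulate(samples, z_low=Z_LOW, z_high=Z_HIGH, **kw):
    """Recover the tag's bits: the nearer of the two reference Gammas wins."""
    g_low, g_high = reflection_coefficient(z_low), reflection_coefficient(z_high)
    return [1 if abs(g - g_high) < abs(g - g_low) else 0
            for g in estimate_gammas(samples, **kw)]


def train_reference(bits, noise_std, seed=1):
    """Train on one trusted instance: per-state centroid of the estimated Gamma and a
    tolerance of five standard errors of that centroid (a toy detector, not the paper's)."""
    gammas = estimate_gammas(backscatter(bits, noise_std=noise_std, seed=seed))
    ref = {}
    for state in (0, 1):
        gs = [g for b, g in zip(bits, gammas) if b == state]
        centroid = sum(gs) / len(gs)
        rms = math.sqrt(sum(abs(g - centroid) ** 2 for g in gs) / len(gs))
        ref[state] = (centroid, 5.0 * rms / math.sqrt(len(gs)))
    return ref


def is_trojaned(ref, bits, z_low, z_high, noise_std, seed):
    """Drive the device under test with the same activity pattern and flag it if any
    per-state centroid has drifted beyond the reference tolerance."""
    samples = backscatter(bits, z_low, z_high, noise_std=noise_std, seed=seed)
    gammas = estimate_gammas(samples)
    for state, (centroid, tol) in ref.items():
        gs = [g for b, g in zip(bits, gammas) if b == state]
        if abs(sum(gs) / len(gs) - centroid) > tol:
            return True
    return False


if __name__ == "__main__":
    activity = [1, 0, 1, 1, 0, 0, 1, 0] * 8   # constructed activity pattern, 32 bits per state
    print("bits recovered:", demodulate(backscatter(activity[:8], noise_std=0.1)) == activity[:8])
    ref = train_reference(activity, noise_std=0.02)
    print("clean instance flagged:", is_trojaned(ref, activity, Z_LOW, Z_HIGH, 0.02, seed=2))
    print("dormant Trojan flagged:", is_trojaned(ref, activity, parallel(Z_LOW, Z_TROJAN),
                                                 parallel(Z_HIGH, Z_TROJAN), 0.02, seed=3))
```

Run as a script it prints three results: the reader recovers the tag's bits from the reflected carrier alone, a second clean instance measured against the reference is not flagged, and an instance carrying the extra parallel load is flagged even though that load never switches, which is the dormant-Trojan case the abstract describes. The model omits what makes the real measurement hard: package, bond wires and the power delivery network add their own frequency-dependent impedance, so the reference Gammas and the tolerance have to be calibrated per carrier frequency and per test fixture, and a threshold trained on one instance only covers process variation to the extent that the held-out instances confirm it.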