This paper describes a new physical side channel, the backscattering side channel, which is created by transmitting a signal toward an IC: internal impedance changes caused by on-chip switching activity modulate the signal that is backscattered (reflected) from the IC. To demonstrate how this new side channel can be used to detect small changes in circuit impedance, we propose a new method for nondestructively detecting hardware Trojans (HTs) from outside the chip. We experimentally confirm, using measurements on one physical instance for training and nine other physical instances for testing, that the new side channel, combined with an HT detection method, detects a dormant HT in 100% of the HT-afflicted measurements for a number of different HTs while producing no false positives in HT-free measurements. Additional experiments compare backscattering-based detection with detection that uses the traditional EM-emanation side channel. These results show that backscattering-based detection outperforms the EM side channel, confirm that dormant HTs are much more difficult to detect than HTs that have been activated, and show how detection is affected by the HT's size and physical location on the IC.
Exploiting Switching of Transistors in Digital Electronics for RFID Tag Design
Existing analog-signal side channels, such as EM emanations, are a consequence of current-flow changes that depend on activity inside an electronic circuit. In this paper, we introduce a new class of side channels that is a consequence of impedance changes in switching circuits, and we refer to it as an impedance-based side channel. One example of such a side channel is when digital logic activity causes incoming EM signals to be modulated as they are reflected (backscattered), at frequencies that depend on both the incoming EM signal and the circuit activity. This can cause EM interference or leakage of sensitive information, but it can also be leveraged for RFID tag design. We demonstrate that the impedance difference between transistor gates in the high state and in the low state changes the radar cross section (RCS) and modulates the backscattered signal. We also investigate implementing the proposed RFID on an ASIC for signal enhancement. Finally, we propose a digital circuit that can be used as a semi-passive RFID tag. To illustrate the adaptability of the proposed RFID, we design a variety of RFID applications at carrier frequencies of 5.8 GHz, 17.46 GHz, and 26.5 GHz to demonstrate flexible carrier frequency selection and bit configuration.
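The mechanism the abstract describes, a switching node alternating the chip's reflection coefficient so that the illuminating carrier picks up sidebands, can be made concrete with a small simulation. The following is an added example written for this page, not code from the paper or its authors. It assumes a constructed model: one node toggling as a 50% duty square wave at a single switching frequency, two illustrative reflection-coefficient values for the logic-low and logic-high states, no noise and no reader electronics. Frequencies are expressed in DFT bins (cycles per observation window) so that the carrier and its sidebands fall exactly on bins.

```python
"""
Toy simulation of the backscattering side channel: a node switching between
logic low and logic high alternates the IC's reflection coefficient between
two values, so the illuminating carrier is multiplied by a time-varying
reflection and acquires sidebands at carrier +/- odd multiples of the
switching frequency.

Constructed model, not the paper's: 50% duty square-wave switching at one
frequency, two reflection-coefficient values, no noise, no reader hardware.
"""
import cmath
import math

N_SAMPLES = 4096   # samples in one observation window
CARRIER_BIN = 500  # carrier frequency in cycles per window (assumed value)
SWITCH_BIN = 32    # switching frequency: the window holds 32 switching periods


def reflection_coefficient(n, gamma_low, gamma_high, switch_bin=SWITCH_BIN,
                           n_samples=N_SAMPLES):
    """Reflection coefficient at sample n: gamma_high while the node is logic
    high, gamma_low while it is logic low (50% duty square wave)."""
    period = n_samples // switch_bin
    return gamma_high if (n % period) < period // 2 else gamma_low


def backscattered_signal(gamma_low, gamma_high, switching=True,
                         carrier_bin=CARRIER_BIN, switch_bin=SWITCH_BIN,
                         n_samples=N_SAMPLES):
    """Carrier as reflected by the IC. With switching=False the node is idle:
    the reflection coefficient is a constant (the mean of the two states) and
    the carrier comes back unmodulated."""
    gamma_idle = (gamma_low + gamma_high) / 2
    signal = []
    for n in range(n_samples):
        if switching:
            gamma = reflection_coefficient(n, gamma_low, gamma_high,
                                           switch_bin, n_samples)
        else:
            gamma = gamma_idle
        carrier = math.cos(2 * math.pi * carrier_bin * n / n_samples)
        signal.append(gamma * carrier)
    return signal


def dft_magnitude(signal, k):
    """Magnitude of the DFT of `signal` at bin k, computed directly; only a
    handful of bins are needed, so an FFT library is not worth the dependency."""
    n_samples = len(signal)
    acc = 0j
    for n, x in enumerate(signal):
        acc += x * cmath.exp(-2j * math.pi * k * n / n_samples)
    return abs(acc)


def sideband_spectrum(signal, carrier_bin=CARRIER_BIN, switch_bin=SWITCH_BIN,
                      harmonics=3):
    """Magnitudes at the carrier (key 0) and at carrier +/- j*switch for
    j = 1..harmonics (keys +j and -j)."""
    spectrum = {0: dft_magnitude(signal, carrier_bin)}
    for j in range(1, harmonics + 1):
        spectrum[j] = dft_magnitude(signal, carrier_bin + j * switch_bin)
        spectrum[-j] = dft_magnitude(signal, carrier_bin - j * switch_bin)
    return spectrum


if __name__ == "__main__":
    # Illustrative reflection coefficients for the two logic states (assumed).
    active = sideband_spectrum(backscattered_signal(0.40, 0.60))
    idle = sideband_spectrum(backscattered_signal(0.40, 0.60, switching=False))
    for j in sorted(active):
        print(f"carrier {j:+d}*f_switch: active={active[j]:9.3f}"
              f"  idle={idle[j]:9.3f}")
```

Running it shows what the abstract states in words: while the node switches, energy appears at the carrier plus and minus the switching frequency and its odd harmonics (the third harmonic at roughly one third of the first, none at the even harmonics because a 50% duty square wave has no even terms), the sideband amplitude is proportional to the swing between the two reflection coefficients, and an idle circuit returns only the carrier, whose amplitude is set by the static reflection coefficient. A reader tuned to the sidebands therefore sees the circuit's activity, which is exactly the property the tag design exploits and the property that leaks information in the side-channel setting.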
- Award ID(s): 1740962
- PAR ID: 10112656
- Date Published:
- Journal Name: IEEE Journal of Radio Frequency Identification
- Volume: 3
- Issue: 2
- ISSN: 2469-7281
- Page Range / eLocation ID: 67-76
- Format(s): Medium: X
- Sponsoring Org: National Science Foundation
More Like this
- Passive radio-frequency identification (RFID) tags are attractive because they are low cost, battery-free, and easy to deploy. This technology is traditionally used to identify tags attached to objects. In this paper, we explore the feasibility of turning passive RFID tags into battery-free temperature sensors. The impedance of the RFID tag changes with temperature, and this change is manifested in the signal reflected from the tag. This opens up an opportunity to realize battery-free temperature sensing using a passive RFID tag with the Commercial Off-the-Shelf (COTS) RFID reader-antenna infrastructure already deployed for supply chain management or inventory tracking. However, it is challenging to achieve high accuracy and robustness against changes in the environment. To address these challenges, we first develop a detailed analytical model to capture the impact of temperature change on the tag impedance and the resulting phase of the reflected signal. We then build a system that uses a pair of tags that respond differently to temperature change, so that other environmental effects cancel out. Using extensive evaluation, we show that our model is accurate and that our system can estimate temperature with a median error of 2.9 degrees Celsius and support a normal read range of 3.5 m in an environment-independent manner.
- In this work, we demonstrate that it is possible to read UHF RFID tags without a carrier. Specifically, we introduce an alternative reader design that does not emit a carrier and allows reading RFID tags intended for conventional carrier-based systems. While traditional RFID tags modulate a carrier, the modulation circuit used for backscatter also modulates the inherent noise of the tag circuitry, including its Johnson noise, whether or not a carrier is present. Our Modulated Noise Communication (MNC) approach leverages recent work on Modulated Johnson Noise (MJN) and can be read by an alternative RFID reader design that enables simpler, more accessible RFID reading than a conventional backscatter reader by eliminating self-jamming. MNC is shown to support wireless transmission of data packets at 2 cm to 10 cm of separation between a standard UHF RFID tag and the proposed alternative reader, at data rates of 1 bps and 2 bps.
- The threats of physical side-channel attacks and their countermeasures have been widely researched. Most physical side-channel attacks rely on the unavoidable influence of computation or storage on current consumption or voltage drop on a chip. Such data-dependent influence can be exploited by, for instance, power or electromagnetic analysis. In this work, we introduce a novel non-invasive physical side-channel attack, which exploits the data-dependent changes in the impedance of the chip. Our attack relies on the fact that the temporarily stored contents in registers alter the physical characteristics of the circuit, which results in changes in the die's impedance. To sense such impedance variations, we deploy a well-known RF/microwave method called scattering parameter analysis, in which we inject sine wave signals with high frequencies into the system's power distribution network (PDN) and measure the echo of the signals. We demonstrate that according to the content bits and physical location of a register, the reflected signal is modulated differently at various frequency points, enabling the simultaneous and independent probing of individual registers. Such side-channel leakage challenges the t-probing security model assumption used in masking, which is a prominent side-channel countermeasure. To validate our claims, we mount non-profiled and profiled impedance analysis attacks on hardware implementations of unprotected and high-order masked AES. We show that in the case of the profiled attack, only a single trace is required to recover the secret key. Finally, we discuss how a specific class of hiding countermeasures might be effective against impedance leakage.