Title: Exploiting Switching of Transistors in Digital Electronics for RFID Tag Design
Existing analog-signal side-channels, such as EM emanations, are a consequence of current-flow changes that are dependent on activity inside electronic circuits. In this paper, we introduce a new class of side-channels that is a consequence of impedance changes in switching circuits, and we refer to it as an impedance-based side-channel. One example of such a side-channel is when digital logic activity causes incoming EM signals to be modulated as they are reflected (backscattered), at frequencies that depend on both the incoming EM signal and the circuit activity. This can cause EM interference or leakage of sensitive information, but it can also be leveraged for RFID tag design. In this paper, we first introduce a new class of side-channels that is a consequence of impedance differences in switching circuits, and we refer to it as an impedance-based side-channel. Then, we demonstrate that the impedance difference between transistor gates in the high-state and in the low-state changes the radar cross section (RCS) and modulates the backscattered signal. Furthermore, we have investigated the possibility of implementing the proposed RFID on ASIC for signal enhancement. Finally, we propose a digital circuit that can be used as a semi-passive RFID tag. To illustrate the adaptability of the proposed RFID, we have designed a variety of RFID applications across carrier frequencies at 5.8 GHz, 17.46 GHz, and 26.5 GHz to demonstrate flexible carrier frequency selection and bit configuration.
Award ID(s):
1740962
NSF-PAR ID:
10112656
Author(s) / Creator(s):
Date Published:
Journal Name:
IEEE Journal of Radio Frequency Identification
Volume:
3
Issue:
2
ISSN:
2469-7281
Page Range / eLocation ID:
67-76
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. This paper describes a new physical side channel, i.e., the backscattering side channel, that is created by transmitting a signal toward the IC, where the internal impedance changes caused by on-chip switching activity modulate the signal that is backscattered (reflected) from the IC. To demonstrate how this new side-channel can be used to detect small changes in circuit impedances, we propose a new method for nondestructively detecting hardware Trojans (HTs) from outside of the chip. We experimentally confirm, using measurements on one physical instance for training and nine other physical instances for testing, that the new side-channel, when combined with an HT detection method, allows detection of a dormant HT in 100% of the HT-afflicted measurements for a number of different HTs, while producing no false positives in HT-free measurements. Furthermore, additional experiments are conducted to compare the backscattering-based detection to one that uses the traditional EM-emanation-based side channel. These results show that backscattering-based detection outperforms the EM side channel, confirm that dormant HTs are much more difficult for detection than HTs that have been activated, and show how detection is affected by changing the HT’s size and physical location on the IC.
  2. This paper describes a new physical side channel, i.e., the backscattering side channel, that is created by transmitting a signal toward the IC, where the internal impedance changes caused by on-chip switching activity modulate the signal that is backscattered (reflected) from the IC. To demonstrate how this new side-channel can be used to detect small changes in circuit impedances, we propose a new method for nondestructively detecting hardware Trojans (HTs) from outside of the chip. We experimentally confirm, using measurements on one physical instance for training and nine other physical instances for testing, that the new side-channel, when combined with an HT detection method, allows detection of a dormant HT in 100% of the HT-afflicted measurements for a number of different HTs, while producing no false positives in HT-free measurements. Furthermore, additional experiments are conducted to compare the backscattering-based detection to one that uses the traditional EM-emanation-based side channel. These results show that backscattering-based detection outperforms the EM side channel, confirm that dormant HTs are much more difficult for detection than HTs that have been activated, and show how detection is affected by changing the HT’s size and physical location on the IC.
  3. The threats of physical side-channel attacks and their countermeasures have been widely researched. Most physical side-channel attacks rely on the unavoidable influence of computation or storage on current consumption or voltage drop on a chip. Such data-dependent influence can be exploited by, for instance, power or electromagnetic analysis. In this work, we introduce a novel non-invasive physical side-channel attack, which exploits the data-dependent changes in the impedance of the chip. Our attack relies on the fact that the temporarily stored contents in registers alter the physical characteristics of the circuit, which results in changes in the die's impedance. To sense such impedance variations, we deploy a well-known RF/microwave method called scattering parameter analysis, in which we inject sine wave signals with high frequencies into the system's power distribution network (PDN) and measure the echo of the signals. We demonstrate that according to the content bits and physical location of a register, the reflected signal is modulated differently at various frequency points enabling the simultaneous and independent probing of individual registers. Such side-channel leakage challenges the t-probing security model assumption used in masking, which is a prominent side-channel countermeasure. To validate our claims, we mount non-profiled and profiled impedance analysis attacks on hardware implementations of unprotected and high-order masked AES. We show that in the case of the profiled attack, only a single trace is required to recover the secret key. Finally, we discuss how a specific class of hiding countermeasures might be effective against impedance leakage. 
  4. We propose an electroacoustic transistor enabled by reconfigurable topological insulators (TIs). The underlying structure of the device is a hexagonal lattice with a unit cell consisting of piezoelectric disks bonded to an aluminum substrate. First, we study the dispersion of flexural waves in the reconfigurable TI to identify Dirac cones in the band structure of a unit cell possessing C6v-symmetry. A topological bandgap can be opened by breaking inversion symmetry in the unit cell. This is achieved by altering the elastic response of one of the affixed piezoelectric disks using a negative impedance shunt circuit. Next, we analyze various topological states formed by interfacing mirror-symmetric unit cells. Sublattices with interface states are then combined to construct a transistor supercell which hosts at least two topologically protected channels for wave propagation. The amplitude of an incoming acoustic signal propagating in one of the topological channels, referred to as the ‘Gate’, is used to switch on or off a second topological channel between a wave source and receiver, mimicking the behavior of a field effect transistor in electronics. We employ finite element analysis to study the harmonic response of the transistor structure demonstrating the OFF and ON states of the device. Further, we present a mock-up of an electrical circuit which enables the switching of the topological channel between a wave source and receiver. The design of the proposed wave-based transistor promises the advantage of topological protection and may find applications in wearable devices, edge computing, and sensing in harsh environments. 
  5. Passive radio-frequency identification (RFID) tags are attractive because they are low cost, battery-free, and easy to deploy. This technology is traditionally being used to identify tags attached to the objects. In this paper, we explore the feasibility of turning passive RFID tags into battery-free temperature sensors. The impedance of the RFID tag changes with the temperature and this change will be manifested in the reflected signal from the tag. This opens up an opportunity to realize battery-free temperature sensing using a passive RFID tag with already deployed Commercial Off-the-Shelf (COTS) RFID reader-antenna infrastructure in supply chain management or inventory tracking. However, it is challenging to achieve high accuracy and robustness against the changes in the environment. To address these challenges, we first develop a detailed analytical model to capture the impact of temperature change on the tag impedance and the resulting phase of the reflected signal. We then build a system that uses a pair of tags, which respond differently to the temperature change to cancel out other environmental impacts. Using extensive evaluation, we show our model is accurate and our system can estimate the temperature within a 2.9 degree centigrade median error and support a normal read range of 3.5 m in an environment-independent manner.