On Modeling and Detecting Trojans in Instruction Sets

Amid growing concerns about hardware security, comprehensive security testing has become essential for chip certification. This paper proposes a deep-testing method for identifying Trojans of particular concern to middle-to-high-end users, with a focus on illegal instructions. A hidden instruction Trojan can employ a low-probability sequence of normal instructions as a boot sequence, which is followed by an illegal instruction that triggers the Trojan. This enables the Trojan to remain deeply hidden within the processor. It then exploits an intrusion mechanism to acquire Linux control authority by setting a hidden interrupt as its payload. We have developed an unbounded model checking (UMC) technique to uncover such Trojans. The proposed UMC technique has been optimized with slicing based on the input cone, head-point replacement, and backward implication. Our experimental results demonstrate that the presented instruction Trojans can survive detection by existing methods, thus allowing normal users to steal root user privileges and compromising the security of processors. Moreover, our proposed deep-testing method is empirically shown to be a powerful and effective approach for detecting these instruction Trojans.