近年來實時時鐘電路被廣泛地應用於電子系統中以在系統開機時提供正確的時間資訊。本研究提出兩種以使用系統中的時間資訊作為觸發條件的硬體木馬，一種為基於真實時間的硬體木馬，其可在某個特定的真實時間攻擊系統；另一種為基於相對時間的硬體木馬，其可在系統開機經過特定時間後被觸發。無論觸發上述任何的硬體木馬，都可能造成系統損壞或將內部資訊洩露至外界。我們使用幾個Benchmark Programs和供應商提供的Formal Assertions來評估提出的硬體木馬在RISC-V處理器上的隱藏性。我們還使用數種典型的硬體木馬檢測方法來檢測提出的硬體木馬。結果顯示，大多數方法不能有效檢測到提出的硬體木馬。除此之外，我們的合成結果亦顯示，提出的硬體木馬在面積、功率和延遲的開銷都非常小，這意味著傳統的基於分析面積、功率和延遲的開銷的檢測方法也無法有效檢測這些安全威脅。

Real-time clock (RTC) circuitry is widely used in modern electronic systems to provide time information to the systems. In this work we present two types of hardware Trojans (HTs) that employ time information as the trigger conditions. One is a real-time based HT, which will attack a system at some specific real-world time. The other is a relative-time based HT, which will be triggered when a specific period has passed after the system is powered on. In either case when a HT is triggered, its payload circuitry may corrupt the system or leak some internal information to the outside world. We evaluate the concealment of these time-related HTs on a RISC-V processor by using several benchmark programs and vendor-provided formal assertions. We also try to detect the presented HTs through several typical HT detection methods. The results show that the HTs can escape the detection of most of these methods. Moreover the synthesis results show that the extra area, power, and delay overhead caused by the presented HTs are all very small, implying that the HT detection methods based on area, power, or delay analysis are also not effective to detect these HTs.

[1] M. Beaumont, B. Hopkins, and T. Newby. (2011). Hardware Trojans—Prevention, detection, countermeasures [Online]. Available: https://apps.dtic.mil/dtic/tr/fulltext/u2/a547668.pdf.
[2] S. Adee, "The Hunt For The Kill Switch," IEEE Spectrum, vol. 45, no. 5, pp. 34-39, May 2008.
[3] Defense Science Board Task Force (2005). High performance microchip supply [Online]. Available: https://www.acq.osd.mil/dsb/reports/2000s/ADA435563.pdf.
[4] Reuters news agency. (2007). China virus found in Seagate drives in Taiwan: report Available: https://www.reuters.com/article/us-taiwan-trojan/china-virus-found-in-seagate-drives-in-taiwan-report-idUSTP20376020071112.
[5] D. Spiegel. (2014, May 17). Cisco slams NSA for intercepting packages en route to customers. Available: https://thedesk.matthewkeys.net/ 2014/05/cisco-slams-nsa-for-intercepting-packages-en-route-to-customers/.
[6] Y. Alkabani and F. Koushanfar, "Extended Abstract: Designer’s Hardware Trojan Horse," in Proc. IEEE Int. Workshop Hardware-Oriented Security and Trust, 2008, pp. 82-83.
[7] R. S. Chakraborty, S. Narasimhan and S. Bhunia, "Hardware Trojan: Threats and emerging solutions," in Proc. IEEE International High Level Design Validation and Test Workshop, 2009, pp. 166-171.
[8] R. Karri, J. Rajendran, K. Rosenfeld and M. Tehranipoor, "Trustworthy Hardware: Identifying and Classifying Hardware Trojans," Computers, vol. 43, no. 10, pp. 39-46, Oct. 2010.
[9] M. Tehranipoor and F. Koushanfar, "A Survey of hardware Trojan Taxonomy and Detection," in IEEE Design & Test of Computers, vol. 27, no. 1, pp. 10-25, Jan.-Feb. 2010.
[10] S. Bhunia, M. S. Hsiao, M. Banga, and S. Narasimhan, "Hardware Trojan Attacks: Threat Analysis and Countermeasures," Proceedings of IEEE, vol. 102, no. 8, Aug. 2014, pp. 1229-1247.
[11] S. Moein, T. A. Gulliver, F. Gebali and A. Alkandari., "A New characterization of Hardware Trojans," IEEE Access, vol. 4, pp. 2721-2731, 2016.
[12] M. Kuo, C. Hu and K. Lee, "Time-Related Hardware Trojan Attacks on Processor Cores," 2019 IEEE International Test Conference in Asia, Tokyo, Japan, 2019, pp. 43-48.
[13] Y. Jin, N. Kupp and Y. Makris, "Experiences in Hardware Trojan design and implementation," in Proc. IEEE Int. Workshop on Hardware-Oriented Security and Trust, 2009, pp. 50-57.
[14] H. Liu, H. Luo, and L. Wang, "Design of hardware trojan horse based on counter," in Proc. IEEE Int. Conference on Quality, Reliability, Risk, Maintenance, and Safety Engineering, 2011, pp. 1007-1009.
[15] H. Salmani, M. Tehranipoor, and R. Karri, "On Design vulnerability analysis and trust benchmark development", in Proc. IEEE Int. Conference on Computer Design, Oct. 2013, pp471-474.
[16] B. Shakya et al., “Benchmarking of Hardware Trojans and Maliciously Affected Circuits”, Journal of Hardware and Systems Security, pp. 1-18, April 2017.
[17] M. Tehranipoor. (2018). Trust-hub Available: https://www.trust- hub.org/home
[18] D. Lampret. (2001). Available: http://www.opencores.org/cores/rtc
[19] Syntacore. (2018). Available: https://github.com/syntacore/scr1
[20] J. Zhang, Feng Yuan, Lingxiao Wei, Zelong Sun and Q. Xu, "VeriTrust: Verification for hardware trust," IEEE Design Automation Conference, pp. 1-8, 2013.
[21] J. Zhang, F. Yuan, and Q. Xu, “DeTrust: Defeating hardware trust verification with stealthy implicitly-triggered hardware Trojans,” in Proc. ACM Conference Computer Communications Security, Scottsdale, 2014, pp. 153-166.
[22] A. Waksman, M. Suozzo, and S. Sethumadhavan, "FANCI: Identification of stealthy malicious logic using Boolean functional Analysis," in Proc. ACM Conference on Computer and Communication Security, 2013, pp. 697-708.
[23] S. Yao et al., "FASTrust: Feature analysis for third-party IP trust verification," in Proc. IEEE Int. Test Conference, 2015, pp. 1-10