A FOSS-Based Toolchain for Automated Hardware Trojan Injection in RISC-V Architectures

Davide Giuffrida

Supervisors: Alessandro Savino, Samuele Yves Cerini, Riccardo Cantoro. Politecnico di Torino, Master's degree course in Computer Engineering (Ingegneria Informatica), 2024

License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

Digital electronics is one of the biggest revolutions in the history of mankind. Over the last fifty years, digital devices have found a wealth of possible applications, ranging from supercomputers to the Internet of Things (IoT). Such complexity requires appropriate hardware infrastructures, including application-specific circuits together with “general purpose accelerators” (like GPUs) that can aid high-level computation in implementing the increasingly specific functionalities required in each context. In the majority of domains there is a tendency to include as many specific digital (and even analog) circuits as possible in the same die, resulting in the so-called Systems-on-Chip. This trend is made possible by advancements in both digital technology, illustrated by Moore’s law, and the overall design process, which involves many steps and tools. In particular, semiconductor companies may rely on libraries of Intellectual Properties (IPs) not produced in-house to speed up the whole design phase. Third-party IPs are untrusted by definition, since they may include vulnerabilities, bugs or even openly malicious components. Such modifications of the circuit functionality, either malicious or not, are named Hardware Trojans, and they could be leveraged by ill-intentioned actors to wreak havoc during system operation. Due to the increasing complexity of the design flow as a whole, Trojan insertion is possible at many steps and at different abstraction levels (RTL, gate-level, layout etc.). Many techniques have been developed to identify Trojan-affected circuitry, based on different approaches. On the other side, attackers have managed to elude most of them through sophisticated injection strategies and stealthy Trojan architectures. Producing a tool capable of automatically injecting Trojans is a recurring topic in recent literature, from both the attacker's and the defender's points of view. Through this technique it would be possible to engineer vulnerable circuits on a large scale, feeding the demanding detection tools with meaningful samples. This thesis work aims to implement such a toolchain for Trojan insertion on processor cores, adopting a scalable architecture-agnostic approach which focuses on the RISC-V ISA. The final product is customizable in all its parts, allowing for new cores or new injection strategies to be included through targeted modifications. In order to make the results accessible to the widest possible audience, the whole flow includes only Free and Open Source Software (FOSS). The decision to rely exclusively on these tools addresses the general shortage of open-source-based solutions, offering hobbyists and students a free alternative to proprietary EDA software. Some of the latest detection techniques have been used to test the Trojans produced, assessing the quality of the toolchain in the process.

Supervisors: Alessandro Savino, Samuele Yves Cerini, Riccardo Cantoro
Academic year: 2024/25
Publication type: Electronic
Number of pages: 92
Subjects:
Degree course: Master's degree course in Computer Engineering (Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - COMPUTER ENGINEERING
Collaborating companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/33782