Mohammed M. Farag
Alexandria University
Publication
Featured research published by Mohammed M. Farag.
hardware oriented security and trust | 2012
Mohammed M. Farag; Lee W. Lerner; Cameron D. Patterson
Hardware Trojan horses (HTHs) are emerging threats to integrated circuits (ICs) outsourced to a global supply chain or developed with untrusted tools and intellectual property (IP). HTHs are stealthy in nature, and covert communication is their usual means of interaction and information transfer. Previous research has focused on short-range interaction via side-channels and existing IC interfaces, while remote interaction with HTHs across wired computer networks has received less attention. Generalized and non-local HTH interaction can support attacks normally associated with software Trojans. We investigate remote communication with HTHs and provide partial methods to exploit vulnerabilities in media layers of the protocol stack. Specifically, we focus on covert communication over point-to-point physical links in 10 gigabit Ethernet (10GbE) networks by exploiting loose specifications in physical- and link-layer protocols. The developed HTHs are assessed in terms of resource overhead and achieved bit rate, and demonstrate the potential for establishing high bandwidth covert channels using lightweight implanted circuits. We also describe a PUF-based IC or IP tracking attack enabled by HTH interaction across a network.
international workshop on security | 2012
Lee W. Lerner; Mohammed M. Farag; Cameron D. Patterson
Embedded electronics are widely used in cyber-physical process control systems (PCSes), which tightly integrate and coordinate computational and physical elements. PCSes have safety-critical applications, such as the supervisory control and data acquisition (SCADA) systems used in industrial control infrastructure, or the flight control systems used in commercial aircraft. Perimeter security and air gap approaches to preventing malware infiltration of PCSes are challenged by the complexity of modern networked control systems incorporating numerous heterogeneous and updatable components such as standard personal computing platforms, operating systems, and embedded configurable controllers. Global supply chains and third-party hardware components, tools, and software limit the reach of design verification techniques. As a consequence, attacks such as Stuxnet have demonstrated that these systems can be surreptitiously compromised. We present a run-time method for process control violation prediction that can be leveraged to enhance system security against configuration attacks on embedded controllers. The prediction architecture provides a short-term projection of active controller actions by embedding an accelerated model of the controller and physical process interaction. To maintain convergence with the physical system, the predictor model state is periodically synchronized with the actual physical process state. The predictor is combined with run-time guards in a root-of-trust to detect when the predicted process state violates application specifications. Configurations can be screened before they are applied or monitored at run-time to detect subtle modifications or Trojans with complex activation triggers. Advanced notification of process control violations allows remedial actions leveraging well known, high-assurance techniques, such as temporarily switching control to a stability-preserving backup controller. Experimental simulation results are provided from a root-of-trust developed for an aircraft pitch control system.
reconfigurable computing and fpgas | 2014
Khaled E. Ahmed; Mohammed M. Farag
Intra-chip communication is a major bottleneck in modern multiprocessor system-on-chip (MPSoC) designs. The bus topology is the most common on-chip interconnect technology and bus contention is one of the major issues in bus-based MPSoC designs. Code division multiple access (CDMA) has been proposed as a bus sharing strategy to overcome the bus contention problem. In CDMA, a limited number of orthogonal spreading codes can share the medium due to the Multiple Access Interference (MAI) problem. In wireless communications, overloaded CDMA has been considered to increase the system capacity by adding extra non-orthogonal spreading codes with specific characteristics. We propose a novel CDMA bus architecture leveraging the overloaded CDMA concepts to increase the maximum number of cores sharing the same CDMA bus in MPSoC by 25% at a marginal cost. The overloaded CDMA bus architecture is illustrated, resource- and speed-efficient decoding circuits are presented, and a prototype system is implemented and validated on a Virtex-7 FPGA VC707 evaluation kit. The overloaded and ordinary CDMA bus architectures are compared in terms of resource usage, power consumption, bus operating clock frequency and bandwidth. Evaluation results show an improvement in resource utilization and power consumption per unit (IP core) and the bus bandwidth by approximately 25% while preserving the access delay of the ordinary CDMA bus.
international conference on electronics, circuits, and systems | 2015
Khaled E. Ahmed; Mohammed M. Farag
In this paper, we present a novel design of a dynamically configurable hardware accelerator for the new NIST SHA-3 standard, namely the Keccak hashing function. The SHA-3 accelerator is composed of a static datapath built based on two different folded architectures of the Keccak function and controlled by a programmable Finite State Machine (FSM) that can be dynamically configured at run-time to hash a message of arbitrary size and digest length. The proposed hardware architectures enable implementing all functions and modes of operation supported by the Keccak SHA-3 hashing standard. Two prototypes of the accelerator are developed and validated on a Xilinx Virtex-6 FPGA kit as a stand-alone system and on a ZedBoard kit featuring a Zynq-7000 SoC FPGA, where the SHA-3 accelerator is implemented in the programmable logic and interfaced to an ARM Cortex-A9 processor. Hardware implementation is followed by a hardware/software co-design of a SHA-3 SoC running the keyed-Hash Message Authentication Code (HMAC) and Pseudo-Random Number Generator (PRNG) security applications. The ARM processor runs the application software and offloads SHA-3 computations to the hardware accelerator. The implementation results illustrate the performance enhancement of the SHA-3 SoC over pure software implementations in addition to the unprecedented flexibility offered by the proposed accelerators.
high performance interconnects | 2015
Khaled E. Ahmed; Mohammed M. Farag
On-chip interconnect is a major building block and a main performance bottleneck in modern complex System-on-Chips (SoCs). The bus topology and its derivatives are the most deployed communication architectures in contemporary SoCs. Space switching, exemplified by crossbars and multiplexers, and time sharing are the key enablers of various bus architectures. The crossbar has quadratic complexity while resource sharing significantly degrades the overall system performance. In this work we motivate using Code Division Multiple Access (CDMA) as a bus sharing strategy which offers many advantages over other topologies. Our work seeks to complement the conventional CDMA bus features by applying overloaded CDMA practices to increase the bus utilization efficiency. We propose the Difference-Overloaded CDMA Interconnect (D-OCI) bus that leverages the balancing property of the Walsh codes to increase the number of interconnected elements by 50%. Two implementations of the D-OCI bus optimized for both speed and resource utilization are presented. The bus operation is validated on a Xilinx Artix-7 AC701 FPGA kit and the bus performance is evaluated and compared to other existing bus topologies. We also present the synthesis results for the UMC-0.13 μm design kit to give an idea of the maximum achievable bus frequency on ASIC platforms. Moreover, we advance a proof-of-concept HLS implementation of the D-OCI bus on a Xilinx Zynq-7000 SoC and compare its performance, latency, and resource utilization to the ARM AXI bus. The performance evaluation demonstrates the superiority of the D-OCI bus.
international conference on electronics, circuits, and systems | 2015
Khaled E. Ahmed; Mohammed M. Farag
On-chip interconnects are the performance bottleneck in modern System-on-Chips (SoCs). Bus topologies and Networks-on-Chip (NoCs) are the main approaches used to implement on-chip communication. The interconnect fabric enables resource sharing by Time and/or Space Division Multiple Access (T/SDMA) techniques. Code Division Multiple Access (CDMA) has been proposed to enable resource sharing in on-chip interconnects where each data bit is spread by a unique orthogonal spreading code of length N. Unlike T/SDMA, in wireless CDMA, the communication channel capacity can be increased by overcoming the Multiple Access Interference (MAI) problem. In response, we present two overloaded CDMA interconnect (OCI) bus architectures, namely TDMA-OCI (T-OCI) and Parallel-OCI (P-OCI), to increase the classical CDMA interconnect capacity. We implement and validate the T-OCI and P-OCI bus topologies on the Xilinx Artix-7 AC701 kit. We compare the basic SDMA, TDMA, and CDMA buses and evaluate the OCI buses in terms of the resource utilization and bus bandwidth. The results show that the T-OCI achieves 100% higher bus capacity and 31% less resource utilization compared to the conventional CDMA bus topology. The P-OCI bus provides N times higher bus bandwidth compared to the T-OCI bus at the expense of increased resource utilization.
field-programmable logic and applications | 2011
Mohammed M. Farag; Lee W. Lerner; Cameron D. Patterson
Security is difficult to achieve on general-purpose computing platforms due to their complexity, excess functionality, and resource sharing. An alternative is the creation of a Tailored Trustworthy Space for the system or application class of interest. We focus on data-intensive computing systems using reconfigurable hardware to implement streaming operations, and provide security assurances that are independent of application software, middleware, or operating system integrity and correctness. All interaction between software and the dataflow hardware passes through an automatically synthesized and formally verified hardware controller incorporating enforcement and real-time monitoring of application-specific rules. Abstractions provided by the Bluespec high-level language assist in the translation of domain-specific policy rules to synthesized logic. For the cognitive radio example used, hardware-enforced policies include physical layer rules such as sanctioned spectrum usage. Policy changes cause the secure generation and transfer of a new controller-wrapped datapath hardware plug-in. Datapath dynamic block swaps and cryptographic operations are managed entirely by the hardware controller rather than software drivers. Design for performance and design for security are therefore simultaneously addressed since the datapath is configured and monitored at hardware speeds, and software has no access to datapath configurations and cryptographic keys.
international midwest symposium on circuits and systems | 2016
Omar G. Lotfy; Ahmed A. Kassem; Emad M. Nassief; Hassan A. Ali; Mario R. Ayoub; Magdy A. El-Moursy; Mohammed M. Farag
This paper presents a new lane tracking algorithm for the lane departure warning system without using a Kalman filter. The system is capable of extracting the true lane boundaries from all detected lines including noise in the frame and estimates its future position. The new algorithm uses the score mechanism to trace the appearance of lines in previous frames using a score variable which indicates the number of frame lines that have been detected and scores state of each line (increasing or decreasing). The lateral shift is calculated from prior knowledge of lane boundary positions in previous frames. Moreover, the algorithm introduces a hysteresis loop of line score varying the number of predicted frames for line position which has a significant impact in smoothing and stabilizing the tracking process.
application-specific systems, architectures, and processors | 2016
Ahmed S. Eissa; Mahmoud A. Elmohr; Mostafa A. Saleh; Khaled E. Ahmed; Mohammed M. Farag
The Secure Hash Algorithm 3 (SHA-3) is a cryptographic hash function widely used in most security applications. The execution of the SHA-3 function is computationally intensive on lightweight embedded RISC processors. In this work, we advance a SHA-3 Instruction Set Extension (ISE) to improve its performance on a 32-bit MIPS processor. Two ISE approaches are proposed, namely native datapath and coprocessor-based ISEs. The ISE is developed with the aid of Codasip Studio, and the extended processor is implemented and benchmarked on a Xilinx Virtex-6-XC6VLX75t FPGA. The benchmarking results exhibit a 21% and 43% increase in the execution speed of the SHA-3 algorithm on the MIPS processor at the expense of 9% and 26% resource overheads for the native datapath and coprocessor-based ISEs, respectively.
Proceedings of the 2nd Africa and Middle East Conference on Software Engineering | 2016
Kamal Bassuony; Mostafa Gaber; Shaimaa Lazem; Karim Youssef; Mohammed M. Farag
We propose a design for an affordable interactive floor, and an accompanying software architecture for developing multi-player educational games. The floor uses passive RFID technology for robust tracking of the position and the identity of the students during play. The tracking results could be used to monitor and analyse the performances of individual students. A prototype was implemented using off-the-shelf electronics and thus it could be adopted in schools or community clubs with declined budget. To evaluate the latency and the scalability of the design, an analytical model and its empirical validation are presented.