<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Hardware Security, Vulnerabilities, and Attacks: A Comprehensive Taxonomy</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Paolo Prinetto</string-name>
          <email>paolo.prinetto@polito.it</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Gianluca Roascio</string-name>
          <email>gianluca.roascio@polito.it</email>
          <xref ref-type="aff" rid="aff0">0</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>Cybersecurity National Laboratory, Consorzio Interuniversitario Nazionale per l'Informatica Dipartimento di Automatica e Informatica, Politecnico di Torino</institution>
          ,
          <addr-line>Turin</addr-line>
          ,
          <country country="IT">Italy</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>Information Systems, increasingly present in a world that goes towards complete digitalisation, can be seen as complex systems at the base of which is the hardware. When dealing with the security of these systems to stop possible intrusions and malicious uses, the analysis must necessarily include the possible vulnerabilities that can be found at the hardware level, since their exploitation can make all defences implemented at web or software level ineffective. In this paper, we propose a meaningful and comprehensive taxonomy for the vulnerabilities affecting the hardware and the attacks that exploit them to compromise the system, also giving a definition of Hardware Security, in order to clarify a concept often confused with other domains, even in the literature.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>Introduction</title>
      <p>work, the applications need services provided by the system software (typically the Operating
System), which in turn is the last virtualisation layer on top of the hardware. "Hardware" is
a vague concept, since it is often given different interpretations and meanings as a consequence
of the peculiar points of view of different stakeholders, including end-users, providers, OEMs,
manufacturers, designers, etc. In the sequel, the term hardware is used to collectively refer to
the whole set of electronic devices used to set up an Information System, Information
Technology (IT) or Operational Technology (OT) indifferently, regardless of its complexity, its field of
application, and the functionality/role of the devices within it.</p>
      <p>[Residual figure labels (Information System layers): User; Web / Communication]</p>
      <p>
        From the security point of view, any component of any Information System layer may have
weaknesses that can generate vulnerabilities. The MITRE Corporation defines a vulnerability
as a weakness present inside a component of an information system that, "when exploited,
results in a negative impact to Confidentiality, Integrity, OR Availability" [
        <xref ref-type="bibr" rid="ref2">2</xref>
        ]. Anything that
endangers at least one of the three aspects of the CIA triad makes the system vulnerable, i.e.,
not completely secure.
      </p>
      <p>When a component of one of the layers is compromised by an attack, either the lower
layer provides protection, and thus the intrusion is stopped, or it is compromised as well, and
the attacker can use it maliciously. It is therefore clear that the base of the layer stack, the
hardware, plays a primary role in Information System security: it represents, by construction,
the last line of defense against intrusions [7, Section 4.1]. Directly or indirectly being the base
all the other layers rely on, if attacked, it may render useless all the defences implemented in
the upper layers.</p>
      <p>The presence of hardware vulnerabilities has thus an obvious impact on the Information
System security, but this is not the only role that hardware plays in its security. We can,
in fact, identify three different areas to consider, as shown in Figure 2: Hardware Security,
Hardware-based Security, and Hardware Trust.</p>
      <p>Hardware Security refers to all the actions needed to (i) identify hardware vulnerabilities, (ii)
analyse their effects, (iii) prevent their exploitation by mitigating, reducing, and (ideally)
nullifying the risks induced by their presence, (iv) develop and implement protections
and remediation solutions, and (v) possibly avoid them by proper remediations during
the design and production phases (Security-by-Design). Note that this definition is in no
way constrained as to where or when what is described above can be done. For example, the
fact that the vulnerabilities are located in the hardware and that hardware attacks
try to open breaches through them to compromise the security of the system does not
necessarily mean that the defences against them must be implemented at the hardware
level. This would be extremely limiting, since most vulnerabilities are discovered once
the hardware is already operating in the field, without the possibility of being patched, as
can mostly be done for software. Therefore, any technique aimed at countering hardware
attacks falls under the definition of Hardware Security, even if mitigations are applied at
the upper layers.</p>
      <p>Hardware-based Security refers to all the solutions aimed at resorting to hardware to
protect the system from attacks that exploit vulnerabilities present in other components of
the system.</p>
      <p>Hardware Trust refers to minimising the risks introduced by hardware counterfeiting, thus
guaranteeing the other components of the system about the authenticity of the used
hardware devices.</p>
      <p>[Figure 2 (residual labels): Hardware Security; Hardware-based Security; Hardware Trust]</p>
      <p>In the sequel of this paper, we shall focus on Hardware Security only, presenting a taxonomy
both of vulnerabilities affecting the hardware and of the attacks targeting it. Section 2
contextualises the paper and shows some previous attempts to systematise the topic; then, Section 3
classifies hardware vulnerabilities, Section 4 presents hardware attacks and, eventually, Section
5 concludes the paper.</p>
    </sec>
    <sec id="sec-2">
      <title>State of the Art</title>
      <p>
        Since Information Systems began to spread and evolve, the topic of security has always been
mainly addressed in relation to the protection from intrusions made possible by their web
connections, i.e., in an environment potentially open to anyone. It is therefore a fact that
networks and software have received most of the attention, while hardware has traditionally
been considered as secure and inviolable. On the other hand, the role of hardware components
in safety and in safety-critical applications has been deeply investigated [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ]: it was commonly
believed that hardware could at most fail, but not be attacked.
      </p>
      <p>
        At the end of the last century, smart cards were already widespread. Based on chips specialised
in security and authentication applications, these devices were considered impossible to crack
other than with very advanced means, beyond the reach of common hackers. But starting from
1996, this thesis started to be dismantled through the first demonstrations of fault
injection attacks and microprobing experiments carried out with common equipment against
these chips [
        <xref ref-type="bibr" rid="ref5">5</xref>
        ] [
        <xref ref-type="bibr" rid="ref6">6</xref>
        ], and the problem began to be slowly acknowledged.
      </p>
      <p>
        In the same years or a little later, important authors such as Kocher [
        <xref ref-type="bibr" rid="ref33">33</xref>
        ] [
        <xref ref-type="bibr" rid="ref32">32</xref>
        ] and others [
        <xref ref-type="bibr" rid="ref41">41</xref>
        ]
[
        <xref ref-type="bibr" rid="ref39">39</xref>
        ] began to raise the problem of extrapolating information from secure devices such as smart
cards simply by listening to the surrounding environment, e.g., by measuring the time taken,
the energy consumed, the radiation emitted. Cryptographic algorithms, considered practically
impossible to break mathematically, are instead vulnerable in their physical implementations.
This was how the so-called side-channel attacks started to be known.
      </p>
      <p>
        At the beginning of the century, the vertical integration model in the hardware supply chain
was abandoned in favor of the horizontal one: instead of taking care of all stages of production,
from specifications to final manufacture, companies started to outsource manufacturing to
third-party companies, to which the layout of their devices is delivered. Therefore, the community
started to reason about the possible risks of counterfeiting and piracy deriving from this, with a
first article in 2001 by Koushanfar et al. [
        <xref ref-type="bibr" rid="ref35">35</xref>
        ]. The issue was even raised years later by the United
States Congress [
        <xref ref-type="bibr" rid="ref1">1</xref>
        ]. Thus, a whole literature has been produced on the so-called hardware
metering [
        <xref ref-type="bibr" rid="ref34">34</xref>
        ] and its implementation methods, including Physical Unclonable Functions (PUFs)
[
        <xref ref-type="bibr" rid="ref40">40</xref>
        ] or circuit obfuscation [
        <xref ref-type="bibr" rid="ref42">42</xref>
        ]. Similarly, a manufacturing process that includes untrusted actors
started to raise doubts about the possibility of inclusion of hardware Trojan horses [
        <xref ref-type="bibr" rid="ref55">55</xref>
        ], i.e.,
Trojans inserted directly into the circuit, to be activated once the device is put into operation.
      </p>
      <p>The concept of security related to hardware is therefore a young concept, and it may seem
in itself a spurious union of techniques for protecting sometimes the originality and the integrity
of the hardware design, sometimes the information itself treated by the hardware. Only in more
recent years have some authors tried to tidy up by proposing examples of taxonomies, among
which we report here the most significant according to our opinion.</p>
      <p>
        In a paper of 2014, Rostami et al. [
        <xref ref-type="bibr" rid="ref45">45</xref>
        ] distinguish, within the sphere of Hardware Security,
5 major issues: Hardware Trojans, Reverse Engineering of the design, Intellectual-Property
Piracy, Side-Channel Attacks and Hardware Counterfeiting. It is a classification that confuses
vulnerabilities, types of attacks and purposes of attacks, since, for example, many
reverse-engineering attacks are certainly performed to steal the intellectual property of a circuit, while
Trojans are to be considered rather as vulnerabilities, triggered later by an attack, but they are
not properly an attack category.
      </p>
      <p>
        In the same year, Hamdioui et al. [
        <xref ref-type="bibr" rid="ref25">25</xref>
        ] tried to classify attacks into attacks to data (e.g.,
side-channel attacks), attacks to design (e.g., reverse-engineering attacks) and attacks to
functionality, with three modes in the context of attacks to data: invasive, non-invasive, or semi-invasive
with respect to the physical device itself, a very important concept that will be discussed later
in the paper.
      </p>
      <p>
        In their handbook published in 2018 [
        <xref ref-type="bibr" rid="ref10">10</xref>
        ], Bhunia and Tehranipoor well explain problems
related to security of hardware components with many practical examples, without much
refining the taxonomy of Rostami's 2014 article, but adding a fundamental distinction of the overall
problem in two wide families: (i) attacks targeting hardware with their countermeasures, and
(ii) attacks targeting the system with their hardware-based countermeasures, i.e., what we have
respectively called Hardware Security and Hardware-based Security in the previous Section.
      </p>
    </sec>
    <sec id="sec-3">
      <title>Hardware Vulnerabilities Taxonomy</title>
      <p>The proposed taxonomy of hardware vulnerabilities is shown in Figure 3. Vulnerabilities are
first clustered according to their nature and their domain, each in turn split into different criteria.</p>
      <p>[Figure 3 (residual labels): hardware vulnerabilities taxonomy by nature (unintentional: bug, flaw; intentional: backdoor) and by domain (logical, physical)]</p>
      <p>The nature may be intentional or unintentional, i.e., the vulnerability may be introduced
into the device voluntarily or not during its design and production phases. Unintentional
vulnerabilities are further split into bugs and flaws.</p>
      <p>A bug is an inconsistency between a specification and its actual implementation, introduced
by a mistake during a specific design phase which is not detected during the subsequent V&amp;V
(Validation and Verification) phase.</p>
      <p>
        A flaw is, instead, a non-primary feature that does not constitute an inconsistency w.r.t.
the specs, and that is the result of a misconception of the designer who did not take into
consideration its potential dangerousness. A flaw differs from a bug in that it does not collide with
any specification. As an example, in the design of modern microprocessors, the need to optimize
performance through speculative execution and aggressive caching caused flaws such as the
famous Meltdown [
        <xref ref-type="bibr" rid="ref37">37</xref>
        ] and Spectre [
        <xref ref-type="bibr" rid="ref31">31</xref>
        ]: such vulnerabilities did not originate from a mistake made
by the designer, but were unintentionally introduced during the optimisation phase, without taking
into account the risks that those race conditions could have led to.
      </p>
      <p>
        A vulnerability inserted intentionally inside a hardware device can be referred to as a
backdoor, as the person who inserts it wants to guarantee her/himself (or someone else) the
possibility of a later access or misuse that is outside the set of intended use-cases. Note that
the presence of a backdoor exposes the hardware component to threats independently of
whether it was inserted maliciously or not. On the one hand, an example of malicious backdoor
is a Hardware Trojan [
        <xref ref-type="bibr" rid="ref55">55</xref>
        ], i.e., a rogue piece of circuitry inserted at a given point of the design
and production phases, which can carry out unauthorised actions when its "triggering"
conditions are satisfied. As already said, with the globalization of Integrated-Circuit (IC) design
and manufacturing, the outsourcing of production tasks has become a common way to lower the
product's cost. Embedded hardware devices are not always produced by the companies that
design and sell them, nor in the same country where they will be used. A malicious intruder
with access to the manufacturing process can introduce some changes to the final product. A
Hardware Trojan is characterized by a payload, i.e., the entire activity that the Trojan
executes when it is activated, and by a trigger, which is the condition verified in the state of the
circuit that activates the payload. In general, malicious Trojans try to bypass or disable the
security fence of a system; they can leak confidential information by radio emission or by other
side-channel signals. A Trojan can also be used to disable, derange or destroy the entire chip or
components of it. A Trojan can be introduced during any production step (design, fabrication,
test, assembly) and at any level (register-transfer level, gate level, transistor level and even
physical level).
      </p>
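      <p>As an added illustration, not part of the original paper and a software model rather than real circuitry, the Python snippet below models the two ingredients just named: a hypothetical Trojan inserted into a 32-bit adder, armed by a trigger (a constructed pair of operand values, i.e., a condition on the state of the circuit) and carrying a payload (the result is silently replaced). A random functional test campaign against the golden model never observes a mismatch, which is exactly why V&amp;V based on random stimuli does not reveal such a vulnerability. All constants and function names are assumptions of the example.</p>
      <p>
```python
import random

# Constructed "magic" operand pair that arms the hypothetical Trojan.
TRIGGER_A = 0xDEADBEEF
TRIGGER_B = 0xCAFEBABE
MOD32 = 2 ** 32


def golden_adder(a, b):
    """Reference model: the 32-bit adder the specification describes."""
    return (a + b) % MOD32


def trojaned_adder(a, b):
    """The same adder with an inserted Trojan (hypothetical, for illustration).

    trigger: both operands equal the two constants above (a combinational
             trigger, i.e., a condition on the current state of the circuit)
    payload: the sum is silently replaced by the XOR of the operands
    On every other input the circuit is functionally identical to the golden one.
    """
    if a == TRIGGER_A and b == TRIGGER_B:
        return (a ^ b) % MOD32        # payload
    return golden_adder(a, b)         # normal behaviour


def random_test_campaign(n_vectors, seed=1):
    """Models functional validation with random stimuli: applies n_vectors
    random operand pairs to both models and returns how many results differ.
    With one triggering pair out of 2**64, random testing never observes it."""
    rng = random.Random(seed)
    mismatches = 0
    for _ in range(n_vectors):
        a = rng.getrandbits(32)
        b = rng.getrandbits(32)
        if golden_adder(a, b) != trojaned_adder(a, b):
            mismatches += 1
    return mismatches


def payload_observed():
    """True when the trigger condition is applied: the device deviates from
    its specification only now, in the field, not during testing."""
    return trojaned_adder(TRIGGER_A, TRIGGER_B) != golden_adder(TRIGGER_A, TRIGGER_B)


if __name__ == "__main__":
    print("mismatches in 100000 random vectors:", random_test_campaign(100000))
    print("payload observed on trigger input:", payload_observed())
```
      </p>
      <p>The point the model makes is structural: on every non-triggering input the Trojaned device is indistinguishable from its specification, so comparison against a golden model only detects it if the trigger is applied. This is consistent with the paper's view that a Trojan is a vulnerability lying dormant in the device, while its activation in the field is the attack.</p>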
      <p>
        On the other hand, an example of non-malicious backdoors is provided by the
undocumented instructions of some processors belonging to the x86 family, such as the one presented
in [
        <xref ref-type="bibr" rid="ref15">15</xref>
        ]: the undocumented opcode ALTINST (0x0F3F), most likely originally introduced by the
designers for debugging purposes, allows the user to switch to an alternative ISA (Instruction
Set Architecture), closer to the actual inner RISC architecture, and it can be used maliciously
to mount a privilege escalation attack.
      </p>
      <p>Orthogonally to its nature, a hardware vulnerability belongs to a domain, either logical
or physical. A hardware vulnerability is logical when it has been introduced during the early
design phases of the device, whereas it is physical when it is related to vulnerabilities introduced
during the latest technology-mapping steps of the design process.</p>
      <p>
        A typical example is here provided by the fact that a series of consecutive write operations
into a DRAM memory cell (row hammering) can induce adjacent cells to flip their content,
due to electric leakage effects [
        <xref ref-type="bibr" rid="ref30">30</xref>
        ]. Such a vulnerability is in fact intrinsic to the technology
adopted for implementing the memory, even if an accurate analysis of the well-known linked
dynamic faults in DRAM [
        <xref ref-type="bibr" rid="ref4">4</xref>
        ] [
        <xref ref-type="bibr" rid="ref14">14</xref>
        ] could suggest proper remediation at design time.
      </p>
    </sec>
    <sec id="sec-4">
      <title>Hardware Attacks Taxonomy</title>
      <p>By the very meaning of the term, a vulnerability is not such if it cannot be exploited, because it
would not expose the system to any risk, so it would not constitute any weakness. The exploit
is the means or method of taking advantage of a vulnerability for malicious purposes. Therefore,
a hardware attack can be defined as the act of taking advantage of a hardware vulnerability.</p>
      <p>It is important to clearly point out that an attack always happens only when the hardware
affected by a vulnerability is operating in the field: modifying a design to introduce a backdoor
is a vulnerability insertion, while exploiting it is an attack.</p>
      <p>Moreover, if the presence of a vulnerability jeopardises Confidentiality, Integrity or
Availability (Section 3), and if the vulnerability is such only if it is exploitable, then an attack, using
an exploit, is by definition an action that puts at risk the Confidentiality, the Integrity or the
Availability of an asset, and therefore everything that does not impact on any of these three
properties is outside the definition of attack.</p>
      <p>The taxonomy for hardware attacks is summarised in Figure 4.</p>
      <p>[Figure 4 (residual labels): hardware attacks taxonomy by goal (steal, corrupt, inhibit), target (information, property), domain (logical, physical) and modality (invasive; non-invasive: passive, active)]</p>
      <p>
        A hardware attack is first classified by the goal for which it is launched. The goal is the
malicious action that the attacker wants to take against an asset of the attacked hardware,
defined as a target. The target can be the information that the hardware is treating, but
also a property of the hardware itself, either functional or non-functional [
        <xref ref-type="bibr" rid="ref26">26</xref>
        ]. One can launch
an attack to:
• steal a target (e.g., a cryptographic key, a secret password, an intellectual property, a resource,
etc.); referring to the CIA triad, stealing is an action carried out in violation of Confidentiality,
since the attacker takes possession of an asset of which she/he does not own the
rights of access or use. It is worth pointing out that the so-called intellectual property (IP)
theft is to be considered as a case of IP-piracy attack, and related solutions are demanded
of Hardware Security. Intellectual property is in fact a fully-fledged target according to
the definition given in Section 4, and therefore it should be protected exactly as any other
hardware asset;
• corrupt a target (e.g., a memory word, a permission file, a functionality to make it bend to
one's advantage, etc.); corrupting is an action carried out in violation of Integrity, since
the attacker modifies an asset without being authorised to do it;
• inhibit a target (e.g., a service, a set of critical data, a defense mechanism, etc.); inhibiting
is an action carried out in violation of Availability, since the attacker prevents an asset
from being properly accessed or used by those who hold rights to do that.
      </p>
      <p>
        As well as vulnerabilities, hardware attacks always have a domain in which they are
implemented. An attack belongs to the logical domain if it is implemented starting from upper
layers with respect to hardware (Figure 1), i.e., when a hardware vulnerability, logical or
physical, is exploited through actions not directly on the hardware itself, but on the software levels
running on top of it. This domain includes, for example, privilege escalation attacks
exploiting the row-hammer vulnerability [
        <xref ref-type="bibr" rid="ref49">49</xref>
        ] [
        <xref ref-type="bibr" rid="ref56">56</xref>
        ], or those that exploit vulnerabilities in processor
microarchitecture such as Meltdown [
        <xref ref-type="bibr" rid="ref37">37</xref>
        ], Spectre [
        <xref ref-type="bibr" rid="ref31">31</xref>
        ] or others [
        <xref ref-type="bibr" rid="ref20">20</xref>
        ] [
        <xref ref-type="bibr" rid="ref12">12</xref>
        ] [
        <xref ref-type="bibr" rid="ref47">47</xref>
        ] [
        <xref ref-type="bibr" rid="ref28">28</xref>
        ], and also
cache-based attacks [
        <xref ref-type="bibr" rid="ref58">58</xref>
        ] [
        <xref ref-type="bibr" rid="ref48">48</xref>
        ].
      </p>
      <p>An attack belongs instead to the physical domain if it is implemented through actions
directly performed on the attacked hardware device.</p>
      <p>
        Finally, a hardware attack is qualified depending on the modality in which it is carried out.
The attack is invasive when the actions taken against the attacked hardware include physical
intrusions such as desoldering, depackaging, disconnection of its internal components. Attacks
having this modality are, for example:
• Microprobing Attacks: A microprobing attack tries to extract information by
measuring electrical quantities directly on the silicon die of the target device, once
physical access to it has been obtained. The die exposure is usually achieved by removing the plastic
package via chemical etching and/or by mechanical approaches. When possible, attackers
study the netlist of the target before the attack, so that with little reverse engineering they
are able to find matches with the layout in order to locate connections carrying sensitive
data. At this point, thanks to advanced equipment such as Focused Ion Beam (FIB) generators,
they can obstruct wires with nanometric precision, or create conductive paths that serve
as electrical probe contacts at a later stage. Probe equipment is then employed
to read the target signals and extract information. Such sophisticated equipment seems
difficult to obtain commonly, but for example a FIB generator can be rented for just a
couple hundred dollars per hour, which is reasonable with respect to an information theft
that could be highly rewarding [
        <xref ref-type="bibr" rid="ref50">50</xref>
        ] [
        <xref ref-type="bibr" rid="ref52">52</xref>
        ].
• Reverse Engineering Attacks: A reverse engineering attack is similar to
microprobing with respect to the mounting phase (desoldering and decapsulation), but actually
has a different scope. It in fact aims at understanding the structure of a semiconductor
device and its functions, i.e., at stealing the intellectual property of the designer. A
deep knowledge and expertise in advanced IC design are obviously required to succeed.
All the layers formed during chip fabrication are removed one by one in reverse order and
photographed to determine the internal structure of the chip. At the end, by processing
all the acquired information, a standard netlist file can be created and used to simulate
and eventually redesign the target device [
        <xref ref-type="bibr" rid="ref19">19</xref>
        ].
• Data Remanence Attacks: Computers typically store secret data in DRAM, which is properly
de-powered when the device is tampered with. It is common to think that once the power
is down, the content of volatile memories is erased (this is why they are called volatile,
actually). However, it has been proved that the charge stored in a DRAM cell has a given
decay rate which is not infinite and strictly depends on temperature. At temperatures
from 50 °C down, the contents of RAMs can be "frozen" and kept for one or even more
days. This is what usually happens in a cold-boot attack [
        <xref ref-type="bibr" rid="ref23">23</xref>
        ] [
        <xref ref-type="bibr" rid="ref22">22</xref>
        ], in which the attacker
uses spray cans or liquid nitrogen on a volatile device just disconnected from the original
system and gains precious time to perform a memory dump, i.e., a copy of the contents onto
a non-volatile device for subsequent analysis. Data remanence affects in a different way
non-volatile types of memory such as EEPROM and Flash. Some sensitive information
thought to be erased can still be extracted [
        <xref ref-type="bibr" rid="ref51">51</xref>
        ].
      </p>
      <p>
        The attack is instead non-invasive when it can be carried out without any physical contact
with the device under attack. Non-invasive attacks are further split into passive and active.
Passive non-invasive attacks are carried out by analysing and measuring one (or more) physical
dynamic entities of the attacked hardware. All different types of side-channel attacks [
        <xref ref-type="bibr" rid="ref36">36</xref>
        ] [
        <xref ref-type="bibr" rid="ref54">54</xref>
        ]
belong to this category. Active non-invasive attacks require instead specific actions on the
device, aimed at forcing the system into abnormal states in which the goal is easier to reach. This
category includes all the different types of fault attacks [
        <xref ref-type="bibr" rid="ref11">11</xref>
        ] [
        <xref ref-type="bibr" rid="ref8">8</xref>
        ] and test-infrastructure-based
attacks [
        <xref ref-type="bibr" rid="ref57">57</xref>
        ] [
        <xref ref-type="bibr" rid="ref44">44</xref>
        ].
      </p>
      <p>
        Side-Channel Attacks. Being something with physical consistence, when it is in activity, the
hardware unintentionally releases into the surrounding environment a certain number of "clues",
such as time spent, energy spent, electromagnetic radiation released, noise, etc. These clues,
along with the knowledge of some details about the device structure or just about the executed
algorithms, may turn out to be critical for information protection. The best-known classes
of side-channel attacks are:
• Timing Attacks: A timing side-channel attack tries to recover sensitive data by measuring
their computation time in a piece of hardware. In most cases, the algorithm
implementation strongly depends on the actual values of its input. If an attacker knows this
correlation, he can extract, for example, the encryption key or the password that is being
processed. Examples of timing attacks against hardware implementations of RSA [
        <xref ref-type="bibr" rid="ref33">33</xref>
        ] or
AES [
        <xref ref-type="bibr" rid="ref9">9</xref>
        ] [
        <xref ref-type="bibr" rid="ref29">29</xref>
        ] have been presented in the literature.
• Power Attacks: The actual power consumption of a programmable device depends on
both the executed instructions and the processed data. A power side-channel attack tries
to read this process in reverse and to recover the sensitive data processed by measuring the
variation of power consumption of the hardware device [
        <xref ref-type="bibr" rid="ref32">32</xref>
        ] [
        <xref ref-type="bibr" rid="ref53">53</xref>
        ].
• Electromagnetic Attacks: Whenever a current flows, an electromagnetic field is created
around it. This radiation unintentionally carries information about the source, and by
resorting to proper capturing devices, such as an induction coil, located in the proximity
of the device, one can reconstruct the digital signal which originated it [
        <xref ref-type="bibr" rid="ref59">59</xref>
        ].
• Acoustic Attacks: Acoustic cryptanalysis exploits vibrations produced by hardware
components of every kind and at any level, from device to circuit level. Covert listening
devices may be placed by attackers to record the sound emitted by keyboards and
keypads, and then a significant amount of sensed data can be later processed by signal
analysis and/or Machine Learning algorithms to associate a particular sound-wave with
the pressed key [
        <xref ref-type="bibr" rid="ref43">43</xref>
        ] [
        <xref ref-type="bibr" rid="ref24">24</xref>
        ]. Acoustic emissions in the ultrasonic band occur in circuit
elements such as coils and capacitors as a consequence of the current flowing through them.
Voltage regulation circuits in PC motherboards are responsible for acoustic emanations
which are directly correlated with CPU activity [
        <xref ref-type="bibr" rid="ref21">21</xref>
        ].
• Optical Attacks: Besides draining current or emitting radiation, a transistor that switches
also emits some light in the form of a few photons for a very short time. If an attacker
is able to detect such an emission, he can steal sensitive information from the circuit [
        <xref ref-type="bibr" rid="ref17">17</xref>
        ].
Alternatively, information-carrying light emissions can also be exploited when LEDs are
employed as device activity indicators [
        <xref ref-type="bibr" rid="ref38">38</xref>
        ].
      </p>
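      <p>The timing class described above can be reproduced in software without any laboratory equipment. The following Python example, added here and not taken from the paper, places a naive early-exit byte comparison (the kind of data-dependent control flow that a timing attack measures) beside a constant-time version whose work does not depend on where the first mismatching byte lies. Because wall-clock time is noisy from run to run, the example counts loop iterations as a deterministic stand-in for execution time; <code>hmac.compare_digest</code> is the standard-library equivalent of the hardened routine. The secret value and the function names are constructed for the example. The other side-channel classes (power, electromagnetic, acoustic, optical) rest on the same principle, a physical observable correlated with the processed data, but require a physical measurement and are not modelled here.</p>
      <p>
```python
import hmac


def leaky_compare(secret, guess):
    """Byte-by-byte comparison with early exit, the pattern found in naive
    password or MAC checks. Returns (match, steps): `steps` counts loop
    iterations, a deterministic stand-in for the execution time an attacker
    would measure (wall-clock time varies from run to run)."""
    steps = 0
    if len(secret) != len(guess):
        return False, steps
    for s, g in zip(secret, guess):
        steps += 1
        if s != g:
            return False, steps        # early exit: work depends on the data
    return True, steps


def constant_time_compare(secret, guess):
    """Hardened comparison: every byte is always visited and mismatches are
    OR-accumulated, so the amount of work does not depend on where the first
    differing byte is. Mirrors what hmac.compare_digest does."""
    steps = 0
    diff = len(secret) ^ len(guess)
    for s, g in zip(secret, guess):
        steps += 1
        diff |= s ^ g
    return diff == 0, steps


def library_compare(secret, guess):
    """Standard-library constant-time comparison, the routine to use in practice."""
    return hmac.compare_digest(secret, guess)


def steps_by_matching_prefix(compare_fn, secret):
    """For k = 0 .. len(secret)-1 builds a guess that matches exactly the first
    k bytes of the secret and records how much work the comparison performed."""
    out = []
    for k in range(len(secret)):
        wrong_byte = (secret[k] + 1) % 256          # guaranteed mismatch at k
        guess = secret[:k] + bytes([wrong_byte]) + bytes(len(secret) - k - 1)
        _, steps = compare_fn(secret, guess)
        out.append(steps)
    return out


def timing_varies(compare_fn, secret):
    """True if the work done depends on the matching prefix length, i.e.,
    the routine exposes a timing side channel."""
    return len(set(steps_by_matching_prefix(compare_fn, secret))) != 1


SECRET = b"hunter2!"   # constructed example secret

if __name__ == "__main__":
    print("leaky   :", steps_by_matching_prefix(leaky_compare, SECRET))
    print("constant:", steps_by_matching_prefix(constant_time_compare, SECRET))
```
      </p>
      <p>For the leaky routine the recorded work grows by one step per correctly guessed byte, which is exactly the correlation between input values and computation time that the paper says an attacker needs to know; for the constant-time routine it is flat. The same reasoning applies to a hardware implementation: a datapath whose cycle count depends on secret bits leaks through its timing regardless of how strong the underlying algorithm is.</p>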
      <p>
        Fault Attacks. They consist in the injection of deliberate (malicious) faults into the target
device, aimed at bringing it into a set of states from which private internal information items
can be fraudulently extracted. Types of fault attacks are mostly clustered according to the
fault injection technique. The most relevant are:
• Supply Attacks: If an attacker is able to tap into the power supply line of the target device
and connect his own power unit, he can underpower the device. At a lower supply voltage the
delay of logic gates increases, and on critical paths it may happen that wrong
values are sampled; in practice this means that one or more faulty bits are injected into
the system [
        <xref ref-type="bibr" rid="ref16">16</xref>
        ]. On the other hand, if a chip is overpowered, it can be seriously damaged.
• Clock Attacks: The length of a single cycle can be shortened by forcing a premature
toggling of the clock signal, so that registered bits are sampled before the combinational
logic has settled and are corrupted. To alter the length of the clock cycle, the attacker needs
direct control of the clock line, as typically happens when smart cards are targeted (the card
receives its clock from the reader). As an unplanned clock edge introduces
a glitch in the internal signals, these attacks are also known as Glitch Attacks [
        <xref ref-type="bibr" rid="ref18">18</xref>
        ].
• Heating Attacks: Raising the temperature of the environment in which the target device
operates may be exploited to attack it. Electrons inside the transistors are excited by
the surrounding heat and random currents are generated, which may lead to bit flipping
(both in SRAM memory cells inside processors and in DRAM memory cells) or even
accelerate the ageing of the circuit, with the extreme consequence of its destruction when
the overheating exceeds a given threshold [
        <xref ref-type="bibr" rid="ref27">27</xref>
        ].
• Radiation Attacks: A practical way to induce faults without having to tap into the device
is to cause strong electromagnetic disturbances near it. The eddy currents induced in the
circuit by strong EM pulses cause temporary alterations of the level of a signal, which
may be, for example, recorded by a latch or a flip-flop. As the disturbance becomes
stronger, components of the device may stop working or even be physically
destroyed [
        <xref ref-type="bibr" rid="ref46">46</xref>
        ].
      </p>
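      <p>As an added illustration (not part of the original paper), the following Python simulation shows why a single injected fault, whatever the injection technique, is enough to leak a secret. It assumes a constructed toy textbook-RSA key (p = 61, q = 53, e = 17, no padding) signed with the Chinese Remainder Theorem, and models the fault as one flipped bit in the register holding the q-half intermediate. It also shows the check a practitioner wants: re-verifying the signature with the public exponent before it leaves the device.</p>
<preformat>
```python
"""Single-fault attack on RSA-CRT signing (Bellcore-style), simulated.

Added example, not from the original paper. Assumptions (constructed):
a toy textbook-RSA key p=61, q=53, e=17 with no padding, and a fault
modelled as one flipped bit in the register holding the q-half
intermediate s_q, which is the effect a supply, clock, heating or EM
fault injection aims for. Real keys are 2048+ bits; the algebra is the same.
"""
from math import gcd

P, Q, E = 61, 53, 17                    # constructed toy key
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent
DP, DQ = D % (P - 1), D % (Q - 1)       # CRT exponents
QINV = pow(Q, -1, P)                    # Garner recombination constant


def crt_sign(m, fault_bit=None):
    """RSA-CRT signature of m. If fault_bit is given, flip that bit of
    s_q before recombination, i.e. inject exactly one fault."""
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    if fault_bit is not None:
        s_q ^= 2 ** fault_bit           # the injected fault
    h = (QINV * (s_p - s_q)) % P
    return s_q + h * Q                  # correct mod p, wrong mod q if faulted


def factor_from_pair(s_good, s_bad):
    """Attacker holds a correct and a faulty signature of the same message:
    s_good - s_bad is 0 mod p but not mod q, so the gcd yields p."""
    return gcd(s_good - s_bad, N)


def factor_from_faulty_only(s_bad, m):
    """Attacker holds only the faulty signature and the public key:
    s_bad**e equals m mod p but not mod q, so the gcd again yields p."""
    return gcd(pow(s_bad, E, N) - m, N)


def private_exponent_from_factor(p):
    """With one factor known, the whole private key follows."""
    q = N // p
    return pow(E, -1, (p - 1) * (q - 1))


def safe_crt_sign(m, fault_bit=None):
    """Countermeasure: re-verify with the public exponent before release,
    so a faulty signature never leaves the device."""
    s = crt_sign(m, fault_bit)
    if pow(s, E, N) != m:
        raise RuntimeError("fault detected: signature withheld")
    return s


def fault_is_caught(m, fault_bit):
    """True if safe_crt_sign refuses to output the signature."""
    try:
        safe_crt_sign(m, fault_bit)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    m = 65                              # constructed message
    good, bad = crt_sign(m), crt_sign(m, fault_bit=0)
    p = factor_from_pair(good, bad)
    print("recovered factor:", p, "private exponent:", private_exponent_from_factor(p))
    print("faulty signature released by the checked signer:", not fault_is_caught(m, 0))
```
</preformat>
      <p>The verification step costs one public-exponent exponentiation, which is cheap compared to the CRT signature itself; it does not prevent the fault, it only stops the faulty output from reaching the attacker. Randomising intermediate values or repeating the computation are the other usual mitigations.</p>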
      <p>
        Test-Infrastructure-Based Attacks. Hardware designers systematically rely on
Design-for-Testability and Built-In Self-Test (BIST) methodologies [
        <xref ref-type="bibr" rid="ref13">13</xref>
        ] to improve the testability of the target
system both at the end of production and in the field. Some of these methodologies are so widely
adopted that they have become standards, both de facto and de jure. Examples include, among many others,
IEEE 1149.1 (aka Boundary Scan, or JTAG) and IEEE 1500. Unfortunately, these test infrastructures,
mandatory for reaching the desired levels of testability at an acceptable cost, in most cases create
severe security hazards. As an example, when the pins of a 1149.1 interface are left
accessible from outside the device, a potential attacker can easily exploit the scan chain to shift out the data stored
in the connected flip-flops. Once the positions of the target elements (e.g., registers containing
secret keys) inside the chain are known, the attack is very easily accomplished [
        <xref ref-type="bibr" rid="ref57">57</xref>
        ] [
        <xref ref-type="bibr" rid="ref44">44</xref>
        ].
      </p>
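      <p>As an added illustration (not part of the original paper), the following Python simulation shows how little the attacker needs once a scan chain is reachable: a constructed toy device with a 16-bit secret key register, a 16-bit data register and a 16-bit result register computing result = data XOR key in one functional cycle (a stand-in for one cipher round), with all 48 flip-flops placed on a single scan chain in an order the attacker does not know. Flipping one plaintext bit at a time and comparing scan dumps reveals the key without ever identifying which chain cell holds what, which is the differential scan attack idea behind the cited work. The example also models the practitioner's countermeasure of disabling scan access after production test.</p>
<preformat>
```python
"""Differential scan-chain attack on a toy device, simulated.

Added example, not from the original paper. Assumptions (constructed):
a device with a 16-bit key register, a 16-bit data register and a 16-bit
result register computing result = data XOR key in one functional cycle;
all 48 flip-flops sit on one IEEE 1149.1 scan chain in an order the
attacker does not know (a random permutation stands in for the layout).
"""
import random

WIDTH = 16


def to_bits(value, width=WIDTH):
    """Little-endian bit list of value (bit i of value at index i)."""
    return [int(c) for c in format(value, "0%db" % width)[::-1]]


class ToyChip:
    def __init__(self, key, scan_locked=False, seed=1):
        self.key = key % 2 ** WIDTH
        self.data = 0
        self.result = 0
        self.scan_locked = scan_locked   # True once the test-access fuse is blown
        rng = random.Random(seed)        # constructed: unknown chain order
        self.order = list(range(3 * WIDTH))
        rng.shuffle(self.order)

    def functional_cycle(self, plaintext):
        """Normal mode: load the plaintext and clock one round."""
        self.data = plaintext % 2 ** WIDTH
        self.result = self.data ^ self.key

    def scan_out(self):
        """Test mode: switch to shift and clock the whole chain out on TDO."""
        if self.scan_locked:
            raise PermissionError("scan access disabled")
        flops = to_bits(self.key) + to_bits(self.data) + to_bits(self.result)
        return [flops[i] for i in self.order]


def recover_key(chip, base_plaintext=0xA5C3):
    """Flip one plaintext bit at a time: exactly two chain cells change
    (data_i and result_i) and their XOR is key bit i, so the key is read
    out without ever learning which cell is which."""
    chip.functional_cycle(base_plaintext)
    ref = chip.scan_out()
    key = 0
    for i in range(WIDTH):
        chip.functional_cycle(base_plaintext ^ 2 ** i)
        dump = chip.scan_out()
        changed = [pos for pos, (a, b) in enumerate(zip(ref, dump)) if a != b]
        if len(changed) != 2:
            raise ValueError("unexpected chain response at bit %d" % i)
        key += (ref[changed[0]] ^ ref[changed[1]]) * 2 ** i
    return key


def scan_is_locked(chip):
    """True when the device refuses scan access (the countermeasure)."""
    chip.functional_cycle(0)
    try:
        chip.scan_out()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    victim = ToyChip(key=0xBEEF)
    print("recovered key: 0x%04X" % recover_key(victim))
    hardened = ToyChip(key=0xBEEF, scan_locked=True)
    print("hardened device leaks through scan:", not scan_is_locked(hardened))
```
</preformat>
      <p>Sixteen plaintext pairs suffice here because each key bit depends on one data bit; a real round function mixes bits, so published scan attacks need more pairs and some analysis, but the principle is the same. Blowing the test fuse, authenticating TAP access or scrambling the chain contents are the usual ways to close this channel.</p>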
    </sec>
    <sec id="sec-5">
      <title>Conclusions</title>
      <p>In this paper, we emphasized the importance of the information security aspects related to
hardware, and we have tried to characterize the roles that hardware plays in the security domain. In fact, not
everything related to "hardware" and "security" can be collected into the Hardware Security
field; the different roles should instead be distinguished. First, the hardware can be seen as a component to
be secured, since it may contain vulnerabilities like any other component: this is the actual
domain of Hardware Security. The hardware can also be seen as a means by which to implement
the system's security (Hardware-Based Security). Finally, there are several issues
related to Hardware Trust, which has to do with the authenticity of hardware components
and the fight against counterfeiting.</p>
      <p>We have then proposed a definition of hardware vulnerability and hardware attack,
providing for each of these two concepts a meaningful and comprehensive taxonomy. We classified
vulnerabilities depending on their domain (logical, physical) and on their nature (intentional,
unintentional). We then classified attacks depending on their target (information, property),
their goal to be reached on the target (steal, corrupt, inhibit), the way they are carried out
(invasively, non-invasively) and the domain in which they are implemented (logical, physical).</p>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          [1] Senate Armed Services Committee.
          <article-title>Senate Armed Services Committee Releases Report on Counterfeit Electronic Parts</article-title>
          . https://www.armed-services.senate.gov/press-releases/senate-armed-services-committee-releases-report-on-counterfeit-electronic-parts,
          <year>2012</year>
          . [Online; accessed 16-January-2020].
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2] CVE - Terminology. https://cve.mitre.org/about/terminology.html,
          <year>2019</year>
          . [Online; accessed 26-November-2019].
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3] Information Security - Glossary | CSRC. https://csrc.nist.gov/glossary/term/information-security,
          <year>2019</year>
          . [Online; accessed 25-November-2019].
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>Z.</given-names>
            <surname>Al-Ars</surname>
          </string-name>
          and
          <string-name>
            <surname>A. J. van de Goor.</surname>
          </string-name>
          <article-title>Approximating infinite dynamic behavior for DRAM cell defects</article-title>
          .
          <source>In Proceedings 20th IEEE VLSI Test Symposium (VTS 2002)</source>
          , pages
          <fpage>401</fpage>
          –
          <lpage>406</lpage>
          , April
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>R.</given-names>
            <surname>Anderson</surname>
          </string-name>
          and
          <string-name>
            <given-names>M.</given-names>
            <surname>Kuhn</surname>
          </string-name>
          .
          <article-title>Tamper resistance-a cautionary note</article-title>
          .
          <source>In Proceedings of the second Usenix workshop on electronic commerce</source>
          , volume
          <volume>2</volume>
          , pages
          <fpage>1</fpage>
          –
          <lpage>11</lpage>
          ,
          <year>1996</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          [6]
          <string-name>
            <given-names>R.</given-names>
            <surname>Anderson</surname>
          </string-name>
          and
          <string-name>
            <given-names>M.</given-names>
            <surname>Kuhn</surname>
          </string-name>
          .
          <article-title>Low cost attacks on tamper resistant devices</article-title>
          . In B.
          <string-name>
            <surname>Christianson</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          <string-name>
            <surname>Crispo</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          <string-name>
            <surname>Lomas</surname>
          </string-name>
          , and M. Roe, editors,
          <source>Security Protocols</source>
          , pages
          <fpage>125</fpage>
          –
          <lpage>136</lpage>
          , Berlin, Heidelberg,
          <year>1998</year>
          . Springer Berlin Heidelberg.
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <given-names>R.</given-names>
            <surname>Baldoni</surname>
          </string-name>
          , R. De Nicola, and
          <string-name>
            <given-names>P.</given-names>
            <surname>Prinetto</surname>
          </string-name>
          .
          <article-title>Il Futuro della Cybersecurity in Italia: Ambiti Progettuali Strategici</article-title>
          .
          <source>Consorzio Interuniversitario Nazionale per l'Informatica - CINI</source>
          ,
          <year>2018</year>
          . ISBN:
          <volume>9788894137330</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>A.</given-names>
            <surname>Barenghi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>L.</given-names>
            <surname>Breveglieri</surname>
          </string-name>
          ,
          <string-name>
            <surname>I. Koren</surname>
          </string-name>
          , and
          <string-name>
            <given-names>D.</given-names>
            <surname>Naccache</surname>
          </string-name>
          .
          <article-title>Fault injection attacks on cryptographic devices: Theory, practice, and countermeasures</article-title>
          .
          <source>Proceedings of the IEEE</source>
          ,
          <volume>100</volume>
          (
          <issue>11</issue>
          ):
          <fpage>3056</fpage>
          –
          <lpage>3076</lpage>
          , Nov.
          <year>2012</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref9">
        <mixed-citation>
          [9]
          <string-name>
            <given-names>D. J.</given-names>
            <surname>Bernstein</surname>
          </string-name>
          .
          <article-title>Cache-timing attacks on AES</article-title>
          .
          <year>2005</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref10">
        <mixed-citation>
          [10]
          <string-name>
            <given-names>S.</given-names>
            <surname>Bhunia</surname>
          </string-name>
          and
          <string-name>
            <given-names>M.</given-names>
            <surname>Tehranipoor</surname>
          </string-name>
          .
          <article-title>Hardware Security: A Hands-on Learning Approach</article-title>
          . Morgan Kaufmann,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref11">
        <mixed-citation>
          [11]
          <string-name>
            <given-names>E.</given-names>
            <surname>Biham</surname>
          </string-name>
          and
          <string-name>
            <given-names>A.</given-names>
            <surname>Shamir</surname>
          </string-name>
          .
          <article-title>Differential fault analysis of secret key cryptosystems</article-title>
          .
          <source>In Annual International Cryptology Conference</source>
          , pages
          <fpage>513</fpage>
          –
          <lpage>525</lpage>
          . Springer,
          <year>1997</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref12">
        <mixed-citation>
          [12]
          <string-name>
            <surname>J. Van Bulck</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          <string-name>
            <surname>Minkin</surname>
            ,
            <given-names>O.</given-names>
          </string-name>
          <string-name>
            <surname>Weisse</surname>
            ,
            <given-names>D.</given-names>
          </string-name>
          <string-name>
            <surname>Genkin</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          <string-name>
            <surname>Kasikci</surname>
            ,
            <given-names>F.</given-names>
          </string-name>
          <string-name>
            <surname>Piessens</surname>
            ,
            <given-names>M.</given-names>
          </string-name>
          <string-name>
            <surname>Silberstein</surname>
            ,
            <given-names>T. F.</given-names>
          </string-name>
          <string-name>
            <surname>Wenisch</surname>
            ,
            <given-names>Y.</given-names>
          </string-name>
          <string-name>
            <surname>Yarom</surname>
            , and
            <given-names>R.</given-names>
          </string-name>
          <string-name>
            <surname>Strackx</surname>
          </string-name>
          .
          <article-title>Foreshadow: Extracting the keys to the intel sgx kingdom with transient out-of-order execution</article-title>
          .
          <source>In 27th USENIX Security Symposium (USENIX Security 18)</source>
          , pages
          <fpage>991</fpage>
          –
          <lpage>1008</lpage>
          ,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref13">
        <mixed-citation>
          [13]
          <string-name>
            <given-names>M.</given-names>
            <surname>Bushnell</surname>
          </string-name>
          and
          <string-name>
            <given-names>V.</given-names>
            <surname>Agrawal</surname>
          </string-name>
          .
          <article-title>Essentials of electronic testing for digital, memory and mixed-signal VLSI circuits</article-title>
          , volume
          <volume>17</volume>
          . Springer Science &amp; Business Media,
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref14">
        <mixed-citation>
          [14]
          <string-name>
            <given-names>S. Di</given-names>
            <surname>Carlo</surname>
          </string-name>
          and
          <string-name>
            <given-names>P.</given-names>
            <surname>Prinetto</surname>
          </string-name>
          .
          <article-title>Models in memory testing</article-title>
          .
          <source>In Models in Hardware Testing</source>
          , pages
          <fpage>157</fpage>
          –
          <lpage>185</lpage>
          . Springer,
          <year>2010</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref15">
        <mixed-citation>
          [15]
          <string-name>
            <given-names>C.</given-names>
            <surname>Domas</surname>
          </string-name>
          .
          <source>Hardware backdoors in x86 cpus</source>
          ,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref16">
        <mixed-citation>
          [16]
          <string-name>
            <given-names>P.</given-names>
            <surname>Dusart</surname>
          </string-name>
          , G. Letourneux, and
          <string-name>
            <given-names>O.</given-names>
            <surname>Vivolo</surname>
          </string-name>
          .
          <article-title>Differential fault analysis on AES</article-title>
          .
          <source>In International Conference on Applied Cryptography and Network Security</source>
          , pages
          <fpage>293</fpage>
          –
          <lpage>306</lpage>
          . Springer,
          <year>2003</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref17">
        <mixed-citation>
          [17]
          <string-name>
            <given-names>J.</given-names>
            <surname>Ferrigno</surname>
          </string-name>
          and
          <string-name>
            <given-names>M.</given-names>
            <surname>Hlavac</surname>
          </string-name>
          .
          <article-title>When AES blinks: introducing optical side channel</article-title>
          .
          <source>IET Information Security</source>
          ,
          <volume>2</volume>
          (
          <issue>3</issue>
          ):
          <fpage>94</fpage>
          –
          <lpage>98</lpage>
          , Sep.
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref18">
        <mixed-citation>
          [18]
          <string-name>
            <given-names>T.</given-names>
            <surname>Fukunaga</surname>
          </string-name>
          and
          <string-name>
            <given-names>J.</given-names>
            <surname>Takahashi</surname>
          </string-name>
          .
          <article-title>Practical fault attack on a cryptographic LSI with ISO/IEC 18033-3 block ciphers</article-title>
          .
          <source>In 2009 Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC)</source>
          , pages
          <fpage>84</fpage>
          –
          <lpage>92</lpage>
          , Sep.
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref19">
        <mixed-citation>
          [19]
          <string-name>
            <given-names>M.</given-names>
            <surname>Fyrbiak</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Strauß</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Kison</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Wallat</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Elson</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Rummel</surname>
          </string-name>
          , and
          <string-name>
            <given-names>C.</given-names>
            <surname>Paar</surname>
          </string-name>
          .
          <article-title>Hardware reverse engineering: Overview and open challenges</article-title>
          .
          <source>In 2017 IEEE 2nd International Verification and Security Workshop (IVSW)</source>
          , pages
          <fpage>88</fpage>
          –
          <lpage>94</lpage>
          ,
          <year>July 2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref20">
        <mixed-citation>
          [20]
          <string-name>
            <given-names>Q.</given-names>
            <surname>Ge</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Yarom</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Cock</surname>
          </string-name>
          , and
          <string-name>
            <given-names>G.</given-names>
            <surname>Heiser</surname>
          </string-name>
          .
          <article-title>A survey of microarchitectural timing attacks and countermeasures on contemporary hardware</article-title>
          .
          <source>Journal of Cryptographic Engineering</source>
          ,
          <volume>8</volume>
          (
          <issue>1</issue>
          ):
          <fpage>1</fpage>
          –
          <lpage>27</lpage>
          ,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref21">
        <mixed-citation>
          [21]
          <string-name>
            <given-names>D.</given-names>
            <surname>Genkin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Shamir</surname>
          </string-name>
          , and
          <string-name>
            <surname>E. Tromer.</surname>
          </string-name>
          <article-title>RSA key extraction via low-bandwidth acoustic cryptanalysis</article-title>
          .
          <source>In International cryptology conference</source>
          , pages
          <fpage>444</fpage>
          –
          <lpage>461</lpage>
          . Springer,
          <year>2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref22">
        <mixed-citation>
          [22]
          <string-name>
            <given-names>M.</given-names>
            <surname>Gruhn</surname>
          </string-name>
          and
          <string-name>
            <given-names>T.</given-names>
            <surname>Müller</surname>
          </string-name>
          .
          <article-title>On the Practicability of Cold Boot Attacks</article-title>
          .
          <source>In 2013 International Conference on Availability, Reliability and Security</source>
          , pages
          <fpage>390</fpage>
          –
          <lpage>397</lpage>
          , Sep.
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref23">
        <mixed-citation>
          [23]
          <string-name>
            <given-names>J. A.</given-names>
            <surname>Halderman</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S. D.</given-names>
            <surname>Schoen</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Heninger</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W.</given-names>
            <surname>Clarkson</surname>
          </string-name>
          , W. Paul,
          <string-name>
            <given-names>J. A.</given-names>
            <surname>Calandrino</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A. J.</given-names>
            <surname>Feldman</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Appelbaum</surname>
          </string-name>
          , and
          <string-name>
            <given-names>E. W.</given-names>
            <surname>Felten</surname>
          </string-name>
          .
          <source>Lest We Remember: Cold Boot Attacks on Encryption Keys</source>
          , pages
          <fpage>45</fpage>
          –
          <lpage>60</lpage>
          , 01
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref24">
        <mixed-citation>
          [24]
          <string-name>
            <given-names>T.</given-names>
            <surname>Halevi</surname>
          </string-name>
          and
          <string-name>
            <given-names>N.</given-names>
            <surname>Saxena</surname>
          </string-name>
          .
          <article-title>Keyboard acoustic side channel attacks: exploring realistic and security-sensitive scenarios</article-title>
          .
          <source>International Journal of Information Security</source>
          ,
          <volume>14</volume>
          (
          <issue>5</issue>
          ):
          <fpage>443</fpage>
          –
          <lpage>456</lpage>
          ,
          <year>2015</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref25">
        <mixed-citation>
          [25]
          <string-name>
            <given-names>S.</given-names>
            <surname>Hamdioui</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Danger</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G. Di</given-names>
            <surname>Natale</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Smailbegovic</surname>
          </string-name>
          ,
          <string-name>
            <surname>G. van Battum</surname>
          </string-name>
          , and
          <string-name>
            <given-names>M.</given-names>
            <surname>Tehranipoor</surname>
          </string-name>
          .
          <article-title>Hacking and protecting IC hardware</article-title>
          .
          <source>In 2014 Design, Automation &amp; Test in Europe Conference &amp; Exhibition (DATE)</source>
          , pages
          <fpage>1</fpage>
          –
          <lpage>7</lpage>
          , March
          <year>2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref26">
        <mixed-citation>
          [26]
          <string-name>
            <given-names>N .</given-names>
            <surname>Hatami</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Baranowski</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Prinetto</surname>
          </string-name>
          , and
          <string-name>
            <given-names>H.</given-names>
            <surname>Wunderlich</surname>
          </string-name>
          .
          <article-title>Multilevel simulation of nonfunctional properties by piecewise evaluation</article-title>
          .
          <source>ACM Trans. Des</source>
          . Autom. Electron. Syst.,
          <volume>19</volume>
          (
          <issue>4</issue>
          ):
          <fpage>37:1</fpage>
          –
          <lpage>37:21</lpage>
          ,
          <year>August 2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref27">
        <mixed-citation>
          [27]
          <string-name>
            <given-names>M.</given-names>
            <surname>Hutter</surname>
          </string-name>
          and
          <string-name>
            <surname>J. Schmidt.</surname>
          </string-name>
          <article-title>The temperature side channel and heating fault attacks</article-title>
          .
          <source>In International Conference on Smart Card Research and Advanced Applications</source>
          , pages
          <fpage>219</fpage>
          –
          <lpage>235</lpage>
          . Springer,
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref28">
        <mixed-citation>
          [28]
          <string-name>
            <given-names>S.</given-names>
            <surname>Islam</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Moghimi</surname>
          </string-name>
          , I. Bruhns,
          <string-name>
            <given-names>M.</given-names>
            <surname>Krebbel</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Gulmezoglu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Eisenbarth</surname>
          </string-name>
          , and
          <string-name>
            <given-names>B.</given-names>
            <surname>Sunar</surname>
          </string-name>
          .
          <article-title>Spoiler: Speculative load hazards boost Rowhammer and cache attacks</article-title>
          .
          <source>arXiv preprint arXiv:1903.00446</source>
          ,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref29">
        <mixed-citation>
          [29]
          <string-name>
            <given-names>P.</given-names>
            <surname>Kaushik</surname>
          </string-name>
          and
          <string-name>
            <given-names>R.</given-names>
            <surname>Majumdar</surname>
          </string-name>
          .
          <article-title>Timing attack analysis on AES on modern processors</article-title>
          .
          <source>In 2017 6th International Conference on Reliability, Infocom Technologies and Optimization (Trends and Future Directions) (ICRITO)</source>
          , pages
          <fpage>462</fpage>
          –
          <lpage>465</lpage>
          , Sep.
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref30">
        <mixed-citation>
          [30]
          <string-name>
            <given-names>Y.</given-names>
            <surname>Kim</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Daly</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Kim</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Fallin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J. H.</given-names>
            <surname>Lee</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Lee</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Wilkerson</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Lai</surname>
          </string-name>
          , and
          <string-name>
            <given-names>O.</given-names>
            <surname>Mutlu</surname>
          </string-name>
          .
          <article-title>Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors</article-title>
          .
          <source>In 2014 ACM/IEEE 41st International Symposium on Computer Architecture (ISCA)</source>
          , pages
          <fpage>361</fpage>
          –
          <lpage>372</lpage>
          ,
          <year>June 2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref31">
        <mixed-citation>
          [31]
          <string-name>
            <given-names>P.</given-names>
            <surname>Kocher</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Horn</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Fogh</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Genkin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Gruss</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W.</given-names>
            <surname>Haas</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Hamburg</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Lipp</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Mangard</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Prescher</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Schwarz</surname>
          </string-name>
          , and
          <string-name>
            <given-names>Y.</given-names>
            <surname>Yarom</surname>
          </string-name>
          .
          <article-title>Spectre attacks: Exploiting speculative execution</article-title>
          .
          <source>In 40th IEEE Symposium on Security and Privacy (S&amp;P'19)</source>
          ,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref32">
        <mixed-citation>
          [32]
          <string-name>
            <given-names>P.</given-names>
            <surname>Kocher</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Jaffe</surname>
          </string-name>
          , and
          <string-name>
            <given-names>B.</given-names>
            <surname>Jun</surname>
          </string-name>
          .
          <article-title>Differential power analysis</article-title>
          .
          <source>In Annual International Cryptology Conference</source>
          , pages
          <fpage>388</fpage>
          –
          <lpage>397</lpage>
          . Springer,
          <year>1999</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref33">
        <mixed-citation>
          [33]
          <string-name>
            <given-names>P. C.</given-names>
            <surname>Kocher</surname>
          </string-name>
          .
          <article-title>Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems</article-title>
          .
          <source>In Annual International Cryptology Conference</source>
          , pages
          <fpage>104</fpage>
          –
          <lpage>113</lpage>
          . Springer,
          <year>1996</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref34">
        <mixed-citation>
          [34]
          <string-name>
            <given-names>F.</given-names>
            <surname>Koushanfar</surname>
          </string-name>
          .
          <article-title>Hardware metering: A survey</article-title>
          .
          <source>In Introduction to Hardware Security and Trust</source>
          , pages
          <fpage>103</fpage>
          –
          <lpage>122</lpage>
          . Springer,
          <year>2012</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref35">
        <mixed-citation>
          [35]
          <string-name>
            <given-names>F.</given-names>
            <surname>Koushanfar</surname>
          </string-name>
          and
          <string-name>
            <given-names>G.</given-names>
            <surname>Qu</surname>
          </string-name>
          .
          <article-title>Hardware metering</article-title>
          .
          <source>In Proceedings of the 38th Design Automation Conference (IEEE Cat. No.01CH37232)</source>
          , pages
          <fpage>490</fpage>
          –
          <lpage>493</lpage>
          , June
          <year>2001</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref36">
        <mixed-citation>
          [36]
          <string-name>
            <given-names>Y.</given-names>
            <surname>Li</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Chen</surname>
          </string-name>
          , and
          <string-name>
            <given-names>J.</given-names>
            <surname>Wang</surname>
          </string-name>
          .
          <article-title>Introduction to side-channel attacks and fault attacks</article-title>
          .
          <source>In 2016 Asia-Pacific International Symposium on Electromagnetic Compatibility (APEMC)</source>
          , volume
          <volume>01</volume>
          , pages
          <fpage>573</fpage>
          –
          <lpage>575</lpage>
          , May
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref37">
        <mixed-citation>
          [37]
          <string-name>
            <given-names>M.</given-names>
            <surname>Lipp</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Schwarz</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Gruss</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Prescher</surname>
          </string-name>
          ,
          <string-name>
            <given-names>W.</given-names>
            <surname>Haas</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Fogh</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Horn</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Mangard</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.</given-names>
            <surname>Kocher</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Genkin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Yarom</surname>
          </string-name>
          , and
          <string-name>
            <given-names>M.</given-names>
            <surname>Hamburg</surname>
          </string-name>
          .
          <article-title>Meltdown: Reading kernel memory from user space</article-title>
          .
          <source>In 27th USENIX Security Symposium (USENIX Security 18)</source>
          ,
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref38">
        <mixed-citation>
          [38]
          <string-name>
            <given-names>J.</given-names>
            <surname>Loughry</surname>
          </string-name>
          and
          <string-name>
            <given-names>D. A.</given-names>
            <surname>Umphress</surname>
          </string-name>
          .
          <article-title>Information leakage from optical emanations</article-title>
          .
          <source>ACM Transactions on Information and System Security (TISSEC)</source>
          ,
          <volume>5</volume>
          (
          <issue>3</issue>
          ):
          <fpage>262</fpage>
          –
          <lpage>289</lpage>
          ,
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref39">
        <mixed-citation>
          [39]
          <string-name>
            <given-names>S.</given-names>
            <surname>Mangard</surname>
          </string-name>
          ,
          <string-name>
            <given-names>E.</given-names>
            <surname>Oswald</surname>
          </string-name>
          , and
          <string-name>
            <given-names>T.</given-names>
            <surname>Popp</surname>
          </string-name>
          .
          <article-title>Power analysis attacks: Revealing the secrets of smart cards</article-title>
          , volume
          <volume>31</volume>
          . Springer Science &amp; Business Media
          ,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref40">
        <mixed-citation>
          [40]
          <string-name>
            <given-names>R.</given-names>
            <surname>Pappu</surname>
          </string-name>
          ,
          <string-name>
            <given-names>B.</given-names>
            <surname>Recht</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Taylor</surname>
          </string-name>
          , and
          <string-name>
            <given-names>N.</given-names>
            <surname>Gershenfeld</surname>
          </string-name>
          .
          <article-title>Physical one-way functions</article-title>
          .
          <source>Science</source>
          ,
          <volume>297</volume>
          (
          <issue>5589</issue>
          ):
          <fpage>2026</fpage>
          –
          <lpage>2030</lpage>
          ,
          <year>2002</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref41">
        <mixed-citation>
          [41]
          <string-name>
            <given-names>J.</given-names>
            <surname>Quisquater</surname>
          </string-name>
          and
          <string-name>
            <given-names>D.</given-names>
            <surname>Samyde</surname>
          </string-name>
          .
          <article-title>Electromagnetic analysis (EMA): Measures and counter-measures for smart cards</article-title>
          .
          <source>In International Conference on Research in Smart Cards</source>
          , pages
          <fpage>200</fpage>
          –
          <lpage>210</lpage>
          . Springer,
          <year>2001</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref42">
        <mixed-citation>
          [42]
          <string-name>
            <given-names>R. S.</given-names>
            <surname>Chakraborty</surname>
          </string-name>
          and
          <string-name>
            <given-names>S.</given-names>
            <surname>Bhunia</surname>
          </string-name>
          .
          <article-title>Hardware protection and authentication through netlist level obfuscation</article-title>
          .
          <source>In Proceedings of the 2008 IEEE/ACM International Conference on Computer-Aided Design</source>
          , pages
          <fpage>674</fpage>
          –
          <lpage>677</lpage>
          . IEEE Press,
          <year>2008</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref43">
        <mixed-citation>
          [43]
          <string-name>
            <given-names>V.</given-names>
            <surname>Ranade</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Smith</surname>
          </string-name>
          , and
          <string-name>
            <given-names>B.</given-names>
            <surname>Switala</surname>
          </string-name>
          .
          <article-title>Acoustic side channel attack on ATM keypads</article-title>
          .
          <year>2009</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref44">
        <mixed-citation>
          [44]
          <string-name>
            <given-names>J.</given-names>
            <surname>Da Rolt</surname>
          </string-name>
          ,
          <string-name>
            <given-names>G.</given-names>
            <surname>Di Natale</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Flottes</surname>
          </string-name>
          , and
          <string-name>
            <given-names>B.</given-names>
            <surname>Rouzeyre</surname>
          </string-name>
          .
          <article-title>A novel differential scan attack on advanced DFT structures</article-title>
          .
          <source>ACM Trans. Des. Autom. Electron. Syst.</source>
          ,
          <volume>18</volume>
          (
          <issue>4</issue>
          ):
          <fpage>58:1</fpage>
          –
          <lpage>58:22</lpage>
          , October
          <year>2013</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref45">
        <mixed-citation>
          [45]
          <string-name>
            <given-names>M.</given-names>
            <surname>Rostami</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Koushanfar</surname>
          </string-name>
          , and
          <string-name>
            <given-names>R.</given-names>
            <surname>Karri</surname>
          </string-name>
          .
          <article-title>A primer on hardware security: Models, methods, and metrics</article-title>
          .
          <source>Proceedings of the IEEE</source>
          ,
          <volume>102</volume>
          (
          <issue>8</issue>
          ):
          <fpage>1283</fpage>
          –
          <lpage>1295</lpage>
          , Aug
          <year>2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref46">
        <mixed-citation>
          [46]
          <string-name>
            <given-names>J. M.</given-names>
            <surname>Schmidt</surname>
          </string-name>
          and
          <string-name>
            <given-names>M.</given-names>
            <surname>Hutter</surname>
          </string-name>
          .
          <article-title>Optical and EM fault-attacks on CRT-based RSA: Concrete results</article-title>
          .
          <year>2007</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref47">
        <mixed-citation>
          [47]
          <string-name>
            <given-names>M.</given-names>
            <surname>Schwarz</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Lipp</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Moghimi</surname>
          </string-name>
          ,
          <string-name>
            <surname>J. Van Bulck</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Stecklina</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Prescher</surname>
          </string-name>
          , and
          <string-name>
            <given-names>D.</given-names>
            <surname>Gruss</surname>
          </string-name>
          .
          <article-title>ZombieLoad: Cross-privilege-boundary data sampling</article-title>
          .
          <source>arXiv preprint arXiv:1905.05726</source>
          ,
          <year>2019</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref48">
        <mixed-citation>
          [48]
          <string-name>
            <given-names>M.</given-names>
            <surname>Schwarz</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Weiser</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Gruss</surname>
          </string-name>
          ,
          <string-name>
            <given-names>C.</given-names>
            <surname>Maurice</surname>
          </string-name>
          , and
          <string-name>
            <given-names>S.</given-names>
            <surname>Mangard</surname>
          </string-name>
          .
          <article-title>Malware guard extension: Using SGX to conceal cache attacks</article-title>
          .
          <source>In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment</source>
          , pages
          <fpage>3</fpage>
          –
          <lpage>24</lpage>
          . Springer,
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref49">
        <mixed-citation>
          [49]
          <string-name>
            <given-names>M.</given-names>
            <surname>Seaborn</surname>
          </string-name>
          and
          <string-name>
            <given-names>T.</given-names>
            <surname>Dullien</surname>
          </string-name>
          .
          <article-title>Exploiting the DRAM Rowhammer bug to gain kernel privileges</article-title>
          .
          <source>Black Hat</source>
          ,
          <volume>15</volume>
          ,
          <year>2015</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref50">
        <mixed-citation>
          [50]
          <string-name>
            <given-names>Q.</given-names>
            <surname>Shi</surname>
          </string-name>
          ,
          <string-name>
            <given-names>H.</given-names>
            <surname>Wang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>N.</given-names>
            <surname>Asadizanjani</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M. M.</given-names>
            <surname>Tehranipoor</surname>
          </string-name>
          , and
          <string-name>
            <given-names>D.</given-names>
            <surname>Forte</surname>
          </string-name>
          .
          <article-title>A comprehensive analysis on vulnerability of active shields to tilted microprobing attacks</article-title>
          .
          <source>In 2018 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)</source>
          , pages
          <fpage>98</fpage>
          –
          <lpage>103</lpage>
          , Dec
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref51">
        <mixed-citation>
          [51]
          <string-name>
            <given-names>S.</given-names>
            <surname>Skorobogatov</surname>
          </string-name>
          .
          <article-title>Data remanence in flash memory devices</article-title>
          .
          <source>In International Workshop on Cryptographic Hardware and Embedded Systems</source>
          , pages
          <fpage>339</fpage>
          –
          <lpage>353</lpage>
          . Springer,
          <year>2005</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref52">
        <mixed-citation>
          [52]
          <string-name>
            <given-names>S.</given-names>
            <surname>Skorobogatov</surname>
          </string-name>
          .
          <article-title>How microprobing can attack encrypted memory</article-title>
          .
          <source>In 2017 Euromicro Conference on Digital System Design (DSD)</source>
          , pages
          <fpage>244</fpage>
          –
          <lpage>251</lpage>
          , Aug
          <year>2017</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref53">
        <mixed-citation>
          [53]
          <string-name>
            <given-names>P.</given-names>
            <surname>Socha</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Brejnk</surname>
          </string-name>
          , and
          <string-name>
            <given-names>M.</given-names>
            <surname>Bartik</surname>
          </string-name>
          .
          <article-title>Attacking AES implementations using correlation power analysis on Zybo Zynq-7000 SoC board</article-title>
          .
          <source>In 2018 7th Mediterranean Conference on Embedded Computing (MECO)</source>
          , pages
          <fpage>1</fpage>
          –
          <lpage>4</lpage>
          , June
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref54">
        <mixed-citation>
          [54]
          <string-name>
            <given-names>R.</given-names>
            <surname>Spreitzer</surname>
          </string-name>
          ,
          <string-name>
            <given-names>V.</given-names>
            <surname>Moonsamy</surname>
          </string-name>
          ,
          <string-name>
            <given-names>T.</given-names>
            <surname>Korak</surname>
          </string-name>
          , and
          <string-name>
            <given-names>S.</given-names>
            <surname>Mangard</surname>
          </string-name>
          .
          <article-title>Systematic classification of side-channel attacks: a case study for mobile devices</article-title>
          .
          <year>2018</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref55">
        <mixed-citation>
          [55]
          <string-name>
            <given-names>K.</given-names>
            <surname>Xiao</surname>
          </string-name>
          ,
          <string-name>
            <given-names>D.</given-names>
            <surname>Forte</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Jin</surname>
          </string-name>
          ,
          <string-name>
            <given-names>R.</given-names>
            <surname>Karri</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Bhunia</surname>
          </string-name>
          , and
          <string-name>
            <given-names>M.</given-names>
            <surname>Tehranipoor</surname>
          </string-name>
          .
          <article-title>Hardware trojans: Lessons learned after one decade of research</article-title>
          .
          <source>ACM Transactions on Design Automation of Electronic Systems (TODAES)</source>
          ,
          <volume>22</volume>
          (
          <issue>1</issue>
          ):
          <fpage>6</fpage>
          ,
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref56">
        <mixed-citation>
          [56]
          <string-name>
            <given-names>Y.</given-names>
            <surname>Xiao</surname>
          </string-name>
          ,
          <string-name>
            <given-names>X.</given-names>
            <surname>Zhang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>Y.</given-names>
            <surname>Zhang</surname>
          </string-name>
          , and
          <string-name>
            <given-names>R.</given-names>
            <surname>Teodorescu</surname>
          </string-name>
          .
          <article-title>One bit flips, one cloud flops: Cross-VM row hammer attacks and privilege escalation</article-title>
          .
          <source>In 25th USENIX Security Symposium (USENIX Security 16)</source>
          , pages
          <fpage>19</fpage>
          –
          <lpage>35</lpage>
          ,
          <year>2016</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref57">
        <mixed-citation>
          [57]
          <string-name>
            <given-names>B.</given-names>
            <surname>Yang</surname>
          </string-name>
          ,
          <string-name>
            <given-names>K.</given-names>
            <surname>Wu</surname>
          </string-name>
          , and
          <string-name>
            <given-names>R.</given-names>
            <surname>Karri</surname>
          </string-name>
          .
          <article-title>Scan based side channel attack on dedicated hardware implementations of Data Encryption Standard</article-title>
          .
          <source>In 2004 International Conference on Test</source>
          , pages
          <fpage>339</fpage>
          –
          <lpage>344</lpage>
          , Oct
          <year>2004</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref58">
        <mixed-citation>
          [58]
          <string-name>
            <given-names>Y.</given-names>
            <surname>Yarom</surname>
          </string-name>
          and
          <string-name>
            <given-names>K.</given-names>
            <surname>Falkner</surname>
          </string-name>
          .
          <article-title>Flush+Reload: a high resolution, low noise, L3 cache side-channel attack</article-title>
          .
          <source>In 23rd USENIX Security Symposium (USENIX Security 14)</source>
          , pages
          <fpage>719</fpage>
          –
          <lpage>732</lpage>
          ,
          <year>2014</year>
          .
        </mixed-citation>
      </ref>
      <ref id="ref59">
        <mixed-citation>
          [59]
          <string-name>
            <given-names>B. B.</given-names>
            <surname>Yilmaz</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Prvulovic</surname>
          </string-name>
          , and
          <string-name>
            <given-names>A.</given-names>
            <surname>Zajić</surname>
          </string-name>
          .
          <article-title>Electromagnetic side channel information leakage created by execution of series of instructions in a computer processor</article-title>
          .
          <source>IEEE Transactions on Information Forensics and Security</source>
          ,
          <volume>15</volume>
          :
          <fpage>776</fpage>
          –
          <lpage>789</lpage>
          ,
          <year>2020</year>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>