The globalization of the Integrated Circuit (IC) supply chain, driven by time-to-market and cost considerations, has made ICs vulnerable to hardware Trojans (HTs). Against this threat, a promising approach is Machine Learning (ML)-based side-channel analysis, which has the advantage of being non-intrusive while efficiently detecting HTs in golden-chip-free settings. In this paper, we question the trustworthiness of ML-based HT detection via side-channel analysis. We introduce an HT obfuscation (HTO) approach that allows HTs to bypass this detection method. Rather than misleading the model only in theory with simulated adversarial traces, a key aspect of our approach is the design and implementation of adversarial noise as part of the circuitry, alongside the HT. We detail HTO methodologies for ASICs and FPGAs, and evaluate our approach using the TrustHub benchmark. Interestingly, we find that for ASIC designs HTO can be implemented with only a single transistor, generating adversarial power traces that fool the defense with 100% efficiency. We also efficiently implemented our approach on a Spartan 6 Xilinx FPGA using two different variants: (i) a DSP-slice-based design and (ii) a ring-oscillator-based design. Additionally, we assess the efficiency of countermeasures such as spectral-domain analysis, and we show that an adaptive attacker can still design evasive HTOs by constraining the design with a spectral noise budget. Furthermore, while adversarial training (AT) offers higher protection against evasive HTs, AT models suffer from a considerable utility loss, potentially rendering them unsuitable for such a security application. We believe this research represents a significant step in understanding and exploiting ML vulnerabilities in a hardware security context, and we make all resources and designs openly available online: https://dev.d18uu4lqwhbmka.amplifyapp.com