Abstract
Malicious modification of integrated circuits in an untrusted design house or foundry has emerged as a major security threat. Such modifications, popularly referred to as Hardware Trojans, are difficult to detect during manufacturing test. Sequential hardware Trojans, usually triggered by a sequence of rare events, represent a common and deadly form of Trojans that can be extremely hard to detect using logic testing approaches. Side-channel analysis has emerged as an effective approach for detection of hardware Trojans. However, existing side-channel approaches suffer from increasing process variations, which largely reduce the detection sensitivity and set a lower limit on the size of detectable Trojans. In this paper, we present TeSR, a Temporal Self-Referencing approach that compares the current signature of a chip at two different time windows to isolate the Trojan effect. Since it uses a chip as a reference to itself, the method completely eliminates the effect of process noise and other design marginalities (e.g. capacitive coupling), thus providing high detection sensitivity for Trojans of varying size. Furthermore, unlike most of the existing approaches, TeSR does not require a golden reference chip instance, which may impose a major limitation. Associated test generation, test application, and signature comparison approaches aimed at maximizing Trojan detection sensitivity are also presented. Simulation results for three complex sequential designs and three representative sequential Trojan circuits demonstrate the effectiveness of the approach under large inter- and intra-die process variations. The approach is also validated with current measurement results from several Xilinx Virtex-II FPGA chips.
Additional information
Responsible Editor: S. Hamdioui
Appendices
Appendix A: Reachability Analysis
Algorithm 2 elaborates the reachability analysis, which is based on breadth-first traversal. $S_0$ is the root state under consideration. $G$ is the FSM state transition graph (STG) in adjacency-list representation, in which each edge (corresponding to one state transition) has an associated property $v(S_1, S_2)$ indicating the set of input vectors that can trigger this transition. The reason for using an adjacency-list instead of an adjacency-matrix representation is that most FSM STGs are sparse graphs, and the adjacency-list representation also favors the image computation of each state. $\mathit{Reached}$ stands for the set of states reachable from $S_0$, which is the goal of the entire calculation. $\mathit{Frontier}$ represents the current frontier states as the breadth-first traversal proceeds. Function $\mathit{Img}(S_i, G)$ calculates the states that are reachable from $S_i$ in one step, and is defined as follows, where $S$ is the set of states in $G$, and $E \subseteq S \times S$ is the set of edges in $G$:
In fact, the image computation can be easily realized by looking into the adjacency list of the root state, as all the directly reachable states are stored in the same list. As implied by the name, breadth-first traversal expands the search uniformly across the frontier, during which the input vector set dictated by the transition function property $v(S_1, S_2)$ is appended to that of the previous path, and the sequence of input vector sets is associated with each newly identified reachable state as property $S_j \cdot I$. The iterative process continues until no new states beyond $\mathit{Reached}$ are encountered, namely until $\mathit{Frontier}$ is empty.
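The traversal described in this appendix, written out as an added Python example (it is not the paper's Algorithm 2 listing). The state names, input vectors and the dictionary layout of the STG are constructed for illustration; `img` reads the one-step image from the adjacency list as the text describes, and `seq` holds the per-state property $S_j \cdot I$.

```python
# Constructed STG in adjacency-list form: G[s] is a list of
# (next_state, v(s, next_state)) pairs, where v is the set of input
# vectors that trigger the transition. All names here are hypothetical.
G = {
    "S0": [("S1", {"00", "01"}), ("S2", {"11"})],
    "S1": [("S1", {"00"}), ("S3", {"10"})],
    "S2": [("S3", {"01"})],
    "S3": [("S0", {"11"}), ("S4", {"00"})],
    "S4": [],
    "S5": [("S0", {"00"})],  # has an edge into S0 but is not reachable from it
}

def img(s, g):
    """Img(S_i, G): one-step successors of s, read from its adjacency list.

    Returns {next_state: input-vector set}; parallel edges are merged.
    """
    out = {}
    for nxt, vectors in g.get(s, []):
        out.setdefault(nxt, set()).update(vectors)
    return out

def reachability(s0, g):
    """Breadth-first reachability from s0.

    Returns (reached, seq) where seq[s] is the sequence of input-vector
    sets along the first (shortest) path found from s0 to s.
    """
    reached = {s0}
    seq = {s0: []}
    frontier = {s0}
    while frontier:                      # stop when no new states appear
        next_frontier = set()
        for s in sorted(frontier):       # sorted only to make runs repeatable
            for nxt, vectors in sorted(img(s, g).items()):
                if nxt not in reached:
                    reached.add(nxt)
                    seq[nxt] = seq[s] + [frozenset(vectors)]
                    next_frontier.add(nxt)
        frontier = next_frontier
    return reached, seq

if __name__ == "__main__":
    reached, seq = reachability("S0", G)
    for state in sorted(reached):
        print(state, [sorted(v) for v in seq[state]])
```

Any one vector picked from each set in `seq[s]`, applied in order from the root state, drives the FSM to `s`.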
Appendix B: Proof of the Impracticality of Low Overhead Correlated Trojan
Definition 1
A state machine $F_o$ could be expressed as $F_o = \{S_o, T_o\}$, where $S_o$ is the set of states and $T_o$ is the set of transition paths.
Definition 2
Function $P$ determines the power consumed during the $k$th clock cycle (or transition) by $F_o$ during a given test trial due to a transition from state $S_{o,i}$ to $S_{o,j}$ over the path $T_{o,k}$.
TeSR checks whether, for the same $T_{o,k}$, $\mathit{Power}_{o,k}$ is equal in different test trials (i.e., for trials $n$ and $n+1$, $\mathit{Power}_{o,k,n} = \mathit{Power}_{o,k,n+1}$).
Definition 3
Function $C$ determines the clock cycles required to move $F_o$ from state $S_{o,i}$ to $S_{o,j}$.
Definition 4
$S_{in}$: Initial states in $F_o$ from which MERO patterns are being applied.
Definition 5
$S_{re}$: Re-initializing states in $F_o$ from which $S_{in}$ is reached back to initiate the next test trial.
Theorem 1
A TeSR-undetectable state machine $F_e$ that is a correlated version of $F_o$ exists if and only if $|T_e| \ge |T_o| \lor |S_e| \ge |S_o|$.
Proof
If $|T_e| < |T_o|$, assume $T_o - T_e = T_x$.
To make $F_e$ undetectable: $S_{o,in} \in |S_e|$ and $S_{o,re} \in |S_e|$.
If $T_x \in (S_{o,in} \to S_{o,re})$, then after $F_o$ and $F_e$ are traversed through path $S_{o,in} \to S_{o,re}$ simultaneously for $n$ trials:
Therefore, we can assume that after $\mathit{Clock}_{o,k}$, during the same test trial:
Consequently, after $\mathit{Clock}_{o,k}$ in two different test trials:
Therefore, $\mathit{Power}_{e,k,n} \ne \mathit{Power}_{e,k,n+1}$.
Furthermore, if $|S_e| < |S_o|$, assume $S_o - S_e = S_x$.
Since for any $S_x$, corresponding $T_x$(s) exist, it can be stated that $\mathit{Power}_{e,k,n} \ne \mathit{Power}_{e,k,n+1}$.
Therefore we have established that if $|T_e| < |T_o| \lor |S_e| < |S_o|$, state machine $F_e$ would be detected by TeSR. □
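The per-transition check from Definition 2, that the same transition draws the same power in trial $n$ and trial $n+1$, as an added Python sketch (not code from the paper). The power model (bit flips between state encodings), the per-chip scale factor standing in for process variation, and the 4-bit Trojan counter are all assumptions made for this toy.

```python
def hamming(a, b):
    """Number of bits that toggle between two state encodings."""
    return bin(a ^ b).count("1")

class Chip:
    """Toy chip: current per cycle = scale * toggled bits (assumed model)."""

    def __init__(self, scale, trojan_trigger=None):
        self.scale = scale             # process variation, fixed per chip
        self.trigger = trojan_trigger  # state that advances the Trojan, or None
        self.counter = 0               # Trojan state, not reset between trials

    def trial(self, states):
        """Apply one test trial and return the per-transition current trace."""
        trace = []
        for prev, cur in zip(states, states[1:]):
            activity = hamming(prev, cur)
            if self.trigger is not None and cur == self.trigger:
                nxt = (self.counter + 1) % 16      # hypothetical 4-bit counter
                activity += hamming(self.counter, nxt)
                self.counter = nxt
            trace.append(self.scale * activity)
        return trace

def tesr_compare(chip, states, tol=1e-9):
    """Run two consecutive trials on the same chip; return the indices k
    where the current of transition k differs between the two windows."""
    window_n = chip.trial(states)
    window_n1 = chip.trial(states)
    return [k for k, (a, b) in enumerate(zip(window_n, window_n1))
            if abs(a - b) > tol]

# Constructed trial: starts in the initial state 0b000 and is re-initialized
# back to it at the end, so the original FSM repeats exactly every trial.
TRIAL = [0b000, 0b011, 0b101, 0b110, 0b000]

if __name__ == "__main__":
    print("clean chip, scale 1.17 :", tesr_compare(Chip(1.17), TRIAL))
    print("Trojan chip, scale 0.85:", tesr_compare(Chip(0.85, 0b101), TRIAL))
```

Because both windows come from the same chip, the scale factor cancels in the comparison; only state that survives re-initialization, here the Trojan counter, makes the two windows differ.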
Cite this article
Hoque, T., Narasimhan, S., Wang, X. et al. Golden-Free Hardware Trojan Detection with High Sensitivity Under Process Noise. J Electron Test 33, 107–124 (2017). https://doi.org/10.1007/s10836-016-5632-y
DOI: https://doi.org/10.1007/s10836-016-5632-y