xuwei ye,jianhua feng,haoran gong,chunhua he,weilei feng

DOI: https://doi.org/10.1109/edssc.2015.7285146

2015-01-01

Abstract:Hardware Trojan, realized by malicious modification of design characteristics, has emerged as a major security concern. The recently proposed Trojan detection methods arc mainly classified into two categories: side-channel signal analysis and logic testing. Due to the stealthy nature of Trojan circuits, it's difficult to activate Trojans to perform logic testing. In this paper, an activation probability-based approach is proposed. A probability obfuscation scan chain (POSC) is presented aiming at increasing the difficulty of Trojan insertion and increasing the activation probability of the Trojan circuits. It proves to be very effective in detecting the presence of a Trojan in a circuit. Experimental results on ISCAS benchmark circuits show that this approach can effectively increase Trojan activation probability and make the detection of the Trojan more easily.

Yumin Hou,Hu He,Kaveh Shamsi,Yier Jin,Dong Wu,Huaqing Wu

DOI: https://doi.org/10.1109/hst.2018.8383914

2018-01-01

Abstract:With the globalization of semiconductor industry, hardware security issues have been gaining increasing attention. Among all hardware security threats, the insertion of hardware Trojans is one of the main concerns. Meanwhile, many current Trojan detection solutions follow the assumption that the hardware Trojan itself should be composed of digital logic. This assumption is invalidated by recently proposed analog Trojans which are extremely small and can detect rare events. This paper proposes a runtime hardware Trojan detection method which is geared towards detecting such advanced Trojans. The principle of this method is to guard a set of concerned signals, and initiate a hardware interrupt request when abnormal toggling events occur in these guarded signals. To prove the effectiveness of this method, we design a processor based on ARMv7-A&R ISA, and insert an analog Trojan into the processor. We fabricated the design in the SMIC 130 nm process and demonstrate the effectiveness of the proposed methodology.

Kaige Qu,Liji Wu,Xiangmin Zhang

DOI: https://doi.org/10.1109/CIS.2015.80

2015-01-01

Abstract:Hardware trojan detection is paid more and more attention in recent years due to the great potential threat imposed by hardware trojan to the whole integrated circuit industry. In this paper, ring oscillator network based hardware trojan detection method is tactfully implemented in FPGA and a novel corresponding detection algorithm is proposed. Incremental compilation technique is applied to design ring oscillator network and to insert trojans in FPGA. The method is verified effective for both sequential and combinational trojans. The trojans can be found with up to 20 to 200 times of detecting measurement based on their active status. Particularly, besides dynamic power consumption, extra static power consumed by trojan circuits are also used to differentiate trojan-free and trojan-inserted circuits.

Der-Chen Huang,Chun-Fang Hsiao,Tin-Wei Chang,Ying-Yi Chu

DOI: https://doi.org/10.1186/s13638-022-02165-9

2022-09-07

EURASIP Journal on Wireless Communications and Networking

Abstract:Recently, the issue of malicious circuit alteration and attack draws more attention than ever before due to the globalization of IC design and manufacturing. Malicious circuits, also known as hardware Trojans, are found able to degrade the circuit performance or even leak confidential information, and accordingly it is definitely an issue of immediate concern to develop detection techniques against hardware Trojans. This paper presents a ring oscillator-based detection technique to improve the hardware Trojan detection performance. A circuit under test is divided into a great number of blocks, path assignment is optimized using a path tracking algorithm, and a high coverage is reached accordingly.

telecommunications,engineering, electrical & electronic

Fan Zhang,Chen Dong,Wucheng Hu,Jinghui Chen,Guorong He

DOI: https://doi.org/10.1109/IAEAC47372.2019.8997863

2019-01-01

Abstract:EDA tools almost completely automate the current chip design. However, EDA tools are all provided by third-party companies, therefore the credibility of EDA tools and the trust issues brought by their process libraries have attracted people's attention. Given these problems, this paper proposes a self-training hardware Trojan confrontation framework based on machine learning embedded in EDA tools. The framework focuses on the gate-level netlist files generated during the integrated chip comprehensive optimization phase, thereby detects, locates and deletes hardware Trojans that may appear. The experimental results show that the framework can achieve more than 85% detection effect for unknown hardware Trojans. Moreover, for known hardware Trojans, this framework can achieve almost 100% detection. Accordingly, hardware Trojans can be located and deleted.

Yumin Hou,Hu He,Kaveh Shamsi,Yier Jin,Dong Wu,Huaqiang Wu

DOI: https://doi.org/10.1109/tcad.2018.2864246

IF: 2.9

2019-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:With the globalization of semiconductor industry, hardware security issues have been gaining increasing attention. Among all hardware security threats, the insertion of hardware Trojans is one of the main concerns. Meanwhile, many current Trojan detection solutions follow the assumption that the hardware Trojan itself should be composed of digital logic. This assumption is invalidated by recently proposed analog Trojans which are extremely small and can detect rare events. This paper proposes a runtime hardware Trojan detection method which is geared toward detecting such advanced Trojans. The principle of this method is to guard a set of concerned signals, and initiate a hardware interrupt request when abnormal toggling events occur in these guarded signals. To prove the effectiveness of this method, we design a processor based on ARMv7-A&R ISA, and insert an analog Trojan into the processor. We fabricated the design in an SMIC 130-nm process and demonstrate the effectiveness of the proposed methodology.

Lei LI,Zijing SHANG,Jianhua FENG,Xing ZHANG,Huiyao AN

2013-01-01

Abstract:According to the hardware Trojans inserted during design and fabrication, the authors provide a new model of Trojan. New model is based on a finite state machine which is more difficult to trigger and detect than those based on combinational circuits. Also, the locations in target circuits to insert Trojans are considered to avoid being detected using path delay fingerprint method. S349 circuit from ISCAS'89 benchmark circuits is chosen as the target circuit. Functional simulations are performed and delay information is simulated. The results show that this type of hardware Trojan is difficult to activate and the insertion method is effective to hide delay information.

Tony F. Wu,Karthik Ganesan,Yunqing Alexander Hu,H.-S. Philip Wong,Simon Wong,Subhasish Mitra

DOI: https://doi.org/10.1109/TCAD.2015.2474373

2015-08-25

Abstract:There are increasing concerns about possible malicious modifications of integrated circuits (ICs) used in critical applications. Such attacks are often referred to as hardware Trojans. While many techniques focus on hardware Trojan detection during IC testing, it is still possible for attacks to go undetected. Using a combination of new design techniques and new memory technologies, we present a new approach that detects a wide variety of hardware Trojans during IC testing and also during system operation in the field. Our approach can also prevent a wide variety of attacks during synthesis, place-and-route, and fabrication of ICs. It can be applied to any digital system, and can be tuned for both traditional and split-manufacturing methods. We demonstrate its applicability for both ASICs and FPGAs. Using fabricated test chips with Trojan emulation capabilities and also using simulations, we demonstrate: 1. The area and power costs of our approach can range between 7.4-165% and 0.07-60%, respectively, depending on the design and the attacks targeted; 2. The speed impact can be minimal (close to 0%); 3. Our approach can detect 99.998% of Trojans (emulated using test chips) that do not require detailed knowledge of the design being attacked; 4. Our approach can prevent 99.98% of specific attacks (simulated) that utilize detailed knowledge of the design being attacked (e.g., through reverse-engineering). 5. Our approach never produces any false positives, i.e., it does not report attacks when the IC operates correctly.

Hardware Architecture,Cryptography and Security

Shenghua Yang,Lei Li,Jianhao Hu,Wanting Zhou,Xueying Li

DOI: https://doi.org/10.2991/mmsa-18.2018.107

2018-01-01

Abstract:The insidious of Hardware Trojans (HT) makes it hardly to active in the Integrated Circuit(IC). We designed a special structure, been named AND-AND or OR-OR, which is inserted in the critical points that HT is liable to insert by analyze the characteristics of the IC. Then the state turnover rate of these notes will be greatly improved, and the activate time of HT that driven by these notes will be reduced. The implementation results of UART benchmarks prove that this method can significantly increase the activity of Hardware Trojans and improve the detection efficiency. Compared with the previous method such as inserting Dummy flip-flop or MFTD structure, not only will our method reduce the number of input ports and the consumption of the area, but it will easier to control. Keywords—AND-AND; OR-OR; Trojan detection; transition probability; quickly activate

Xinming Wei,Jiaxi Zhang,Guojie Luo

DOI: https://doi.org/10.1109/sp54263.2024.00160

2024-01-01

Abstract:Due to the escalating complexity of chip design and the exorbitant cost of building cutting-edge manufacturing facilities, outsourcing the fabrication of Integrated Circuits (ICs) is prevalent in modern semiconductor industry. However, significant security risks may arise because untrustworthy foundries can conduct insidious attacks without close supervision. Since prior works show the feasibility of implementing practical foundry-level Trojan attacks that circumvent post-fabrication detection, IC designers should protect their IC layouts before sending them to a third-party foundry, and such protections are known as design-time defenses. To this end, security metrics for layout vulnerability assessment are crucial to test the effectiveness of the proposed defenses. However, existing metrics are geometric-only and Trojan-oblivious, failing to capture the fundamental aspects of foundry-level Trojan insertion and the associated side effects.To bridge the gap between real attacks and threat prediction, we present SiliconCritic, a simulation-based, extensible framework that leverages design-time techniques to simulate the blackbox foundry-level Trojan attacks and post-fabrication analysis. SiliconCritic encodes the difficulty of inserting a specific Trojan into a finalized physical layout by measuring the variation of side-channel parameters (timing, power) after the simulated Trojan insertion, where larger deviations denote better detectability and thus enhanced security. SiliconCritic allows IC designers to interactively refine defensive strategies against the objective Trojan based on the feedback of side-channel analysis. Through evaluations on real-world ASIC designs and reported hardware Trojans, SiliconCritic demonstrates the limitations of existing layout-level defenses and highlights the influence of Trojan properties on defensive efficacy. Our work refreshes the understanding of Trojan prevention and suggests future directions for defenses against untrustworthy foundries.

Ruochen Dai,Tuba Yavuz

DOI: https://doi.org/10.48550/arXiv.2111.03989

2021-11-07

Abstract:Due to the globalization of Integrated Circuit (IC) supply chain, hardware trojans and the attacks that can trigger them have become an important security issue. One type of hardware Trojans leverages the don't care transitions in Finite State Machines (FSMs) of hardware designs. In this paper, we present a symbolic approach to detecting don't care transitions and the hidden Trojans. Our detection approach works at both RTL and gate-level, does not require a golden design, and works in three stages. In the first stage, it explores the reachable states. In the second stage, it performs an approximate analysis to find the don't care transitions. In the third stage, it performs a state-space exploration from reachable states that have incoming don't care transitions to find behavioral discrepancies with respect to what has been observed in the first stage. We also present a pruning technique based on the reachability of FSM states. We present a methodology that leverages both RTL and gate-level for soundness and efficiency. Specifically, we show that don't care transitions must be detected at the gate-level, i.e., after synthesis has been performed, for soundness. However, under specific conditions, Trojan detection can be performed more efficiently at RTL. Evaluation of our approach on a set of benchmarks from OpenCores and TrustHub and using gate-level representation generated by two synthesis tools, Yosys and Synopsis Design Compiler (SDC), shows that our approach is both efficient (up to 10X speedup w.r.t. no pruning) and precise (0% false positives) in detecting don't care transitions and the Trojans that leverage them. Additionally, the total analysis time can achieve up to 3.40X (using Yosys) and 2.52X (SDC) speedup when synthesis preserves the FSM structure and the Trojan detection is performed at RTL.

Symbolic Computation

Yumin Hou,Hu He,Kaveh Shamsi,Yier Jin,Dong Wu,Huaqiang Wu

2018-01-01

Abstract:This demo will show a fabricated analog hardware Trojan detection method. This design mainly targets on A2-like Trojans which are triggered by a successive toggling events. The principle of the detection method is to guard a set of concerned signals, and initiate a hardware interrupt request when abnormal toggling events occur in these guarded signals. We design a processor based on ARMv7-A&R ISA, and insert an analog Trojan into the processor. The detection mechanism is also implemented in this processor. We also fabricate a proof-ofconcept chip in the SMIC 130 nm Mixed-Signal 1P7M process and demonstrate that the analog Trojan works on the ARM processor, and the detection method is effective in detecting the analog Trojan. I. HARDWARE ARCHITECTURE A. The ARM-compatible Processor We propose a fused microarchitecture based on the ARMv7A&R ISA. This ARM processor is named Merlin. Using michroarchitectural techniques, Merlin expands the DSP capabilities of the ARM processor. Merlin supports most traditional ARM instructions, but does not support some ISA extensions, such as Thumb, ThumbEE, Jazelle, Floating-point, and Advanced SIMD. We realize 181 ARM instructions in total, which is enough to run common benchmarks, such as DhryStone, CoreMark, DSPStone, and EEMBC telecom. There are 7 execution modes defined in ARMv7-A&R ISA, while Merlin works only under user mode. Merlin adopts a fused microarchitecture integrating in-order superscalar and VLIW. Normally, Merlin works under dual-issue in-order superscalar mode. It can be switched to 6-issue VLIW mode when the task is compute intensive. Mode switch can be performed through software. Merlin can be used as an MCU, or a DSP under different application scenarios. Merlin has 16 KB of on-chip L1 instruction Cache, with a 256-bit wide port, and 32 KB dual-port data memory, with each port being 64-bits wide. Merlin has 6 functional units, consisting of 2 arithmetic units (A), 2 multiply units (M), and 2 load/store units (D). An SoC is designed, where Merlin is used as an MCU. The chip diagram is shown in Figure 1. On this chip, Merlin is integrated with DMA, ROM, SRAM, four 128KB embedded ReRAM, and a variety of peripheral I/O. The Dhrystone performance of Merlin is 1.9 DMIPS/MHz, which is comparable to ARM Cortex-A8 processors. B. A2-like Analog Trojan in Merlin A2 is a small analog circuit, which can be inserted into an already placed and routed design. It reads a digital pulse signal (the trigger input), and triggers the payload when the pulse signal has toggled with a high frequently for a certain period of time. The trigger input is connected to a signal that can be toggled with high frequency through a special code snipper running on the processor. The attacker insures that the trigger signal has a much lower toggle rate during typical workloads. This makes detecting the hardware Trojan difficult through testing, not to mention that there exists many low toggling frequency bits in modern processors. When inserting the analog Trojan trigger circuit into the Merlin processor, we should first select a viable trigger input. The trigger input should have low toggling rate in common cases. It should be controllable through software, so that the trigger code can make it toggle at high frequency to launch the attack. CPSR (Current Program Status Register) is a software reachable register. The definition of CPSR is shown in Figure 2. We select the CPSR J bit as the trigger input. Since Merlin does not support ISA extensions, this bit has no function. We use R0 as the attack payload. Once the attack is triggered, the value store in R0 will be modified. We generate the trigger input by frequently writing 0 and 1 to CPSR J alternatively. When the Trojan is triggered, it changes the value stored in R0 from 0 to 1 so that we can observe the change through a register read. We also attach the trigger output signal ROM ITCM SRAM system SRAM AHB SPI0 system control AHB2APB SD Host Controller DMA PLL RRAM 4×128KB Merlin

Yijun Yang,Liji Wu,Xiangmin Zhang,Jianben He

DOI: https://doi.org/10.1109/icasid.2017.8285766

2017-01-01

Abstract:This paper introduces a hardware Trojan detection method using Chip ID which is generated by Relative Time-Delays (RTD) of sensor chains and the effectiveness of RTD is verified by post-layout simulations. The rank of time-delays of the sensor chains would be changed in Trojan-inserted chip. RTD is an accurate approach targeting to all kinds of Trojans, since it is based on the RELATIVE relationship between the time-delays rather than the absolute values, which are hard to be measured and will change with the fabricate process. RTD needs no golden chip, because the RELATIVE values would not change in most situations. Thus the genuine ID can be generated by simulator. The sensor chains can be inserted into a layout utilizing unused spaces, so RTD is a low-cost solution. A Trojan with 4x minimum NMOS is placed in different places of the chip. The behavior of the chip is obtained by using transient based post-layout simulation. All the Trojans are detected AND located, thus the effectiveness of RTD is verified.

Xiaofei Zhang,Jianhua Feng,Zhoupeng Xue,Yinxuan Lv

DOI: https://doi.org/10.3969/j.issn.1001-0505.2017.S1.029

2017-01-01

Abstract:To reduce the dependency of hardware Trojan on low-controllability nodes,a method for improving the implanted node selection and the internal structure of hardware Trojan was designed. For Trojan implanted nodes, a node searching algorithm for finding low-probability combination from high-controllability nodes was proposed.For low-probability nodes inside Trojan,a Trojan de-sign model based on non-rare events and multi-nodes controlling attack path was presented.By the ISCAS-85 benchmark circuit,the triggering probabilities of Trojans based on low-probability nodes and the combination probability are compared,and a Trojan design with 6-inputs based on the pro-posed method was realized.The experimental results show that the hardware Trojans based on com-bination probability can achieve a comparable(or even lower)triggering probability with that based on low-probability nodes when the numbers of Trojan triggering ports increase.And Trojan internal nodes with a direct impact on Trojan triggering probability can be eliminated by the Trojan design based on non-rare events,protecting Trojan from being triggered by auto-test patterns.Thus,impro-ving the concealment of hardware Trojan.

Wei Hu,Beibei Li,Lingjuan Wu,Yiwei Li,Xuefei Li,Liang Hong

2023-11-21

Abstract:Third-party intellectual property cores are essential building blocks of modern system-on-chip and integrated circuit designs. However, these design components usually come from vendors of different trust levels and may contain undocumented design functionality. Distinguishing such stealthy lightweight malicious design modification can be a challenging task due to the lack of a golden reference. In this work, we make a step towards design for assurance by developing a method for identifying and preventing hardware Trojans, employing functional verification tools and languages familiar to hardware designers. We dump synthesized design netlist mapped to a field programmable gate array technology library and perform switching as well as coverage analysis at the granularity of look-up-tables (LUTs) in order to identify specious signals and cells. We automatically extract and formally prove properties related to switching and coverage, which allows us to retrieve Trojan trigger condition. We further provide a solution to preventing Trojan from activation by reconfiguring the confirmed malicious LUTs. Experimental results have demonstrated that our method can detect and mitigate Trust-Hub as well as recently reported don't care Trojans.

Cryptography and Security

Xinming Wei,Jiaxi Zhang,Guojie Luo

DOI: https://doi.org/10.1109/DAC56929.2023.10247697

2023-01-01

Abstract:With the ever-shrinking feature size of transistors, the exorbitant cost has driven the massive outsourcing of integrated circuits (IC) fabrication. However, this outsourcing poses significant security risks because untrustworthy foundries can conduct insidious fabrication-time attacks without close supervision. Therefore, it is crucial to undertake design-time protection before sending finalized design layouts to the foundry. Foundry-level hardware Trojan has emerged as a major security threat, but existing design-time countermeasures lack sufficient consideration of good trade-offs between design security and performance. This work proposes an automatic framework, GDSII-Guard, to strengthen implemented physical layouts against potential fabrication-time Trojan attacks while preserving design performance, power, and quality. We develop an Engineering Change Order (ECO) placement and routing (P&R) flow containing elaborate anti-Trojan operators to prevent Trojan insertion. Moreover, we introduce a multi-objective optimization model with evolutionary strategies that incorporate anti-Trojan flow information to exploit balances between the aforementioned multiple design metrics. Experimental results demonstrate that GDSII-Guard reduces the overall risk of Trojan attacks on given designs by 98.8% with minimized timing, power, and design quality impact, surpassing existing approaches prominently.

Li XU,Xinchun WU,Bin ZHOU,Wenxia YE

DOI: https://doi.org/10.11918/j.issn.0367-6234.201611138

2017-01-01

Abstract:In order to effectively detect whether the chip is inserted into the hardware Trojan circuit during the design and manufacturing process, a method is proposed to increase the transition probability of the circuit nodes by inserting 2-to-1 MUXs in the chip design stage. The main input of the candidate node whose transition probability is lower than the transition probability threshold is inserted into the MUX to improve the transition probability of the relevant nodes, so as to realize acceleration of hardware Trojan detection in the circuit. The optimization of the insertion algorithm is realized by analyzing the fan-out cone and logic topology, and the node with the greatest influence on the transition probability of the whole circuit is selected as the candidate node, thus the number of MUXs insertion is reduced. Meanwhile, the critical path delay limit is increased to avoid the critical path delay of the circuit exceeding the preset threshold. The input terminals of the pre-designed hardware Trojan circuit are inserted into the nodes with small transition probability in the circuit, and the excitation signal is inputted to the input terminals of the circuit to analyze the change of the circuit ' s transition probability and the activation probability of the hardware Trojan circuit before and after the MUX insertion. The experimental results of the ISCAS'89 reference circuit show that the number of nodes whose transition probability is less than the transition probability threshold in the circuit is significantly lower; the probability of the inserted hardware Trojan being activated is significantly improved; the increased percentage of circuit critical path delay is controlled within a preset scale factor.

Jiatong Tan,Jianhua Feng,Yinxuan Lyu

DOI: https://doi.org/10.1109/edssc.2019.8754248

2019-01-01

Abstract:The design methods and the detection methods for Hardware Trojan develop rapidly. Existing trustiness verification methods are effective to obviously malicious HT but no effect on Stealthy Trojan. Stealthy Trojan is an advanced attack form and hard to be detected. In this paper, we analyze the characteristic of stealthy Trojan and propose a static detection method based on feature analysis. The results on ISCAS benchmarks show that the proposed method can detect the Stealthy Trojan node and is convenient to be implanted into other scalable verification framework.

Tianliang Xu,Chenxu Wang,Shiyao Zhao,Zhiquan Zhou,Min Luo,Xinsheng Wang

DOI: https://doi.org/10.1109/PACRIM47961.2019.8985088

2019-01-01

Abstract:A hardware Trojan is defined as a malicious, undesired modification hidden in an electronic circuit. Since the logic test has the advantage of being free of process fluctuations and test noise, a logic test is used to test whether the circuit under test contains a hardware Trojan. This paper optimizes N-detect ATPG detection scheme to generate optimized test vectors for logic testing. The simulation results on s5378 and s38417 benchmarks demonstrate that, compared with traditional logic test technique, the test vectors generated by this paper are able to successfully increase activation probability of a hardware Trojan and detect abnormal outputs.

Thilo Krachenfels,Jean-Pierre Seifert,Shahin Tajik

DOI: https://doi.org/10.48550/arXiv.2107.10147

2023-02-02

Abstract:The threat of hardware Trojans (HTs) and their detection is a widely studied field. While the effort for inserting a Trojan into an application-specific integrated circuit (ASIC) can be considered relatively high, especially when trusting the chip manufacturer, programmable hardware is vulnerable to Trojan insertion even after the product has been shipped or during usage. At the same time, detecting dormant HTs with small or zero-overhead triggers and payloads on these platforms is still a challenging task, as the Trojan might not get activated during the chip verification using logical testing or physical measurements. In this work, we present a novel Trojan detection approach based on a technique known from integrated circuit (IC) failure analysis, capable of detecting virtually all classes of dormant Trojans. Using laser logic state imaging (LLSI), we show how supply voltage modulations can awaken inactive Trojans, making them detectable using laser voltage imaging techniques. Therefore, our technique does not require triggering the Trojan. To support our claims, we present three case studies on 28 and 20 SRAM- and flash-based field-programmable gate arrays (FPGAs). We demonstrate how to detect with high confidence small changes in sequential and combinatorial logic as well as in the routing configuration of FPGAs in a non-invasive manner. Finally, we discuss the practical applicability of our approach on dormant analog Trojans in ASICs.

Cryptography and Security