Showing papers on "Hardware Trojan published in 2016"

Hardware Trojans: Lessons Learned after One Decade of Research

Abstract: Given the increasing complexity of modern electronics and the cost of fabrication, entities from around the globe have become more heavily involved in all phases of the electronics supply chain. In this environment, hardware Trojans (i.e., malicious modifications or inclusions made by untrusted third parties) pose major security concerns, especially for those integrated circuits (ICs) and systems used in critical applications and cyber infrastructure. While hardware Trojans have been explored significantly in academia over the last decade, there remains room for improvement. In this article, we examine the research on hardware Trojans from the last decade and attempt to capture the lessons learned. A comprehensive adversarial model taxonomy is introduced and used to examine the current state of the art. Then the past countermeasures and publication trends are categorized based on the adversarial model and topic. Through this analysis, we identify what has been covered and the important problems that are underinvestigated. We also identify the most critical lessons for those new to the field and suggest a roadmap for future hardware Trojan research.

On Reverse Engineering-Based Hardware Trojan Detection

Abstract: Due to design and fabrication outsourcing to foundries, the problem of malicious modifications to integrated circuits (ICs), also known as hardware Trojans (HTs), has attracted attention in academia as well as industry. To reduce the risks associated with Trojans, researchers have proposed different approaches to detect them. Among these approaches, test-time detection approaches have drawn the greatest attention. Many test-time approaches assume the existence of a Trojan-free (TF) chip/model also known as “golden model.” Prior works suggest using reverse engineering (RE) to identify such TF ICs for the golden model. However, they did not state how to do this efficiently. In fact, RE is a very costly process which consumes lots of time and intensive manual effort. It is also very error prone. In this paper, we propose an innovative and robust RE scheme to identify the TF ICs. We reformulate the Trojan-detection problem as clustering problem. We then adapt a widely used machine learning method, ${K}$ -means clustering, to solve our problem. Simulation results using state-of-the-art tools on several publicly available circuits show that the proposed approach can detect HTs with high accuracy rate. A comparison of this approach with our previously proposed approach [1] is also conducted. Both the limitations and application scenarios of the two methods are discussed in detail.

Hardware Trojans classification for gate-level netlists based on machine learning

Abstract: Recently, we face a serious risk that malicious third-party vendors can very easily insert hardware Trojans into their IC products but it is very difficult to analyze huge and complex ICs. In this paper, we propose a hardware-Trojan classification method to identify hardware-Trojan infected nets (or Trojan nets) using a support vector machine (SVM). Firstly, we extract the five hardware-Trojan features in each net in a netlist. Secondly, since we cannot effectively give the simple and fixed threshold values to them to detect hardware Trojans, we represent them to be a five-dimensional vector and learn them by using SVM. Finally, we can successfully classify a set of all the nets in an unknown netlist into Trojan ones and normal ones based on the learned SVM classifier. We have applied our SVM-based hardware-Trojan classification method to Trust-HUB benchmarks and the results demonstrate that our method can much increase the true positive rate compared to the existing state-of-the-art results in most of the cases. In some cases, our method can achieve the true positive rate of 100%, which shows that all the Trojan nets in a netlist are completely detected by our method.

AVFSM: a framework for identifying and mitigating vulnerabilities in FSMs

Abstract: A finite state machine (FSM) is responsible for controlling the overall functionality of most digital systems and, therefore, the security of the whole system can be compromised if there are vulnerabilities in the FSM. These vulnerabilities can be created by improper designs or by the synthesis tool which introduces additional don't-care states and transitions during the optimization and synthesis process. An attacker can utilize these vulnerabilities to perform fault injection attacks or insert malicious hardware modifications (Trojan) to gain unauthorized access to some specific states. To our knowledge, no systematic approaches have been proposed to analyze these vulnerabilities in FSM. In this paper, we develop a framework named Analyzing Vulnerabilities in FSM (AVFSM) which extracts the state transition graph (including the don't-care states and transitions) from a gate-level netlist using a novel Automatic Test Pattern Generation (ATPG) based approach and quantifies the vulnerabilities of the design to fault injection and hardware Trojan insertion. We demonstrate the applicability of the AVFSM framework by analyzing the vulnerabilities in the FSM of AES and RSA encryption module. We also propose a low-cost mitigation technique to make FSM more secure against these attacks.

MERS: Statistical Test Generation for Side-Channel Analysis based Trojan Detection

Abstract: Hardware Trojan detection has emerged as a critical challenge to ensure security and trustworthiness of integrated circuits. A vast majority of research efforts in this area has utilized side-channel analysis for Trojan detection. Functional test generation for logic testing is a promising alternative but it may not be helpful if a Trojan cannot be fully activated or the Trojan effect cannot be propagated to the observable outputs. Side-channel analysis, on the other hand, can achieve significantly higher detection coverage for Trojans of all types/sizes, since it does not require activation/propagation of an unknown Trojan. However, they have often limited effectiveness due to poor detection sensitivity under large process variations and small Trojan footprint in side-channel signature. In this paper, we address this critical problem through a novel side-channel-aware test generation approach, based on a concept of Multiple Excitation of Rare Switching (MERS), that can significantly increase Trojan detection sensitivity. The paper makes several important contributions: i) it presents in detail the statistical test generation method, which can generate high-quality testset for creating high relative activity in arbitrary Trojan instances; ii) it analyzes the effectiveness of generated testset in terms of Trojan coverage; and iii) it describes two judicious reordering methods can further tune the testset and greatly improve the side channel sensitivity. Simulation results demonstrate that the tests generated by MERS can significantly increase the Trojans sensitivity, thereby making Trojan detection effective using side-channel analysis.

TPAD: Hardware Trojan Prevention and Detection for Trusted Integrated Circuits

Abstract: There are increasing concerns about possible malicious modifications of integrated circuits (ICs) used in critical applications. Such attacks are often referred to as hardware Trojans. While many techniques focus on hardware Trojan detection during IC testing, it is still possible for attacks to go undetected. Using a combination of new design techniques and new memory technologies, we present a new approach that detects a wide variety of hardware Trojans during IC testing and also during system operation in the field. Our approach can also prevent a wide variety of attacks during synthesis, place-and-route, and fabrication of ICs. It can be applied to any digital system, and can be tuned for both traditional and split-manufacturing methods. We demonstrate its applicability for both application-specified integrated circuits and field-programmable gate arrays. Using fabricated test chips with Trojan emulation capabilities and also using simulations, we demonstrate: 1) the area and power costs of our approach can range between 7.4%–165% and 7%–60%, respectively, depending on the design and the attacks targeted; 2) the speed impact can be minimal (close to 0%); 3) our approach can detect 99.998% of Trojans (emulated using test chips) that do not require detailed knowledge of the design being attacked; 4) our approach can prevent 99.98% of specific attacks (simulated) that utilize detailed knowledge of the design being attacked (e.g., through reverse engineering); and 5) our approach never produces any false positives, i.e., it does not report attacks when the IC operates correctly.

SVM-based real-time hardware Trojan detection for many-core platform

Abstract: Hardware Trojans inserted during design or fabrication time by untrustworthy design house or foundry possesses important security concerns. These Trojans lead to un-desired change in functionality of the design and provide easy access to sensitive information. Trojans attacks or malicious activities are triggered based on very rare conditions, which can evade test-time Trojan detection but can arise during long hours of field operation. In this paper we propose a run-time Trojan detection architecture for a custom many-core based on Machine Learning technique. We exploit Support Vector Machine (SVM) supervised machine learning algorithms. The Data-set is generated based on many-core router behavior under normal and Trojan triggered settings. The paper targets different communication attacks triggered by Hardware Trojans, namely core address spoofing, traffic diversion, route looping attack. Support Vector Machine (SVM) algorithm has detection accuracy in the range of 94% to 97%.We implemented a framework for many-core architecture with SVM kernel while triggering Trojans based on two different conditions. To demonstrate the performance of proposed security framework, we implement a bio-medical seizure detection application as a case study. The algorithm is mapped on 64 processing cores and it takes 2.1µS to execute whereas with the proposed security framework it requires 4.8µS execution time. The Distributed Attack Detection Framework is implemented with each attack detection module having 2% area overhead.

Hardware security assurance in emerging IoT applications

Abstract: The Internet of Things (IoT) offers a more advanced service than a single device or an isolated system, as IoT connects diverse components, such as sensors, actuators, and embedded devices through the internet. As predicted by Cisco, there will be 50 billion IoT connected devices by 2020. Integration of such a tremendous number of devices into IoT potentially brings in a new concern, system security. In this work, we review two typical hardware attacks that can harm the emerging IoT applications. As IoT devices typically have limited computation power and need to be energy efficient, sophisticated cryptographic algorithms and authentication protocols are not suitable for every IoT device. To simultaneously thwart hardware Trojan and side-channel analysis attacks, we propose a low-cost dynamic permutation method for IoT devices. Experimental results show that the proposed method achieves 5.8X higher accumulated partial guessing entropy than the baseline, thus strengthening the IoT processing unit against hardware attacks.

Design and Validation for FPGA Trust under Hardware Trojan Attacks

Abstract: Field programmable gate arrays (FPGAs) are being increasingly used in a wide range of critical applications, including industrial, automotive, medical, and military systems. Since FPGA vendors are typically fabless, it is more economical to outsource device production to off-shore facilities. This introduces many opportunities for the insertion of malicious alterations of FPGA devices in the foundry, referred to as hardware Trojan attacks, that can cause logical and physical malfunctions during field operation. The vulnerability of these devices to hardware attacks raises serious security concerns regarding hardware and design assurance. In this paper, we present a taxonomy of FPGA-specific hardware Trojan attacks based on activation and payload characteristics along with Trojan models that can be inserted by an attacker. We also present an efficient Trojan detection method for FPGA based on a combined approach of logic-testing and side-channel analysis. Finally, we propose a novel design approach, referred to as Adapted Triple Modular Redundancy (ATMR), to reliably protect against Trojan circuits of varying forms in FPGA devices. We compare ATMR with the conventional TMR approach. The results demonstrate the advantages of ATMR over TMR with respect to power overhead, while maintaining the same or higher level of security and performances as TMR. Further improvement in overhead associated with ATMR is achieved by exploiting reconfiguration and time-sharing of resources.

Mitigation of Denial of Service Attack with Hardware Trojans in NoC Architectures

Abstract: As Multiprocessor System-on-Chips (MPSoCs) continue to scale, security for Network-on-Chips (NoCs) is a growing concern as rogue agents threaten to infringe on the hardware's trust and maliciously implant Hardware Trojans (HTs) to undermine their reliability. The trustworthiness of MPSoCs will rely on our ability to detect Denial-of-Service (DoS) threats posed by the HTs and mitigate HTs in a compromised NoC to permit graceful network degradation. In this paper, we propose a new light-weight target-activated sequential payload (TASP) HT model that performs packet inspection and injects faults to create a new type of DoS attack. Faults injected are used to trigger a response from error correction code (ECC) schemes and cause repeated retransmission to starve network resources and create deadlocks capable of rendering single-application to full chip failures. To circumvent the threat of HTs, we propose a heuristic threat detection model to classify faults and discover HTs within compromised links. To prevent further disruption, we propose several switch-to-switch link obfuscation methods to avoid triggering of HTs in an effort to continue using links instead of rerouting packets with minimal overhead (1-3 cycles). Our proposed modifications complement existing fault detection and obfuscation methods and only adds 2% in area overhead and 6% in excess power consumption in the NoC micro-architecture.

Cost-efficient Acceleration of Hardware Trojan Detection Through Fan-Out Cone Analysis and Weighted Random Pattern Technique

Abstract: Fabless semiconductor industry and government agencies have raised serious concerns about tampering with inserting hardware Trojans (HTs) in an integrated circuit supply chain in recent years. In this paper, a low hardware overhead acceleration method of the detection of HTs based on the insertion of 2-to-1 MUXs as test points is proposed. In the proposed method, the fact that one logical gate has a significant impact on the transition probability of the logical gates in its logical fan-out cone is utilized to optimize the number of the inserted MUXs. The nets which have smaller transition probability than the user-specified threshold and minimal logical depth from the primary inputs are selected as the candidate nets. As for each candidate net, only its input net with smallest signal probability is required to be inserted the MUXs-based test points. The procedure repeats until the minimal transition probability of the entire circuit is not smaller than the threshold value. In order to further optimize the number of required insertions and reduce the overhead, the weighted random pattern technique is also applied. Experiment results on ISCAS’89 benchmark circuits show that our proposed method can achieve remarkable improvement of transition probability with on average 9.50% power, 2.37% delay, and 10.26% area penalty.

A Design Methodology for Stealthy Parametric Trojans and Its Application to Bug Attacks

Abstract: Over the last decade, hardware Trojans have gained increasing attention in academia, industry and by government agencies. In order to design reliable countermeasures, it is crucial to understand how hardware Trojans can be built in practice. This is an area that has received relatively scant treatment in the literature. In this contribution, we examine how particularly stealthy Trojans can be introduced to a given target circuit. The Trojans are triggered by violating the delays of very rare combinational logic paths. These are parametric Trojans, i.e., they do not require any additional logic and are purely based on subtle manipulations on the sub-transistor level to modify the parameters of the transistors. The Trojan insertion is based on a two-phase approach. In the first phase, a SAT-based algorithm identifies rarely sensitized paths in a combinational circuit. In the second phase, a genetic algorithm smartly distributes delays for each gate to minimize the number of faults caused by random vectors.

Vulnerability Analysis of a Circuit Layout to Hardware Trojan Insertion

Abstract: While the horizontal integrated circuit design process is extensively practiced, untrusted foundries can impose significant threats on the security of final products. A carefully inserted extra circuitry as a hardware trojan in a circuit layout can interfere with circuit functionality under very rare circumstances with inconsiderable footprints. In this paper, we introduce a novel layout-level vulnerability analysis flow to evaluate the susceptibility of a circuit layout’s regions to hardware Trojan insertion. We also present several metrics based on a circuit layout to quantify the possibility of hardware Trojan insertion in a specific region of layout. Results of applying our flow to several benchmarks have revealed considerably high vulnerability of circuit layouts to hardware Trojan insertion. Furthermore, several Trojans are implemented and inserted in layout regions with different vulnerabilities to evaluate the effectiveness of our new metrics. Our novel layout-level vulnerability analysis flow makes it possible to quantitatively determine the vulnerability of different implementations of a circuit and analyze the susceptibility of each corner of circuit layout to different types of functional Trojans.

A side channel based power analysis technique for hardware trojan detection using statistical learning approach

Abstract: Hardware Trojan (HT) is an intentional and the undesired modification of the integrated circuit (IC) and major security issue for the semiconductor industry. HT alters the normal working of IC, can leak the secret information or may damage the IC permanently. Due to the small size of the devices on IC, detection of trojan is very difficult by normal testing methods. In this paper, a side channel based trojan detection technique using power analysis is used to detect the trojan infected IC. Here a trust-hub test bench circuit is used to validate trojan detection technique in which the Trojan is inserted on AES-128 bit crypto core. The trojan detection is improved by analyzing the power of IC without trojan (Golden model) and IC with trojan (Trojan model) and by comparing the mean of power traces of both the IC. Statistical data analysis is performed and statistical parameters of power are calculated which are then used as feature vectors. These feature vectors are reduced by using Principal Component Analysis (PCA) algorithm and then classified using Linear Discriminant Analysis (LDA) which discriminates between the Golden and Trojan model and detects the trojan infected IC from the IC under test with 100% accuracy.

On detecting delay anomalies introduced by hardware trojans

Abstract: A hardware Trojan (HT) detection method is presented that is based on measuring and detecting small systematic changes in path delays introduced by capacitive loading effects or series inserted gates of HTs. The path delays are measured using a high resolution on-chip embedded test structure called a time-to-digital converter (TDC) that provides approx. 25 ps of timing resolution. A calibration method for the TDC as well as a chip-averaging technique are demonstrated to nearly eliminate chip-to-chip and within-die process variation effects on the measured path delays across chips. This approach significantly improves the correlation between Trojan-free chips and a simulation-based golden model. Path delay tests are applied to multiple copies of a 90nm custom ASIC chip having two copies of an AES macro. The AES macros are exact replicas except for the insertion of several additional gates in the second hardware copy, which are designed to model HTs. Simple statistical detection methods are used to isolate and detect systematic changes introduced by these additional gates. We present hardware results which demonstrate that our proposed chip-averaging and calibration techniques in combination with a single nominal simulation model can be used to detect small delay anomalies introduced by the inserted gates of hardware Trojans.

A self-learning framework to detect the intruded integrated circuits

Abstract: Globalization trends in integrated circuit (IC) design using deep submicron (DSM) technologies are leading to increased vulnerability of ICs against malicious intrusions. These malicious intrusions are referred as hardware Trojans. One way to address this threat is to utilize unique electrical signatures of ICs. However, this technique requires analyzing extensive sensor data to detect the intruded integrated circuits. In order to overcome this limitation, we propose to combine the signature extraction mechanism with machine learning algorithms to develop a self-learning framework that can detect the intruded integrated circuits. The proposed approach applies the lazy, eager or probabilistic learners to generate self-learning prediction model based on the electrical signatures. In order to validate this framework, we applied it on a recently proposed signature based hardware Trojan detection technique. The cross validation comparison of these learner shows that eager learners are able to detect the intrusion with 96% accuracy and also require less amount of memory and processing power compared to other machine learning techniques.

A Game-Theoretic Approach for Testing for Hardware Trojans

Abstract: The microcircuit industry is witnessing a massive outsourcing of the fabrication of ICs (Integrated Circuit), as well as the use of third party IP (Intellectual Property) and COTS (Commercial Off-The-Shelf) tools during IC design. These issues raise new security challenges and threats. In particular, it brings up multiple opportunities for the insertion of malicious logic, commonly referred to as a hardware Trojan, in the IC. Testing is typically used along the IC development lifecycle to verify the functional correctness of a given chip. However, the complexity of modern ICs, together with resource and time limitations, makes exhaustive testing commonly unfeasible. In this paper, we propose a game-theoretic approach for testing digital circuits that takes into account the decision-making process of intelligent attackers responsible for the infection of ICs with hardware Trojans. Testing for hardware Trojans is modeled as a zero-sum game between malicious manufacturers or designers (i.e., the attacker) who want to insert Trojans, and testers (i.e., the defender) whose goal is to detect the Trojans. The game results in multiple possible mixed strategy Nash equilibria that allow to identify optimum test sets that increase the probability of detecting and defeating hardware Trojans in digital logic. Results also show that the minimum number of Trojan classes tested by the defender and the fines imposed to the attacker can deter rational as well as irrational attackers from infecting circuits with Trojans.

SeMIA: Self-Similarity-Based IC Integrity Analysis

Abstract: Counterfeit chips in the supply chain as well as hardware Trojan (HT) attacks pose serious threats to the semiconductor industry. If undetected before deployment, they can lead to serious consequences including system performance/reliability issues during field operation and potential revenue/reputation loss for a trusted manufacturer. Currently, no unified detection method is available that can simultaneously address these integrity violations in integrated circuits (ICs). In addition, most existing detection approaches require a set of golden chips as a reference, which significantly increases the test cost and complexity. Furthermore, in some scenarios, it may be extremely difficult to obtain golden chips. In this paper, we present a novel unified IC integrity analysis approach that can effectively detect both recycled counterfeit ICs (the most dominant form of counterfeiting) as well as Trojan attacks in ICs without the need of golden chips. The proposed approach, referred to as self-similarity-based microchip integrity analysis (SeMIA), exploits intrinsic structural self-similarity in a design (e.g., multiple cores, multiple functional units of the same type, different parts of an adder) to isolate recycled chips and HT attacks under large inter- and intra-die process variations. It compares dynamic current ( ${I} _{\text {DDT}}$ ) signatures between two adjacent similar circuit structures using an appropriate isolation metric to detect such attacks with high degree of confidence. SeMIA does not rely on any embedded structure for authentication, thus it comes at virtually zero hardware overhead and can be applied to chips already produced. Through extensive simulations, we show that for 15% inter- and 10% intra-die variations in threshold voltage for a 45 nm CMOS process, over 98% of recycled chips can be reliably identified. Finally, experimental measurements on field programmable gate array chips demonstrate effectiveness of SeMIA for protection against both attacks.

Secure Model Checkers for Network-on-Chip (NoC) Architectures

Abstract: As chip multiprocessors (CMPs) are becoming more susceptible to process variation, crosstalk, and hard and soft errors, emerging threats from rogue employees in a compromised foundry are creating new vulnerabilities that could undermine the integrity of our chips with malicious alterations. As the Network-on-Chip (NoC) is a focal point of sensitive data transfer and critical device coordination, there is an urgent demand for secure and reliable communication. In this paper we propose Secure Model Checkers (SMCs), a real-time solution for control logic verification and functional correctness in the micro-architecture to detect Hardware Trojan (HT) induced denial-of-service attacks and improve reliability. In our evaluation, we show that SMCs provides significant security enhancements in real-time with only 1.5% power and 1.1% area overhead penalty in the micro-architecture.

An enhanced classification-based golden chips-free hardware Trojan detection technique

Abstract: Recently, integrated circuits (ICs) are becoming increasing vulnerable to hardware Trojans. Most of existing works require golden chips to provide references for hardware Trojan detection. However, obtaining a golden chip is extremely difficult or even not exists. This paper presents a novel automated hardware Trojan detection technique based on enhanced two-class classification while eliminating the need of golden chips after fabrication. We formulate the Trojan detection problem into a classification problem, and train the algorithms using simulated ICs during IC design flow. The algorithm will form a classifier which can automatically identify Trojan-free and Trojan-inserted ICs during test-time. Moreover, we propose several optional optimized methods to enhance the technique: 1) we propose adaptive iterative optimization of one algorithm by focusing on errors, in which the weight-adjusting are based on how successful the algorithm was in the previous iteration; 2) we analyze the misclassified ICs' numbers of certain algorithms and present the matched algorithm-pairs; 3) we alter the algorithms to take into account of the costs of making different detection decisions, called cost-sensitive detection; 4) we present the suitable algorithm settings against high level of process variations. Experiment results on benchmark circuits show that the proposed technique can detect both known Trojans and various unknown Trojans with high accuracy and recall (90%∼100%). Since we didn't add any extra circuit to the design, there is no overhead of this approach.

Trust games: How game theory can guide the development of hardware Trojan detection methods

Abstract: The development of circuit testing and verification methods is commonly driven by formal analysis centered on an abstract mathematical model of the error or defect the method is designed to detect. Hardware Trojans, however, confound attempts to develop simple representative models due to the varieties of their physical embodiments in a circuit and the creative nature of a rational human adversary. Since it is nonetheless desirable to have a mathematical framework for determining the effectiveness of hardware Trojan detection methods, we present a game theoretic framework for so doing. Modeling the Trojan maker and detection method designer as opposing players in a 2-person strategic game is a necessary step in our process. However, the ultimate utility of the approach depends on an accurate security economic model of both players that can correctly consider the players' incentives, empirically-derived detection method efficacy metrics, a comprehensive taxonomy of hardware Trojans, and the places in the design cycle of the circuit where the Trojan insertion and detection occur. In this paper, we present such a security economic model and the resulting game, which we call the Trust Game. We illustrate the value of this game primarily in the context of how it may guide the development of new hardware Trojan detection methods. We solve a representative game, illustrating the value of two common solution concepts, the iterated elimination of dominated strategies and Nash equilibrium. We further show that this framework has utility to both of the opposing players in the game. Finally, we recommend the development of standardized Trust Games that can be used to quickly measure the efficacy of both new hardware Trojans and hardware Trojan detection methods.

Private Circuits III: Hardware Trojan-Resilience via Testing Amplification

Abstract: Security against hardware trojans is currently becoming an essential ingredient to ensure trust in information systems. A variety of solutions have been introduced to reach this goal, ranging from reactive (i.e., detection-based) to preventive (i.e., trying to make the insertion of a trojan more difficult for the adversary). In this paper, we show how testing (which is a typical detection tool) can be used to state concrete security guarantees for preventive approaches to trojan-resilience. For this purpose, we build on and formalize two important previous works which introduced ``input scrambling" and ``split manufacturing" as countermeasures to hardware trojans. Using these ingredients, we present a generic compiler that can transform any circuit into a trojan-resilient one, for which we can state quantitative security guarantees on the number of correct executions of the circuit thanks to a new tool denoted as ``testing amplification". Compared to previous works, our threat model covers an extended range of hardware trojans while we stick with the goal of minimizing the number of honest elements in our transformed circuits. Since transformed circuits essentially correspond to redundant multiparty computations of the target functionality, they also allow reasonably efficient implementations, which can be further optimized if specialized to certain cryptographic primitives and security goals.

Efficient triggering of Trojan hardware logic

Abstract: The detection of malicious hardware logic (hardware Trojan) requires test patterns that succeed in exciting the malicious logic part. Testing of all possible input patterns is often prohibitively expensive. As an alternative, we explored previously the applicability of the combinatorial testing principles. In this paper, we turn our focus on the efficiency of this approach for triggering the hidden malicious logic. We present a series of experiments with Trojan designs of various activation patterns and lengths that target a cryptographic module performing AES cryptography. Our findings indicate that the available test suites succeed in triggering the malicious logic in all cases requiring only a very small number of test vectors. Thus, it is an efficient means for detecting malicious hardware logic.

A New Characterization of Hardware Trojans

Abstract: This paper examines hardware trojan threats to semiconductor chips, which is particularly important for chips intended for vital infrastructure and critical applications. The phases of the chip production life-cycle are considered in terms of the opportunities for trojan insertion. Trojans are examined based on eight attribute categories. A matrix identifying the relationships between these attributes is defined. This matrix is used to characterize hardware trojans from both the attacker and defender perspectives. Two case studies are given to illustrate the usefulness of the proposed approach.

Hardware Trust through Layout Filling: A Hardware Trojan Prevention Technique

Abstract: The insertion of malicious alterations to a circuit, referred to as Hardware Trojans, is a threat considered more and more seriously during the last years. Numerous methods have been proposed in the literature to detect the presence of such alterations. More recently, Design-for-Hardware-Trust (DfHT) methods have been proposed, that enhance the design of the circuit in order to incorporate features that can either prevent the insertion of a HT or that can help detection methods. This paper focuses on a HT prevention technique that aims at creating a layout without filler cells, which are assumed to provide a great opportunity for HT insertion, in order to make the insertion of a HT in a layout as difficult as possible.

Automatic Feature Selection of Hardware Layout: A Step toward Robust Hardware Trojan Detection

Abstract: Recently, the problem of hardware Trojan detection has gained a tangible significance in academia and industry. That problem, by its nature, is complex, time consuming and error prone due to design and fabrication outsourcing of hardware circuits to external untrusted foundries. Researchers have proposed different approaches, either destructive or non-destructive, to overcome that problem. The destructive approach depends on reverse engineering via decapsulation, delayering and layout identification. This paper presents a first trial of a new approach that can afford an automatic and robust solution for the step of layout identification. The proposed technique takes the underlying digital circuit as input, and automatically determines its basic features using Haar feature extractor. Based on that features, a decision tree is trained to act as a weak classifier, which is later boosted, by making use of AdaBoost learning algorithm, to produce a strong classifier in a chain of cascaded classifiers. Accordingly, a classification model is built up to provide an automatic hardware Trojan location and detection tool. To evaluate the proposed model, ISCAS89 benchmark dataset was used for training and testing. The hardware dataset has been altered deliberately to show different Trojan examples ---namely, Trojan insertion, Trojan deletion and Trojan parametric- inside hardware circuits. By investigating the underlying experimental results, the capabilities of the proposed model are evaluated, and the evaluation shows that the approach can detect different hardware Trojan types in different circuit layouts, with high accuracy rate. The proposed approach is not only automatic, but also robust and promising.

Translating circuit behavior manifestations of hardware Trojans using model checkers into run-time Trojan detection monitors

Abstract: It is a consensus among the researchers, although not proven, that it is close to impossible to guarantee completely secure hardware design. Therefore, it is desired to have run-time hardware Trojan detection techniques. This paper is toward developing a framework of how to achieve run-time hardware Trojan detection units. Although it is difficult to predict the stage of circuit design at which hardware intruder would insert Trojan as well as the hardware Trojan detection methodology that should be applied, behavior patterns of certain design units in the hardware can indicate malicious activities in the design. We propose to translate such behavior patterns using formal verification approaches to establish run-time hardware Trojan detection technique leading which can improve the resiliency of hardware designs against hardware Trojan. We examine the possibility of malicious intrusions in both combinational and sequential circuits that may result in functional incorrectness, and applied our methodology in two example circuits.

Making split-fabrication more secure

Abstract: Today many design houses must outsource their design fabrication to a third party which is often an overseas foundry. Split-fabrication is proposed for combining the FEOL capabilities of an advanced but untrusted foundry with the BEOL capabilities of a trusted foundry. Hardware security in this business model relates directly to the front-end foundry's ability to interpret the partial circuit design it receives in order to reverse engineer or insert malicious circuits. The published experimental results indicate that a relatively large percentage of the split nets can be correctly guessed and there is no easy way of detecting the possibly inserted Trojans. In this paper, we propose a secure split-fabrication design methodology for the Vertical Slit Field Effect Transistor (VeSFET) based integrated circuits. We take advantage of the VeSFET's unique and powerful two-side accessibility and monolithic 3D integration capability. In our approach the design is manufactured by two independent foundries, both of which can be untrusted. We propose the design partition and piracy prevention, hardware Trojan insertion prevention, and Trojan detection methods. In the 3D designs, some transistors are physically hidden from the front-end foundry_1's view, which causes that it is impossible for this foundry to reconstruct the circuit. We designed 10 MCNC benchmark circuits using the proposed flow and executed an attack by an in-house developed proximity attacker. With 5% nets manufactured by the back-end foundry_2, the average percentage of the correctly reconstructed partitioned nets is less than 1%.

Supervised and unsupervised machine learning for side-channel based Trojan detection

Abstract: Hardware Trojan (HT) has recently drawn much attention in both industry and academia due to the global outsourcing trend in semiconductor manufacturing, where a malicious logic can be inserted into the security critical ICs at almost any stages. HT severity mainly stems from its low-cost and stealthy nature where the HT only functions at a strict condition to purposely alter the logic or physical behavior for leaking secrets. This fact makes HT detection very challenging in practice. In this paper, we propose a novel HT detection technique based on machine learning approach. The described solution is constructed over one-class SVM and is shown to be more robust compared to the template based detection techniques. An unsupervised approach is also applied in our solution for mitigating the golden model dependencies. To evaluate the solution, a practical HT design was inserted into an AES coprocessor implemented in a Xilinx FPGA. Based on the partial reconfiguration, the HT size can be dynamically changed without altering cipher part, which helps to precisely evaluate the HT influence. The experimental results have shown that our proposed detection technique achieve a high performance accuracy.