
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/310514968

Hardware Trojan Model For Attack And Detection Techniques

Article · March 2014

CITATIONS: 6 · READS: 684

4 authors, including: Ahmed Aliyu (Bauchi State University; 38 publications, 429 citations) and Abdulaziz Bello (Kano University of Science & Technology; 9 publications, 11 citations)

All content following this page was uploaded by Ahmed Aliyu on 20 November 2016.


INTERNATIONAL JOURNAL OF SCIENTIFIC & TECHNOLOGY RESEARCH VOLUME 3, ISSUE 3, MARCH 2014 ISSN 2277-8616

Hardware Trojan Model For Attack And Detection Techniques

Ahmed Aliyu, Abdulaziz Bello, Usman Joda Mohammed, Ibrahim Hussaini Alhassan

Abstract: Today's integrated circuits (ICs) are vulnerable to hardware Trojans, which are malicious alterations to the circuit introduced either during design or during fabrication. Human intervention in the production of hardware resources leaves room for modification of hardware components in pursuit of malicious aims, and such modifications plant loopholes in the component that can be used in a later attack. With attacks that embed Trojan horse programs into chips becoming more popular, attackers are more likely to hide malicious programs in them. Moreover, as the design and manufacturing process of our microelectronic products (ICs) becomes ever more fragmented, we should be concerned not only about the inclusion of unplanned, undesirable hardware features ("bugs") but also about the inclusion of planned malicious hardware features, "Trojan horses", which act as spies or guerrillas. This paper presents a model of the fundamental attacks on, and possible detection techniques for, hardware Trojans. The result of the research is of great significance for education and for further research.

Index Terms: Hardware Trojan, integrated circuits (chips), electronic design, techniques, detection, bugs.
————————————————————

• Ahmed Aliyu and Mohammed Joda Usman are currently pursuing their master's degree program in Computer Science, Liaoning University of Technology, China. E-mail: ahmedaliyu8513@yahoo.com, umjoda@gmail.com
• Abdulaziz Bello and Ibrahim Hussaini Alhassan are currently pursuing their master's degree program in Electrical Electronic Engineering Technology, Liaoning University of Technology, China. E-mail: abdulaziz.bello69@yahoo.com, ihalhssn@yahoo.com

1. Introduction

Worldwide integration in the production of integrated circuits (ICs) has exposed numerous vulnerabilities in chip design and fabrication. Many complex ICs today contain multiple Intellectual Property (IP) blocks produced by third-party vendors. Only a few ICs are developed solely in-house, which lowers the likelihood of securing the circuit as it becomes more complex. Because of this growth in third-party IP, an adversary can compromise the integrity of a design at any point in the supply chain. An IP block could provide satisfactory functionality for its designed specification but also contain malicious logic. Moreover, malicious logic can be embedded into the circuit such that it remains dormant until activated, after which it cannot be forcibly stopped. Hardware threats to the three key aspects of information security, Availability (Denial of Service), Confidentiality (Information Leakage) and Integrity (Data Altering), must be reduced to ensure the trustworthy construction of chips for their required function. This means the chips should perform exactly within the range of their original designed specification (no more and no less). In the past two decades, security research has focused on network and information security and on how to prevent cyber attacks. However, hardware Trojan horses cause a deeper breach: they bypass the upper security layers and threaten entire critical infrastructures such as military infrastructure, financial systems and transportation vehicles. Hardware chips are becoming more vulnerable to malicious activities and alterations during both the design and the manufacturing phases.

In general, hardware Trojans try to bypass or destroy the three major security properties (CIA) of any system by: leaking confidential information and secret keys covertly to the adversary (Confidentiality attack); changing the value of a certain register (Integrity attack); or disabling, deranging or destroying the entire hardware or components of it (Availability attack). Traditional hardware testing strategies cannot effectively detect Trojans because the probability of triggering the hardware Trojan during functional testing is extremely low. In addition, the small size of the Trojan relative to the overall chip reduces its impact on side channels such as static and dynamic power. [1] A hardware Trojan can be a simple modification to the original circuit, as shown in Fig. 1: the adversary inserts a simple two-input AND gate between the original circuit output and a logical one. If the Trojan is inactive, the circuit produces its actual output, while if the Trojan is triggered and becomes active, the second input becomes logical zero, so the circuit produces a "Zero" output regardless of its original input value, as explained in Equations (1) and (2). It is called a SAZ (Stuck-at-Zero) Trojan because the circuit output sticks at "Zero" when the Trojan is activated. [1]

Figure 1: "SAZ" hardware Trojan.

X · 1 = X (1)
X · 0 = 0 (2)

A relatively new threat vector to networks and network endpoints is a HT appearing as a physical peripheral device that is designed to interact with the network endpoint using the approved peripheral device's communication protocol. An example is a USB keyboard that hides all malicious processing cycles from the target network endpoint to which it is attached by communicating with that endpoint over unintended USB channels. Once sensitive data is exfiltrated from the target network endpoint to the HT, the HT can process the data and decide what to do with it: store it in memory for later physical retrieval of the HT, or possibly exfiltrate it to the internet wirelessly or by using the compromised network endpoint as a pivot. [2] [3]

2. An Overview

ARCHITECTURE-LEVEL TROJAN DETECTION

The majority voting technique can be used for protection without the need for a fully trusted chip, as shown in Fig. 2.1. [1] H.A.M. Amin et al. aimed at producing a Trojan-free output from infected IP cores. They used voting techniques on the outputs of an odd number of multi-vendor IP cores, trying to achieve a negligible probability of infected output and to report the infected IP core. Although the use of simple majority voting was suggested in other papers by Waksman and Sethumadhavan [4], it was not thoroughly evaluated using a hardware implementation. H.A.M. Amin et al. also evaluated the protection method based on the probability of Trojan detection, the probability of false positives and the probability of false negatives, and suggested an advanced voting technique that gives a higher voting weight to trusted IP cores; they evaluated both the security properties and the hardware overhead of both voting methods. Hardware overhead here means circuit area, circuit delay and leakage power.

Figure 2.1: Majority Voting Technique.

The hardware chip fabrication process contains two major steps: design (including IP, models, tools and designers) and fabrication (including mask generation and packaging). In an ASIC design process, the IP core blocks and standard cells used by the designer during the design process are considered untrusted; the hardware fabrication step may also be considered untrusted, because an attacker may replace original logic with Trojan logic or inject a Trojan into the chip's silicon mask. The attacker is assumed to alter the design maliciously before or during fabrication, and detecting these alterations is extremely difficult, since detecting a small malicious alteration is extremely hard in today's highly complex IP cores. Nanometer-scale physical inspection is very sophisticated and costly. Trojans are activated under rare conditions, so normal functional testing is not sufficient to detect them. It is mandatory to provide methods that resolve the trust issues among fabrication facilities, designers and end users. Designers need assurance that their designs are not altered, while the fabrication facilities' technology secrets and the third-party IP cores' design properties are preserved. [1] Verbauwhede and Schaumont delved into trust issues at different levels of design abstraction (circuits, software, microarchitecture and protocols). [5] At the most abstract level, the adversary can access the interpreter and perform scan-chain readout, software tampering or a fault attack. It is possible to use side-channel information at the software-architecture level. At the hardware microarchitecture and circuit levels, the attacker records power consumption or electromagnetic energy. Therefore, the authors proposed a systematic countermeasure to protect the root of trust at different design abstractions. Tamper-proof techniques, such as placing security parts into a special casing with light, temperature, tampering or motion sensors, can provide protection at the physical level. Side-channel information such as power consumption should be decoupled from the processed data and from the execution time to provide circuit-level protection. To deal with power fluctuation, different technologies such as full-custom dynamic and differential logic styles should be used. In experiments conducted by the authors, Advanced Encryption Standard implementations employing wave dynamic and differential logic remained secure after 1.5 million power-differential attack measurements, whereas standard CMOS technology disclosed the key after only 2,000 attack measurements. To deal with side-channel attacks at the microarchitecture level, Verbauwhede and Schaumont suggested balancing if-and-else branches so that both use the same amount of time and power during execution. The structures of microprocessors that provide potential sources of side-channel information should be considered seriously. The authors also suggested using secure algorithm techniques, such as key and exponent blinding, to defeat side-channel attacks at lower levels. [6] Suh, Deng and Chan proposed authenticating the hardware by directly checking its implementation details at a low level. [7] The microarchitectural features of a high-end secure microprocessor are complex and unique for each model. A secure processor is authenticated by a checksum response to a challenge within a time limit. The unique checksum is based on the cycle-to-cycle activities of the processor's specific internal microarchitectural mechanisms. Privacy is not breached, because the checksum depends on the processor model as manufactured and not on the specific processor. The authors showed that small differences in the crypto-architecture result in significant deviations in the checksum. Their work relied on the speed advantage of the actual processor over simulations that attempt to impersonate the processor. The time limit on the authentication ensures resilience against simulation models attempting to compute the checksum. [6] Bloom, Narahari and Simha introduced a runtime Trojan activity detection mechanism using a hardware guard circuit and operating-system support. [8] Trojan attacks can be either internally or externally activated, and they can cause denial of service, privilege escalation or leakage of sensitive information. Trojans can be detected by failure analysis and hardware verification, ATPG, or side-channel analysis. Bloom, Narahari and Simha's work concentrated on denial-of-service (DoS) and privilege escalation attacks. [8] They used a hardware guard circuit to perform the testing efficiently, while the operating system generated the checks. Their hardware circuit included a timer, a scratch RAM, a simple processor and an optional content-addressable memory (CAM). Two tests were proposed: liveness checks and memory protection checks. Liveness checks are pseudorandom non-cached memory accesses that prevent simple prediction, delay and replay attacks. Two solutions were provided for memory protection: a naive solution and a solution using a real-time operating system (RTOS). The naive solution periodically schedules a process that continuously tries to read the kernel memory. However, the process is time-consuming.

Figure 2.2: Analyzing Transition Probability in the Original Circuit (A) and After Dummy Scan Flip-Flop Insertion (B). (Source: Salmani et al. [10])

RTOS support is needed to control the timing of the checking process, which is created as a real-time task that runs frequently and consumes less time. The proposed solutions were evaluated on the SPEC 2006 benchmarks. The overhead for using RTOS support is approximately 2.2%. McIntyre et al. used hardware multicore systems, which permit simultaneous execution of the same functionality combined with verification. [9] Multicore systems are inherently redundant. Thus, as trust among the multiple cores is established, distributed software scheduling could be exploited to avoid low-trust cores. The distributed multicore task scheduler determines, over time and in the field, each core's hardware trust level.

POWER-BASED ANALYSIS

Agrawal et al. were the first to use side-channel information to detect Trojan contributions to circuit power consumption [11]. To obtain the power signature of Trojan-free (i.e., genuine) ICs, random patterns are applied and power measurements are performed. The data belonging to each power measurement consists of several elements: the power consumption of the circuit after applying the inputs, which is the same in all Trojan-free ICs; measurement noise, which can be removed by repeated measurements; process variations, which are random and cannot be removed; and Trojan contributions to the measured power consumption. After the patterns are applied, a limited number of ICs are reverse engineered to ensure that they are Trojan-free. Once the reference signature is obtained, the same random patterns are applied to the IC under authentication (IUA). If the IUA's power signature differs from the reference signature, the IUA is considered suspicious, as it might contain a Trojan. Trojans of different sizes under different process variations are detected by applying random patterns and observing the signatures. If the Trojan is comparable in size with the circuit, its impact on the circuit's transient current will be significant and can be measured easily. However, process variations will mask the impact of very small Trojans on circuit power consumption. [6]

3. OUR MODEL ANALYSIS

In a given set of integrated circuits (chips) SIC on a hardware, if there is an implanted hardware Trojan HT, then there exist changes: a change in power, a delay in processing time and an increase in memory size, due to the hardware Trojan's execution and processing in the integrated circuit. The following is deduced:

SIC = {HT : ΔCP ∩ ΔTD ∩ ΔMS / IM} > β, where β > 0,

with ΔCP, ΔTD and ΔMS denoting the changes in power, processing time delay and memory size listed above.

Once the above model holds, there is a tendency that a hardware Trojan exists in the integrated circuits. For Trojan detection using side-channel signal analysis, the signals are, namely: power characteristics, timing (delay) and the memory space occupied by the hardware Trojan. Figures 3.1 and 3.2 are graphs that signify the change in power (current) and the change in time delay due to the presence of the Trojan horse.

Figure 3.1: Current Variation

Figure 3.2: Time Delay Variation

Memory space: once a hardware Trojan exists within the hardware chip, it requires memory (cache) for execution.

1 | 2 | 3 | … | n

Fig 3.3: Memory location

The length of memory is 1…n; after an attack the length increases, which can be written as 1…n+m, where m is the change or increment in memory size (MS), that is, the memory consumption due to the existence of the hardware Trojan. Even though some authors have argued extensively that the amount of memory, current and delay involved is very negligible, a hardware Trojan can still be detected using the parameters stated.

5 CONCLUSIONS

The work in this paper has provided an overview of hardware Trojan horse attacks and detection techniques. These attacks are carried out due to design faults, which may be intentional or unintentional. Through an extensive review of several previous research papers, we have demonstrated that using this model of hardware Trojan horse attacks and detection techniques will increase or improve the sensitivity to, and understanding of, attacks and detection. To improve the sensitivity further, the paper focuses only on the model of attacks and detection techniques. Further work can be done on automation/simulation of the modeled attack and detection system.

6 Acknowledgments

I wish to thank my colleagues for their kind support and encouragement on this paper. My sincere regards also go to the staff of the Faculty of Electrical Electronic Engineering Technology.

REFERENCES

[1] H.A.M. Amin, Y. Alkabani and G.M.I. Selim, "System-level protection and hardware Trojan detection using weighted voting," Cairo University, Journal of Advanced Research, 2013, pp. 1-7.

[2] J. Clark, S. Leblanc and S. Knight, "Compromise through USB-based Hardware Trojan device," Future Generation Computer Systems (2010) (in press), dx.doi.org/10.1016/j.future.2010.04.008.

[3] J. Clark, S. Leblanc and S. Knight, "Hardware Trojan Device Based on Unintended USB Channels," Proc. Third International Conference on Network and System Security (NSS 2009), 2009, pp. 1-8, doi.ieeecomputersociety.org/10.1109/NSS.2009.48.

[4] A. Waksman and S. Sethumadhavan, "Silencing hardware backdoors," Proc. 2011 IEEE Symposium on Security and Privacy (SP '11), IEEE Computer Society, 2011, pp. 49-63.

[5] I. Verbauwhede and P. Schaumont, "Design Methods for Security and Trust," Proc. Design, Automation and Test in Europe Conf. (DATE 07), EDA Consortium, pp. 672-677.

[6] M. Tehranipoor and F. Koushanfar, "A Survey of Hardware Trojan Taxonomy and Detection," IEEE Design & Test of Computers, 2010, pp. 10-25.

[7] G.E. Suh, D. Deng and A. Chan, "Hardware Authentication Leveraging Performance Limits in Detailed Simulations and Emulations," Proc. 46th Design Automation Conf. (DAC 09), ACM Press, 2009, pp. 682-687.

[8] G. Bloom, B. Narahari and R. Simha, "OS Support for Detecting Trojan Circuit Attacks," Proc. IEEE Int'l Workshop Hardware-Oriented Security and Trust (HOST 09), IEEE CS Press, 2009, pp. 100-103.

[9] D. McIntyre et al., "Dynamic Evaluation of Hardware Trust," Proc. IEEE Int'l Workshop Hardware-Oriented Security and Trust (HOST 09), IEEE CS Press, 2009, pp. 108-111.

[10] H. Salmani, M. Tehranipoor and J. Plusquellic, "New Design Strategy for Improving Hardware Trojan Detection and Reducing Trojan Activation Time," Proc. IEEE Workshop Hardware-Oriented Security and Trust (HOST 09), IEEE CS Press, 2009, pp. 66-73.

[11] D. Agrawal et al., "Trojan Detection Using IC Fingerprinting," Proc. IEEE Symp. Security and Privacy (SP 07), IEEE CS Press, 2007, pp. 296-310.

IJSTR©2014
www.ijstr.org
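Worked example added by the editor for the SAZ Trojan of Section 1 and for the remark in Section 2 that Trojans fire under rare conditions, so normal functional testing rarely exposes them. It is not code from the paper: the genuine circuit (a parity function), the trigger (one specific 32-bit value on an internal bus) and the random functional test are constructed assumptions. Equations (1) and (2) appear as the inactive and active paths of the AND gate.

```python
"""Gate-level model of the SAZ (stuck-at-zero) hardware Trojan of Section 1.

Added example, not code from the paper.  The trigger (one specific 32-bit value on
an internal bus) and the parity-style genuine circuit are constructed assumptions;
the paper only states that Trojans fire under rare conditions.
"""
import random
from dataclasses import dataclass


def and_gate(a: int, b: int) -> int:
    """Two-input AND gate on single bits."""
    return a & b


@dataclass
class SazTrojan:
    """Original output AND-ed with a trigger-controlled signal.

    Trojan inactive: the second AND input is logical one, output = X (Eq. 1, X.1 = X).
    Trojan active:   the second AND input is logical zero, output = 0 (Eq. 2, X.0 = 0).
    """
    trigger_width: int   # width of the internal bus the trigger watches
    trigger_value: int   # the single bus value that activates the payload

    def trigger(self, internal_state: int) -> bool:
        """Trigger logic fires only on one specific internal state, hence rarely."""
        mask = (1 << self.trigger_width) - 1
        return (internal_state & mask) == self.trigger_value

    def output(self, original_output: int, internal_state: int) -> int:
        """Trojaned circuit output for a given original output and internal state."""
        control = 0 if self.trigger(internal_state) else 1
        return and_gate(original_output, control)


def original_circuit(inputs: int) -> int:
    """Constructed stand-in for the genuine circuit: parity of the input bits."""
    return bin(inputs).count("1") & 1


def functional_test_trigger_rate(trojan: SazTrojan, n_vectors: int, seed: int = 1) -> float:
    """Apply n_vectors random test vectors (in this model the test vector drives the
    internal bus directly) and return the fraction that activate the Trojan, i.e. the
    chance that a conventional random functional test ever observes the payload."""
    rng = random.Random(seed)
    hits = sum(trojan.trigger(rng.getrandbits(trojan.trigger_width)) for _ in range(n_vectors))
    return hits / n_vectors


if __name__ == "__main__":
    t = SazTrojan(trigger_width=32, trigger_value=0xDEADBEEF)
    print("inactive, X=1 ->", t.output(1, internal_state=0))           # X.1 = X
    print("active,   X=1 ->", t.output(1, internal_state=0xDEADBEEF))  # X.0 = 0
    print("32-bit trigger rate over 200000 random vectors:", functional_test_trigger_rate(t, 200_000))
    # a 4-bit trigger fires on about 1/16 of random vectors; 32 bits on about 1 in 4 billion
    print("4-bit trigger rate:", functional_test_trigger_rate(SazTrojan(4, 0b1010), 200_000))
```

The 4-bit trigger is there only for contrast: shrinking the trigger to a few bits is what makes the payload observable in a random test, which is exactly the property a real Trojan avoids.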
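Worked example added by the editor for the majority voting and weighted voting discussed in Section 2 (ARCHITECTURE-LEVEL TROJAN DETECTION, Amin et al. [1]). It is neither the paper's nor Amin et al.'s code. The fault model (an infected core replaces its 8-bit output with an independent random value whenever its Trojan is active), the activation probabilities and the trust weights are constructed inputs; the three properties it estimates are the ones the passage names: probability of infected output, of false positives and of false negatives.

```python
"""Majority and weighted voting over redundant multi-vendor IP cores (Section 2, Amin et al. [1]).

Added example, not the paper's or Amin et al.'s code.  The fault model (an infected core
corrupts its 8-bit output with an independent random value when its Trojan is active),
the activation probabilities and the trust weights are constructed inputs.
"""
import random
from collections import Counter


def majority_vote(outputs):
    """Simple majority over an odd number of core outputs.
    Returns (voted_value, suspect_cores); voted_value is None when no value reaches
    a strict majority, in which case every core is reported as suspect."""
    if len(outputs) % 2 == 0:
        raise ValueError("use an odd number of cores")
    value, count = Counter(outputs).most_common(1)[0]
    if count <= len(outputs) // 2:
        return None, list(range(len(outputs)))
    return value, [i for i, v in enumerate(outputs) if v != value]


def weighted_vote(outputs, weights):
    """Advanced voting: each core adds its trust weight to its candidate value.
    Ties resolve to the value of the earliest core, so list the most trusted core first."""
    tally = {}
    for v, w in zip(outputs, weights):
        tally[v] = tally.get(v, 0.0) + w
    value = max(tally, key=tally.get)
    return value, [i for i, v in enumerate(outputs) if v != value]


def simulate(n_cores, infected, activation_prob, weights=None, trials=20000, seed=7):
    """Monte-Carlo estimate of the three properties Amin et al. evaluate:
    probability of an infected (wrong) final output, of a false positive (a genuine
    core reported) and of a false negative (an active Trojan core not reported).
    `infected` is the set of core indices that carry a Trojan."""
    rng = random.Random(seed)
    bad_output = false_pos = false_neg = 0
    for _ in range(trials):
        x = rng.getrandbits(8)                   # the correct output this cycle
        outputs, active = [], set()
        for i in range(n_cores):
            v = x
            if i in infected and rng.random() < activation_prob:
                v = x ^ rng.randrange(1, 256)    # Trojan payload: independent corruption
                active.add(i)
            outputs.append(v)
        if weights is None:
            voted, suspects = majority_vote(outputs)
        else:
            voted, suspects = weighted_vote(outputs, weights)
        bad_output += voted != x
        false_pos += any(i not in infected for i in suspects)
        false_neg += any(i not in suspects for i in active)
    return {"p_infected_output": bad_output / trials,
            "p_false_positive": false_pos / trials,
            "p_false_negative": false_neg / trials}


if __name__ == "__main__":
    # one infected core out of three: simple majority masks it on every cycle
    print("1 of 3 infected, majority:", simulate(3, {2}, 0.3))
    # two untrusted cores infected: majority collapses whenever both fire at once,
    # while giving the trusted core 0 a higher weight keeps the output clean
    print("2 of 3 infected, majority:", simulate(3, {1, 2}, 0.5))
    print("2 of 3 infected, weighted:", simulate(3, {1, 2}, 0.5, weights=[0.5, 0.25, 0.25]))
```

The second scenario is the case the weighted scheme is for: with two of three vendors compromised, the two Trojans corrupt independently and no value has a majority, so the simple voter must report all cores (a false positive on the genuine one) and cannot produce a clean output, whereas a trusted core carrying half the weight still wins.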
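Worked example added by the editor for the side-channel fingerprinting flow of POWER-BASED ANALYSIS (Agrawal et al. [11]) and for the three-parameter rule of Section 3 (OUR MODEL ANALYSIS), carried through together because both rest on the same reference-signature machinery. It is not code from the paper. All chip behaviour is simulated: the nominal response, the per-chip process-variation offsets, the measurement noise and the Trojan contributions are constructed numbers, and reading the Section 3 formula as "every one of ΔCP, ΔTD and ΔMS exceeds β" is my interpretation of the intersection.

```python
"""Side-channel fingerprinting (POWER-BASED ANALYSIS, Agrawal et al. [11]) extended to the
three parameters of Section 3's model: power (ΔCP), time delay (ΔTD) and memory size (ΔMS).

Added example, not code from the paper.  Chip behaviour is simulated with constructed
numbers, and the Section 3 rule is read here as 'every deviation exceeds β'.
"""
import random
import statistics

PARAMS = ("power", "delay", "memory")
ZERO = {p: 0.0 for p in PARAMS}

# Five reverse-engineered, known Trojan-free ICs.  Each carries a fixed per-chip offset
# modelling process variation: random from chip to chip, so it cannot be averaged away.
GOLDEN_OFFSETS = [
    {"power": -0.12, "delay": -0.012, "memory": 0.0},
    {"power": -0.05, "delay": -0.004, "memory": 0.0},
    {"power": 0.00, "delay": 0.000, "memory": 0.0},
    {"power": 0.04, "delay": 0.006, "memory": 0.0},
    {"power": 0.11, "delay": 0.010, "memory": 0.0},
]


def nominal_response(pattern):
    """Constructed response of the genuine circuit to one input pattern (same for all genuine ICs)."""
    bits = bin(pattern).count("1")
    return {"power": 10.0 + 0.5 * bits, "delay": 2.0 + 0.05 * bits, "memory": 64.0}


def measure(pattern, offset, trojan, rng):
    """One noisy measurement: nominal + process offset + Trojan contribution + fresh noise."""
    nom = nominal_response(pattern)
    return {p: nom[p] + offset[p] + trojan[p] + rng.gauss(0.0, 0.05) for p in PARAMS}


def signature(offset, trojan, patterns, repeats, rng):
    """Average `repeats` measurements per pattern so that measurement noise cancels out."""
    sig = {}
    for pat in patterns:
        runs = [measure(pat, offset, trojan, rng) for _ in range(repeats)]
        sig[pat] = {p: statistics.fmean(r[p] for r in runs) for p in PARAMS}
    return sig


def build_reference(patterns, repeats, rng):
    """Reference signature: per-pattern mean over the golden ICs plus their spread
    (max - min), which is the process-variation band a genuine IUA may fall into."""
    sigs = [signature(off, ZERO, patterns, repeats, rng) for off in GOLDEN_OFFSETS]
    ref = {}
    for pat in patterns:
        ref[pat] = {}
        for p in PARAMS:
            vals = [s[pat][p] for s in sigs]
            ref[pat][p] = (statistics.fmean(vals), max(vals) - min(vals))
    return ref


def deltas(iua_sig, ref):
    """ΔCP, ΔTD, ΔMS: how far the IUA lies outside the golden band, averaged over patterns."""
    out = {}
    for p in PARAMS:
        excess = []
        for pat, meas in iua_sig.items():
            mean, spread = ref[pat][p]
            excess.append(max(0.0, abs(meas[p] - mean) - spread / 2))
        out[p] = statistics.fmean(excess)
    return out


def trojan_suspected(d, beta):
    """Section 3 rule as interpreted here: flag only when every parameter's excess exceeds β."""
    return all(d[p] > beta for p in PARAMS)


def authenticate(iua_offset, iua_trojan, beta=0.2, seed=3):
    """Full flow: golden reference from random patterns, then the same patterns on the IUA.
    Returns (deltas, flagged)."""
    rng = random.Random(seed)
    patterns = [rng.getrandbits(8) for _ in range(16)]
    ref = build_reference(patterns, repeats=20, rng=rng)
    d = deltas(signature(iua_offset, iua_trojan, patterns, 20, rng), ref)
    return d, trojan_suspected(d, beta)


GENUINE_IUA = {"power": 0.02, "delay": 0.002, "memory": 0.0}   # process offset only
BIG_TROJAN = {"power": 1.0, "delay": 0.5, "memory": 8.0}       # implant comparable to the circuit
TINY_TROJAN = {"power": 0.03, "delay": 0.003, "memory": 0.5}   # hides inside process variation

if __name__ == "__main__":
    for name, trojan in (("genuine", ZERO), ("big Trojan", BIG_TROJAN), ("tiny Trojan", TINY_TROJAN)):
        d, flag = authenticate(GENUINE_IUA, trojan)
        print(f"{name:12s} ΔCP={d['power']:.3f} ΔTD={d['delay']:.3f} ΔMS={d['memory']:.3f} flagged={flag}")
```

Two points from the passages show up in the numbers: repeating each measurement averages the noise away, but the golden band built from the reverse-engineered chips has to absorb process variation, so the tiny Trojan's power and delay contributions vanish inside that band and only its memory footprint stands out, which is the masking effect the POWER-BASED ANALYSIS paragraph describes.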