TCAD Hardware Security Survey
Nanyang Technological University, Singapore.
Hu, Wei; Chang, Chip‑Hong; Sengupta, Anirban; Bhunia, Swarup; Kastner, Ryan; Li, Hai
2020
Hu, W., Chang, C., Sengupta, A., Bhunia, S., Kastner, R. & Li, H. (2020). An overview of hardware security and trust: threats, countermeasures and design tools. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.
https://dx.doi.org/10.1109/TCAD.2020.3047976
https://hdl.handle.net/10356/147019
https://doi.org/10.1109/TCAD.2020.3047976
© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be
obtained for all other uses, in any current or future media, including
reprinting/republishing this material for advertising or promotional purposes, creating new
collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted
component of this work in other works. The published version is available at:
https://doi.org/10.1109/TCAD.2020.3047976
Abstract—Hardware security and trust have become a pressing issue during the last two decades due to the globalization of the semiconductor supply chain and ubiquitous network connection of computing devices. Computing hardware is now an attractive attack surface for launching powerful cross-layer security attacks, allowing attackers to infer secret information, hijack control flow, compromise system root-of-trust, steal intellectual property (IP) and fool machine learners. On the other hand, security practitioners have been making tremendous efforts in developing protection techniques and design tools to detect hardware vulnerabilities and fortify hardware design against various known hardware attacks. This paper presents an overview of hardware security and trust from the perspectives of threats, countermeasures and design tools. By introducing the most recent advances in hardware security research and developments, we aim to motivate hardware designers and electronic design automation tool developers to consider the new challenges and opportunities of incorporating an additional dimension of security into robust hardware design, testing and verification.

Index Terms—Hardware security, security threat, security countermeasures, design tools, survey.

Manuscript received June 13, 2020; revised October 3, 2020; accepted December 15, 2020. This paper was recommended by Associate Editor Y. Makris.
Corresponding author: Chip-Hong Chang. W. Hu and C. H. Chang contribute equally to this article. This research is supported in part by the National Research Foundation, Singapore, under its National Cybersecurity R&D Programme/Cyber-Hardware Forensic & Assurance Evaluation R&D Programme (NCR Award CHFA-GC1-AW01) and the National Natural Science Foundation of China under grant 62074131.
W. Hu is with the School of Cybersecurity, Northwestern Polytechnical University, China. E-mail: weihu@nwpu.edu.cn.
C. H. Chang is with the School of Electrical and Electronic Engineering, Nanyang Technological University, Singapore. E-mail: echchang@ntu.edu.sg.
A. Sengupta is with the Discipline of Computer Science and Engineering at Indian Institute of Technology (IIT) Indore, India. E-mail: asengupt@iiti.ac.in.
S. Bhunia is with the Department of Electrical and Computer Engineering, University of Florida, USA. E-mail: swarup@ece.ufl.edu.
R. Kastner is with the Department of Computer Science and Engineering, University of California San Diego, USA. E-mail: kastner@ucsd.edu.
H. Li is with the Department of Electrical and Computer Engineering, Duke University, USA. E-mail: hai.li@duke.edu.

I. INTRODUCTION

Modern computing hardware devices are usually crafted by vendors with different established levels of trust and at discrete locations. These hardware components, while residing in a mixed-trust computing environment, are often shared among execution contexts of different security levels in a back-to-back manner. In addition, the rich connectivity features of modern computing systems expose critical hardware resources to attackers and open up doors for remote attacks without requiring physical access to the victim. As a consequence, our computing hardware is ever closer to the front line of a burning battlefield and confronted with various security threats.

Hardware security threats can arise during various stages of the entire semiconductor life cycle, ranging from specification to fabrication and even recycling. They can result from unintentional design flaws [1]–[3], system side effects [4]–[7] and intended malicious design modifications [8]–[10]. They usually target security assets like cryptographic functions, secure architectures, intellectual property (IP) and machine learning (ML) models. While classic hardware security threats such as covert and side channels, hardware Trojans and reverse engineering (RE) are constantly evolving, recent powerful attacks exploit remote [6], [11], cross-layer [2], [3], [12] and specification-compatible [8], [13] attack surfaces to compromise strong cryptographic primitives, isolation mechanisms, memory protection techniques and deep neural networks (DNNs). Understanding the different hardware security threats is an important first step to developing effective security countermeasures and design tools for circumventing them.

Security practitioners have been making tremendous efforts in developing effective hardware security countermeasures. An important first task is to create hardware security primitives that can serve as the building blocks for crafting an architectural-level trusted computing environment enhanced with strong isolation mechanisms. Effective side channel protection and Trojan detection techniques are essential for verifying that the security primitives and trusted computing environment are free of design flaws, covert and side channels, and backdoors. Recent advances in ML and artificial intelligence (AI) have shown promise in developing more accurate detection solutions [14], [15]. IP protection techniques [16]–[19], on the other hand, protect security primitives, hardware designs and DNN models from RE, counterfeiting, model extraction and other adversary attacks.

Despite the numerous protection techniques for thwarting hardware security threats, security is still at large an afterthought in hardware design. Most security holes are exposed only after their exploitation by the threat actors. Over-reliance on software patches for hardware flaws has also contributed to the trove of zero-day exploits for the attackers. In many ways, the database of common vulnerabilities and exposures (CVE) is just the tip of an iceberg. This is largely due to the lack of effective hardware security tools that allow automated specification, verification and evaluation of security constraints. Best design practices and tacit knowledge are necessary but inadequate. We need better design tools to enforce hardware security properties for trust assurance. Proactive hardware information flow analyses facilitate vulnerability shielding and on-site monitoring. For example, unintentional hardware flaws and potential security vulnerabilities can be detected early by the recent security-driven hardware design flow [20]–[22]. As the rally of attacks and countermeasures is a never-ending recursion, it is important to keep abreast of its latest development to continuously close the productivity gap of secure hardware design. If the tool chain does not constantly update to catch up with the latest design-for-trust and security verification methodologies, at the present rate of growth in hardware design complexity, security may terminate Moore’s law before other physical limits.

At present, the hardware security space has grown to a point with many different specialized topics, and each topic has been discussed in several focused survey papers. Examples of recent surveys on a few specialized topics are side and covert channels [4], [23], [24], reverse engineering [25], hardware Trojans [26], [27], physical unclonable functions [28], logic locking [29] and security verification tools [30]. This paper provides a concise overview of hardware security from three perspectives, namely threats, countermeasures and design tools, with emphasis on niche, uncharted topics and updated recent developments for hardware security in a mixed-trust environment. We also identify potential future research directions with this overarching vision.

The remainder of this paper is organized as follows. A brief description of the common hardware security properties is introduced in Section II. In Section III, an overview of the classic as well as state-of-the-art hardware security attacks is provided. Section IV reviews the frequently used hardware security mechanisms for thwarting these attacks. Section V summarizes various secure hardware design tools from both academia and industry. Some research challenges and opportunities in the discussed topics are highlighted in Section VI and the paper is concluded in Section VII.

II. HARDWARE SECURITY PROPERTIES

Hardware security properties are formal specifications about invariant security-related behaviors of circuit designs. Security threats and attacks usually cause violations of desirable security properties, while security countermeasures implement mechanisms for enforcing them. Security properties provide important constraints to security verification tools. In the following, we briefly cover different hardware security properties.

A. Dependability

Reliability, Availability and Safety are three important attributes to assess the trustworthiness of a computing hardware device to perform the expected function during its service lifespan. Reliability is the ability to produce the intended functions under normal operation and even under small fluctuations in the computing environment for a specified time period. Availability is the percentage of time a system is able to serve its intended function. Safety is the ability to avoid catastrophic consequences for the user or the environment. Catastrophic failures represent only a small subset of all failures. Hence, safety is a relative and subjective attribute that cannot be measured directly. Critical path timing failures, single-event upsets and aging effects can result from security exploits, such as fault injection [31] and recent ML attacks [32], that reduce the reliability, increase the downtime or impose safety hazards upon a system.

B. Confidentiality

Confidentiality is a general security property stating that secret information should never be obtained or inferred by observing a public output or memory location. While the direct movements of sensitive information can be easily identified, the stealthy leakage through system side effects and backdoors can be more subtle. These include the covert and side channels [4], [33] in cryptographic cores, system buses and high-performance elements such as caches and branch predictors [2], [3], as well as hardware Trojans [34].

C. Integrity

Integrity is the dual property of confidentiality. It requires that a trusted data object should never be overwritten by an untrusted entity. Integrity attacks often target critical memory locations, e.g., the cryptographic key, program counter and privilege registers. These attacks are usually a first step for performing further malicious activities, e.g., hijacking the control flow [35] and fooling machine learners [36].

D. Isolation

Isolation is a two-way property requiring that two hardware components of different security levels should not directly communicate with each other. It is a common security property that needs to be enforced in System-on-Chip (SoC), modern processors and the cloud, where the interaction between the secure and normal worlds is strictly controlled. However, there are still ingenious security exploits that break strong isolation mechanisms such as ARM TrustZone [37] and Intel Software Guard Extensions (SGX) [38].

E. Constant Time

The constant time security property enforces that the hardware design should take an invariant amount of time to compute and produce the result under different input combinations. In other words, we cannot learn any information about the inputs by observing the computation time. Violation of the constant time property creates a timing channel that can leak sensitive information. Such violations can result from performance optimizations [2], [3], e.g., the cache and branch predictor as well as fast paths in arithmetic units.

F. Quantitative Security Properties

Quantitative security properties allow more accurate measurement of hardware design security, e.g., assessing the severity of a vulnerability or evaluating the effectiveness of a security protection mechanism. Typical examples of such quantitative properties include randomness of the output of a cryptographic function [20], leakage of side and covert channels [39] and strength of a security mitigation [40]. These security properties are usually measured using statistical and information theoretic security metrics [41]. The security of approximate computing and machine learning is more often measured quantitatively.
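As an added illustration of the constant time property (Section II-E) together with an information-theoretic leakage metric of the kind Section II-F refers to, the following Python example (written for this overview, not code from the paper) models two comparators of a secret with a deterministic cycle cost and quantifies the timing channel of the leaky one in bits; the 3-byte secret and 4-symbol alphabet are constructed so the input space can be enumerated exhaustively.

```python
"""Constant-time property check with a quantitative timing-leakage metric.

Two comparators of a secret value (e.g. a stored tag against a supplied one)
are modelled with a deterministic cycle cost instead of wall-clock time, so
the result is exact and repeatable. The early-exit version violates the
constant-time property: its cycle count is a function of the input, which is
a timing channel. The leakage is quantified as the Shannon entropy of the
cycle-count distribution over uniformly random inputs; because the cycle
count T is a deterministic function of the input X, H(T) equals the mutual
information I(X;T), i.e. the bits an observer of the timing learns about X.
"""
from collections import Counter
from itertools import product
from math import log2


def compare_early_exit(secret: bytes, guess: bytes):
    """Byte-wise comparison that stops at the first mismatch (the common,
    leaky idiom). Returns (equal, cycles) with cycles = iterations run."""
    if len(secret) != len(guess):
        return False, 0
    cycles = 0
    for s, g in zip(secret, guess):
        cycles += 1
        if s != g:          # data-dependent early exit -> variable time
            return False, cycles
    return True, cycles


def compare_constant_time(secret: bytes, guess: bytes):
    """Comparison whose cycle count depends only on the (public) length.
    Mismatches are OR-accumulated so there is no data-dependent branch."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    cycles = 0
    for s, g in zip(secret, guess):
        cycles += 1
        diff |= s ^ g       # always runs to the end
    return diff == 0, cycles


def timing_distribution(compare, secret: bytes, alphabet, length: int):
    """Run `compare` against every guess of `length` symbols drawn from
    `alphabet` (exhaustive, so the distribution is exact) and return
    Counter{cycles: number of guesses that took that many cycles}."""
    counts = Counter()
    for word in product(alphabet, repeat=length):
        _, cycles = compare(secret, bytes(word))
        counts[cycles] += 1
    return counts


def timing_leakage_bits(compare, secret: bytes, alphabet, length: int):
    """Quantitative constant-time metric: H(T) = I(X;T) in bits for uniform
    guesses X. 0.0 means the constant-time property holds on this input
    space; anything larger is a timing channel of that capacity per query."""
    counts = timing_distribution(compare, secret, alphabet, length)
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values())


if __name__ == "__main__":
    # Constructed 3-byte secret over a 4-symbol alphabet: 64 possible guesses.
    secret, alphabet, length = bytes([1, 2, 3]), range(4), 3
    for name, fn in (("early-exit", compare_early_exit),
                     ("constant-time", compare_constant_time)):
        print(name, dict(timing_distribution(fn, secret, alphabet, length)),
              f"{timing_leakage_bits(fn, secret, alphabet, length):.3f} bits")
```

For the constructed input space the early-exit comparator leaks about 1.01 bits per query (cycle counts 1, 2 and 3 occur for 48, 12 and 4 of the 64 guesses), while the constant-time one leaks 0.0 bits.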
III. HARDWARE SECURITY THREATS

A. Architectural and System Threats

1) Secure Boot Attacks: A secure boot starts by loading code from an immutable boot ROM, correctly initializing critical peripherals, configuring security and system settings, authenticating and properly loading boot images and application code, and properly sanitizing data upon reset. Many issues arise due to the system being configured incorrectly, e.g., system memory space not protected. Other issues relate to data not being properly erased (e.g., keyboard strokes staying in buffers). These and many other real-world secure boot attacks are documented by Bulygin et al. [42].

The secure boot process is fairly well documented, making it amenable to formal property specification [43], [44]. Such properties relate to isolation and access control between boot stages (e.g., the next stage can only access a limited subset of the previous stage's information), determining if a boot stage completes fully before continuing to the next stage, and protecting boot state information properly upon completion (e.g., it cannot be modified and can only be read from boot code). Additionally, there should be a sequence that causes the hardware to fully reset all data, code, configuration and any other state, and the system should only load from the boot ROM upon reset.

2) Firmware Attacks: Firmware is the low-level software that controls the interaction and behavior of a piece of hardware or IP core. Firmware plays a key role in determining the security of the SoC. Incorrectly setting configuration registers can lead to catastrophic consequences and open the door to leaking confidential information, unsafe behaviors and critical flaws that can be exploited by attackers. An analysis in 2014 showed that at least 140,000 devices had a firmware vulnerability [45]. This should not be too surprising, as determining the correctness of the firmware is challenging: each hardware core has different configurations that interact with the overall system in a non-obvious manner.

Firmware is particularly important for SoC architectures. Modern SoC architectures are a patchwork of hundreds, sometimes thousands, of different IP cores that are cobbled together from in-house sources, outside vendors and open source repositories. Ensuring that these are functionally correct is a massive undertaking; determining that they lack security flaws is even more challenging. Subramanyan et al. [46] provide good motivation and the early work in this space.

Device drivers are typically small but important pieces of low-level C or assembly code that play an important role in firmware security. They provide an application program interface (API) that is used to deliver data to/from a device, query the status of the device, or set the device mode. More often than not, device drivers require access to critical parts of the system and thus it is crucial that they execute efficiently, handle real-time constraints and be secure. A first step towards synthesizing correct, efficient and secure device drivers is to create properties around on-chip communication protocols like Advanced Extensible Interface (AXI) and Wishbone [47]. Properly handling access control to the hardware resource is also important for secure computing with devices [48].

3) Dynamic Random Access Memory (DRAM) Threats: The Coldboot [49] and Rowhammer [50] attacks demonstrate the importance of protecting sensitive data stored in DRAM. Coldboot exploits the physical phenomenon that DRAM data persists for a short amount of time even after powering off the memory. This time can be extended by cooling down the memory, which further reduces the leakage of current from the DRAM capacitors. Researchers used this idea to show how to remove a DRAM from one computer, place it into another and grab the data. Other malicious attacks are also possible. Rowhammer exploits another physical vulnerability of DRAM, this time using the fact that DRAM data can be altered by accessing nearby data. The attacker locates some of their data next to some critical data in DRAM. By changing the values of their data, the attacker induces circuit noise that causes the target sensitive data to change.

4) Cache Attacks: Cache attacks [4] exploit information leakage through cache state and are extremely effective at extracting protected information. The cache is a shared resource and any process that uses it can leave traces about its computation, in particular, the memory addresses it accessed.

Cache timing attacks can be categorized as time-driven and access-driven [23]. A time-driven attack measures the execution time of the victim process. The attacker manipulates the contents of a shared cache and observes the timing of another process (e.g., a cryptographic operation). The timing is affected by cache hits and misses, which provides information about the key [51]. An access-driven attack extracts information by measuring the time that it takes the attacker to perform a cache access [52]. If a particular cache line is accessed by the victim process, the attacker would observe a cache hit, and vice versa. For instance, an attacker can identify data access patterns by the victim (e.g., which S-Box entries are being accessed during AES execution) and use this information to extract the confidential information (e.g., the secret key). The cache side channel is a powerful attack that is often used in combination with other attacks, e.g., Meltdown [3] and Spectre [2], as we will discuss.

5) Speculative Execution Attacks: Meltdown [3] and Spectre [2] are the first of a series of attacks that leverage speculative execution, out-of-order execution, caching and other architectural performance enhancements to break isolation and other security policies.

Meltdown enables unauthorized processes to read data from any address that is mapped to the current process’s memory space. Meltdown exploits a race condition where the unauthorized process attempts to access privileged data. A privilege check eventually squashes the execution of that code, but not
before the data is temporarily loaded into the cache. The attack then uses a cache side-channel attack (SCA) to determine the contents of the data.

Spectre is a vulnerability that tricks a victim process into leaking its data. Many processors perform speculative execution by branch prediction. Spectre uses the fact that this speculative code leaves traces of its execution in the cache, whose information can be extracted using a cache SCA (similar to Meltdown). Spectre trains a branch predictor to make a wrong decision and then wraps code that should not be executed in a condition. The code is speculatively executed since the branch predictor is wrong. It eventually gets squashed but it leaves important information in the cache state, which is extracted via a cache SCA.

6) Code Reuse Attacks: Code reuse attacks carefully use existing snippets of software to perform computation of the attacker's choosing. Return oriented programming (ROP) [53] is an example of a code reuse attack where existing code fragments (or gadgets) are carefully sequenced to perform a malicious act. The attacker’s goal is to divert the control flow by gaining control of the call stack and invoking the first gadget, which in turn calls subsequent gadgets. This allows the attacker to perform actions of their choosing.

B. Covert and Side Channels

Covert and side channels have emerged as two types of potent information leakage channels. Micro-architectural features targeted towards performance improvement, e.g., shared cache, speculative control and hyper-threading, create new covert and side-channel security issues. Covert channels use non-traditional communication mechanisms to leak critical information – often between an insider process (e.g., a Trojan Horse program) and an outsider spy process. These two processes do not communicate directly through traditional mechanisms, e.g., shared cache. Instead, a Trojan process may communicate with a spy process by modulating the timing of specific events on a shared resource or writing/checking if a file is locked. On the other hand, SCAs utilize physical side-channel parameters (supply current, event timing, electromagnetic emission, etc.) to leak on-chip secrets.

While some covert channels require sharing of hardware resources among exchanging parties (e.g., shared cache), others may exist among hardware components that are physically isolated or not even in proximity. Hardware-oriented covert channels are typically initiated by introducing manipulation or exploitation of certain functional (response to a fault) or parametric (e.g., timing, power, electromagnetic radiation, etc.) behavior of the hardware that is observed to decode the secret information being transmitted. Side channels are unintentional information leakage where an attacker tries to extract information from a target computing system utilizing its inherent implementation vulnerabilities. Similar to covert channels, side channels also require the observation of certain functional or parametric behaviors at runtime.

1) Timing Channel: A timing channel is established through the observation of the execution time of a certain process. Timing-based covert and side channels may exist due to the sharing of hardware resources across different software processes. Moreover, an IC may contain fast and slow execution paths that reveal information regarding the underlying operation being executed (e.g., arithmetic vs. Boolean operation [54]). While chip designers introduce novel features to improve execution time, more timing channels are being discovered. These channels may facilitate information transfer at a rate of up to a few megabits per second [55]. These timing channels are often practical only under certain assumptions regarding the attacker and the victim. For instance, to form a timing channel using some cache-based attack, the victim and the attack processes must execute on the same processor core for a specific amount of time. The attacker’s ability to adhere to these assumptions can significantly impact the capacity or sensitivity of the channel.

Over the last few years, researchers have demonstrated the feasibility of a wide range of timing-based covert and side channels. Szefer [4] presents a comprehensive overview of timing attacks that are feasible due to vulnerabilities in processor architecture. Execution time differences for various instructions, resource sharing, the impact of a functional unit’s state on program execution (e.g., branch prediction) and the timing behaviors of memory subsystems (e.g., cache and prefetcher) are some characteristics of modern processors that lead to microarchitectural timing channels.

2) Power Channel: In power SCA [56], [57], an attacker measures the switching power traces of an electronic component during operation and then employs mathematical analysis on the traces to extract secret information. The basic premise of such an attack lies in the fact that the transient power traces of a chip leak its internal switching patterns, thereby leaking data secrets (e.g., the cryptographic key) through the switching behavior. Shrinking technology nodes and increasing power density have made it possible for attackers to carry out power SCAs with an increasing degree of success.

Attackers have utilized a wide variety of techniques to extract information. A simple visual inspection of the power signal information, known as Simple Power Analysis (SPA) [56], is utilized when the internal implementation is known to the attacker. If the attacker has complete access to a device, he/she resorts to template matching attacks. Template attacks [5] consist of a profiling step and an attack step. The attacker has the freedom to collect many samples in the profiling phase as he/she fully controls the device. In the profiling step, the parameters of the design are learnt from a device and a profile of the device is created. This profile is applied as a template to other copies of the same device in the attack phase.

Differential Power Analysis (DPA) [56] relies on the principles of statistical hypothesis testing, where the attacker measures the power consumption traces of a target device over several time steps by feeding a large number of input vectors. The attacker then partitions the resulting power traces into subsets. The difference in the average values of these subsets reveals the presence or absence of information leakage in the design. In the absence of leakage, the difference in average values tends to be zero, as the choice of assigning a trace to a subset is purely random and is uncorrelated with the power measurements. On the other hand, a statistically
significant difference implies that there exists a correlation between the partitioning and the trace measurements. Unlike SPA, DPA does not require any knowledge about the underlying implementation and can be carried out in highly noisy environments. Correlation Power Analysis (CPA) [57] relies on using statistical models to estimate the correlation between the secret and the power consumption of the device when the secret is being used for computation. A CPA typically relies on building a model of the device’s dynamic power consumption. The activity factor α is modeled using Hamming distance (HD) or Hamming weight (HW). The change in the bits of the input that causes a change in α can be modelled by the HD between the initial input and the changed input values, or by the HW of an input in the case of a software implementation (e.g., on a smart card). This HD or HW model serves as a good approximation to estimate the power consumption of a device. During a CPA attack, the attacker guesses the value of the secret and obtains as many traces as possible for each guess of the secret.
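The DPA difference of means and the CPA correlation described above, run as a leakage assessment over constructed traces generated from the HW model, as an added example for this overview (not the paper's own code): the simulated target is a 4-bit S-box lookup keyed by XOR, the S-box is the one from the PRESENT block cipher (used only as a small nonlinear function), and every trace value is synthetic.

```python
"""Leakage evaluation with the Hamming-weight (HW) power model: the DPA
difference of means and the CPA correlation on constructed power traces.

The simulated 'device' computes S[p ^ k] with the 4-bit PRESENT S-box and
one power sample per operation is modelled as HW(S[p ^ k]) plus Gaussian
measurement noise. Every function takes a list of (plaintext, sample) pairs,
the form real traces would take after alignment and point selection.
"""
import random
from statistics import mean, pstdev

# 4-bit S-box of the PRESENT block cipher (a convenient small nonlinear map)
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def hamming_weight(x: int) -> int:
    return bin(x).count("1")


def simulate_traces(key: int, n: int, noise_sd: float, seed: int = 1):
    """Constructed traces: plaintexts cycle through all 16 nibbles so each
    input is equally represented; the sample is HW(S[p ^ key]) plus
    N(0, noise_sd) noise. Returns [(p, sample), ...]."""
    rng = random.Random(seed)
    traces = []
    for i in range(n):
        p = i % 16
        sample = hamming_weight(SBOX[p ^ key]) + rng.gauss(0.0, noise_sd)
        traces.append((p, sample))
    return traces


def dpa_difference_of_means(traces, key_guess: int, bit: int = 0) -> float:
    """Single-bit DPA: split the traces by the predicted value of one S-box
    output bit under key_guess and return mean(bit=1) - mean(bit=0). Under
    an uncorrelated split the difference tends to zero; under the HW model
    a correct prediction gives a positive difference."""
    ones = [s for p, s in traces if (SBOX[p ^ key_guess] >> bit) & 1]
    zeros = [s for p, s in traces if not (SBOX[p ^ key_guess] >> bit) & 1]
    return mean(ones) - mean(zeros)


def cpa_correlation(traces, key_guess: int) -> float:
    """CPA: Pearson correlation between the HW prediction HW(S[p ^ key_guess])
    and the measured samples. The full 0..4 HW model carries more information
    than one bit, so it separates hypotheses that single-bit DPA cannot."""
    preds = [hamming_weight(SBOX[p ^ key_guess]) for p, _ in traces]
    meas = [s for _, s in traces]
    mp, ms = mean(preds), mean(meas)
    cov = mean((a - mp) * (b - ms) for a, b in zip(preds, meas))
    return cov / (pstdev(preds) * pstdev(meas))


def rank_keys(traces, statistic):
    """Key hypotheses ordered from most to least likely by `statistic`."""
    return sorted(range(16), key=lambda k: statistic(traces, k), reverse=True)


def leakage_report(key: int, n: int = 320, noise_sd: float = 0.3):
    """Quick quantitative assessment of the simulated design: returns
    (best key by CPA, its CPA correlation, DPA difference for the true key).
    A correlation near 1 and a difference near 1 mean the design leaks."""
    traces = simulate_traces(key, n, noise_sd)
    best = rank_keys(traces, cpa_correlation)[0]
    return best, cpa_correlation(traces, best), dpa_difference_of_means(traces, key)


if __name__ == "__main__":
    best, corr, diff = leakage_report(key=5)
    print(f"CPA best hypothesis {best}, correlation {corr:.3f}; "
          f"DPA difference of means for the true key {diff:.3f}")
```

With this S-box a single-bit DPA on bit 0 gives the same difference of means for the true key k and for the hypothesis k ^ 7 (a ghost peak), which is why the report ranks hypotheses by the CPA correlation, where that hypothesis only reaches 0.25.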
ML algorithms have also been applied to both profiling-based and non-profiling-based SCAs. In profiling-based approaches, where attackers have access to an exact copy of the attacked hardware, a supervised ML model can be trained based on data points in different profiling traces [58]. In non-profiling-based approaches, where attackers do not have access to a copy of the device, unsupervised ML algorithms such as clustering are applied to reveal the secret information [59].

The growth of cloud-based service providers like Amazon and Google has led to an increase in multiple users sharing the same hardware resource, such as a Field Programmable Gate Array (FPGA). In such multi-tenant operating environments, remote power attacks are becoming feasible when an untrusted party shares resources with a trusted one [6], [11]. The attacker can infer information regarding the trusted program executing in the same resource as the attacker by accessing the power delivery network. Furthermore, in cloud settings, new attacks are emerging where a malicious power/current surge caused by an untrusted process can create a denial of service attack in another process mapped to the same FPGA device [60].

3) Electromagnetic and Photonic Channels: Unintentional electromagnetic (EM) radiation from electronic devices is a well-known concern for semiconductor vendors due to the possibility of interference with wireless communication channels and potential health risks to the end-users [24]. However, EM radiation during a security-critical process could also lead to vulnerabilities due to its potential to leak information regarding the operation. EM emission characteristics are largely device dependent; hence it is difficult to develop a break-one-break-all scenario for the attackers. The effectiveness of small magnetic loop antennas in detecting EM emission from ICs has been evaluated in various studies [61]. The signals captured by magnetic loop antennas are digitized for the extraction of the secret. EM signals for information leakage can be observed in various ways. Visual inspection of the time-domain representation of EM signals is called simple EM analysis (SEMA) [62]. SEMA can be considered the EM equivalent of SPA. EM signals can be transformed to the frequency domain to perform visual analysis of the spectrogram to reveal information. The SEMA approach has been used to extract secret information from various cryptographic processes, including RSA, Elliptic Curve-based Diffie-Hellman (ECDH) and the Elliptic Curve-based Digital Signature Algorithm (ECDSA) [63]. Algorithms like ECDH and ECDSA are suitable for mobile devices and Internet of Things (IoT) platforms, where a malicious end-user with complete physical access can compromise the cryptographic process using the SEMA approach.

Simple visual observation of EM signals may not be sufficient for revealing information from many applications. A more sophisticated attack vector called Differential EM Analysis (DEMA), a variant of DPA for EM, has been proposed [64]. However, DEMA requires a large number of EM traces of a given operation to extract the secret bits that are involved in the process by observing the variation in EM emission. With the alteration of signal or register states between logic high and low, energy dissipation in a CPU varies and consequently the EM emission is impacted [61]. Moreover, the alteration of signal states in a CPU depends on the instructions and variables. Hence, observation of EM emission for a large number of operations is useful in retrieving the instructions being executed and the intermediate states of different variables.

4) Fault Injection: Fault attacks form a potent class of SCAs wherein the attacker can subvert the execution of the hardware by deliberately injecting a fault. A well-placed fault attack could cause the system to reveal secret information, such as the key bits [65]. Fault attacks have also emerged as major threats for a program executed by a processor. For example, precisely flipping the status flags can allow an attacker to bypass the authentication process, giving unauthorized control or privilege escalation [7]. These faults can be injected by causing a glitch in the underlying hardware. The attacker typically attempts to manipulate one or more of the device’s power supply or clock, or utilizes a highly powerful laser to control the temperature of the device.

Fault attacks have been demonstrated on several crypto-functions such as Data Encryption Standard (DES), Advanced Encryption Standard (AES), International Data Encryption Algorithm (IDEA), Secure and Fast Encryption Routine (SAFER) and Blowfish. However, not all faults are exploitable. Hence, careful profiling of the fault space is required to identify the set of exploitable faults. In AES, it has been demonstrated that a well-placed fault injected between the seventh and ninth round operations could cause the device to reveal the entire key with as few as eight faulty ciphertexts.

More recently, attacks like Plundervolt [31], VoltJockey [38] and CLKScrew [7] have demonstrated that fault attacks are not restricted to crypto-cores but can also impact general purpose SoCs. Both CLKScrew and Plundervolt are software-generated fault attacks. The attacker leverages access to clock or energy management APIs for injecting the fault. CLKScrew exploits the dynamic voltage frequency scaling utility to extract secrets from ARM TrustZone. Plundervolt utilizes the power management utility to compromise the execution of Intel’s SGX.

Apart from the above discussed side and covert channels, test and debug infrastructures usually provide privileged access to critical hardware resources such as machine state and configuration registers. Insecure test and debug ports are potential
6 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. X, NO. X, MM 2021
attack surfaces for launching powerful low-level attacks. In the output is not yet valid. Such don’t care HTs can be hard
2012, a military grade FPGA was reported to have a backdoor to detect since they are out of the functional specification. A
in the JTAG port, which allows the attacker to retrieve the more recent work hides HT in the unspecified functionality in
AES key for decrypting the protected bitstream [66]. Rajput obfuscated hardware designs [13]. Based on the fact that the
et al. [67] summarized the security attacks and protections for design functionality under incorrect obfuscation keys cannot
the commonly used JTAG port. Valea et al. [68] performed a be explicitly specified in order to protect the correct key,
more complete survey of security threats and countermeasures the IP designer has numerous flexibility in implementing the
in different test standards. obfuscation logic, including inserting malicious circuitry.
Nahiyan et al. [76] proposed a HT design by adding
C. IP Theft and Counterfeiting Threats malicious state to the finite state machine (FSM). The idea
is to use unoccupied state encoding to insert a floating Trojan
Modern SoC and IC designs usually involve different forms
state. The FSM will never transit to the dangling Trojan state
of IPs, e.g., register transfer level (RTL) design (soft IP),
during normal operation. The Trojan can be activated using
gate level netlist (firm IP) and physical layout (hard IP).
fault attack to force the FSM into the malicious state.
The owner’s IP is outsourced to trustworthy offshore design
Hu et al. [34] leveraged satisfiability don’t cares for HT
houses/foundries for SoC integration or IC fabrication to
insertion. The Trojan uses a pair of signals that will never
reduce design complexity, time to market pressure and manu-
reach a specific input combination (e.g., cannot be logical ‘0’
facturing cost. This can lead to various IP security threats.
simultaneously due to path correlation) under normal operation
In IP counterfeiting, an attacker illegally imitates the orig-
as triggers. Thus, the Trojan will never be triggered during
inal design, creates counterfeited versions of the IPs/ICs,
normal run although each trigger signal is able to switch.
and sells them in the brand name of a genuine supplier. In
Similarly, fault injection is used to force the trigger signals
cloning attack, an adversary copies the original design and
into a desired condition to activate the Trojan. Such Trojan has
supplies cloned versions of original IPs/ICs under his/her own
recently been demonstrated on a multi-tenant FPGA, where the
label. These attacks result in integration of fake IPs/ICs in
attacker can remotely activate the Trojan by deploying power
the electronics systems used in critical applications such as
wasting circuitry to induce considerable fluctuations in the on-
military, healthcare and banking, etc. The fake designs not only
chip signal delays and, consequently, timing faults [77].
sabotage the genuine vendor’s reputation and revenue but also
3) Analog Trojans: Researchers have also demonstrated
lead to large consequences: (i) affecting the reliability and per-
how to create analog HTs through slight modifications of the
formance of the critical systems; (ii) containing malicious or
design layout [78]. Becker et al. [79] and Kumar et al. [80]
backdoor logic that cause leakage of confidential information
insert analog HTs by changing the dopant polarity or ratio
or assist to override the critical systems [69].
of input to transistors to cause a short circuit. These dopant-
In RE attack, an attacker back engineers the design in
level HTs can be hard to identify since they do not introduce
order to deduce the design structure or functionality. This
additional transistors but only modify circuit parameter. Liu
can be done by RE its various design forms such as RTL,
et al. [10] demonstrate an analog HT that leaks the AES key
netlist, layout (GDS-II), mask or a manufactured IC [70]. RE
by slightly modulating the amplitude or frequency of wireless
attack allows the adversary to realize his/her intentions of
transmission without violating the protocol specification. The
inserting backdoors or Trojans into the design and also enables
HT cannot be detected using routine testing methods since it
counterfeiting and IC overbuilding, thereby entails reassessing
does not change the design functionality. The A2 Trojan [9]
trust in electronics hardware [70], [71].
is a small and stealthy malicious analog circuitry. It only adds
a single capacitor that siphons charge from nearby wires as
D. Hardware Trojan they transit. When the capacitor is fully charged, it drives
1) Classical Digital Trojans: Early HTs typically use a a victim flip-flop to a desired value to perform malicious
single trigger signal to activate the Trojan under a rare event. activities, e.g., elevating privilege. The Trojan will remain
The Trust-HUB benchmarks [72] employ such a simple trigger dormant if the capacitor resets through leakage current due
mechanism, which is very sensitive to switching probability to inactive switching activities in the charging wires. A more
analysis. The De-Trust [73] project provides some HT designs recent work exploits analog/mixed-signal circuits for hardware
that use multiple discrete trigger signals so that each trigger Trojans, whose trigger mechanism is deployed in the digital
signal will be able to switch normally. These HTs, when domain while the payload is transferred to the analog domain
activated, will violate explicitly specified design behavior in via the on-chip test infrastructure [81].
the design specification. 4) Trojans Induced Aging and Performance Degradation:
A comprehensive list of Trojan taxonomies [74], [75], In a nanoscale semiconductor device, physical occurrences
benchmark sets [72], [75] and lessons [27] of these classical such as hot-carrier injection, electromigration, time-driven
HT research have been documented. In what follows, we will dielectric breakdown and negative bias temperature instabil-
discuss some recent HT designs and attacks. ity (NBTI) lead to aging phenomenon [82]. These physical
2) Exploitation of Don’t Care Conditions: Fern et al. [8] occurrences are the result of the restrained design margins
leveraged external don’t care conditions (i.e., unspecified func- and transistor scaling. Even a small change in the transistor
tionality) for HT design. For example, the design output may parameter may significantly affect the device performance and
be unspecified under certain “illegal” input conditions or when reliability [82], [83]. Device aging may result in failure of
HU et al.: AN OVERVIEW OF HARDWARE SECURITY AND TRUST: THREATS, COUNTERMEASURES AND DESIGN TOOLS 7
semiconductor devices during critical operations. Heavy re- E. Vulnerabilities and Attacks on Deep Learning Networks
liance of SoCs on third party IPs (3PIPs) raises the possibilities
of aging attacks. A rouge 3PIP vendor may accelerate the de- 1) Adversarial Examples: AI has been promoting fast in the
vice aging process by covertly making malicious modifications recent decade, thanks to various deep neural networks (DNNs),
in the design of 3PIPs, with an aim of causing a premature which learn high-level features from raw data to solve many
failure of an electronic device within the warranty period [84]. challenging object recognition problems end-to-end with very
high accuracy and without requiring human intervention. Sim-
One prevalent way of launching an accelerated aging attack ilar to any other fast-advancing fields, the infiltration of deep
is through NBTI stress. NBTI refers to the increase in thresh- learning models into safety and security critical applications
old voltage of a P-type metal oxide semiconductor (PMOS) such as self-driving cars and face recognition payment systems
transistor over time due to the charges trapped under the gate make them an interesting target of attack.
area by the negative bias applied between its source and gate A well-known vulnerability has been exposed in a surprising
terminals [82]. As NBTI is heavily dependent on the dynamic way by the input of adversarial examples. It was initially
operating condition of the device. Attackers can control the demonstrated by Szegedy et al. [86] that small intentionally
supply voltage, temperature and input signal probability to designed perturbations added to the original input image
increase a device NBTI stress to accelerate its aging effect. can create an optical illusion for the DNN classifier at the
An attacker may force the device into continuous stress even inference phase. Adversarial example generation algorithms,
in standby mode, by modifying/adding malicious circuitry. To such as fast gradient sign method [87], universal perturba-
accelerate the aging process, the attacker can use selected input tions [88] and Carlini and Wagner (C&W) attack [89], have
vectors to maximize the NBTI stress on the target devices. succeeded in subverting the deep learning model output with
This attack is demonstrated by Kachave et al. [84] on high success rate. Hardware accelerator for the generation of
digital signal processor (DSP). In this attack model, an attacker adversarial examples has also been proposed to improve the
continuously applies NBTI stress during the standby mode attack efficiency [36]. The imperceptibility of the perturbation
of the device to accelerate the aging by either hardware and generalization ability across models further aggravate
or software modifications. In the hardware-based attack, an the damage of such attacks. Recent research suggests that
attacker introduces some alterations in the DSP hardware such adversarial example attacks can also be applied in the physical
that a rare event (hidden Trojan) triggers the application of world [90] and incorporated with cameras [91]. Adversarial
input vectors that maximize NBTI stress. In the cross-layer examples work across different media and are recognized
attack, an attacker builds a program that automatically applies by Open AI Inc. as a concrete problem in AI safety. They
the test vectors on the DSP circuit to create the greatest stress shatter the confidence of DNN implementation robustness,
during the operational mode. and extend the DNN attack surface beyond the software
boundary. Although conventional techniques such as laser
5) Trojans Insertion Through Malicious EDA Tool: HT beam interference, memory collision and rowhammer have
threat arises primarily from untrusted design process and been deployed as means to attack DNN hardware, they must
supply chain. EDA tools, as an important element in this be subtly and significantly devised to exploit the unique
untrusted environment, can also assist in Trojan attacks. characteristics of DNN. The target asset and threat model of a
DNN attack are in many ways different from those of the
Krieg et al. [85] demonstrated an automated HT inser- cryptosystem. DNN has the transferability, noise immunity
tion technique through light-weight modification to an open and graceful degradation properties that are absent in many
source synthesis tool. The modified FPGA synthesis front- other domain-specific computing solutions. Effectiveness and
end deploys a special look-up table (LUT), whose simulated efficiency of attacks on DNN are often data, model and
design behavior is totally correct. In a second attack phase, application dependent. In general, data plays a more significant
the malicious back-end identifies this LUT and changes its role than the model and the model plays a more significant role
functionality when translating the design into bitstream, which than parameter optimization in the inference.
acts as a Trojan trigger. The challenge in detecting such
2) Hardware-oriented Attacks: Artificial Intelligence of
HT lies in the lack of bitstream verification tools. In their
Things (AIoT) is the convergence of AI and IoT infrastructure.
successive work, the differences in how the don’t care ‘X’
Placement of cognitive computing and AI processing at the IoT
appears in logic simulation and implementation are exploited
edges can benefit in terms of privacy maintenance, bandwidth
to create a Trojan trigger. The trigger signal ‘X’ will be logic 0
reduction and responsiveness. As a core enabler of innovation,
during simulation and logic ‘1’ in hardware implementation.
dedicated hardware accelerators for efficient on-device infer-
Thus, the HT will remain inactive during the design phase
ence are increasingly used for edge AI deployment. Commer-
and will be automatically activated upon configured onto the
cially available hardware accelerators for local AI inferencing
FPGA. Similarly, light-weight modification to the synthesis
include Intel Neural Compute Stick 2 (NCS2), Google Coral,
tool will facilitate automated insertion of such HTs.
Nvidia Jetson Nano and Xilinx edge AI IP core. This new
Besides, several HTs target emerging computing technolo- wave of edge intelligence in the AIoT age invites new attack
gies. In [13], a HT is hidden in the obfuscation logic intended vectors, which are methodologically different from software-
for IP protection. In [6], a remote HT attack targeting multi- oriented DNN attacks like the previously described input of
tenant FPGAs deployed in the cloud was demonstrated. adversarial examples. This is because adversarial examples
8 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. X, NO. X, MM 2021
that assume any input pixel can be precisely altered to any steal the model so as to build similar performance AI products
arbitrary value may not achieve the same desired outcomes or solutions at substantially reduced cost. Existing model
when they are presented to a DNN hardware accelerator. extraction attacks can be broadly divided into two categories:
Fault injection attacks such as laser injection [92], glitch dis- query-based and implementation-based. Query-based model
turbance [93], memory collision [94] and rowhammering [95] extraction attack mainly utilizes the input-output relationship
can impact circuit operations within the DNN and are potential of the target model to build a substitute model that has the sim-
threats to edge intelligence. Straightforward fault injection ilar functionality [101]. In the scenario of embedded devices,
will cause denial of service, but it also alerts attention. For the internal model is exposed to the risk of being attacked
instance, overheating the DNN hardware will not only affect by malicious users who have physical access to the device
classification but also suspend the system. Immediate damage by observing the I/O dataflow [102]. These users can then
control may be triggered to limit the benefits that can be train a new model with similar performance based on the I/O
reaped from suck attacks. Existing fault attacks on DNN focus pairs, i.e., replicating the original model. Unlike crypto engine,
mainly on model weight manipulations [95], [96]. Falsifying where all computations can be completed fully on chip, edge
model parameters such as saturating last layer’s bias [32] to implementations of DNN models, except a few tiny models,
converge the output to one specific class regardless of inputs or require some off-chip communications for each inference.
constraining modification magnitude on the weights of all lay- Implementation-based model extraction attack exploits side
ers [96] can be used to create selective input misclassification. channel leakage during model execution. Fine-grained infor-
These simulated attacks assume that the data stored in memory mation could be obtained by tracking cache misses, memory
can be precisely manipulated to arbitrary values through fault access pattern, power consumption and hardware performance
injection, which are not realistic for real-world DNN hard- counters [103], [104]. Algorithms such as DPA and CPA can
ware accelerators. Moreover, manipulation and interpolation of be applied to extract the number of parameters in each layer,
model parameters tend to leave footprints in memory or create the value of each parameter, the total number of layers and
conspicuous output patterns. Such persistent fault induction in the type of activation function. Optimization techniques on
the weights are likely to be directly detected by model read- DNN hardware, such as zero weight pruning, can be utilized
back and bypassed by parameter reloading. Although practical to reduce the complexity of reverse engineering [105]. The
fault injection techniques such as laser beam interference [92] success of model extraction can enable further exploitation
and Rowhammer [95] are able to perturb the output of DNN of the security weaknesses of deep learning, such as evading
algorithm running on general purpose hardware, the attacks systems thereby forcing incorrect predictions and revealing
can be mitigated by low-precision numeral representation, as additional information from the training data to leak sensitive
suggested in [95], which happens to be a common practice of and confidential information.
existing deep learning accelerator for edge applications.
HTs pose a real threat for outsourced DNN IC design, IV. C OUNTERMEASURES
fabrication or testing activity or the use of 3PIPs within DNN A. Hardware Security Primitives
hardware. Successfully embedded stealthy trigger and payload True random number generator (TRNG) and physical un-
into the activation layer [97] or memory controller [98] can clonable function (PUF) are two important hardware-intrinsic
cause misclassification. Fortunately, hardware attacks on edge security primitives that provide built-in instead of bolted-on
deep learning applications have so far been constrained to defense against various emerging threats and vulnerabilities
DNN hardware on small scale (10 categories) classifica- arising at different phases of the IC life cycle or device
tion [92], [94] or are based on simulated instead of physically operation. Compared with TRNG, PUFs have been very well
induced faults [96], [98] on larger network such as Ima- surveyed by many researchers in recent years. For TRNG, we
geNet [99] (1000 categories) classification. One exception is exemplify typical CMOS circuit implementations from four
the most recently reported stealthy misclassification attack on different entropy sources. For PUFs, we focus on the feasibility
deep learning accelerator for ImageNet applications in [100]. of its integration with other non-device signatures. Such a
This attack induces temporal fault into intermediate results unique provenance proof is promising in detecting imposer,
of convolutional layer by introducing infrequent instantaneous tampering, spoofing and fabrication attacks that aim to gain
glitches into the clock signal. The temporary perturbated unauthorized access to system, data or premises.
data will propagate to the inference stage but they will be 1) TRNG: A random number generator is a device or
overwritten by the correct data after each prediction, leaving software that generates sequences of unpredictable numbers.
no trace for detection. The ancient ways of using dice roll or coin toss to harvest
3) Model Extraction Attacks: Model extraction attack [101] natural randomness are too slow to meet the demands of mod-
occurs when attackers attempt to replicate a pre-trained model. ern computing systems. A pseudorandom number generator
Because of the amount of costly training data collected, a (PRNG) is an algorithm or a mathematical formula that can
superior deep learning model trained for a specific task is a be used to produce a sequence of random numbers with a
precious IP that an enterprise can monetize as a commodity sufficiently long but finite period from a seed state. PRNGs
through third party offerings or leverage as a technology that are suitable for the cryptographic applications are called
barrier to competitors of the market. Unlike cryptosystems, cryptographically secure pseudorandom number generators
model confidentiality is assumed as a trained DNN is a pricey (CSPRNGs). CSPNGs are designed from cryptographic prim-
IP. For this reason, there is strong incentive for opponents to itives or hard mathematical problems to pass the next-bit test
HU et al.: AN OVERVIEW OF HARDWARE SECURITY AND TRUST: THREATS, COUNTERMEASURES AND DESIGN TOOLS 9
such that the (k+1)-th bit of a sequence cannot be successfully a 2-bit counter was proposed [111]. In order to maximize
predicted in polynomial time from the knowledge of the jitters and reduce power consumption, the inverters in the
first k bits. CSPRNG should also be resilient to the “state two CSROs are biased in the weak inversion region and the
compromise extensions” attack, which is an attack that makes inverters in the regular RO are operating in the strong inversion
use of some known internal states to predict future outputs region. Systemic biases in the beat frequency are effectively
or recover previous outputs. On the contrary, a TRNG is a cancelled out by XORing the outputs of the two matched
hardware security primitive that yields unpredictable random CSROs. The resulting random pulse width is used to clock gate
numbers even if the internal design details are all known. the regular inverter-based RO to the 2-bit counter. This jitter-
With infinite period, it provides higher security property than based TRNG, fabricated in a standard 65 nm, 1.2 V CMOS
CSPRNG. TRNG designs that originated from solid-state process, consumes only 260 µW at a bit rate of 52 Mbps and
devices typically harvest their randomness from four sources, has a small footprint of 366 µm2 .
namely noise, jitter, metastability and chaos. Metastability is a stable state of a dynamical system besides
Thermal noise is a good source of randomness because it the system’s state of least energy. Metastabilities in cross-
is frequency- and technology-independent [106]. The weak coupled inverters, latches, DFFs and SRAMs [112] have been
thermal noise needs to be boosted by a wide-bandwidth utilized to produce random bit streams at high bit rate, but
amplifier, which can consume significant silicon area and complex post-processing units are usually required to elimi-
power. Matsumoto et al. [107] added a silicon nitride (SiN) nate the systematic bias. The key component of metasability-
layer in a standard CMOS process to amplify the thermal noise based TRNG of [112] is the metastability latch, which is
to a measurable level without the amplifier but the extra SiN designed based on a cross-coupled inverter pair with equal rise
mask is itself expensive. Recently, Bae et al. [108] proposed and fall time. A random bit is produced by the metastability
a high-speed TRNG by harvesting the thermal noise from the latch in each cycle. To assure high entropy, a time-to-digital
biasing circuit of a common-mode operating comparator and converter (TDC) is used to measure the settling time and tune
the sampling uncertainty of a Delay Flip Flop (DFF). The the metastable latch against bias introduced by the process and
idea is illustrated in Fig. 1. Common-mode noise is generated temperature variations. The switching speed of the metastabil-
by connecting both inputs of a comparator to the output of ity latch cannot be too fast to prevent the settling time from
a beta-multiplier voltage reference. The thermal noises of the exceeding the time resolution of the TDC. The latch size and
comparator and the biasing circuit are added up and amplified load must also preserve the dominance of thermal noise over
by the differential-to-single ended (D2S) amplifier. The ampli- flicker noise. By combining three entropy sources of similar
fied noise is fed into a slicer to generate a full swing output, cross-coupled inverter pairs that share the same supply and
which is then sampled by a 3 GHz clocked DFF. By combining clock, Intel [106] fabricated a fast TRNG in 14nm FinFET
thermal noise and sampling uncertainty of the asynchronous CMOS process that produces 3 full-entropy bits per clock
input, this TRNG has a very high throughput of 3 Gbps. Its cycle. The three bitstreams of at least 0.33 min-entropy/bit
power consumption is also very high, 5 mW excluding the each are combined by a Barak-Impagliazzo-Wigderson (BIW)
power-hungry external high-speed clock generator. extractor [113]. Correlation suppressors and under-sampled
feedback shift registers are used to de-correlate and whitening
Thermal noise Sampling the raw data to generate 24 uncorrelated bits in every 64 clock
amplification uncertainty
Random
cycles with an ultra-low energy consumption of 3 pJ/bit.
D2S Slicer sequence TRNGs can also be designed from chaotic system described
Noise from
bias circuit Async.pulse
DFF by deterministic equations. At first sight, this may sound like
God plays dice with complete law and order. Being extremely
sensitive to the initial conditions, the disorder states of a
3GHz clock
Noise from chaotic system are very hard to be modeled mathematically
commonmode
compararator even though they are produced by simple systems that obey
precise rules. Chaos is, as described by the legendary Lorenz,
Fig. 1. Design concept of noise-based TRNG [108]. “when the present determines the future, but the approximate
present does not approximately determine the future.” [114].
Conventional jitter-based TRNGs [109] use a slower jittery Chaos-based TRNGs [115] are typically designed by a chaotic
frequency clock to sample a faster clock. Using clock jitters map and a bit generation function. Unfortunately, the map
of free running ring oscillators (ROs) as entropy source, characteristics are susceptible to process, voltage and temper-
the extractor design can be simplified, but additional power- ature (PVT) variations. The optimal bit generation function
hungry clock generators are required to provide adequate jitter for achieving the highest possible entropy rate from a map
variations. Yang et al. [110] proposed a process variation tol- function is costly to implement, and consumes great power. An
erant TRNG by exploiting the oscillation collapse in a double exceptionally energy-efficient implementation [116] is shown
edge injected RO. To achieve the robustness against process in Fig. 2. It consists of a 10-bit fine-SAR ADC, a 5-bit coarse-
variations, 32 stages with 8 selectable inverters per stage are SAR ADC, a dynamic residue amplifier, and an XOR post-
used to provide the tuning space. Recently, a lightweight processing block. The ADC recursively amplifies the initial
TRNG consisting of only two 9-stage current-starved ROs state of the system with environmental noise to produce a
(CSROs) with an identical layout, a 3-stage regular RO and discrete time chaotic map. Due to quantization errors of the
10 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. X, NO. X, MM 2021
coarse-SAR ADC, the design is highly sensitive to the initial this eases the enrollment of strong PUF with a large number of
state. The switching power of fine-SAR ADC is reduced by CRPs, the disclosure of multiple helper data also increases the
using the coarse-SAR ADC to detect and skip switching. The risk of side-channel information leakage. This problem can be
design consumes only 82 nW of power and 0.3 pJ/bit of mitigated by a well-structured PUF with balanced BER [121]
energy. A larger portion of the power savings are due to the or appending an Z-channel [122]. Today, PUFs have made
dynamic residue amplifier and adaptive reset comparator. their presence known in industry, e.g., Xilinx [123], NXP
Semiconductor [124] and Qualcomm [125].
Residue Amplification As a hardware root of trust, PUF has opened up new
Coarse-SAR ADC
horizons for solving IoT security problems. The rise of IoT
- + Q(x) has created a huge influx of sensors and accelerated sen-
Vin ADC DAC AMP
Xn,in sor standardization towards building a fully connected and
Recursive Path cohesive supply chain. With sensors as the data feeder, a
1/Z
direct consequence is the new gloss on pushed media data
D[4:0] and distinctively new interactions between human, events and
Xn,out
Random[4:0] XOR Post
devices. A promising new approach to assure real end point
Processing
Fine-SAR ADC ADCout[9:0]
security against the imminent risk of sensor and data analytic
Fig. 2. Block diagram of chaos-based TRNG of [116] attacks is to derive provenance proof from the unification of
PUF responses and biometrics or other existing data analytic
As the need for publicly auditable randomness from applications like elections and lotteries increases, so does the demand for randomness beacons. A randomness beacon is a public server that produces completely unpredictable bit strings at regular intervals. During the Crypto Week last year, a new public randomness beacon called “League of Entropy” [117] was released by the American web-infrastructure and website-security company Cloudflare. Built upon the provably secure cryptographic architecture of drand [118], this is a network of beacons run by a consortium of global organizations and individual contributors to provide publicly verifiable, decentralized random outputs. Interestingly, Cloudflare actually sources its entropy from a video of a wall of lava lamps. The unpredictable visual data of the floating blobs are converted to truly random numbers. Most recently, truly random numbers were also created from growing crystals [119].

2) PUF as Provenance Proof: A PUF utilizes intrinsic manufacturing process variations to generate a unique, unforgeable device fingerprint. A comprehensive review of PUFs can be found in [28], where different PUF structures, including the conventional delay-based or memory-based PUFs, and the emerging non-volatile memory (NVM) based PUFs, FinFET PUF, quantum secure PUF and sensor PUFs, have been surveyed. In the early stage of development, the reproducibility of PUF responses at different times and in different environmental conditions was the main practical issue limiting industrial adoption. Majority voting, fuzzy extractor and reverse fuzzy extractor are three commonly used techniques to improve the reliability of a PUF. Majority voting selects the most stable response by repeated application of the same challenge. It is a lightweight technique to enhance the reliability of a PUF at the expense of latency. A fuzzy extractor (FE) [28] increases the noise tolerance and uniformity of the PUF response by means of an error correction code (ECC) and a hash function. As ECC decoding is too expensive for resource-constrained IoT devices, it is moved from the regeneration phase at the prover (device) side to the verifier (server) side by the reverse fuzzy extractor (RFE) [120]. Instead of generating the helper data only once in the PUF enrolment phase, RFE generates helper data on site for different noisy versions of the same PUF response. While

based security measures. This approach endows PUF systems with the capability of not only identifying the device, but also (i) authenticating the users who have privileged access to the device and its data, (ii) assuring the integrity of the data it generates or acquires, and (iii) responding actively to events occurring in the surveilled area. Unlike conventional PUF designs, such interactive PUF systems are usually application- or sensor-specific, and have dedicated authentication protocols.

(i) Typical user and device authentication methods perform user and device authentication sequentially with substantial message exchange. To protect the sensitive credentials during transmission, encryption keys have to be stored in the end device, where they are vulnerable to NVM key retrieval attacks [25]. In [126], [127], a completely different concept of unified user-device (UD) PUF was proposed to distinguish different users and devices by extracting raw biometric information, like touch screen pressure or voice, along with the innate silicon sensor variations. The challenge to the UD-PUF in [126] is a series of binary coordinates that forms a pattern on the touchscreen. The response is a digital word obtained by quantizing the sequence of sensed pressure values read from an Android app when the user traces the pattern. Unfortunately, the intrinsic parametric changes contributed by device fabrication process variations are not structurally harnessed, resulting in a high identification error rate for the (same user, same challenge, different device) combination. The problem is intricate, as amplifying the parametric deviations to improve device identification will reduce the sensitivity of the user biometric, whereas noise reduction in biometric information processing will distort the device parametric distribution. Another “UD-PUF” was proposed in [128] for match-on-device applications. A strong PUF is required to generate an obfuscated biometric template by feeding the processed biometric feature into it. As a small change in the challenge will cause dramatic bit flips in the PUF response, the quantized biometric feature-based challenge has to be 100% accurate to ensure reproducibility of the template in the authentication phase. This problem is mitigated by selecting the most robust biometric feature for each individual user using noise-aware interval optimized mapping bit allocation (NA-IOMBA). As
HU et al.: AN OVERVIEW OF HARDWARE SECURITY AND TRUST: THREATS, COUNTERMEASURES AND DESIGN TOOLS 11
NA-IOMBA requires accurate noise samples/models over time for different conditions, the scheme can only generate one determinant template for a (user, device) combination. Once the template is leaked, the security of using that particular device is compromised. This dilemma is resolved by the “UDhashing” scheme in [129]. UDhashing adopts a “fuse-on-device” and “match-on-server” strategy. A machine learning (ML) resilient strong PUF [130] is preferred to prevent the reuse of authentication credentials, and to achieve cancellable biometrics and system reconfigurability. To bind a device to its user, the user's live biometric and the device PUF response are unified by random projection into a bio-code at the end device. The endpoint and the server are mutually authenticated by a zero-knowledge proof of the endpoint’s secrets. The server is authenticated by the endpoint through the hashed PUF responses, while the endpoint is authenticated by the server through the bio-codes. A correct biometric input of a user to his registered device and a correct response to a query from that device are both required to authenticate the bio-code. Neither the hashed PUF response nor the bio-code reveals the endpoint’s secrets. The bio-code can be easily revoked, reissued or refreshed by a different challenge to prevent permanent compromise of the users’ biometrics.

(ii) Similarly, PUF-assisted data-device authentication systems fill the gap left by existing data- and device-independent authentication schemes in digital forensics. Digital images and videos have been increasingly exposed as important information or art carriers. Their easy-to-access and low-cost attributes also escalate image fraudulence. Two related problems are to be solved: detection of image tampering and authentication of the imaging device. Image tampering is typically detected by image watermarking [131], digital image forensics [132] and perceptual image hashing [133], of which perceptual image hashing is the most effective in tamper detection. It is very sensitive to content-specific modifications and yet robust against normal content-preserving processing. Since such methods depend on a shared secret key for authentication, the security of the whole system will collapse if the secret key is compromised, lost or stolen. Source camera identification is mainly accomplished with ML-based methods. By analyzing the structure and processing stages of the digital camera, appropriate features representing the unique device characteristics can be algorithmically extracted with the knowledge of lens aberration, sensor imperfection, color filter array interpolation and salient image features [134]. Existing works focusing on imaging device brand identification achieve very high accuracy but fail to distinguish individual devices of the same model and brand. Identifying individual camera devices has been increasingly studied in recent years based on the photo response non-uniformity (PRNU) pattern [135], [136]. To achieve high reliability and accuracy, strict conditions on the acquisition process, on the number and content of training images, and on the geometrical synchronization of testing images have to be met. More importantly, the same approach can also be used by a malicious user to extract the device features from publicly available images. To provide dual authentication without the aforementioned shortcomings, PUF-based data-device authentication schemes have been proposed. PUF-based perceptual image hash was first conceptualized in [137] for simultaneous tamper detection and source camera identification. This work shares the same PUF reliability problem as [128], since the data features were directly applied as the challenge to the underlying PUF. Alternatively, a data-device PUF (DD PUF) with a relaxed reliability requirement was proposed in [138]. The method of [138] imprints an indelible birthmark of the camera into its captured images for forgery detection. The robust data-device hash is produced by projecting the rotation-/scaling-invariant image features onto the Bernoulli random matrix generated by the PUF responses. This hash is “keyless” and time-, data- and device-dependent. Attestation is non-repudiable, as the perceptual image hash can only be generated from the timestamp of the image captured through the camera’s tamper-resistant image sensor PUF. To achieve secure and accurate camera identification with reduced hardware overhead, the CMOS image sensor PUF [139] derived from the fixed pattern noise of individual active pixel elements is utilized in both schemes [128], [138].

(iii) Existing PUFs, including the CMOS image sensor PUF [139], are typically triggered by server-provided challenges. Since the challenges are independent of the sensing targets, it is difficult to control the attestation frequency, resulting in either redundant or inadequate security tagging. A traditional frame-based imager generates too much redundant background data, which limits its processing bandwidth in high-speed and privacy-preserving video surveillance applications. The dynamic vision sensor (DVS), also known as neuromorphic vision sensor, provides a way to design a PUF system that is capable of responding actively to incidents occurring in the surveillance scene. A DVS responds only to temporal intensity change and records only sparse asynchronous address-events with precise timing information. It has low latency, high dynamic range and significantly reduced data size. These features are exploited to make an event-driven PUF in [140]. It adds only three transistors per DVS pixel to harness the entropy from the fabrication process variability. The PUF response can only be triggered by, and is uniquely dependent on, the asynchronous address event detected in the scene, without interference from the simultaneous firing of other address events. The package of address events acquired by the DVS camera is tagged by the event-driven PUF response using a keyed Hash-based Message Authentication Code (HMAC). This is believed to be the first event-driven PUF system to fill the forensic gap of simultaneously authenticating the event data integrity and the source camera identity.

B. System and Architectural Protection Techniques

Resource sharing is inevitable as it leads to more efficient computation. Software processes share memories, datapaths, accelerators, monitors, sensors and I/O. Hardware IP cores require shared access to on-chip interconnect and memories. Yet it is a challenge for security, since any entity must consider information leakage through a shared resource, especially when computing on sensitive data. The cache side channel is a key example of this that has been exploited countless times for nefarious purposes. Resource isolation is a key security mechanism that is often difficult to implement in practice.
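Before turning to the system-level mechanisms, it is worth making the three PUF reliability techniques of Section A.2 (majority voting, fuzzy extractor, reverse fuzzy extractor) concrete. The Python below is an added example written for this page; it is not code from the survey or from [28], [120]. It assumes a repetition code as the ECC (a deliberately simple stand-in for the stronger codes used in practice), SHA-256 as the hash step, and a constructed 40-bit reference response with constructed bit-flip positions as the noise model. The point it shows is the prover/verifier split: with a plain fuzzy extractor the device XORs its noisy response with stored helper data and must decode; with the reverse fuzzy extractor the device only encodes a fresh seed against its current noisy response, and the server, which holds the enrolled response, does the decoding.

```python
import hashlib
import secrets

# Added example, not code from the survey or from [28]/[120]. The error
# correction code is a simple repetition code (my choice for illustration);
# real fuzzy extractors use stronger codes, but the enrol/regenerate flow and
# the prover/verifier split of the reverse fuzzy extractor work the same way.
R = 5  # repetition factor: corrects up to (R - 1) // 2 flips per R-bit group

def encode_repetition(seed_bits, r=R):
    """ECC encoder: each seed bit becomes r identical code bits."""
    return [b for b in seed_bits for _ in range(r)]

def decode_repetition(code_bits, r=R):
    """ECC decoder: per-group majority, so a group survives <= (r-1)//2 flips."""
    return [int(sum(code_bits[i:i + r]) > r // 2) for i in range(0, len(code_bits), r)]

def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]

def derive_key(seed_bits):
    """Hash step of the fuzzy extractor: maps the recovered seed to a uniform key."""
    as_int = int("".join(map(str, seed_bits)), 2)
    return hashlib.sha256(as_int.to_bytes((len(seed_bits) + 7) // 8, "big")).hexdigest()

def flip(bits, positions):
    """Constructed noise model: flip the listed response bit positions."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

def majority_vote(evaluate, challenge, rounds=7):
    """Majority voting: apply the same challenge 'rounds' times and keep, per bit,
    the value seen most often (reliability bought with latency)."""
    samples = [evaluate(challenge) for _ in range(rounds)]
    return [int(sum(col) > rounds // 2) for col in zip(*samples)]

def make_noisy_puf(true_response, flip_schedule):
    """Constructed PUF model: the k-th evaluation returns the true response with
    flip_schedule[k % len(flip_schedule)] bit positions flipped."""
    state = {"k": 0}
    def evaluate(_challenge):
        flips = flip_schedule[state["k"] % len(flip_schedule)]
        state["k"] += 1
        return flip(true_response, flips)
    return evaluate

# Fuzzy extractor: helper data made once at enrolment, ECC decoding on the device.
def fe_enroll(response, seed_bits):
    helper = xor_bits(response, encode_repetition(seed_bits))  # public helper data
    return helper, derive_key(seed_bits)

def fe_regenerate(noisy_response, helper):
    return derive_key(decode_repetition(xor_bits(noisy_response, helper)))

# Reverse fuzzy extractor: the device only encodes a fresh seed against its current
# noisy response; the verifier, holding the enrolled response, does the decoding.
def rfe_device_round(noisy_response, fresh_seed_bits):
    helper = xor_bits(noisy_response, encode_repetition(fresh_seed_bits))
    return helper, derive_key(fresh_seed_bits)

def rfe_verifier_round(enrolled_response, helper):
    return derive_key(decode_repetition(xor_bits(enrolled_response, helper)))

# Constructed 40-bit reference response and 8-bit enrolment seed (40 = 8 * R).
SAMPLE_RESPONSE = [int(c) for c in "1011000111010010111100101101000101101001"]
SAMPLE_SEED = [1, 0, 1, 1, 0, 0, 1, 0]

def demo():
    """FE: enrol, then regenerate from a noisy re-evaluation; RFE: one round."""
    helper, key = fe_enroll(SAMPLE_RESPONSE, SAMPLE_SEED)
    fe_ok = fe_regenerate(flip(SAMPLE_RESPONSE, [2, 9, 21]), helper) == key
    fresh = [secrets.randbits(1) for _ in range(len(SAMPLE_SEED))]
    h, dev_key = rfe_device_round(flip(SAMPLE_RESPONSE, [4, 33]), fresh)
    rfe_ok = rfe_verifier_round(SAMPLE_RESPONSE, h) == dev_key
    return {"fe_ok": fe_ok, "rfe_ok": rfe_ok}

if __name__ == "__main__":
    print(demo())
```

Two behaviours are worth observing when running it: a response with more than two flipped bits inside one five-bit group falls outside the code's capacity and yields a different key, which is exactly the reproducibility problem the text describes, and majority voting cannot repair a bit that is flipped on every evaluation, which is why it is combined with an FE rather than used alone.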
12 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. X, NO. X, MM 2021
1) Trusted Execution Environment: One common approach for software isolation is a trusted execution environment (TEE). A TEE uses hardware mechanisms to ensure that isolation properties are properly enforced. These properties, in general, enforce rules that provide a fixed set of resources for a sensitive computation, and assurances that those computations are hidden from other system users. There are a number of different TEEs. Intel’s SGX [141] uses enclaves, protected environments that contain the code and data of a security-sensitive computation. SGX performs isolation by setting aside memory for trusted computation and isolating that memory from any other access, including kernel, hypervisor and DMA accesses. ARM TrustZone [142] has two worlds. Sensitive computations are put into the secure world and are isolated from code running in the normal world.

2) Cache Side Channel Mitigations: Cache side channel mitigations attempt to minimize or eliminate information leakage by isolating secure and non-secure accesses to the cache. Cache partitioning is one class of approaches that attempts to separate the cache to avoid conflicts. Partitioning can be performed in various ways, including static locking (PLCache) [143], dynamic locking [144], page coloring [145], and selective cache flushing [146]. Randomization is another class of techniques, where cache access patterns are permuted to minimize any information leakage on conflicts, e.g., RPCache [143]. Other mitigations include DAWG [147], InvisiSpec [148], non-monopolizable caches [149], Intel Cache Allocation Technology [150], and CATalyst [151].

It is difficult to develop and implement a cache mitigation scheme. For example, Ardeshiricham et al. [152] showed that the well-known PLCache [143] mitigation was flawed, and developed a fix to the vulnerability that was formally verified to be secure. This points to the need for any mitigation to come with proof that it is correct. Property driven hardware security [20] advocates such an approach, where the threat model is formally specified as properties, e.g., SystemVerilog Assertion (SVA) assertions, information flow properties, etc., and hardware security verification tools provide assurance that the designs adhere to the specified properties.

3) Memory Protection: Many of the system and architectural threats revolve around performing proper access control on memory locations. This includes strict isolation of memory regions (e.g., non-secure processes should never read/write secure memory) and dynamic policies (e.g., a cryptographic key is written during the secure boot process and is never accessed by anyone after that). Standard memory protections rely on a memory management unit (MMU). Common protections include access control through segmentation to provide isolation, data encryption to provide confidentiality [153], and hashing to provide integrity [154]. Protecting the memory access information, along with the confidentiality and integrity of the data, is also crucial. Oblivious RAM [155] is an example approach for access pattern protection. 3D integration is a powerful technique for hardware security and can be used for memory protection [156], e.g., embedded DRAM can mitigate threats related to off-chip data accesses. Anti-tamper techniques are also widely adopted by chip makers such as Altera [157], ON Semiconductor [158] and Cypress [159] to secure key storage. The most recent nonvolatile static RAM technology based anti-tamper memory [159] can provide single or combined features of password protection, data destruction, functional destruction and physical destruction upon tampering.

4) Control Flow Integrity (CFI): Control flow integrity (CFI) defends against code reuse attacks by monitoring the program’s flow of execution and attempting to ensure that it performs the correct sequence of operations. CFI is a general class of mitigation strategies that monitor and restrict the control flow decisions that a program makes. While there are many software CFI techniques, including some deployed in practice [160], there are fewer hardware-based CFI techniques, as they generally require substantial changes to the underlying microarchitecture. Hardware CFI defenses depend on a trusted hardware monitor integrated into the instruction pipeline or with access to the processor’s debugging resources to analyze control flow information. de Clercq and Verbauwhede [161] classify CFI mitigation strategies into the following: shadow call stack, labels, tables, finite state machine, branch regulation, instruction set randomization, signature modeling, and code pointer integrity. These mitigation strategies aim to monitor execution using a limited number of resources. Their differences are reflected in the resources that they monitor, how they track execution flows, and the type and amount of stateful information that must be stored.

C. Side Channel Protection Techniques

1) Timing-channel Countermeasures: Existing countermeasures against SCA explore both software- and hardware-level approaches. A countermeasure could be detection of the attack at runtime or analysis of susceptibility during the design stage. It could also be a design approach (both software and hardware) for mitigating the covert or side channel.

Most timing channels in cryptographic implementations occur due to the difference in execution time for different key and data inputs. As key and data inputs vary, the memory access pattern, branches, and various other operations become different across multiple executions, which leads to leakage of information. Researchers have proposed constant-time techniques to eliminate such leakage. However, they are difficult to achieve through hardware-level re-implementation and may cause significant impact on performance [162]. The bitslicing technique has been explored to implement a constant-time AES core with improved performance [163].

Researchers have developed compiler-based countermeasures to thwart timing channels. These techniques focus on introducing noise or randomization in the software implementation to eliminate timing leakage. Coppens et al. [164] proposed compiler-based automatic elimination of key-dependent control flow by removing conditional move instructions.

2) Power Side-channel Countermeasures: Power SCA countermeasures can be categorized as algorithmic, physical, or system-level. Algorithmic countermeasures insert additional operations that mask [165] or split [166] the sensitive computation. They have the advantage of being provably secure. Physical countermeasures rely on measurements for validating the security of the device. The problem of measuring the side-channel leakage of a device has been addressed in [39], [41],
[167], [168]. Works like [169], [170] use custom gates that consume power independent of the gate’s switching. System-level countermeasures, such as [171]–[174], use the device’s power supply to normalize or randomize the overall power consumption. While algorithmic and system-level countermeasures require additional circuitry, physical countermeasures use custom logic design methodologies to tackle the leakage. System-level countermeasures rely on injecting noise in the power supply, which reduces the signal-to-noise ratio in the side-channel leakage [171]–[174]. The specialized circuitry required by these schemes can drastically affect the area, power and performance of the design. For example, the popular algorithmic masking scheme [175] results in over 3× performance degradation. In recent years, the need for incorporating security countermeasures in low-cost embedded hardware has motivated the emergence of efficient countermeasures like [176]–[178], where the algorithms available in the commercial EDA flows are leveraged to reduce the area and delay overheads of these countermeasures.

3) EM Side-channel Countermeasures: Both hardware- and software-level countermeasures have been proposed to thwart the EM side channel. Execution sequence randomization and randomization of LUTs have been explored as software-based methods [179], [180]. Certain pairs of instruction sequences may have distinguishing features in the EM signature that can be leveraged for the detection of security critical events [181]. Randomization of the sequence can also be useful in mitigating such leakage. Accessing critical data using pointers may raise the difficulty of extracting access pattern information through EM analysis [182]. While masking of critical variables by random values during execution has been explored, it was found less effective in mitigating the leakage [183], [184].

Minimization of metal artifacts in the chip and use of Faraday cage packaging have been suggested as hardware-level countermeasures against EM emission [24]. Since EM emission is proportional to power consumption, low-power design methodology could also be useful. Introducing asynchronous design methods using multiple clocks may raise the difficulty of analyzing the EM signature, as different parts of the design will be switching at different frequencies [24]. An analysis framework for evaluating hardware designs for EM side-channel vulnerability would be useful for early detection and integration of design-time mitigation techniques [185].

4) Fault Attack Countermeasures: Over the years, various countermeasures have been proposed for protecting digital designs against fault attacks. These countermeasures can be broadly classified as infective countermeasures and detection-based countermeasures. Detection-based countermeasures involve the addition of detection circuitry such as parity or additional copies of the design in order to detect the presence of a fault. Works such as [186]–[189] rely on parity-based circuits while [190], [191] rely on redundant circuits. Works like [65], [192] attempt to thwart a fault attack by increasing the probability of unexploitable faults. They achieve this by transforming the fault space. Infective countermeasures such as [193], [194], on the other hand, prevent the occurrence of a fault attack by making it impossible for the attacker to inject a fault. Works like [193] use a diffusion-based technique where portions of the redundant and original outputs are swapped, thereby making it harder for the attacker to identify exploitable faults. Another diffusion method is through the use of a fixed constant matrix to modify the output data [194]. Infection can also be achieved by adding dummy rounds in addition to the redundant datapath [195], [196].

However, a significant drawback of the above mentioned works is that they still require the design engineer to manually identify the vulnerable fault locations. This poses a significant challenge in larger designs. Thus, in recent years automatic identification of vulnerable locations has become an interesting area of research. With respect to fault attacks, the initial works were restricted to light-weight ciphers [197] or made strong assumptions such as restricting to bit-flip faults. Safari [198] can cater to a large class of block ciphers including add-rotate-xor (ARX) ciphers. It can comprehensively evaluate all possible fault scenarios, including those with multiple fault locations. Expfault [199] uses data mining to determine vulnerable components of a cipher. Solomon [200] is a formal verification based tool-flow that can map vulnerable regions in the specification to their corresponding gate-level or placed netlist representations. Feds [201] is a similar formal verification tool-flow that can map fault-attack vulnerable regions in the specification of a cipher to the corresponding lines in the source code for its implementation.

D. IP Protection Techniques

1) Hardware Watermarking: Hardware watermarking can be performed at electronic system level (ESL), high-level synthesis (HLS) level or logic synthesis level to protect an IP against threats such as piracy (or counterfeiting and cloning) and false claim of IP ownership. ESL- or HLS-based hardware watermarking is exemplified by the binary encoding of the author’s signature in [202]. This technique embeds the watermark in the pre-synthesis phase of HLS or behavioral synthesis in the form of additional design and timing constraints. The extra constraints encode the author’s signature into a binary bitstream of ASCII characters. The high-level description of a design is converted into a control data flow graph (CDFG). After scheduling the CDFG into control steps (CS), an interval graph (IG) is created wherein each node indicates a storage variable, and an edge between two nodes indicates the overlapping of the lifetimes of the two storage variables. Register allocation to these variables is performed by graph coloring. Each node is first assigned a unique number in increasing order of its lifetime. From the sorted list of nodes, each author signature bit is embedded as an extra edge in the IG by selecting a terminal node based on its node number. Bit ‘0’ (or ‘1’) is embedded by selecting an even (or odd) numbered terminal node. The extra constraints are thus imposed on the graph coloring problem for optimal register allocation. The strength of the authorship proof is assessed by the probabilities of coincidence (PC) and tampering (PT). PC denotes the probability of coincidentally obtaining the same register allocation to the same storage variables as the signature by using any other register allocation method. PT denotes the probability of successfully corrupting the watermark by eliminating one or more signature bits by altering the color of a node.
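The register-allocation watermarking just described, as an added example written for this page (not code from the survey or from [202]): storage variables with scheduled lifetimes form an interval graph, each ASCII bit of the author's signature becomes an extra edge to an even (bit 0) or odd (bit 1) numbered terminal node, and greedy graph coloring then allocates registers under the extra constraints. Two details the text leaves open are my assumptions: nodes are numbered by increasing lifetime start, and the k-th signature bit is hosted by node k with the lowest-numbered non-adjacent node of matching parity as its terminal. The lifetimes and the one-character signature are constructed sample input. Verification recomputes the edges from the unwatermarked graph and the claimed signature, so an allocation produced without the constraints, or one with a recolored node, fails the check.

```python
# Added example, not the survey's or [202]'s code. Assumptions (mine): node
# numbering by increasing lifetime start; signature bit k is hosted by node k
# and its terminal is the lowest-numbered non-adjacent node of matching parity.

def build_interval_graph(lifetimes):
    """lifetimes: list of (start_cs, end_cs) per storage variable.
    Nodes are renumbered in increasing order of lifetime start; an edge joins
    two variables whose lifetimes share at least one control step."""
    order = sorted(range(len(lifetimes)), key=lambda v: lifetimes[v])
    spans = [lifetimes[v] for v in order]
    adj = {i: set() for i in range(len(spans))}
    for i in range(len(spans)):
        for j in range(i + 1, len(spans)):
            (s1, e1), (s2, e2) = spans[i], spans[j]
            if s1 <= e2 and s2 <= e1:
                adj[i].add(j)
                adj[j].add(i)
    return adj, order

def signature_bits(text):
    """Author signature as a bitstream of 8-bit ASCII codes."""
    return [int(b) for ch in text for b in format(ord(ch), "08b")]

def watermark_edges(adj, bits):
    """One extra edge per signature bit: bit 0 -> even terminal node, bit 1 ->
    odd terminal node. Raises ValueError when the graph has no capacity left."""
    n = len(adj)
    live = {u: set(vs) for u, vs in adj.items()}
    extra = []
    for k, bit in enumerate(bits):
        host = k % n
        for t in range(n):
            if t != host and t % 2 == bit and t not in live[host]:
                extra.append((host, t))
                live[host].add(t)
                live[t].add(host)
                break
        else:
            raise ValueError(f"no free terminal node for signature bit {k}")
    return extra

def greedy_color(adj, extra_edges=()):
    """Register allocation by greedy graph coloring in node-number order;
    colors are registers, extra_edges are the watermark constraints."""
    full = {u: set(vs) for u, vs in adj.items()}
    for u, v in extra_edges:
        full[u].add(v)
        full[v].add(u)
    colors = {}
    for u in sorted(full):
        used = {colors[v] for v in full[u] if v in colors}
        colors[u] = next(c for c in range(len(full)) if c not in used)
    return colors

def verify_watermark(colors, adj, bits):
    """Ownership check: every signature-derived edge must be honoured by the
    allocation. Returns (all_satisfied, number_of_satisfied_bits)."""
    edges = watermark_edges(adj, bits)
    satisfied = sum(colors[u] != colors[v] for u, v in edges)
    return satisfied == len(edges), satisfied

# Constructed schedule: 12 storage variables, each live for two control steps,
# and a one-character signature (8 bits) to embed.
SAMPLE_LIFETIMES = [(i, i + 1) for i in range(12)]
SIGNATURE = "A"

def demo():
    adj, _ = build_interval_graph(SAMPLE_LIFETIMES)
    bits = signature_bits(SIGNATURE)
    plain = greedy_color(adj)                         # ordinary allocation
    marked = greedy_color(adj, watermark_edges(adj, bits))  # watermarked allocation
    return {
        "registers_plain": len(set(plain.values())),
        "registers_marked": len(set(marked.values())),
        "plain_passes": verify_watermark(plain, adj, bits)[0],
        "marked_passes": verify_watermark(marked, adj, bits)[0],
    }

if __name__ == "__main__":
    print(demo())
```

On the constructed schedule the unwatermarked allocation needs two registers and the watermarked one four, which makes the design-overhead trade-off the text raises visible; the number of satisfied signature bits returned by the verifier is the quantity that the coincidence and tampering probabilities PC and PT reason about.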
Triple phase Watermarking [16] is another HLS watermarking scheme for protecting DSP hardware accelerators. A complex author-signature is formed by seven variables, ‘γ’, ‘α’, ‘β’, ‘i’, ‘I’, ‘T’ and ‘!’, and embedded into three different phases of HLS. During the scheduling phase, on each occurrence of a ‘γ’ digit, an operation in the non-critical path with the highest mobility is moved into the next immediate CS. During the resource allocation phase, in the odd CS, on each occurrence of an ‘α’ digit, hardware resources for the odd and even operations are reallocated to type 1 and type 2 vendors, respectively; in the even CS, on each occurrence of a ‘β’ digit, hardware resources for even and odd operations are reallocated to type 1 and type 2 vendors, respectively. During the register allocation phase, on each occurrence of ‘i’, ‘I’, ‘T’ and ‘!’ digits, additional edges are added into the colored IG (CIG) to reallocate the registers to a set of storage variables. Specifically, ‘i’ is encoded as an edge between two prime nodes, ‘I’ as an edge between two even nodes, ‘T’ as an edge between a pair of odd and even nodes, and ‘!’ as an edge between node number 0 and any other integer node.

Fig. 3. Triple phase watermarking based IP protection technique.

Fig. 3 depicts the triple phase watermarking approach. Owing to the large number of signature variables embedded in three different phases of HLS, it is highly tamper-tolerant and has extremely low PC. The complex signature combination in the three embedding phases has tightly constrained the solution space, making it highly improbable to find a design of the same functionality that also fulfills the additional watermark constraints by coincidence. By embedding the watermark at the highest level of design abstraction, the IP distributed at all lower levels of abstraction will also be protected without introducing integration complexity to the traditional design flow.

Besides HLS, Kirovski et al. [203] proposed the first logic synthesis watermarking method by implanting user- and tool-specific information into a combinational circuit through technology mapping. Design constraints are generated by hashing the owner signature using SHA-256 and a pseudo-random number generator. The watermark constraints are used to select internal circuit nodes as pseudo-primary outputs to synthesize a new netlist with the minimum number of cells for a given technology library without changing the functionality of the original circuit. Instead of full technology mapping, Cui et al. [204] proposed an incremental technology mapping technique to adaptively synthesize part of the design for watermark insertion. Using a globally optimized master design, the slack sustainability of disjoint closed cones is assessed to determine their suitability as watermark hosts. The watermarked solution is generated by remapping only the selected closed cones according to the watermark constraint through incremental synthesis. As the closed cones are selected based on both slack and slack sustainability, the embedding capacity is maximized, and the watermark bits are stealthier than when hosting them in non-critical paths determined merely by absolute timing slacks.

2) Hardware Steganography: A limitation of IP watermarking is that it is arduous, and not always possible, to optimize the design-dependent signature to increase its robustness without exceeding acceptable overhead. Hardware steganography is a promising alternative to watermarking. This is due to the following reasons: a) hardware steganography provides seamless control to resolve ownership conflict and piracy detection; b) the secret stego-based hardware constraints are derived from the entropy threshold parameter instead of the combination and encoding process of signature variables. Consequently, the design overheads are reduced compared to IP watermarking. From a design perspective, modeling the relationship between signature combination and design overhead to select a robust signature is extremely difficult. Hence, it is desirable to do away with signature dependency for IP protection.

Fig. 4. Entropy based hardware steganography approach.

In [17], a vendor signature-free entropy-based hardware steganography method is proposed to protect DSP cores. This approach is depicted in Fig. 4. The secret information is embedded in the register allocation phase of HLS through the CIG framework. The stego-constraints are derived from a set of edges between node-pairs of identical colors. To add an edge between two nodes of the same color, the color of one node in the pair needs to be swapped with another node in the CIG. There are a number of possible swapping pairs corresponding to each potential edge to be embedded. An entropy value is computed for each swapping pair as an indicator of the number of color transformations needed for the swapping. The entropy value for all swapping pairs of a potential edge is computed to determine its maximum entropy. Only those edges whose maximum entropy is less than or equal to a chosen entropy threshold (Eth) are qualified to be embedded as stego-constraints. The strength of the ownership proof is also measured by PC. The difference is that a steganography technique is capable of embedding effectively a larger number of constraints than HLS based watermarking approaches. This is because it assumes no default constraint,
while some constraints corresponding to the author’s signature exist by default for watermarking approaches. All the stego-constraints corresponding to the chosen Eth are essentially embedded as the author’s secret information. The amount of implanted stego-information and the strength of the steganography can be increased by increasing Eth with negligible design overhead. Hence, this technique offers the designer more control over the digital evidence implanted into the design.

To improve the robustness of steganography, two distinct phases of HLS, viz. register allocation and functional unit (FU) vendor allocation, are leveraged for stego-constraint insertion [205]. In addition, the author’s stego-information generation involves cryptographic modules and stego-keys to enhance the protection against piracy and false ownership claims. The reasons are: (i) even if the secret constraints are compromised by an attacker, the owner has a meaningful and mathematical way to prove his constraints; (ii) the very large stego-key (more than 600 bits and scalable with the size of the IP) is only known to the owner, and such a large key cannot be cracked by brute force; (iii) the stego-mark and ownership proof are strengthened by stronger digital evidence by embedding the stego-information in two distinct phases of HLS.

The secret stego-constraints are generated using secret design data and stego-keys. The secret design data, obtained from the CIG of the target DSP application, are a set of elements where each element is represented by the indices (i, j) of a node pair (Vi, Vj) of identical colors in the CIG. A series of transformations involving row and column diffusions and cryptographic encryptions using the stego-keys are applied on the secret design data to obtain the stego-constraints in the form of a bitstream. Each bit in the stego-constraints is mapped to the hardware security constraints based on designer-specific mapping rules. Further hardware security constraints are embedded during the register allocation and FU vendor allocation phases of HLS, thereby generating a stego-embedded DSP design. This crypto-based dual phase steganography technique

A number of anti-SAT logic locking techniques were proposed to increase the number of SAT iterations required. For example, Xie et al. [18] leverage point function logic to reduce the number of wrong keys pruned by each DIP, so that the number of DIPs required exhibits an exponential relation with the obfuscation key length. However, since such anti-SAT logic obfuscation approaches generally rely on an AND-tree based point function structure, they suffer from removal attack and bypass attack [211], [212]. Several research works [213], [214] improved the obfuscation techniques to eliminate such vulnerability by adopting a corrupt-and-correct scheme, which ensures that when the point function logic is removed, the circuit would not function properly. However, a recently proposed functionality analysis on logic locking (FALL) attack combines structural and functional analyses of the obfuscated circuit followed by a SAT-based key confirmation to successfully defeat such obfuscation techniques [215].  Another solution to developing anti-SAT logic locking techniques is to increase the time for each SAT iteration by using programmable logic and routing block networks to obfuscate the routing of selected wires as well as the logic of the gates preceding and succeeding the selected wires [216].

Another branch of logic encryption is the FSM-based sequential obfuscation techniques. They involve augmenting the original FSM with additional states such that the FSM will start from a dummy state and can only reach a functional state upon receiving the correct key sequence [217]. Sequential obfuscation techniques can be breached if the FSM can be enumerated with its transition graph extracted [19].

E. Hardware Trojan Detection and Prevention Techniques

1) Pre-silicon Countermeasures: Pre-silicon HT detection techniques are designed to identify HTs in the early design phase. These techniques include switching probability analysis, structural checking and security verification.

Switching Probability Analysis based HT detection ap-
has also been applied along with structural obfuscation to be proaches are developed upon the assumption that the Trojan
discussed in the next subsection to double the line of defense trigger signal should have extremely low switching probability
for securing JPEG compression-decompression hardware used in order to prevent the HT from being frequently activated.
in medical imaging systems [206]. These methods try to identify the signals with switching ac-
3) Logic Obfuscation: Logic obfuscation is another effec- tivities significantly lower than the average through structural
tive hardware IP protection technique against illegal black- analysis or behavioral code analysis [218]–[220]. These re-
box reuse and RE. It inserts extra logic associated with search works have revealed the close connection between low
dedicated obfuscation key inputs to functionally lock the controllability or observability signals and Trojan circuitry.
design. Such design modification introduces programmability Structural Checking based HT detection methods attempt
into the design such that the circuit functions properly only to extract structural features (e.g., gate type, gate count and
upon application of the correct obfuscation key and would manners of interconnections) specific to HT designs and
otherwise malfunction. perform detection leveraging techniques such as pattern match-
Commonly used logic obfuscation techniques include ing [221]. They usually use a scoring algorithm to match such
XOR/XNOR and MUX based logic locking which can affect features against the circuit structures under test to identify
values of circuit internal nodes or the hardware information Trojan circuitry. However, these methods may indicate false
flow [207], [208]. Similarly, logic obfuscation can also be im- positives and suffer from scalability issues.
plemented by introducing programmable elements to withhold Security Verification can be used to detect certain types of
part of the logic for later configuration [209]. However, these HTs. It works by deriving formal security models for hardware
obfuscation techniques are vulnerable to powerful functional designs and prove security properties such as confidentiality
oracle-guided SAT attacks that iteratively finds distinguishing and integrity through formal approaches, e.g., SAT solving,
input patterns (DIPs) to prune the wrong keys [210]. model checking and type checking [222]–[224]. A security
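The switching-probability screen described above, as an added example (not code from the survey or from the works it cites): static 1-probabilities are propagated through a small constructed gate-level netlist that contains an 8-input AND-tree trigger, and any net whose toggle probability falls far below the circuit average is flagged. The netlist, the input-independence assumption and the 5% threshold are illustrative assumptions.

```python
"""Switching-probability screen for rarely toggling nets.

Added example, not code from the survey or from the cited works. Static
signal probabilities are propagated gate by gate under the assumption of
independent inputs (a classic COP-style estimate); a net whose toggle
probability 2*p*(1-p) is far below the circuit average is reported as a
candidate Trojan trigger. The netlist below is constructed for illustration.
"""
from typing import Dict, List, Tuple

# A gate is (output_net, gate_type, [input_nets]); the list is in topological order.
Gate = Tuple[str, str, List[str]]

# Constructed netlist: a half adder (benign) plus an 8-input AND tree whose
# output "trig" flips the sum bit, i.e. a rarely activated Trojan trigger.
INPUTS: List[str] = ["d0", "d1"] + [f"a{i}" for i in range(8)]
NETLIST: List[Gate] = [
    ("s", "XOR", ["d0", "d1"]),
    ("c", "AND", ["d0", "d1"]),
    ("t1", "AND", ["a0", "a1"]),
    ("t2", "AND", ["a2", "a3"]),
    ("t3", "AND", ["a4", "a5"]),
    ("t4", "AND", ["a6", "a7"]),
    ("t5", "AND", ["t1", "t2"]),
    ("t6", "AND", ["t3", "t4"]),
    ("trig", "AND", ["t5", "t6"]),
    ("y", "XOR", ["s", "trig"]),   # payload: corrupt the sum when triggered
]


def signal_probability(inputs: List[str], gates: List[Gate],
                       p_in: float = 0.5) -> Dict[str, float]:
    """Return P(net = 1) for every net, assuming independent primary inputs
    with P(1) = p_in and a topologically ordered gate list."""
    p: Dict[str, float] = {net: p_in for net in inputs}
    for out, kind, ins in gates:
        q = [p[n] for n in ins]          # KeyError here means bad ordering
        if kind == "AND":
            v = 1.0
            for x in q:
                v *= x
        elif kind == "OR":
            v = 1.0
            for x in q:
                v *= 1.0 - x
            v = 1.0 - v
        elif kind == "NOT":
            v = 1.0 - q[0]
        elif kind == "XOR":
            v = q[0]
            for x in q[1:]:
                v = v * (1.0 - x) + (1.0 - v) * x
        else:
            raise ValueError(f"unsupported gate type {kind}")
        p[out] = v
    return p


def switching_activity(prob: Dict[str, float]) -> Dict[str, float]:
    """Probability that a net toggles between two independent cycles."""
    return {net: 2.0 * pr * (1.0 - pr) for net, pr in prob.items()}


def suspicious_nets(inputs: List[str], gates: List[Gate],
                    ratio: float = 0.05) -> List[str]:
    """Nets whose switching activity is below `ratio` times the circuit
    average; the 5% default is an arbitrary illustrative threshold."""
    act = switching_activity(signal_probability(inputs, gates))
    mean = sum(act.values()) / len(act)
    return sorted(net for net, a in act.items() if a < ratio * mean)


if __name__ == "__main__":
    act = switching_activity(signal_probability(INPUTS, NETLIST))
    for net in ("d0", "t1", "t5", "trig", "y"):
        print(f"{net:5s} activity={act[net]:.5f}")
    print("suspicious:", suspicious_nets(INPUTS, NETLIST))
```

Only the AND-tree output is flagged; the payload XOR net keeps a normal activity, which is why such screens locate triggers rather than payloads.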
A security property violation indicates the existence of an unintentional design flaw or an intended malicious design modification. However, formal verification typically has scalability problems and usually only works for detecting HTs at the IP level.

2) Post-silicon Countermeasures: Post-silicon HT detection methods check for malicious design modifications after chip fabrication. Destructive RE, which involves de-packaging and delayering the ICs and extracting the circuit structure from layout images, is a common approach for post-silicon HT detection. However, this costly and time-consuming process may fail when the HT is only inserted into a small number of chips. On the contrary, non-destructive methods, including functional testing and SCA, are generally considered more viable in practice.

Functional testing aims to activate the rarely triggered Trojan circuitry and propagate its effect to an observable point. A major research vector is how to generate test vectors that can excite each rarely switching node in a circuit. Statistical approaches have provided one possible solution [225], while another attempt is guided tests against HTs in critical portions of the design [226].

SCA based methods detect HTs by analyzing physical IC parameters such as power consumption [227], path delay [228] and chip emissions [229], [230]. The major challenges with these methods lie in the lack of a golden chip and the effect of process variation on side-channel measurements. To improve HT detection sensitivity, researchers exploit multiple side-channel parameters [231] or combine logic testing and SCA for directed pattern generation [232]. There are also efforts in developing "golden-free" solutions by estimating the golden signature through simulation [233] or comparing the signatures collected at different time windows [234].

3) Design-for-Trust (DFS) Techniques: DFS techniques insert dedicated logic to facilitate HT detection. Some techniques add dummy flip-flops and test points to improve the controllability and observability of internal nodes and thus accelerate the Trojan activation process [235]. Another type of DFS technique inserts circuit infrastructure such as ring oscillators [236] and current sensors [237] to facilitate production screening and on-site monitoring of HT-infected chips, or to favor SCA-based HT detection. DFS techniques can also be applied to make HT insertion more difficult while making detection easier, as demonstrated in [238].

4) Runtime Monitoring Techniques: Due to the NP-completeness of several testing problems (e.g., controllability, observability and ATPG), it is impossible to guarantee that HTs can be completely eliminated before device deployment. Thus, it is desirable to employ runtime monitoring techniques to detect and prevent HT attacks in security critical systems. This can be done by monitoring critical signals [239], dynamic power [240] or EM radiation [241], and even through a hardware-assisted formal approach [223].

5) 3PIP Trojan Detection: The majority of HT detection methods use Trojan benchmarks for evaluating their effectiveness. The task of detecting unknown HTs in 3PIP is more challenging due to the lack of knowledge about the Trojan implementation. Coverage of functional testing, locality of switching probability analysis and noise from process variation add difficulty to this process. Functional [242], [243] and security verification [224], [244]–[248] techniques are promising, with detection rate dependent on the quality of the properties. Unfortunately, specifying the right property for Trojan detection is a non-trivial task for 3PIP. Techniques for identifying HTs by matching the design structural [249] or control data flow [250] features to existing templates are reliable provided that the features of the Trojans are included in the feature library. New HTs that have not yet been reported may evade detection. Techniques that deploy on-chip monitors can still protect critical security assets from malicious activities triggered by unknown HTs [251], but full chip protection is infeasible due to the high design overheads.

6) HT Prevention Techniques: HT prevention techniques aim to make HT insertion more difficult or ideally impossible. Logic obfuscation, split manufacturing and structural obfuscation are three common Trojan prevention techniques.

Logic obfuscation techniques, initially proposed for IP protection, can also be leveraged as an HT prevention approach. Without the correct key, the functionality of the obfuscated circuit is locked to the untrusted foundry. This renders HT insertion a difficult task [252], [253].

Split Manufacturing can also help to prevent malicious design modification. It separates a design layout into Front End of Line (FEOL) and Back End of Line (BEOL) portions, which will be fabricated by trusted and untrusted foundries respectively. Without information about the BEOL portion, it is difficult for the untrusted foundry to embed a useful HT [254].

Structural Obfuscation transforms the design structure in order to hide its functionality and make the structure non-obvious/non-interpretable by an adversary. This renders RE harder, which thwarts malicious component/Trojan insertion. By considering the trade-off between design metrics such as area, delay and power during high-level transformations (HLTs), Lao and Parhi [255] obfuscated DSP circuits with huge structural alterations against RE and HT attacks without compromising their original functionality.

Hierarchical contiguous folding (HCF) is used to fold X cascaded stages into one hardware module, and N operations inside one stage into a hardware FU. All operations of one stage are performed before the next stage of operations. Different modes can be implemented by varying the number of stages in the cascaded structure. Some modes produce functionally invalid outputs but are otherwise meaningful from a signal processing perspective. Other modes produce non-meaningful outputs. The many meaningful and non-meaningful modes are regulated through configured data. The functional mode of a DSP design is activated by applying a valid key to an FSM. If an invalid key or wrong configured data is applied, the different modes result in many equivalent circuits that obscure the DSP design structure.

Compiler based HLTs [256] are an alternative approach that targets mainly loop-based DSP applications to achieve structural obfuscation. The exploitable HLTs include redundant operation elimination (ROE) by eliminating nodes in the CDFG with matching inputs and operation type, logic transformation by altering some operation types in the CDFG without changing the functionality, tree height transformation (THT) by parallelizing
some sequential operations, loop unrolling by unrolling the loop body to reduce latency, and loop invariant code motion by moving non-iterative operations out of the loop. The aforementioned compiler-based techniques considerably transform the CDFG and alter the RTL datapath of the DSP application post-HLS. The latter alteration includes changes in the size and number of MUXes and DeMUXes, changes in the interconnectivity of FUs with MUXes and DeMUXes, changes in the number of storage elements (registers), etc. By integrating a particle swarm optimization based design space exploration (PSO-DSE) framework with the HLS process [256], the transformed/obfuscated graph can be scheduled with the optimal resource constraints, which minimizes the cost of the structurally obfuscated design. THT based [257] and hybrid transformation based [258] structural obfuscations are also applied to protect JPEG codec hardware accelerators and fault-secured DSP designs, respectively.

F. ML-assisted Solutions

Defenses against hardware security threats leveraging ML are mainly twofold:

1) ML for Detection: IC counterfeiting and HTs are two emerging threats to the IC manufacturing industry. In both cases, defective or malicious entities are injected as part of the system. Traditional inspection methods can be either very time-consuming or ineffective. As a result, ML models are used to automate the inspection procedure. Parametric measurements collected from on-chip sensors can be analyzed and classified using support vector machines (SVMs) to identify recycled ICs [259]. SVMs can also be utilized for real-time HT detection [14]. Additionally, various ML models such as SVM, random forest and multi-layer perceptron (MLP) have been applied to counter micro-architectural SCAs [15].

2) ML for Robust Architecture Design: Systems with robust designs stay ahead of security threats. Various designs attempt to combine ML and system characteristics. Yang et al. [102] leverage the memristor's obsolescence effect to design a secure neuromorphic computing system. Shan et al. [260] propose a machine learning assisted power compensation circuit that enhances SCA resistance with a smaller area and lower power overhead compared to traditional methods.

G. Countermeasures Against DNN Attacks

Most countermeasures against adversarial attacks on DNNs can be dichotomized into proactive and reactive categories. The former intends to improve model robustness while the latter aims to detect adversarial inputs.

1) Proactive Measures: Proactive measures are carried out offline by three methods. Adversarial training retrains the model with off-the-shelf adversarial examples added into the original training dataset. Apart from the cost of crafting malicious images with known techniques, it is also limited by the assumption that the attacker is restricted to techniques that are known to the defender. Gradient Masking hides the gradient information from the adversaries. One example is to extract the probability vectors of a pre-trained model as soft labels to build a distilled model with the same architecture [261]. Input Transformation inhibits the adversarial effect by linear dimensionality reduction. In [262], principal component analysis is used to project the original data to the training data. Instead of building a fresh model specialized for the projected inputs, MagNet [263] reconstructs the inputs using autoencoders trained beforehand with sufficient clean examples to move the tampered images towards the legitimate distribution. Hardware-oriented countermeasures have also been proposed to increase the robustness of DNN models. Defensive Quantization protects neural networks against adversarial attacks by controlling the Lipschitz constant of the network during quantization [264]. The hardware efficiency for small bitwidth data is still preserved.

2) Reactive Measures: Instead of passively regularizing model parameters in a black-box setting, reactive methods detect adversarial inputs for follow-up actions. These methods can be divided into three main types: sample statistics, detector training and prediction inconsistency. Sample Statistics use features, such as density estimates calculated from the activations of the last hidden layer and Bayesian uncertainty extracted directly from the dropout layer, to detect illegitimate points lying far from or near the natural data manifold [265]. Nixon et al. [266] utilize the sensor pattern noise (SPN) of the device for adversarial example detection. The SPN Dash system, shown in Fig. 5, is introduced before the classification phase to detect adversarial perturbations after the image compression and submission stage. In Fig. 5, Ienc, SPNcur and SPNdev denote an input image after the image compression stage, the SPN of the currently submitted Ienc and a reference SPN for a specific device, respectively. The main constraints on the generalization of this method are the susceptibility of the SPN detector and the device-dependent estimation accuracy. Detector Training augments the DNN with subnetworks that act as adversarial input detectors [267]. The additional module is trained, with the parameters of the original model frozen, to perform binary classification between clean and adversarial inputs. This defense requires massive numbers of adversarial examples for training, and is prone to over-generalization of adversarial attacks. Prediction Inconsistency uses the degree of consensus among multiple models for the prediction of adversarial attacks. Wang et al. [268] integrate mutation and statistical hypothesis testing into the detection algorithm. As adversarial images are more sensitive to model mutants than clean images, the label change rate (LCR) is defined to assess the mutation sensitivity of DNN mutants. Statistical hypothesis testing is then applied to determine the cleanliness of the input based on its LCR. Cognizant of the greater freedom for adversarial abuse offered by an unnecessarily large feature space, Xu et al. [269] determine whether an input is benign or adversarial by comparing the classification results of the initial and squeezed inputs against a predetermined threshold.

3) Other Hardware-oriented Measures: DNN models are typically implemented on GPU and application-specific accelerator platforms. The former has greater agility while the latter is more energy efficient. It is common to have the model training performed on GPUs with the inference executed in dedicated DNN accelerators. Thus, it is important to port
defense algorithms into DNN accelerators to secure embedded intelligence. Most of the aforementioned countermeasures, which target single-precision floating-point DNN implementations on GPU platforms, may not have considered the effects of fixed-point arithmetic and quantization on hardware-accelerated DNNs. Although truncated models have been used for the evaluation of the countermeasures proposed in [270] and [271], they are simulated under the GPU environment without being physically integrated into the accelerator. Rouhani et al. [272] proposed the first end-to-end hardware accelerated detection framework that falls under the category of sample statistics. It exploits the possible adversarial sub-spaces spanned by the intermediate output feature maps through Modular Robust Redundancy that architecturally mirrors the victim DNN model. An automated customization tool has also been developed for different resource-constrained platforms while maximizing the effectiveness of the defense. However, this defense was only tested on small scale classification. The complexity of the detection algorithm may increase substantially with more complex DNN models for large scale classification. To address this cost and performance trade-off, DNNGuard [273] is proposed. It is an elastic heterogeneous DNN accelerator architecture that enables simultaneous execution of the victim network and the detection network. It is also scalable to the implementation of various existing detection algorithms. Unfortunately, DNNGuard was also evaluated by simulation instead of physical implementation.

[Fig. 5. SPN Dash framework [266]. Flowchart: Submitted Ienc; Extract SPNcur; SPNdev available? (N: Add SPNcur to database; Enough samples?; Y: Estimate SPNdev); Y: Compute similarity metric; Above threshold?; then either Discard or filter Ienc, or Ienc to classification.]

V. HARDWARE SECURITY TOOLS

A. Security Verification Tools

Security verification tools for hardware/software systems have been surveyed in [30]. We summarize a few projects from the hardware side and also present some recent advances.

1) Academia Tools: One of the earliest hardware security verification tools was developed by the gate level information flow tracking (GLIFT) [274] project. It establishes the fundamental theories of hardware information flow tracking (IFT) by providing tracking logic formalization [275], [276] and complexity theories [277]. GLIFT has been employed to prove strong isolation in computer architecture [278], identify timing channels [47] and detect HTs [224]. The GLIFT project has evolved to higher level IFT methods such as register-transfer level IFT (RTLIFT) [279] due to the verification performance bottlenecks at the gate level.

Similar to GLIFT, RTLIFT [279], Clepsydra [280] and VeriSketch [152] are a set of secure hardware design tools that employ fine-granularity security labels and label propagation policies to measure the flow of information, but target RTL Verilog designs. RTLIFT has observed a ∼5X improvement in verification performance as compared to GLIFT. Clepsydra provides a formal model for timing-only information flow and allows proving constant time properties in order to detect timing channels in caches and cryptographic cores. VeriSketch employs the sketch technique to automatically synthesize hardware designs that satisfy desired security properties such as confidentiality, integrity and constant time. Like GLIFT, the information flow security models developed by these projects are described in standard HDL while the security assertions are written in standard property specification languages, e.g., SVA. This allows hardware security verification to be performed under standard EDA verification environments.

The PCH-IP and VeriCoq projects provide several tools for verifying IP security and trust [245]–[247]. These tools define rules for converting RTL Verilog designs to Coq¹ semantic circuit models. They use the Coq theorem prover to formally verify confidentiality properties on the Coq circuit models in order to detect malicious design modifications. VeriCoq [245] has recently been extended to the transistor level to verify the security of analog/mixed-signal designs and detect analog HTs [281]. However, these projects tend to employ conservative rules to model information flow security behaviors, which can lead to false alarms in security verification.

SecVerilog [282] is an open source hardware security tool for proving timing non-interference [283] and eliminating timing channels in RTL designs. It incorporates a type system into Verilog and a timing label to verify information flow security at compile time. Timing non-interference is enforced by checking type rules. The SecVerilog tool has been extended to support mutable dependent types to solve the implicit downgrading problem [284], and to the Chisel HDL. SecChisel [285] can be used to create secure architectures, synthesize secure cryptographic accelerators and capture information leaks caused by hardware security flaws, timing channels and HTs through type checking.

2) Commercial Tools: EDA and hardware security companies have also released several secure hardware design tools. Mentor Graphics SecureCheck is a security path verification tool running on top of the Questa Formal verification engine [286]. It uses assertion based formal verification to prove confidentiality and integrity properties in order to identify risky paths that will lead to security property violations.

JasperGold Security Path Verification [287] is a hardware security formal verification tool from Cadence. The tool runs on top of the JasperGold Formal Verification Platform.

¹ An interactive theorem prover named after its principal developer, Thierry Coquand.
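The GLIFT tracking-logic formalization referred to above, as an added example that is not code from the survey or the GLIFT project: precise per-gate taint rules are applied to a constructed 2:1 mux netlist and compared, over all input vectors, both with ground truth (does flipping the secret change the output?) and with a conservative any-tainted-input rule of the kind that produces false alarms in verification. The netlist, the gate-list format and the helper names are assumptions.

```python
"""Gate-level information flow tracking (GLIFT) shadow logic.

Added example, not code from the survey or from the GLIFT project. Every net
carries a value bit and a taint bit (1 = depends on the secret). The precise
rules let taint pass a gate only when a tainted input can actually change the
output for the present input values; the conservative rule (any tainted input
taints the output) is kept for comparison, because such over-approximation is
what produces false alarms in security verification. The mux netlist and the
exhaustive check are constructed for illustration.
"""
from itertools import product
from typing import Dict, List, Tuple

Gate = Tuple[str, str, List[str]]  # (output_net, gate_type, input_nets)

# Constructed circuit: out = sel ? key : data, built from NOT/AND/OR gates.
INPUTS: List[str] = ["sel", "data", "key"]
MUX: List[Gate] = [
    ("nsel", "NOT", ["sel"]),
    ("a1", "AND", ["sel", "key"]),
    ("a2", "AND", ["nsel", "data"]),
    ("out", "OR", ["a1", "a2"]),
]


def gate_value(kind: str, ins: List[int]) -> int:
    if kind == "AND":
        return int(all(ins))
    if kind == "OR":
        return int(any(ins))
    if kind == "XOR":
        return sum(ins) & 1
    if kind == "NOT":
        return 1 - ins[0]
    raise ValueError(f"unsupported gate type {kind}")


def gate_taint(kind: str, vals: List[int], taints: List[int],
               conservative: bool = False) -> int:
    """Tracking logic for one gate (AND/OR are two-input here)."""
    if conservative or kind in ("NOT", "XOR"):
        # NOT/XOR: every input always affects the output, so OR-ing taints is exact.
        return int(any(taints))
    (a, b), (at, bt) = vals, taints
    if kind == "AND":
        # a tainted input matters only if the other input is 1 (or tainted too)
        return (at & bt) | (at & b) | (bt & a)
    if kind == "OR":
        # a tainted input matters only if the other input is 0 (or tainted too)
        return (at & bt) | (at & (1 - b)) | (bt & (1 - a))
    raise ValueError(f"unsupported gate type {kind}")


def simulate(gates: List[Gate], values: Dict[str, int], taints: Dict[str, int],
             conservative: bool = False) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Evaluate value and taint of every net; gates must be in topological order."""
    v: Dict[str, int] = dict(values)
    t: Dict[str, int] = dict(taints)
    for out, kind, ins in gates:
        v[out] = gate_value(kind, [v[n] for n in ins])
        t[out] = gate_taint(kind, [v[n] for n in ins], [t[n] for n in ins], conservative)
    return v, t


def check_tracking(inputs: List[str], gates: List[Gate], secret: str,
                   out: str) -> Dict[str, Tuple[int, int]]:
    """Compare the tracked taint on `out` with ground truth (does flipping the
    secret input change the output?) over all input vectors. Returns
    {"precise": (false_alarms, misses), "conservative": (...)}. A miss would
    mean unsound tracking; false alarms mean over-approximation. Note that
    reconvergent fanout of a tainted net can still make the precise rules
    over-approximate on other circuits; this mux has none."""
    results: Dict[str, Tuple[int, int]] = {}
    for conservative in (False, True):
        false_alarms = misses = 0
        for bits in product((0, 1), repeat=len(inputs)):
            vals = dict(zip(inputs, bits))
            taints = {n: int(n == secret) for n in inputs}
            v, t = simulate(gates, vals, taints, conservative)
            flipped = dict(vals)
            flipped[secret] ^= 1
            v2, _ = simulate(gates, flipped, taints, conservative)
            truth = int(v[out] != v2[out])
            false_alarms += int(t[out] and not truth)
            misses += int(truth and not t[out])
        results["conservative" if conservative else "precise"] = (false_alarms, misses)
    return results


if __name__ == "__main__":
    # The precise rules report a key-to-out flow only when sel = 1; the
    # conservative rules flag all eight input vectors, four of them falsely.
    print(check_tracking(INPUTS, MUX, "key", "out"))
```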
It employs sensitivity analysis to model the flow of information in SoC designs and identify insecure design paths that can lead to tampering with or leakage of critical information [288].

Prospect is a hardware security formal verification tool from Tortuga Logic. It uses GLIFT [274] to generate logic that tracks information flow through the circuit. That logic can then be analyzed by any functional verification tool to prove security properties [277]. The IFT logic is used solely for design time verification; no additional logic is added to the final circuit. Radix-S [289] and Radix-M [290] are another two hardware security tools from Tortuga Logic. Radix-S performs IFT based hardware security simulation while Radix-M performs hardware security emulation. Emulation allows for the verification of system properties across the entire SoC. Furthermore, it enables verification of properties that span across software, firmware, and hardware interactions, i.e., the "HardFails" [291].

Synopsys focuses more on reliability and functional safety verification. CustomSim [292] is a tool set for device-level and interconnect reliability analysis, including IR drop, current density and electromigration, and device aging. The VC Functional Safety Manager [293] performs failure modes and effects analysis, unified fault campaign management, and annotation and calculation of metrics for failure modes, effects and diagnostic analysis.

B. Security Driven Hardware Design Tools

There is a recent move towards developing security driven hardware design tools. DARPA has recently launched the SSITH and AISS projects. Both aim to develop secure hardware design tools that allow security to be evaluated along with traditional design parameters.

Urdahl et al. [294] propose a property-driven design flow. Abstract properties are specified at the system level and refined along the design process in order to provide a formal relationship between an abstract system model and its concrete implementation at the RTL. In a property driven solution to hardware security [20], a high-level security specification is translated to lower level security policies, properties, assertions and constraints in order to allow security to be formally verified on more concrete design models. This is demonstrated by a property specific approach to information flow security verification [295]. Ma et al. [296] present a security-driven placement tool for EM side channel protection. The idea is to create an EM leakage model and use this model to guide data-dependent register reallocation. Takarabt et al. [297] propose a pre-silicon evaluation methodology and tool that allow security verification to be run side by side with functional verification. The tool identifies vulnerabilities and the precise line of code where the vulnerability lies, with additional characterization such as severity. Recent advances are also witnessed in security-driven metrics, models and computer-aided design (CAD) flows that integrate logic encryption, split manufacturing and camouflaging for secure hardware design [298], [299].

In [21], it is argued that security should be taken as an architectural design constraint in addition to time, space and power. This motivates a security-aware design flow starting from the choice of security primitives, protocols and architecture. Knechtel et al. [22] provide a comprehensive analysis of the role of EDA in hardware security. They identify the challenges yet to be resolved in effective compilation of security assumptions and constraints across different levels of abstraction, modeling and evaluation of hardware security metrics, and holistic synthesis of security countermeasures without causing side-effects.

VI. POTENTIAL RESEARCH DIRECTIONS

A. System and Architecture Security

System designers are constantly trying to balance the delicate tradeoff between performance, power, and area. They must now add security as another optimization criterion! Unfortunately, measuring "security" is a challenging but crucial aspect of hardware design. Security metrics are essential for any sort of vulnerability analysis, threat mitigation, and security verification. An ideal metric provides a precise measure of the severity of the threat. Security is a multifaceted notion covering a wide range of threat models. Therefore, it is unlikely that one metric can cover all threat models. Thus, we need different metrics to understand the various threats. Metrics that can combine multiple different threat models and can model a high dimension space are valuable. Metrics that provide relative comparisons between different design options are also extremely useful in making architectural design decisions [41]. IFT is a powerful and one of the most popular metrics for hardware security verification, but it enforces binary properties (flow or no flow); quantitative IFT helps provide some finer resolution for security threat modeling [300].

Debugging is another important but overlooked aspect of hardware security. This is particularly challenging at the system and architectural level due to the complexity of the design and the interactions with many disparate software and hardware components. When verification uncovers a security vulnerability, as it inevitably will, designers require techniques to help localize the source of this vulnerability and suggestions on how to redesign the system to mitigate the vulnerability. This is particularly important for vulnerabilities that involve both hardware and software.

B. IoT and Cyber-physical (CPS) Security

Security of IoT and CPS is becoming increasingly important. This is due to: (1) these systems interact with the physical world, and hence security issues in these systems may lead to major safety concerns; and (2) these systems are designed and manufactured under tight cost and time constraints, which typically do not allow them to go through a rigorous security design and verification process. Generally, these systems include a hardware layer that consists of sensors and actuators, electronic components for communication, control and information processing, and a software stack. The hardware layer serves as the root of trust for the entire system. Manufacturers of these systems often use commercial off-the-shelf (COTS) components for the hardware layer and many open-source software modules in the software stack due to the cost/time constraints. Moreover, these systems tend
to incorporate ‘smartness’ through integration of various AI techniques that enable them to act autonomously as well as adapt to an operating environment.

Due to their distinctive properties, these systems will require significant re-thinking in how security solutions – both design and verification – can be effectively integrated into them. Specific research directions will include: (1) systematic integration of security in IoT/CPS that considers the varying requirements of the target applications (e.g., power, performance, cost), with a focus on automatic design/verification tools that enable trade-offs between security and other design parameters; (2) security of the sensor/actuator subsystem; (3) security of the COTS components, since they come through an untrusted supply chain and are thus subject to counterfeiting and various tampering attacks; and (4) security of the AI and ML techniques employed in these systems. Additionally, there will be an increasing need for quantifying the security of these systems through the development of appropriate, easy-to-use and easy-to-understand metrics.

C. ML for Hardware Security and Security of ML

ML models can be used to launch or defend attacks against hardware entities. Current ML-assisted countermeasures rely mostly on preliminary models such as SVMs, possibly due to the scale of the problem and limited training data. As attacks are continuously being developed, more complex ML models such as DNNs may emerge because of their prowess in data processing, which in turn requires a large amount of training data. Therefore, unsupervised learning can be a potential key to the problem, as labeled data are usually much more valuable than unlabeled raw data. Furthermore, more effort is needed to direct ML-assisted methodologies towards robust architecture design rather than anomaly detection, since in the latter case the damage has already been done by the time it is detected.

Conversely, AI hardware is itself vulnerable. Although practical constraints such as limited accessibility and custom hardware optimization can reduce the success rate of adversarial attacks, reverse engineering (RE) and the potential exploitation of backdoors or flaws through access to deployed hardware and unreliable IC design supply chains remain valid threats. Existing detection-based countermeasures mostly focus on the software level using off-line analyses, which are often too late for remedy, especially in real-time safety-critical applications. More research effort is desired in built-in resilience against adversarial examples and in protection of hardware DNNs against theft of the confidential trained model through queries or side channels, without compromising efficiency and accuracy. Modern primitives for securing hardware, such as PUFs, obfuscation and metering, may be embedded into deep learning hardware to help monitor or control access to sensitive assets. However, without considering the intrinsic weaknesses of the DNN implementation, the overhead and performance penalty may be unacceptable. It boils down to having a hardware-supported solution that takes the unique attributes of DNNs into account at design time for system-level defense. Another challenge is the evaluation of the protection measures on large-scale datasets and complex models. More attention needs to be paid to the scalability of defense methodologies. Unfortunately, the opaque nature of deep learning has worsened the defender’s situation. This calls for a learning paradigm shift from data-driven to knowledge-driven for explainability enhancement. Explainability is the ability to provide reasons for a specific decision derived by the AI. It can be evaluated by interpretability and completeness. Interpretability aims at describing inner operations in a simpler way, while completeness measures the level of preciseness of an explanation. The dilemma is that a highly interpretable system is usually weak in prediction, whereas a precise description is often hardly understandable. The tremendous amount of computation involved in deep learning has made it harder to provide explanations for its decisions. The core of explainability enhancement is therefore to reduce the operational complexity of the target DNN by, for instance, constructing a saliency map to underline the most influential operations.

D. Security-driven EDA

The state-of-the-art EDA flow takes functional correctness and performance budgets as primary design constraints. Incorporating security as an additional dimension of the hardware design space and enabling security properties to be evaluated along with traditional design parameters is a promising yet challenging research direction for both the hardware security and EDA communities. We need to develop more standardized hardware security models to allow security properties to be mapped and verified across different levels of abstraction. In addition, we need to derive effective security metrics to measure security as a quantifiable design variable.

VII. CONCLUSION

Hardware security involves multiple levels of abstraction in the computing system stack. In view of the enormously broad focus and attractiveness of this field, it is not possible to comprehensively survey the voluminous publications and the multidisciplinary and vast diversity of problems and solutions in one paper. In this paper, we surveyed and discussed the recent advances in selected sub-fields of hardware security. Specifically, we presented attacks and countermeasures on secure architectures, IP components and DNN models, as well as the design and niche applications of two popular hardware-intrinsic security primitives. We also outlined recent efforts in developing security-driven hardware design tools. Hardware attacks and countermeasures are rapidly evolving. It is not surprising that a different shortest stave of the barrel, i.e., a new weakest link, can be identified with each major change in processor architectures and computing technologies. We believe that the rally between hardware attack and defense will remain a vibrant presence for a long time. It is therefore our aim that this review will alert hardware designers and tool developers to pay additional attention to significant security gaps not addressable by traditional hardware design and verification methodologies.

REFERENCES

[1] Bits, Please, “Extracting Qualcomm’s keymaster keys - Breaking Android full disk encryption,” 2016, [Online]. Available: http://bits-please.blogspot.com/2016/06/extracting-qualcomms-keymaster-keys.html.
[2] P. Kocher, D. Genkin, D. Gruss, W. Haas, M. Hamburg, M. Lipp, S. Mangard, T. Prescher, M. Schwarz, and Y. Yarom, “Spectre attacks: Exploiting speculative execution,” ArXiv e-prints, 2018.
[3] M. Lipp, M. Schwarz, D. Gruss, T. Prescher, W. Haas, S. Mangard, P. Kocher, D. Genkin, Y. Yarom, and M. Hamburg, “Meltdown,” ArXiv e-prints, 2018.
[4] J. Szefer, “Survey of microarchitectural side and covert channels, attacks, and defenses,” Journal of Hardware and Systems Security, vol. 3, no. 3, pp. 219–234, 2019.
[5] O. Choudary and M. G. Kuhn, “Template attacks on different devices,” in International Workshop on Constructive Side-Channel Analysis and Secure Design. Springer, Aug. 2014, pp. 179–198.
[6] F. Schellenberg, D. R. E. Gnad, A. Moradi, and M. B. Tahoori, “An inside job: Remote power analysis attacks on FPGAs,” in Des. Autom. Test Europe Conf. Exhib. (DATE), Mar. 2018, pp. 1111–1116.
[7] A. Tang, S. Sethumadhavan, and S. Stolfo, “CLKSCREW: Exposing the perils of security-oblivious energy management,” in USENIX Security Symposium (USENIX Security), Aug. 2017, pp. 1057–1074.
[8] N. Fern, S. Kulkarni, and K. T. T. Cheng, “Hardware Trojans hidden in RTL don’t cares - automated insertion and prevention methodologies,” in IEEE Int. Test Conf. (ITC), Oct. 2015, pp. 1–8.
[9] K. Yang, M. Hicks, Q. Dong, T. Austin, and D. Sylvester, “A2: Analog malicious hardware,” in IEEE Symp. on Sec. and Priv. (SP), May 2016, pp. 18–37.
[10] Y. Liu, Y. Jin, A. Nosratinia, and Y. Makris, “Silicon demonstration of hardware Trojan design and detection in wireless cryptographic ICs,” IEEE Trans. VLSI Syst., vol. 25, no. 4, pp. 1506–1519, 2017.
[11] M. Zhao and G. E. Suh, “FPGA-based remote power side-channel attacks,” in IEEE Symp. on Sec. and Priv. (SP), May 2018, pp. 229–244.
[12] J. V. Bulck, M. Minkin, O. Weisse, D. Genkin, B. Kasikci, F. Piessens, M. Silberstein, T. F. Wenisch, Y. Yarom, and R. Strackx, “Foreshadow: Extracting the keys to the Intel SGX kingdom with transient out-of-order execution,” in USENIX Security Symposium. Baltimore, MD: USENIX Association, Aug. 2018, pp. 991–1008.
[13] W. Hu, Y. Ma, X. Wang, and X. Wang, “Leveraging unspecified functionality in obfuscated hardware for Trojan and fault attacks,” in Asian Hardware Oriented Security and Trust Symposium, Xi’an, China, Dec. 2019, pp. 1–6.
[14] A. Kulkarni, Y. Pino, and T. Mohsenin, “SVM-based real-time hardware Trojan detection for many-core platform,” in Int. Symp. on Quality Electronic Design. IEEE, Mar. 2016, pp. 362–367.
[15] M. Alam, S. Bhattacharya, D. Mukhopadhyay, and S. Bhattacharya, “Performance counters to rescue: A machine learning based safeguard against micro-architectural side-channel-attacks,” IACR Cryptology ePrint Archive, vol. 2017, p. 564, 2017.
[16] A. Sengupta, D. Roy, and S. P. Mohanty, “Triple-phase watermarking for reusable IP core protection during architecture synthesis,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 37, no. 4, pp. 742–755, 2018.
[17] A. Sengupta and M. Rathor, “IP core steganography for protecting DSP kernels used in CE systems,” IEEE Trans. Consum. Electron., vol. 65, no. 4, pp. 506–515, 2019.
[18] Y. Xie and A. Srivastava, “Anti-SAT: Mitigating SAT attack on logic locking,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 38, no. 2, pp. 199–207, 2019.
[19] T. Meade, Z. Zhao, S. Zhang, D. Pan, and Y. Jin, “Revisit sequential logic obfuscation: Attacks and defenses,” in IEEE Symp. On Cir. and Syst. (ISCAS), 2017, pp. 1–4.
[20] W. Hu, A. Althoff, A. Ardeshiricham, and R. Kastner, “Towards property driven hardware security,” in International Workshop on Microprocessor and SOC Test and Verification (MTV), 2016, pp. 51–56.
[21] P. Ravi, Z. Najm, S. Bhasin, M. Khairallah, S. S. Gupta, and A. Chattopadhyay, “Security is an architectural design constraint,” Microprocessors and Microsystems, vol. 68, pp. 17–27, 2019.
[22] J. Knechtel, E. B. Kavun, F. Regazzoni, A. Heuser, A. Chattopadhyay, D. Mukhopadhyay, S. Dey, Y. Fei, Y. Belenky, I. Levi, T. Güneysu, P. Schaumont, and I. Polian, “Towards secure composition of integrated circuits and electronic systems: On the role of EDA,” in Des. Autom. Test Europe Conf. Exhib. (DATE), Mar. 2020, pp. 508–513.
[23] Y. Lyu and P. Mishra, “A survey of side-channel attacks on caches and countermeasures,” Journal of Hardware and Systems Security, vol. 2, no. 1, pp. 33–50, 2018.
[24] A. Sayakkara, N.-A. Le-Khac, and M. Scanlon, “A survey of electromagnetic side-channel attacks and discussion on their case-progressing potential for digital forensics,” Digital Investigation, 2019.
[25] S. E. Quadir, J. Chen, D. Forte, N. Asadizanjani, S. Shahbazmohamadi, L. Wang, J. Chandy, and M. Tehranipoor, “A survey on chip to system reverse engineering,” J. Emerg. Technol. Comput. Syst., vol. 13, no. 1, 2016.
[26] S. Bhunia, M. S. Hsiao, M. Banga, and S. Narasimhan, “Hardware Trojan attacks: Threat analysis and countermeasures,” Proc. IEEE, vol. 102, no. 8, pp. 1229–1247, 2014.
[27] K. Xiao, D. Forte, Y. Jin, R. Karri, S. Bhunia, and M. Tehranipoor, “Hardware Trojans: Lessons learned after one decade of research,” ACM Trans. Des. Autom. Electron. Syst., vol. 22, no. 1, 2016.
[28] C. H. Chang, Y. Zheng, and L. Zhang, “A retrospective and a look forward: Fifteen years of physical unclonable function advancement,” IEEE Circuits Syst. Mag., vol. 17, no. 3, pp. 32–62, 2017.
[29] A. Chakraborty, N. G. Jayasankaran, Y. Liu, J. Rajendran, O. Sinanoglu, A. Srivastava, Y. Xie, M. Yasin, and M. Zuzak, “Keynote: A disquisition on logic locking,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 39, no. 10, pp. 1952–1972, 2020.
[30] O. Demir, W. Xiong, F. Zaghloul, and J. Szefer, “Survey of approaches for security verification of hardware/software systems,” Cryptology ePrint Archive, Report 2016/846, 2016, https://eprint.iacr.org/2016/846.
[31] K. Murdock, D. Oswald, F. D. Garcia, J. Van Bulck, D. Gruss, and F. Piessens, “Plundervolt: Software-based fault injection attacks against Intel SGX,” in IEEE Symp. on Sec. and Priv. (SP), May 2020.
[32] Y. Liu, L. Wei, B. Luo, and Q. Xu, “Fault injection attack on deep neural network,” in Int. Conf Comput.-Aided Des. (ICCAD), Nov. 2017, pp. 131–138.
[33] D. J. Bernstein, “Cache-timing attacks on AES,” VLSI Design IEEE Computer Society, vol. 51, no. 2, pp. 218–221, 2005.
[34] W. Hu, L. Zhang, A. Ardeshiricham, J. Blackstone, B. Hou, Y. Tai, and R. Kastner, “Why you should care about don’t cares: Exploiting internal don’t care conditions for hardware Trojans,” in Int. Conf Comput.-Aided Des. (ICCAD), Nov. 2017, pp. 707–713.
[35] O. Mutlu and J. S. Kim, “Rowhammer: A retrospective,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., pp. 1–1, 2019.
[36] H. Guo, L. Peng, J. Zhang, F. Qi, and L. Duan, “Hardware accelerator for adversarial attacks on deep learning neural networks,” in International Green and Sustainable Computing Conference (IGSC). IEEE, Oct. 2019, pp. 1–8.
[37] S. Pinto and N. Santos, “Demystifying ARM TrustZone: A comprehensive survey,” ACM Computing Surveys, vol. 51, no. 6, p. 130, 2019.
[38] P. Qiu, D. Wang, Y. Lyu, and G. Qu, “VoltJockey: Breaching TrustZone by software-controlled voltage manipulation over multi-core frequencies,” in ACM SIGSAC Conference on Computer and Communications Security, Nov. 2019, pp. 195–209.
[39] J. Demme, R. Martin, A. Waksman, and S. Sethumadhavan, “Side-channel vulnerability factor: A metric for measuring information leakage,” in Int. Symp. on Computer Architecture (ISCA), Portland, OR, USA. IEEE Computer Society, 2012, pp. 106–117.
[40] B. Mao, W. Hu, A. Althoff, J. Matai, Y. Tai, D. Mu, T. Sherwood, and R. Kastner, “Quantitative analysis of timing channel security in cryptographic hardware design,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 37, no. 9, pp. 1719–1732, 2017.
[41] A. Althoff, J. Blackstone, and R. Kastner, “Holistic power side-channel leakage assessment: Towards a robust multidimensional metric,” in Int. Conf Comput.-Aided Des. (ICCAD). IEEE, Nov. 2019, pp. 1–8.
[42] Y. Bulygin, J. Loucaides, A. Furtak, O. Bazhaniuk, and A. Matrosov, “Summary of attacks against BIOS and secure boot,” Defcon-22, 2014.
[43] W. A. Arbaugh, D. J. Farber, and J. M. Smith, “A secure and reliable bootstrap architecture,” in IEEE Symp. on Sec. and Priv. (Cat. No.97CB36097), 1997, pp. 65–71.
[44] I. Lebedev, K. Hogan, and S. Devadas, “Secure boot and remote attestation in the Sanctum processor,” in IEEE Computer Security Foundations Symposium (CSF). IEEE, 2018, pp. 46–60.
[45] A. Costin, J. Zaddach, A. Francillon, and D. Balzarotti, “A large-scale analysis of the security of embedded firmwares,” in USENIX Security Symposium (USENIX Security), 2014, pp. 95–110.
[46] P. Subramanyan, S. Malik, H. Khattri, A. Maiti, and J. Fung, “Verifying information flow properties of firmware using symbolic execution,” in Des. Autom. Test Europe Conf. Exhib. (DATE). IEEE, Mar. 2016, pp. 337–342.
[47] J. Oberg, S. Meiklejohn, T. Sherwood, and R. Kastner, “Leveraging gate-level properties to identify hardware timing channels,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 33, no. 9, pp. 1288–1301, 2014.
[48] A. Basak, S. Bhunia, and S. Ray, “A flexible architecture for systematic implementation of SoC security policies,” in Int. Conf Comput.-Aided Des. IEEE, 2015, pp. 536–543.
[49] J. A. Halderman, S. D. Schoen, N. Heninger, W. Clarkson, W. Paul, J. A. Calandrino, A. J. Feldman, J. Appelbaum, and E. W. Felten, “Lest we remember: Cold-boot attacks on encryption keys,” Communications of the ACM, vol. 52, no. 5, pp. 91–98, 2009.
[50] Y. Kim, R. Daly, J. Kim, C. Fallin, J. H. Lee, D. Lee, C. Wilkerson, K. Lai, and O. Mutlu, “Flipping bits in memory without accessing them: An experimental study of DRAM disturbance errors,” ACM SIGARCH Comput. Archit. News, vol. 42, no. 3, pp. 361–372, 2014.
[51] D. Brumley and D. Boneh, “Remote timing attacks are practical,” Computer Networks, vol. 48, no. 5, pp. 701–716, 2005.
[52] D. Gullasch, E. Bangerter, and S. Krenn, “Cache games – bringing access-based cache attacks on AES to practice,” in IEEE Symp. on Sec. and Priv. IEEE, 2011, pp. 490–505.
[53] R. Roemer, E. Buchanan, H. Shacham, and S. Savage, “Return-oriented programming: Systems, languages, and applications,” ACM Transactions on Information and System Security (TISSEC), vol. 15, no. 1, pp. 1–34, 2012.
[54] Z. Wang and R. B. Lee, “Covert and side channels due to processor architecture,” in Annual Computer Security Applications Conference (ACSAC). IEEE, 2006, pp. 473–482.
[55] C. Hunger, M. Kazdagli, A. Rawat, A. Dimakis, S. Vishwanath, and M. Tiwari, “Understanding contention-based channels and using them for defense,” in Int. Symp. on High Performance Computer Architecture (HPCA). IEEE, 2015, pp. 639–650.
[56] P. Kocher, J. Jaffe, and B. Jun, “Differential power analysis,” in Advances in Cryptology — CRYPTO’99, M. Wiener, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1999, pp. 388–397.
[57] E. Brier, C. Clavier, and F. Olivier, “Correlation power analysis with a leakage model,” in Cryptographic Hardware and Embedded Systems - CHES 2004, M. Joye and J.-J. Quisquater, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, Aug. 2004, pp. 16–29.
[58] S. Picek, A. Heuser, A. Jovic, S. A. Ludwig, S. Guilley, D. Jakobovic, and N. Mentens, “Side-channel analysis and machine learning: A practical perspective,” in Int. Joint Conf. on Neural Networks. IEEE, May 2017, pp. 4095–4102.
[59] J. Heyszl, A. Ibing, S. Mangard, F. De Santis, and G. Sigl, “Clustering algorithms for non-profiled single-execution attacks on exponentiations,” in Int. Conf. on Smart Card Research and Advanced Applications. Springer, Nov. 2013, pp. 79–93.
[60] P. Koeberl, “Multi-tenant FPGA security: Challenges and opportunities,” in Int. Symp. on Field-Programmable Gate Arrays. New York, NY, USA: ACM, Feb. 2020, p. 23.
[61] E. Peeters, F.-X. Standaert, and J.-J. Quisquater, “Power and electromagnetic analysis: Improved model, consequences and comparisons,” Integration, vol. 40, no. 1, pp. 52–60, 2007.
[62] N. Homma, T. Aoki, and A. Satoh, “Electromagnetic information leakage for side-channel analysis of cryptographic modules,” in IEEE Int. Symp. on Electromagnetic Compatibility. IEEE, 2010, pp. 97–102.
[63] D. Genkin, L. Pachmanov, I. Pipman, and E. Tromer, “ECDH key-extraction via low-bandwidth electromagnetic attacks on PCs,” in RSA Conference. Springer, 2016, pp. 219–235.
[64] K. Gandolfi, C. Mourtel, and F. Olivier, “Electromagnetic analysis: Concrete results,” in International Workshop on Cryptographic Hardware and Embedded Systems. Springer, 2001, pp. 251–261.
[65] S. Patranabis, A. Chakraborty, P. H. Nguyen, and D. Mukhopadhyay, “A biased fault attack on the time redundancy countermeasure for AES,” in Revised Selected Papers of the 6th International Workshop on Constructive Side-Channel Analysis and Secure Design, vol. 9064. Berlin, Heidelberg: Springer-Verlag, 2015, pp. 189–203.
[66] S. Skorobogatov and C. Woods, Breakthrough Silicon Scanning Discovers Backdoor in Military Chip. Springer-Heidelberg, 2012, pp. 23–40.
[67] P. H. N. Rajput and M. Maniatakos, “JTAG: A multifaceted tool for cyber security,” in IEEE Int. Symp. on On-Line Testing and Robust System Design (IOLTS), Jul. 2019, pp. 155–158.
[68] E. Valea, M. Da Silva, G. Di Natale, M. Flottes, and B. Rouzeyre, “A survey on security threats and countermeasures in IEEE test standards,” IEEE Design & Test, vol. 36, no. 3, pp. 95–116, 2019.
[69] F. Koushanfar, S. Fazzari, C. McCants, W. Bryson, P. Song, M. Sale, and M. Potkonjak, “Can EDA combat the rise of electronic counterfeiting?” in Design Automation Conference, Jun. 2012, pp. 133–138.
[70] M. Yasin, J. J. Rajendran, O. Sinanoglu, and R. Karri, “On improving the security of logic locking,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 35, no. 9, pp. 1411–1424, 2016.
[71] A. Sengupta, D. Kachave, and D. Roy, “Low cost functional obfuscation of reusable IP cores used in CE hardware through robust locking,” IEEE Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 38, no. 4, pp. 604–616, 2019.
[72] A. Baumgarten, M. Steffen, M. Clausman, and J. Zambreno, “A case study in hardware Trojan design and implementation,” International Journal of Information Security, vol. 10, no. 1, pp. 1–14, 2011.
[73] J. Zhang, F. Yuan, and Q. Xu, “DeTrust: Defeating hardware trust verification with stealthy implicitly-triggered hardware Trojans,” in ACM SIGSAC Conference on Computer and Communications Security, Nov. 2014, pp. 153–166.
[74] R. Karri, J. Rajendran, K. Rosenfeld, and M. Tehranipoor, “Trustworthy hardware: Identifying and classifying hardware Trojans,” Computer, vol. 43, no. 10, pp. 39–46, 2010.
[75] B. Shakya, T. He, H. Salmani, D. Forte, S. Bhunia, and M. Tehranipoor, “Benchmarking of hardware Trojans and maliciously affected circuits,” Journal of Hardware and Systems Security, pp. 85–102, 2017.
[76] A. Nahiyan, K. Xiao, K. Yang, Y. Jin, D. Forte, and M. Tehranipoor, “AVFSM: A framework for identifying and mitigating vulnerabilities in FSMs,” in Des. Autom. Conf. (DAC), Jun. 2016, pp. 89:1–6.
[77] D. Mahmoud, W. Hu, and M. Stojilovic, “X-attack: Remote activation of satisfiability don’t-care hardware Trojans on shared FPGAs,” in Int. Conf. on Field-Programmable Logic and Applications (FPL), Aug. 2020, p. 8. [Online]. Available: http://infoscience.epfl.ch/record/278020
[78] A. Antonopoulos, C. Kapatsori, and Y. Makris, Hardware Trojans in Analog, Mixed-Signal, and RF ICs. Cham: Springer International Publishing, 2018, pp. 101–123.
[79] G. T. Becker, F. Regazzoni, C. Paar, and W. P. Burleson, “Stealthy dopant-level hardware Trojans,” in Cryptographic Hardware and Embedded Systems - CHES 2013, G. Bertoni and J.-S. Coron, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2013, pp. 197–214.
[80] R. Kumar, P. Jovanovic, W. Burleson, and I. Polian, “Parametric Trojans for fault-injection attacks on cryptographic hardware,” in Workshop on Fault Diagnosis and Tolerance in Cryptography, Sep. 2014, pp. 18–28.
[81] M. Elshamy, G. Di Natale, A. Pavlidis, M. Louërat, and H. Stratigopoulos, “Hardware Trojan attacks in analog/mixed-signal ICs via the test access mechanism,” in IEEE European Test Symposium (ETS), May 2020, pp. 1–6.
[82] B. Kaczer, T. Grasser, P. J. Roussel, J. Franco, R. Degraeve, L.-Å. Ragnarsson, E. Simoen, G. Groeseneken, and H. Reisinger, “Origin of NBTI variability in deeply scaled pFETs,” in IEEE International Reliability Physics Symposium, May 2010, pp. 26–32.
[83] S. Mahapatra, N. Goel, S. Desai, S. Gupta, B. Jose, S. Mukhopadhyay, K. Joshi, A. Jain, A. E. Islam, and M. A. Alam, “A comparative study of different physics-based NBTI models,” IEEE Trans. Electron Devices, vol. 60, no. 3, pp. 901–916, 2013.
[84] D. Kachave, A. Sengupta, S. Neema, and P. Sri Harsha, “Effect of NBTI stress on DSP cores used in CE devices: Threat model and performance estimation,” IET Computers & Digital Techniques, vol. 12, no. 6, pp. 268–278, 2018.
[85] C. Krieg, C. Wolf, and A. Jantsch, “Malicious LUT: A stealthy FPGA Trojan injected and triggered by the design flow,” in Int. Conf Comput.-Aided Des. (ICCAD). New York, NY, USA: ACM, Nov. 2016.
[86] C. Szegedy, W. Zaremba, I. Sutskever, J. Bruna, D. Erhan, I. Goodfellow, and R. Fergus, “Intriguing properties of neural networks,” 2013.
[87] I. J. Goodfellow, J. Shlens, and C. Szegedy, “Explaining and harnessing adversarial examples,” arXiv preprint arXiv:1412.6572, 2014.
[88] S. Moosavi-Dezfooli, A. Fawzi, O. Fawzi, and P. Frossard, “Universal adversarial perturbations,” in IEEE Conference on Computer Vision and Pattern Recognition, 2017, pp. 86–94.
[89] N. Carlini and D. Wagner, “Towards evaluating the robustness of neural networks,” in IEEE Symp. on Sec. and Priv. (SP), 2017, pp. 39–57.
[90] A. Kurakin, I. Goodfellow, and S. Bengio, “Adversarial examples in the physical world,” arXiv preprint arXiv:1607.02533, 2016.
[91] J. Li, F. Schmidt, and Z. Kolter, “Adversarial camera stickers: A physical camera-based attack on deep learning systems,” in Int. Conf. on Machine Learning, Jan. 2019, pp. 3896–3904.
[92] J. Breier, X. Hou, D. Jap, L. Ma, S. Bhasin, and Y. Liu, “Practical fault attack on deep neural networks,” in ACM Conf. on Comp. and Comm. Sec. (CCS). New York, NY, USA: ACM, 2018, pp. 2204–2206.
[93] M. Agoyan, J.-M. Dutertre, D. Naccache, B. Robisson, and A. Tria, “When clocks fail: On critical paths and clock faults,” in Smart Card Research and Advanced Application (CARDIS 2010), D. Gollmann, J.-L. Lanet, and J. Iguchi-Cartigny, Eds. Berlin, Heidelberg: Springer Berlin Heidelberg, 2010, pp. 182–193.
[94] M. M. Alam, S. Tajik, F. Ganji, M. Tehranipoor, and D. Forte, “RAM-Jam: Remote temperature and voltage fault attack on FPGAs using memory collisions,” in IEEE Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC), 2019, pp. 48–55.
[95] S. Hong, P. Frigo, Y. Kaya, C. Giuffrida, and T. Dumitraş, “Terminal brain damage: Exposing the graceless degradation in deep neural networks under hardware fault attacks,” in USENIX Conference on Security Symposium. USA: USENIX Association, 2019, pp. 497–514.
[96] P. Zhao, S. Wang, C. Gongye, Y. Wang, Y. Fei, and X. Lin, “Fault sneaking attack: A stealthy framework for misleading deep neural networks,” in Des. Autom. Conf. (DAC). New York, NY, USA: ACM, Jun. 2019.
[97] J. Clements and Y. Lao, “Hardware Trojan design on neural networks,” in IEEE Symp. On Cir. and Syst. (ISCAS), 2019, pp. 1–5.
[98] Y. Zhao, X. Hu, S. Li, J. Ye, L. Deng, Y. Ji, J. Xu, D. Wu, and Y. Xie, “Memory Trojan attack on neural network accelerators,” in Des. Autom. Test Europe Conf. Exhib. (DATE), Mar. 2019, pp. 1415–1420.
[99] J. Deng, W. Dong, R. Socher, L. Li, Kai Li, and Li Fei-Fei, “ImageNet: A large-scale hierarchical image database,” in IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2009, pp. 248–255.
[100] W. Liu, C. H. Chang, F. Zhang, and X. Lou, “Imperceptible misclassification attack on deep learning accelerator by glitch injection,” in Des. Autom. Conf. (DAC), Jul. 2020.
[101] F. Tramèr, F. Zhang, A. Juels, M. K. Reiter, and T. Ristenpart, “Stealing machine learning models via prediction APIs,” in USENIX Security Symposium, Aug. 2016, pp. 601–618.
[102] C. Yang, B. Liu, H. Li, Y. Chen, W. Wen, M. Barnell, Q. Wu, and J. Rajendran, “Security of neuromorphic computing: Thwarting learning attacks using memristor’s obsolescence effect,” in Int. Conf Comput.-Aided Des., Nov. 2016, pp. 1–6.
[103] M. Yan, C. W. Fletcher, and J. Torrellas, “Cache telepathy: Leveraging shared resource attacks to learn DNN architectures,” in USENIX Security Symposium. Boston, MA: USENIX Association, 2020. [Online]. Available: https://www.usenix.org/conference/usenixsecurity20/presentation/yan
[104] M. Alam and D. Mukhopadhyay, “How secure are deep learning algorithms from side-channel based reverse engineering?” in Des. Autom. Conf. (DAC), Jun. 2019, pp. 1–2.
[105] W. Hua, Z. Zhang, and G. E. Suh, “Reverse engineering convolutional neural networks through side-channel information leaks,” in Des. Autom. Conf. (DAC), San Francisco, CA, USA, Jun. 2018, pp. 4:1–4:6.
[106] S. K. Mathew, D. Johnston, S. Satpathy, V. Suresh, P. Newman, M. A. Anders, H. Kaul, A. Agarwal, S. K. Hsu, G. Chen, and R. K. Krishnamurthy, “µRNG: A 300–950 mV, 323 Gbps/W all-digital full-entropy true random number generator in 14 nm FinFET CMOS,” IEEE J. Solid-State Circuits, vol. 51, no. 7, pp. 1695–1704, 2016.
[107] M. Matsumoto, S. Yasuda, R. Ohba, K. Ikegami, T. Tanamoto, and S. Fujita, “1200 µm² physical random-number generators based on SiN MOSFET for secure smart-card application,” in IEEE International Solid-State Circuits Conference (ISSCC), 2008, pp. 414–624.
[108] S. Bae, Y. Kim, Y. Park, and C. Kim, “3-Gb/s high-speed true random number generator using common-mode operating comparator and sampling uncertainty of D flip-flop,” IEEE J. Solid-State Circuits, vol. 52, no. 2, pp. 605–610, 2017.
[109] Q. Tang, B. Kim, Y. Lao, K. K. Parhi, and C. H. Kim, “True random number generator circuits based on single- and multi-phase beat frequency detection,” in IEEE Custom Integrated Circuits Conference (CICC), 2014, pp. 1–4.
[110] K. Yang, D. Blaauw, and D. Sylvester, “An all-digital edge racing true random number generator robust against PVT variations,” IEEE J. Solid-State Circuits, vol. 51, no. 4, pp. 1022–1031, 2016.
[111] Y. Cao, C. H. Chang, Y. Zheng, and X. Zhao, “An energy-efficient true random number generator based on current starved ring oscillators,” in Asian Hardware Oriented Security and Trust Symposium (AsianHOST), 2017, pp. 37–42.
[112] C. Tokunaga, D. Blaauw, and T. Mudge, “True random number generator with a metastability-based quality control,” IEEE J. Solid-State Circuits, vol. 43, no. 1, pp. 78–85, 2008.
[113] S. K. Satpathy, S. K. Mathew, R. Kumar, V. Suresh, M. A. Anders, H. Kaul, A. Agarwal, S. Hsu, R. K. Krishnamurthy, and V. De, “An all-digital unified physically unclonable function and true random number generator featuring self-calibrating hierarchical Von Neumann extraction in 14-nm tri-gate CMOS,” IEEE J. Solid-State Circuits, vol. 54, no. 4, pp. 1074–1085, 2019.
[114] T. Durden, “The approximate present does not approximately determine the future,” 2013. [Online]. Available: https://www.zerohedge.com/news/2013-05-21/approximate-present-does-not-approximately-determine-future
[115] F. Pareschi, G. Setti, and R. Rovatti, “Implementation and testing of high-speed CMOS true random number generators based on chaotic systems,” IEEE Trans. Circuits Syst. I, vol. 57, no. 12, pp. 3124–3137, 2010.
[116] M. Kim, U. Ha, K. J. Lee, Y. Lee, and H. Yoo, “A 82-nW chaotic map true random number generator based on a sub-ranging SAR ADC,” IEEE J. Solid-State Circuits, vol. 52, no. 7, pp. 1953–1965, 2017.
[117] Cloudflare, “League of entropy.” [Online]. Available: https://www.cloudflare.com/leagueofentropy/
[118] E. Syta, P. Jovanovic, E. K. Kogias, N. Gailly, L. Gasser, I. Khoffi, M. J. Fischer, and B. Ford, “Scalable bias-resistant distributed randomness,” in IEEE Symp. on Sec. and Priv. (SP), 2017, pp. 444–460.
[119] E. C. Lee, J. M. Parrilla-Gutierrez, A. Henson, E. K. Brechin, and L. Cronin, “A crystallization robot for generating true random numbers based on stochastic chemical processes,” Matter, vol. 2, no. 3, pp. 649–657, 2020.
[120] A. V. Herrewege, S. Katzenbeisser, R. Maes, R. Peeters, A.-R. Sadeghi, I. Verbauwhede, and C. Wachsmann, “Reverse fuzzy extractors: Enabling lightweight mutual authentication for PUF-enabled RFIDs,” in Financial Cryptography and Data Security (FC 2012), A. D. Keromytis, Ed., Lecture Notes in Computer Science, vol. 7397. Berlin, Heidelberg: Springer, 2012, pp. 374–389.
[121] J. Delvaux, “Security analysis of PUF-based key generation and entity authentication,” Ph.D. dissertation, School of Cyber Science and Engineering, Shanghai Jiaotong University and Faculty of Engineering Science, KU Leuven, 2017, [Online]. Available: https://www.esat.kuleuven.be/cosic/publications/thesis-290.pdf.
[122] A. Schaller, T. Stanko, B. Škorić, and S. Katzenbeisser, “Eliminating leakage in reverse fuzzy extractors,” IEEE Trans. Inf. Forensics Security, vol. 13, no. 4, pp. 954–964, 2018.
[123] E. Peterson, “Developing Tamper-Resistant Designs with Zynq UltraScale+ Devices,” 2018, [Online]. Available: https://www.xilinx.com/support/documentation/application_notes/xapp1098-tamper-resist-designs.pdf.
[124] NXP Semiconductors Netherlands B.V., “NXP Delivers Enhanced Security Solution to Protect Personal Data for Payment and eGovernment Services,” 2016, [Online]. Available: https://media.nxp.com/news-releases/news-release-details/nxp-delivers-enhanced-security-solution-protect-personal-data.
[125] X. Guo, D. M. Jacobson, Y. Yang, A. J. Drew, and B. M. Rosenberg, “Applying circuit delay-based physically unclonable functions (PUFs) for masking operation of memory-based PUFs to resist invasive and clone attacks,” 2017, US Patent 9787480B2, [Online]. Available: https://patents.google.com/patent/US9787480B2/en.
[126] R. A. Scheel and A. Tyagi, “Characterizing composite user-device touchscreen physical unclonable functions (PUFs) for mobile device authentication,” in International Workshop on Trustworthy Embedded Devices. New York, NY, USA: ACM, 2015, pp. 3–13.
[127] Y. Guo and A. Tyagi, “Voice-based user-device physical unclonable functions for mobile device authentication,” J. Hardware Syst. Security, vol. 1, pp. 18–37, 2017.
[128] N. Karimian, Z. Guo, F. Tehranipoor, D. Woodard, M. Tehranipoor, and D. Forte, “Secure and reliable biometric access control for resource-constrained systems and IoT,” 2018.
[129] Y. Zheng, Y. Cao, and C. H. Chang, “UDhashing: Physical unclonable function-based user-device hash for endpoint authentication,” IEEE Trans. Ind. Electron., vol. 66, no. 12, pp. 9559–9570, 2019.
[130] Y. Cao, C. Liu, and C. H. Chang, “A low power diode-clamped inverter based strong physical unclonable function for secure and robust IoT authentication,” IEEE Trans. Circuits Syst. I, vol. 65, no. 11, pp. 3864–3873, 2018.
[131] X. Liu, C. Lin, and S. Yuan, “Blind dual watermarking for color images’ authentication and copyright protection,” IEEE Trans. Circuits Syst. Video Technol., vol. 28, no. 5, pp. 1047–1055, 2018.
[132] L. Wen, H. Qi, and S. Lyu, “Contrast enhancement estimation for digital image forensics,” ACM Trans. Multimedia Comput. Commun. Appl., vol. 14, no. 2, 2018.
[133] Z. Tang, X. Zhang, X. Li, and S. Zhang, “Robust image hashing with ring partition and invariant vector distance,” IEEE Trans. Inf. Forensics Security, vol. 11, no. 1, pp. 200–214, 2016.
[134] B. Xu, X. Wang, X. Zhou, J. Xi, and S. Wang, “Source camera identification from image texture features,” Neurocomputing, vol. 207, pp. 131–140, 2016.
24 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. X, NO. X, MM 2021
[135] D. Valsesia, G. Coluccia, T. Bianchi, and E. Magli, “User authentication able: https://www.intel.co.uk/content/dam/www/programmable/us/en/
via PRNU-based physical unclonable functions,” IEEE Trans. Inf. pdfs/literature/wp/wp-01066-anti-tamper-capabilities-fpga.pdf.
Forensics Security, vol. 12, no. 8, pp. 1941–1956, 2017. [158] . Semiconductor Components Industries, LLC, “Anti-tamper Ac-
[136] A. Lawgaly and F. Khelifi, “Sensor pattern noise estimation based tive Shield,” ON Semiconductor White Paper TND6321/D Rev. 0,
on improved locally adaptive DCT filtering and weighted averaging 2019, [Online]. Available: https://www.onsemi.com/pub/Collateral/
for source camera identification and verification,” IEEE Trans. Inf. TND6321-D.PDF.
Forensics Security, vol. 12, no. 2, pp. 392–404, 2017. [159] R. Prakash, “Anti-tamper Memory,” Cypress Semiconductor Inc. White
[137] Y. Cao, L. Zhang, and C. H. Chang, “Using image sensor PUF as root Paper 001-59690, 2016, [Online]. Available: https://www.cypress.com/
of trust for birthmarking of perceptual image hash,” in IEEE Asian file/99056/download.
Hardware-Oriented Security and Trust (AsianHOST), 2016, pp. 1–6. [160] N. Burow, S. A. Carr, J. Nash, P. Larsen, M. Franz, S. Brunthaler,
[138] Y. Zheng, Y. Cao, and C. H. Chang, “A PUF-based data-device hash and M. Payer, “Control-flow integrity: Precision, security, and perfor-
for tampered image detection and source camera identification,” IEEE mance,” ACM Computing Surveys, vol. 50, no. 1, pp. 1–33, 2017.
Trans. Inf. Forensics Security, vol. 15, pp. 620–634, 2020. [161] R. de Clercq and I. Verbauwhede, “A survey of hardware-based control
[139] Y. Cao, L. Zhang, S. S. Zalivaka, C. H. Chang, and S. Chen, “CMOS flow integrity (CFI),” arXiv preprint arXiv:1706.07257, 2017.
image sensor based physical unclonable function for coherent sensor- [162] D. Cock, Q. Ge, T. Murray, and G. Heiser, “The last mile: An empirical
level authentication,” IEEE Trans. Circuits Syst. I, vol. 62, no. 11, pp. study of timing channels on seL4,” in ACM SIGSAC Conference on
2629–2640, 2015. Computer and Communications Security, 2014, pp. 570–581.
[140] Y. Zheng, X. Zhao, T. Sato, Y. Cao, and C. H. Chang, “Ed-PUF: [163] E. Käsper and P. Schwabe, “Faster and timing-attack resistant AES-
Event-driven physical unclonable function for camera authentication GCM,” in International Workshop on Cryptographic Hardware and
in reactive monitoring system,” IEEE Trans. Inf. Forensics Security, Embedded Systems. Springer, 2009, pp. 1–17.
vol. 15, pp. 2824–2839, 2020. [164] B. Coppens, I. Verbauwhede, K. De Bosschere, and B. De Sutter,
[141] F. McKeen, I. Alexandrovich, I. Anati, D. Caspi, S. Johnson, R. Leslie- “Practical mitigations for timing-based side-channel attacks on modern
Hurd, and C. Rozas, “Intel R software guard extensions (intel R SGX) x86 processors,” in IEEE Symp. on Sec. and Priv. IEEE, 2009, pp.
support for dynamic memory management inside an enclave,” in 45–60.
Hardware and Architectural Support for Security and Privacy, 2016, [165] M. Akkar and C. Giraud, “An implementation of DES and AES, secure
pp. 1–9. against some attacks,” in Cryptographic Hardware and Embedded
[142] T. Alves and D. Felton, “TrustZone: Integrated hardware and software Systems - CHES, Paris, France, ser. Lecture Notes in Computer
security-enabling trusted computing in embedded systems,” 2014. Science, Ç. K. Koç, D. Naccache, and C. Paar, Eds., vol. 2162, no.
[143] Z. Wang and R. B. Lee, “New cache designs for thwarting software Generators. Springer, 2001, pp. 309–318.
cache-based side channel attacks,” in ACM SIGARCH Comp. Arch. [166] B. Bilgin, B. Gierlichs, S. Nikova, V. Nikov, and V. Rijmen, “Higher-
News, vol. 35, no. 2. ACM, 2007, pp. 494–505. order threshold implementations,” in Advances in Cryptology, Int. Conf.
[144] D. Page, “Partitioned cache architecture as a side-channel defence on the Theory and Application of Cryptology and Information Security,
mechanism,” IACR eprint archive, 2005. Kaoshiung, Taiwan, R.O.C., ser. Lecture Notes in Computer Science,
[145] H. Raj, R. Nathuji, A. Singh, and P. England, “Resource management vol. 8874. Springer, 2014, pp. 326–343.
for isolation enhanced cloud services,” in ACM workshop on Cloud [167] G. Becker, J. Cooper, E. DeMulder, G. Goodwill, J. Jaffe, G. Kenwor-
computing security, 2009, pp. 77–84. thy, T. Kouzminov, A. Leiserson, M. Marson, P. Rohatgi, and S. Saab,
[146] M. M. Godfrey and M. Zulkernine, “Preventing cache-based side- “Test vector leakage assessment (TVLA) methodology in practice,” in
channel attacks in a cloud environment,” IEEE transactions on Cloud Int. Cryptographic Module Conf., 2013, p. 13.
Computing, vol. 2, no. 4, pp. 395–408, 2014. [168] T. Zhang, F. Liu, S. Chen, and R. B. Lee, “Side channel vulnerability
[147] V. Kiriansky, I. Lebedev, S. Amarasinghe, S. Devadas, and J. Emer, metrics: The promise and the pitfalls,” in International Workshop on
“DAWG: A defense against cache timing attacks in speculative ex- Hardware and Architectural Support for Security and Privacy (HASP).
ecution processors,” in IEEE/ACM Int. Symp. on Microarchitecture New York, NY, USA: ACM, 2013, pp. 2:1–2:8.
(MICRO). IEEE, 2018, pp. 974–987. [169] H. Kim, S. Hong, B. Preneel, and I. Verbauwhede, “STBC: side channel
[148] M. Yan, J. Choi, D. Skarlatos, A. Morrison, C. Fletcher, and J. Torrel- attack tolerant balanced circuit with reduced propagation delay,” in
las, “InvisiSpec: Making speculative execution invisible in the cache IEEE Computer Society Annual Symposium on VLSI, ISVLSI, Bochum,
hierarchy,” in IEEE/ACM Int. Symp. on Microarchitecture. IEEE, Germany. IEEE, 2017, pp. 74–79.
2018, pp. 428–441. [170] K. Tiri and I. Verbauwhede, “A logic level design methodology for a
[149] L. Domnitser, A. Jaleel, J. Loew, N. Abu-Ghazaleh, and D. Ponomarev, secure DPA resistant ASIC or FPGA implementation,” in Des. Autom.
“Non-monopolizable caches: Low-complexity mitigation of cache side Test Europe Conf. Exhib. (DATE), Paris, France. IEEE Computer
channel attacks,” ACM Transactions on Architecture and Code Opti- Society, Feb. 2004, pp. 246–251.
mization, vol. 8, no. 4, p. 35, 2012. [171] X. Wang, W. Yueh, D. B. Roy, S. Narasimhan, Y. Zheng, S. Mukhopad-
[150] Intel, CAT, “Improving real-time performance by utilizing cache allo- hyay, D. Mukhopadhyay, and S. Bhunia, “Role of power grid in side
cation technology,” Intel Inc., 2015. channel attack and power-grid-aware secure design,” in Des. Autom.
[151] F. Liu, Q. Ge, Y. Yarom, F. Mckeen, C. Rozas, G. Heiser, and R. B. Conf. (DAC), Austin, TX, USA. ACM, Jun. 2013, pp. 78:1–78:9.
Lee, “Catalyst: Defeating last-level cache side channel attacks in cloud [172] C. Tokunaga and D. T. Blaauw, “Secure AES engine with a local
computing,” in High Performance Computer Architecture, IEEE Int. switched-capacitor current equalizer,” in IEEE Int. Solid-State Cir.
Symp. on. IEEE, 2016, pp. 406–418. Conf., San Francisco, CA, USA. IEEE, 2009, pp. 64–65.
[152] A. Ardeshiricham, Y. Takashima, S. Gao, and R. Kastner, “VeriSketch: [173] A. Singh, M. Kar, J. H. Ko, and S. Mukhopadhyay, “Exploring power
Synthesizing secure hardware designs with timing-sensitive informa- attack protection of resource constrained encryption engines using
tion flow properties,” in ACM SIGSAC Conference on Computer and integrated low-drop-out regulators,” in IEEE/ACM Int. Symp. on Low
Communications Security, 2019, pp. 1623–1638. Power Electronics and Design (ISLPED), Rome, Italy. IEEE, 2015,
[153] J. P. D. Kaplan, J. Powell, and T. Woller, “AMD memory encryption, pp. 134–139.
white paper,” 2016. [174] M. Kar, A. Singh, S. K. Mathew, A. Rajan, V. De, and S. Mukhopad-
[154] B. Gassend, G. E. Suh, D. Clarke, M. Van Dijk, and S. Devadas, hyay, “Reducing power side-channel information leakage of AES en-
“Caches and hash trees for efficient memory integrity verification,” in gines using fully integrated inductive voltage regulator,” IEEE Journal
Int. Symp. on High-Performance Computer Architecture. IEEE, 2003, of Solid-State Circuits, vol. 53, no. 8, pp. 2399–2414, 2018.
pp. 295–306. [175] D. Canright et al., “A very compact ”perfectly masked” S-Box for
[155] O. Goldreich, “Towards a theory of software protection and simula- AES,” in ACNS, 2008, pp. 446–459.
tion by oblivious RAMs,” in Annual ACM Symposium on Theory of [176] S. Satpathy, S. Mathew, V. Suresh, and R. Krishnamurthy, “Ultra-low
Computing, 1987, pp. 182–194. energy security circuits for IoT applications,” in IEEE Int. Conf. on
[156] J. Valamehr, M. Tiwari, T. Sherwood, R. Kastner, T. Huffmire, Computer Design (ICCD), Scottsdale, AZ, USA. IEEE Computer
C. Irvine, and T. Levin, “Hardware assistance for trustworthy systems Society, 2016, pp. 682–685.
through 3-D integration,” in Annual Computer Security Applications [177] A. G. Bayrak, F. Regazzoni, D. Novo, and P. Ienne, “Sleuth: Automated
Conference, 2010, pp. 199–210. verification of software power analysis countermeasures,” in Int. Conf.
[157] Altera Inc., “Anti-Tamper Capabilities in FPGA Designs,” Altera on Cryptographic Hardware and Embedded Systems (CHES). Berlin,
White Paper, WP-01066-1.0, pp. 1–9, 2008, [Online]. Avail- Heidelberg: Springer-Verlag, 2013, p. 293–310.
HU et al.: AN OVERVIEW OF HARDWARE SECURITY AND TRUST: THREATS, COUNTERMEASURES AND DESIGN TOOLS 25
[178] P. Slpsk, P. K. Vairam, C. Rebeiro, and V. Kamakoti, “Karna: A gate- [199] S. Saha, D. Mukhopadhyay, and P. Dasgupta, “ExpFault: An automated
sizing based security aware EDA flow for improved power side-channel framework for exploitable fault characterization in block ciphers,” IACR
attack protection,” in Int. Conf Comput.-Aided Des. (ICCAD), Nov. Transactions on Cryptographic Hardware and Embedded Systems, vol.
2019, pp. 1–8. 2018, no. 2, pp. 242–276, 2018.
[179] H. Saputra, N. Vijaykrishnan, M. Kandemir, M. J. Irwin, R. Brooks, [200] M. Srivatsava, P. Slpsk, C. Rebeiro, A. Hazra, and S. Bhunia,
S. Kim, and W. Zhang, “Masking the energy behavior of DES encryp- “Solomon: An automated framework for detecting fault attack vulnera-
tion [smart cards],” in Design, Automation & Test in Europe Conference bilities in hardware,” in Des. Autom. Test Europe Conf. Exhib. (DATE),
& Exhibition. IEEE, 2003, pp. 84–89. Mar. 2020.
[180] T. Kim, S. Lee, D. Choi, and H. Yoon, “Protecting secret keys in [201] K. K, I. Roy, C. Rebeiro, A. Hazra, and S. Bhunia, “FEDS: Comprehen-
networked devices with table encoding against power analysis attacks,” sive fault attack exploitability detection for software implementations
Journal of High Speed Networks, vol. 22, no. 4, pp. 293–307, 2016. of block ciphers,” IACR Transactions on Cryptographic Hardware and
[181] R. Callan, A. Zajic, and M. Prvulovic, “A practical methodology Embedded Systems, vol. 2020, no. 2, pp. 272–299, 2020.
for measuring the side-channel signal available to the attacker for [202] F. Koushanfar, I. Hong, and M. Potkonjak, “Behavioral synthesis tech-
instruction-level events,” in Annual IEEE/ACM Int. Symp. on Microar- niques for intellectual property protection,” ACM Trans. Des. Autom.
chitecture. IEEE, 2014, pp. 242–254. Electron. Syst., vol. 10, no. 3, p. 523–545, 2005.
[182] M. Witteman and M. Oostdijk, “Secure application programming in [203] D. Kirovski, Y. Hwang, M. Potkonjak, and J. Cong, “Protecting
the presence of side channel attacks,” in RSA conference, 2008. combinational logic synthesis solutions,” IEEE Trans. Comput.-Aided
[183] C. Kim, M. Schläffer, and S. Moon, “Differential side channel analysis Design Integr. Circuits Syst., vol. 25, no. 12, pp. 2687–2696, 2006.
attacks on FPGA implementations of ARIA,” ETRI Journal, vol. 30, [204] A. Cui, C. H. Chang, and S. Tahar, “IP watermarking using incremental
no. 2, pp. 315–325, 2008. technology mapping at logic synthesis level,” IEEE Trans. Comput.-
[184] S. Chari, J. R. Rao, and P. Rohatgi, “Template attacks,” in Interna- Aided Design Integr. Circuits Syst., vol. 27, no. 9, pp. 1565–1570,
tional Workshop on Cryptographic Hardware and Embedded Systems. 2008.
Springer, Aug. 2002, pp. 13–28. [205] A. Sengupta and M. Rathor, “Crypto-based dual-phase hardware
[185] F.-X. Standaert, T. G. Malkin, and M. Yung, “A unified framework for steganography for securing IP cores,” IEEE Letters of the Computer
the analysis of side-channel key recovery attacks,” in Annual Int. Conf. Society, vol. 2, no. 4, pp. 32–35, 2019.
on the theory and applications of cryptographic techniques. Springer, [206] A. Sengupta and M. Rathor, “Structural obfuscation and crypto-
2009, pp. 443–461. steganography-based secured JPEG compression hardware for medical
[186] P. Maistri and R. Leveugle, “Double-data-rate computation as a coun- imaging systems,” IEEE Access, vol. 8, pp. 6543–6565, 2020.
termeasure against fault analysis,” IEEE Trans. Comput., vol. 57, [207] J. A. Roy, F. Koushanfar, and I. L. Markov, “EPIC: Ending piracy of
no. 11, pp. 1528–1539, 2008. integrated circuits,” in Des. Autom. Test Europe Conf. Exhib. (DATE),
Mar. 2008, pp. 1069–1074.
[187] P. Maistri, P. Vanhauwaert, and R. Leveugle, “A novel double-data-
[208] J. Rajendran, Y. Pino, O. Sinanoglu, and R. Karri, “Logic encryption:
rate AES architecture resistant against fault injection,” in Workshop on
A fault analysis perspective,” in Des. Autom. Test Europe Conf. Exhib.
Fault Diagnosis and Tolerance in Cryptography, 2007, pp. 54–61.
(DATE), Mar. 2012, pp. 953–958.
[188] R. Karri, G. Kuznetsov, and M. Goessel, “Parity-based concurrent
[209] A. Baumgarten, A. Tyagi, and J. Zambreno, “Preventing IC piracy
error detection of substitution-permutation network block ciphers,” in
using reconfigurable logic barriers,” IEEE Des. Test. Comput., vol. 27,
Cryptographic Hardware and Embedded Systems - CHES, C. D. Walter,
no. 1, pp. 66–75, 2010.
Ç. K. Koç, and C. Paar, Eds. Berlin, Heidelberg: Springer Berlin
[210] P. Subramanyan, S. Ray, and S. Malik, “Evaluating the security of
Heidelberg, 2003, pp. 113–124.
logic encryption algorithms,” in IEEE Int. Symp. on Hardware Oriented
[189] T. G. Malkin, F.-X. Standaert, and M. Yung, “A comparative
Security and Trust (HOST), 2015, pp. 137–143.
cost/security analysis of fault attack countermeasures,” in Interna-
[211] M. Yasin, B. Mazumdar, O. Sinanoglu, and J. Rajendran, “Removal
tional Workshop on Fault Diagnosis and Tolerance in Cryptography.
attacks on logic locking and camouflaging techniques,” IEEE Transac-
Springer, 2006, pp. 159–172.
tions on Emerging Topics in Computing, vol. 8, no. 2, pp. 517–532,
[190] X. Guo, D. Mukhopadhyay, C. Jin, and R. Karri, “Security analysis of 2020.
concurrent error detection against differential fault analysis,” Journal [212] X. Xu, B. Shakya, M. M. Tehranipoor, and D. Forte, “Novel bypass
of Cryptographic Engineering, vol. 5, no. 3, pp. 153–169, 2015. attack and BDD-based tradeoff analysis against all known logic locking
[191] R. Karri, K. Wu, P. Mishra, and Yongkook Kim, “Concurrent error de- attacks,” in Cryptographic Hardware and Embedded Systems – CHES
tection schemes for fault-based side-channel cryptanalysis of symmetric 2017, W. Fischer and N. Homma, Eds. Cham: Springer International
block ciphers,” IEEE Trans. Comput.-Aided Design Integr. Circuits Publishing, 2017, pp. 189–210.
Syst., vol. 21, no. 12, pp. 1509–1517, 2002. [213] M. Yasin, A. Sengupta, M. T. Nabeel, M. Ashraf, J. J. Rajendran, and
[192] S. Patranabis, A. Chakraborty, D. Mukhopadhyay, and P. P. O. Sinanoglu, “Provably-secure logic locking: From theory to practice,”
Chakrabarti, “Fault space transformation: A generic approach to in ACM Conf. on Comp. and Comm. Sec. (CCS). New York, NY, USA:
counter differential fault analysis and differential fault intensity analysis ACM, 2017, p. 1601–1618.
on AES-like block ciphers,” IEEE Trans. Inf. Forensics Security, [214] F. Yang, M. Tang, and O. Sinanoglu, “Stripped functionality logic lock-
vol. 12, no. 5, pp. 1092–1102, 2017. ing with hamming distance-based restore unit (SFLL-hd) – unlocked,”
[193] M. Agoyan, S. Bouquet, J.-M. Dutertre, J. J.-A. Fournier, J.-B. Rigaud, IEEE Trans. Inf. Forensics Security, vol. 14, no. 10, pp. 2778–2786,
B. Robisson, and A. Tria, “Design and characterisation of an AES 2019.
chip embedding countermeasures,” International Journal of Intelligent [215] D. Sirone and P. Subramanyan, “Functional analysis attacks on logic
Engineering Informatics, p. 00, 2011. locking,” IEEE Trans. Inf. Forensics Security, vol. 15, pp. 2514–2527,
[194] M. Joye, P. Manet, and J. . Rigaud, “Strengthening hardware AES 2020.
implementations against fault attacks,” IET Information Security, vol. 1, [216] H. M. Kamali, K. Z. Azar, H. Homayoun, and A. Sasan, “Full-lock:
no. 3, pp. 106–110, 2007. Hard distributions of sat instances for obfuscating circuits using fully
[195] A. Battistello and C. Giraud, “Fault analysis of infective AES computa- configurable logic and routing blocks,” in Des. Autom. Conf. (DAC).
tions,” in Workshop on Fault Diagnosis and Tolerance in Cryptography. New York, NY, USA: ACM, Jun. 2019.
IEEE, 2013, pp. 101–107. [217] R. S. Chakraborty and S. Bhunia, “HARPOON: An obfuscation-
[196] B. Gierlichs, J.-M. Schmidt, and M. Tunstall, “Infective computa- based SoC design methodology for hardware protection,” IEEE Trans.
tion and dummy rounds: Fault protection for block ciphers without Comput.-Aided Design Integr. Circuits Syst., vol. 28, no. 10, pp. 1493–
check-before-output,” in Progress in Cryptology – LATINCRYPT 2012, 1502, 2009.
A. Hevia and G. Neven, Eds. Berlin, Heidelberg: Springer Berlin [218] A. Waksman, M. Suozzo, and S. Sethumadhavan, “FANCI: Identifica-
Heidelberg, 2012, pp. 305–321. tion of stealthy malicious logic using boolean functional analysis,” in
[197] J. Breier and W. He, “Multiple fault attack on PRESENT with a ACM Conf. on Comp. and Comm. Sec. (CCS). New York, NY, USA:
hardware Trojan implementation in FPGA,” in 2015 International ACM, 2013, p. 697–708.
Workshop on Secure Internet of Things (SIoT), 2015, pp. 58–64. [219] J. Zhang, F. Yuan, L. Wei, Y. Liu, and Q. Xu, “VeriTrust: Verification
[198] I. Roy, C. Rebeiro, A. Hazra, and S. Bhunia, “SAFARI: Automatic for hardware trust,” IEEE Trans. Comput.-Aided Design Integr. Circuits
synthesis of fault-attack resistant block cipher implementations,” IEEE Syst., vol. 34, no. 7, pp. 1148–1161, 2015.
Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 39, no. 4, pp. [220] S. K. Haider, C. Jin, M. Ahmad, D. M. Shila, O. Khan, and M. van
752–765, 2020. Dijk, “Advancing the state-of-the-art in hardware Trojans detection,”
26 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. X, NO. X, MM 2021
IEEE Transactions on Dependable Secure Computing, vol. 16, no. 1, [243] N. Veeranna and B. C. Schafer, “Hardware Trojan detection in behav-
pp. 18–32, 2019. ioral intellectual properties (IP’s) using property checking techniques,”
[221] M. Oya, Y. Shi, M. Yanagisawa, and N. Togawa, “A score-based IEEE Transactions on Emerging Topics in Computing, vol. 5, no. 4,
classification method for identifying hardware-Trojans at gate-level pp. 576–585, 2017.
netlists,” in Des. Autom. Test Europe Conf. Exhib. (DATE), Mar. 2015, [244] Y. Jin and Y. Makris, “Proof carrying-based information flow tracking
pp. 465–470. for data secrecy protection and hardware trust,” in IEEE VLSI Test
[222] M. Rathmair, F. Schupfer, and C. Krieg, “Applied formal methods for Symposium (VTS), 2012, pp. 252–257.
hardware Trojan detection,” in IEEE Symp. On Cir. and Syst. (ISCAS), [245] M. Bidmeshki and Y. Makris, “Toward automatic proof generation for
2014, pp. 169–172. information flow policies in third-party hardware IP,” in IEEE Int.
[223] X. Guo, R. G. Dutta, P. Mishra, and Y. Jin, “Scalable SoC trust Symp. on Hardware Oriented Security and Trust (HOST), 2015, pp.
verification using integrated theorem proving and model checking,” 163–168.
in IEEE Int. Symp. on Hardware Oriented Security and Trust (HOST), [246] Y. Jin, X. Guo, R. G. Dutta, M. Bidmeshki, and Y. Makris, “Data
2016, pp. 124–129. secrecy protection through information flow tracking in proof-carrying
[224] W. Hu, B. Mao, J. Oberg, and R. Kastner, “Detecting hardware Trojans hardware IP—part I: Framework fundamentals,” IEEE Trans. Inf.
with gate-level information-flow tracking,” Computer, vol. 49, no. 8, Forensics Security, vol. 12, no. 10, pp. 2416–2429, 2017.
pp. 44–52, 2016. [247] M. Bidmeshki, X. Guo, R. G. Dutta, Y. Jin, and Y. Makris, “Data
[225] Y. Huang, S. Bhunia, and P. Mishra, “MERS: Statistical test generation secrecy protection through information flow tracking in proof-carrying
for side-channel analysis based Trojan detection,” in ACM Conf. on hardware IP—part II: Framework automation,” IEEE Trans. Inf. Foren-
Comp. and Comm. Sec. (CCS). New York, NY, USA: ACM, 2016, sics Security, vol. 12, no. 10, pp. 2430–2443, 2017.
p. 130–141. [248] J. Portillo, E. John, and S. Narasimhan, “Building trust in 3PIP
[226] M. Banga, M. Chandrasekar, L. Fang, and M. S. Hsiao, “Guided test using asset-based security property verification,” in IEEE VLSI Test
generation for isolation and detection of embedded Trojans in ICs,” in Symposium (VTS), 2016, pp. 1–6.
ACM Great Lakes Symposium on VLSI (GLSVLSI). New York, NY, [249] X. Chen, Q. Liu, S. Yao, J. Wang, Q. Xu, Y. Wang, Y. Liu, and
USA: ACM, 2008, p. 363–366. H. Yang, “Hardware Trojan detection in third-party digital intellectual
[227] D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, and B. Sunar, property cores by multilevel feature analysis,” IEEE Trans. Comput.-
“Trojan detection using IC fingerprinting,” in IEEE Symp. on Sec. and Aided Design Integr. Circuits Syst., vol. 37, no. 7, pp. 1370–1383,
Priv. (SP), 2007, pp. 296–310. 2018.
[228] K. Xiao, X. Zhang, and M. Tehranipoor, “A clock sweeping technique [250] L. Piccolboni, A. Menon, and G. Pravadelli, “Efficient control-flow
for detecting hardware Trojans impacting circuits delay,” IEEE Design subgraph matching for detecting hardware Trojans in RTL models,”
& Test, vol. 30, no. 2, pp. 26–34, 2013. ACM Trans. Embed. Comput. Syst., vol. 16, no. 5s, 2017.
[229] B. Zhou, R. Adato, M. Zangeneh, T. Yang, A. Uyar, B. Goldberg, [251] A. Malekpour, R. Ragel, A. Ignjatovic, and S. Parameswaran, “Dos-
S. Unlu, and A. Joshi, “Detecting hardware Trojans using backside guard: Protecting pipelined mpsocs against hardware Trojan based
optical imaging of embedded watermarks,” in Des. Autom. Conf. DoS attacks,” in IEEE Int. Conf. on Application-specific Systems,
(DAC). New York, NY, USA: ACM, Jun. 2015. Architectures and Processors (ASAP), 2017, pp. 45–52.
[230] D. Forte, C. Bao, and A. Srivastava, “Temperature tracking: An
[252] S. Dupuis, P. Ba, G. Di Natale, M. Flottes, and B. Rouzeyre, “A novel
innovative run-time approach for hardware Trojan detection,” in Int.
hardware logic encryption technique for thwarting illegal overproduc-
Conf Comput.-Aided Des. IEEE, 2013, pp. 532–539.
tion and hardware Trojans,” in IEEE International On-Line Testing
[231] S. Narasimhan, D. Du, R. S. Chakraborty, S. Paul, F. G. Wolff, C. A. Symposium (IOLTS), 2014, pp. 49–54.
Papachristou, K. Roy, and S. Bhunia, “Hardware Trojan detection
[253] J. Rajendran, H. Zhang, C. Zhang, G. S. Rose, Y. Pino, O. Sinanoglu,
by multiple-parameter side-channel analysis,” IEEE Trans. Comput.,
and R. Karri, “Fault analysis-based logic encryption,” IEEE Trans.
vol. 62, no. 11, pp. 2183–2195, 2013.
Comput., vol. 64, no. 2, pp. 410–424, 2015.
[232] Y. Huang, S. Bhunia, and P. Mishra, “Scalable test generation for Trojan
[254] Y. Xie, C. Bao, and A. Srivastava, “Security-aware design flow for 2.5D
detection using side channel analysis,” IEEE Trans. Inf. Forensics
IC technology,” in International Workshop on Trustworthy Embedded
Security, vol. 13, no. 11, pp. 2746–2760, 2018.
Devices. New York, NY, USA: ACM, 2015, p. 31–38.
[233] Y. Liu, K. Huang, and Y. Makris, “Hardware Trojan detection through
golden chip-free statistical side-channel fingerprinting,” in Des. Autom. [255] Y. Lao and K. K. Parhi, “Obfuscating DSP circuits via high-level
Conf. (DAC). New York, NY, USA: ACM, Jun. 2014, p. 1–6. transformations,” IEEE Trans. VLSI Syst., vol. 23, no. 5, pp. 819–830,
[234] T. Hoque, S. Narasimhan, X. Wang, S. Mal-Sarkar, and S. Bhunia, 2015.
“Golden-Free hardware Trojan detection with high sensitivity under [256] A. Sengupta, D. Roy, S. P. Mohanty, and P. Corcoran, “DSP design
process noise,” J. Electron. Test., vol. 33, no. 1, p. 107–124, 2017. protection in CE through algorithmic transformation based structural
[235] H. Salmani, M. Tehranipoor, and J. Plusquellic, “A novel technique for obfuscation,” IEEE Trans. Consum. Electron., vol. 63, no. 4, pp. 467–
improving hardware Trojan detection and reducing Trojan activation 476, 2017.
time,” IEEE Trans. VLSI Syst., vol. 20, no. 1, pp. 112–125, 2012. [257] A. Sengupta, D. Roy, S. P. Mohanty, and P. Corcoran, “Low-cost
[236] J. Rajendran, V. Jyothi, O. Sinanoglu, and R. Karri, “Design and obfuscated JPEG CODEC IP core for secure CE hardware,” IEEE
analysis of ring oscillator based Design-for-Trust technique,” in VLSI Trans. Consum. Electron., vol. 64, no. 3, pp. 365–374, 2018.
Test Symposium, 2011, pp. 105–110. [258] A. Sengupta, S. Neema, P. Sarkar, S. Harsha P, S. P. Mohanty, and
[237] Y. Cao, C. H. Chang, and S. Chen, “A cluster-based distributed active M. K. Naskar, “Obfuscation of fault secured DSP design through hybrid
current sensing circuit for hardware Trojan detection,” IEEE Trans. Inf. transformation,” in IEEE Computer Society Annual Symposium on VLSI
Forensics Security, vol. 9, no. 12, pp. 2220–2231, 2014. (ISVLSI), Jul. 2018, pp. 732–737.
[238] K. Xiao, D. Forte, and M. Tehranipoor, “A novel built-in self- [259] K. Huang, J. M. Carulli, and Y. Makris, “Parametric counterfeit IC
authentication technique to prevent inserting hardware Trojans,” IEEE detection via support vector machines,” in Int. Symp. on Defect and
Trans. Comput.-Aided Design Integr. Circuits Syst., vol. 33, no. 12, pp. Fault Tolerance in VLSI and Nanotechnology Systems (DFT). IEEE,
1778–1791, 2014. Oct. 2012, pp. 7–12.
[239] S. Bhunia, M. Abramovici, D. Agrawal, P. Bradley, M. S. Hsiao, [260] W. Shan, S. Zhang, J. Xu, M. Lu, L. Shi, and J. Yang, “Machine
J. Plusquellic, and M. Tehranipoor, “Protection against hardware Trojan learning assisted side-channel-attack countermeasure and its application
attacks: Towards a comprehensive solution,” IEEE Design & Test, on a 28-nm AES circuit,” IEEE J. Solid-State Circuits, 2019.
vol. 30, no. 3, pp. 6–17, 2013. [261] N. Papernot, P. McDaniel, X. Wu, S. Jha, and A. Swami, “Distillation
[240] Y. Jin and D. Sullivan, “Real-time trust evaluation in integrated as a defense to adversarial perturbations against deep neural networks,”
circuits,” in Des. Autom. Test Europe Conf. Exhib. (DATE), Mar. 2014, in IEEE Symp. on Sec. and Priv. (SP), May 2016, pp. 582–597.
pp. 1–6. [262] A. N. Bhagoji, D. Cullina, C. Sitawarin, and P. Mittal, “Enhancing
[241] J. He, X. Guo, H. Ma, Y. Liu, Y. Zhao, and Y. Jin, “Runtime trust robustness of machine learning systems via data transformations,” in
evaluation and hardware Trojan detection using on-chip EM sensors,” Annual Conference on Information Sciences and Systems, Nov. 2018,
in Des. Autom. Conf. (DAC), Jul. 2020, pp. 1–6. pp. 1–5.
[242] J. Rajendran, V. Vedula, and R. Karri, “Detecting malicious modifica- [263] D. Meng and H. Chen, “MagNet: A two-pronged defense against
tions of data in third-party intellectual property cores,” in Des. Autom. adversarial examples,” in ACM Conf. on Comp. and Comm. Sec. (CCS).
Conf. (DAC), Jun. 2015, pp. 1–6. New York, NY, USA: ACM, Oct. 2017, p. 135–147.
HU et al.: AN OVERVIEW OF HARDWARE SECURITY AND TRUST: THREATS, COUNTERMEASURES AND DESIGN TOOLS 27
[264] J. Lin, C. Gan, and S. Han, “Defensive quantization: When efficiency ware and Architectural Support for Security and Privacy (HASPP).
meets robustness,” Int. Conf. on Learning Representations (ICLR), New New York, NY, USA: ACM, 2019, pp. 7:1–7:8.
Orleans, LA, USA, 2019. [286] Mentor Graphics, “Questa secure check - exhaustive verification of
[265] R. Feinman, R. R. Curtin, S. Shintre, and A. B. Gardner, “Detecting secure paths to critical hardware storage,” 2016, https://www.mentor.
adversarial samples from artifacts,” 2017. com/products/fv/questa-secure-check.
[266] K. W. Nixon, J. Mao, J. Shen, H. Yang, H. H. Li, and Y. Chen, “SPN [287] Cadence, “JasperGold security path verification App,” 2016,
dash: Fast detection of adversarial attacks on mobile via sensor pattern https://www.cadence.com/content/cadence-www/global/en US/home/
Wei Hu (M'17) is currently an associate professor with the School of Cybersecurity, Northwestern Polytechnical University (NPU). He received his BS, MS and PhD in 2005, 2008 and 2012, respectively, all from the same university. His research interests are in hardware security, cryptography, formal security verification, logic and high-level synthesis, formal methods and reconfigurable computing. Dr. Hu serves as the Guest Associate Editor of IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems. He has been an Organizing Committee member of IEEE International Symposium on Hardware Oriented Security and Trust and Asian Hardware Oriented Security and Trust Symposium since 2017. He was the Technical Program Co-Chair of 2019 Asian Hardware Oriented Security and Trust Symposium and Technical Program Committee Member of ICCD, ASAP and CFTC. He has published over 70 papers in peer-reviewed journals and conferences, 2 books and 3 patents.
28 IEEE TRANSACTIONS ON COMPUTER-AIDED DESIGN OF INTEGRATED CIRCUITS AND SYSTEMS, VOL. X, NO. X, MM 2021
Chip Hong Chang (S'92-M'98-SM'03-F'18) received the B. Eng. (Hons.) degree from the National University of Singapore in 1989, and the M. Eng. and Ph.D. degrees from Nanyang Technological University (NTU) of Singapore in 1993 and 1998, respectively. He is an Associate Professor of the School of Electrical and Electronic Engineering (EEE) of NTU. He held joint appointments with the university as Assistant Chair of Alumni from 2008 to 2014, Deputy Director of the Center for High Performance Embedded Systems from 2000 to 2011, and Program Director of the Center for Integrated Circuits and Systems from 2003 to 2009. He has co-edited 5 books, published 13 book chapters, more than 100 international journal papers (more than 70 are in IEEE) and more than 180 refereed international conference papers (mostly in IEEE), and delivered over 40 colloquia. His current research interests include hardware security, DNN security, unconventional number systems, low-power arithmetic circuits, digital image and signal processing algorithms and architectures. Dr. Chang serves as the Senior Associate Editor and Associate Editor of the IEEE Transactions on Information Forensics and Security since June 2020, and 2016-2019, respectively, Associate Editor of IEEE Transactions on Very Large Scale Integration (VLSI) Systems from 2011 to 2020, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems from 2016 to 2019, IEEE Transactions on Circuits and Systems-I since 2020 and from 2010 to 2013, IEEE Access from 2013 to 2019, Integration, the VLSI Journal from 2013-2015, Springer Journal of Hardware and System Security from 2016 to 2020 and Microelectronics Journal from 2014 to 2020. He guest edited several journal special issues and served in the organizing and technical program committee of more than 60 international conferences. He is also an IET Fellow and 2018-2019 Distinguished Lecturer of IEEE Circuits and Systems Society.

Anirban Sengupta is an Associate Professor in Computer Science and Engineering at Indian Institute of Technology (I.I.T) Indore. He is an elected Fellow of IET and Fellow of British Computer Society (FBCS), UK. He is a registered Professional Engineer of Ontario (P.Eng.). He has been awarded prestigious IEEE Distinguished Lecturer by IEEE Consumer Electronics Society in 2017 and IEEE Distinguished Visitor by IEEE Computer Society in 2019. He has more than 216 Publications including 3 Books and 11 Patents. He is author of 3 Books from IET and Springer on Hardware Security, IP core protection and VLSI Design. He is currently Deputy Editor-in-Chief of IET Computers and Digital Techniques Journal and Editor-in-Chief of IEEE VLSI Circuits & Systems Letter of IEEE Computer Society TCVLSI. He is currently the Chair of IEEE Computer Society TCVLSI. He currently serves/served in more than 16 Editorial positions of several IEEE Transactions/Journals, IET and Elsevier Journals including IEEE Transactions on Aerospace and Electronic Systems (TAES), IEEE Transactions on VLSI Systems, IEEE Transactions on Consumer Electronics, IEEE Access Journal, IET Journal on Computer & Digital Techniques, IEEE Consumer Electronics, IEEE Canadian Journal of Electrical and Computer Engineering, IEEE VLSI Circuits & Systems Letter and other Journals. He is a recipient of several IEEE Honors such as IEEE Chester Sall Memorial Consumer Electronics Award, IEEE Outstanding Editor Awards, IEEE Outstanding Service Awards and IEEE Best Paper Awards from Journals/Magazines and Conferences. He was the General/Conference Chair of 37th IEEE International Symposium on Consumer Electronics (ICCE) 2019, Las Vegas and Technical Program Chair of 36th IEEE International Conference on Consumer Electronics (ICCE) 2018 in Las Vegas, 9th IEEE International Conference on Consumer Electronics (ICCE) - Berlin 2019, 15th IEEE International Conference on Information Technology (ICIT) 2016, 3rd IEEE International Symposium on Nanoelectronic and Information Systems (iNIS) 2017. More details are available at: www.anirban-sengupta.com

Swarup Bhunia received his B.E. (Hons.) from Jadavpur University, Kolkata, India, M.Tech. from the Indian Institute of Technology (IIT), Kharagpur, and Ph.D. from Purdue University, IN, USA. Currently, Dr. Bhunia is a professor and Semmoto Endowed Chair in the University of Florida, FL, USA. Earlier he was appointed as the T. and A. Schroeder associate professor of Electrical Engineering and Computer Science at Case Western Reserve University, Cleveland, OH, USA. He has over ten years of research and development experience with over 250 publications in peer-reviewed journals and premier conferences. His research interests include hardware security and trust, adaptive nanocomputing and novel test methodologies. Dr. Bhunia received IBM Faculty Award (2013), National Science Foundation career development award (2011), Semiconductor Research Corporation Inventor Recognition Award (2009), and SRC technical excellence award as a team member (2005), and several best paper awards/nominations. He has been serving as an associate editor of IEEE Transactions on CAD, IEEE Transactions on Multi-Scale Computing Systems, ACM Journal of Emerging Technologies; served as guest editor of IEEE Design & Test of Computers (2010, 2013) and IEEE Journal on Emerging and Selected Topics in Circuits and Systems (2014). He has served in the organizing and program committee of many IEEE/ACM conferences.

Ryan Kastner is a professor in the Department of Computer Science and Engineering at the University of California San Diego. He received a PhD in Computer Science (2002) at UCLA, a Masters degree in engineering (2000) and Bachelor degrees (BS) in both Electrical Engineering and Computer Engineering (1999) from Northwestern University. Professor Kastner's research interests are broad and varied, but generally fall into three areas: hardware acceleration, hardware security, and remote sensing. He is the co-director of the Wireless Embedded Systems Graduate Program, a specialized Masters degree targeting individuals working in local industries. He co-directs the Engineers for Exploration Program, which pairs student researchers with domain scientists to build technologies to aid in activities related to archaeology, conservation, and cultural heritage. He has been working in the hardware security space for over 15 years performing fundamental research in FPGA security, 3D integrated circuit security, and hardware information flow tracking. He is the co-founder of the company Tortuga Logic that develops hardware security solutions based upon technology developed in his research group.

Hai (Helen) Li (M'08-SM'16-F'19) received the B.S. and M.S. degrees from Tsinghua University, Beijing, China, and the Ph.D. degree from the Department of Electrical and Computer Engineering, Purdue University, West Lafayette, IN, USA, in 2004. Dr. Li currently is a Professor of the Department of Electrical and Computer Engineering at Duke University, Durham, NC, USA. She has authored or co-authored more than 200 papers in peer-reviewed journals and conferences and a book entitled Nonvolatile Memory Design: Magnetic, Resistive, and Phase Changing (CRC Press, 2011). Her current research interests include neuromorphic computing systems, machine learning and deep neural networks, memory design and architecture, and cross-layer optimization for low power and high performance. Dr. Li is a Distinguished Lecturer of the IEEE CAS society (2018-2019) and a distinguished speaker of ACM (2017-2020). Dr. Li is a recipient of the NSF Career Award (2012), DARPA Young Faculty Award (2013), TUM-IAS Hans Fischer Fellowship from Germany (2017), and ELATE Fellowship (2020). She received eight best paper awards and an additional nine best paper nominations from international conferences. Dr. Li serves as Associate Editor of IEEE TCAD, IEEE TVLSI, IEEE TCAS-II, IEEE TMSCS, ACM TECS, IEEE CEM, ACM TODAES, and IET-CPS. She was the General Chair or Technical Program Chair of multiple IEEE/ACM conferences and a Technical Program Committee member of over 30 international conference series. Dr. Li is an IEEE fellow and a distinguished member of the ACM.