HOST
Hardware Trojans III
ECE 495/595
Proposed Trojan Detection Methods
D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, B. Sunar, "Trojan Detection using IC Fingerprinting," Symposium on Security and Privacy, 2007, pp. 296-310.
Use noise modeling to construct a set of fingerprints for an IC family utilizing side-channel information such as power, temperature and EM profiles
Fingerprints are developed using a few ICs, which are later destructively verified
The chips-under-test (CUTs) are verified using statistical tests against the fingerprints
They show that Trojans 3-4 orders of magnitude smaller than the CUT can be detected using signal processing techniques
Problem: The problem of Trojan detection essentially reduces to detecting a Trojan signal hiding in the IC process noise, i.e., the small, random, physical and side-channel differences among different ICs produced from the same process.
ECE UNM
(2/23/12)
Proposed Trojan Detection Methods (Agrawal et al)
They identified several challenges:
  To determine a small and non-redundant set of tests that provide sufficient coverage of the IC's functionality
  To [determine test patterns that are comprehensive and practical], and which are capable of distinguishing most Trojans from genuine ICs
  [Destructive verification uses] demasking, delayering and layer-by-layer comparison of X-ray scans with the original mask -- expensive but done on only a few ICs
Experiments: Determine the effectiveness of the fingerprinting methodology for detecting Trojans by using power simulations
  Experimental design: cryptographic circuits implementing the Advanced Encryption Standard (AES) and RSA algorithm
  Trojans investigated: Trojans triggered by timing/clock counting and Trojans triggered by a synchronous/asynchronous comparator
  Trojan sizes: range from 10% to 0.01% of the total IC size
  Noise modeling: noise introduced by process variations (+/- 2%, 5%, 7.5%)
Proposed Trojan Detection Methods (Agrawal et al)
Power consumption:
$P = \left(\tfrac{1}{2} C V_{DD}^2 + Q_{se} V_{DD}\right) f N + I_{leak} V_{DD}$
N: switching activity
I_leak depends only on the number of gates (not switching activity)
Dynamic power is linearly dependent on the clock frequency and switching activity
Trojan detection by clock speed manipulation: fast vs slow frequency
Proposed Trojan Detection Methods (Agrawal et al)
What about hiding a Trojan in the signal measurement noise?
They claim measurement noise can be eliminated by averaging. Therefore, they claim the problem degenerates to a signal characterization problem.
The objective is to characterize the process noise and check if the signal for the chip-under-test (CUT) differs from the process noise
(Figure: two cases, Trojan detected and Trojan not distinguishable from the process noise.)
Authors propose the use of subspace projection, which projects process noise signals from genuine ICs to a subspace where signals from Trojans and genuine ICs differ
Proposed Trojan Detection Methods (Agrawal et al)
The challenge is guessing how the Trojan may change the genuine signal; otherwise full characterization of the process noise is necessary
Authors propose advanced signal processing techniques (Karhunen-Loeve expansion) to find a signal subspace in which process noise is absent
Unless the Trojan signals completely live in this subspace (unlikely), projecting the Trojan signal onto this subspace reveals its presence
Authors perform experiments on RSA implementations with 3 different sized Trojans
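The subspace-projection idea from the two slides above, as an added example that is not the authors' code: process variation is modelled as a per-chip gain and offset on a nominal trace (measurement noise already averaged out), so the process-noise subspace is estimated with Gram-Schmidt over the fingerprint chips instead of the Karhunen-Loeve expansion, and the CUT is flagged when energy remains after that subspace is projected out. NOMINAL, the gain/offset ranges and the threshold rule are constructed assumptions.

```python
import math
import random

# Constructed 16-sample power trace of the nominal design (not the authors' data).
NOMINAL = [4.0, 6.0, 9.0, 7.0, 5.0, 8.0, 12.0, 10.0, 6.0, 5.0, 9.0, 11.0, 8.0, 6.0, 4.0, 5.0]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def genuine_trace(gain, offset):
    """Trace of a genuine IC once measurement noise has been averaged out:
    process variation is modelled (assumption) as a per-chip gain and offset."""
    return [gain * s + offset for s in NOMINAL]

def orthonormal_basis(traces, tol=1e-9):
    """Gram-Schmidt over the fingerprint traces: an orthonormal basis of the
    process-noise subspace (the role the KL expansion plays in the paper)."""
    basis = []
    for t in traces:
        r = list(t)
        for b in basis:
            c = dot(r, b)
            r = [ri - c * bi for ri, bi in zip(r, b)]
        norm = math.sqrt(dot(r, r))
        if norm > tol:                      # skip directions already spanned
            basis.append([ri / norm for ri in r])
    return basis

def residual_energy(trace, basis):
    """Energy of the trace after projecting out the process-noise subspace,
    i.e. the part that lies in the subspace where process noise is absent."""
    r = list(trace)
    for b in basis:
        c = dot(r, b)
        r = [ri - c * bi for ri, bi in zip(r, b)]
    return dot(r, r)

def build_fingerprint(n_chips=6, seed=1):
    """Fingerprint built from a few (destructively verified) genuine chips."""
    rng = random.Random(seed)
    traces = [genuine_trace(1 + rng.uniform(-0.075, 0.075), rng.uniform(-0.3, 0.3))
              for _ in range(n_chips)]
    basis = orthonormal_basis(traces)
    # Detection threshold: worst fingerprint residual plus a small margin (assumption).
    threshold = max(residual_energy(t, basis) for t in traces) + 1e-6
    return basis, threshold

def is_trojan(cut_trace, basis, threshold):
    return residual_energy(cut_trace, basis) > threshold

def demo():
    basis, threshold = build_fingerprint()
    clean = genuine_trace(1.05, 0.2)       # CUT with process variation only
    trojan = list(clean)
    trojan[6] += 0.05                       # CUT with a tiny extra draw at one sample
    return is_trojan(clean, basis, threshold), is_trojan(trojan, basis, threshold)
```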
Proposed Trojan Detection Methods
"Detecting Trojans Through Leakage Current Analysis Using Multiple Supply Pad IDDQs," Jim Aarestad, Dhruva Acharyya, Reza Rad, and Jim Plusquellic, Transactions on Information Forensics and Security, Volume 5, Issue 4, 2010, pp. 893-904.
The main deficiency with parametric testing approaches is sensitivity
  Scaling increases manufacturing process variations
  A larger number of components on a chip decreases the relative magnitude of the electrical signature of each component
The challenge of implementing an effective parametric Trojan-detection method is
  To design it with enough sensitivity to detect small anomalies introduced by Trojans
  Building in a mechanism to filter out the natural electrical variations that occur because of manufacturing process variations
Proposed Trojan Detection Methods (Aarestad, et al)
Contributions:
  Proposed approach is to measure IDDQ (steady-state current) at multiple places simultaneously across the 2-D surface of the chip
  A region-based IDDQ method directly addresses the adverse impact of increasing levels of process variations and leakage currents
  Proposed approach uses signal calibration techniques to attenuate and remove PE (process and environmental) signal variation effects
Experiment:
  A set of chips fabricated in IBM's 65 nm, 10 metal layer SOI technology are used in the experiments
  The chips incorporate an array of cells that allow a Trojan to be emulated in one of 4,000 distinct locations on the chip
  The test structure permits control over:
    The position and magnitude of the Trojan current
    The magnitude and distributional characteristics of the chip-wide leakage current
Proposed Trojan Detection Methods (Aarestad, et al)
(Figure: Trojan emulation test structure. An 80x50 array of test cells (TCs), TC0,1 through TC49,77, with each transistor controlled by a scan FF; four power pads PP00, PP01, PP10, PP11 connected to the PWR grid (10 metal layers, 0.9 V supply) through mechanical switches; a global current source meter, a local current source meter and an ammeter; a Trojan emulation grid wire and Trojan emulation transistor (Trojan source, current I_T) next to a shorting inverter in each cell, with leakage current I_leak; die dimensions 558 by 380 (unit lost in extraction).)
Proposed Trojan Detection Methods (Aarestad, et al)
Trojan-free leakage current distribution, and emulated Trojan placement, labeled 1 through 9 in the figure.
(Figure: chip map with PP00, PP01, PP10, PP11 at the corners and x/y cell coordinates 0 to 79 and 0 to 49; quadrants labeled Q0: low leakage, Q1: medium leakage, Q2: medium leakage, Q3: high leakage; emulated Trojan positions 1 through 9.)
Scan chain allows the off state of the shorting inverters to be configured into a high leakage (HL) or low leakage (LL) state
Proposed Trojan Detection Methods (Aarestad, et al)
Golden model is defined by the actual chips (not simulation experiments) by disabling all emulated Trojans
Four branch currents through PP00 through PP11 (and global currents) are measured for each chip
Emulated Trojan experiments enable one Trojan emulation transistor
  TESM voltage is swept from 0.8 V to 0.89 V in 10 mV steps (10 steps)
  For each step, 4 branch currents (and global current) are measured
  Trojan current varied from 8 uA to 62 uA
All together, each chip produces 91 data sets: 1 Trojan-free data set and 90 emulated Trojan data sets (9 Trojans * 10 TESM voltages)
With 45 chips, there are a total of 45 Trojan-free data sets and 4,050 emulated Trojan data sets.
Proposed Trojan Detection Methods (Aarestad, et al)
Our statistical analysis is implemented using scatterplots, where one PP current is plotted against another
(Figure: the six PP pairings PP00-PP01, PP00-PP10, PP01-PP11, PP10-PP11, PP00-PP11, PP01-PP10 (6 combinations), shown as uncalibrated and calibrated data, e.g. PP01 currents against PP11 currents: Trojan-free data points, regression line, 3 sigma limits, and the points for chip C1 and chip C2 with Trojan #4 at each TESM voltage; calibration increases the displacement from the regression line.)
Regression involves deriving a best fit line through the Trojan-free data points
3 sigma statistical limits (parabolic curves) can then be derived
A Trojan is detected if its data point falls outside the limits in at least one of the six scatterplots
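The regression-and-limits test from this slide, as an added example that is not the authors' code: a best-fit line is derived through constructed Trojan-free (PP_a, PP_b) points for each of the six pairings, the 3 sigma limits are the prediction interval (which widens away from the mean, giving the parabolic curves), and a chip is flagged if it is outside the limits in any pairing. The nominal currents, the chip-wide leakage scale, the bounded noise and the 20 uA emulated Trojan are constructed assumptions; the calibration step is not modelled.

```python
import itertools
import math
import random

PADS = ["PP00", "PP01", "PP10", "PP11"]
PAIRINGS = list(itertools.combinations(range(4), 2))   # the six scatterplots
# Constructed nominal branch currents (uA) for the four power pads (assumption).
NOMINAL = [30.0, 20.0, 25.0, 25.0]

def chip_currents(rng, trojan_pad=None, trojan_ua=0.0):
    """Branch currents of one chip: chip-wide leakage scale plus bounded noise (constructed)."""
    scale = rng.uniform(0.8, 1.2)
    cur = [scale * n + rng.uniform(-0.5, 0.5) for n in NOMINAL]
    if trojan_pad is not None:
        cur[trojan_pad] += trojan_ua                  # emulated Trojan draws extra current
    return cur

def fit(xs, ys):
    """Least-squares line through Trojan-free points plus the residual standard deviation."""
    n = len(xs)
    xbar, ybar = sum(xs) / n, sum(ys) / n
    sxx = sum((x - xbar) ** 2 for x in xs)
    slope = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys)) / sxx
    icpt = ybar - slope * xbar
    s = math.sqrt(sum((y - icpt - slope * x) ** 2 for x, y in zip(xs, ys)) / (n - 2))
    return {"slope": slope, "icpt": icpt, "s": s, "n": n, "xbar": xbar, "sxx": sxx}

def outside_limits(model, x, y, k=3.0):
    """3 sigma prediction limits; they widen away from xbar, giving the parabolic curves."""
    half = k * model["s"] * math.sqrt(1 + 1 / model["n"] + (x - model["xbar"]) ** 2 / model["sxx"])
    return abs(y - (model["icpt"] + model["slope"] * x)) > half

def build_models(golden):
    """One regression per PP pairing from the Trojan-free (golden) chips."""
    return {(a, b): fit([c[a] for c in golden], [c[b] for c in golden]) for a, b in PAIRINGS}

def trojan_detected(models, cur):
    """Flag the chip if its point lies outside the limits in at least one of the six plots."""
    return any(outside_limits(models[(a, b)], cur[a], cur[b]) for a, b in PAIRINGS)

def demo(n_chips=45, seed=7):
    rng = random.Random(seed)
    golden = [chip_currents(rng) for _ in range(n_chips)]
    models = build_models(golden)
    nominal_chip = list(NOMINAL)                              # no noise, no Trojan
    trojan_chip = chip_currents(rng, trojan_pad=0, trojan_ua=20.0)
    return trojan_detected(models, nominal_chip), trojan_detected(models, trojan_chip)
```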
Proposed Trojan Detection Methods (Aarestad, et al)
Calibration
Dispersion in Trojan-free data points is caused by chip-to-chip variations in the power grid resistance, i.e., series resistance variations from the PPs to the external power supply
Special calibration circuits (CCs) are inserted into the design
  They are identical to those shown earlier but without the Trojan emulation transistor and wire
  They are inserted under each of the PPs
Calibration data is collected by enabling each of the CCs (one at a time) and measuring the 4 branch and global currents
A matrix of calibration currents is constructed from normalized branch currents, where each is divided by the corresponding global current
This matrix (one for each chip) is used to calibrate data collected under the emulated Trojan tests
Proposed Trojan Detection Methods (Aarestad, et al)
Calibration matrix and calibration operation
(Figure: the 4x4 chip calibration matrix X = [x_ij] built from chip data is inverted; together with the 4x4 matrix S = [r_ij] of data collected from the golden simulation model it yields the 4x4 transformation matrix A = [a_ij]; applying the transformation to the branch currents I0, I1, I2, I3 measured from the chip under the Trojan test gives the corrected data N0, N1, N2, N3.)
Proposed Trojan Detection Methods (Aarestad, et al)
Regional leakage current variations decrease Trojan detection sensitivity
(Figure: leakage current maps for chips C1 and C2, percentage change (PC, from -30% to 60%) against x- and y-coordinate, under the LL pattern and the HL patterns HL1, HL2, HL3-61, HL62, HL63, HL64.)
Proposed Trojan Detection Methods (Aarestad, et al)
Regression Analysis for Trojan detection:
(Figure: uncalibrated and calibrated scatterplots of PP currents (PP00, PP01, PP10, PP11 pairings) for Trojans #1 through #9, 450 points per scatterplot (45 chips times 10 TESM voltages); the Trojans detected are marked, and more Trojans are detected in the calibrated plots.)
Proposed Trojan Detection Methods (Aarestad, et al)
Before and after calibration:
(Figure: PPxy current scatterplots for all six pairings (PP00-PP01, PP01-PP11, PP01-PP10, PP10-PP11, PP00-PP11, PP00-PP10), uncalibrated and calibrated, and bar charts of the number of chips (0 to 45) in which each Trojan #1 through #9 (Trojan current 8...62 uA) is detected by regression, uncalibrated versus calibrated.)
Proposed Trojan Detection Methods
F. Wolff, C. Papachristou, S. Bhunia, and R. Chakraborty, "Towards Trojan-Free Trusted ICs: Problem Analysis and Detection Scheme," Design, Automation and Test in Europe, 2008, pp. 1362-1365.
Authors identify three possible triggering mechanisms:
  Rare value triggered
  Time-triggered
  Both
Two components:
  Triggering: occurs only under rare conditions
  Payload activation logic
Insertion is likely at nodes with low controllability and observability
The adversary disables the Trojan when the test enable signal is driven
Therefore, scan-based designs do NOT help improve security and functional test must be used.
Proposed Trojan Detection Methods (Wolff et al)
They define a Trojan test vector as a trigger vector that propagates the payload to the circuit output
A trigger vector only triggers the Trojan
Proposed Trojan Detection Methods (Wolff et al)
They define the nodes targeted by their technique using 2 rules:
  The target nodes are all combinations of q nodes that attain a specific logic value with frequency <= f_th, where q is the number of Trojan inputs and f_th is the probability that those nodes are toggled.
  Insert payload (gates that change functionality) on nodes that have a low probability of propagating to a circuit output
They use logic and fault simulators to identify a set of target nodes and payload nodes, and then use ATPG to determine the trigger test vectors
Details of the ATPG strategy are not provided
They admit their strategy can be effective in detecting most small combinational Trojans
Proposed Trojan Detection Methods
H. Salmani, M. Tehranipoor, J. Plusquellic, "New Design Strategy for Improving Hardware Trojan Detection and Reducing Trojan Activation Time," IEEE International Workshop on Hardware-Oriented Security and Trust, July 2009, pp. 66-73.
The authors analyze the amount of time it takes to 1) generate a transition in a functional Trojan, partially activating it with test vectors, and 2) trigger a hardware Trojan
They propose a dummy FF insertion process to increase Trojan activity and ultimately reduce Trojan activation time
Trojan inputs are likely connected to nodes with low controllability and/or observability.
A Trojan cone is used to describe the logic gates driving the inputs to a Trojan gate
(Figure: two Trojan cones, one with 17 gates in the cone and 11 levels, the other with 7 gates in the cone and 2 levels.)
Proposed Trojan Detection Methods (Salmani et al)
Application of random patterns shows that different numbers of transitions occur in the Trojan gate, which largely depend on the Trojan cone configuration
Probability analysis can determine the likelihood of a Trojan gate output switching; for a 2-input AND Trojan gate:
$\text{output\_prob}_1 = \text{input\_prob}_1 \cdot \text{input\_prob}_2$, $\text{output\_prob}_0 = 1 - \text{output\_prob}_1$
They use a geometric distribution function to compute the average number of clock cycles it takes to generate a transition in the Trojan gate: $P^{-1} - 1$, where $P$ is the transition probability
Large differences in the output probabilities reduce the transition probability significantly; therefore, it is best to try to balance these
Proposed Trojan Detection Methods (Salmani et al)
The authors propose to insert dummy FFs to maintain a balance
This eliminates hard-to-activate sites, which in turn increases the probability of switching (full or partial activation) in the Trojan
So, this eliminates the need to focus on rare conditions, as in Wolff et al
A threshold probability, PTH, is defined to select nets for dummy FF modification
The choice trades off area overhead versus Trojan transition generation time
Also, when transient current methods are used to detect the Trojan, partial activation is sufficient, and the larger the number of partial activations, the better
The authors give an expression that trades off test time, area overhead and the number of Trojan transitions
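The probability analysis of the previous slide and the PTH-based dummy FF selection of this one, as an added example that is not the authors' code: signal probabilities are propagated through a constructed Trojan cone, the transition probability of the Trojan gate is P = p1 * p0, the expected cycles to a transition are P^-1 - 1, and nets whose rarer value has probability below PTH receive a dummy FF. The cone, the uniform input patterns and the modelling of a dummy-FF net as balanced (p1 = 0.5) are assumptions.

```python
# Constructed Trojan cone (not from the paper): primary inputs a..e feed a
# chain of gates ending in a 2-input AND Trojan gate. Each entry is (type, inputs).
CONE = {
    "n1": ("AND", ["a", "b"]),
    "n2": ("AND", ["n1", "c"]),
    "n3": ("AND", ["n2", "d"]),      # 1 only when a=b=c=d=1: a hard-to-activate net
    "n4": ("OR", ["d", "e"]),
    "trojan": ("AND", ["n3", "n4"]),
}
INPUT_P1 = {x: 0.5 for x in "abcde"}   # uniform random patterns on the primary inputs

def prob_one(net, cone, dummy=(), memo=None):
    """Probability that `net` is 1 under random patterns (inputs assumed independent).
    A net carrying a dummy FF is modelled as balanced, p1 = 0.5 (assumption)."""
    memo = {} if memo is None else memo
    if net in INPUT_P1:
        return INPUT_P1[net]
    if net in memo:
        return memo[net]
    if net in dummy:
        p = 0.5
    else:
        kind, ins = cone[net]
        ps = [prob_one(i, cone, dummy, memo) for i in ins]
        if kind == "AND":
            p = ps[0] * ps[1]
        elif kind == "OR":
            p = 1 - (1 - ps[0]) * (1 - ps[1])
        else:                             # NOT
            p = 1 - ps[0]
    memo[net] = p
    return p

def transition_probability(cone, dummy=()):
    """P = p1 * p0 for the Trojan gate output; largest when p1 and p0 are balanced."""
    p1 = prob_one("trojan", cone, dummy)
    return p1 * (1 - p1)

def expected_cycles(cone, dummy=()):
    """Geometric distribution: average clock cycles to the first transition, P^-1 - 1."""
    return 1 / transition_probability(cone, dummy) - 1

def select_dummy_nets(cone, pth):
    """Nets in the cone (the Trojan gate excluded) whose rarer value has probability < PTH."""
    return sorted(n for n in cone if n != "trojan"
                  and min(prob_one(n, cone), 1 - prob_one(n, cone)) < pth)

def demo(pth=0.1):
    """Expected transition time before and after dummy FF insertion at threshold PTH."""
    before = expected_cycles(CONE)
    dummy = select_dummy_nets(CONE, pth)
    after = expected_cycles(CONE, tuple(dummy))
    return dummy, before, after
```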
Proposed Trojan Detection Methods
J. Yier, Y. Makris, "Hardware Trojan Detection using Path Delay Fingerprint," IEEE International Workshop on Hardware-Oriented Security and Trust, June 2008, pp. 51-57.
The path delays of nominal chips are collected to construct a series of fingerprints that chips are validated against
They depend on using a sample of chips, applying tests and then destructively validating them
They carry out simulation experiments on a DES IP core in which they introduce 4 Trojans, three comparators and one counter Trojan
The Trojans occupy 0.13% and 0.76% of the total circuit area, respectively
They also introduce delay variations of up to +/- 7.5% and synthesize the DES circuits without the Trojans (Trojans are added to the netlist afterwards)
Synopsys is used to generate 990 genuine models and 800 Trojan models
Proposed Trojan Detection Methods (Yier et al)
Synopsys TetraMAX ATPG tool is used to generate 163 patterns, designed to cover as many parts of the chip as possible
The DES core has 64 outputs and therefore a total of 10,432 path delays are determined from simulations for each of the models
The high dimensionality of the data is reduced using principal component analysis (PCA) to determine the major trends in the original data set
The first three components are selected for analysis
A convex hull algorithm is applied to the path delays of the genuine models to define the Trojan-free space
64 convex hulls are generated, with each reflecting one aspect of the whole fingerprint of a genuine chip
Proposed Trojan Detection Methods
D. Rai, J. Lach, "Performance of delay-based Trojan detection techniques under parameter variations," IEEE International Workshop on Hardware-Oriented Security and Trust, July 2009, pp. 58-65
In their first paper (HOST 2008), they propose the insertion of shadow registers that are controlled by a phase-shifted version of the on-chip clock
The XOR acts as a comparator and the LOCK block latches a 1 when the main register and shadow register differ (which can be read out using scan chains)
Proposed Trojan Detection Methods (Rai et al)
With knowledge of the clock skew value used when LOCK is set to 1, the combinational delay can be computed for the path-under-test
The authors focus on analyzing their technique in the presence of significant levels of process variations
They conduct simulation experiments on a Braun multiplier using two-inverter chains as a Trojan
(Figure: the inserted Trojan increases the path delay.)
Proposed Trojan Detection Methods (Rai et al)
The skew-step resolution is investigated and it was decided that 0.05 ns (50 ps) is needed to detect the insertion of a single inverter
They do not address test vector generation but decide that shadow registers are needed at all outputs
For each vector, the smallest skew step is determined for each shadow register using a simulation model with no Trojans
The authors introduce both inter-die and intra-die variations in Vth (+/-20%) and channel length (Leff) in two sets of simulations
(Figure: delay distributions with Trojan (0.2 ns shift) and without Trojan.)
Proposed Trojan Detection Methods
M. Banga, M. S. Hsiao, "A region based approach for the identification of hardware Trojans," IEEE International Workshop on Hardware-Oriented Security and Trust, July 2008, pp. 40-47
The authors propose a circuit partition based approach to detect and locate embedded Trojans
They also propose a power profile based method for refining the candidate regions that may contain the Trojan
They define a region as a structurally connected set of gates
They compute the total power profile of a genuine circuit: $P = C V^2 f$
Their approach consists of two major steps:
  Region-based Partition: Determine appropriate regions for analysis
  Relative Toggle Count Magnification: Generate a suitable input vector set that maximizes the partial relative power consumed in each region
Proposed Trojan Detection Methods (Banga et al)
(Figure: a circuit with 5 regions, labelled gates G1, G2, G3, G4; G11 is not included in the radius-2 region because of FF1.)
The region surrounding a gate comprises all the transitive fanin and fanout gates that are within the defined radius
Once the regions are selected, ATPG is used to create an activity peak in each region, while minimizing switching activity in the rest of the IC
They acknowledge that detection is possible only if the difference in activity between Trojan and genuine chips is larger than the process variation
Proposed Trojan Detection Methods (Banga et al)
(Figure: regions of larger differences; blue: random vectors, brown: the authors' vectors. The graphs have no annotation in the paper: the x-axis is vector groups, the y-axis is percentage change.)
Proposed Trojan Detection Methods
S. Jha, S. K. Jha, "Randomization Based Probabilistic Approach to Detect Trojan Circuits," High Assurance Systems Engineering Symposium, 2008, pp. 117-124
The authors propose a randomization based method to probabilistically compare the functionality of the implemented circuit with the original design
  To determine if a manufactured chip conforms to its design (or contains a Trojan) by functionally activating the Trojan
They find a probability distribution on the inputs such that the probability distribution of the output is unique for every functionally distinct circuit
Hypothesis testing is used to statistically infer the presence of a Trojan
The result is either an input pattern that distinguishes a Trojan circuit from the design or a confidence level that no Trojan exists
They define a characteristic polynomial of a circuit and prove that two Boolean functions f and g are equal if and only if their characteristic polynomials are identical
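The polynomial-equality idea from this slide, as an added example that is not the authors' code: each gate is arithmetized (AND to xy, NOT to 1-x, OR to x+y-xy, XOR to x+y-2xy) so the circuit becomes a multilinear polynomial that agrees with the Boolean function on 0/1 inputs and is used here as its characteristic polynomial (whether this matches the paper's exact definition is an assumption); the design and a Trojan-modified circuit are compared at random points of a prime field, one disagreement proves they differ and yields a distinguishing 0/1 pattern, while the Schwartz-Zippel bound (a substitute for the paper's hypothesis test) gives the confidence after k agreeing trials. The circuits, the prime modulus and the trial count are constructed assumptions.

```python
import itertools
import random

FIELD = 2_147_483_647   # prime modulus for polynomial evaluation (assumption, not from the paper)
INPUTS = ["a", "b", "c", "d"]

# Constructed circuits as gate lists (net, type, inputs); the output net is "y".
DESIGN = [("y", "AND", ["a", "b"])]
# Constructed Trojan: a rare-value trigger (a=1, b=0, c=1, d=1) flips the output.
TROJANED = [
    ("nb", "NOT", ["b"]),
    ("t1", "AND", ["a", "nb"]),
    ("t2", "AND", ["t1", "c"]),
    ("trig", "AND", ["t2", "d"]),
    ("y0", "AND", ["a", "b"]),
    ("y", "XOR", ["y0", "trig"]),
]

def evaluate(circuit, point, out="y"):
    """Evaluate the circuit's multilinear polynomial (AND -> xy, NOT -> 1-x, ...)
    at a point of the field; on 0/1 inputs this is the Boolean function itself."""
    v = dict(point)
    for net, kind, ins in circuit:
        x = [v[i] for i in ins]
        if kind == "AND":
            r = x[0] * x[1]
        elif kind == "OR":
            r = x[0] + x[1] - x[0] * x[1]
        elif kind == "XOR":
            r = x[0] + x[1] - 2 * x[0] * x[1]
        else:                                 # NOT
            r = 1 - x[0]
        v[net] = r % FIELD
    return v[out]

def random_point_compare(c1, c2, trials=20, seed=3):
    """Compare the two polynomials at random field points; one disagreement proves
    the circuits are functionally different (returns that point), else None."""
    rng = random.Random(seed)
    for _ in range(trials):
        point = {i: rng.randrange(FIELD) for i in INPUTS}
        if evaluate(c1, point) != evaluate(c2, point):
            return point
    return None

def boolean_witness(c1, c2):
    """Distinct multilinear polynomials differ on some 0/1 pattern: find that test vector."""
    for bits in itertools.product([0, 1], repeat=len(INPUTS)):
        point = dict(zip(INPUTS, bits))
        if evaluate(c1, point) != evaluate(c2, point):
            return point
    return None

def agreement_bound(trials, degree=len(INPUTS)):
    """Schwartz-Zippel: distinct polynomials of total degree <= d agree on k
    independent random points with probability at most (d / FIELD)^k."""
    return (degree / FIELD) ** trials
```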