Hardware Trojans

Mohammad Tehranipoor

ECE 6095: Hardware Security & Trust
University of Connecticut
ECE Department

What’s Hardware Trojan?

- Hardware Trojan:
  - A malicious addition or modification to the existing circuit elements.

- What hardware Trojans can do:
  - Change the functionality
  - Reduce the reliability
  - Leak valuable information

- Applications that are likely to be targets for attackers
  - Military applications
  - Aerospace applications
  - Civilian security-critical applications
  - Financial applications
  - Transportation security
  - More

Applications and Threats

- Thousands of chips are being fabricated in untrusted foundries

IC/IP Trust Problem

- Chip design and fabrication is becoming increasingly vulnerable to malicious activities and alterations with globalization.

- IP Vendor and System Integrator:
  - IP vendor may put a Trojan in the IP
  - IP Trust problem

- Designer and Foundry:
  - Foundry may put a Trojan in the layout design.
  - IC Trust problem

Hardware Trojan – Back Door

- Adversary can send and receive secret information
- Adversary can disable the chip, blowup the chip, send wrong processing data, impact circuit information etc.

- Adversary can place an Antenna on the fabricated chip
- Such Trojan cannot be detected since it does not change the functionality of the circuit.

Time Bomb

- Counter
- Finite state machine (FSM)
- Comparator to monitor key data
- Wires/transistors that violate design rules
- Such Trojan cannot be detected since it does not change the functionality of the circuit.
- In some cases, adversary has little control on the exact time of Trojan action
- Cause reliability issue
Hardware Threats Source

Any of these steps can be untrusted

Issues with Third IP Design

Company X
Company Y
Company Z
Company V
Company W

These companies are located across the world
There is no control on the design process

Hardware Threats Source

IP Piracy
System Trust

Manufacture

Hardware Threats Source

IC Trust
Counterfeiting
Secure Manufacturing Test

Manufacture

Untrusted Foundry
ASIC Design Process – Untrusted Foundry

Untrusted Designer and Foundry

Trojan Taxonomy

Example: Type

Example: Size

Example: Distribution
Example: Structure

- The adversary may be forced to regenerate the layout to be able to insert the Trojan, then the chip dimensions change.
  - It could result in different placement for some or all the design components.
- A change in physical layout can change the delay and power characteristics of chip.
  - It is easier to detect the Trojan.

Trojan Taxonomy: Activation

- Activation Characteristics:
  - Externally activated
  - Internally activated
- Activation Sources:
  - Receiver/Antenna
  - Sensor/Logic
- Condition-based

- Change in circuit form factor can change the delay and power characteristics of chip.
- It is easier to detect the Trojan.

Example: Action

- Modify Function
- Modify Specification:
  - Noise, Delay and Temperature

Trojan Taxonomy: Action

- Action Characteristics:
  - Modify Function
  - Modify Specification
  - Transmit Information
- Action Sources:
  - Add
  - Repeat
  - Insert
  - Replace

IP Trust & IP Security

- IP Trust Issue
  - Detect malicious circuits inserted by the third-party (IP designers or IP vendors)
  - Protect IP buyers
- IP Security Issue
  - Focus on whether IP cores are used illegally
  - Protect the ownership of IP designers and IP vendors
IP Trust

- IPs from untrusted vendors need to be verified for trust before use in a system design.
- How can one establish that the IP does exactly as the specification, nothing less nothing more?
- IP cores: soft IP, firm IP and hard IP.

Challenges:
- No known golden model for the IP as that for IC
- Soft IP is just code so that we can not read its implementation
- No side-channel information

Approaches For Pre-synthesis

- Formal verification
  - Property checking
  - Model checking
  - Equivalence checking
- Coverage analysis
  - Code coverage
  - Functional coverage

Formal Verification

- Ensuring IP core is exactly same as its specification, nothing more and nothing less
- Three types of verification methods:
  - Property checking: every requirement is defined as assertion in testbench and is checked
  - Equivalence checking: check the equivalence of RTL code, gate-level netlist and GDSII file
  - Model checking:
    - System is described in a formal model (C, HDL)
    - The desired behavior is expressed as a set of properties
    - The specification is checked against the model

Coverage Analysis

- Code coverage
  - Line coverage
    - Show which lines of the RTL have been executed
  - Statement Coverage
    - Spans multiple lines, more precise
  - FSM Coverage
    - Show which state can be reached
  - Toggle
    - Each Signal in gate-level netlist
  - Function coverage
    - Assertion
      - Successful or Failure

Suspicious Parts

- If one of assertion is failed, the IP is untrusted.
- If coverage is not 100%, uncovered parts are suspicious.

IC Trust: Trojan Detection and Isolation

- The objective is to ensure that the fabricated chip/system will carry out only our desired function and nothing more.
- Challenges:
  - Tiny: several gates to millions of gates
  - Quiet: hard-to-activate (rare event) or tripped itself (time-bomb)
  - Hard to model: human intelligence
  - Conventional test and validation approaches fail to reliably detect hardware Trojans.
- Focus on manufacture defects and does not target detection of additional functionality in a design.
Classification of Trojan Detection Approaches

- **Destructive Approach**: expensive and time consuming
  - Reverse engineering to extract layer-by-layer images by using Scanning Electron Microscope
  - Identify transistors or gates and routing elements by using a template-matching approach

- **Non-destructive Approach**
  - Run-time monitoring: Monitor abnormal behavior during run-time
    - Exploit pre-existing redundancy in the circuit
    - Compare results and select a trusted part to avoid an infected part of the circuit.
  - Test-time: Detect Trojans throughout test duration.
    - Logic-testing-based approaches
    - Side-channel analysis-based approaches

Logic-testing Approach

- Focus on test-vector generation for
  - Activating a Trojan circuit
  - Observing its malicious effect on the payload at the primary outputs
  - Both functional and structural test vectors are applicable.

- **Pros & Cons**:
  - Pros: straightforward and easy to differentiate
  - Cons:
    - The difficulty in exciting or observing low controllability or low observability nodes.
    - Intentionally inserted Trojans are triggered under rare conditions.
      (e.g., sequential Trojans)
    - It cannot trigger Trojans that are activated externally and can only observe functional Trojans.

MERO

- **MERO**:
  - Generate a set of test vectors that can trigger each rare node to its rare value multiple times (N times)
  - It improves the probability of triggering a Trojan activated by a rare combination of a selection of the nodes

Functional Test Deficiency

- **Functional Test Deficiency**
  - Functional patterns could potentially detect a "functional" Trojan.
    - Exhaustive test would be effective
    - Not applicable for large circuits
    - E.g. 64 input adder $\rightarrow$ 2^{64} input combination (including carry in)
    - $2^{64} > 10^{18}$ – This is impractical
    - 100MHz is used $\rightarrow$ $10^{10}$ s $\rightarrow$ 317 years
    - Only a few and more effective patterns are used $\rightarrow$ Trojan can escape.
    - The fault coverage is low for manufacturing test

In practice, structural tests are used.

Side-Channel Analysis-Based Approaches

- All the side-channel analysis are based on observing the effect of an inserted Trojan on a physical parameter such as
  - IDDQ: Extra gates will consume leakage power.
  - IDDT: Extra switching activities will consume more dynamic power.
  - Path delay: additional gates and capacitance will increase path delay.
  - EM: Electromagnetic radiation due to switching activity

- **Pros & Cons**:
  - Pros: It is effective for Trojan which does not cause observable malfunction in the circuits.
  - Cons: Large process variations in modern nanometer technologies and measurement noise can mask the effect of the Trojan circuits, especially for small Trojan.
Side Channel Signal Analysis -- Power

- Hardware Trojans inserted in chip can change the power consumption characteristics.
- Partial activation of Trojan can be extremely valuable for power analysis.
- The more number of cells in Trojan is activated the more the Trojan will draw current from power grid.

![Partial Activation Diagram]

Trojan Inserted into s38417 Benchmark

Current (Charge) Integration Method

- Current consumption of Trojan-free and Trojan-inserted circuits

\[
\Delta Q = \int_{t_1}^{t_2} [I_{\text{trojan-free}}(t) - I_{\text{trojan-inserted}}(t)] \, dt
\]

Power Analysis -- Locality

Current difference measured from power pad 17 (Trojan-free vs Trojan-inserted).

There is no change in layout of the circuit. Trojan was inserted in an unused space in the circuit layout.

Power Analysis -- Challenges

- Pattern Generation
  - How to increase switching activity in Trojans?
  - How to reduce background noise?
  - Switching locality
  - Random Patterns

- Measurement Device Accuracy
  - Measurement noise

- Process Variations
  - Calibration

- On-Chip Measurement
  - Vulnerable to attack

- Authentication Time
  - Trojans can be inserted randomly

Process Variations

- Worst & Best Cases:
  - Define lower and upper bounds on current consumption
  - Determine confidence level on Trojan detection

PV:
- L: Channel Length
- Vth: Threshold voltage
- Tox: Oxide Thickness

![PV Diagram]
**Side Channel Analysis -- Delay**

- Hard to be detected using power analysis
  - Distributed Trojans
  - Hard-to-activated Trojans
- Path delay: A change in physical dimension of the wires and transistors can also change path delay.
- We are developing new methods that can detect additional delays on each path of the circuit.

**Delay-based Methods**

- Shadow-register provides a possible solution for measuring internal path delay.
- From this architecture, it can be seen that the basic unit contains one shadow register, one comparator and one result register.
- Limitations:
  - PV
  - Overhead
  - S-clock
  - Output

**Clock Sweeping Technique**

- Clock sweeping involves applying a pattern at different clock frequencies, from a lower speed to higher speeds.
- Some paths sensitized by the pattern which are longer than the current period start to fail when the clock speed increases.
- The obtained start-to-fail clock frequency can indicate the delays of the paths sensitized by the patterns.

**Delay Analysis -- Challenges**

- Major advantage over power analysis: No activation is required.
- Detection and Isolation
  - How significant is the delay inserted by Trojan?
  - It depends on Trojan size and type
  - Location: on short paths or long paths
- Pattern Generation
  - Delay test patterns
- Path Coverage
  - Process Variations ($V_{DD}$, $L$, $T_{ox}$)
  - Impact circuit delay characteristics significantly
  - Differentiate between Trojan and PV
- Trojan can have impact on multiple paths (an advantage over PV)

**Trojan Detection**

- Fully Activation of Trojans
  - Not applicable to all Trojans (Combinational and Sequential Trojans only)
  - Requires increased controllability and observability
- Trojan Isolation
  - Important to know adversary’s intention
Design for Hardware Trust

- Since detecting Trojan is extremely challenging, design for hardware trust approaches are proposed to
  - Facilitate hardware Trojan detection methods
    - Improve sensitive to power and delay
    - Rare event removal
  - Prevent hardware Trojan insertion
    - Design obfuscation

Rare Event Removal

- Intelligent attackers will choose low-frequency events to trigger the inserted Trojans.
- Improving controllability or observability can make rare events scarce, thereby facilitating detecting Trojans inside the design.
  - Design for Trojan test: inserting probing points
  - Inserting dummy scan flip-flops

Increasing Probability of Partial/Full Activation

- Inserting dummy FFS on path with very low activation probability

- Dummy scan flip-flops are inserted to control hard-to-excite nodes.
  - Usage:
    - Full activation: increase controllability
    - Power-based: generate switching activities
    - Delay-based: activate more paths to improve coverage

Trojan Prevention-Design obfuscation

- The objective is deterring attackers from inserting Trojans inside the design.
- Design obfuscation means that a design will be transformed to another one which is functionally equivalent to the original, but in which it is much harder for attackers to obtain complete understanding of the internal logic, making reverse engineering much more difficult to perform.
- The authors propose a Trojan prevention method that obfuscates the state transition function to add an obfuscated mode on top of the original functionality (called normal mode).

Design obfuscation

- Specified pattern is able to guide the circuit into its normal mode.
- The transition arc K3 is the only way the design can enter normal operation mode from the obfuscated mode.
Question?