Hardware Trojan Detection

A hardware Trojan is a malicious modification to an integrated circuit (IC) made by untrusted third-party vendors, fabrication facilities, or rogue designers. Although existing hardware Trojans are designed to be stealthy, they can, in theory, be detected by post-manufacturing and acceptance tests due to their physical connections to IC logic. Manufacturing tests can potentially trigger the Trojan and propagate its payload to an output. Even if the Trojan is not triggered, the physical connections to the IC can enable detection due to additional side-channel activity (e.g., power consumption). In this article, we propose a novel hardware Trojan design, called Soft-HaT , which only becomes physically connected to other IC logic after activation by a software program. Using an electrically programmable fuse (E-fuse), the hardware can be “re-programmed” remotely. We illustrate how Soft-HaT can be used for offensive applications in system-on-chips. Examples of Soft-HaT attacks are demon...

Most semiconductor companies outsource the manufacturing of their chip designs to third-party fabrication foundries. However, untrusted foundries pose significant security risks, including intellectual property (IP) piracy and the insertion of hardware Trojans (HTs)-malicious modifications intended to sabotage circuits. These HTs can lead to increased power consumption, but due to process variations and the minimal footprint of small HTs in large-scale circuits, traditional power consumption analysis (PCA) often fails to detect them. To address this challenge, circuits can be partitioned into smaller sub-circuits, with PCA applied individually to each. In this paper, we propose a novel logic locking [2] technique designed to enhance the effectiveness of PCA-based HT detection. Building on the "RESTORATION" approach introduced in [1], our method increases the power contribution of HTs relative to the overall circuit power, thereby improving their detectability. Experimental results at both the gate level and post-synthesis demonstrate that the proposed locking scheme facilitates more efficient and reliable HT detection compared to existing logic locking [2] techniques.

Logic locking is frequently used to protect integrated circuits against reverse engineering and intellectual property theft. However, classic gate-level locking approaches are becoming more vulnerable to machine learning (ML)-based attacks that exploit design patterns to recover hidden keys. To reduce these concerns, RTL-level locking solutions such as ASSURE have been proposed that attempt to conceal logic earlier in the design cycle. Despite their potential, these strategies are mostly unexplored in terms of real resistance to ML-driven attacks. In this study, we conducted an empirical investigation of the ASSURE RTL locking mechanism, with a focus on its effectiveness against ML-based key recovery attempts. We tested locked versions of benchmark circuits by extracting design attributes and training supervised algorithms to predict hidden keys in realistic threat scenarios. Our findings show that RTL locking provides greater robustness than gate-level locking, with lower prediction accuracy from ML classifiers and tolerable design overhead. This early study supports the use of RTL-level obfuscation to improve hardware security and encourages further research into its implementation and optimization.

These days, hardware devices and its associated activities are greatly impacted by threats amidst of various technologies. Hardware trojans are malicious modifications made to the circuitry of an integrated circuit, Exploiting such alterations and accessing the level of damage to devices is considered in this work. These trojans, when present in sensitive hardware system deployment, tends to have potential damage and infection to the system. This research builds a hardware trojan detector using machine learning techniques. The work uses a combination of logic testing and power side-channel analysis (SCA) coupled with machine learning for power traces. The model was trained, validated and tested using the acquired data, for 5 epochs. Preliminary logic tests were conducted on target hardware device as well as power SCA. The designed machine learning model was implemented using Arduino microcontroller and result showed that the hardware trojan detector identifies trojan chips with a re...

and Computer Engineering Today, electronic computing devices are critically involved in our daily lives, basic infrastructure, and national defense systems. With the growing number of threats against them, hardware-based security features offer the best chance for building secure and trustworthy cyber systems. In this dissertation, we investigate ways of making hardware-based security into a reality with primary focus on two areas: Hardware Trojan Detection and Physically Unclonable Functions (PUFs). Hardware Trojans are malicious modifications made to original IC designs or layouts that can jeopardize the integrity of hardware and software platforms. Since most modern systems critically depend on ICs, detection of hardware Trojans has garnered significant interest in academia, industry, as well as governmental agencies. The majority of existing detection schemes focus on test-time because of the limited hardware resources available at run-time. In this dissertation, we explore innovative run-time solutions that utilize on-chip thermal sensor measurements and fundamental estimation/detection theory to expose changes in IC power/thermal First and foremost, I would like to thank my advisor, Prof. Ankur Srivastava, for his guidance and patience through my Ph.D. His advice, support, and friendship have been invaluable on both academic and personal levels, for which I am extremely grateful. Without him as a continuous source of inspiration and motivation, I would not have been able to improve and achieve all that I have. It has been a pleasure to work with and learn from him. I would also like to extend my gratitude to the members of my dissertation committee for their time and service. I also offer special thanks to Professor Rama Chellappa, Professor Joseph JaJa, Professor, Professor Shuvra Bhattacharyya, and Professor Andre Tits for their support, encouragement, and advice in applying to jobs in academia. My colleagues in Prof. Srivastava's research group have enriched my graduate life in many ways and deserve a special mention here as well. I owe my gratitude to Bing Shi, Caleb Serafy, Tiantao Lu, and Chongxi Bao not only for our fruitful discussions about research, but also the stress relieving conversations and jokes we shared throughout our time together in the lab. I would also like to acknowledge the financial support provided by the ECE department and Northrop Grumman for three semesters of teaching assistantship and one year of research fellowship respectively. Last, but by no means least, I thank all of my family and friends for their support and encouragement throughout my graduate studies. I would especially viii 1. D. Forte and A. Srivastava, "Manipulating Manufacturing Variations for Bet

The hardware Trojan threat has motivated development of Trojan detection schemes at all stages of the integrated circuit (IC) lifecycle. While the majority of existing schemes focus on ICs at test-time, there are many unique advantages offered by post-deployment/run-time Trojan detection. However, run-time approaches have been underutilized with prior work highlighting the challenges of implementing them with limited hardware resources. In this paper, we propose innovative lowoverhead approaches for run-time Trojan detection which exploit the thermal sensors already available in many modern systems to detect deviations in power/thermal profiles caused by Trojan activation. Simulation results using state-of-the-art tools on publicly available Trojan benchmarks verify that our approaches can detect active Trojans quickly and with few false positives.

Hardware piracy is a threat that is becoming more and more serious these last years. The different types of threats include mask theft, illegal overproduction, as well as the insertion of malicious alterations to a circuit, referred to as Hardware Trojans. To protect circuits from overproduction, circuits can be encrypted so that only authorized users can use the circuits. In this paper, we propose an encryption technique that also helps thwarting Hardware Trojan insertion. Assuming that an attacker will attach a Hardware Trojan to signals with low controllability in order to make it stealthy, the principle of the encryption is to minimize the number of signals with low controllability.

Hardware piracy is a threat that is becoming more and more serious these last years. The different types of threats include mask theft, illegal overproduction, as well as the insertion of malicious alterations to a circuit, referred to as Hardware Trojans. To protect circuits from overproduction, circuits can be encrypted so that only authorized users can use the circuits. In this paper, we propose an encryption technique that also helps thwarting Hardware Trojan insertion. Assuming that an attacker will attach a Hardware Trojan to signals with low controllability in order to make it stealthy, the principle of the encryption is to minimize the number of signals with low controllability.

Due to the evolution in the Integrated Circuit (IC) supply chain, soft/firm/hard cores involved in a system under development and manufactured ICs come from numerous, and possibly unreliable, sources. This loss of control over the entire design/production flow leads to several threats including the insertion by an attacker of malicious circuitries known as Hardware Trojans. Hardware Trojan insertion modifies the functionality of the circuit, possibly its reliability, in order to alter its behavior, generate a denial of service or leak secret information for instance. Numerous methods have been proposed in the literature to detect the presence of such alterations, or prevent their insertion. This paper focuses on methods based on logic testing. Researches in this domain are surveyed and remaining unresolved challenges are described along with proposals to meet these challenges.

Software test suites based on the concept of interaction testing are very useful for testing software components in an economical way. Test suites of this kind may be created using mathematical objects called covering arrays. A covering array, denoted by CA(N; t, k, v), is an N × k array over [Formula: see text] with the property that every N × t sub-array covers all t-tuples of [Formula: see text] at least once. Covering arrays can be used to test systems in which failures occur as a result of interactions among components or subsystems. They are often used in areas such as hardware Trojan detection, software testing, and network design. Because system testing is expensive, it is critical to reduce the amount of testing required. This paper addresses the Optimal Shortening of Covering ARrays (OSCAR) problem, an optimization problem whose objective is to construct, from an existing covering array matrix of uniform level, an array with dimensions of (N - δ) × (k - Δ) such that the nu...

Contemporary hardware design shares many similarities with software development. The injection of malicious functionality (Trojans) in FPGA designs is a realistic threat. Established techniques for testing correctness do not cope well with Trojans, since Trojans are not captured in the system model. Furthermore, a well-designed Trojan activates under rare conditions and can escape detection during testing. Such conditions cannot be exhaustively searched, especially in the case of cryptographic core implementations with hundreds of inputs. In this paper, we explore the applicability of a prominent combinatorial strategy, namely combinatorial testing, for FPGA Trojan detection. We demonstrate that combinatorial testing provides the theoretical guarantees for exciting a Trojan of specific lengths by covering all input combinations. Our findings indicate that combinatorial testing constructs can improve the existing FPGA Trojan detection capabilities by reducing significantly the number of tests needed. Besides the foundations of our approach, we also report on first experiments that indicate its practical use.

Detecting hardware trojans is a difficult task in general. In this article we study hardware trojan horses insertion and detection in cryptographic intellectual property (IP) blocks. The context is that of a fabless design house that sells IP blocks as GDSII hard macros, and wants to check that final products have not been infected by trojans during the foundry stage. First, we show the efficiency of a medium cost hardware trojans detection method if the placement or the routing have been redone by the foundry. It consists in the comparison between optical microscopic pictures of the silicon product and the original view from a GDSII layout database reader. Second, we analyze the ability of an attacker to introduce a hardware trojan horse without changing neither the placement nor the routing of the cryptographic IP logic. On the example of an AES engine, we show that if the placement density is beyond 80%, the insertion is basically impossible. Therefore, this settles a simple design guidance to avoid trojan horses insertion in cryptographic IP blocks: have the design be compact enough, so that any functionally discreet trojan necessarily requires a complete replace and reroute , which is detected by mere optical imaging (and not complete chip reverse-engineering). Index Terms-Hardware trojan horses (HTH), HTH detection and insertion, optical pictures versus GDSII comparison technique, ECO place-and-route, core utilization rate (CUR).

Hardware Trojan detection has been the subject of many studies in the realm of hardware security in the recent years. The effectiveness of current techniques proposed for Trojan detection is limited by some factors, process variation noise being a major one. This paper introduces latch-based structures as a self-reference detection technique which uses incircuit path delays as golden reference models. By addressing process variation, these structures can achieve high accuracy in detection resolution. The proposed method is a complementary approach to current side-channel techniques to cover their poor performance in detecting small Trojans. Simulation results show that this technique can detect small Trojans at the scale of only one logical gate with 90% probability on average.

Nowadays there are different kinds of attacks on Field Programmable Gate Array (FPGA). As FPGAs are used in many different applications, its security becomes an important concern, especially in Internet of Things (IoT) applications. Hardware Trojan Horse (HTH) insertion is one of the major security threats that can be implemented in unused space of the FPGA. This unused space is unavoidable to meet the place and route requirements. In this paper, we introduce an efficient method to fill this space and thus to leave no free space for inserting HTHs. Using a shift register in combination with gate-chain is the best way of filling unused space, which incurs a no increase in power consumption of the main design. Experimental results of implementing a set of IWLS benchmarks on Xilinx Virtex devices show that the proposed prevention and detection scheme imposes a no power overhead with no degradation to performance and critical path delay of the main design

https://www.isecure-journal.com/article_82510.html

Nowadays the security of the design is so important because of the different available attacks to the system. the main aim of this paper is to improve the security of the circuit design implemented on FPGA device. Two approaches are proposed for this purpose. The first is to fill out empty space using flip-flops and LUTs so that there is no available space for inserting a hardware Trojan. We name this filling structure as Gate-chain. The second approach increases the security of the implemented design by identifying the low observable/controllable points of the main design and wiring them to the unused ports or the pre-designed Gate-chains. The proposed solutions not only prevent Trojan insertion but also increase the Trojan detection capabilities. Simulation results on Xilinx devices implementing different benchmarks show that the proposed method incurs dynamic power overhead just in test mode with less than one percent of delay overhead for critical path in normal mode.

https://www.isecure-journal.com/article_118140.html

Wireless networks are now prevalent in most electronic systems, due to the rapid growth of telecommunications, sensor applications, and the Internet of Things. Though wireless devices use some form of encryption, the underlying hardware is still vulnerable to malicious modificiations (a.k.a hardware Trojans). Therefore, in this research work, we (i) theoretically analyze the risks posed by hardware Trojans in wireless networks, (ii) experimentally validate those risks and (iii) develop defense mechanisms to prevent such attacks. Wireless devices inherently possess unused space, i.e. a gap, between their operating point and the physical limits of communication (Figure 1). A well crafted hardware Trojan, therefore, can be hidden within this gap and can be used to carryout malicious operations. Along this line, we have extensively studied the risks posed by two hardware Trojans in an IEEE 802.11a/g wireless network. The first Trojan attack is staged in the baseband part of the wireless...

Traditionally, computer security has been associated with the software security, or the information-data security. Surprisingly, the hardware on which the software executes or the information stored-processed-transmitted has been assumed to be a trusted base of security. The main building blocks of any electronic device are Integrated circuits (ICs) which form the fabric of a computer system. Lately, the use of ICs has expanded from handheld calculators and personal computers (PCs) to smartphones, servers, and Internet-of-Things (IoT) devices. However, this significant growth in the IC market created intense competition among IC vendors, leading to new trends in IC manufacturing. System-on-chip (SoC) design based on intellectual property (IP), a globally spread supply chain of production and distribution of ICs are the foremost of these trends. The emerging trends have resulted in many security and trust weaknesses and vulnerabilities, in computer systems. This includes Hardware Trojans attacks, side-channel attacks, Reverse-engineering, IP piracy, IC counterfeiting, micro probing, physical tampering, and acquisition of private or valuable assets by debugging and testing. IC security and trust vulnerabilities may cause loss of private information, modified/altered functions, which may cause a great economical hazard and big damage to society. Thus, it is crucial to examine the security and trust threats existing in the IC lifecycle and build defense mechanisms against IC Trojan threats. In this article, we examine the IC supply chain and define the possible IC Trojan threats for the parties involved. Then we survey the latest progress of research in the area of countermeasures against the IC Trojan attacks and discuss the challenges and expectations in this area.

Design companies often outsource their integrated circuit (IC) fabrication to third parties where ICs are susceptible to malicious acts such as the insertion of a side-channel hardware trojan horse (SCT). In this paper, we present a framework for designing and inserting an SCT based on an engineering change order (ECO) flow, which makes it the first to disclose how effortlessly a trojan can be inserted into an IC. The trojan is designed with the goal of leaking multiple bits per power signature reading. Our findings and results show that a rogue element within a foundry has, today, all means necessary for performing a foundry-side attack via ECO. Index Terms-hardware security, manufacturing-time attack, hardware trojan horse, side-channel attack, VLSI, ASIC.

Design companies often outsource their integrated circuit (IC) fabrication to third parties where ICs are susceptible to malicious acts such as the insertion of a side-channel hardware trojan horse (SCT). In this paper, we present a framework for designing and inserting an SCT based on an engineering change order (ECO) flow, which makes it the first to disclose how effortlessly a trojan can be inserted into an IC. The trojan is designed with the goal of leaking multiple bits per power signature reading. Our findings and results show that a rogue element within a foundry has, today, all means necessary for performing a foundry-side attack via ECO. Index Terms-hardware security, manufacturing-time attack, hardware trojan horse, side-channel attack, VLSI, ASIC.

The design outsourcing of the IC supply chain across the globe has been witnessed as a major trend of the semiconductor design industry in the recent era. The increasing profit margin has been a major boost for this trend. However, the vulnerability of the introduction of malicious circuitry (Hardware Trojan Horses) in the untrusted phases of chip development has been a major deterrent in this cost effective design methodology. Analysis, detection and correction of such Trojan Horses have been the point of focus among researchers over the recent years. In this work, analysis of a secret key revealing Hardware Trojan Horse is performed. This Trojan Horse creates a conditional path delay to the resultant output of the cryptocore according to the stolen bit of secret key per iteration. The work has been extended from the RTL design stage to the pre fabrication stage of ASIC platform where area and power analysis have been made to distinguish the affected core from a normal core in 180nm technology node.

Various design-for-security (DFS) approaches have been proposed earlier for detection of hardware Trojans, which are malicious insertions in Integrated Circuits (ICs). In this paper, we highlight our major findings in terms of innovative Trojan design that can easily evade existing Trojan detection approaches based on functional testing or side-channel analysis. In particular, we illustrate design and placement of sequential hardware Trojans, which are rarely activated/observed and incur ultralow delay/power overhead. We provide models, examples, theoretical analysis of effectiveness, and simulation as well as measurement results of impact of these Trojans in a hardened design. It is shown that efficient design and placement of sequential Trojan would incur extremely low side-channel (power, delay) signature and hence, can easily evade both postsilicon validation and DFS (e.g. ring oscillator based) approaches.

The majority of techniques developed to detect hardware trojans are based on specific attributes. Further, the ad hoc approaches employed to design methods for trojan detection are largely ineffective. Hardware trojans have a number of attributes which can be used to systematically develop detection techniques. Based on this concept, a detailed examination of current trojan detection techniques and the characteristics of existing hardware trojans is presented. This is used to develop a new approach to hardware trojan identification and classification. This identification can be used to compare trojan risk or severity and trojan detection effectiveness. Identification vectors are generated for each hardware trojan and trojan detection technique based on the corresponding attributes. Vectors are also defined which represent trojan risk or severity and trojan detection effectiveness.

The goal of a hardware attack is to physically access a digital system to obtain secret information or modify the system behavior. These attacks can be classified as covert or overt based on the awareness of the attack. Each hardware attack has capabilities as well as objectives. Some employ hardware trojans, which are inserted during, manufacture, while others monitor system emissions. Once a hardware attack has been identified, mitigation techniques should be employed to protect the system. There are now a wide variety of techniques, which can be used against hardware attacks. In this paper, a comprehensive survey of hardware attack mitigation techniques is presented. These techniques are matched to the hardware attacks and attack criteria they can counter, which helps security personnel choose appropriate mitigation techniques to protect their systems against hardware attacks. An example is presented to illustrate the choice of appropriate countermeasures.

Design companies often outsource their integrated circuit (IC) fabrication to third parties where ICs are susceptible to malicious acts such as the insertion of a side-channel hardware trojan horse (SCT). In this paper, we present a framework for designing and inserting an SCT based on an engineering change order (ECO) flow, which makes it the first to disclose how effortlessly a trojan can be inserted into an IC. The trojan is designed with the goal of leaking multiple bits per power signature reading. Our findings and results show that a rogue element within a foundry has, today, all means necessary for performing a foundry-side attack via ECO. Index Terms-hardware security, manufacturing-time attack, hardware trojan horse, side-channel attack, VLSI, ASIC.

The design outsourcing of the IC supply chain across the globe has been witnessed as a major trend of the semiconductor design industry in the recent era. The increasing profit margin has been a major boost for this trend. However, the vulnerability of the introduction of malicious circuitry (Hardware Trojan Horses) in the untrusted phases of chip development has been a major deterrent in this cost effective design methodology. Analysis, detection and correction of such Trojan Horses have been the point of focus among researchers over the recent years. In this work, analysis of a secret key revealing Hardware Trojan Horse is performed. This Trojan Horse creates a conditional path delay to the resultant output of the cryptocore according to the stolen bit of secret key per iteration. The work has been extended from the RTL design stage to the pre fabrication stage of ASIC platform where area and power analysis have been made to distinguish the affected core from a normal core in 180nm technology node.

Design companies often outsource their integrated circuit (IC) fabrication to third parties where ICs are susceptible to malicious acts such as the insertion of a side-channel hardware trojan horse (SCT). In this paper, we present a framework for designing and inserting an SCT based on an engineering change order (ECO) flow, which makes it the first to disclose how effortlessly a trojan can be inserted into an IC. The trojan is designed with the goal of leaking multiple bits per power signature reading. Our findings and results show that a rogue element within a foundry has, today, all means necessary for performing a foundry-side attack via ECO. Index Terms-hardware security, manufacturing-time attack, hardware trojan horse, side-channel attack, VLSI, ASIC.

Malicious hardware modification, also known as hardware Trojan attack, has emerged as a serious security concern for electronic systems. Such attacks compromise the basic premise of hardware root of trust. Over the past decade, significant research efforts have been directed to carefully analyze the trust issues arising from hardware Trojans and to protect against them. This vast body of work often needs to rely on well-defined set of trust benchmarks that can reliably evaluate the effectiveness of the protection methods. In recent past, efforts have been made to develop a benchmark suite to analyze the effectiveness of pre-silicon Trojan detection and prevention methodologies. However, there are only a limited number of Trojan inserted benchmarks available. Moreover, there is an inherent bias as the researcher is aware of Trojan properties such as location and trigger condition since the current benchmarks are static. In order to create an unbiased and robust benchmark suite to evaluate the effectiveness of any protection technique, we have developed a comprehensive framework of automatic hardware Trojan insertion. Given a netlist, the framework will automatically generate a design with single or multiple Trojan instances based user-specified Trojan properties. It allows a wide variety of configurations, such as the type of Trojan, Trojan activation probability, number of triggers, and choice of payload. The tool ensures that the inserted Trojan is a valid one and allow for provisions to optimize the Trojan footprint (area and switching). Experiments demonstrate that a state-ofthe-art Trojan detection technique provides poor efficacy when using benchmarks generated by our tool.

Hardware Trojans are a critical security threat to integrated circuits. We propose an optical method to detect and localize Trojans inserted during the chip fabrication stage. We engineer the fill cells in a standard cell library to be highly reflective at near-IR wavelengths so that they can be readily observed in an optical image taken through the backside of the chip. The pattern produced by their locations produces an easily measured watermark of the circuit layout. Replacement, modification or rearrangement of these cells to add a Trojan can therefore be detected through rapid postfabrication backside imaging. We evaluate our approach using various hardware blocks where the Trojan circuit area is less than 0.1% of the total area and it consumes less than 2% leakage power of the entire chip. In addition, we evaluate the tolerance of our methodology to background measurement noise and process variation.

The design outsourcing of the IC supply chain across the globe has been witnessed as a major trend of the semiconductor design industry in the recent era. The increasing profit margin has been a major boost for this trend. However, the vulnerability of the introduction of malicious circuitry (Hardware Trojan Horses) in the untrusted phases of chip development has been a major deterrent in this cost effective design methodology. Analysis, detection and correction of such Trojan Horses have been the point of focus among researchers over the recent years. In this work, analysis of a secret key revealing Hardware Trojan Horse is performed. This Trojan Horse creates a conditional path delay to the resultant output of the cryptocore according to the stolen bit of secret key per iteration. The work has been extended from the RTL design stage to the pre fabrication stage of ASIC platform where area and power analysis have been made to distinguish the affected core from a normal core in 180nm technology node.

Software test suites based on the concept of interaction testing are very useful for testing software components in an economical way. Test suites of this kind may be created using mathematical objects called covering arrays. A covering array, denoted by CA(N; t, k, v), is an N × k array over [Formula: see text] with the property that every N × t sub-array covers all t-tuples of [Formula: see text] at least once. Covering arrays can be used to test systems in which failures occur as a result of interactions among components or subsystems. They are often used in areas such as hardware Trojan detection, software testing, and network design. Because system testing is expensive, it is critical to reduce the amount of testing required. This paper addresses the Optimal Shortening of Covering ARrays (OSCAR) problem, an optimization problem whose objective is to construct, from an existing covering array matrix of uniform level, an array with dimensions of (N - δ) × (k - Δ) such that the nu...

The threat of inserting malicious logic in hardware design is increasing as the digital supply chains are becoming more deep and span the whole globe. Ring oscillators (ROs) can be used to detect deviations of circuit operations due to changes of its layout caused by the insertion of a hardware Trojan horse (Trojan). The placement and the length of the ring oscillator are two important parameters that define an RO sensitivity and capability to detect malicious alternations. We propose and study the use of ring oscillators with variable lengths, configurable at the runtime. Such oscillators push further the envelope for the attackers, as their design must be undetectable by all supported lengths. We study the efficiency of our proposal on defending against a family of hardware Trojans against an implementation of the AES cryptographic algorithm on an FPGA. CCS Concepts •Security and privacy → Malicious design modifications; •Hardware → Reconfigurable logic and FP-GAs; Bug detection, localization and diagnosis; Hardware test; On-chip sensors;

Detecting hardware trojans is a difficult task in general. In this article we study hardware trojan horses insertion and detection in cryptographic intellectual property (IP) blocks. The context is that of a fabless design house that sells IP blocks as GDSII hard macros, and wants to check that final products have not been infected by trojans during the foundry stage. First, we show the efficiency of a medium cost hardware trojans detection method if the placement or the routing have been redone by the foundry. It consists in the comparison between optical microscopic pictures of the silicon product and the original view from a GDSII layout database reader. Second, we analyze the ability of an attacker to introduce a hardware trojan horse without changing neither the placement nor the routing of the cryptographic IP logic. On the example of an AES engine, we show that if the placement density is beyond 80%, the insertion is basically impossible. Therefore, this settles a simple design guidance to avoid trojan horses insertion in cryptographic IP blocks: have the design be compact enough, so that any functionally discreet trojan necessarily requires a complete replace and reroute , which is detected by mere optical imaging (and not complete chip reverse-engineering). Index Terms-Hardware trojan horses (HTH), HTH detection and insertion, optical pictures versus GDSII comparison technique, ECO place-and-route, core utilization rate (CUR).

The general trend in semiconductor industry to separate design from fabrication leads to potential threats from untrusted integrated circuit foundries. In particular, malicious hardware components can be covertly inserted at the foundry to implement hidden backdoors for unauthorized exposure of secret information. This paper proposes a new class of hardware Trojans which intentionally induce physical side-channels to convey secret information. We demonstrate power side-channels engineered to leak information below the effective noise power level of the device. Two concepts of very small implementations of Trojan side-channels (TSC) are introduced and evaluated with respect to their feasibility on Xilinx FPGAs. Their lightweight implementations indicate a high resistance to detection by conventional test and inspection methods. Furthermore, the proposed TSCs come with a physical encryption property, so that even a successful detection of the artificially introduced side-channel will not allow unhindered access to the secret information.

Due to the evolution in the Integrated Circuit (IC) supply chain, soft/firm/hard cores involved in a system under development and manufactured ICs come from numerous, and possibly unreliable, sources. This loss of control over the entire design/production flow leads to several threats including the insertion by an attacker of malicious circuitries known as Hardware Trojans. Hardware Trojan insertion modifies the functionality of the circuit, possibly its reliability, in order to alter its behavior, generate a denial of service or leak secret information for instance. Numerous methods have been proposed in the literature to detect the presence of such alterations, or prevent their insertion. This paper focuses on methods based on logic testing. Researches in this domain are surveyed and remaining unresolved challenges are described along with proposals to meet these challenges.

A Transient Effect Ring Oscillator (TERO) is a special case of a Ring Oscillator (RO) design that exhibits increased sensitivity to intrinsic noise. It can serve as a basis for implementing a True Random Number Generator (TRNG) or a Physically Uncloneable Function (PUF). Also, as a digital sensor for detecting insertion of malicious hardware logic (Trojans) in digital circuits. Here, we explore the application of TERO for detecting hardware Trojans injected in FPGA implementations of the AES cryptographic algorithm. Experiments and comparisons are reported in terms of the frequency as a function of the TERO length. Our findings indicate that TERO-based digital sensors can be used to efficiently detect the presence of the Trojan.

Hardware Trojan horses are a realistic threat for both ASIC and FPGA systems. Ring Oscillators (ROs) can be used to detect the presence of malicious hardware functionality. The length of an RO is a significant parameter for detecting efficiently malicious logic (sensitivity) while maintaining a low space and power profile. We explore through simulation the effect of the RO length on detecting different classes of Trojan horses on an FPGA.

This paper presents a novel method for locating combinational hardware Trojans (HT) based on fault location approaches used in combinatorial testing. This method relies exclusively on the combinatorial properties of the executed test vectors and the results of test execution. Under specific assumptions, the method is guaranteed to locate all combinational HTs with trigger patterns of length or less, with the location process itself consuming negligible time. We give a description of our method by devising suitable algorithms and provide the links to combinatorial fault location. Furthermore, we demonstrate our approach in a concrete case study where we locate HTs embedded in a circuit that implements the AES symmetrickey encryption algorithm with 128 bits key length. In these experiments, we demonstrate how any HT that is activated by a trigger pattern of length ≤ 8 can be located in an effective way. Our method compares particularly well against randomized approaches. Although instantiated for a specific circuit in our case study, the proposed approach is generic, due to its algorithmic description, and can be applied for testing other (cryptographic) circuits. We believe that our work presents an important first step in the development of more general logic testing methodologies for HT location using combinatorial testing methods. INDEX TERMS Circuit testing, combinatorial testing, detection techniques, hardware trojans, fault location analysis.

Due to the increasing use of information and communication technologies in most aspects of life, security of the information has drawn the attention of governments and industry as well as the researchers. In this regard, structural attacks on the functions of a chip are called hardware Trojans, and are capable of rendering ineffective the security protecting our systems and data. This method represents a big challenge for cyber-security as it is nearly impossible to detect with any currently practical detection scheme. Due to Various methods of this type of attack, many different methods are presented by the researchers to detect them. Each of these methods has been proposed different techniques to detect the Hardware Trojan horse, and are varied in terms of performance and conditions of use. In this paper, we survey the published methods and evaluate the strengths and weaknesses of each of them and analyze the efficiency of the proposed method to introduce efficient methods for Hardware Trojan horse detecting.

The design outsourcing of the IC supply chain across the globe has been witnessed as a major trend of the semiconductor design industry in the recent era. The increasing profit margin has been a major boost for this trend. However, the vulnerability of the introduction of malicious circuitry (Hardware Trojan Horses) in the untrusted phases of chip development has been a major deterrent in this cost effective design methodology. Analysis, detection and correction of such Trojan Horses have been the point of focus among researchers over the recent years. In this work, analysis of a secret key revealing Hardware Trojan Horse is performed. This Trojan Horse creates a conditional path delay to the resultant output of the cryptocore according to the stolen bit of secret key per iteration. The work has been extended from the RTL design stage to the pre fabrication stage of ASIC platform where area and power analysis have been made to distinguish the affected core from a normal core in 180nm technology node.

Nowadays there are different kinds of attacks on Field Programmable Gate Array (FPGA). As FPGAs are used in many different applications, its security becomes an important concern, especially in Internet of Things (IoT) applications. Hardware Trojan Horse (HTH) insertion is one of the major security threats that can be implemented in unused space of the FPGA. This unused space is unavoidable to meet the place and route requirements. In this paper, we introduce an efficient method to fill this space and thus to leave no free space for inserting HTHs. Using a shift register in combination with gate-chain is the best way of filling unused space, which incurs a no increase in power consumption of the main design. Experimental results of implementing a set of IWLS benchmarks on Xilinx Virtex devices show that the proposed prevention and detection scheme imposes a no power overhead with no degradation to performance and critical path delay of the main design

Field programmable gate arrays (FPGAs) are being increasingly used in a wide range of critical applications, including industrial, automotive, medical, and military systems. Since FPGA vendors are typically fabless, it is more economical to outsource device production to offshore facilities. This introduces many opportunities for the insertion of malicious alterations of FPGA devices in the foundry, referred to as hardware Trojan attacks, that can cause logical and physical malfunctions during field operation. The vulnerability of these devices to hardware attacks raises serious security concerns regarding hardware and design assurance. In this paper, we present a taxonomy of FPGA-specific hardware Trojan attacks based on activation and payload characteristics along with Trojan models that can be inserted by an attacker. We also present an efficient Trojan detection method for FPGA based on a combined approach of logic-testing and side-channel analysis. Finally, we propose a novel design approach, referred to as Adapted Triple Modular Redundancy (ATMR), to reliably protect against Trojan circuits of varying forms in FPGA devices. We compare ATMR with the conventional TMR approach. The results demonstrate the advantages of ATMR over TMR with respect to power overhead, while maintaining the same or higher level of security and performances as TMR. Further improvement in overhead associated with ATMR is achieved by exploiting reconfiguration and time-sharing of resources. Ç 1 INTRODUCTION F IELD programmable gate arrays (FPGA) are integrated circuits (IC), consisting of an array of logic blocks and distributed interconnect structure, which can be programmed and reprogrammed several times postmanufacturing to implement logic functions. Early FPGAs were used only as prototypes for implementing ASIC designs on hardware for functional verification. In the past decade, advances in fabrication processes have reduced the performance gap between FPGAs and ASICs, leading to FPGAs being the main solution in a variety of performance-critical applications. Additionally, designs implemented on FPGAs do not suffer the increasing nonrecurring engineering (NRE) costs of ASIC production. FPGAs are typically designed as an interleaved array of configurable logic blocks, programmable interconnects, and distributed embedded memory blocks (EMBs). High resource availability and the flexibility of the interconnect network enables designs to perform multiple parallel operations each cycle for increased computational power compared to sequential processors.

The majority of techniques developed to detect hardware trojans are based on specific attributes. Further, the ad hoc approaches employed to design methods for trojan detection are largely ineffective. Hardware trojans have a number of attributes which can be used to systematically develop detection techniques. Based on this concept, a detailed examination of current trojan detection techniques and the characteristics of existing hardware trojans is presented. This is used to develop a new approach to hardware trojan identification and classification. This identification can be used to compare trojan risk or severity and trojan detection effectiveness. Identification vectors are generated for each hardware trojan and trojan detection technique based on the corresponding attributes. Vectors are also defined which represent trojan risk or severity and trojan detection effectiveness.

The goal of a hardware attack is to physically access a digital system to obtain secret information or modify the system behavior. These attacks can be classified as covert or overt based on the awareness of the attack. Each hardware attack has capabilities as well as objectives. Some employ hardware trojans, which are inserted during, manufacture, while others monitor system emissions. Once a hardware attack has been identified, mitigation techniques should be employed to protect the system. There are now a wide variety of techniques, which can be used against hardware attacks. In this paper, a comprehensive survey of hardware attack mitigation techniques is presented. These techniques are matched to the hardware attacks and attack criteria they can counter, which helps security personnel choose appropriate mitigation techniques to protect their systems against hardware attacks. An example is presented to illustrate the choice of appropriate countermeasures.

Hardware Trojans (HTs) are malicious alterations to a circuit introduced at design or manufacturing phases by an adversary. Due to their diversity, detecting and/or locating them are challenging tasks. Among the different kinds of detection methods, methods based on logic testing aim to reveal the presence of HTs thanks to their logical activation and observation through primary outputs. However, HTs are stealthy in nature, i.e. mostly inactive unless triggered by a very rare condition. Furthermore, test patterns must be developed without any knowledge on the location and function implemented by the HT. A procedure has recently been proposed to identify in a netlist suspicious signals that may be part of a HT introduced at design stage: these so-called "outliers" present an activity poorly correlated with other signals. In this paper, we undertake to use outliers in order to detect a HT introduced at manufacturing stage. We propose a test pattern generation technique based on the exploration of outliers. Our assumption is that such signals may be selected by an attacker in order to trigger his/her HT.

Title of Thesis: SECURITY THROUGH OBSCURITY: LAYOUT OBFUSCATION OF DIGITAL INTEGRATED CIRCUITS USING DON’T CARE CONDITIONS Sana Mehmood Awan, Master of Science, 2015 Directed By: Professor Gang Qu, Department of Electrical and Computer Engineering and Institute for Systems Research, University of Maryland Contemporary integrated circuits are designed and manufactured in a globalized environment leading to concerns of piracy, overproduction and counterfeiting. Contemporary integrated circuits are designed and manufactured in a globalized environment leading to concerns of piracy, overproduction and counterfeiting. One class of techniques to combat these threats is circuit obfuscation which seeks to modify the gate-level (or structural) description of a circuit without affecting its functionality in order to increase the complexity and cost of reverse engineering. Most of the existing circuit obfuscation methods are based on the insertion of additional logic (called “key gates”) or ca...

Globalization has provided us with a vast choice of intellectual property (IP) core suppliers at various levels of the design flow, and parts of a design can now come from anywhere in the world. Examples include processors (ARM, Leon, SPARC, MIPS), bus controllers (AMBA), DDR controllers, memory BIST, production test DFT, UART/RS-232, Ethernet, USB, GPIO peripherals, PLLs and DLLs, JTAG, etc. This list of IPs ranges from application-specific integrated circuits (ASICs) and commercial-off-the-shelf (COTS) parts, to microprocessors/ ...

Hardware Trojan detection and protection is becoming more crucial as more untrusted third parties manufacture many parts of critical systems nowadays. The most common way to detect hardware Trojans is comparing the untrusted design with a golden (trusted) one. However, third party intellectual properties (IPs) are black boxes with no golden IPs to trust. So, previous attempts to detect hardware Trojans will not work with third party IPs. In this work, we present novel methods for Trojan protection and detection on field programmable gate arrays (FPGAs) without the need for golden chips. Presented methods work at runtime instead of test time. We provide a wide spectrum of Trojan detection and protection methods. While the simplest methods have low overhead and provide limited protection mechanisms, more sophisticated and costly techniques are introduced that can detect hardware Trojans and even clean up the system from infected IPs. Moreover, we study the cost of using the FPGA partial reconfiguration feature to get rid of infected IPs. In addition, we discuss the possibility to construct IP core certificate authority that maintains a centralized database of unsafe vendors and IPs. We show the practicality of the introduced schemes by implementing the different methodologies on FPGAs. Results show that simple methods present negligible overheads and as we try to increase security the delay and power overheads increase.

Electronic voting (e-voting) systems have been in use since the 1960s. E-voting offers many advantages compared to other voting techniques. However, it also introduces many security challenges. As it may contain malicious back-doors that can affect system dependability. In this work, we present one of e-voting challenges where the hardware Trojan tampers results totally. We implement an e-voting machine as a case study on Xilinx FPGA board. Then, we inject a hardware Trojan to tamper voting results. The attack depends mainly on the unused bits. We provide a protection technique and show its overhead. Furthermore, we introduce other attacks and protection scenarios. We compare between our selected protection techniques and others techniques. Finally, we illustrate that our chosen protection technique incurs negligible power overhead, whereas the average area and delay overheads are 4% and 10%, respectively.