1. HARDWARE TROJAN: Threats and Countermeasures
Animesh Basak Chowdhury
A joint collaboration between ISI and CAIR, DRDO
Research Supervisor : Prof. (Dr.) Bhargab B. Bhattacharya
Advanced Computing and Microelectronics Unit
Indian Statistical Institute, Kolkata, INDIA
June 07, 2016
Animesh Basak Chowdhury (ISI Kolkata) HT Detection June 07, 2016 1 / 31
2. Outline
1 HARDWARE TROJAN IN NEWS
2 INTRODUCTION
3 MOTIVATION
4 RELATED WORK
5 LOGIC TESTING BASED TROJAN DETECTION
6 SATBiST: An in-house developed TEST Framework for TROJAN DETECTION
7 RESULTS
8 CONCLUSION AND FUTURE DIRECTIONS
9 REFERENCES
3. Hardware Trojan in News
7. Introduction : Hardware Trojan (HT)
Modern semiconductor industry trends:
Outsourcing the fabrication facility.
Using third-party IPs as intermediate blocks when designing an SoC.
These trends have given rise to many threats.
An adversary can tamper with the design of an IP at the RTL level or in the gate-level netlist.
Malicious circuitry can be introduced into the design by adding a small number of gates.
Malicious tampering with a design at the hardware level is called a HARDWARE TROJAN.
13. Introduction : Hardware Trojan (HT)
Why HARDWARE TROJANs are inserted in the design:
Modify functionality.
Gain unauthorized access to the system.
Leak out sensitive information.
Launch a denial-of-service attack.
Vulnerable phases of the IC development cycle [Wolff10]
14. Motivation : WHY to Detect Hardware Trojan
Why is HARDWARE TROJAN an important area of research?
Secure hardware is a must for areas like military, health and nuclear reactor centers.
Why is a HARDWARE TROJAN a threat?
Hard to detect with conventional test patterns and functional verification.
The system may be hacked from the outside world, giving the attacker unauthorised control over the system.
Hardware Trojan activation is a RARE event. Continuous monitoring at runtime is a large overhead.
15. Trojan Detection And Countermeasures
Source : HARDWARE TROJAN - Lessons Learned After One Decade
of Research, ACM TODAES 2016, K. Xiao, D. Forte, R. Karri, S. Bhunia,
M. Tehranipoor
17. Trojan Detection : Pre-Silicon Stage
Pre-Silicon Verification and Validation
Use functional and formal verification techniques.
Assertion-based verification flows have proven to be ineffective, especially when the Trojan trigger acts as a time bomb. [Beamont11]
Most ASICs are very large and complex. Formal tools suffer from scalability issues; the inability to produce a counter-example up to a certain level doesn't guarantee the design to be Trojan-free. [Beamont11]
18. Trojan Detection : Post-Silicon Stage
Side Channel Analysis
Use current [Dak07], path delay [Jin08] and power signatures [Rad10] for comparison.
Requires a trusted IC for reference.
Unable to detect Trojans if an additional 10-12 gates are introduced to insert the Trojan.
False positive results when comparing the golden IC with the IC under test, when smaller Trojans are inserted.
19. Trojan Detection : Post-Silicon Stage
Design-for-TRUST and Logic Testing Based Techniques
Less explored area.
MERO test patterns: significant contribution in reporting Trojans of smaller sizes using a statistical approach. [RSubhra09]
DFTT: Design for Trojan Test, a framework defined to make insertion of a Trojan extremely difficult at the design level and the manufacturing level. [Jin10]
ODETTE: A non-scan design-for-test methodology for Trojan detection in ICs. Effective for uncovering Trojans in sequential circuits. [Banga11]
25. Logic Testing Based Trojan Detection : Trojan Modelling
Trojans are extremely stealthy in nature. They remain undetected unless they are triggered.
Trojan activation is a rare event.
A Trojan consists of two parts: TRIGGER and PAYLOAD.
TRIGGER is the functionality which activates the Trojan.
PAYLOAD is the node whose logic value is corrupted by activation of the Trigger.
From an attacker's viewpoint, the goal is to find suitable TRIGGER-PAYLOAD combinations which are hard to detect and moderately triggerable.
30. Logic Testing Based Trojan Detection : Trojan Modelling
Trojan insertion can be done at various levels. We are particularly interested in Trojans inserted in the gate-level netlist.
Consider a node in a gate-level netlist where the occurrence of logic value 0 or 1 is very RARE.
Now, if we AND such nodes at their RARE logic values, the simultaneous occurrence is much more RARE.
We call each such node, along with its RARE logic value, an Activation Node.
An attacker can make a TRIGGER instance by selecting any number of Activation Nodes.
33. Logic Testing Based Trojan Detection : Problem
Statement
The number of Activation Nodes, Q, depends on the attacker's choice.
Existing techniques have so far established that, for values of Q ≥ 8, the Trojans can be detected by side-channel analysis.
So, our primary target is to detect all possible Trojan instances with Q ≤ 8.
Figure showing Sequential and Combinational Trojan Circuits
38. MERO Test Pattern : A statistical approach For HT
Detection
Chakraborty, R.S. proposed a testing framework, MERO, which is an ATPG designed for detecting Trojans in a given netlist while minimizing the number of test patterns. [RSubhra09]
MERO utilizes the concept of the N-detect ATPG scheme. The framework generates test patterns which can drive each Activation Node to its RARE logic value at least N times.
The underlying assumption is that increasing the value of N also increases the test set length, which increases the possibility of simultaneous occurrence of rare logic values at the Trigger instances, thereby triggering the Trojan.
Though the framework is a huge achievement over ATPG patterns and random test patterns in Trojan detection, the technique still suffers from a scalability bottleneck and a larger test set compared to sample size.
41. SATBiST : An in-house developed scalable TEST
generation framework using ATPG Binning and SAT Solver
for HT Detection
Motivated by the scalability drawback and by the aim of providing a certain level of reliability to a system against small Trojans, we decided to develop a framework with a focus on scalability and on covering all possible Trigger instances.
The next motivation was to make use of existing optimization techniques and to make the framework easy to integrate with existing tools.
We primarily focussed on this area, as integrating this technique with multiple-parameter side-channel analysis would be able to detect Trojans with almost any Q value.
42. SATBiST : Scalable ATPG Binning and SAT Based
Approach For HT Detection
Points considered while designing the framework:
We have taken the value of the rareness threshold θ to be 0.1.
The trigger instances consist of 3 Activation Nodes, i.e. Q = 3.
The trigger instances directly corrupt a primary output (PO) or a set of POs.
We use tools such as the ATALANTA ATPG tool [ATALANTA], the HOPE fault simulator [HOPE], the Transition Probability Calculator (TPC) [Salmani12] from trust-hub.org and the zChaff SAT solver [zChaff].
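The following added example (not code from the slides, MERO or SATBiST) applies the Activation Node and Trigger model with θ = 0.1 and Q = 3 to a constructed 8-input netlist, and contrasts per-node N-detect counts with coverage of feasible trigger instances. The netlist, function names and test sets are assumptions, and exhaustive simulation stands in for the probability and ATPG tools listed above.

```python
from itertools import combinations, product

# Constructed 8-input netlist (not from the slides); gates are in topological order.
INPUTS = list("abcdefgh")
NETLIST = {
    "nef": ("NOR", ["e", "f"]),
    "n1": ("AND", ["a", "b", "c", "d"]),
    "n2": ("NOR", ["e", "f", "g", "h"]),
    "n3": ("AND", ["c", "d", "nef"]),
    "n4": ("OR", ["a", "b", "g", "h"]),
    "out": ("XOR", ["n1", "n2", "n3", "n4"]),
}
GATES = {
    "AND": all,
    "OR": any,
    "NAND": lambda v: not all(v),
    "NOR": lambda v: not any(v),
    "XOR": lambda v: sum(v) % 2 == 1,
}
ALL_PATTERNS = list(product((0, 1), repeat=len(INPUTS)))


def simulate(pattern):
    """Evaluate every node of the netlist for one input pattern."""
    vals = dict(zip(INPUTS, pattern))
    for node, (gate, fanin) in NETLIST.items():
        vals[node] = int(GATES[gate]([vals[s] for s in fanin]))
    return vals


def activation_nodes(theta=0.1):
    """Return (node, rare_value) pairs whose rare value has probability < theta.
    Exhaustive simulation replaces a probability estimator on this toy circuit."""
    rare = []
    for node in NETLIST:
        p1 = sum(simulate(p)[node] for p in ALL_PATTERNS) / len(ALL_PATTERNS)
        if p1 < theta:
            rare.append((node, 1))
        elif 1 - p1 < theta:
            rare.append((node, 0))
    return rare


def detect_counts(test_set, theta=0.1):
    """N-detect view: number of patterns driving each activation node to its rare value."""
    sims = [simulate(p) for p in test_set]
    return {(n, v): sum(s[n] == v for s in sims) for n, v in activation_nodes(theta)}


def trigger_coverage(test_set, theta=0.1, q=3):
    """Return (feasible, covered) trigger instances built from q activation nodes."""
    def fires(trigger, vals):
        return all(vals[n] == v for n, v in trigger)

    exhaustive = [simulate(p) for p in ALL_PATTERNS]
    sims = [simulate(p) for p in test_set]
    feasible = [t for t in combinations(activation_nodes(theta), q)
                if any(fires(t, v) for v in exhaustive)]
    covered = [t for t in feasible if any(fires(t, s) for s in sims)]
    return feasible, covered


# Constructed test set: every activation node is hit at least once (N >= 1) ...
T1 = [(1, 1, 1, 1, 0, 0, 1, 1), (1, 0, 0, 0, 0, 0, 0, 0), (0, 0, 0, 0, 0, 0, 0, 0)]
# ... but no Q=3 trigger fires until patterns aimed at the trigger instances are added.
T2 = T1 + [(1, 1, 1, 1, 0, 0, 0, 0), (0, 0, 1, 1, 0, 0, 0, 0)]

if __name__ == "__main__":
    for name, tests in (("T1", T1), ("T2", T2)):
        feasible, covered = trigger_coverage(tests)
        print(name, detect_counts(tests), f"{len(covered)}/{len(feasible)} triggers covered")
```

Two of the four candidate Q = 3 combinations are infeasible because their rare values conflict on a shared input, which is why coverage is measured against feasible trigger instances only.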
45. Experimental Results
Table showing SATBiST test patterns, with Q = 3, θ = 0.1, bin size B = 2000. UE denotes Under Experimentation (results yet to come).
46. Experimental Results
Table showing a comparative analysis of MERO patterns and SATBiST patterns. Note that SATBiST patterns provide 100 percent Trigger coverage. For sequential benchmarks, we restricted our results to 1 million instances and θ to 0.01, in order to comply with the number of rarely occurring nodes in the combinational ones.
47. Conclusion and Further Experimentations
Conclusion
SATBiST test patterns have shown promising results in terms of scalability, test length, and CPU time.
SATBiST test patterns have been able to provide controllability of all trigger instances.
The SATBiST framework can be easily integrated with an existing ATPG tool.
48. Conclusion and Further Experimentations
Further Experimentations
In SATBiST patterns, we have primarily considered coverage of all possible trigger instances and the Trojan instances in which the payload is a Primary Output (PO) or a set of POs.
A bipartite matching problem between uncompressed SATBiST test patterns and stuck-at ATPG patterns, to cover the maximum possible trigger-payload combinations in a given circuit.
49. References
Chakraborty, Rajat Subhra, et al. [RSubhra09]
"MERO: A statistical approach for hardware Trojan detection." Cryptographic Hardware and Embedded Systems - CHES 2009. Springer Berlin Heidelberg, 2009. 396-410.
Salmani, Hassan, Mohammad Tehranipoor, and Jim Plusquellic [Salmani12]
"A novel technique for improving hardware trojan detection and reducing trojan activation time." Very Large Scale Integration (VLSI) Systems, IEEE Transactions on 20.1 (2012): 112-125.
Wolff, Francis, Chris Papachristou, Swarup Bhunia, and Rajat S. Chakraborty. [Wolff08]
"Towards Trojan-free trusted ICs: Problem analysis and detection scheme." Proceedings of the conference on Design, automation and test in Europe. ACM, 2008.
Tehranipoor, Mohammad, and Farinaz Koushanfar [Teh101]
"A survey of hardware Trojan taxonomy and detection." (2010).
Tehranipoor, Mohammad, et al. [Teh102]
"Trustworthy hardware: Trojan detection and design-for-trust challenges." Computer 7 (2010): 66-74.
Jin, Y., Makris, Y. [Jin08]
"Hardware Trojan detection using path delay fingerprint." Hardware-Oriented Security and Trust, 2008. HOST 2008. IEEE International Workshop on. IEEE, 2008.
Agrawal, Dakshi, et al. [Dak07]
"Trojan detection using IC fingerprinting." Security and Privacy, 2007. SP'07. IEEE Symposium on. IEEE, 2007.
Rad, Reza, Jim Plusquellic, and Mohammad Tehranipoor [Rad10]
"A sensitivity analysis of power signal methods for detecting hardware Trojans under real process and environmental conditions." Very Large Scale Integration (VLSI) Systems, IEEE Transactions on 18.12 (2010): 1735-1744.
Jin, Yier, Nathan Kupp, and Yiorgos Makris [Jin10]
"DFTT: Design for Trojan test." Electronics, Circuits, and Systems (ICECS), 2010 17th IEEE International Conference on. IEEE, 2010.
Banga, Mainak, and Michael S. Hsiao [Banga11]
"ODETTE: A non-scan design-for-test methodology for trojan detection in ics." Hardware-Oriented Security and Trust (HOST), 2011 IEEE International Symposium on. IEEE, 2011.
Lee, Hyung Ki, and Dong Sam Ha [HOPE]
"HOPE: An efficient parallel fault simulator for synchronous sequential circuits." Computer-Aided Design of Integrated Circuits and Systems, IEEE Transactions on 15.9 (1996): 1048-1058.
Ha, D. S. [ATALANTA]
"ATALANTA: An ATPG Tool." Bradley Department of Electrical Engineering, Virginia Polytechnic and State University, Blacksburg, VA (1994).
Eggersglüß, Stephan, and Rolf Drechsler [Rolf]
High Quality Test Pattern Generation and Boolean Satisfiability. Springer Science & Business Media, 2012.
Moskewicz, M. W., Madigan, C. F., Zhao, Y., Zhang, L., Malik, S. [zChaff]
"CHAFF: Engineering an efficient SAT solver." Proceedings of the 38th annual Design Automation Conference. ACM, 2001.
Beaumont, Mark, et al. [Beamont11]
"Hardware Trojan : Threat, Prevention and Countermeasures, A Literature survey." Unclassified Report, Australian Government, Department of Defence. 2011.