Hardware Trojan Detection by Multiple-Parameter Side-Channel Analysis

Date post: 13-Apr-2015

Hardware Trojan Detection by Multiple-Parameter Side-Channel Analysis

Seetharam Narasimhan, Dongdong Du, Rajat Subhra Chakraborty, Somnath Paul, Francis Wolff, Christos Papachristou, Kaushik Roy and Swarup Bhunia

Abstract—Hardware Trojan attack in the form of malicious modification of a design has emerged as a major security threat. Side-channel analysis has been investigated as an alternative to conventional logic testing to detect the presence of hardware Trojans. However, these techniques suffer from decreased sensitivity towards small Trojans, especially because of the large process variations present in modern nanometer technologies. In this paper, we propose a novel non-invasive, multiple-parameter side-channel analysis-based Trojan detection approach. We use the intrinsic relationship between dynamic current and maximum operating frequency of a circuit in order to isolate the effect of a Trojan circuit from process noise. We propose a vector generation approach and several design/test techniques to improve the detection sensitivity. Simulation results with two large circuits, a 32-bit integer execution unit (IEU) and a 128-bit Advanced Encryption Standard (AES) cipher, show a detection resolution of 1.12% amidst ±20% parameter variations. The approach is also validated with experimental results. Finally, the use of a combined side-channel analysis and logic testing approach is shown to provide high overall detection coverage for hardware Trojan circuits of varying types and sizes.

Index Terms—Hardware Security, Hardware Trojan Attack, Side-channel Analysis, Logic Testing.

1 INTRODUCTION

One of the recent issues in hardware security is to provide a level of trust in Integrated Circuits (ICs) to ensure that a fabricated IC does not contain any malicious modification, also referred to as a "hardware Trojan" [1]. These malicious alterations in the circuitry can be incorporated at different stages of the design flow. However, a major concern is potential Trojan insertion in an untrusted foundry, because of the prevalence of outsourcing of IC fabrication services to foreign countries. An intelligent adversary is likely to insert a Trojan instance which evades detection during conventional post-manufacturing test but manifests itself during in-field operation [2], [3], [4]. This can be achieved by externally triggering its operation or by making it dependent on rare circuit conditions [5], [6]. We refer to the condition of Trojan activation as the trigger condition, which can be purely combinational or sequentially related to the clock or a set of rare events, and the node affected by the Trojan as its payload. Fig. 1(a) shows some example Trojan circuits, including a combinational and a sequential Trojan, inserted into a complex System-on-Chip (SoC). The malicious effects of Trojan payloads can range from passive, such as leakage of secret information [7] from a cryptographic IC, to actively altering the desired functionality of a circuit in a critical fashion [8].

• S. Narasimhan, F. Wolff, C. Papachristou and S. Bhunia are with the Department of Electrical Engineering and Computer Science, Case Western Reserve University, Cleveland, OH, 44106 USA e-mail: {sxn124, fxw12, cap2, skb21}@case.edu

• D. Du is with Hyland Software, Cleveland, OH, 44106 USA e-mail: [email protected]

• R. S. Chakraborty is with the Department of Computer Science and Engineering, Indian Institute of Technology, Kharagpur, 721302 India e-mail: [email protected]

• S. Paul is with SoC Design Lab at Intel Corp, Hillsboro, OR, USA e-mail: [email protected]

• K. Roy is with Purdue University, West Lafayette, IN, 47907 USA e-mail: [email protected].

• The work is funded by the US Department of Defense (DoD) grant FA-8650-08-1-7859.

Several approaches for hardware Trojan detection during manufacturing test have been proposed. A general taxonomy of Trojan detection approaches is shown in Fig. 1(b). These are broadly classified as: 1) logic testing and 2) side-channel analysis approaches. Conventional structural and functional testing approaches aimed at functional validation or fault coverage are not directly applicable to Trojan detection. Hence, random test patterns or Automatic Test Pattern Generation (ATPG) tool-generated test patterns do not provide high detection coverage, even for combinational Trojans which are easier to activate and observe than their sequential counterparts. Hence, statistical logic testing approaches [5], [6] have been proposed which generate structural tests to activate rare events in the circuit and propagate the malicious effect in logic values to primary outputs. Such approaches can be effective in detecting ultra-small Trojans (typically a few gates in size) reliably under large process variations. The main challenge with logic testing approaches, however, is the difficulty to trigger and observe an arbitrary Trojan instance, particularly the complex sequential Trojans, and the inordinately large number of possible Trojan instances an adversary can exploit [6].

Digital Object Identifier 10.1109/TC.2012.200 0018-9340/12/$31.00 © 2012 IEEE

IEEE TRANSACTIONS ON COMPUTERS
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.

Fig. 1. (a) Complex SoC with malicious insertion or hardware Trojan, which can be combinational or sequential. (b) Taxonomy of Trojan detection techniques.

On the other hand, measurement of physical "side-channel" parameters like power signature [11], [12], [13], [14], [15], [16], [17] or delay [18], [19] of an IC can be used to identify the presence of an undesired structural change in the design. Such approaches do not require triggering of the Trojan and observing its impact at the primary output. The major challenge is due to the extensive process variations, which can cause extreme variations in the measured side-channel parameter, e.g. 20X power and 30% delay variations in 180nm technology [20], corresponding to only 20% variations in the transistor threshold voltage. Existing side-channel approaches suffer from one or more of the following shortcomings: 1) In scaled technology nodes, with increasing process variations, the effectiveness of the process calibration techniques and hence, the Trojan detection sensitivity reduces; 2) they consider only die-to-die process variations and do not consider local within-die variations; and 3) they require design modifications, which can potentially be compromised by an adversary. Besides, the effect of process variations is worsened by measurement noise (electrical and environmental), which makes isolation of the Trojan effect even more difficult. Typically, the detection sensitivity of side-channel approaches degrades with increasing size of the original circuit and decreasing Trojan size.

In this paper, we describe a novel non-invasive multiple-parameter side-channel analysis approach for effective detection of complex Trojans under large process-induced parameter variations. The concept takes its inspiration from multiple-parameter testing [22], which considers the correlation of the intrinsic leakage (IDDQ) to the maximum operating frequency (Fmax) of the circuit in order to distinguish fast, intrinsically leaky ICs from defective ones. Instead of using only the power signature (which is highly vulnerable to variations [11], [20]), the proposed side-channel approach achieves high signal-to-noise ratio (SNR) using the intrinsic dependencies between transient supply current (IDDT) and Fmax of a circuit to identify the Trojan-infected ICs in a non-invasive manner. Here, we focus on the problem of detecting Trojans inserted in the ICs at an untrusted foundry. Hence, we assume the presence of a golden design which can be used to generate test vectors and characterize the design. It precludes the case where the design involves untrusted third-party IPs or CAD tools. Moreover, we assume that a set of golden ICs [1], [11] can be extracted from the untrusted population of ICs by destructive reverse-engineering and these will be used to characterize the golden trend line in presence of process noise.

In particular, the major contributions are as follows:
1) It proposes a multiple-parameter based non-invasive Trojan detection technique using IDDT and Fmax. This technique requires no modification to the design flow and incurs no hardware overhead.
2) It provides a theoretical analysis regarding how the relationship between the multiple parameters is used for reducing the process noise and identifying Trojans.
3) It provides both simulation verification and hardware validation with an FPGA-based measurement setup of the proposed approach.
4) In order to detect small Trojans (< 0.1% of die area) in a multi-million transistor circuit, it proposes several approaches to improve the detection sensitivity under process variation induced noise. First, it provides a structural test-generation approach that minimizes the switching activity in different parts of the design, while increasing the activity of an arbitrary Trojan within a region-under-test. Next, it proposes using power gating techniques to reduce the background current, thereby improving the SNR (signal-to-noise ratio). It also proposes using a third parameter, quiescent current (or IDDQ), to improve confidence of detection. Finally, it explores the choice of proper test conditions, such as operating voltage and frequency, to increase detection sensitivity.
5) It integrates the proposed side-channel approach and a statistical logic testing approach, which provides complementary ability for Trojan detection of different types and sizes.

The rest of the paper is organized as follows. Section 2 presents the background on past research on hardware Trojan detection and the motivation behind this work. The multiple-parameter based Trojan detection methodology is described in Section 3. Section 4 presents the simulation and measurement results. Integration of the proposed approach with a logic-testing based Trojan detection scheme is discussed in Section 5. Section 6 concludes the paper.

2 BACKGROUND

Hardware Trojans: A detailed taxonomy of Trojans and their detection mechanisms is presented in [9]. A common classification of Trojans [8], [19] is based on the activation mechanism (referred to as Trojan trigger) and the effect on the circuit functionality (referred to as Trojan payload). Trojans can be both combinationally and sequentially triggered. Fig. 1 shows an example of a combinationally triggered Trojan where the occurrence of the condition A = B at the trigger inputs A and B causes a payload node ER to have an incorrect value at ER*. An adversary is expected to choose an extremely rare activation condition so that it is highly unlikely for the Trojan to trigger during conventional manufacturing test. Sequentially triggered Trojans (the so-called "time bombs"), on the other hand, are activated by the occurrence of a sequence of rare events, or after a period of continuous operation. The simplest sequential Trojans are synchronous stand-alone counters, which trigger a malfunction on reaching a particular count. Fig. 1 shows an asynchronous k-bit counter which activates when the count reaches 2^k − 1, by modifying the node ER to an incorrect value at node ER*. Here, the count is increased not by the clock, but by a rising transition at the output of an AND gate with inputs p and q. The output of the Trojan circuit can maliciously affect the functionality of the circuit by affecting the logic values at its internal nodes (payload) as shown in the above examples. Another kind of Trojan, which has a passive payload, consists of a Linear Feedback Shift Register (LFSR) [7] which is used to leak the secret key used in cryptographic hardware by aiding in side-channel attacks. A classification of Trojans designed for information leakage is presented in [10].

Trojan Detection Approaches: Hardware Trojans are stealthy in nature because they are typically activated by rare events inside the circuit. Also, the enormous variety of Trojans makes it difficult to devise a single "silver bullet" Trojan detection technique that would be applicable for all Trojan types [8]. A general taxonomy of Trojan detection techniques is shown in Fig. 1(b). Destructive testing of a chip by de-packaging, de-metallization and micro-photography based reverse-engineering is highly expensive (in time and cost) and not a feasible solution because an attacker may selectively insert a Trojan into a small subset of the manufactured ICs [12]. The non-destructive Trojan detection approaches can be classified under two main types - (a) logic testing based, and (b) side-channel analysis based. The logic testing based Trojan detection approaches [5], [6], [24] aim to trigger rare events at internal nodes in the circuit to activate Trojans and then compare the obtained output logic values of the circuit with the expected golden values of the IC. A design technique to enhance logic-testing coverage for Trojan detection was presented in [25], by increasing the controllability of possible Trojan trigger nodes and observability of possible Trojan payloads. The test stimulus can be applied either post-manufacturing before deployment, or on-line during run-time [3], [26], [27]. On the other hand, the side-channel analysis based Trojan detection approaches [11], [13], [19], [28], [29] observe the effect of an inserted Trojan on a physical parameter such as circuit transient current, leakage current or path delay, and then compare it with the pre-characterized golden value of the parameter. If the observed value differs by more than a threshold from the golden value, the presence of a Trojan is suspected. Most side-channel analysis based techniques try to minimize the effect of process noise on the "background signal" or maximize the Trojan signal by appropriate test vector generation [12], [28], characterization of the experimental noise [11], or characterization of the measurement port transfer function [13], [14], [15] to accurately extract the side-channel information. Characterization of the golden circuit's leakage in order to detect presence of Trojan is described in [29], [30]. Design techniques for improving Trojan detection sensitivity for side-channel analysis are presented in [15], [18].

Both classes of Trojan detection techniques have their relative pros and cons. The main challenge for logic testing based approaches is the extremely large Trojan design space, which makes complete enumeration and test generation computationally infeasible. The advantage of side-channel analysis based approaches is that even if the Trojan circuit does not cause observable malfunction in the circuit during test, the presence of the extra circuitry can be reflected in the measured side-channel parameter. However, the main challenges associated with side-channel analysis are large process-induced parameter variations in modern nanometer technologies [20], and measurement noise, which can mask the effect of an inserted Trojan circuit, especially for small Trojans. Moreover, most of the proposed techniques do not consider simultaneous elimination of the effects of "inter-die" or global process variation (the variation between different ICs), as well as "intra-die" or local process variation (the variation in the same IC) on the measured parameter. Recent work on calibrating the effect of within-die parameter variations on the leakage current has been presented in [14]. While the calibration circuitry can itself be tampered with to hide the Trojan effect, the sensitivity of such an approach also degrades for large designs and small Trojans because of the exponential nature of dependence of leakage current on process variations. The main motivation behind the work described in this paper is the development of a non-invasive side-channel analysis based Trojan detection technique which systematically eliminates both global and local process variation effects by using multiple measured parameters like maximum operating frequency and transient current.

3 METHODOLOGY

Any malicious hardware (Trojan) inserted in a trusted design will consume leakage power, which is largely dependent on the size of the Trojan. It will also contribute to the dynamic power when any switching activity is induced inside the Trojan. Power analysis techniques can, therefore, be employed to discover the differences in side-channel information between trusted and untrusted ICs [11]. However, there are two main challenges in such techniques:
1) Small Trojan circuits are likely to cause little or no change in the supply current, thereby making it difficult to discover their presence, effectively resulting in "false negatives", and
2) Leakage current in scaled technologies can vary by up to 20X [20] due to process variations. Thus a "false positive" may be detected when differences between the power consumption of trusted and untrusted ICs are masked by process variations. Also, if provision is made for a "guard-band" to account for the process variation effects, some tampered ICs can be considered benign.
Trojan detection based on the analysis of side-channel information has two major advantages: 1) it is non-invasive - i.e. it does not require design modification or any post-manufacturing destructive procedure; and 2) it does not require activation of the malicious payload of the Trojan to observe its impact at primary output nodes, which can be extremely difficult for a complex sequential Trojan during manufacturing test.

3.1 Multiple-parameter Trojan Detection

In order to use side-channel analysis for Trojan detection, we need to distinguish between the Trojan contribution and process noise by comparing the side-channel information for the golden and the untrusted ICs. However, the effect of a Trojan circuit on the maximum operating frequency or Fmax and the transient supply current or IDDT can be masked by process variations. Average IDDT and Fmax values for an 8-bit ALU circuit (c880 from ISCAS-85 benchmark suite) obtained from simulation in HSPICE are plotted in Fig. 2(a) and Fig. 2(b) for 100 chips which lie at different process corners. Here, we consider only die-to-die or inter-die variations in transistor threshold voltage (Vth), where all transistors in a die experience similar variations. The effect of process-induced variations in other parameters like Tox and Leff can be modeled as variations in Vth [21]. The effect of a combinational Trojan (8-bit comparator circuit) is only observed in the current; it does not affect the Fmax because it is not inserted in the critical path of the circuit. The spread in IDDT due to variation easily masks the effect of the Trojan, making it infeasible to isolate from process noise, as shown in Fig. 2(a). The problem becomes more severe with decreasing Trojan size or increasing variations in device parameters in scaled technologies.

To overcome this issue, the intrinsic relationship between IDDT and Fmax can be utilized to differentiate between the original and tampered versions. The plot for IDDT vs. Fmax for the ISCAS-85 circuit c880 is shown in Fig. 2(c). It can be observed that two chips (e.g. Chip_i and Chip_j) can have the same IDDT value, one due to presence of Trojan and the other due to process variation. By considering only one side-channel parameter, it is not possible to distinguish between these chips. In fact Chip_i and Chip_k are at the same process corner as indicated by their identical Fmax values. However, the correlation between IDDT and Fmax can be used to distinguish malicious changes in a circuit under process noise. The presence of a Trojan will cause the chip to deviate from the trend line. As seen in Fig. 2(c), the presence of a Trojan in Chip_i causes a variation in IDDT when compared to a golden chip (Chip_k), while it does not have similar effect on Fmax as induced by process variation - i.e. the expected correlation between IDDT and Fmax is violated by the Trojan.

Note that in the proposed approach, Fmax is used for calibrating the process corner of the chips. It is usually measured for each chip during the speed-binning process of testing. In practice, the delay of any path in the circuit can be used for this purpose. Hence, it becomes difficult for an attacker to know in advance which path delay will be used for calibrating process noise. Since a typical design will have exponentially large number of paths, it is infeasible for an attacker to manipulate all circuit paths in order to hide the Trojan effect. Furthermore, even if the path is guessed by the attacker, an inserted Trojan is likely to increase both delay and activity of the path on which it is inserted. Hence, a chip containing the Trojan will deviate from the expected IDDT vs. Fmax trend line, where both current and frequency increase or decrease simultaneously. Finally, in order to alter the Fmax such that the Trojan evades the multiple-parameter approach (i.e., it falls within the limit line in Fig. 2(c)), the adversary needs to know the exact magnitude of process variation for each path of each chip, which is difficult to estimate prior to fabrication [20].

Fig. 2. (a) Average IDDT values at 100 random process corners (with maximum variation of ±20% in inter-die Vth) for c880 circuit. The impact of Trojan (8-bit comparator) in IDDT is masked by process noise. (b) Corresponding Fmax values. The Fmax vs. IDDT plot can help identify Trojan-containing ICs under both (c) inter-die and (d) intra-die process variations.

Fig. 2(d) shows the effect of random intra-die process variation effects on top of inter-die variations upon the IDDT and Fmax values for 1000 instances of the c880 circuit with and without Trojan. We performed Monte Carlo simulations in HSPICE using inter-die (σ = 10%) and intra-die (σ = 6%) variations in Vth (see Fig. 3). In this case, the transistors on the same die can have random variations on top of a common inter-die shift from the nominal process corner, causing deviations from the trend line obtained by considering only inter-die variations. However, the spread in IDDT values for a fixed Fmax value is much less compared to the total spread in IDDT across all process corners. The trend line is obtained by using polynomial curve fitting of order three in MATLAB, which matches the trend obtained by considering only inter-die process variation effects. By computing the spread in IDDT values for a given Fmax, corresponding to a particular inter-die process corner, we can estimate the sensitivity of the approach in terms of Trojan detection. Any Trojan which consumes extra current less than this spread will remain undetected. The limit line is obtained by scaling the trend line by the spread factor, which is computed using the mean and standard deviation of the actual spread in IDDT values for a given Fmax, for the golden sample of ICs and allows us to identify all the Trojan instances without any error, even for a small Trojan. A theoretical basis for the existence of a trend line between IDDT and Fmax under process variations is provided in Appendix A.

Fig. 3. Effect of process variations (both inter- and intra-die) on device threshold voltage [17].

3.2 Improving Detection Sensitivity

The minimum size of Trojan which can be detected by any side-channel approach based on the measurement of current for a given amount of process noise is quantified by the detection sensitivity. In a single Vth (or Fmax) point, the sensitivity can be expressed as:

$$\text{Sensitivity} = \frac{I_{tampered} - I_{original}}{I_{original}} \times 100\%. \qquad (1)$$

The detection sensitivity of the proposed approach reduces with decreasing Trojan size and increasing circuit size. In order to extend the approach for detecting small sequential/combinational Trojans in large circuits (with > 10^5 transistors), we need to improve the SNR using appropriate side-channel isolation techniques. Clearly, the sensitivity can be improved by increasing the current contribution of the Trojan circuit relative to that of the original circuit. Next, we describe different techniques used to reduce I_original and increase its difference from I_tampered.
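As an added illustration of the trend line, the limit line (Section 3.1) and the sensitivity of Eq. (1), the following is not the authors' HSPICE/MATLAB flow: the chip model, the noise magnitudes, the 4-sigma guard band and every function name are assumptions made here for a constructed golden population.

```python
"""IDDT-vs-Fmax trend/limit-line screening on a constructed chip population.

Added example, not the authors' HSPICE/MATLAB flow: the chip model, the
noise magnitudes, the 4-sigma guard band and the helper names are all
assumptions made here to illustrate Section 3.1 and Eq. (1).
"""
import random
import statistics

INTER_DIE_SIGMA = 0.10   # paper's inter-die Vth sigma of 10%
INTRA_DIE_SIGMA = 0.005  # assumed net effect of intra-die noise on average IDDT
SIGMA_MULT = 4.0         # assumed guard-band width used to build the limit line


def make_chip(rng, trojan_extra=0.0):
    """Return (Fmax, IDDT) for one simulated die.

    Assumed physics: a low threshold voltage makes the die both faster and
    hungrier, so Fmax and IDDT move together along a smooth trend line. A
    Trojan off the critical path adds current but leaves Fmax unchanged.
    """
    vth = 1.0 + rng.gauss(0.0, INTER_DIE_SIGMA)       # normalised threshold voltage
    fmax = 1.0 / vth                                   # faster when Vth is low
    trend = 0.5 * fmax + 0.3 * fmax ** 2               # constructed IDDT trend
    iddt = trend * (1.0 + rng.gauss(0.0, INTRA_DIE_SIGMA))
    return fmax, iddt * (1.0 + trojan_extra)


def golden_sample(seed=7, n=500):
    """Constructed golden population standing in for reverse-engineered golden ICs."""
    rng = random.Random(seed)
    return [make_chip(rng) for _ in range(n)]


def polyfit(xs, ys, degree=3):
    """Least-squares polynomial fit via the normal equations (pure Python)."""
    n = degree + 1
    a = [[sum(x ** (i + j) for x in xs) for j in range(n)] for i in range(n)]
    b = [sum(y * x ** i for x, y in zip(xs, ys)) for i in range(n)]
    for col in range(n):                               # Gaussian elimination, partial pivoting
        piv = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[piv], b[col], b[piv] = a[piv], a[col], b[piv], b[col]
        for r in range(col + 1, n):
            f = a[r][col] / a[col][col]
            for c in range(col, n):
                a[r][c] -= f * a[col][c]
            b[r] -= f * b[col]
    coef = [0.0] * n
    for i in reversed(range(n)):                       # back substitution
        coef[i] = (b[i] - sum(a[i][j] * coef[j] for j in range(i + 1, n))) / a[i][i]
    return coef


def polyval(coef, x):
    return sum(c * x ** i for i, c in enumerate(coef))


def characterise(golden):
    """Fit the cubic trend line and derive the limit line's spread factor.

    The spread factor follows the paper's recipe (mean and standard deviation
    of the IDDT spread around the trend line of the golden sample); the
    SIGMA_MULT width is this example's assumption.
    """
    coef = polyfit([f for f, _ in golden], [i for _, i in golden])
    resid = [i / polyval(coef, f) - 1.0 for f, i in golden]   # relative spread
    spread = statistics.mean(resid) + SIGMA_MULT * statistics.pstdev(resid)
    return coef, 1.0 + spread


def is_suspect(model, fmax, iddt):
    """Flag a die whose IDDT lies above the limit line at its own Fmax."""
    coef, spread_factor = model
    return iddt > polyval(coef, fmax) * spread_factor


def min_detectable_pct(model):
    """Detection sensitivity per Eq. (1): the smallest extra current, as a
    percentage of the original current, that crosses the limit line."""
    return (model[1] - 1.0) * 100.0


if __name__ == "__main__":
    model = characterise(golden_sample())
    rng = random.Random(11)
    print("min detectable Trojan current: %.2f%%" % min_detectable_pct(model))
    print("golden die flagged:", is_suspect(model, *make_chip(rng)))
    print("4%% Trojan flagged:  %s" % is_suspect(model, *make_chip(rng, 0.04)))
```

A Trojan whose extra current is below the spread factor at its Fmax stays under the limit line, which is exactly the undetected case the text describes.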

3.2.1 Test Vector Selection

Note that although Fmax is a unique parameter for each IC, the average IDDT is a function of the applied input vector. A set of patterns that maximizes the activity in the Trojan circuit, while reducing the background current, is likely to provide the best signal-to-noise ratio. Our test generation approach tries to maximize the contribution of an arbitrary Trojan circuit in supply current while minimizing the effect of background current. Fig. 4 illustrates the overall methodology for the proposed Trojan detection technique, along with the steps of the test vector generation algorithm [17].

Fig. 4. Major steps in the multiple-parameter Trojan detection approach.

A complex circuit under test (CUT) typically comprises several functional modules {M_i}, which are interconnected according to their input/output dependencies. In general, the activity in most functional blocks can be controlled by input conditions. For example in a processor, activity in the floating point unit (FPU), branch logic or memory peripheral logic can be turned off by selecting an integer ALU operation. Similarly, in a pipelined processor, the different pipeline stages correspond to the different regions. By repeating the same initial test instruction, we can fill the pipeline such that on application of a new test vector, the different pipeline stages are activated one-at-a-time. Any large functional block is further partitioned by hypergraph partitioning or by using other region-based partitioning approaches [12]. The partitioning approach should consider the following properties: 1) The blocks should be reasonably large to cancel out the effect of random parameter variations, but small enough to minimize the background current. 2) The blocks should be functionally independent so that the test generation process can increase the activity of one block (or few blocks) while minimizing the activity of all others.

Next, we generate test vectors for activating each module separately. The test vector generation algorithm needs to take into account two factors: 1) Only one region must be activated at a time. 2) When a particular region is being activated, the test vectors should try to activate possible Trojan trigger conditions in order to cause some switching activity within possible Trojan circuits. This motivates us to consider a modified version of the statistical test generation approach (MERO) proposed in [6] for maximizing Trojan trigger coverage. Note that, unlike logic testing approaches, the Trojan payload need not be affected during test time, and the observability of the Trojan effect on the side-channel parameter is enough to signify the presence of the Trojan. For each module Mi, we use connectivity analysis in order to assign weights to the primary inputs in terms of their tendency to maximize activity in the region under consideration while minimizing activity in other regions. This step can also identify control signals which can direct the activity exclusively to particular regions. Next, we generate weighted random input vectors and estimate the activity within each region for each pair of input vectors using a graph-based functional simulation approach. We sort the vectors based on a metric Cij which is higher for a vector pair which can maximally activate module Mi while minimizing activity in each of the other modules. Then, we prune the vector set to choose a reduced but highly efficient vector set generated by MERO, which is motivated by the N-detect test generation technique [33]. In this approach, we identify internal nodes with rare values within each module, which can be candidate trigger signals for a Trojan. Then we identify the subset of vectors which can take the rare nodes within the module to their rare values at least N times, thus increasing the trigger possibility of arbitrary Trojans. The vectors for all regions are combined to generate a test suite which can be applied to each chip for measuring supply current corresponding to each of its regions.
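The rare-node and N-detect steps of the test vector selection described above, as an added example in Python that is not code from the paper or from MERO: a constructed eight-input netlist stands in for one module, nodes whose value probability falls below a rareness threshold θ (the same parameter used in Section 5) are identified, the vector set is pruned so that every rare node reaches its rare value at least N times, and consecutive vector pairs are ranked by toggles inside a target region minus toggles elsewhere. The netlist, the region partition and that ranking score are assumptions; the score is a constructed stand-in for the paper's Cij, not its definition.

```python
"""Rare-node identification and N-detect vector pruning for one module.

Added illustration, not code from the paper or MERO. The module is a small
constructed netlist: vectors are simulated to find nodes whose value is rare
(probability below theta), the vector set is pruned to the subset that drives
every rare node to its rare value at least N times, and consecutive vector
pairs are scored by toggles inside a target region minus toggles elsewhere
(a constructed stand-in for the paper's C_ij metric)."""
import itertools
import random

# Constructed netlist, node -> (gate, inputs), listed in topological order.
NETLIST = {
    "n1": ("and", ("a", "b")),
    "n2": ("and", ("c", "d")),
    "n3": ("and", ("n1", "n2")),  # 1 only when a=b=c=d=1: rare value 1
    "n4": ("or", ("e", "f")),
    "n5": ("or", ("n4", "g")),    # 0 only when e=f=g=0: rare value 0
    "n6": ("xor", ("h", "n3")),
    "n7": ("and", ("n3", "n5")),  # 1 only when n3=1 and n5=1: rare value 1
}
PRIMARY_INPUTS = ("a", "b", "c", "d", "e", "f", "g", "h")
REGIONS = {"M1": ("n1", "n2", "n3", "n6"), "M2": ("n4", "n5", "n7")}  # constructed
GATES = {"and": lambda x, y: x & y, "or": lambda x, y: x | y, "xor": lambda x, y: x ^ y}


def simulate(vector):
    """Evaluate every internal node for one input vector (dict of 0/1 values)."""
    values = dict(vector)
    for node, (gate, inputs) in NETLIST.items():
        values[node] = GATES[gate](values[inputs[0]], values[inputs[1]])
    return values


def all_vectors():
    """Exhaustive input space (2^8 vectors), giving exact value probabilities."""
    return [dict(zip(PRIMARY_INPUTS, bits))
            for bits in itertools.product((0, 1), repeat=len(PRIMARY_INPUTS))]


def find_rare_nodes(vectors, theta):
    """Map node -> rare value for nodes whose value probability is below theta."""
    ones = {node: 0 for node in NETLIST}
    for vector in vectors:
        values = simulate(vector)
        for node in NETLIST:
            ones[node] += values[node]
    rare = {}
    for node, count in ones.items():
        p_one = count / len(vectors)
        if p_one < theta:
            rare[node] = 1
        elif 1.0 - p_one < theta:
            rare[node] = 0
    return rare


def n_detect_prune(vectors, rare_nodes, n):
    """Greedy N-detect pruning: keep a vector only while it drives some rare
    node that is still short of n hits to its rare value."""
    hits = {node: 0 for node in rare_nodes}
    selected = []
    for vector in vectors:
        values = simulate(vector)
        useful = [node for node, rare_value in rare_nodes.items()
                  if values[node] == rare_value and hits[node] < n]
        if useful:
            selected.append(vector)
            for node in useful:
                hits[node] += 1
        if all(count >= n for count in hits.values()):
            break
    return selected, hits


def pair_activity(first, second, nodes):
    """Number of listed nodes that toggle when `first` is followed by `second`."""
    before, after = simulate(first), simulate(second)
    return sum(before[node] != after[node] for node in nodes)


def rank_pairs(vectors, target):
    """Score consecutive pairs by toggles inside `target` minus toggles in the
    other regions; highest score first."""
    scored = []
    for first, second in zip(vectors, vectors[1:]):
        inside = pair_activity(first, second, REGIONS[target])
        outside = sum(pair_activity(first, second, nodes)
                      for name, nodes in REGIONS.items() if name != target)
        scored.append((inside - outside, first, second))
    return sorted(scored, key=lambda item: item[0], reverse=True)


if __name__ == "__main__":
    pool = all_vectors()
    random.Random(3).shuffle(pool)  # random vector order, as in a generated test set
    rare = find_rare_nodes(pool, theta=0.2)
    chosen, counts = n_detect_prune(pool, rare, n=10)
    print("rare nodes:", rare, "| kept", len(chosen), "of", len(pool), "| hits:", counts)
    print("best pair score for region M1:", rank_pairs(chosen, "M1")[0][0])
```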

3.2.2 Power Gating and Operand Isolation

To prevent unwanted switching in independent functional modules, low-power designs conventionally use power gating techniques such as clock gating, supply gating or operand isolation. We propose to employ the already-existing power gating controls to improve Trojan detection sensitivity by reducing Ioriginal, without introducing any modifications to the design. These approaches are supplementary to the test vector generation technique described earlier and are applicable to circuits in which the region-based test generation is not very effective. We applied these techniques to the Advanced Encryption Standard (AES) circuit, shown in Fig. 5 [23]. It should be noted that depending on the functionality of the CUT, it might not always be possible to switch off certain units whose outputs feed other dependent modules. Thus, when testing for a Trojan in module 4, we cannot shut off modules 1 and 3 that affect the controllability (and hence the activity) of the internal nodes in 4. One major concern against using power gating is that if we introduce power gating during test time as a method to increase our Trojan detection sensitivity, the attacker can use these control signals to disable the Trojan during test time. However, in this case, it is difficult for the adversary to distinguish between the normal functional mode and the Trojan detection mode, since the decision about which blocks are turned off or biased is taken dynamically. Hence, the attacker cannot use the power gating techniques to reduce the current contribution of the inserted Trojan.

Fig. 5. Schematic showing the functional modules of the AES cipher circuit. The “Key Expand” module is clock-gated and operand isolation is applied to the “SBOX” modules to reduce the background current.


Fig. 6. The correlation among IDDT, IDDQ and Fmax can be used to improve Trojan detection confidence.

3.2.3 Use of Other Side-channel Parameters

It should be noted that various measurable parameters can be used for multiple-parameter side-channel-based Trojan detection where at least one parameter is affected by the Trojan and other parameters are used to calibrate the process noise. Besides IDDT and Fmax, other circuit parameters such as quiescent or leakage current (IDDQ) can also be used to increase the confidence level. Apart from contributing to the dynamic current (IDDT), a Trojan will also contribute to the leakage current (IDDQ). Moreover, similar to IDDT, the value of IDDQ increases monotonically with Fmax for a given design from one process corner to another. Thus any decision derived from studying the IDDT vs. Fmax relation can be reinforced by observing the IDDQ vs. Fmax relation for the same set of ICs. Similar to IDDT, the value of IDDQ is input-dependent; thus, a low-leakage vector can improve the IDDQ sensitivity to a Trojan. To understand the joint effect of the three variables, we simulated the c880 circuit with and without an 8-bit comparator Trojan. Fig. 6 shows a 3-D plot of IDDT, IDDQ and Fmax, with projections on the IDDQ–Fmax and IDDT–Fmax planes. We can observe that a Trojan instance clearly isolates a chip in the multiple-parameter space from process-induced variations.

3.2.4 Test Conditions

During side-channel testing, the choice of testing conditions can have a significant impact on the sensitivity of Trojan detection. For instance, the placement of the current sensor to measure IDDT for the chip is an important parameter. It should be noted that in the case of a non-invasive approach for Trojan detection, the current sensors are not inserted within the chip. Also, if they are inserted within the chip, they can be tampered with by the attacker. However, it is advisable to measure the current as close to the pins as possible. If we measure the current drawn from the power supply, the averaging effect of the bypass capacitors on the board can have a negative impact on Trojan detection sensitivity. Also, if the current sensing can be done at individual VDD pins at the chip level, instead of at the common supply node at the board level, we can divide the background current into a considerably smaller value. It can also help in isolating the Trojan effect if the functional regions being activated draw supply current dominantly from different VDD pins. In this context, the region-based Trojan detection approach described in [13] explains how one can use the supply current values for different regions to calibrate the process noise.

The value of the supply voltage and the operating frequency during testing can also be varied to get better Trojan detection sensitivity with our approach. As the supply voltage is reduced below nominal, the gates start switching more slowly. Also, the dynamic and leakage currents are reduced. Since we use the average current measured over a clock period as the IDDT value corresponding to a pair of test vectors, it contains components from both the switching current and the leakage current. Based on the equations derived in Section A and the trend lines in Fig. 6, a linear trend line exists between Fmax and IDDT, whereas the relation between Fmax and IDDQ is non-linear. We can see that if the measured average current is dominated by the leakage component, the relationship has a non-linear trend. If the trend remains close to linear, it is easier to get a limit line and determine a threshold for characterizing process variations. We can reduce the leakage component by measuring the average leakage current for the same vector and subtracting it from the measured switching current to extract the actual IDDT. On the other hand, we can get similar sensitivity by measuring the current for a shorter period of time (i.e., at a high operating frequency), which leaves very little margin beyond the critical path delay, or by testing at a lower supply voltage, when the gate delays increase and consume the slack for the particular operating frequency. If other low-power design techniques are built into the design, like applying body-bias to reduce leakage, clock/supply gating, or adaptive voltage scaling for different functional regions, these can be used to our advantage in order to increase Trojan detection sensitivity.

4 RESULTS

4.1 Simulation-based Verification

4.1.1 Test Setup

We used two test cases to validate the proposed Trojan detection approach: 1) an AES cipher circuit with an equivalent area of slightly over 25,000 two-input NAND gates (i.e., > 10^5 transistors) and about 30% of the total area contributed by memory elements, and 2) a 32-bit pipelined Integer Execution Unit (IEU) with about 20,000 two-input gates. Both designs were synthesized using Synopsys Design Compiler and mapped to a LEDA library. To determine the trend line and estimate the Trojan detection sensitivity, we used ±20% variation over the nominal Vth in our simulations. We validated our technique with both 250nm TSMC models and 70nm Predictive Technology Model (PTM) [34] models to establish the technology scalability of our approach. Finally, we used Monte Carlo simulations in HSPICE with random variations in inter-die and intra-die Vth.

Fig. 7. Trojans considered in our simulation setup.

We introduced four types of Trojan circuits in the two test circuits, with each Trojan type having an area an order of magnitude smaller than the previous type. Trojans I, II and III are sequential Trojans which are designed as counters of decreasing size (24, 10 and 3 flip-flops, respectively). However, they derive their clock from internal nodes of the circuit with rare values. Trojan IV is a combinational 8-bit comparator circuit, which occupies a meagre 0.04% of the AES circuit area. Fig. 7 shows schematics of the Trojan circuits considered in our simulations.

4.1.2 Results

Fig. 8(a) shows a plot of IDDT vs. Fmax for the AES circuit, with and without an inserted Trojan of type I. From this plot, it is observed that the current differential due to the Trojan circuit is only 2.63% at different process corners. For smaller Trojan circuits (Trojan II-IV), this difference is less prominent and likely to be masked by process noise. Thus the clock gating and operand isolation as discussed in Section 3.2.2 were implemented to improve the Trojan detection sensitivity in the AES test circuit. As a result of selective gating, it was possible to reduce the average activity per node significantly (from 0.16 to 0.05). Fig. 8(b) shows the average IDDT vs. Fmax plots for Trojan I, with power gating applied, which increases the sensitivity from 2.63% (Fig. 8(a)) to 12.2%. The sensitivity for different Trojan sizes is shown in Table 1.

(a) Trojan I in AES. (b) Trojan I in AES, w/ gating.
(c) Trojan II in 32-bit IEU. (d) Trojan III in 32-bit IEU.

Fig. 8. IDDT vs. Fmax relationship for both golden and tampered AES and IEU circuits showing the sensitivity of our approach for detecting different Trojan circuits.

TABLE 1
Detection sensitivity for different Trojan sizes in AES.

Trojan Type        Trojan Size   Sensitivity (w/o gating)   Sensitivity (w/ gating)
I (seq, 24-FF)     1.10%         2.63%                      12.20%
II (seq, 10-FF)    0.40%         1.70%                      8.60%
III (seq, 3-FF)    0.11%         0.81%                      3.53%
IV (comb, 8-bit)   0.04%         0.23%                      1.12%

TABLE 2
Detection sensitivity for different Trojan sizes in IEU.

Trojan Type   Trojan Size   Sensitivity (IDDQ)   Sensitivity (IDDT, vec 1)   Sensitivity (IDDT, vec 2)
I             14.0%         17.1%                6.79%                       12.22%
II            4.0%          6.93%                2.82%                       5.92%
III           1.14%         2.00%                1.12%                       3.33%
IV            0.5%          0.21%                0.45%                       2.01%

Fig. 8(c) and 8(d) show IDDT vs. Fmax trends for the 32-bit IEU circuit, which show sensitivity reduction with decrease in Trojan size. These sensitivity values can be improved by choosing proper low-activity vectors which reduce the background current. The improvement in sensitivity for different Trojan circuits due to low-activity vectors is shown in Table 2. Fig. 9 shows the detection sensitivity using the multiple-parameter approach for Trojans of different sizes in the IEU circuit. Large sequential Trojans having 24 and 10 flip-flops have better sensitivity with IDDQ, since the Trojan circuit occupies a considerable percentage of the original circuit area. However, smaller sequential (3 flip-flops) and combinational Trojans (16, 10, 8-bit comparators) which occupy a very small percentage of the area have very low detection sensitivity using IDDQ. Since quiescent current is measured for the entire circuit, its sensitivity decreases for large circuits and small Trojans. In this regard, multi-power port measurement [13] can be useful to attain higher confidence. However, using IDDT and low-activity vectors, we can increase the detection sensitivity to more than 2%. For ultra-small Trojans (4-bit comparator), the side-channel sensitivity is below 2%, which can be increased by proper test conditions. Moreover, such Trojans are easily detected by logic-testing approaches [6].

Fig. 9. Sensitivity of Trojans of different sizes and types to different parameters.

Fig. 10. Effect of random process variations using Monte Carlo simulations with inter-die σ = 10% and random intra-die σ = 6% for the 32-bit IEU circuit with Trojan IV inserted. VDD = 1V, Period = 5ns.

(a) VDD=1V, Period=3ns (b) VDD=0.8V, Period=3ns

Fig. 11. Choosing a faster clock period (3ns) and lowering the supply voltage from 1V to 0.8V gives better Trojan detection accuracy.

Fig. 10 shows the results of Monte Carlo simulations for 1000 instances of the IEU circuit with and without Trojan IV. Here we consider both die-to-die and within-die variations as well as uncorrelated variations between NMOS and PMOS threshold voltages. Using a 2% sensitivity limit line, we obtain 99.3% Trojan detection accuracy, with 0.3% false alarms, which indicates that 3 out of 1000 dies fall beyond the 2% limit line. Hence, the multiple-parameter approach is shown to work even under random process variation effects on top of inter-die variations. However, these results were obtained at a nominal supply voltage of 1V and a relatively low operating frequency of 200 MHz (clock period = 5ns). As described in Section 3.2.4, we can use supply voltage scaling and frequency scaling during testing to make the measured supply current reflect the switching current (IDDT) only. By reducing the slack when no switching activity takes place in the circuit, we can get better Trojan detection sensitivity as shown in Fig. 11. By decreasing the clock period to 3ns, we limit the idle time within the measurement period. Also, by reducing the supply voltage to 0.8V, the switching speed of the gates reduces and the slack decreases further to give a large separation between the golden trend line and the Trojan IDDT. Thus, proper choice of test conditions can lead to increased sensitivity for detecting ultra-small combinational Trojans.

4.2 Hardware Validation

4.2.1 Test Setup

Hardware validation of the proposed multiple-parameter approach was performed using an FPGA platform where FPGA chips were used to emulate the ASIC scenario. We wanted to observe the effectiveness of the proposed approach in isolating the Trojan effect in the presence of process variations, when a golden design and its variant with a Trojan are mapped to the FPGA devices. Such an FPGA-based test setup provides a convenient platform for hardware validation using different Trojan types, sizes and even different designs. The selected FPGA device was Xilinx Virtex-II XC2V500 fabricated in 120nm CMOS technology. We designed a custom test board with socketed FPGAs for measuring current from eight individual supply pins as well as the total current, using 0.5Ω precision current sense resistors. The test circuit was the 32-bit IEU with a 5-stage pipelined multiplier, which has a logic utilization of 90% of the FPGA slices. The Trojan circuit was a sequential counter circuit, whose size was varied from 256 (1.76% of design size) to 4 (0.03%) flip-flops. IDDT was monitored for two types of input vectors: low-activity logic operations and high-activity multiplication operations.

(a) Test Board schematic (b) Schematic of IEU
(c) Experimental Setup (d) Recorded waveforms

Fig. 12. (a) Test PCB schematic. (b) Test circuit schematic. (c) Experimental setup. (d) Snapshot of measured IDDT waveform from oscilloscope.

Fig. 13. Timing diagram for application of test vectors and acquisition of average current values (IDDT).

The test setup is shown in Fig. 12. In order to measure IDDT, we measured the voltage drop across a sense resistor, using a high-side current sensing strategy. To increase the accuracy of measurements amidst measurement noise, the sense resistors were connected between the core VDD pins and the bank of bypass capacitors. A differential probe was used to measure the voltage waveforms, which were recorded using an Agilent mixed-signal oscilloscope (100 MHz, 2 Gsa/sec). The timing diagram for the application of test vectors, along with the SYNC signal for averaging the current waveform over multiple applications of the same test vectors, is shown in Fig. 13. The waveforms were synchronized with a 10 MHz clock input and recorded over 16 cycles corresponding to a pattern of 16 input vectors. A “SYNC” signal was used to indicate the first input vector in the set, so that the current can be measured for the same vectors in all cases. Average current waveforms were obtained from the oscilloscope by averaging over 1024 repetitions of the same vector set in order to reduce the measurement and temporal noise. We performed experiments with 10 FPGA chips from the same lot, which were placed in the same test board using a BGA socket, with the same design mapped to each chip.

Frequency (an estimate of Fmax) was measured for process calibration of the FPGA chips using a 15-inverter chain ring oscillator circuit with an on-chip counter, as described in [35]. The measurement of ring oscillator frequencies mapped to the FPGAs was done multiple (10) times with a stable experimental setup to ensure similar operating conditions including temperature, and averaged to eliminate temporal variations. The spatial variations were averaged by measuring the ring oscillator frequency from 5 different placements (4 quadrants and center) of the ring oscillator in each IC (taking care to preserve the internal routing). The entire set of measurements for the 20 test chips (taking a total time of 14 hours) was repeated three times to ensure the accuracy of the trend line.

(a) IDDT values (b) IDDT vs. Fmax

Fig. 14. Measurement results for 10 FPGA chips showing (a) IDDT values only and (b) IDDT vs. Fmax trend for the IEU test circuit and a 16-bit sequential Trojan (0.14% area).

4.2.2 Results

The experimental results for the multiple-parameter testing approach are shown in Fig. 14. The results show that while measurements of IDDT only (Fig. 14(a)) may not be able to capture the effect of a Trojan under parameter variations, multiple-parameter based side-channel analysis can be effective in isolating it. For a set of golden chips, IDDT vs. Fmax follows an expected trend under process noise, and deviation from this trend indicates the presence of structural changes in the design. Fig. 14(b) shows this scenario for 10 FPGA chips, 8 golden and 2 with Trojans (16-bit sequential Trojan). The ones with Trojans stand out from the rest in the IDDT vs. Fmax space. Note that some design marginalities, such as small capacitive coupling, which cause localized variation, can make the IDDT vs. Fmax plot for golden chips deviate from the linear trend. Also, a better trend can be obtained by performing measurements over a larger population of chips than was available.

Fig. 15(a) shows the measured IDDT vs. Fmax trend for a 4-bit sequential Trojan, which occupied 0.03% of logic resources in the FPGA. By drawing a limit line with a sensitivity of 2%, we get errors in Trojan detection. Lowering the sensitivity to 1% will decrease the number of false negatives (Trojan chips classified as golden), but increase the number of false positives (golden chips classified as Trojan). To improve the sensitivity of Trojan detection, we subtracted the background current (current measured with no input activity) for each chip and the corresponding IDDT vs. Fmax trend is shown in Fig. 15(b). Even with a sensitivity of 1%, we can now clearly identify the Trojan chips without any errors.

(a) With background current. (b) Without background current.

Fig. 15. Measured IDDT vs. Fmax results for 8 golden and 2 Trojan chips for the IEU circuit with and without a 4-bit sequential Trojan (0.03% area).

Fig. 16. Trojan detection sensitivity decreases with Trojan size but improves by proper test vector selection.
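The limit-line classification behind the Monte Carlo results of Section 4.1.2 and the background-current subtraction just described, as an added Python example that is not code from the paper: a golden IDDT vs. Fmax trend is fitted by least squares, chips lying above a limit line drawn at a chosen sensitivity are flagged, and detection and false-alarm rates are compared with and without subtracting each chip's no-activity current. The process-variation model, its constants and every chip value are constructed assumptions, not the paper's measurements.

```python
"""Limit-line classification of chips in the IDDT vs. Fmax space.

Added illustration, not code from the paper. The golden trend is a
least-squares line of IDDT against Fmax over chips known to be golden, and a
chip is flagged when its IDDT lies above that trend by more than the chosen
sensitivity (the 2% limit line of Section 4.1.2). A per-chip background
(no-activity) current can be subtracted first, as in Section 4.2.2, which
removes the non-linear leakage component from the trend. All chip data come
from a constructed toy process-variation model, not from measurements."""
import math
import random


def fit_trend(points):
    """Least-squares line iddt = slope * fmax + intercept over (fmax, iddt)."""
    n = len(points)
    mean_f = sum(f for f, _ in points) / n
    mean_i = sum(i for _, i in points) / n
    sxx = sum((f - mean_f) ** 2 for f, _ in points)
    sxy = sum((f - mean_f) * (i - mean_i) for f, i in points)
    slope = sxy / sxx
    return slope, mean_i - slope * mean_f


def deviation(point, trend):
    """Relative excess of measured IDDT over the trend-line prediction."""
    slope, intercept = trend
    fmax, iddt = point
    expected = slope * fmax + intercept
    return (iddt - expected) / expected


def is_flagged(point, trend, sensitivity):
    """True when the chip lies above the limit line drawn `sensitivity` above the trend."""
    return deviation(point, trend) > sensitivity


def evaluate(golden, tampered, sensitivity):
    """Fit the trend on golden chips; return (detection rate, false-alarm rate)."""
    trend = fit_trend(golden)
    detected = sum(is_flagged(p, trend, sensitivity) for p in tampered)
    alarms = sum(is_flagged(p, trend, sensitivity) for p in golden)
    return detected / len(tampered), alarms / len(golden)


def simulate_population(n, trojan_current_ma, seed=7):
    """Constructed model: each die gets a threshold-voltage deviation; a lower
    Vth raises Fmax and switching current linearly but leakage exponentially.
    Each chip records the measured average current ('iddt') and a separately
    measured no-activity current ('background'); tampered chips add a fixed
    Trojan current. Returns (golden chips, tampered chips)."""
    rng = random.Random(seed)
    golden, tampered = [], []
    for _ in range(n):
        v = max(-0.3, min(0.3, rng.gauss(0.0, 0.10)))  # inter-die Vth deviation
        fmax = 200.0 * (1.0 - 0.8 * v)                  # MHz
        switching = 10.0 * (1.0 - 0.5 * v)              # mA, linear in Vth
        leakage = 2.0 * math.exp(-4.0 * v)              # mA, non-linear in Vth
        for chips, extra in ((golden, 0.0), (tampered, trojan_current_ma)):
            noise = rng.gauss(0.0, 0.05)                # measurement noise, mA
            chips.append({"fmax": fmax, "background": leakage,
                          "iddt": switching + leakage + extra + noise})
    return golden, tampered


def as_points(chips, subtract_background):
    """Project chips to (Fmax, IDDT) pairs, optionally removing the background."""
    return [(c["fmax"], c["iddt"] - (c["background"] if subtract_background else 0.0))
            for c in chips]


def compare(n=1000, trojan_current_ma=0.35, sensitivity=0.02):
    """Rates with and without background subtraction, as {mode: (det, fa)}."""
    golden, tampered = simulate_population(n, trojan_current_ma)
    return {
        "raw": evaluate(as_points(golden, False), as_points(tampered, False), sensitivity),
        "background_subtracted": evaluate(as_points(golden, True),
                                          as_points(tampered, True), sensitivity),
    }


if __name__ == "__main__":
    for mode, (detection, false_alarms) in compare().items():
        print(f"{mode}: detection {detection:.1%}, false alarms {false_alarms:.1%}")
```

With the raw average current, the exponential leakage term bends the golden trend and chips at the process extremes cross the 2% limit line as false alarms; subtracting each chip's background current restores the linear trend and the false alarms disappear.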

Fig. 16 shows the variation in Trojan detection sensitivity with Trojans of various sizes and with sets of input test vectors with differing activity levels. It is clear from this graph that the sensitivity of Trojan detection decreases with decrease in Trojan size, and for very small Trojans, we need to use sensitivity improvement techniques to avoid classification errors. The sensitivity of Trojan detection when measuring from individual pins, compared to the sensitivity when measuring the total current, is plotted in Fig. 17. It can be observed that when activating the multiplier, which is spread out over a large part of the FPGA, we do not get much improvement in sensitivity. However, the supply current corresponding to the logic operations shows a clear improvement in sensitivity of ∼1.25X over the overall current sensitivity, for the pin R2 which is closest to the placement of the logic block of the IEU on the FPGA. The sensitivity can be improved further by integrating current sensors into the packaging closer to the pins and by using current integration circuitry to perform the averaging.

Fig. 17. Sensitivity of Trojan detection can be improved by measuring current from multiple supply pins.

5 INTEGRATION WITH LOGIC-TESTING

As shown in Section 4, the sensitivity of Trojan detection with the proposed side-channel approach reduces with Trojan size. Hence, while such an approach can be generally effective for relatively large Trojans (including complex sequential Trojans), it may not detect ultra-small Trojans reliably. On the other hand, logic testing based approaches can detect small Trojans with high confidence. However, it is extremely challenging to detect structurally and functionally complex Trojans using logic testing. This is because a finite set of generated test vectors is usually unable to trigger the Trojans and manifest their malicious effect. As shown in [6], the logic testing approach generally achieves poor Trojan detection coverage for Trojans with more than 8 inputs. However, for side-channel analysis based approaches, it is not essential to activate the entire Trojan circuit: even activating a small part of the Trojan circuit might be sufficient to reliably identify the Trojan effect in supply current. Hence, the proposed methodology can also be integrated with logic-testing based Trojan detection approaches (such as MERO [6]) to provide comprehensive coverage for Trojans of different types and sizes.

The overall coverage can be estimated by a statistical sampling approach, in which a random sample of Trojan instances of a specific size (e.g. 100K) is chosen from the Trojan population. The percentage of Trojans in the sample detected by a given test-set is determined using functional simulation. Trojan detection coverage for a particular test-set is defined as:

\text{Coverage} = \frac{\text{\# of Trojans detected}}{\text{\# of sampled Trojans}} \times 100\% \quad (2)

Fig. 18. Trigger coverage for different values of θ, the rareness of the nodes considered for test generation.

Fig. 19. Trojan coverage improvement due to observable test point insertion (5 and 10).

We analyze the effect of changing the rareness of the nodes in terms of Trojan trigger coverage in Fig. 18. As the value of θ increases beyond 0.2, even the Trojans triggered by non-rare nodes are activated with high probability. Hence, even though the N-detect test generation method focuses on taking the rare nodes to their rare values N times, the Trojans triggered by non-rare nodes will also get activated, resulting in high coverage for all Trojans. One can also use coverage enhancement techniques like test-point insertion to enhance logic-testing based Trojan detection. We can insert low-overhead test points to increase the observability of poorly observable internal circuit nodes by making them primary outputs. To reduce pin overhead, we can multiplex the test points on existing pins. Similarly, controllable test point insertion can be used to improve trigger coverage. In order to observe the effect of observable test points, we performed simulations with 5 and 10 inserted test points (TP). To select the test points, the nodes were ranked in descending order based on the following metric:

M = \frac{f_{in} + f_{out}}{\lvert f_{in} - f_{out} \rvert + 1} \quad (3)

where fin and fout represent the sizes of the fanin and fanout cones of a node, respectively. The metric indicates that nodes closer to the primary inputs/outputs have less chance of getting selected. Fig. 19 shows the effect of test point insertion on the Trojan coverage as compared to a baseline case with no inserted test point, for three sequential (ISCAS’89) benchmark circuits with N = 1000, q = 2 and θ = 0.2 [6]. As observed from this plot, test point insertion helps to improve the Trojan coverage considerably for some circuits and reduces the gap between trigger coverage and Trojan coverage. Design techniques to improve Trojan detection ability have been proposed earlier [15], [18], [25]. Here we show that the integrated side-channel and logic testing approach for Trojan detection can benefit from appropriate low-cost design techniques. Although we show the improvement in the case of logic testing, a similar approach of inserting controllable points can considerably improve Trojan detection sensitivity for side-channel testing approaches by increasing the switching activity inside the gates of possible Trojan circuits. It should be noted that such Design for Security (DfS) approaches come with their own overhead and can only be used in cases where an invasive approach for ensuring trust is tolerated.

TABLE 3
Trojan Coverage for ISCAS-85 Benchmark Circuits

Benchmark   Troj. Cov. (MERO) (%)   Troj. Cov. (total) (%)
c880        48.37                   100.00
c1355       20.00                   100.00
c1908       70.37                   100.00
c2670       31.44                   100.00
c3540       12.50                   100.00
c5315       4.82                    100.00
c6288       36.92                   100.00
c7552       4.52                    99.84
Average     28.62                   99.98

We computed the Trojan detection coverage for different ISCAS-85 benchmark circuits for a population of 100,000 10-input combinational Trojans, using the MERO logic testing algorithm as well as the combined side-channel and MERO approach, as shown in Table 3. We used the sensitivity value derived in Section 3.2 to determine if a Trojan is detected using the side-channel approach. Although the logic testing approach in isolation achieves relatively poor coverage for large Trojans (size ≥ 8 inputs), the total coverage of the integrated approach is 100% for most circuits.

We also analyzed the complementary nature of coverage by the logic testing and side-channel approaches to Trojan detection. Fig. 20 shows the Trojan coverage for the logic testing approach (MERO) and the side-channel approach without any sensitivity improvement techniques applied, as well as the total coverage for the combined approach, for a 32-bit Integer Execution Unit (IEU) for Trojans of different sizes. It can be observed that for larger Trojans with 8 or more inputs, the detection coverage of the MERO approach is much inferior to that of the side-channel based multi-parameter testing. Conversely, small Trojans are easier to trigger and detect using logic testing, but their contribution to the side-channel parameter may be difficult to distinguish. From this analysis, we note that Trojans of different types and sizes can be detected with high confidence by the integrated approach.

Fig. 20. Complementary nature of MERO and side-channel analysis for Trojan detection coverage.

6 CONCLUSION

We have presented a multiple-parameter side-channel analysis approach for hardware Trojan detection that exploits the intrinsic relationship between active-mode current (IDDT) and maximum operating frequency (Fmax) to achieve a high signal-to-noise ratio in the presence of process variations. The approach is scalable with respect to increasing die-to-die and within-die process variations in nanoscale technologies. We have also presented appropriate test vector selection techniques, use of power gating and operand isolation, use of IDDQ as a third parameter and choice of test conditions in the context of improving the detection sensitivity. The approach is validated using both simulation as well as hardware measurements using 120nm FPGA chips. We show that the proposed approach can detect complex sequential Trojans with high confidence in the presence of large process variations. For ultra-small Trojans, the proposed approach may suffer from reduced sensitivity, whereas logic testing can be more effective. Hence, the proposed approach can be integrated with a complementary logic testing approach for reliable detection of Trojans of all forms and sizes. Finally, the approach can also be combined with design for security approaches to improve test time and Trojan detection coverage.


IEEE TRANSACTIONS ON COMPUTERS. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.


Seetharam Narasimhan (S'07) received his B.E. (Hons.) from Jadavpur University, Kolkata, India in 2006 and is a PhD candidate in Computer Engineering at Case Western Reserve University, OH, USA.

He served as a summer intern at Broadcom Corp., Tempe, AZ, USA in 2010. His current research interests include the algorithm-architecture-circuit co-design for bio-implantable neural interface systems and hardware security.

Dongdong Du received his B.E. (Hons.) from Northeastern University, China in 2005 and his M.S. from Case Western Reserve University, Cleveland, OH, USA in 2010.

He is currently working as a Quality Assurance Technical Specialist at Hyland Software, Westlake, OH, USA. His research interests are in hardware Trojan detection.

Rajat Subhra Chakraborty received his Ph.D. degree in Computer Engineering from Case Western Reserve University (Cleveland, Ohio, USA) in 2010 and a B.E. (Hons.) degree in Electronics and Telecommunication Engineering from Jadavpur University in 2005.

He is an Assistant Professor in the Computer Science and Engineering Department of IIT Kharagpur. From 2005-2006, he worked as a CAD Software Engineer at National Semiconductor in Bangalore, and in Fall 2007, he was a co-op at Advanced Micro Devices (AMD) in Sunnyvale, California. As a graduate student, he has received multiple student awards from IEEE and ACM, and an annual award for academic excellence from Case Western Reserve University in 2009. Part of his Ph.D. research work has been the subject of a U.S. patent filed by Case Western Reserve University in 2009. His research interests include hardware security, including design methodology for hardware IP/IC protection, hardware Trojan detection/prevention through design and testing, attacks on hardware implementations of cryptographic algorithms, and reversible watermarking for digital content protection.

Somnath Paul (S'07, M'12) received the B.E. degree in Electronics and Telecommunication Engineering from Jadavpur University, Kolkata, India, in 2005. He received his Ph.D. degree in Computer Engineering from Case Western Reserve University, Cleveland, OH, in 2011.

He was a Design Engineer with Advanced Micro Devices, Bangalore, India. He has also held internship positions at Intel and Qualcomm. He is currently working in the SoC Design Lab as part of Integrated Platforms Research at Intel Corp, Hillsboro, OR, USA. His research interests include the development of novel hardware frameworks for reconfigurable architectures and hardware/software co-design for yield improvement in nanoscale technologies.

Francis G. Wolff received his Ph.D. in Computer Engineering & Science at Case Western Reserve University. He received both his Masters and undergraduate (Summa Cum Laude) degrees in Computer & Information Science with Electrical Engineering at Cleveland State University, Ohio.

He has worked in industry in both embedded hardware technology design and software programming, at companies such as Rockwell International and Pro-Data Corporation. He has been a visiting professor for courses such as programming cell phones, object-oriented programming, VLSI & FPGA chip design and embedded systems. He is currently Visiting Associate Professor at Case Western Reserve University doing research in various technology areas: Function Specification to RTL validation, hardware Trojans and security, DSP and reconfigurable architectures.

Christos A. Papachristou (M'72, SM'83) received the Ph.D. degree in Electrical Engineering and Computer Science from the Johns Hopkins University, Baltimore, MD.

He is currently a Professor with the Department of Electrical Engineering and Computer Science, Case Western Reserve University, Cleveland, OH. His research interests include design automation and design for testability of VLSI systems, microarchitecture design and validation, and high performance architecture and parallel processing.

Kaushik Roy (SM'95, F'01) received the B.Tech. degree in Electronics and Electrical Communications Engineering from the Indian Institute of Technology, Kharagpur, India, and the PhD degree from the Electrical and Computer Engineering Department at the University of Illinois at Urbana-Champaign in 1990.

He was with the Semiconductor Process and Design Center, Texas Instruments, Dallas, where he worked on FPGA architecture development and low-power circuit design. He is currently a professor and holds the Roscoe H. George Chair in Electrical and Computer Engineering at Purdue University, West Lafayette, Indiana. He is the chief technical advisor of Zenasis Inc. and was a research visionary board member of Motorola Laboratories in 2002. His research interests include VLSI design/CAD for nanoscale silicon and nonsilicon technologies, low-power electronics for portable computing and wireless communications, VLSI testing and verification, and reconfigurable computing.

Swarup Bhunia (M'05, SM'09) received his B.E. (Hons.) from Jadavpur University, Kolkata, India, and M.Tech. from the Indian Institute of Technology (IIT), Kharagpur. He received his Ph.D. from Purdue University, IN, USA, in 2005.

Currently, he is an associate professor of Electrical Engineering and Computer Science at Case Western Reserve University, Cleveland, OH, USA. His research interests are in the areas of VLSI design, CAD and test techniques. He has worked in the semiconductor industry on RTL synthesis, verification, and low power design for about three years.
