Golden-Free Hardware Trojan Detection with High Sensitivity Under Process Noise

Abstract

Malicious modification of integrated circuits in untrusted design house or foundry has emerged as a major security threat. Such modifications, popularly referred to as Hardware Trojans, are difficult to detect during manufacturing test. Sequential hardware Trojans, usually triggered by a sequence of rare events, represent a common and deadly form of Trojans that can be extremely hard to detect using logic testing approaches. Side-channel analysis has emerged as an effective approach for detection of hardware Trojans. However, existing side-channel approaches suffer from increasing process variations, which largely reduce the detection sensitivity and sets a lower limit of the sizes of Trojans detectable. In this paper, we present TeSR, a Temporal Self-Referencing approach that compares the current signature of a chip at two different time windows to isolate the Trojan effect. Since it uses a chip as a reference to itself, the method completely eliminates the effect of process noise and other design marginalities (e.g. capacitive coupling), thus providing high detection sensitivity for Trojans of varying size. Furthermore, unlike most of the existing approaches, TeSR does not require a golden reference chip instance, which may impose a major limitation. Associated test generation, test application, and signature comparison approaches aimed at maximizing Trojan detection sensitivity are also presented. Simulation results for three complex sequential designs and three representative sequential Trojan circuits demonstrate the effectiveness of the approach under large inter- and intra-die process variations. The approach is also validated with current measurement results from several Xilinx Virtex-II FPGA chips.

Appendices

Appendix A: Reachability Analysis

Algorithm 2 elaborates the reachability analysis, which is based on breadth-first traversal. S ₀ is the root state under consideration. G is the FSM state transition graph (STG) in adjacency-list representation, in which each edge (corresponding to one state transition) has an associated property indicating the set of input vectors that can trigger this transition v(S ₁, S ₂). The reason of using adjacency-list instead of adjacency-matrix representation is that most FSM STGs are sparse graphs, and adjacency-list representation can also favor the image computation of each state. R e a c h e d stands for the set of states reachable from S ₀, which is the goal of the entire calculation. F r o n t i e r represents the current frontier states as the breadth-first traversal proceeds. Function I m g(S _i , G) calculates the states that are reachable by S _i in one step, and is defined as follows, where S is the set of states in G, and E ⊆ S × S is the set of edges in G:

$$ Img(S_{i},G)=\{S^{\prime}\in S\mid (S_{i},S^{\prime})\in E\} $$

(4)

In fact, the image computation can be easily realized by looking into the adjacency-list of the root state, as all the directly reachable states are stored in the same list. As implied by the name, breadth-first traversal expands the search uniformly across the frontier, during which the input vector set dictated by the transition function property v(S ₁, S ₂) is appended to that of the previous path, and the sequence of input vector sets is associated to each newly identified reachable state as property S _j ⋅I. The iterative process is continued until no new states beyond R e a c h e d are experienced, namely F r o n t i e r is empty.

Appendix B: Proof of the Impracticality of Low Overhead Correlated Trojan

Definition 1

A state machine F _o could be expressed as: F _o = { S _o :S _o is the set of states, T _o :T _o is the set of transition paths}

Definition 2

Function P determines the consumed power during kth clock cycle (or transition) by F _o during a given test trial due to a transition from state S _{o, i} and S _{o, j} over the path T _{o, k} .

$$Power_{o,k}=P \left( S_{o,i} \xrightarrow {T_{o,k}} S_{o,j}\right) $$

TeSR checks if for the same T _{o, k} , P o w e r _{o, k} is equal in different test trials (i.e. for trial n and n+1, P o w e r _{o, k, n} = P o w e r _{o, k, n+1}).

Definition 3

Function C determines the clock cycles required to move F _o from state S _{o, i} to S _{o, j} .

$$Clock_{o,k}=C\left( S_{o,i} \rightarrow S_{o,j}\right) $$

Definition 4

S _{i n} : Initial states in F _o from which MERO patterns are being applied.

Definition 5

S _{r e} : Re-initializing states in F _o from which S _{i n} is reached back to initiate the next test trial.

Theorem 1

A TeSR undetectable state machine F _e that is a correlated version of F _o exists if and only if |T _e |≥|T _o |∨|S _e |≥|S _o |

Proof

If |T _e | < |T _o |, assume T _o − T _e = T _x .

To make F _e undetectable: S _{o, i n} ∈ |S _e | and S _{o, r e} ∈ |S _e |.

If T _x ∈ (S _{o, i n} → S _{o, r e} ), then after F _o and F _e are traversed through path S _{o, i n} → S _{o, r e} simultaneously for n trials:

$$Clock_{o,k,n} \neq Clock_{e,k,n}. $$

Therefore, we can assume that after C l o c k _{o, k} , during the same test trial:

$$Current\_State(F_{o})_{n}=S_{o,re} \neq Current\_State(F_{e})_{n}. $$

Consequently, after C l o c k _{o, k} in two different test trials:

$$Current\_State(F_{o})_{n} = Current\_State(F_{o})_{n+1}. $$

$$Current\_State(F_{e})_{n} \neq Current\_State(F_{e})_{n+1}. $$

Therefore, P o w e r _{e, k, n} ≠P o w e r _{e, k, n+1}.

Furthermore, if |S _e |<|S _o |, assume S _o − S _e = S _x .

Since for any S _x , corresponding T _x (s) exists: it can be stated that: P o w e r _{e, k, n} ≠P o w e r _{e, k, n+1}.

Therefore we have established that if |T _e |<|T _o |∨|S _e |<|S _o |, state machine F _e would be detected by TeSR. □