Ring Oscillators and Hardware Trojan Detection

  • Paris Kitsos
  • Nicolas Sklavos
  • Artemios G. Voyiatzis


Hardware Trojan horses are a realistic threat in the modern IC supply chain. Once the associated risk is considered, appropriate defense mechanisms must be designed and employed at the various stages in order to detect such hardware malware. We propose two novel uses of ring oscillators, one as an attack vector against hardware implementations of true random number generators and one as an on-chip detection method for Trojans. We show that transient-effect ring oscillators (TERO) of appropriate length are very sensitive even to small modifications of the monitored circuit and can be a viable alternative to detection based on conventional ring oscillators. Finally, we discuss an outlook on the future of hardware Trojan defenses.


Trojan Horse; Ring Oscillator; Cryptographic Algorithm; Physically Uncloneable Function; Reset Signal
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was supported in part by the EU COST Action IC1204 Trustworthy Manufacturing and Utilization of Secure Devices (TRUDEVICE), the GSRT Action “KRIPIS” with national (Greece) and EU funds, in the context of the research project “ISRTDI” while P. Kitsos and A.G. Voyiatzis were with the Industrial Systems Institute of the “Athena” Research and Innovation Center in ICT and Knowledge Technologies, and the COMET K1 program by the Austrian Research Promotion Agency (FFG), while A.G. Voyiatzis was with SBA Research.



Copyright information

© Springer International Publishing Switzerland 2017

Authors and Affiliations

  • Paris Kitsos (1)
  • Nicolas Sklavos (2)
  • Artemios G. Voyiatzis (3)

  1. Computer and Informatics Engineering Department, TEI of Western Greece, Antirio, Greece
  2. Computer Engineering and Informatics Department, University of Patras, Patras, Greece
  3. SBA Research, Vienna, Austria
