10 1109@iceeot 2016 7755650

This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2575039, IEEE Access
JOURNAL OF LATEX CLASS FILES, VOL. 13, NO. 9, AUGUST 2015 1
A New Characterization of Hardware Trojans

Samer Moein, Member, IEEE, T. Aaron Gulliver, Senior Member, IEEE, Fayez Gebali, Life Senior Member, IEEE,
and Abdulrahman Alkandari
AbstractThis paper examines hardware trojan threats to Client-Contractor Contractor

semiconductor chips, which is particularly important for chips Specification Phase:
intended for vital infrastructure and critical applications. The Design Phase:
phases of the chip production life-cycle are considered in terms * Interface & parameter
* IP
of the opportunities for trojan insertion. Trojans are examined definition
* CAD tools
based on eight attribute categories. A matrix identifying the * Design attributes
* Libraries
relationships between these attributes is defined. This matrix is * Packaging selection
* Design abstraction
used to characterize hardware trojans from both the attacker and * Test strategy
defender perspectives. Two case studies are given to illustrate the
usefulness of the proposed approach.
Client Sub-Contractor
Index TermsHardware trojans, chip life cycle, hardware Fabrication & Production
trojan taxonomy, hardware trojan attributes. Testing & Deployment
Phase:
Phase:
* Chip fabrication
I. I NTRODUCTION * Test
* Masking
* Deployment
* Packaging
I N September 2007, Israeli jets bombed a suspected nuclear

installation in northeastern Syria. Among the mysteries
surrounding this airstrike is the failure of the Syrian radar
* Functionality
* Post production test
systems. It has been suggested that the commercial off-the- Fig. 1: The Integrated Circuit (IC) design life-cycle phases.
shelf microprocessors used in these systems may have been
fabricated with a hardware backdoor which was used to tem-
two categories to the previous taxonomy, the classification is
porarily disable them [1]. There are many documented cases
not related to the chip life-cycle. In [11], a more detailed
of similar incidents which have caused significant government,
classification was developed based on five categories: insertion
industry, and consumer concerns. In response, the Defence
phase, abstraction level, activation mechanism, effect, and
Advanced Research Projects Agency (DARPA) initiated the
location. This classification considers the chip life-cycle and
Trusted Integrated Circuits (TRUST) program to develop tech-
the targeted location, but not the physical characteristics of
niques for trojan detection [1], [2]. This highlights the fact
trojans. The taxonomy in [11] has been used to examine trojans
that hardware designers and researchers must be vigilant to
and identify the corresponding attributes. A comprehensive
the insertion of hardware trojans during all phases of the chip
classification was introduced in [12] which is based on 33
production life-cycle. The characterization of these trojans is
attributes in eight categories as shown in Fig. 2. This includes
the main goal of this paper.
the logic type of a trojan, which plays a major role in pre-
Integrated Circuits (ICs) are becoming increasingly vulner-
dicting the effect of a trojan and thus determining appropriate
able to hardware trojan attacks due to design outsourcing,
detection and mitigation techniques.
overseas fabrication, and increasing reliance on third-party
In this paper, a new methodology is presented to study
Intellectual Property (IP). In addition, hardware attacks can
hardware trojan attributes and their relationships. The clas-
originate from the use of unverified design automation tools.
sification in Fig. 2 from [12] is used to illustrate the pro-
Fig. 1 shows the modern IC production life-cycle phases: spec-
posed approach, but it is flexible and can be used with any
ification, design, fabrication (including interfacing, masking,
hardware trojan classification. Further, new attributes based
wafer fabrication and assembly, and packaging), testing and
on technology or chip manufacturing developments can easily
deployment [3][6]. Complete protection of a chip during its
be accommodated. This is important, as with any circuit a
life-cycle is only possible if it is produced by a trusted source.
hardware trojan goes through several production phases as it
Several researchers have proposed taxonomies for hardware
becomes embedded into the target system.
trojans based on their attributes [7][12]. In [7], [8], hard-
The contributions of this paper are as follows:
ware trojans were classified based on two categories: trigger
and payload. These are in fact activation mechanisms for 1) The relationships between the hardware trojan attributes
trojans. In [9], [10], the classification was based on three are defined algebraically based on a comprehensive
categories: physical, activation, and action. Although this adds taxonomy with four levels. These results can be used
to identify unknown attributes and characterize trojans.
S. Moein, T. Gulliver, and F. Gebali are with the Department of Electrical Further, this information can be employed to improve
and Computer Engineering, University of Victoria, Victoria, Canada. chip security during manufacturing, and determine ap-
A. Alkandari is with the Department of Computer, Public Authority for
Applied Education & Training, Kuwait. propriate trojan detection techniques based on vulnerable
Manuscript received August 19, 2015 attributes.
2169-3536 (c) 2016 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See
http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2016.2575039, IEEE Access
Fig. 2: The hardware trojan taxonomy.
2) The trojan life-cycle of a chip is used to determine how represented using an n n matrix defined as
and where a trojan can be inserted into a chip.
3) The proposed approach is flexible and can be used with R1 R12 0 0
any trojan classification or taxonomy. 0 R2 R23 0
R=

0 0 R3 R34

The remainder of this paper is organized as follows. An
algebraic approach to characterizing hardware trojans is given 0 0 0 R4
in Section II. Based on this approach, two case studies are
where n is the number of attributes.
presented in Section III. Finally, Section IV provides some
concluding remarks.
A. Hardware Trojan Matrix
The hardware trojan matrix R has four square submatrices
II. A LGEBRAIC A PPROACH TO H ARDWARE T ROJAN
on the diagonal: R1 , R2 , R3 , and R4 . These matrices
ATTRIBUTES
represent the levels in Fig. 3. The transfer matrices R12 , R23 ,
and R34 represent the connections between the levels. The
In this section, an algebraic approach to hardware trojan characteristics of this matrix are described below.
attributes is presented. Fig. 2 provides a comprehensive clas- 1) Single Element: In matrix R, r(i, j) = 1 indicates that
sification of these attributes. They belong to one of four trojan attribute i can lead to attribute j
levels: chip life-cycle, abstraction, properties, and location, as
shown in Fig. 3. i, j : r(i, j) = 1 attribute(i) attribute(j). (1)
The chip life-cycle level in Fig. 3 is equivalent to the
insertion category in Fig. 2. In this level, the attacker decides By definition r(i, i) = 0.
at which phase of the life-cycle the trojan will be inserted. Ac- 2) Row: In matrix R, r(i, j) = 1 in row i indicates that
cording to this decision, the abstraction of the trojan insertion attribute i can lead to these attributes in column j
is determined. The abstraction category in Fig. 2 is the same
as the abstraction level in Fig. 3. The trojan properties level i : r(i, j) = 1 attribute(i) attribute(j) (2)
contains the properties a trojan may have according to the
chip life-cycle and abstraction levels. The possible location 3) Column: In matrix R, r(i, j) = 1 in column j indicates
for a trojan is based on the chip life-cycle, abstraction, and the attributes that can lead to attribute j
properties levels. Each trojan has a particular combination
of attributes which define its characteristics. These can be j : r(i, j) = 1 attribute(i) attribute(j) (3)
Fig. 3: The four hardware trojan levels.
4) Fan In: The fan in is the number of connections to an represents the trojan chip life-cycle level shown in Fig. 3.
attribute from other attributes. This indicates how many other It also indicates the relationships between attributes in the
attributes can lead to this attribute. The fan in can be expressed insertion phase in Fig. 2. These start with specification (at-
as tribute 1), and end with assembly (attribute 5). For example,
n
X R1 (1, 2) R1 (Specification, Design) = 1 indicates that if
Fin (j) = r(i, j). (4)
there is an incomplete or incorrect specification, it can lead to
i=1
an improper or defective design.
5) Fan Out: The fan out is the number of connections
from an attribute to other attributes. This indicates how many C. Submatrix R2
attributes this attribute can lead to. The fan out can be
expressed as The submatrix R2 given by
Xn
A 6 7 8 9 10 11

Fout (i) = r(i, j). (5) 6 0 1 0 0 0 0
j=i 7 0 0 1 0 0 0
R2 =

8 0 0 0 1 0 0
6) Root Attribute: An attribute with Fin = 0 is called a
9 0 0 0 0 1 0

root attribute. It is an attribute that is not the result of any 10 0 0 0 0 0 1
11 0 0 0 0 0 0
other attribute so that
n
X represents the trojan design level in Fig. 3. It also indicates the
Fin (j) = r(i, j) = 0. (6) relationships between the attributes in the abstraction level in
i=1 Fig. 2. The abstraction level has six sublevels beginning with
7) Terminal Attribute: A terminal attribute is an attribute system (attribute 6) and ending with physical (attribute 11).
with Fout = 0. It is the location of a trojan inserted in a A modification in a sublevel can propagate to the following
system. It does not lead to any attributes so that sublevels. For example, R2 (6, 7) R2 (System, RTL) = 1
indicates that if there is an alteration to the interconnections,
n
X hardware modules, or communication protocols, it can lead
Fout (i) = r(i, j) = 0. (7) to the RTL signals, registers, or boolean functions being
j=i
compromised.
8) Intermediate Attribute: An intermediate attribute has
Fin 6= 0 and Fout 6= 0. Thus, it is an attribute that can D. Submatrix R12
be a consequence of other attributes, and also lead to other The submatrix R12 given by
attributes. A 6 7 8 9 10 11
1 1 0 0 0 0 0
B. Submatrix R1 R12 = 23 00 10 00 00 00 01

The submatrix R1 given by 4 1 0 0 1 0 0
A 1 2 3 4 5 5 1 0 0 0 0 0
1 0 1 0 0 0 describes the connections between R1 and R2 , and thus the

R1 = 23 00 00 10 01 00 relationships between the insertion attributes and the abstrac-

tion attributes. For example, R12 (2, 7) R12 (Design, RTL)
4 0 0 0 0 1
5 0 0 0 0 0 = 1 indicates that if there is an attempt to insert a trojan in
the design level, a modification of the RTL can be used to TABLE I: Matrix R23 Attributes Fan In and Fan Out
accommodate the alteration.
Attribute Fin Fout Attribute Fin Fout
It is clear that development environment (attribute 8) and 6 - 6 18 6 -
transistor (attribute 10) are not directly connected to the 7 - 10 19 3 -
insertion phase, but both are indirectly connected through 8 - 14 20 6 -
paths in R. The system level (attribute 6) has the highest fan in 9 - 8 21 3 -
10 - 9 22 3 -
as it is connected to specification (attribute 1), testing (attribute 11 - 12 23 3 -
4), and assembly (attribute 5) from the insertion category. 12 6 - 24 4 -
13 2 - 25 2 -
14 2 - 26 3 -
E. Submatrix R3 15 4 - 27 3 -
16 3 - 28 2 -
Submatrix R3 given by
17 4 - - - -

A 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
12 0 0 0 0 1 1 1 0 1 1 1 1 1 1 1 1 1
13 0 0 0 0 0 1 0 1 1 0 1 0 1 0 1 1 1

14 0 0 0 0 0 0 0 1 1 0 0 0 1 0 1 1 1

15
16
0 0 0 0 1 1 1 0 1 1 1 1 1 1 1 1 1
1 0 0 1 0 0 1 0 0 1 1 1 0 1 1 1 1

R23 (7, 24) R23 (RTL, Small) = 1, gives the trojan property

17 1 1 0 1 0 0 1 0 1 1 1 1 1 1 1 1 1 attributes that may occur as a result of a trojan being inserted
18 1 0 0 1 1 1 0 0 1 1 1 1 1 1 1 1 1

19 0 1 1 0 0 0 0 0 1 0 0 0 1 0 1 0 1
in the RTL abstraction level.
R3 = 20 1 1 1 1 0 1 1 1 0 0 0 1 1 1 1 1 1

21 1 0 0 1 1 1 1 0 0 0 0 1 1 0 1 1 1

3) Column Example: For column = 14,

22 1 1 0 1 1 1 1 0 0 0 0 0 1 0 1 1 0 R23 (i, 14) R23 (i, Reduce Reliability) = 1:
23 1 0 0 1 1 1 1 0 1 1 0 0 0 1 1 1 1

24 1 1 1 1 0 1 1 1 1 1 1 0 0 0 1 1 0

R23 (10, 14) R23 (Transistor, Reduce Reliability), and
25 1 0 0 1 1 1 1 0 1 0 0 1 0 0 1 1 0

26 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1

R23 (11, 14) R23 (Physical, Reduce Reliability) = 1 indi-
27 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 0 0 cates that if a trojan reduces the reliability of a chip, it may
28 1 1 1 1 1 1 1 1 1 1 0 1 0 0 1 0 0
be because of a modification in the transistor and/or physical
represents the properties of a trojan given in Fig. 3 and con- abstraction levels.
tains attributes 12 to 28. It indicates the relationships between 4) Fan In and Fan Out Examples: Table I shows the fan
the effect, logic type, functionality, activation, and physical in and fan out for each attribute in R23 . The maximum fan
layout attributes. For example, R3 (14, 19) R3 (Reduced out is 14 for development environment (attribute 8). Thus if
Reliability, Parametric) = 1 indicates that if a trojan reduces a CAD tool is exploited by an attacker, there can be many
chip reliability (i.e. quicker battery drain), it can lead to chip vulnerabilities. The maximum fan in is 6 for change
changes in the power consumption, and thermal and delay functionality, functional, and always on (attributes 12, 18, and
profiles. 20, respectively). This means that many trojans will have these
attributes.
F. Submatrix R23
Submatrix R23 given by
A 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
G. Submatrix R34
6 1 1 0 1 0 0 1 1 1 0 0 0 0 0 0 0 0
7 1 0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0 Submatrix R34 given by
R23 = 8 1 0 0 1 1 1 1 0 1 1 1 1 1 1 1 1 1
9 1 0 0 1 1 1 1 0 1 1 1 0 0 0 0 0 0

10 1 0 1 0 0 1 1 1 1 0 0 0 1 0 1 1 0 A 29 30 31 32 33
11 1 1 1 0 0 0 1 1 1 0 0 1 1 1 1 1 1 12 1 1 1 1 1
13 1 1 1 1 1

is the transfer matrix that describes the connections between
14 1 1 1 1 1

15 1 0 1 1 1
R2 and R3 . Thus it indicates the connections between the

16 1 1 1 1 1
17 1 1 1 1 1
abstraction attributes and the trojan property attributes.

18 1 1 1 1 1

1) Single Element Example: R23 (7, 12) R23 (RTL,
19 0 0 1 1 1

R34 = 20 1 1 1 1 1

Change Function) = 1 indicates that if a trojan has been

21 1 1 1 1 1
22 1 1 1 1 1
inserted in the RTL abstraction level, which changes the

23 1 1 0 0 0

function description, it can also change the function behaviour.
24 1 1 1 1 1

25 1 1 1 1 1
2) Row Example: For row = 7,

26 1 1 1 1 1
27 1 1 1 1 1
R23 (7, j) R23 (RTL, j) = 1: 28 1 1 1 1 1
R23 (7, 12) R23 (RTL, Change Function),
R23 (7, 15) R23 (RTL, Denial of Service), describes the connections between R3 and R3 . Thus it in-
R23 (7, 16) R23 (RTL, Sequential), dicates the connections between the trojan properties and the
R23 (7, 17) R23 (RTL, Combinational), hardware locations. For example, R34 (15, 29) R34 (Denial
R23 (7, 18) R23 (RTL, Functional), of Service, Processor) = 1 indicates that if a denial of service
R23 (7, 20) R23 (RTL, Always On), trojan has been inserted, it may be located in the processor
R23 (7, 21) R23 (RTL, Internally Triggered), to prevent the chip from executing properly. It is clear from
R23 (7, 22) R23 (RTL, Externally Triggered), this matrix that all locations are almost equally vulnerable to
R23 (7, 23) R23 (RTL, Big), and trojans.
H. Matrix R I. Paths
Matrix R represents the complete set of attributes in Fig. 2, A path in R is a sequence of attributes that lead to other
and the hardware trojan levels in Fig. 3. The characteristics attributes (via rows) or are the result of other attributes (via
of a trojan can be inferred from the paths in R. Note that columns). The paths visually show the attribute relationships
an empty submatrix indicates that all entries are zero. For and the connections between the levels in Fig. 3 that charac-
example, R4 = 0 since the location attributes are terminal terize a trojan. They will be used in the next section to obtain
attributes and are not interconnected. directed graph representations of two hardware trojans.
1) Single Element Example: R(17, 29)
R(Combinational, Processor) = 1 indicates that if there III. C ASE S TUDIES
is a trojan inserted in a processor, it may be a combinational In this section, two case studies of hardware trojan char-
circuit. acterization are presented based on the methodology in the
2) Row Example: For row = 6, previous section.
R(6, j) R(System, j) = 1:
R(6, 7) R(System, RTL), A. Combinational Trojan
R(6, 12) R(System, Change Function),
Assume that an attacker works as a design engineer in a
R(6, 13) R(System, Leak Information),
chip manufacturing facility. He uses the trojan shown in Fig. 4
R(6, 15) R(System, Denial of Service),
to change the functionality of a chip when a particular event
R(6, 18) R(System, Functional),
occurs. This is a combinational logic triggered trojan where
R(6, 19) R(System, Parametric), and
A = B = 0 causes the output C to have an incorrect value (C
R(6, 20) R(System, Always On) = 1, which implies that
modified). This circuit reflects an attacker inserting a trojan
if a trojan is introduced at the system abstraction level, it
based on a rare event which is unlikely to be detected during
may lead to a combination of RTL, changed function, leaked
the testing phase. From the figure, the trojan characteristics are
information, denial of service, functional, parametric, and
change in functionality, combinational, functional, internally
always on.
triggered, small, clustered, and augmented (attributes 12, 17,
3) Column Example: For column = 6, 18, 21, 24, 26, and 27 in R3 ). Examining the corresponding
R(i, 6) R(i, System) = 1: columns in R23 , these attributes are all directly connected
R(1, 6) R(Specification, System), to the development environment in the abstraction category
R(4, 6) R(Testing, System), and (attribute 8).
R(5, 6) R(Assembly, System) = 1, which implies that if
a trojan is inserted at the system abstraction level, it may be
because of an incomplete or modified specification, control of
the testing to evade trojan detection, and/or modification in
the assembly phase.
4) Root Attribute Example: From (6), specification is a root
attribute of any trojan as it is at the start of the chip life-cycle.
Thus it does not depend on any other attributes.
5) Terminal Attribute Example: From (7), the location Fig. 4: A combinational logic triggered trojan
attributes are terminal attributes since they do not lead to other
attributes. From R12 , there is no direct connection between attribute
6) Fan In and Fan Out Examples: Table II shows the fan 8 and an attribute in the insertion category (attributes 1 to 5).
in and fan out for the attributes in R. The maximum fan in of However, R2 provides a connection between the development
19 occurs for functional, always on, and augmented (attributes environment (attribute 8) and RTL (attribute 7). Then attribute
18, 20, and 26, respectively). Thus, these three attributes occur 7 is connected to design (attribute 2) and system (attribute
most frequently due to other attributes. Adding an inverter gate 6), and attribute 6 is connected to specification, testing, and
to a chip to insert a trojan is a simple example which combines assembly (attributes 1, 4, and 5). In addition, R1 provides
all of these attributes. The maximum fan out of 21 occurs connections between the attributes in the insertion category.
only for augmented (attribute 26). Thus, this attribute most Matrix R1 shows all candidate paths that characterize this
frequently leads to other attributes. Table II also gives the sums trojan. In R1, the light blue colour shows the row connections,
of the fan in and fan out for the attributes in R. These values the light red colour shows the column connections, and the
reflect the connectivity of an attribute with other attributes. A direct attribute connections are shown in green.
critical attribute is an attribute with the highest sum, since it Assume that attributes 12, 17, 18, 21, 24, 26, and 27 have
has the greatest number of connections with other attributes. been identified for the trojan. These attributes all lie in R3 .
For the analysis presented here, augmented (attribute 26) is the Moving forward (increasing attribute numbers), the expected
critical attribute. Thus inserting a trojan without modifying the trojan locations can be identified, and moving backward
chip layout makes detecting it a very difficult task. Note that (decreasing attribute numbers), the suspect attributes in the
R is flexible and can be updated to accommodate different insertion and abstraction phases can be identified. It is clear
taxonomies or changes in the relationships between attributes. that the attributes in rows 12, 17, 18, 21, 24, 26, and 27 can

A 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
1 0 1 0 0 0 1 0 0 0 0 0
2 0 0 1 0 0 0 1 0 0 0 0

3 0 0 0 1 0 0 0 0 0 0 1
4 0 0 0 0 1 1 0 0 1 0 0
5 0 0 0 0 0 1 0 0 0 0 0

6 0 1 0 0 0 0 1 1 0 1 0 0 1 1 1 0 0 0 0 0 0 0 0
7 0 0 1 0 0 0 1 0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0
8 0 0 0 1 0 0 1 0 0 1 1 1 1 0 1 1 1 1 1 1 1 1 1
9 0 0 0 0 1 0 1 0 0 1 1 1 1 0 1 1 1 0 0 0 0 0 0

10 0 0 0 0 0 1 1 0 1 0 0 1 1 1 1 0 0 0 1 0 1 1 0
11 0 0 0 0 0 0 1 1 1 0 0 0 1 1 1 0 0 1 1 1 1 1 1
12 0 0 0 0 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1

13 0 0 0 0 0 1 0 1 1 0 1 0 1 0 1 1 1 1 1 1 1 1

14 0 0 0 0 0 0 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 1
15 0 0 0 0 1 1 1 0 1 1 1 1 1 1 1 1 1 1 0 1 1 1
R= 16 1 0 0 1 0 0 1 0 0 1 1 1 0 1 1 1 1 1 1 1 1 1

17 1 1 0 1 0 0 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1

18 1 0 0 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1
19 0 1 1 0 0 0 0 0 1 0 0 0 1 0 1 0 1 0 0 1 1 1
20 1 1 1 1 0 1 1 1 0 0 0 1 1 1 1 1 1 1 1 1 1 1
21 1 0 0 1 1 1 1 0 0 0 0 1 1 0 1 1 1 1 1 1 1 1

22 1 1 0 1 1 1 1 0 0 0 0 0 1 0 1 1 0 1 1 1 1 1
23 1 0 0 1 1 1 1 0 1 1 0 0 0 1 1 1 1 1 1 0 0 0
24 1 1 1 1 0 1 1 1 1 1 1 0 0 0 1 1 0 1 1 1 1 1
25 1 0 0 1 1 1 1 0 1 0 0 1 0 0 1 1 0 1 1 1 1 1

26 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1
27 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 0 0 1 1 1 1 1
28 1 1 1 1 1 1 1 1 1 1 0 1 0 0 1 0 0 1 1 1 1 1

29
30
31
32
33
TABLE II: The Fan In and Fan Out for the Attributes in R
Attribute Fin Fout Fin + Fout Attribute Fin Fout Fin + Fout Attribute Fin Fout Fin + Fout
1 0 3 3 12 18 17 35 23 14 13 27
2 1 2 3 13 10 13 23 24 16 17 33
3 1 2 3 14 8 11 19 25 11 14 25
4 1 3 4 15 16 16 32 26 19 21 40
5 1 1 2 16 13 15 28 27 17 19 36
6 3 7 10 17 17 18 35 28 14 17 31
7 2 11 13 18 19 18 37 29 16 0 16
8 1 15 16 19 9 9 18 30 15 0 15
9 2 9 11 20 19 18 37 31 16 0 16
10 1 10 11 21 13 15 28 32 16 0 16
11 2 12 14 22 12 14 26 33 16 0 16
lead to all trojan locations (columns 29, 30, 31, 32, and 33). s s s s s
In R1, attributes 12, 17, 18, 21, 24, 26, and 27 all have value 1 2 3 4 5 6 7 8
1 in row 8 only. Thus, a trojan with these seven attributes
can be inserted using attribute 8 (development environment)
in the abstraction phase. R12 can then be used to reach the 12
32 29 26 17
life-cycle phase. R1 provides the complete paths from the
31 27
insertion phase to the location phase for this trojan. These 33 30 24 18
paths are represented by the directed graph in Fig. 5, which 21
provides a complete characterization of the hardware trojan in Fully-Connected
Terminal Nodes
Fig. 4. In this figure, S indicates a possible trojan insertion Subgraph
point.
Fig. 5: A directed graph characterization of the hardware
An attacker will choose a particular point in the chip life- trojan in Fig. 4.
cycle for insertion. Assuming the design phase is selected,
the graph shown in Fig. 6 represents the inserted trojan.
Conversely, a defender has no information about the attacker
decisions, so it is necessary to consider all paths in Fig. 5. defender has now discovered the suspect attributes (attributes
However, if the specification and assembly phases are trusted, 2, 7, and 8). A hardware trojan detection technique is required
the graph in Fig. 5 will reduce to the graph in Fig. 7. Then to check chips based on these attributes. Techniques such
if a defender is able to verify that attribute 6 is not a trojan as those in [13][15] can be used to detect a trojan with a
characteristic, the trojan in Fig. 6 is identified exactly. The combination of these attributes. If the trojan is detected, the
defender should designate this design facility as untrusted. uses four bits, X1 to X4 , to encode them. Since F (X) = X 2 ,
the largest function output is 81, so seven bits are required,
12
Z1 to Z7 . The resulting circuit is shown in Fig. 8a. Testing
s 26 17 using these ten input values shows that the outputs are correct
2 7 8 27 29 and so the circuit functions properly.
24 18
21
Fully-Connected
Subgraph
Fig. 6: The trojan graph assuming it is inserted in the design

phase.
s s s
2 3 4 6 7 8
12 (a) Trojan free circuit

32 29 26 17
31 27
33 30 24 18
21
Terminal Nodes Fully-Connected
Subgraph
Fig. 7: The defender graph assuming the trojan is inserted

during the chip life cycle.
B. Backdoor Trojan
(b) Circuit with a backdoor trojan
Consider a chip manufacturer that designs a circuit to
compute a function F (X) for a system to authenticate user- Fig. 8: The circuits with and without the trojan.
password pairs X and F (X). The design specifies ten users I0
to I9 with F (X) = X 2 . Since there are ten users, the designer With four bits, there are 16 input combinations, but in this

A 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
1 0 1 0 0 0 1 0 0 0 0 0
2 0 0 1 0 0 0 1 0 0 0 0

3 0 0 0 1 0 0 0 0 0 0 1
4 0 0 0 0 1 1 0 0 1 0 0
5 0 0 0 0 0 1 0 0 0 0 0

6 0 1 0 0 0 0 1 1 0 1 0 0 1 1 1 0 0 0 0 0 0 0 0
7 0 0 1 0 0 0 1 0 0 1 1 1 1 0 1 1 1 1 1 0 0 0 0
8 0 0 0 1 0 0 1 0 0 1 1 1 1 0 1 1 1 1 1 1 1 1 1
9 0 0 0 0 1 0 1 0 0 1 1 1 1 0 1 1 1 0 0 0 0 0 0

10 0 0 0 0 0 1 1 0 1 0 0 1 1 1 1 0 0 0 1 0 1 1 0
11 0 0 0 0 0 0 1 1 1 0 0 0 1 1 1 0 0 1 1 1 1 1 1
12 0 0 0 0 1 1 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1

13 0 0 0 0 0 1 0 1 1 0 1 0 1 0 1 1 1 1 1 1 1 1

14 0 0 0 0 0 0 0 1 1 0 0 0 1 0 1 1 1 1 1 1 1 1
15 0 0 0 0 1 1 1 0 1 1 1 1 1 1 1 1 1 1 0 1 1 1
R1 = 16 1 0 0 1 0 0 1 0 0 1 1 1 0 1 1 1 1 1 1 1 1 1

17 1 1 0 1 0 0 1 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1

18 1 0 0 1 1 1 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1
19 0 1 1 0 0 0 0 0 1 0 0 0 1 0 1 0 1 0 0 1 1 1
20 1 1 1 1 0 1 1 1 0 0 0 1 1 1 1 1 1 1 1 1 1 1
21 1 0 0 1 1 1 1 0 0 0 0 1 1 0 1 1 1 1 1 1 1 1

22 1 1 0 1 1 1 1 0 0 0 0 0 1 0 1 1 0 1 1 1 1 1
23 1 0 0 1 1 1 1 0 1 1 0 0 0 1 1 1 1 1 1 0 0 0
24 1 1 1 1 0 1 1 1 1 1 1 0 0 0 1 1 0 1 1 1 1 1
25 1 0 0 1 1 1 1 0 1 0 0 1 0 0 1 1 0 1 1 1 1 1

26 1 1 1 1 1 1 1 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1
27 1 1 1 1 1 1 1 0 1 1 1 1 1 1 1 0 0 1 1 1 1 1
28 1 1 1 1 1 1 1 1 1 1 0 1 0 0 1 0 0 1 1 1 1 1

29
30
31
32
33
case the six inputs 10 to 15 are not used so they are dont care cycle for insertion. Assuming the design phase or testing phase
conditions. With this incomplete specification, the designer (attribute 2 or attribute 4) is chosen, the graph shown in
asserts that the circuit performs the function F (X) = X 2 Fig. 10 represents the trojan. Conversely, a defender has no
correctly. If an attacker makes the small modification indicated information about the attacker decisions, so it is necessary to
in Fig. 8b, the output for the ten valid inputs is the same as with check all possible paths in Fig. 9. These provide a defender
the original circuit. However, it also provides two additional with the suspect attributes (attributes 2, 4, 6, 7, and 9), that
correct outputs for inputs 10 and 11. Therefore, the modified can be used by an attacker to insert the trojan. A hardware
circuit contains a backdoor trojan. trojan detection technique is required to check chips based on
Table III shows the outputs from both circuits for all possi- these attributes. Techniques such as those in [16] can be used
ble inputs. With an input of 10, circuit (a) produces 68, which to detect a trojan with any combination of these attributes.
is not the square of 10, while an input of 11 produces 89.
Thus, circuit (a) provides outputs for the dont care conditions s s
which are not correct values for F (X). However, circuit (b) 2 4 6 7 8 9
outputs the correct values of F (X) for inputs 10 and 11, so the
user-password pairs (10, 100) and (11, 121) are valid, which
15 17
confirms that circuit (b) contains a backdoor trojan. It can be
31
used to allow users who do not have permission to access 22 18
the system. Note that both circuits have the same type and
number of gates. The only difference is a wire connection, so Fully-Connected
the layouts are almost identical. Subgraph
Assuming the trojan in Fig. 8b is used to gain control of the
system to create a denial of service attack, the characteristics Fig. 10: The trojan graph assuming it is inserted during the
are denial of service, combinational logic, functional, and design phase or testing phase.
externally triggered (attributes 15, 17, 18, and 22 in R3 ). Ex-
amining the corresponding columns in R23 , this combination
of attributes can occur if the trojan is inserted at the RTL, IV. C ONCLUSION
development environment, or logic type in the abstraction
phase (attributes 7, 8, or 9). As the attack is enabled by an Hardware trojans are a growing concern in modern In-
incomplete specification (attribute 1), the attacker needs to tegrated Circuit (IC) development and production. This is
control testing (attribute 4) so that the trojan is not discovered. particularly true for chips intended for vital infrastructure and
There are two steps an attacker must take, insert the trojan critical applications. This paper considered the attributes of
during the design phase (attribute 2), and control the testing hardware trojans for all phases of the chip life-cycle. Previous
phase (attribute 4) to evade detection during testing. From results in the literature assume that some phases of this life-
R12 , attribute 7 is connected to design (attribute 2) and system cycle can be trusted, while others may be untrusted. The
(attribute 6), and attribute 6 is connected to specification, attributes of hardware trojans were characterized, and a hard-
testing, and assembly (attributes 1, 4, and 5). Logic (attribute ware trojan matrix was developed to show their connections.
9) is directly connected to testing (attribute 4). This trojan This matrix provides many insights into the characteristics
is inserted due to incomplete specification (attribute 1), and of trojans, and thus is a valuable tool for their design and
R1 indicates a connection between design (attribute 2) and detection.
specification (attribute 1). These paths are represented by the
directed graph in Fig. 9, which is a complete characterization
R EFERENCES
of the hardware trojan in Fig. 8b. In this figure, S indicates a
possible trojan insertion point. [1] S. Adee, The hunt for the kill switch, IEEE Spectrum, vol. 45, no. 5,
pp. 3439, May 2008.
[2] Defense Science Board. (2005) Task force on high performance mi-
crochip supply. [online]. Available: http://www.acq.osd.mil/dsb/reports/
s s s s s ADA435563.pdf
1 2 3 4 5 6 7 8 9 [3] B. Sharkey. (2007) TRUST in integrated circuit program -
briefing to industry. [online]. Available: http://cryptocomb.org/
DARPA-TrustinIntegratedCircuitsProgram.pdf
[4] T. Zhou and T. B. Tarim, An efficient and well-controlled IC system
32 29 15 17 development flow: Design approved specification and design guided test
plan, in Proc. IEEE Int. Symp on Circuits and Systems, Kobe, Japan,
33 31 22 18 May 2005, pp. 27752778.
[5] S. Padmanabhan. (2013) Discover a better way to go from C-level to
Terminal Nodes Fully-Connected synthesis for SoC designs. [online]. Available: http://electronicdesign.
Subgraph com/technologies/discover-better-way-go-c-level-synthesis-soc-designs
[6] M. Tehranipoor and F. Koushanfar, A survey of hardware trojan
Fig. 9: A directed graph characterization of the hardware taxonomy and detection, IEEE Des. Test of Comput., vol. 27, no. 1,
pp. 1025, Jan.-Feb. 2010.
trojan in Fig. 8b. [7] S. Bhunia, M. S. Hsiao, M. Banga, and S. Narasimhan, Hardware trojan
attacks: Threat analysis and countermeasures, Proc. IEEE, vol. 102, no.
An attacker will choose a particular point in the chip life- 8, pp.12291247, Aug. 2014.
TABLE III: The Outputs for the Circuits in Fig. 8
Inputs Circuit (a) Circuit (b)

X1 X2 X3 X4 X Z1 Z2 Z3 Z4 Z5 Z6 Z7 F (X) Z1 Z2 Z3 Z4 Z5 Z6 Z7 F (X)
I0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
I1 0 0 0 1 1 0 0 0 0 0 0 1 1 0 0 0 0 0 0 1 1
I2 0 0 1 0 2 0 0 0 0 1 0 0 4 0 0 0 0 1 0 0 4
I3 0 0 1 1 3 0 0 0 1 0 0 1 9 0 0 0 1 0 0 1 9
Inputs
I4 0 1 0 0 4 0 0 1 0 0 0 0 16 0 0 1 0 0 0 0 16
I5 0 1 0 1 5 0 0 1 1 0 0 1 25 0 0 1 1 0 0 1 25
I6 0 1 1 0 6 0 1 0 0 1 0 0 36 0 1 0 0 1 0 0 36
I7 0 1 1 1 7 0 1 1 0 0 0 1 49 0 1 1 0 0 0 1 49
I8 1 0 0 0 8 1 0 0 0 0 0 0 64 1 0 0 0 0 0 0 64
I9 1 0 0 1 9 1 0 1 0 0 0 1 81 1 0 1 0 0 0 1 81
I10 1 0 1 0 10 1 0 0 0 1 0 0 68 1 1 0 0 1 0 0 100
I11 1 0 1 1 11 1 0 1 1 0 0 1 89 1 1 1 1 0 0 1 121
Undefined
I12 1 1 0 0 12 1 1 1 0 0 0 0 112 1 0 1 0 0 0 0 80
I13 1 1 0 1 13 1 1 1 1 0 0 1 121 1 0 1 1 0 0 1 89
I14 1 1 1 0 14 1 1 0 0 1 0 0 100 1 1 0 0 1 0 0 100
I15 1 1 1 1 15 1 1 1 0 0 0 1 113 1 1 1 0 0 0 1 113
[8] F. Wolff, C. Papachristou, S. Bhunia, and R. S. Chakraborty, Towards T. Aaron Gulliver received the Ph.D. degree in
trojan-free trusted ICs: Problem analysis and detection scheme, in Proc. Electrical Engineering from the University of Vic-
Conf. on Design, Automation and Test in Europe, Munich, Germany, toria, Victoria, BC, Canada in 1989. From 1989
Mar. 2008, pp. 13621365. to 1991 he was employed as a Defence Scientist
[9] R. M. Rad, X. Wang, M. Tehranipoor, and J. Plusquellic, Power at Defence Research Establishment Ottawa, Ottawa,
supply signal calibration techniques for improving detection resolution ON, Canada. He has held academic appointments
to hardware trojans, in Proc. IEEE/ACM Int. Conf. on Computer-Aided at Carleton University, Ottawa, ON, Canada and
Design, San Jose, CA, Nov. 2008, pp. 632639. the University of Canterbury, Christchurch, New
[10] X. Wang, M. Tehranipoor, and J. Plusquellic, Detecting malicious Zealand. He joined the University of Victoria in
inclusions in secure hardware: Challenges and solutions, in Proc. IEEE 1999 and is a Professor in the Department of Electri-
Int. Workshop on Hardware-Oriented Security and Trust, Anaheim, CA, cal and Computer Engineering. In 2002, he became
Jun. 2008, pp. 1519. a Fellow of the Engineering Institute of Canada. In 2012, he was elected a
[11] R. Karri, J. Rajendran, K. Rosenfeld, and M. Tehranipoor, Trustworthy Fellow of the Canadian Academy of Engineering. From 2000 to 2003 he was
hardware: Identifying and classifying hardware trojans, IEEE Com- Secretary and a member of the Board of Governors of the IEEE Information
puter, vol. 43, no. 10, pp. 3946, Oct. 2010. Theory Society. He is currently an Area Editor for IEEE T RANSACTIONS
[12] S. Moein, S. Khan, T. A. Gulliver, F. Gebali, and M. W. El-Kharashi, ON W IRELESS C OMMUNICATIONS . His research interests include informa-
An attribute based classification of hardware trojans, in Proc. Int. Conf. tion theory and communication theory, algebraic coding theory, multicarrier
on Computer Eng. and Sys., Cairo, Egypt, Dec. 2015, pp. 351356. systems, smart grid, and security.
[13] Y. Liu, K. Huang, and Y. Makris, Hardware trojan detection
through golden chip-free statistical side-channel fingerprinting, in Proc.
ACM/EDAC/IEEE Design Automation Conf., San Francisco, CA, Jun.
2014, pp. 16.
[14] Y. Liu, Y. Jin, and Y. Makris, Hardware trojans in wireless crypto-
graphic ICs: Silicon demonstration & detection method evaluation, in Fayez Gebali received the B.Sc. degree in Elec-
Proc. IEEE/ACM Int. Conf. on Computer-Aided Design, San Jose, CA, trical Engineering (first class honors) from Cairo
Nov. 2013, pp. 399404. University, the B.Sc. degree in Mathematics (first
[15] X. Mingfu, H. Aiqun, and L. Guyue, Detecting hardware trojan through class honors) from Ain Shams University, and the
heuristic partition and activity driven test pattern generation, in Proc. Ph.D. degree in Electrical Engineering form the
Commun. Security Conf., Beijing, China, May 2014, pp. 16. University of British Columbia where he held an
[16] D. Forte, C. Bao, and A. Srivastava, Temperature tracking: An in- NSERC postgraduate scholarship. Dr. Gebali is a
novative run-time approach for hardware trojan detection, in Proc. Professor in the Department of Electrical and Com-
IEEE/ACM Int. Conf. on Computer-Aided Design, San Jose, CA, Nov. puter Engineering at the University of Victoria, and
2013, pp. 532539. is currently Department Chair. His research inter-
ests include parallel algorithms, networks-on-chip,
three-dimensional integrated circuits, digital communications, and computer
arithmetic.
Samer Moein received the Ph.D. degree in Com-

Abdulrahman Alkandari received the B.Sc. degree
puter Engineering from the University of Victoria,
in Computer Engineering from Kuwait University,
Victoria, BC, Canada, in 2015. Currently, he is a Post
Kuwait in 2004, the M.Sc. degree in Computer En-
Doctoral Fellow in the Department of Electrical and
gineering from Kuwait University, Kuwait in 2011,
Computer Engineering at the University of Victoria.
and the Ph.D. degree in Computer Science from
He received the B.Sc. degree in Computer Engineer-
International Islamic University Malaysia in 2014.
ing from Kuwait University, Kuwait in 2004, and the
Dr. Alkandari is an Assistant Professor in the De-
M.Sc. degree in Computer Engineering from Kuwait
partment of Computer Science, The Public Authority
University, Kuwait in 2011. His research interests
for Applied Education & Training (Basic Education
include computer security, cryptography, and crypto-
College). His research interests include intelligent
processors.
systems, traffic engineering, algorithms, smart phone
applications, IoT, smart cities, and wireless sensor networks.

10 1109@iceeot 2016 7755650

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

10 1109@iceeot 2016 7755650

Transféré par

Droits d'auteur :

Formats disponibles

This article has been accepted for publication in a future issue of this journal, but has not been

JOURNAL OF LATEX CLASS FILES, VOL. 13, NO. 9, AUGUST 2015 1

A New Characterization of Hardware Trojans

AbstractThis paper examines hardware trojan threats to Client-Contractor Contractor

I N September 2007, Israeli jets bombed a suspected nuclear

JOURNAL OF LATEX CLASS FILES, VOL. 13, NO. 9, AUGUST 2015 2

Fig. 2: The hardware trojan taxonomy.

JOURNAL OF LATEX CLASS FILES, VOL. 13, NO. 9, AUGUST 2015 3

Fig. 3: The four hardware trojan levels.

1 0 1 0 0 0 describes the connections between R1 and R2 , and thus the

JOURNAL OF LATEX CLASS FILES, VOL. 13, NO. 9, AUGUST 2015 4

JOURNAL OF LATEX CLASS FILES, VOL. 13, NO. 9, AUGUST 2015 5

JOURNAL OF LATEX CLASS FILES, VOL. 13, NO. 9, AUGUST 2015 6

JOURNAL OF LATEX CLASS FILES, VOL. 13, NO. 9, AUGUST 2015 7

Fig. 6: The trojan graph assuming it is inserted in the design

12 (a) Trojan free circuit

Fig. 7: The defender graph assuming the trojan is inserted

JOURNAL OF LATEX CLASS FILES, VOL. 13, NO. 9, AUGUST 2015 8

JOURNAL OF LATEX CLASS FILES, VOL. 13, NO. 9, AUGUST 2015 9

TABLE III: The Outputs for the Circuits in Fig. 8

Inputs Circuit (a) Circuit (b)

Samer Moein received the Ph.D. degree in Com-

Vous aimerez peut-être aussi