Salman I 2016

This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2016.2613842, IEEE
Transactions on Information Forensics and Security
COTD: REFERENCE-FREE HARDWARE TROJAN DETECTION AND RECOVERY BASED ON

CONTROLLABILITY AND OBSERVABILITY IN GATE-LEVEL NETLIST
Hassan Salmani
ECE Department
Howard University
hassan.salmani@howard.edu
ABSTRACT the side-channel signal analysis and the logic value analysis.
This paper presents a novel hardware Trojan detection technique Majority of work on Trojan detection based on side-channel
in gate-level netlist based on controllability and observability anal- analysis has focused on power and delay side-channel signals
yses. Using an unsupervised clustering analysis, the paper shows [3][4][5][6][7][8][9][10][11][12][13]. Some of main challenges
that the controllability and observability characteristics of Trojan with side-channel Trojan detection techniques are environmental
gates present significant inter-cluster distance from those of gen- and process variations that can mask Trojan contributions into cir-
uine gates in a Trojan-inserted circuit such that Trojan gates are cuit power consumption and delay characteristics. The need for a
easily distinguishable. The proposed technique does not require set of golden circuits as a reference is another important issue. To
any golden model and can be easily integrated into the current improve the effectiveness of side-channel-based detection tech-
integrated circuit design flow. Furthermore, it performs a static nique, some work has recommended design-for-hardware-trust
analysis and does not require any test pattern application for Tro- [14][15].
jan activation either partially or fully. In addition, the timing com-
Besides side-channel based detection techniques mainly ap-
plexity of proposed technique is an order of the number of signals
plied after design fabrication, some work have investigated hard-
in a circuit. Moreover, the proposed technique makes it possible
ware Trojans in early design stages [16][17][18][19][20][21][22].
to fully restore an inserted Trojan and to isolate its trigger and
High-level syntheses for security have been proposed to render
payload circuits. The technique has been applied on various types
a hardware Trojan ineffective [23][24][25][26], and several logic
of Trojans, and all Trojans are successfully detected with 0 false
testing techniques have been introduced to detect hardware Tro-
positive and negative rates in less than 14 seconds in the worst
jans [27][28][29]. Some others have studied the switching ac-
case.
tivity of circuit signals and their correlation to identify a hard-
Index Terms Hardware Security, Hardware Trojans, con- ware Trojan in gate-level netlist [30][31][32][33][34]. Some of
trollability, observability, unsupervised clustering. the main issues with these techniques are none-zero false positive
and false negative rates, significant processing time and their scal-
1. INTRODUCTION ability limitations. Furthermore, it has been shown they can be
defeated, and a carefully designed Trojan can remain undetected
Modern designs like system-on-chips and network-on-chips are
[34][35]. In addition, neither of the techniques are able to de-
equipped with variety of resources such as memory blocks in dif-
tect always-on Trojans such as a ring-oscillator Trojan that is not
ferent sizes and types, interfaces with different characteristics, and
connected to the main circuit, and presents normal switching ac-
several processors and co-processors to realize high performance
tivities, but aims to reduce circuit reliability.
computing systems, often with tight design restrictions in terms
of power and area. The high complexity of modern designs, the While majority of existing techniques mainly generate list of
constraint of time-to-market window, and the cost restriction of fi- suspicious signals, it remains the responsibility of a design house
nal product highly drive the horizontal design process. The third- to still scrutinize the netlist. To be used in practice, a HT detection
party intellectual properties (3PIPs) are widely used in the forms technique should be easily integrable into commercial circuit de-
of soft, firm and hard IPs to expedite the design development pro- sign flows. Furthermore, they should present 0 false positive and
cess. However, using external IPs exposes a design to 3PIPs inten- false negative HT detection rates. In addition, authentication time
tionally modified by inserting a hardware Trojan (HT) to tamper should be small to meet time-to-market constraints.
with the design and causes its malfunction under very rare circum- This paper introduces the Controllability and Observability for
stances [1][2]. hardware Trojan Detection (COTD) technique for hardware Tro-
Hardware Trojans have negligible effects on circuit param- jan detection in gate-level netlist. Controllability reflects the diffi-
eters and rarely become fully activated. While considerable culty of setting a signal line to a required logic value, and observ-
amount of work has been presented on hardware Trojan detec- ability reflects the difficulty of propagating the logic value of the
tion, they can be broadly categorized into two major groups: signal line to observation points. The COTD technique combines
1556-6013 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TIFS.2016.2613842, IEEE
the controllability and observability analyses and an unsupervised and thus regard the circuit to be potentially infected resulting in
machine learning to determine a circuit is Trojan inserted or Tro- false positives.
jan free and to evaluate false positive and false negative rates. The FANCI [33] applies Boolean function analysis to flag suspi-
contributions of the paper are: cious wires in a design which have weak input-to-output depen-
dency. For each input in the combinational logic cone of an output
1. COTD does not need any golden circuit as a reference, wire, a control value (CV), which represents the percentage impact
2. COTD does not need any test pattern application for Trojan of changing an input on the output, is computed. If the mean of all
partial/full activation, the CVs is lower than a threshold, then the resulting output wire
is considered malicious. This is a probabilistic method where the
3. COTD presents 0 false positive and false negative Trojan
threshold is computed with some heuristic to achieve a balance
detection rates,
between security and the false positive rate. A very low thresh-
4. COTD can be readily integrated into current commercial in- old may result in a high false positive rate by considering most of
tegrated design flows, the wires (even non-malicious ones) as malicious, whereas a high
5. COTD presents time complexity of linear function of the threshold may actually result in false negatives by considering a
number of signals in the circuit, and HT related (malicious) wire to be not malicious.
Both VeriTrust and FANCI only monitor the combinational
6. COTD makes it possible to fully isolate an inserted Trojan.
logic between two registers (i.e. one sequential stage). Know-
COTD has been applied to all gate-level Trojans available on ing this limitation, DeTrust [34] designs new HTs whose cir-
Trust-HUB [36] and introduced by DeTrust [34], always-on Tro- cuitries are distributed over several sequential stages such that
jans, and HaTCh [35], and COTD has successfully detected all FANCI/VeriTrust, while observing a single sequential stage,
of them in a fraction of a minute with 0 false positive and false would consider them non-malicious.
negative rates. In [30], an information-theoretic approach for Trojan detection
The paper is organized as follows. Previous work is studied in has been proposed. It basically estimates the statistical correlation
Section 2, and Section 3 discusses the background and motivation. between signals in a circuit for Trojan detection with the use of
Section 4 introduces the COTD technique. Simulation results are OPTICS clustering algorithm. To study the correlation between
presented in Section 5 and Section 6 provides detailed discussions. the signals, inputs patterns are applied and a weighted graph of
Section 7 concludes the paper. design created. While the technique presents full coverage for se-
lected benchmarks, the accuracy of technique highly depends on
observing enough activity on each signal to study signals corre-
2. PREVIOUS WORK lation and presented results indicate non-zero false positive rate.
The unused circuitry identification (UCI) technique [37] is one Furthermore, the application of the technique for large circuits
of the first such techniques which distinguishes minimally used may require considerable processing time and memory usage.
logic from the other parts of the circuit. First, UCI creates a data- In another effort, a score-based classification method is pre-
flow graph for a circuit. Nodes of graph are signals (wires) and sented for identifying hardware-Trojans [31]. The proposed tech-
state elements and its edges indicate data flow between the nodes. nique extracts Trojan characteristics introduced at Trust-HUB [36]
Based on this data-flow graph, UCI generates a list of all direct and defines an incremental metric to isolate some of Trojan nets
and indirect signal pairs where data flows from a source signal to from the rest of circuit. While the proposed technique does not re-
a sink signal. In the following, UCI simulates the HDL code using quire a golden circuit, it is constructed towards the limited Trust-
design verification tests to find the set of data-flow pairs where HUB Trojans, and it takes considerable processing time even for
intermediate logic does not affect the data that flows between the such small circuits.
source and sink signals. While UCI centers on the fact that the HT
circuitry mostly remains inactive within a design, and hence such
minimally used logic can be distinguished from the other parts of 3. BACKGROUND AND MOTIVATION
the circuit, some later works such as [32] showed how to design While the horizontal integrated circuit design flow is widely prac-
HTs which can defeat the UCI detection scheme. ticed, a circuit is susceptible to hardware Trojan insertion across
VeriTrust [32] flags suspicious circuitries by identifying po- circuit design flow. A hardware Trojan can be inserted in a gate
tential trigger inputs used in HTs, based on the observation that level netlist provided by a malicious 3PIP vendor. Detecting such
these inputs keep dormant under non-trigger condition and hence a hardware Trojan is a very challenging task for two main rea-
are redundant to the normal logic function of the circuit. In or- sons: (1) the lack of a reference/golden circuit and (2) no pre-
der to detect the redundant inputs, it first performs functional test- information about the hardware Trojan inserted into a given netlist
ing and records the activation history of the inputs in the form [31].
of sums-of-products (SOP) and product-of-sums (POS). Then it Hardware Trojans can be typically divided into two groups
further analyzes these inactivated SOPs and POSs to find the re- from the activation mechanism perspective: always-on and trig-
dundant inputs. However, because of the functional verification gered. Always-on Trojans are activated as soon as their hosting
constraints, VeriTrust can see several inactivated SOPs and POSs designs are powered-on while conditional Trojans seek specific
nLowActiveNet
In1 in Figure 1 may have a very low switching activity, the signal may
have high testability. This fact emphasizes that applying random
T
patterns and merely analyzing switching activity of signals do not
In2 necessarily determine whether the signal is a Trojan signal or not
and can result in false negative and false positive conclusions.
Low-testability signals more infrequently determine circuit
primary outputs and its states; therefore, their manipulation highly
remains hidden. Testability analysis can be performed by calcu-
lating the controllability and observability of each signal. The
Sandia Controllability/Observability Analysis Program (SCOAP)
is the most popular testability program that measures testability
of each signal s in a circuit logic based on several numerical
values including: CC0(s) - combinational 0-controllability of
s, CC1(s) - combinational 1-controllability of s, and CO(s) -
Fig. 1. The fan-in cone of signal T with low switching activity in
combinational observability of s. These combinational testability
s38417 benchmark [38].
measures roughly determine the number of signals that must be
triggers to launch. In general, a functional Trojan consists of two manipulated in order to control or observe s from primary inputs
parts: a Trojan trigger and a Trojan payload. The Trojan trigger or at primary outputs. The values of controllability measures
determines conditions under which the Trojan payload propagates range between 1 and , while the values of observability mea-
erroneous values into the main circuit. While both always-on and sures range between 0 and . As a boundary condition, the CC0
triggered Trojans contain the Trojan payload, the triggered type and CC1 values of a primary input are set to 1, and the CO value
also has the Trojan trigger. The Trojan trigger might be con- of a primary output is set to 0 [40].
nected to some internal nets, and the Trojan payload re-stitches The SCOAP method first calculates the controllability val-
some other nets [39]. ues for all signals from primary inputs towards primary outputs.
To reduce Trojan detectability, the Trojan trigger might be To do so, the circuit is levelized and each gate is assigned a
connected to nets with low activity to create a rare triggering vec- level order. The output controllability of each gate is calcu-
tor, and the Trojan payload might re-stitch nets whose deviations lated in level order when the controllability of all its inputs have
are not readily observable. As a result, it is expected that Trojan been calculated.PFor example, CC0(s)=min{input CC0} + 1
signals present a very low switching activity and small correlation and CC1(s)= (input CC1) + 1 for the output of a AND
with other signals in a circuit as considered in [30], [31], and [33]. gate. The rules for other types of gates are presented in [40].
However, the circuit may contain some genuine signals with low After calculating controllability measures for all signals, the
switching activity, and they can be wrongly identified as Trojan observability measures for all signals from primary outputs
signals (i.e. false positive). On the other hand, a smart imple- towards primary inputs are calculated. For example, the ob-
mentation of Trojan can realize a low-active Trojan trigger whose servability
Pof one input of a AND gate with multiple inputs is
Trojan trigger does not match any cases studies in [31]. For ex- CO(s)= (output observability, CC1 of other inputs)+1.
ample, Figure 1 shows a very low active signal, the signal T , with The rules for other types of gates are similarly presented in [40].
its fan-in cone in s38414 benchmark [38], and Figure 2 shows From the security perspective, signals with low controllability
the switching on the signal T after applying random test patterns or low observability are more susceptible to be used for the Tro-
for 725041 test cycles. While the signal T presents no switching jan trigger and the Trojan payload. While a target signal might be
activity, this question remains whether the signal T is a Trojan highly observable but hardly controllable or vice versa, the pair
trigger signal whose fan-in cone is different from cases studied in <CC, CO> is created for each signal in the circuit, and the mag-
[31] to evade Trojan detection technique. Or, it is not a Trojan nitude of pair is defined as
signal due to its correlation with its driving signal, the signal In2, p
as studied in [30]. |<CC, CO>|= CC 2 (s) + CO2 (s). (1)
It is also possible that a Trojan has no trigger as it is an always-
While the value of CO can be directly obtained from the
on Trojan, and its payload is not connected to any net in the circuit.
SCOAP program, the CC value is defined as
For example, an inverter-based ring-oscillator Trojan only consists
of an odd number of inverters. This Trojan is not connected to any p
CC(s)= CC02 (s) + CC12 (s). (2)
internal net and is to reduce design reliability over the time. Such a
Trojan can easily evade the Trojan detection techniques presented It is expected Trojan signals to have low testability to avoid
in [30] and [31] (i.e. false negative). frequent impact on design functionality. To study the relationship
Testability is a relative measure of the effort or cost of test- between a signal testability and its manipulation effect, the testa-
ing a logic circuit, and it can be used to identify nets with poor bility analysis is performed on s38417 benchmark [38], and the
testability [40]. Testability considers the circuit implementation pair <CC, CO> for every signal is obtained. In the following,
and gates interconnections. While a signal such as the signal T 10 signals with different |<CC, CO>| value in the benchmark
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content
may change prior to final publication. Citation information: DOI 10.1109/TIFS.2016.2613842, IEEE

T
In1
In2
NoError Fig. 2. The signal T s waveform after applying random test patterns for 725041 test cycles.

700
that the detection probability is almost 1 for any fault whose t is
600 smaller than 40 when =0.9. The detection probability is almost
0 if the t of a net is larger. For =0.5 and =0.3, this threshold
500
is 55 and 100, respectively. Figure 4(a) indicates any fault whose
400
t is considerably high, its detection probability is almost 0. Figure
NoError
4(b) studies the effect of the number of test vectors on the fault de-
300 tection probability. While =0.5, V takes the values of 7.2E +11,
200
7.2E + 12, 7.2E + 13, and 7.2E + 14. Figure 4(b) highlights the
inconsiderable impact of increasing the number of test vector on
100 fault detection probability. Similar to Figure 4(a), Figure 4(b) also
emphases that a net whose t is considerably high remains unde-
0
101.57 94.62 92.59 69.75 61.16 50.45 40.80 33.17 20.42 10.95 tected. Therefore, a circuit with 100% fault coverage does not
|<CC,CO>| contain any signals with large t. As detecting a Trojan signal re-
Fig. 3. The relationship between signal testability and signal error quires its activation and propagation to an observation point, the
for selected signals in s38417 benchmark. above analysis for probability of fault detection is applicable to
are intentionally modified by passing them through one inverter. Trojan signal detection. Complement of Figure 3, Figure 4 also
Figure 3 presents |<CC, CO>| versus the number of mismatches indicates Trojan signals should have considerably low testability
(N oError) at the primary outputs and scan flip-flops after apply- to remain hidden during circuit authentication.
ing random patterns for 57400 test clock cycles.
While a large |<CC, CO>| value indicates low testability of a
4. THE COTD FLOW
signal due to its low controllability and observability, Figure 3 sig-
nifies that the number of mismatches considerably low when the Figure 5 presents the COTD flow. It takes a gate-level netlist as the
|<CC, CO>| value is even moderately high. The signal with |< input, and the Controllability and Observability Analyses step per-
CC, CO>|=101.57 only causes 10 mismatches over 57400 test forms the controllability and observability analyses to determine
clock cycles. On the other hand, Figure 3 also indicates that with controllability and observability values, i.e. CC0, CC1, and CO
reducing |<CC, CO>|, i.e. increasing a signals testability, No- values. Afterwards, the Unsupervised Clustering Analysis step is
Error considerably increases such that the average of NoError is performed to cluster signals based on their controllability and ob-
about 430 when |<CC, CO>| 50. This analysis indicates that servability values. Two signal lists are produced: Trojan Signals
if a Trojan is composed of signals with considerably low testabil- List and Genuine Signals List. The Genuine Signals List only con-
ity, its existence would highly remain unknown during testing. tains all genuine/original signals in the netlist. The Trojan Signal
There is direct relationship between controllability and ob- List only contains all Trojan signals if any Trojan exists. If this list
servability values and fault coverage [41]. Task of detecting a is empty, the circuit is Trojan free; otherwise, the circuit is Trojan
fault on a net requires (i) controlling the net to a desired value and inserted.
(ii) observing the net through propagating its value to a primary One major issue associated with hardware Trojan detection is
output. Detection probability of a fault can be represented as the lack of golden circuit as a reference. Unsupervised learning is
a type of machine learning algorithm used to explore datasets con-
P (t)=et . (3) sisting of input data without labeled responses. Cluster analysis or
clustering is the most common unsupervised learning method used
where t is sum of controllability and observability values of the
for grouping data. It groups a set of objects in such a way that ob-
faulty line for SCOAP, and generally takes a value close to 1
jects in the same group/cluster are more similar to each other than
that indicates the strong correlation of t and P (t). Based on the
to those in other groups/clusters. The clusters are modeled using a
geometric distribution, the probability of detecting a fault after
measure of similarity metrics such as Euclidean. Two factors de-
applying V test vector is
termine the quality of clustering: intra-cluster distance and inter-
cluster distance. While clustering, it is desired to maximize inter-
1 [1 P (t)]V (4)
cluster distances and to minimize intra-cluster distances. One of
Figure 4 presents the relationship between the detection prob- the most common clustering algorithms is k-means clustering that
ability of a fault and t. Figure 4(a) presents how the probability of strives to meet both goals at the same time [42].
detecting a fault is related to t for three different value of when k-means clustering aims to partition n observations into k
V =7.2E + 11. While V is considerably high, the figure shows clusters in which each observation belongs to the cluster with the
FaultCoverage
1 1
=0.9 V=720000000000000
V =7.2E+14
0.9 =0.5 0.9 V=72000000000000
V =7.2E+13
0.8 =0.3 V=7200000000000
V =7.2E+12
DetectionProbability
DetectionProbability
0.8
0.7 V =7.2E+11 0.7 V=720000000000
V =7.2E+11
=0.5
0.6 0.6
0.5 0.5
0.4 0.4
0.3 0.3
0.2 0.2
0.1 0.1
0 0
0 50 100 150 200 250 300 0 50 100 150 200 250 300
t t
(a) (b)
Fig. 4. The relationship between detecting a fault and its t defined as the sum of controllability and observability values.
GateLevel cluster distances from the cluster of genuine signals. Consider-

Netlist ing the small CC or CO values for genuine signals and the rela-
ow Controllabilityand
tive small size of hardware Trojans, the cluster of genuine signals
ObserverabilityAnalyses is easily distinguishable as its centroid is the closest to the cor-
ner <CC, CO>=<0, 0> compared with the centroids of Trojan
clusters, and it contains the larger portion of circuit signals. There-
SignalsControllabilityand
ObserverabilityValues fore, the COTD technique can effectively determine whether a cir-
cuit is Trojan inserted without need of any golden circuit.
Unsupervised To perform controllability and observability analyses, we use
ClusteringAnalysis
Synopsyss TetraMAX tool [43]. Using a simple TCL program,
COTD obtains CC0, CC1, and CO values for each signal in a
TrojanSignals GenuineSignals gate-level netlist. In the following, COTD determines CC value
List List for each signal using Equation 2 and stores CC and CO values for
all signals in a n 2 array where n is the number of signals in the
No Empty Yes circuit. To perform clustering analysis, the array is passed to an-
other simple program in R to perform the unsupervised k-means
TrojanInserted TrojanFree
cluster analysis with k=3 [44]. Upon existence of any Trojan sig-
Fig. 5. The COTD flow. nals in the circuit, they are separately clustered with considerable
nearest mean, serving as the center (or centroid) of the cluster. inter-cluster distances from the cluster of genuine signals.
Given a set of observations (x1 , x2 , . . . , xn ), where each obser-
vation is a d-dimensional real vector, k-means clustering aims to 4.1. Complexity: COTD vs. Existing Techniques
partition the n observations into k sets S={S1 , S2 , . . . , Sk } so as
to minimize the within-cluster sum of squares. In other words, its Usability of any HT detection technique strongly depends on its
objective is to find: time complexity. In this subsection, the time complexity of COTD
is compared with HaTCh, VeriTrustX, and FANCIX techniques
k X
X [35]. Both VeriTrustX, and FANCIX techniques require monitor-
arg minS ||x i ||2 (5) ing of all sequential stages of design. VeriTrustX monitors the ac-
i=1 xSi
tivation history of each entry in the truth table instead of terms in
Using the Equation 2, the COTD technique obtains the pairs SOP/POS form of the Boolean function. Assuming m the number
<CC, CO> for every signal in a circuit. Then it passes them of circuit inputs, the time complexity of VeriTrustX is O(2m ); i.e.
in the form of a 2-dimensional dataset to the k-means algorithm an exponential computation [35]. To compute the control value
where k=3. Signals can be divided into three clusters (k=3): (i) of each signal in a circuit, FANCIX needs to go through the each
genuine signals whose both CC and CO values are small, and entry of developed truth tables and for all primary input combi-
Trojan signals (ii) with large CC values or (iii) with large CO nations. This leads to the time complexity O(m2m ) [35]. As-
values. Therefore, the k parameter is set to 3 to distinguish Tro- suming n represents the total number of wires in the circuit and d
jan signals from genuine signals. It is possible a Trojan signal to the worst case trigger signal dimension, HaTCh has the time com-
have both large CC and CO values. Such a Trojan signal is still plexity of O((2n2 )d ) [35]. n and d may have a linear relation-
distinguished and reported in Trojan Signal List. ship and a logarithmic relationship with m, respectively. On the
As Trojan signals should have large CC or CO values to avoid other hand, COTD consists of two steps in sequence: Step-1 de-
their detection as opposed to genuine signals that should have termining controllability and observability values, and Step-2 ex-
small CC or CO values to be testable, the 3-means algorithm ecuting k-mean clustering. Step-1 has the time complexity O(n),
effectively separates all genuine signals in one cluster and iso- and Step-2 has the time complexity of O(nkdi) using the Lloyds
lates all Trojan signals in different clusters with considerable inter- algorithm where n is the number of wires, d is the number of data
Table 1. Detecting hardware Trojans in Trust-HUB gate-level netlist using COTD.

Trigger Payload Inter-cluster Distance Processing Time(min:sec) No Genuine No Trojan
Trojan
Size Size Gen Clst-Tj. Clst 1 Gen Clst-Tj. Clst 2 Ctrl&Obsr Clustering Signals (FN) Signals (FP)
s38417T100 11 1 316.97 255.69 00:03.47 00:0.08 5629(0) 12(0)
s38417T200 11 4 246.66 247.41 00:02.89 00:0.06 5629(0) 15(0)
s38417T300 15 29 431.11 246.87 00:02.66 00:0.07 5629(0) 44(0)
EthernetT700 12 1 298.14 247.86 00:11.97 00:1.04 102852(0) 13(0)
EthernetT710 12 1 283.50 247.45 00:09.96 00:1.10 102852(0) 13(0)
EthernetT720 12 1 298.14 247.80 00:08.98 00:1.10 102852(0) 13(0)
EthernetT730 12 1 298.14 247.75 00:09.75 00:1.08 102852(0) 13(0)
RS232T1000 10 3 335.77 251.23 00:00.53 00:0.01 241(0) 13(0)
RS232T1100 11 1 345.72 251.20 00:00.69 00:0.00 241(0) 12(0)
RS232T1200 12 1 375.98 251.21 00:00.96 00:0.02 241(0) 13(0)
RS232T1300 6 2 294.32 251.23 00:01.24 00:0.00 241(0) 8(0)
RS232T1400 12 1 345.53 251.15 00:00.81 00:0.01 241(0) 13(0)
RS232T1500 12 3 346.33 251.23 00:00.91 00:0.02 241(0) 15(0)
RS232T1600 9 2 362.77 251.23 00:00.96 00:0.00 241(0) 11(0)
s15850T100 26 1 331.02 250.80 00:00.83 00:0.03 2405(0) 27(0))
s35932T100 13 2 435.86 250.52 00:00.80 00:0.07 6386(0) 15(0)
s35932T300 12 24 250.51 251.03 00:00.95 00:0.06 6386(0) 36(0)
s38584T200 126 1 431.49 252.14 00:0.97 00:0.08 7272(0) 127(0)
s38584T300 1142 1 434.46 249.01 00:01.05 00:0.09 7272(0) 1143(0)
Complexity vga lcdT100 4 1 248.12 246.60 00:07.08 00:0.71 69832(0) 5(0)
wb conmaxT100 11 4 184.42 153.41 00:02.02 00:0.24 22182(0) 15(0)
TimeComplexityofCountermeasures
1.0E+80
trollability and observability analyses, any Trojan circuit not con-
FANCIX
1.0E+75
1.0E+70
VeriTrustX nected to the main circuit would have infinite CC or CO values.
HaTCh2in
1.0E+65
1.0E+60
HaTCh4in
COTD
As a result, they are separately clustered with high inter-cluster
TimeComplexity(timeunit)
1.0E+55
1.0E+50
distance and can be identified easily. In addition, using the unsu-
1.0E+45
1.0E+40
pervised clustering technique eliminates the need for golden cir-
1.0E+35
1.0E+30
cuit as Trojan signals are clustered as signals with considerably
1.0E+25
1.0E+20
low testability and with considerable inter-cluster distance from
1.0E+15 genuine signals.
1.0E+10
1.0E+05
1.0E+00
1 2 4 8 16 32 64 128 256
#ofinputsofthecircuit
5. SIMULATION RESULTS
Fig. 6. Comparison of computational complexities of different The COST technique is applied to gate-level Trojan-inserted
hardware Trojan countermeasures. netlist provided on Trust-HUB [36] and some other circuits in-
fected by Trojans proposed by DeTrust [34], always-on Trojans
dimensions, k the number of clusters which is set to 3 for COTD, and HaTCh [35]. In two consecutive steps, COTD firstly obtains
and i the number of iterations needed until convergence. On data CC0(s), CC1(s), and CO(s) for every signal s in a circuit using
that do have a clustering structure, the number of iterations until Synopsys TetraMAX [43], and then it executes unsupervised k-
convergence is often small, and results only improve slightly after mean clustering with k=3 to identify Trojan signals. Synopsys
the first dozen iterations. Therefore, the Lloyds algorithm is often TetraMAX can report the SCOAP controllability and observabil-
considered to be of linear time complexity in practice (O(n)). ity numbers in a set of numbers CC0-CC1-CO. When each of
In total, the time complexity of COTD is O(n) + O(n)=O(n). these values exceeds the 254 limit that the program can track, it
Figure 6 shows a comparison of time complexity of different reports * for that value. In this work, * is replaced with 254
countermeasures. HaTCh-2in and HaTCh-4in show the complex- to execute COTD.
ities for the m-input AND gate circuit implementation with 2- Table 1 presents the results of applying COTD to gate-level
input and 4-input AND gates, respectively. While HaTCh is sub- Trust-HUB benchmarks. While the first column indicates the
exponential in m and not exponential in m as for FANCIX and name of benchmark, the second and third columns present the size
VeriTrustX, COTD outperforms and presents a linear relationship of trigger and payload of inserted Trojan in terms of the number of
with m. The inconsiderable time complexity of COTD makes it a gates. The next set of two columns presents the inter-cluster dis-
perfect choice for hardware Trojan detection in a gate-level netlist. tances between the genuine-signal cluster and two Trojan-signals
The COTD technique can be easily integrated into current inte- clusters. The next set of two columns indicates the amount of time
grated design flow as it is based on widely used commercial tools. required to obtain controllability and observability values and to
Furthermore, the COTD technique does not require any pattern ap- perform clustering and identifying Trojan signals. The last two
plication; therefore, it outperforms the current existing techniques columns show the number of signals identified as genuine signals
in terms of performance. As the COTD technique is based on con- (No Genuine Signals) and the number of signals identified as Tro-
Table 2. Gate-level Trojans in Trust-HUB with low controllability and observability values.
Genuine Circuit Trojan Circuit
Trojan Trigger size Payload size # of Trojan Activation # Test clock cycles
Max CC Max CO Max CC Max CO
s35932T200 11 1 8.48 12 17.02 20 42 4261
s38584T100 8 1 35.35 32 7.07 9 21 3286
s38417-T100 Ethernet-T700 RS232-T1000 s15850-T100
100 150 200 250
100 150 200 250
100 150 200 250

100 150 200 250
Gen Cluster Gen Cluster Gen Cluster Gen Cluster

Tj Cluster1 Tj Cluster1 Tj Cluster1 Tj Cluster1
CO
CO
CO
CO
50
50
50
50
0
0
0 50 100 150 200 250 0 50 100 150 200 250 300 350 0 50 100 150 200 250 0 50 100 150 200 250 300 350
CC CC CC CC
s35932-T100 s38584-T200 vga-lcd-T100 wb_conmax-T100

100 150 200 250
100 150 200 250
100 150 200 250
150
Gen Cluster Gen Cluster Gen Cluster Gen Cluster
100
CO
CO
CO
CO
50
50
50
50
0
0
0 50 100 150 200 250 300 350 0 50 100 150 200 250 300 350 0 50 100 150 200 250 0 50 100 150
CC CC CC CC
Fig. 7. Unsupervised k-mean clustering with k=3 for selected gate-level Trojans on Trust-HUB.
jan signals (No Trojan Signals). Further, false negative (FN) rate, s35932T200 benchmark has very low controllability and ob-
the number of signals wrongly identified as genuine signals, and servability values; therefore, we observe the Trojan is activated 42
false positive (FP) rate, the number of signals wrongly identified times by only applying random test patterns for 4261 test clock
as Trojan signals, are reported. cycles. s38584T100 benchmark also contains a small Trojan
While the circuits have different sizes, and they contain Tro- with low controllability and observability values. For this case,
jans with different sizes and functionality, all Trojans are success- the maximum CC and CO values for the Trojan circuit are even
fully detected. For all benchmarks, signals are grouped in three less than those for the genuine circuit. Table 2 indicates that this
clusters. All genuine signals are isolated in one cluster (Gen Clst), Trojan is activated 21 times within only 3286 test clock cycles.
and all Trojan signals are divided into two clusters one with high Results in Table 2 emphasize that the controllability and observ-
CC values (Tj. Clst1) and the other with high CO values (Tj. ability values of Trojan signals cannot be small and close to those
Clst2). The results in Table 1 highlight there is considerable inter- of genuine signals; otherwise Trojans frequently interfere the nor-
cluster distance between genuine signals and Trojan signals such mal operation of a circuit.
that they can be easily distinguished. The average inter-cluster The controllability and observability values of Trojan signals
distance of Gen Clst and Tj. Clst1 and Gen Clst and Tj. Clst2 are should be significantly high so that the Trojan remains hidden
about 328 and 245, respectively. during circuit authentication. Table 3 presents the maximum
The processing timing analysis shows time to determine a cir- and minimum of |<CC, CO>| for signals in the genuine circuit
cuit contains a Trojan has taken less than 14 seconds in the worst and Trojan circuit for Trust-HUB gate-level netlist, respectively.
case. This results support that the timing complexity of COTD is The results clearly indicate even the minimum magnitude of
a linear order of the number of signals in the circuits as discussed |<CC, CO>| for Trojan signals is much higher than the maxi-
in subsection 4.1. Table 1 also presents the number of genuine mum magnitude of |<CC, CO>| for genuine signals. The larger
and Trojan signals for each benchmark, and it shows both FN and this difference is, the stealthier a Trojan behaves. Almost all
FP rates are 0 for all cases. The zero rates indicate that there is Trojans have a minimum |<CC, CO>| value above 254 while
no signal that is wrongly identified as a genuine signal while it is the maximum |<CC, CO>| value for genuine signals ranges
truly a Trojan signal and vice versa. between 12 and 101.
The results signify that realizing a stealthy hardware Trojan Figure 7 depicts the results of unsupervised k-mean clustering
getting rarely activated would result in Trojans whose signals with k=3 for selected gate-level Trojans in Table 3. The figure
have significantly high controllability and observability values, shows genuine signals are localized in the bottom left corner of
i.e. very difficult to control and observe. Otherwise, they are eas- graph while Trojan signals are mainly located in three other cor-
ily detectable. Interestingly, two gate-level Trojans in Trust-HUB ners of graph where CC, CO, or both are high. Furthermore, Fig-
benchmarks present low controllability and observability values, ure 7 depicts the significant inter-cluster distance between Trojan
and they are frequently activated by only applying few hundred signals and genuine signals.
test patterns, shown in Table 2. Among Trojans in Table 3, the maximum |<CC, CO>| value
Shown in Table 2, s35932T200 benchmark contains a Tro- for genuine signals in wb conmaxT100 benchmark is relatively
jan whose trigger has 11 gates and its payload one gate. The close to the minimum |<CC, CO>| value for the Trojan inserted
analysis indicates that the maximum CC and CO for the genuine in this benchmark. While this Trojan is correctly detected, the low
circuit and the Trojan circuit are <8.48, 12> and <17.02, 20>, value of minimum |<CC, CO>| value for the Trojan compare
respectively. Comparing with Trojans in Table 1, the Trojan in to the other Trojans may expose its existence during the authen-
Table 3. Analysis of controllability and observability values for Table 4. Detecting DeTrusted hardware Trojans in Trust-HUB
genuine and Trojan signals. gate-level netlist using COTD.
Genuine Circuit Trojan Circuit Inter-cluster Distance
Trojan Trojan
Max |<CC, CO>| Min |<CC, CO>| Gen Clst-Tj. Clst 1 Gen Clst-Tj. Clst 2
s38417T100 254.03 s38417T100 383.78 252.71
s38417T200 101.57 254.05 s38417T200 246.69 366.67
s38417T300 255.13 s38417T300 431.11 246.99
EthernetT700 254.01 EthernetT700 393.86 247.47
88.01
RS232T1000 254.00 RS232T1000 348.50 251.23
RS232T1100 254.03 RS232T1100 358.30 251.20
RS232T1200 254.00 RS232T1200 389.37 251.21
RS232T1300 13.19 254.00 RS232T1300 330.50 251.23
RS232T1400 254.00 RS232T1400 363.69 251.15
RS232T1500 254.00
RS232T1500 358.22 251.23
RS232T1600 254.00
RS232T1600 378.73 251.23
s15850T100 86.15 254.00
s15850T100 428.59 249.47
s35932T100 254.03
12.08 s35932T100 428.72 250.52
s35932T300 254.00
s35932T300 250.51 404.21
s38584T200 256.26
35.41 vga lcdT100 340.73 246.34
s38584T300 254.13
wb conmaxT100 250.45 241.77
vga lcdT100 42.05 256.00
wb conmaxT100 98.34 142.39
is an unexplored assumption with DeTrust.
The inserted sequential elements behave as directly control-
tication phase. We have applied random test patterns for 3779 lable and observable elements in confronting with FANCI and
test clock cycles to wb conmaxT100 benchmark, and the Tro- serve as present states (pseudo primary inputs) in creating SOP
jan becomes activated 5 times. While the Trojan in wb conmax and POS terms in studying VeriTrust. On the other hand, COTD
T100 benchmark is stealthier than Trojans in s35932T200 and identifies Trojan signals based on their controllability and ob-
s38584T100 benchmarks analyzed in Table 2, having Trojan servability values. Even if a Trojan uses sequential elements,
signals with low |<CC, CO>| values reveals the Trojan existence the controllability and observability values of signals in their
in a short time. This fact signifies that the minimum |<CC, CO>| fan-out cone is not reduced. According to the SCOAP program
values for Trojan signals should be considerably high to avoid <CC0, CC1, CO> for the output q and input d of D flip-flop is:
Trojan activation during authentication time. On the other hand,
COTD can catch Trojan signals as they stand in a cluster with con-
siderably high inter-cluster distance from genuine signals. CC0(q)=min{CC0(d) + CC0(CK) + CC1(CK) + CC0(r),
While the COTD technique has correctly identified all gate- CC1(r) + CC0(CK)}
level Trojans in Trust-HUB with zero false negative and false posi- CC1(q)=CC1(d) + CC0(CK) + CC1(CK) + CC0(r)
tive rates without need for a golden model, we have applied COTD CO(d)=CO(q) + CC0(CK) + CC1(CK) + CC0(r) (6)
to some other Trojans introduced by DeTrust [34] and HaTCh
[35].
DeTrust effectively creates a multi-layer wall of sequential el- where CK and r are clock and reset inputs, respectively [40].
ements (e.g. flip-flops) to divide the trigger cone of Trojan into As Equation 6 highlights inserting flip-flops does not reduce the
several combinational blocks so as to eliminate direct reachabil- controllability and observability values of their input and out-
ity of a Trojan payload to its triggering inputs. This technique put. Therefore, inserting multi-layer wall of sequential elements
has effectively defeated FANCI [33] and VeriTrust [32]. While in Trojan fan-in cone by DeTrust to hide Trojan circuits would
FANCI identifies rare trigger inputs based on the large fan-in cone render ineffective in dealing with COTD. It should be noted that
of Trojan payload, DeTrust breaks this large fan-in cone into sev- it is not expected that a Trojan contains scan flip-flops as this
eral smaller ones; therefore, the size of cone directly driving the would modify the existing scan architecture and increase Trojan
Trojan payload is effectively reduced, and the Trojan resides in activation probability by serving as pseudo primary inputs.
the false negative zone. VeriTrust identifies un-activated sum-of- To study Trojans designed with DeTrust in mind, Trust-HUB
product (SOP) and product-of-sum (POS) terms in a circuit and gate-level Trojans are updated by inserting one flip-flop at the
then isolates redundant terms by setting the un-activated SOP/POS output of each gate in their trigger circuitry. Figure 8 presents
terms to dont cares. The redundant terms are flagged as suspi- |<CC, CO>| values for Trojan trigger signals for original Trust-
cious Trojan triggers. In a similar manner, DeTrust indeed breaks HUB Trojan (labeled Trust-HUB) and for the same signals and
the SOP and POS terms by raising a multi-layer wall of sequential new introduced signals after applying DeTrust technique (labeled
elements between Trojan payload and its triggers. However, there DeTrusted).
DeTrust
450
400
350
|<CC,CO>|
300
250
200
150
100
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
TrustHUB
DeTrusted
T700 T701 T702 T703 T1000 T1100 T1200 T1300 T1400 T1500 T1600 T100 T100 T300 T100 T200 T300 T100 T100
wb_conmax
s35932
s38417
Ethernet
RS232
s15850
vga_lcd
Fig. 8. Comparing Trust-HUB Trojans before and after applying DeTrust technique.
Feedback Logic
Always-on Trojans: A Trojan can be always-on such that it
does not require any input from a circuit to operate. An inverter-
based ring-oscillator Trojan that has no input control and is to re-
rk r3 r2 r1
duce circuit reliability is an example of such. As such a Trojan
Selective is not connected to any internal net and its internal signals are
Connections
continuously changing, the Trojan looks like a legitimate module
with no rarely active state. As majority of detection techniques
are to localize Trojans based on their rare activity, an always-on
Trojan can be missed. As such a Trojans trigger is not connected
to any internal signals, its internal signals are not controllable and

observable; therefore, Trojan signals would have the maximum

CC0, CC1, and CO values. Hence, COTD can easily detect Tro-
Fig. 9. The general structure of k-XOR-LFSR Trojans introduced jan Always-on Trojans.
by HaTCh [35].
Figure 5: k-XOR-LFSR: A general HD trojan. s38417-T300 benchmark contains a triggered Trojan whose
Figure 8 highlights how inserting flip-flops indeed increase payload is a ring-oscillator with 29 stages. To realize an always-on
|<CC, CO>| values. For example, the original Ethernet-T700/- Trojan, Trojan trigger is removed. COTD reports that all Trojan
0 i <T701/-T702/-T703
u j}, then the wire have
Trojans combination
the median of the CO>|
|<CC, d wires val-corresponding to of
signals (outputs ruj Trojan inverters) have CC0=254, CC1=
29 |P
254, and CO=254.
T rig (otherwise
ues of aboutt({T 254, rig})
and the>maximumj): if this is the
|<CC, CO>|case for are
values all d dimensional P , then
HaTCh has investigated the introduction of implicit mali-
resent aflip-flops,
subset of r . The probability that r i |P : 0 is at the stealthiness of hardware Trojans
about 439, 359,uj and 439, and 439, respectively. uj After inserting
the DeTrusted
|P
|<CC, CO>| values are dsignificantly
{r cious < u toj}increase
ibehavior
e probability
increased that i : 0 value
with{rthe|Pmedian i < uofaboutj} =439. 1} the
{0, Or, , which
medianis (by by the union
creating bound) of having a false negative under logic
a possibility
|<CC, CO>| value for wb conmax-T100 before inserting flip- testing based techniques. To do so, HaTCh has introduced k-
1 flops
is aboutP178. rob({r i
|P : 0 i < u j} {0,
On the other hand, this value is considerably 1} d
\ {w}) XOR-LFSR Trojans whose general structure is shown in Figure
increased
w{0,1} to about 439 after applying the DeTrust technique. Fig-
d 9. Using a linear-feedback-shift-register (LFSR) brings a semi-
ure 8 does not include Trojans inserted in s38584 benchmark as nondeterministic behavior for a Trojan, such that it would be
=already
1 constitute (1flip-flops
1/2 )in theirimplementations.
12 e
d uj d (uj)/2 d
they The de- difficult to characterize its behavior. Such a characteristic makes
tailed analysis shows d that the median values |<CC, CO>| of De- Trojan detection difficult using existing detection technique. On
w{0,1}
Trusted Trojans are about 1.3X larger those of original Trust-HUB the other hand, COTD is able to detect such a Trojan as the LFSR
k
d k /d! projections, T rig cannot represent a subset of r withisprobability
d Trojans, on average. Figure 8 signifies that introducing flip-flops ujcircuit not connected to the main circuit. That is, a k-XOR-
into a Trojan circuitry would considerably increase the controlla- LFSR Trojan is not controllable and its controllability value is
bility and observability values of Trojan signalsd such that they can infinite.
(1 2d e(uj)/2 )k /d! (1)
d
be easily caught by COTD. To evaluate the effectiveness of COST, the 4-XOR-LFSR

Table 4 presents inter-cluster distances between the clusters Trojan to leak a secret key described in [35] is implemented as
j) log(log(u j) logand
of Trojansignals k+ thelog log k),
cluster this lower
of genuine signalsbound is aboutshown
for DeTrusted 1/e. Since10(a).
in Figure u kUpon reset the LFSR <L3L2L1L0> is
ing thegate-level
term log log k,onthis
Trojans shows As
Trust-HUB. anitapproximate
is expected basedlower
on Equa-boundloadedon d({T 1010, i.e.,
with rig}), and the Trojan leaks a secret information
tion 6, there is increase in inter-cluster distances from original Tro- when L1=0 and L3L2L0=111. Figure 10(b) shows CC0,
janslog(k t({T rig}))
to DeTrusted Trojans.The log(log(k t({T rig}))
average inter-cluster log k)
distances of CC1, and CO for Trojan signals. As the results show either
original Trojan in Table 1 is 286.85 and that of DeTrusted Tro- controllability value or observability value of Trojan signals has
es the stealthiness of the k-XOR-LFSR trojan.
jans is 312.66. Therefore, DeTrusted Trojans are even more easily the maximum value. Therefore, the k-XOR-LFSR Trojans can be
in section 2.2, due to the implicit malicious behavior it may not always be possible
distinguishable by COTD. easily detected by COTD.
malicious output from a normal output just by monitoring the output ports.
he implicit malicious behavior adds to the stealthiness of the 9
HT since it creates
having1556-6013
a false(c) 2016negative
IEEE. Personal useunder
is permitted,logic testing based
but republication/redistribution techniques.
requires We quantify this
IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
ning the implicit behavior factor as follows:
MUX21X1Tj_mux1(.IN1(D0),.IN2(1'b0),.S(rst),.Q(LI0)); Cell PinCC0CC1CO

MUX21X1Tj_mux2(.IN1(L0),.IN2(1'b1),.S(rst),.Q(LI1)); Tj_LFSR_0 Q254254254
MUX21X1Tj_mux3(.IN1(L1),.IN2(1'b0),.S(rst),.Q(LI2)); Tj_mux2 Q2541254
MUX21X1Tj_mux4(.IN1(L2),.IN2(1'b1),.S(rst),.Q(LI3)); Tj_LFSR_1 Q254254254
DFFARX1Tj_LFSR_0(.D(LI0),.CLK(CK),.RSTB(1'b1),.Q(L0)); Tj_mux3 Q1254254
DFFARX1Tj_LFSR_1(.D(LI1),.CLK(CK),.RSTB(1'b1),.Q(L1)); Tj_LFSR_2 Q254254254
DFFARX1Tj_LFSR_2(.D(LI2),.CLK(CK),.RSTB(1'b1),.Q(L2)); Tj_mux4 Q2541254
DFFARX1Tj_LFSR_3(.D(LI3),.CLK(CK),.RSTB(1'b1),.Q(L3)); Tj_LFSR_3 Q254254254
XOR2X1Tj_U1(.IN1(L3),.IN2(L2),.Q(D0)); Tj_U1 Q254254254
AND2X1Tj_U2(.IN1(L3),.IN2(L2),.Q(L32)); Tj_mux1 Q1254254
AND2X1Tj_U3(.IN1(L32),.IN2(L0),.Q(W3)); Tj_mux_DS0 Q254254254
OR2X1Tj_U4(.IN1(L1),.IN2(W3),.Q(W2)); Tj_mux_DS1 Q254254254
MUX21X1Tj_mux_DS0(.IN1(n4135),.IN2(g640),.S(L1),.Q(out_DS0)); Tj_U2 Q254254254
MUX21X1Tj_mux_DS1(.IN1(n1859),.IN2(n4220),.S(L1),.Q(out_DS1)); Tj_U3 Q254254254
MUX21X1Tj_mux_DS2(.IN1(out_DS0),.IN2(out_DS1),.S(W2),.Q(out)); Tj_U4 Q254254254
Tj_mux_DS2 Q2542540
(a) (b)
Fig. 10. The 4-XOR-LFSR Trojan to leak a secret key, introduced in [35].
gate is identified as a Trojan triggering signal. Any signal that is
TrojanSignals Gatelevel
List Netlist not a Trojan signal but passing through a Trojan gate is identified
ryFlow TrojanGates
as a Trojan payload signal. Any gate whose one of inputs is a pay-
load signal composes the Trojan payload circuitry. The remaining
Identification Trojan gates compose the Trojan trigger circuitry. The hardware
Trojan recovery flow is implemented in Synopsys design com-
piler and only consists of about 100 lines, and its complexity is
TrojanGates TrojanInput/
OutputPins an order of the number of Trojan signals. The flow is being ap-
plied to all gate-level netlist on Trust-HUB, and all Trojans are
Trojan successfully recovered.
Reconstruction As a sample, Figure 12 presents the output of flow for the
s38417-T100 Trojan on Trust-HUB. While Figure 12 shows a part
of report, the report includes (1) Trojan gates for each of which in-
TrojanTrigger TrojanPayload put and output pins with their connected nets are reported, (2) Tro-
jan internal signals are distinguished, (3) Trojan triggering signals
are detected, and (4) Trojan payload gates, along with targeted
TrojanInternal TrojanPrimary PayloadSignal nets are identified.
Signals inputSignals andGates
Comparing the report in Figure 12 with the Trojan inserted in
Fig. 11. The hardware Trojan recovery flow for gate-level netlist.
s38417-T100 circuit shows the proposed hardware Trojan recov-
Hardware Trojan Recovery: It is so valuable to fully recover ery flow can perfectly extract the inserted Trojan. While a Trojan
an inserted Trojan in a circuit to understand the purpose of ad- circuit can be completely isolated, it is also possible to clean up
versary. Identifying Trojan trigger and Trojan payload circuitry the Trojan-inserted circuit.
present detailed information about Trojan implementation. Fur-
ther, it would also make it possible to determine (i) which signals
are being used as inputs for the Trojan trigger, and (ii) which sig- 6. DISCUSSION
nals are targeted by the Trojan payload. The results indicate the COTD technique has successfully detected
After isolating Trojan signals using COTD, it is possible to all gate-level Trust-Hub Trojans and Trojans designed based on
fully recover a hardware Trojan inserted in a gate-level netlist. DeTrust and HaTCh techniques in less than 14 seconds with zero
Figure 11 presents the proposed hardware Trojan recovery flow in false positive and negative rates without need for a golden model.
a gate-level netlist. Trojan signals identified by COTD and Trojan- COTD is based on SCOAP controllability and observability num-
inserted circuit are used as inputs. The Trojan Gates Identifica- bers which are approximate measurements of circuit testability.
tion step extracts Trojan gates, and their input and output pins. As SCOAP does not consider the dependency of signals, recon-
With this information, it is possible to execute the Trojan Recon- vergent signals may result in the increase of controllability and
struction step. In this step, Trojan trigger and Trojan payload cir- observability values.
cuitry are restored. Signals connected to Trojan gates pins are As SCOAP controllability and observability values are ap-
obtained, and the interconnection between Trojan gates is recon- proximate and COTD distinguishes Trojan signals based on their
structed. Further, it is determined which signals from the main significantly high controllability and observability values, two im-
circuit are being used as Trojan triggering signals, and which sig- portant questions may arise: Question 1 - whether it is possible to
nals in the main circuit are attacked by the Trojan payload. Any realize a Trojan signal with low controllability and observability
signal that drives a Trojan gate and is not driven by any Trojan numbers such that it remains inactive during testing (false nega-
10
FalseNegative
10000
s15850 RS232
TrojanGates......................................................... s35932 s38417
Trojan1234_NOT s38584 vgalcd
Trojan1234_NOT/IN1:Tj_OUT1 wb_conmax Ethernet
Thenumberoftransitions
1000
Trojan1234_NOT/IN2:Tj_OUT2
100
Trojan1234_NOT/Q:Tj_OUT1234
Trojan2
Trojan2/IN1:n3023
Trojan2/IN2:n3000 10
Trojan2/QN:Tj_OUT2
.
.
. 1
1 4 16 64 256 1024 4096 16384 65536 262144
Signalindex
.
TrojanTriggeringSignals....................................... Fig. 13. Switch activity of signals in Trojan-free circuits after
n3023:U5423/Q applying random test vectors for 500 test cycles.
n3000:U5415/Q
n3751:U6726/QN While the circuits contain signals with wide range of switching ac-
n3749:U6724/QN
n2792:U4217/QN tivities, there is zero signal with zero switching activity even after
n2632:U4219/QN applying a small number of random test patterns.
n3008:U5419/Q
n3068:U4737/QN The results emphasize any signal whose the controllability and
n3128:U4743/QN observability values even if overestimated is in the range of con-
n3036:U4734/QN
n2351:U4179/QN
trollability and observability values for the original signals expe-
n2430:U4182/QN riences switching activity. This also holds true for a Trojan signal
n3758:U6728/QN has controllability and observability values less than or close to
n3788:U6730/QN
n3065:U4739/Q the maximum |<CC, CO>| of genuine signals. This fact is al-
n3016:U5180/Q ready discussed in Table 2 where two Trojans consisting of signals
TrojanPayloadGates............................................
Trojan_Payload
whose maximum CC and CO are slightly larger and smaller than
n4263_Tj_Payload>DFF_1563_Q_reg the maximum CC and CO of genuine signals in hosting original
circuits. Table 2 shows considerable switching activities of Trojan
Fig. 12. The restored s38417-T100 Trojan.
signals after applying few thousands test patterns.
tive); Question 2 - whether an original signal can be recognized It should be noted that there might be some signals in the orig-
as a Trojan signal (false positive). inal circuit that are undetectable meaning either not controllable
False Negative: Inaccuracy of SCOAP is attributed to the ex- or not observable. A signal can be undetectable if it is unused,
istence of reconvergent signals and ignoring dependency between blocked, or redundant. Undetectable signals are distinguishable
signals. As a result, the controllability and observability values of using ATPGA tools; therefore, a Trojan signal cannot be imple-
some signals might be overestimated. To ensure a circuit is fully mented as an undetectable signal.
testable, all signals of the circuit should be controllable and ob- False Positive: To be incorrectly recognized as a Trojan signal
servable. As a result, any signal situated in the zone of controllable by COTD, a genuine signal should present a considerable inter-
and observable signals including Trojan signals would experience cluster distance from other genuine signals. Table 5 presents the
switching activity. Hence, it is not possible to implement a Trojan inter-cluster distances between signals after executing unsuper-
whose signals have controllability and observability in the range vised k-mean clustering with k=3 on Trojan-free gate-level Trust-
of genuine signals in a hosting circuit but remain inactive during HUB benchmarks in Table 3. Compared with the inter-cluster dis-
circuit testing. Such a behavior flags them as untestable signals, tance of Trojan signal clusters and genuine signal clusters in Ta-
and it would be followed with their thorough analyses. ble 1, the inter-cluster distance of genuine signal clusters in Table
To evaluate switching activity of signals, Figure 13 shows the 5 is significantly smaller. The average inter-cluster distance for
frequency of switching activity in each original circuit in Table 3 Trojan-inserted circuits in Table 1 is about 286.85 and the average
after applying random test vectors for 500 test cycles. While the inter-cluster distance for Trojan-free circuits in Table 5 is about
number of transitions are sorted ascending in each circuit, the hor- 18.45 that is about 15 times smaller. Furthermore, Figure 14 de-
izontal axis indicates the signal index and the vertical axis presents picts the three clusters for each Trojan-free gate-level Trust-HUB
the number of transitions from 0 to 1 or 1 to 0. The axes are benchmarks. The figure shows there are overlaps between clusters
presented in logarithmic scales to provide a finer look at signals and it is not possible to group signals into well-separated clusters.
with low switching activities. Using the signal index, it is possible While Trojan signals present high controllability and observ-
to observe how many signals exist with switching activities below ability values to realize stealthy Trojans, clusters of genuine sig-
a certain number. For example, Ethernet benchmark has four signals present small inter-cluster distances even if some are possibly
nals whose switching activity is two. The circuits have different overestimated. Furthermore, to ensure circuit testability, a gen-
sizes with different functionality, and larger circuits like Ethernet uine signal experiences the minimum switching activity as shown
benchmark have larger number of signals with low switching ac- in Figure 13. Therefore, the characteristics of genuine signals ef-
tivities in comparison with smaller circuits like RS232 benchmark. fectively makes the false positive rate zero.
11
s38417 Ethernet RS232 s15850
70
100
10 12
80
80
50
60
60
8
CO
CO
CO
CO
40
30
6
40
4
20
20
10
2
0
0
0 20 40 60 80 0 20 40 60 80 2 4 6 8 10 0 20 40 60 80
CC CC CC CC
s35932 s38584 vga-lcd wb_conmax

12
80
40
10 15 20 25 30
10
60
30
8
CO
CO
CO
CO
40
6
20
4
20
10
2
5
0
0
2 3 4 5 6 7 8 5 10 15 20 25 30 35 0 10 20 30 40 0 20 40 60 80 100
CC CC CC CC
Fig. 14. Unsupervised k-mean clustering with k=3 for Trojan-free gate-level benchmarks on Trust-HUB.
[8] M. Potkonjak, A. Nahapetian, M. Nelson, and T. Massey, Hardware Trojan Horse
Table 5. Inter-cluster distances in Trojan-free gate-level Trust- Detection Using Gate-Level Characterization, ACM/IEEE Design Automation Con-
HUB benchmarks. ference (DAC), pp. 688693, 2009.
Inter-cluster Distance [9] Y. Liu, K. Huang, and Y. Makris, Hardware Trojan detection through golden chip-
Circuit free statistical side-channel fingerprinting, ACM/IEEE Design Automation Confer-
Clst1 - Clst2 Clst1 - Clst3 Clst2 - Clst3
ence (DAC), pp. 16, 2014.
s38417 45.12 31.88 45.87 [10] X. Wang, Y. Zheng, A. Basak, and S. Bhunia, IIPS: Infrastructure IP for Secure SoC
Ethernet 13.79 41.38 28.32 Design, IEEE Transactions on Computers, vol.64, no.8, pp. 22262238, 2015.
RS232 4.71 3.56 5.52 [11] R. S. Chakraborty, F. Wolff, S. Paul, C. Papachristou, and S. Bhunia, MERO: A Sta-
s15850 16.78 14.85 16.38 tistical Approach for Hardware Trojan Detection, International Workshop on Crypto-
graphic Hardware and Embedded Systems(CHES09), pp. 396410.
s35932 6.14 6.68 3.42
[12] Y. Zheng, S. Yang, and S. Bhunia, SeMIA: Self-Similarity-Based IC Integrity Analy-
s38584 4.58 9.41 13.60 sis IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems,
vga lcd 34.16 23.73 23.36 Volume: 35, Issue: 1, pp. 3748, 2016.
wb conmax 12.60 13.09 23.90 [13] Y. Huang, S. Bhunia, and P. Mishra, MERS: Statistical Test Generation for Side-
Channel Analysis based Trojan Detection, The ACM Conference on Computer and
Communications Security (CCS), 2016.
7. CONCLUSIONS [14] H. Salmani and M. Tehranipoor, Layout-aware switching activity localization to en-
hance hardware Trojan detection, IEEE Transactions on Information Forensics and
Considering the extensive practice of integrated circuit horizon- Security (TIFS), Volume: 7, Issue: 1, pp. 7687, 2012.
[15] H. Salmani, M. Tehranipoor, and J. Plusquellic, A novel technique for improving
tal design flow and demand for untrusted third party intellectual hardware Trojan detection and reducing Trojan activation time, IEEE Trans. Very
properties, the COTD technique, a novel Trojan detection tech- Large Scale Integr. Syst. (TVLSI), Volume: 20, Issue: 1, pp. 112125, 2012.
nique at the gate level, was presented. Based on controllability [16] Y. Jin and Y. Makris, A proof-carrying based framework for trusted microprocessor
IP, 2013 IEEE/ACM International Conference on Computer-Aided Design (ICCAD),
and observability analyses, COTD isolated Trojan signals using pp. 824829, 2013.
unsupervised k-mean clustering with k=3. Without need for a [17] E. Love, Y. Jin, and Y. Makris, Proof-Carrying Hardware Intellectual Property: A
Pathway to Trusted Module Acquisition, IEEE Trans. on Information Forensics and
golden model, COTD was able to detect various Trojans with zero Security (TIFS), Volume: 7, No: 1, pp. 2540, 2012.
false positive and false negative rates, and the maximum reported [18] H. Salmani and M. Tehranipoor, Analyzing circuit vulnerability to hardware Trojan
insertion at the behavioral level, 2013 IEEE International Symposium on Defect and
execution time has been a fraction of minute. While majority of Fault Tolerance in VLSI and Nanotechnology Systems (DFTS), pp. 190195, 2013.
Trojan detection techniques are based in test pattern application,
[19] X. Zhang and M. Tehranipoor, Case study: Detecting hardware Trojans in third-party
COTD is a static technique does not require any test pattern gener- digital IP cores, 2011 IEEE International Symposium on Hardware-Oriented Security
ation and application. In addition, COTD made it possible to fully and Trust (HOST), pp. 6770, 2011.
[20] M. Banga and M. S. Hsiao, Trusted RTL: Trojan detection methodology in pre-silicon
isolate a Trojan circuit, if it exists. Finally, COTD can be easily designs, 2010 IEEE International Symposium on Hardware-Oriented Security and
integrated into current commercial integrated design flow. Trust (HOST), pp. 5659, 2010.
[21] X. Guo, R. G. Dutta, Y. Jin, F. Farahmandi, and P. Mishra, Pre-silicon security veri-
fication and validation: A formal perspective, 2015 52nd ACM/EDAC/IEEE Design
Automation Conference (DAC), pp. 15, 2015.
8. REFERENCES [22] D. Sullivan, J. Biggers, G. Zhu, S. Zhang, and Y. Jin, FIGHT-Metric: Functional
Identification of Gate-Level Hardware Trustworthiness, Proceedings of the 51st An-
[1] S. Adee, The hunt for the kill switch. IEEE Spectrum, 2008. nual Design Automation Conference (DAC14), pp. 173:1173:4, 2014.
[2] M. Tehranipoor and C. Wang, Introduction to Hardware Security and Trust, Springer [23] J. Rajendran, H. Zhang, O. Sinanoglu, and R. Karri, High-level synthesis for security
New York Dordrecht Heidelberg London, August 2011. and trust, IEEE 19th International On-Line Testing Symposium (IOLTS), pp. 232
[3] L. Jieand and J. Lach, At-Speed Delay Characterization for IC Authentication and 233, 2013.
Trojan Horse Detection, IEEE International Symposium on Hardware Oriented Secu- [24] J. J. Rajendran, O. Sinanoglu, and R. Karri, Building Trustworthy Systems Using
rity and Trust (HOST), pp. 814, 2008. Untrusted Components: A High-Level Synthesis Approach, IEEE Transactions on
Very Large Scale Integration (VLSI) Systems, Volum: 24, Issue: 9, pp. 29462959,
[4] D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, and B. Sunar, Trojan Detection
2016.
using IC Fingerprinting, IEEE Symposium on Security and Privacy (SSP), pp. 296
310, 2007. [25] X. Cui, K. Ma, L. Shi, and K. Wu High-Level Synthesis for Run-Time Hardware Tro-
jan Detection and Recovery, In Proceedings of the 51st Annual Design Automation
[5] X. Wang, H. Salmani, M. Tehranipoor, and J. Plusquellic, Hardware Trojan Detection Conference (DAC). pages: 157:1157:6, 2014.
and Isolation Using Current Integration and Localized Current Analysis, Defect and [26] A. Sengupta, S. Bhadauria, and S. Mohanty, TL-HLS: Methodology for Low Cost
Fault Tolerance of VLSI Systems (DFTV), pp. 8795, 2008. Hardware Trojan Security Aware Scheduling with Optimal Loop Unrolling Factor dur-
[6] J. Dubeuf, D. Hely, and R. Karri, Run-time detection of hardware Trojans: The pro- ing High Level Synthesis, IEEE Transactions on Computer-Aided Design of Inte-
cessor protection unit, IEEE European Test Symposium (ETS), pp. 16, 2013. grated Circuits and Systems , vol.PP, no.99, pp.11, 2016.
[7] F. Koushanfar and A. Mirhoseini, A Unified Framework for Multimodal Submodular [27] N. Lesperance, S. Kulkarni, and K. T. Cheng, Hardware Trojan detection using ex-
Integrated Circuits Trojan Detection, IEEE Transactions on Information Forensics and haustive testing of k-bit subspaces, The 20th Asia and South Pacific Design Automa-
Security (TIFS), vol.6, no.1, pp.162174, 2011. tion Conference, pp. 755760, 2015.
12
[28] A. G. Voyiatzis, K. G. Stefanidis, and P. Kitsos, Efficient triggering of Trojan hard-

ware logic, IEEE 19th International Symposium on Design and Diagnostics of Elec-
tronic Circuits & Systems (DDECS), pp. 16, 2016.
[29] N. Fern and S. Kulkarni, and K. T. Cheng Hardware Trojans Hidden in RTL Dont
Cares Automated Insertion and Prevention Methodologies, International Test Con-
ference (ITC), pp. 18, 2015.
[30] B. Cakir and S. Malik, Hardware Trojan Detection for Gate-level ICs Using Signal
Correlation Based Clustering, Proceedings of the 2015 Design, Automation & Test in
Europe Conference & Exhibition (DATE), pp. 471476, 2015.
[31] M. Oya, Y. Shi, M. Yanagisawa, and N. Togawa, A Score-based Classification Method
for Identifying Hardware-Trojans at Gate-level Netlists, Proceedings of the 2015 De-
sign, Automation & Test in Europe Conference & Exhibition (DATE), pp. 465470,
2015.
[32] J. Zhang, F. Yuan, L. Wei, Z. Sun, and Q. Xu, VeriTrust: Verification for Hard-
ware Trust, ACM/EDAC/IEEE Design Automation Conference (DAC), pp. 61:1
61:8, 2013
[33] A. Waksman, M. Suozzo, and S. Sethumadhavan, FANCI: identification of stealthy
malicious logic using Boolean functional analysis, Proceedings of the 2013 ACM
SIGSAC Conference on Computer & Communications Security (CCS), pp. 697-708,
2013.
[34] J. Zhang, F. Yuan, and Q. Xu, DeTrust: Defeating Hardware Trust Verification
with Stealthy Implicitly-Triggered Hardware Trojans, Proceedings of the 2014 ACM
SIGSAC Conference on Computer and Communications Security (CCS), pp. 153166,
2014.
[35] S. K. Haider, C. Jin, M. Ahmad, D. M. Shila, O. Khan, and M. V. Dijk, HaTCh:
A Formal Framework of Hardware Trojan Design and Detection, Cryptology ePrint
Archive, Report 2014/943, 2014.
[36] Trust-HUB benchmarks, https://www.trust-hub.org/taxonomy
[37] M. Hicks, M. Finnicum, S.T. King, M. Martin, and J.M. Smith, Overcoming an
Untrusted Computing Base: Detecting and Removing Malicious Hardware Automati-
cally, IEEE Symposium on Security and Privacy, pp. 6477, 2010.
[38] ISCAS benchmarks, http://www.pld.ttu.ee/ maksim/benchmarks/
[39] R. Karri, J. Rajendran, K. Rosenfeld, and M. Tehranipoor Trustworthy Hardware:
Identifying and Classifying Hardware Trojans, IEEE Computer, vol. 43, no. 10, pp.
39-46, 2010.
[40] C. Wu, L. Wang, and X. Wen VLSI Test Principles and Architectures: Design for
Testability, The Morgan Kaufmann Series in Systems on Silicon, 2006.
[41] K. R. Kantipudi Controllability and Observability, Dept of Electrical & Computer
Engineering. Auburn University, 2002.
[42] G. A. F. Seber, Multivariate Observations, John Wiley & Sons, Inc., 1984.
[43] Synopsyss TetraMAX, http://www.synopsys.com/Tools/Pages/default.aspx
[44] The R Project for Statistical Computing, https://www.r-project.org/
H. Salmani received his PhD

from the University of Connecti-
cut 2011. He is currently an Assis-
tant Professor in at the University
of Florida. His current research
projects include: hardware secu-
rity and trust and supply chain
security. Dr. Salmani has pub-
lished tens of journal articles and
refereed conference papers and
has given more than several in-
vited talks. He has published one
book and one book chapter. He
serves as a Program Committee
and Session Chair for design au-
tomation conference (DAC), Hardware-Oriented Security and
Trust (HOST), International Conference on Computer Design
(ICCD), VLSI Design and Test (VDAT). Dr. Salmani is a member
of the IEEE and SAE Internationals G-19A Tampered Subgroup,
and Member of ACM and ACM SIGDA.
13

Salman I 2016

Transféré par

Informations du document

Description originale:

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Salman I 2016

Transféré par

Droits d'auteur :

Formats disponibles

This article has been accepted for publication in a future issue of this journal, but has not been

COTD: REFERENCE-FREE HARDWARE TROJAN DETECTION AND RECOVERY BASED ON

GateLevel cluster distances from the cluster of genuine signals. Consider-

Table 1. Detecting hardware Trojans in Trust-HUB gate-level netlist using COTD.

s38417-T100 Ethernet-T700 RS232-T1000 s15850-T100

100 150 200 250

100 150 200 250

100 150 200 250

Gen Cluster Gen Cluster Gen Cluster Gen Cluster

s35932-T100 s38584-T200 vga-lcd-T100 wb_conmax-T100

100 150 200 250

100 150 200 250

observable; therefore, Trojan signals would have the maximum

be easily caught by COTD. To evaluate the effectiveness of COST, the 4-XOR-LFSR

MUX21X1Tj_mux1(.IN1(D0),.IN2(1'b0),.S(rst),.Q(LI0)); Cell PinCC0CC1CO

Trojan1234_NOT/IN1:Tj_OUT1 wb_conmax Ethernet

s38417 Ethernet RS232 s15850

s35932 s38584 vga-lcd wb_conmax

[28] A. G. Voyiatzis, K. G. Stefanidis, and P. Kitsos, Efficient triggering of Trojan hard-

H. Salmani received his PhD

Vous aimerez peut-être aussi