Francis G. Wolff

MERO: A Statistical Approach for Hardware Trojan Detection

In order to ensure trusted in---field operation of integrated circuits, it is important to develop efficient low---cost techniques to detect malicious tampering (also referred to as Hardware Trojan ) that causes undesired change in functional behavior. Conventional post--- manufacturing testing, test generation algorithms and test coverage metrics cannot be readily extended to hardware Trojan detection. In this paper, we propose a test pattern generation technique based on multiple excitation of rare logic conditions at internal nodes. Such a statistical approach maximizes the probability of inserted Trojans getting triggered and detected by logic testing, while drastically reducing the number of vectors compared to a weighted random pattern based test generation. Moreover, the proposed test generation approach can be effective towards increasing the sensitivity of Trojan detection in existing side---channel approaches that monitor the impact of a Trojan circuit on power or current signature. Simulation results for a set of ISCAS benchmarks show that the proposed test generation approach can achieve comparable or better Trojan detection coverage with about 85% reduction in test length on average over random patterns.

Towards trojan-free trusted ICs: problem analysis and detection scheme

There have been serious concerns recently about the security of microchips from hardware trojan horse insertion during manufacturing. This issue has been raised recently due to outsourcing of the chip manufacturing processes to reduce cost. This is an important consideration especially in critical applications such as avionics, communications, military, industrial and so on. A trojan is inserted into a main circuit at manufacturing and is mostly inactive unless it is triggered by a rare value or time event; then it produces a payload error in the circuit, potentially catastrophic. Because of its nature, a trojan may not be easily detected by functional or ATPG testing. The problem of trojan detection has been addressed only recently in very few works. Our work analyzes and formulates the trojan detection problem based on a frequency analysis under rare trigger values and provides procedures to generate input trigger vectors and trojan test vectors to detect trojan effects. We also provide experimental results.

Multiple-parameter side-channel analysis: A non-invasive hardware Trojan detection approach

Malicious alterations of integrated circuits during fabrication in untrusted foundries pose major concern in terms of their reliable and trusted field operation. It is extremely difficult to discover such alterations, also referred to as “hardware Trojans” using conventional structural or functional testing strategies. In this paper, we propose a novel non-invasive, multiple-parameter side-channel analysis based Trojan detection approach that is capable of detecting malicious hardware modifications in the presence of large process variation induced noise. We exploit the intrinsic relationship between dynamic current (IDDT ) and maximum operating frequency (Fmax) of a circuit to distinguish the effect of a Trojan from process induced fluctuations in IDDT . We propose a vector generation approach for IDDT measurement that can improve the Trojan detection sensitivity for arbitrary Trojan instances. Simulation results with two large circuits, a 32-bit integer execution unit (IEU) and a 128-bit Advanced Encryption System (AES) cipher, show a detection resolution of 0.04% can be achieved in presence of ±20% parameter (Vth) variations. The approach is also validated with experimental results using 120nm FPGA (Xilinx Virtex-II) chips.

Hardware Trojan Detection by Multiple-Parameter Side-Channel Analysis

Hardware Trojan attack in the form of malicious modification of a design has emerged as a major security threat. Sidechannel analysis has been investigated as an alternative to conventional logic testing to detect the presence of hardware Trojans. However, these techniques suffer from decreased sensitivity toward small Trojans, especially because of the large process variations present in modern nanometer technologies. In this paper, we propose a novel noninvasive, multiple-parameter side-channel analysisbased Trojan detection approach. We use the intrinsic relationship between dynamic current and maximum operating frequency of a circuit to isolate the effect of a Trojan circuit from process noise. We propose a vector generation approach and several design/test techniques to improve the detection sensitivity. Simulation results with two large circuits, a 32-bit integer execution unit (IEU) and a 128-bit advanced encryption standard (AES) cipher, show a detection resolution of 1.12 percent amidst ±20 percent parameter variations. The approach is also validated with experimental results. Finally, the use of a combined side-channel analysis and logic testing approach is shown to provide high overall detection coverage for hardware Trojan circuits of varying types and sizes.

An Efficient BICS Design for SEUs Detection and Correction in Semiconductor Memories

We propose a new built-in current sensor (BICS) to detect single event upsets (SEUs) in SRAM. The BICS is designed and validated for 100 nm process technology. The BICS reliability analysis is provided for process, voltage and temperature variations, and power supply noise. The BICS detects various shapes of current pulses generated due to particle strike. The BICS power consumption and area overhead are also provided. The BICS is found to be very reliable for process, voltage and temperature variations and under stringent noise conditions.

Estimation of software reliability by stratified sampling

A new approach to software reliability estimation is presented that combines operational testing with stratified sampling in order to reduce the number of program executions that must be checked manually for conformance to requirements. Automatic cluster analysis is applied to execution profiles in order to stratify captured operational executions. Experimental results are reported that suggest this approach can significantly reduce the cost of estimating reliability.

Process reliability based trojans through NBTI and HCI effects

In this paper, we introduce the notion of process reliability based trojans which reduce the reliability of integrated circuits through malicious alterations of the manufacturing process conditions. In contrast to hardware/software trojans which either alter the circuitry or functionality of the IC respectively, the process reliability trojans appear as a result of alterations in the fabrication process steps. The reduction in reliability is caused by acceleration of the wearing out mechanisms for CMOS transistors, such as Negative Bias Temperature Instability (NBTI) or Hot Carrier Injection (HCI). The minor manufacturing process changes can result in creation of infected ICs with a much shorter lifetime that are difficult to detect. Such infected ICs fail prematurely and might lead to catastrophic consequences. The paper describes possible process alterations for both NBTI and HCI mechanisms that might result in creation of process reliability trojans. The paper also explores some possible detection techniques that can help identify the hidden trojans and discusses the various scenarios when process reliability based trojans lead to severe damages.

Dynamic evaluation of hardware trust

Current research into Trojan detection suggests that exhaustive Trojan detection in a chip during limited manufacturing test time is an extremely difficult problem. Indeed, an especially nefarious form of Trojan known as the time bomb has a payload activated in a delayed manner making it extremely hard to detect. As a result, chip trust detection at manufacturing test time may not be adequate especially for critical applications. This suggests that some form of dynamic trust detection of the chip both preliminary (possibly during a preproduction phase) and during in-field use at run time is required. We explore an approach to this problem that combines multicore hardware with dynamic distributed software scheduling to determine hardware trust during in-field use at run time. Our approach involves the scheduling and execution of functionally equivalent variants (obtained by different compilations, or different algorithm variations) simultaneously on different PEs and comparing the results. The process dynamically achieves trust determination by identifying the existence of Trojans with a high level of confidence.

Node sensitivity analysis for soft errors in CMOS logic

In this paper, we introduce an approach for computing soft error susceptibility of nodes in large CMOS circuits at the transistor level. The node sensitivity depends on the electrical, logic, and timing masking. An efficient technique is developed to compute the electrical masking of nodes using characterization tables and inverse pulse propagation. We generated these tables for every logic cell of the library using Spice simulations for a 100 nm process technology. An additional technique to compute the logic masking of the transistor nodes using an automatic test pattern generation tool is described. Our results show that our approach has Spice like accuracy but it is several orders of magnitude faster than Spice. This approach can be used to analyze the vulnerability of circuits to single event upsets at the chip level. Results are provided for ISCAS85 benchmark circuits

A New Asymmetric SRAM Cell to Reduce Soft Errors and Leakage Power in FPGA

Soft errors in semiconductor memories occur due to charged particle strikes at the cell nodes. In this paper, we present a new asymmetric memory cell to increase the soft error tolerance of SRAM. At the same time, this cell can be used at the reduced supply voltage to decrease the leakage power without significantly increasing the soft error rate of SRAM. A major use of this cell is in the configuration memory of FPGA. The cell is designed using a 70nm process technology and verified using Spice simulations. Soft error tolerance results are presented and compared with standard SRAM cell and an existing increased soft error tolerance cell. Simulation results show that our cell has lowest soft error rate at the various supply voltages.