Kan Xiao

Hardware Trojans: Lessons Learned after One Decade of Research

Given the increasing complexity of modern electronics and the cost of fabrication, entities from around the globe have become more heavily involved in all phases of the electronics supply chain. In this environment, hardware Trojans (i.e., malicious modifications or inclusions made by untrusted third parties) pose major security concerns, especially for those integrated circuits (ICs) and systems used in critical applications and cyber infrastructure. While hardware Trojans have been explored significantly in academia over the last decade, there remains room for improvement. In this article, we examine the research on hardware Trojans from the last decade and attempt to capture the lessons learned. A comprehensive adversarial model taxonomy is introduced and used to examine the current state of the art. Then the past countermeasures and publication trends are categorized based on the adversarial model and topic. Through this analysis, we identify what has been covered and the important problems that are underinvestigated. We also identify the most critical lessons for those new to the field and suggest a roadmap for future hardware Trojan research.

BISA: Built-in self-authentication for preventing hardware Trojan insertion

Hardware Trojans have become a significant threat to government agencies and enterprises that require security and trustworthiness in systems with critical applications. Detecting hardware Trojans is very challenging because of the diversity of Trojans and unpredictable process variations during fabrication. In this paper, we propose a novel technique, called built-in self-authentication (BISA), that can fill unused spaces in a circuit layout by functional filler cells instead of non-functional filler cells. All functional filler cells will be tested by BISA itself and a digital signature would be generated. Any modification on BISA will result in a different signature. Thus, BISA can be used to prevent Trojan insertion or make Trojan insertion extremely difficult. BISA can be applied to any single-module or bottom-up hierarchical design, and we evaluate it on different circuits to demonstrate the effective of this technique.

Path-delay fingerprinting for identification of recovered ICs

The counterfeiting of integrated circuits (ICs) has been on the rise over the past decade, impacting the security and reliability of electronic systems. Reports show that recovered ICs contribute to about 80% of all counterfeit ICs in the market today. Such ICs are recovered from scrapped boards of used devices. Identification of such counterfeit ICs is a great challenge since these ICs have an identical appearance, functionality, and package as fresh ICs. In this paper, a novel path-delay fingerprinting technique is proposed to distinguish recovered ICs from fresh ICs. Due to degradation in the field, the path delay distribution of recovered ICs will become different from that found in fresh ICs. Statistical data analysis can effectively separate the impact of process variations from aging effects on path delay. Simulation results of benchmark circuits using 45 nm technology demonstrate the efficiency of this technique for recovered IC identification.

Bit selection algorithm suitable for high-volume production of SRAM-PUF

Physically Unclonable Functions (PUFs) are impacted by environmental variations and aging which can reduce their acceptance in identification and authentication applications. Prior approaches to improve PUF reliability include bit analysis across environmental conditions, better design, and post-processing error correction, but these are of high cost in terms of test time and design overheads, making them unsuitable for high volume production. In this paper, we aim to address this issue for SRAM PUFs with novel bit analysis and bit selection algorithms. Our analysis of real SRAM PUFs reveals (i) critical conditions on which to select stable SRAM cells for PUF at low-cost (ii) unexplored spatial correlation between stable bits, i.e., cells that are the most stable tend to be surrounded by stable cells determined during enrollment. We develop a bit selection procedure around these observations that produces very stable bits for the PUF generated ID/key. Experimental data from real SRAM PUFs show that our approaches can effectively reduce number of errors in PUF IDs/keys with fewer enrollment steps.

Efficient and secure split manufacturing via obfuscated built-in self-authentication

The threats of reverse-engineering, IP piracy, and hardware Trojan insertion in the semiconductor supply chain are greater today than ever before. Split manufacturing has emerged as a viable approach to protect integrated circuits (ICs) fabricated in untrusted foundries, but has high cost and/or high performance overhead. Furthermore, split manufacturing cannot fully prevent untargeted hardware Trojan insertions. In this paper, we propose to insert additional functional circuitry called obfuscated built-in self-authentication (OBISA) in the chip layout with split manufacturing process, in order to prevent reverse-engineering and further prevent hardware Trojan insertion. Self-tests are performed to authenticate the trustworthiness of the OBISA circuitry. The OBISA circuit is connected to original design in order to increase the strength of obfuscation, thereby allowing a higher layer split and lower overall cost. Additional fan-outs are created in OBISA circuitry to improve obfuscation without losing testability. Our proposed gating mechanism and net selection method can ensure negligible overhead in terms of area, timing, and dynamic power. Experimental results demonstrate the effectiveness of the proposed technique in several benchmark circuits.

A Novel Built-In Self-Authentication Technique to Prevent Inserting Hardware Trojans

With the rapid globalization of the semiconductor industry, hardware Trojans have become a significant threat to government agencies and enterprises that require secure and reliable systems for their critical applications. Because of the diversity of hardware Trojans and the randomness associated with process variations, hardware Trojan detection is a challenging problem. In this paper, we propose a novel technique, called built-in self-authentication (BISA), which can be used to make hardware Trojan insertion by untrusted Graphic Data System (GDSII) developer and untrusted foundry considerably more difficult and easier to detect. The unused spaces in the circuit layout represent the best opportunity to insert Trojans by these entities. BISA works by eliminating this spare space and filling it with functional filler cells, instead of nonfunctional filler cells. A self-testing procedure generates a digital signature that will be different if any BISA cells are changed because of hardware Trojan insertion. We demonstrate that BISA can be applied to any flat or bottom-up hierarchical design with negligible overhead in terms of area, power, and timing.

DRAM based Intrinsic Physical Unclonable Functions for System Level Security

Physical Unclonable Functions (PUF) are the result of random uncontrollable variables in the manufacturing process. A PUF can be used as a source of random but reliable data for applications such as generating chip identification and encryption keys. Among various types of PUFs, an intrinsic PUF is the result of a preexisting manufacturing process, does not require any additional circuitry, and is cost effective. In this paper, we introduce an intrinsic PUF based on dynamic random access memories (DRAM). DRAM PUFs can be used in low cost identification applications and also have several advantages over other PUFs such as large input patterns. The DRAM PUF relies on the fact that the capacitor in the DRAM initializes to random values at startup. We demonstrate real DRAM PUFs and describe an experimental setup to test different operating conditions on three DRAMs to achieve the highest reliable results. Finally, we select the most stable bits to use as chip ID using our enrollment algorithm.

TI-TRNG: Technology Independent True Random Number Generator

True random number generators (TRNGs) are needed for a variety of security applications and protocols. The quality (randomness) of TRNGs depends on sensitivity to random noise, environmental conditions, and aging. Random sources of noise improve TRNG quality. In older or more mature technologies, the random sources are limited resulting in low TRNG quality. Prior work has also shown that attackers can manipulate voltage supply and temperature to bias the TRNG output. In this paper, we propose bias detection mechanisms and a technology independent TRNG (TI-TRNG) architecture. The TI-TRNG enhances power supply noise for older technologies and uses a self-calibration mechanism that reduces bias in TRNG output due to aging and attacks. Experiment results on 130nm, 90nm, and 45nm FPGAs demonstrate the quality of random sequences from the TI-TRNG across aging and different environmental conditions.

A study on the effectiveness of Trojan detection techniques using a red team blue team approach

As part of the Embedded Systems Challenge, we assess the effectiveness of Trojan detection techniques. The red team inserted different types of Trojans - combinational, sequential, reliability degrading, and performance degrading - into selected variants of a target design; the other variants are Trojan-free. The blue team has to correctly classify the Trojan-free and Trojan-infected variants. Seven different teams from six different universities performed the blue team activity using different types of Trojan-detection techniques, namely activation-based detection, and power- and delay-based side-channels.

Security Rule Checking in IC Design

The Design Security Rule Check (DSeRC) framework is a first step toward automating the analysis of integrated circuit design vulnerabilities. By mathematically modeling vulnerabilities at each abstraction level and associating them with metrics and rules, DSeRC aims to help designers quantitatively assess potential problems early on, improving security and reducing design costs.