Xinmu Wang

TeSR: A robust Temporal Self-Referencing approach for Hardware Trojan detection

Malicious modification of integrated circuits, referred to as Hardware Trojans, in untrusted fabrication facility has emerged as a major security threat. Logic testing approaches are not very effective for detecting large sequential Trojans which require multiple state transitions often triggered by rare circuit events in order to activate and cause malfunction. On the other hand, side-channel analysis has emerged as an effective approach for detection of such large sequential Trojans. However, existing side-channel approaches suffer from large reduction in detection sensitivity with increasing process variations or decreasing Trojan size. In this paper, we propose TeSR, a Temporal Self-Referencing approach that compares the current signature of a chip at two different time windows to completely eliminate the effect of process noise, thus providing high detection sensitivity for Trojans of varying size. Furthermore, unlike existing approaches, it does not require golden chip instances as a reference. Simulation results for three complex designs and three representative sequential Trojan circuits demonstrate the effectiveness of the approach under large inter- and intra-die process variations.

MECCA: a robust low-overhead PUF using embedded memory array

The generation of unique keys by Integrated Circuits (IC) has important applications in areas such as Intellectual Property (IP) counter-plagiarism and embedded security integration. To this end, Physical Unclonable Functions (PUF) have been proposed to build tamperresistant hardware by exploiting random process variations. Existing PUFs suffer from increased overhead to the original design due to their specific functions for generating unique keys and/or routing constraints. In this paper, we propose a novel memory-cell based PUF (MECCA PUF), which performs authentication by exploiting the intrinsic process variations in read/write reliability of cells in static memories. The reliability of cells is characterized after manufacturing by inducing temporal failures, such as write and access failures in the cells using a programmable word line duty cycle controller. Since most modern designs already have considerable amount of embedded memory, the proposed approach incurs very little overhead (<1%) compared to existing PUF designs. Simulation results for 1000 chips with 10% inter-die variations show that the PUF provides large choice of challenge-response pairs with high uniqueness (49.9% average inter-die Hamming distance) and excellent reproducibility (0.85% average intra-die Hamming distance).

Improving IC Security Against Trojan Attacks Through Integration of Security Monitors

This paper describes using on-chip monitors to significantly improve the sensitivity of side-channel signal analysis techniques to malicious inclusions in integrated circuits known as hardware Trojans.

Sequential hardware Trojan: Side-channel aware design and placement

Various design-for-security (DFS) approaches have been proposed earlier for detection of hardware Trojans, which are malicious insertions in Integrated Circuits (ICs). In this paper, we highlight our major findings in terms of innovative Trojan design that can easily evade existing Trojan detection approaches based on functional testing or side-channel analysis. In particular, we illustrate design and placement of sequential hardware Trojans, which are rarely activated/observed and incur ultralow delay/power overhead. We provide models, examples, theoretical analysis of effectiveness, and simulation as well as measurement results of impact of these Trojans in a hardened design. It is shown that efficient design and placement of sequential Trojan would incur extremely low side-channel (power, delay) signature and hence, can easily evade both post-silicon validation and DFS (e.g. ring oscillator based) approaches.

Role of power grid in side channel attack and power-grid-aware secure design

Side-channel attack (SCA) is a method in which an attacker aims at extracting secret information from crypto chips by analyzing physical parameters (e.g. power). SCA has emerged as a serious threat to many mathematically unbreakable cryptography systems. From an attackers point of view, the difficulty of mounting SCA largely depends on Signal-to-Noise Ratio (SNR) of the side-channel information. It has been shown that SNR primarily depends on algorithmic and circuit-level implementation, measurement noise, as well as device thermal noise. However, to the best of our knowledge, there has not been any study on the effect of power delivery network (PDN) on SCA resistance. We note that the PDN plays a significant role in SNR of measured supply current. Furthermore, SCA resistance strongly depends on the operating frequency due to RLC structure of a power grid. In this paper, we analyze the effect of power grid on SCA and provide quantitative results to demonstrate the frequency-dependent SCA resistance due to PDN-induced noise. This property can potentially be exploited by an attacker to facilitate the attack by operating a device at favorable frequency points. On the other hand, from a designers perspective, one can explore countermeasures to secure the device at all operating frequencies while minimizing the design overhead. Based on this observation, we propose a frequency-dependent noise-injection based compensation technique to efficiently protect against SCA. Simulation results using realistic PDN model as well as experimental measurements using FPGA test board validate the observations on role of PDN in SCA and the efficacy of the proposed compensation approach.

IIPS: Infrastructure IP for Secure SoC Design

Security is becoming an increasingly important parameter in current system-on-chip (SoC) design due to diverse hardware security attacks that can affect manufacturers, system designers or end users. To effectively address the security issues, design-time considerations, e.g. incorporation of design-for-security (DfS) features, are becoming essential. However, DfS measures for diverse security threats require specific design modifications to achieve target security level, which significantly increases design effort thus time-to-market, and usually incurs considerable design overhead. In addition, the general heterogeneous architecture of current SoCs makes many core-level DfS mechanisms unusable at SoC level. In this paper, we propose a centralized on-chip infrastructure IP for SoC security (IIPS), which alleviates the SoC designers from separately addressing different security issues through design modifications in multiple cores. It also provides ease of integration and functional scalability. We consider a specific implementation of IIPS that provides protection against: (1) scan-based attack for information leakage through low-overhead authentication; (2) counterfeiting attacks through integration of a Physical Unclonable Function (PUF); and (3) hardware Trojan attacks through a test infrastructure fortrust validation. To make the IP amenable for plug-and-play during SoC design, working protocols of the security functions are designed to comply with IEEE 1500 Standard for Embedded Core Test (SECT). Since IIPS resides outside the functional modules, it does not incur functional performance or power overhead. Simulations and experiments on example SoC designs validate the effectiveness of IIPS in providing protections against diverse attacks at a low hardware overhead.

Software exploitable hardware Trojans in embedded processor

Growing threat of hardware Trojan attacks in untrusted foundry or design house has motivated researchers around the world to analyze the threat and develop effective countermeasures. In this paper, we focus on analyzing a specific class of hardware Trojans in embedded processor that can be enabled by software or data to leak critical information. These Trojans pose a serious threat in pervasively deployed embedded systems. An attacker can trigger these Trojans to extract valuable information from a system during field deployment. We show that an adversary can design a low-overhead hard-to-detect Trojan that can leak either secret keys stored in a processor, the code running in it, or the data being processed.

SACCI: Scan-Based Characterization Through Clock Phase Sweep for Counterfeit Chip Detection

Counterfeit chips in a supply chain have emerged as a major security concern in the semiconductor industry with serious potential consequences (such as performance degradation, revenue, and reputation loss). With rising incidences of this attack, wide-spread effort has been made in both industry and academia to develop effective countermeasures. However, existing solutions to protect against these attacks suffer from both robustness issue (in terms of detecting chips with minor functional/structural deviations) as well as design/area overhead and test cost. In addition, they cannot reliably detect different forms of cloning attacks. In this paper, we propose a novel characterization method to identify counterfeit chips - in particular, the cloned ones - based on extraction of scan path delay signatures of a chip. It uses the scan chain, a prevalent design-for-testability structure, to create a robust authentication signature. The proposed approach has two major advantages: 1) it comes at virtually zero design and hardware overhead, since it does not require any additional embedded structure; and 2) it alleviates the design house from characterizing each manufactured chip instance, thus mitigating test cost. In addition, a novel and practical method based on clock phase sweep is proposed to measure delay of short scan paths with high resolution. Using Monte Carlo simulation on the layouts of two ISCAS-89 benchmarks at 45-nm CMOS process, we observe that over 99% of counterfeit chips can be reliably identified even under large process variations. Effectiveness of the approach is also validated with delay measurements in field programmable gate array chips.

Implantable electronics: Emerging design issues and an Ultra light-weight security solution

Implantable systems that monitor biological signals require increasingly complex digital signal processing (DSP) electronics for real-time in-situ analysis and compression of the recorded signals. While it is well-known that such signal processing hardware needs to be implemented under tight area and power constraints, new design requirements emerge with their increasing complexity. Use of nanoscale technology shows tremendous benefits in implementing these advanced circuits due to dramatic improvement in integration density and power dissipation per operation. However, it also brings in new challenges such as reliability and large idle power (due to higher leakage current). Besides, programmability of the device as well as security of the recorded information are rapidly becoming major design considerations of such systems. In this paper, we analyze the emerging issues associated with the design of the DSP unit in an implantable system. Next, we propose a novel ultra light-weight solution to address the information security issue. Unlike the conventional information security approaches like data encryption, which come at large area and power overhead and hence are not amenable for resource-constrained implantable systems, we propose a multilevel key-based scrambling algorithm, which exploits the nature of the biological signal to effectively obfuscate it. Analysis of the proposed algorithm in the context of neural signal processing and its hardware implementation shows that we can achieve high level of security with ∼ 13X lower power and ∼ 5X lower area overhead than conventional cryptographic solutions.

Golden-Free Hardware Trojan Detection with High Sensitivity Under Process Noise

Malicious modification of integrated circuits in untrusted design house or foundry has emerged as a major security threat. Such modifications, popularly referred to as Hardware Trojans, are difficult to detect during manufacturing test. Sequential hardware Trojans, usually triggered by a sequence of rare events, represent a common and deadly form of Trojans that can be extremely hard to detect using logic testing approaches. Side-channel analysis has emerged as an effective approach for detection of hardware Trojans. However, existing side-channel approaches suffer from increasing process variations, which largely reduce the detection sensitivity and sets a lower limit of the sizes of Trojans detectable. In this paper, we present TeSR, a Temporal Self-Referencing approach that compares the current signature of a chip at two different time windows to isolate the Trojan effect. Since it uses a chip as a reference to itself, the method completely eliminates the effect of process noise and other design marginalities (e.g. capacitive coupling), thus providing high detection sensitivity for Trojans of varying size. Furthermore, unlike most of the existing approaches, TeSR does not require a golden reference chip instance, which may impose a major limitation. Associated test generation, test application, and signature comparison approaches aimed at maximizing Trojan detection sensitivity are also presented. Simulation results for three complex sequential designs and three representative sequential Trojan circuits demonstrate the effectiveness of the approach under large inter- and intra-die process variations. The approach is also validated with current measurement results from several Xilinx Virtex-II FPGA chips.