More and more integrated circuit (IC) design houses are outsourcing fabrication to untrusted foundries and incorporating third-party intellectual property (IP) cores into their designs. While this global business model and design reuse help keep costs low and reduce time-to-market pressure, they have also introduced significant vulnerabilities such as malicious modifications to ICs, also known as hardware Trojans. Hardware Trojans can change IC functionality, reduce IC reliability, leak valuable information from the IC, and even cause denial of service. Depending on the applications, the consequences of hardware Trojans range from loss of profit if used in consumer-electronic devices to life-threatening if used in military devices.
There has been a great deal of interest from government and industry to detect hardware Trojans. Detection approaches have been proposed at all three stages of the IC lifecycle: design-time, test-time, and run-time.Test-time approaches are the most widely investigated. They consist of additional tests that take place after conventional post-manufacturing testing. There are two types. Logic-based schemes develop directed test patterns that activate Trojan payloads in order to detect errors in the output. Side Channel-based approaches measure physical parameters, such as power consumption and path delay, of suspect ICs, and compares them with expected parameters of a “golden” model or Trojan-free IC. Run-time Monitoring approaches monitor for unexpected changes in logical and side-channel behavior to detect Trojans, but do so after the IC has been deployed. Design-for-Trust (DFT) are design-time strategies that aid test-time approaches. Examples include use scan flip-flops to increase the probability of Trojan activation and enhance side channel analysis. Since the above schemes have their own unique advantages and disadvantages, some have suggested an integrated approach that utilizes all of them to provide more comprehensive coverage of Trojans.
In our work, we have proposed novel approaches for hardware Trojan detection and prevention that are capable of handling Trojans inserted by untrusted third party IP (3PIP), SoC integrators, and foundries. We have also developed tools for hardware Trojan benchmark generation and analysis:
- Hardware Trojan Benchmarking: Research in the field of hardware Trojans has seen significant growth in the past decade. However, standard benchmarks to evaluate hardware Trojans and their detection are lacking. To this end, we have developed a suite of Trojans, Trojan insertion tools, and ‘trust benchmarks’ (i.e., benchmark circuits with a hardware Trojan inserted in them) that can be used by researchers in the community to compare and contrast various Trojan detection techniques. All tools and benchmarks are made publicly available on Trust-HUB.org.
- Built-In Self Authentication (BISA) and Obfuscated BISA for Hardware Trojan Prevention: One of the best opportunities to insert hardware Trojans rests in the hands of untrusted GDSII developers and foundries. Put simply, they can easily add the gates making up a hardware Trojan into unused spaces in the design that are often filled with non-functional cells. In our work, we have proposed a novel approach that fills all unused spaces of a design with functional cells and authentication circuitry. Post-fabrication, the inserted circuity (called BISA) can be challenged by random numbers. If the expected response is received, we can assume that the BISA circuitry has not been replaced. Without the unused space, it is more difficult for an attacker to add additional circuitry to the original design. Obfuscated BISA (OBISA) combines BISA with split manufacturing and optimizes both techniques so that they complement and improve security against their independent vulnerabilities – IP piracy, cloning, and redesign attacks for BISA and untargeted Trojan insertion for split manufacturing. Our OBISA flows provide dramatic improvements to popular security metrics (k-security and sensitivity to proximity attacks) and performance metrics (area, power, and delay).
- Information Flow Verification for Trojan Detection/Mitigation: To lower R&D cost and speed up the development cycle, SoC design houses typically purchase most of the IP cores from third-party (3P) vendors. A Trojan inserted by a malicious 3PIP vendor can create backdoors in the design through which sensitive information can be leaked and other possible attacks (e.g., denial of service, reduction in reliability, etc.) can be performed. We have developed an approach that detects Trojans which cause violations of information flow policies (confidentiality and integrity) without the need for a golden model. Our framework modified assets as faults and leverages partial-scan automatic test pattern generation (ATPG) algorithms to identify observe/control points through/from which an asset can be leaked/influenced. Experimental results on 18 benchmarks show the proposed framework has lower false positives and false negatives than alternative approaches based on formal methods, GLIFT, proof carrying code, and commercial tools (e.g., Jasper). Our framework can also be used to analyze information flow violations unintentionally introduced by designer mistakes and CAD tools. We have demonstrated detection of FSM vulnerabilities using the proposed tools and developed low-cost mitigation techniques.
- Temperature Tracking for Online Trojan Detection: While the majority of existing detection approaches occur at test-time, effective run-time detection would also be helpful whether on its own or in collaboration with test-time approaches. First, Trojans may be well-hidden and inactive during test-time, making them difficult to detect. Trojan activation during run-time can create large deviations in IC behavior that are more detectable. Second, inactive Trojans perform essentially the same functionality as Trojan-free ICs. Thus, in many cases, it is okay if a Trojan-inserted IC is deployed as long as its Trojan remains inactive. In our work, we have developed a novel temperature tracking approach that can exploit thermal sensors available in many modern systems for dynamic thermal management. A Kalman filter (KF) is used to track the chip temperature and detect any changes in power/temperature caused by Trojan activation. Our overall methodology represents a radical shift from conventional schemes which have focused primarily on post-fabrication testing and might miss inactive/dormant Trojans.
- Reverse Engineering to Identify “Golden” Chips: Among the approaches for Trojan detection, test-time approaches have drawn the greatest attention. While most assume the existence of a “golden model”, little if any work has discussed how to obtain it. Prior works suggest using reverse-engineering to identify Trojan-free ICs for the golden model but they did not state how to do this efficiently. In our work, we have investigated innovative and robust reverse engineering approaches to identify Trojan-free ICs. We adapt well-known machine learning methods to identify outlying sources of variation and then classify ICs as Trojan-free or Trojan inserted. Simulation results show that our approaches can easily identify parametric Trojans that would elude naive reverse engineering approaches.
Current and Past Project Sponsors
We are thankful for the support provided by the following government agencies and companies:
Our Conference and Journal Papers
NOTE: This directory contains pdf/ps files of articles that may be covered by copyright. You may browse the articles at your convenience, in the same spirit as you may read a journal or a proceedings article in a public library. Retrieving, copying, or distributing these files may violate copyright protection laws.
Hardware Trojan Surveys
- Q. Shi, D. Forte, M. Tehranipoor, “Deterrent Approaches Against Hardware Trojan Insertion,” in The Hardware Trojan War: Attacks, Myths, and Defenses, Swarup Bhunia and Mark M. Tehranipoor, Springer, 2018. [link]
- B. Shakya, T. He, H. Salmani, D. Forte, S. Bhunia, M. Tehranipoor, “Benchmarking of Hardware Trojans and Maliciously Affected Circuits”, Journal of Hardware and Systems Security (HaSS), April 2017. [link]
- K. Xiao, D. Forte, Y. Jin, R. Karri, S. Bhunia, M. Tehranipoor, “Hardware Trojans: Lessons Learned After One Decade of Research”, ACM Transactions on Design Automation of Electronic Systems (TODAES), Vol. 22, No. 1, June 2016. [link] [2018 ACM TODAES Best Paper, ACM Computing Reviews Notable Computing Books and Articles 2016, Hardware Category]
Hardware Trojan Detection
- J. Wu, F. Fowze, D. Forte, “EXERT: EXhaustive IntEgRiTy Analysis for Information Flow Security” to appear IEEE Asian Hardware-Oriented Security and Trust (AsianHOST), December 2022. [pdf]
- A. Nahiyan, M. Sadi, R. Vittal, G. Contreras, D. Forte, M.Tehranipoor, “Hardware Trojan Detection through Information Flow Security Verification,” IEEE International Test Conference (ITC), Oct. 2017. [pdf]
- C. Bao, D. Forte, A. Srivastava, “On Reverse Engineering-Based Hardware Trojan Detection,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD), Vol. 34, No. 10, Jan. 2016. [link]
- C. Bao, D. Forte, A. Srivastava, “Temperature Tracking: Towards Robust Run-time Detection of Hardware Trojans,” IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD), Vol. 34, No. 10, October 2015. [link]
- N. Karimian, F. Tehranipoor, M.T. Rahman, D. Forte, “Genetic Algorithm for Hardware Trojan Detection with Ring Oscillator Network (RON)” IEEE International Conference on Technologies for Homeland Security (HST), April 2015. [pdf]
- C. Bao, D. Forte, A. Srivastava, “On Application of One-class SVM to Reverse Engineering-Based Hardware Trojan Detection”, International Symposium on Quality Electronic Design (ISQED), March 2014. [pdf]
- D. Forte, C. Bao, A. Srivastava, “Temperature Tracking: An Innovative Run-Time Approach for Hardware Trojan Detection”, IEEE/ACM International Conference on Computer-Aided Design (ICCAD), November 2013. [pdf]
Hardware Trojan Prevention
- Q. Shi, M. Tehranipoor, D. Forte, “Obfuscated Built-In Self-Authentication with Secure and Efficient Wire-Lifting”, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD), 2018. [link]
- Q. Shi, K. Xiao, D. Forte, M. Tehranipoor, “Securing Split Manufactured ICs with Wire Lifting Obfuscated Built-In Self-Authentication”, GLSVLSI, May 2017. [link]
- A. Nahiyan, K. Xiao, K. Yang, Y. Jin, D. Forte, M. Tehranipoor, “AVFSM: A Framework for Identifying and Mitigating Vulnerabilities in FSMs”, Design Automation Conference (DAC) 2016, June 2016. [link]
- K. Xiao, D. Forte, M. Tehranipoor, “Efficient and Secure Split Manufacturing via Obfuscated Built-In Self-Authentication,” Hardware-Oriented Security and Trust (HOST) 2015, May 2015. [pdf] [HOST 2015 Best Paper Award]
- K. Xiao, D. Forte, M. Tehranipoor, “A Novel Built-In Self Authentication Technique to Prevent Inserting Hardware Trojans”, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (TCAD), Vol. 33, No. 12, Dec. 2014. [link]
Hardware Trojan Anatomy and Insertion
- M. Alam, A. Nahiyan, M. Sadi, D. Forte, M. Tehranipoor, “Soft-HaT: Software-based Silicon Reprogramming for Hardware Trojan Implementation,” ACM Transactions on Design Automation of Electronic Systems (TODAES), Vol. 25, No. 4, June 2020. [link]