DETECTING HARDWARE TROJAN THROUGH HEURISTIC PARTITION AND ACTIVITY DRIVEN TEST PATTERN GENERATION
Xue Mingfu (1,2), Hu Aiqun (1), Li Guyue (1)
(1) Research Center of Information Security, College of Information Science and Engineering, Southeast University, Sipailou 2nd, 210096, Nanjing, China.
(2) School of Electrical & Electronic Engineering, Nanyang Technological University, Singapore.
[email protected], [email protected], [email protected]
Keywords: hardware security, hardware Trojan detection, heuristic partition, test pattern generation.
Abstract
Hardware Trojans have emerged as an impending security threat to many critical systems. However, detecting hardware Trojans is extremely difficult because Trojans are always triggered by rare events. Side-channel signal analysis is effective in detecting Trojans but faces the challenge of process variation and environment noise in nanotechnology. Moreover, side-channel approaches that analyze global signals cannot scale well to large circuits. This paper presents a heuristic partition and test pattern generation based localized signal analysis method for hardware Trojan detection. First, we partition the design into regions controlled by scan chains. Then a test vector ordering algorithm is used to generate optimized vectors which magnify the activity in the target region where a Trojan may be located. At last, power ports are placed in each region to measure the localized transient current anomalies for Trojan detection, while a signal calibration technique is used to eliminate the negative effect of process variation and noise. We evaluate our approach on ISCAS89 benchmark circuits and the results show that the proposed scheme can magnify the detection sensitivity in multiples from the state-of-the-art. Two further benefits of this method are that it scales well to large circuits and determines the Trojan's location.
1 Introduction
In recent years the issue of trust in integrated circuits (ICs) has become an impending problem [1,2]. Because of the globalization of the semiconductor design and fabrication process, ICs are becoming increasingly vulnerable to malicious alterations, commonly known as hardware Trojans. Hardware Trojans can make the IC design malfunction, leak confidential information, etc., and have therefore raised serious concerns in industry, government and many other critical communities. Hardware Trojan detection techniques are urgently needed to ensure trust in ICs [1,2]. However, hardware Trojan detection is extremely difficult for many reasons [1-3].
Side-channel signal analysis techniques have proven to be effective in extracting the Trojan signal by monitoring the delay, leakage power or supply current of the circuit [3,4]. However, this method is not sufficient to deal with process variation and environment noise, which can completely mask the Trojan's contribution to the circuit [1-3]. Moreover, these global signal analysis methods cannot scale well to large circuits. Therefore, a few regional activation approaches have been proposed to magnify the Trojan's contribution [5,6]. However, only a large number of random patterns is applied during detection, which ignores the pattern's effect on detection sensitivity, while in some works a computationally intense and time consuming training process is also used for pattern selection. Obviously, random patterns are blind and not good enough for Trojan detection. The authors of [7] proposed a signal calibration technique to attenuate process variation and noise. However, this method did not consider the test pattern issue. Switching activity of other components in the circuit caused by the test patterns is another important source of noise which can also mask the Trojan's anomalies in the transients, letting Trojans escape verification. This paper presents a heuristic partition and test pattern generation based localized current analysis method for hardware Trojan detection. First, we use a scan cell distribution based heuristic partition to divide the circuit into regions. We use a scan cell distribution based partition because it not only achieves a good partition but also benefits the test pattern generation. Moreover, it can easily be integrated into the existing IC design flow. Then, based on the weighted transition (WT) metric, we propose a test vector ordering algorithm (TVO) to generate optimized test patterns which introduce maximum switching activity in the measured region. These test patterns for hardware Trojan detection are generated based on the circuit's structure.
Sustained "0" patterns are applied to the other regions to keep background components silent. Lastly, power ports are placed symmetrically in each region and used for localized IDDT (transient current) analysis. A signal calibration technique is used to eliminate the effect of process variation and noise. Through this method, the Trojan's activity is greatly magnified, while background switching activity noise, process variation and environment noise are suppressed. We evaluate our scheme on ISCAS89 benchmark circuits and the results show that by applying the proposed scheme, the detection sensitivity is magnified in multiples from the state-of-the-art. Two further significant benefits are that this approach ensures the scalability of detection for large scale ICs and determines the Trojan's location.
2 Proposed Methodology
The overall flow of the proposed scheme is outlined as follows. First, a scan cell distribution based partition algorithm is used to partition the circuit into regions. After that, scan cells within the same region are connected to form scan chains. Thus, the circuit is divided into regions controlled by scan chains. Then, for each scan chain, nonfunctional test pattern generation is performed. Using a transition driven test vector ordering algorithm (TVO), both the input vectors and the corresponding response vectors are reordered to maximize switching activity in the target region. Power ports are placed in each region and a set of calibration circuits [7] is inserted during the physical design phase.
In the detection phase, first, calibration tests are performed to construct the transformation matrix T [7]. Then, the test patterns generated by the TVO procedure above are applied to the scan chains in the target region. Scan chains in other regions keep receiving sustained "0" vectors so that background switching noise stays silent. Transient currents from multiple power ports are measured and undergo a signal calibration process. At last, the calibrated localized IDDT data are analyzed for Trojan detection. The flow of our Trojan detection approach is shown in Figure 1.

Figure 1. Proposed Trojan detection flow: region-based switching activity control and localized IDDT analysis. The flowchart reads: START; perform N calibration tests by inputting a step current stimulus to each power port successively; obtain N*N calibration test data and construct the transformation matrix T; select a region of the CUA; apply the reordered test vectors to the scan chains in the target region and all-0 vectors to the other scan chains; obtain the response vectors; measure IDDT at each power port; calibrate the measured IDDT data using T; check the response vectors against those of the golden chip (no match: Trojan inserted in the selected region); check the localized IDDT percentage deviation from the golden chip (not below the threshold: Trojan inserted in the selected region); if any regions remain untested, select the next region, otherwise the CUA is determined as Trojan-free; END.

2.1 Scan cell distribution based partition
We aim at achieving a good regional activation result as long as there is no negative impact on test time and fault coverage. The partition should also be easily integrated into a standard design-for-test (DFT) flow. We divide the circuit into regions with ideally equal test power consumption. The number of regions M is limited by the available number of power ports N. A partition algorithm modified from [8] is used here, outlined in pseudo code in Algorithm 1. The partition is performed with Cadence Encounter. First, the number of cuts is calculated. Then, the physical design information of the scan cells is extracted and the connections between scan cells are removed. This physical design information is represented as horizontal and vertical coordinates, where Xmax and Ymax denote the maximum abscissa and ordinate, while Xmin and Ymin denote the minimum abscissa and ordinate. After that, a region is recursively cut into two regions with an equal number of scan cells. The cut is made either vertically or horizontally depending on which of the horizontal and vertical extents of the current region is larger. At last, scan cells within the same region are reconnected while routing congestion is optimized using Encounter. This heuristic partition ensures the scalability of our approach for large designs that are equipped with scan chains for conventional testing purposes. After partitioning, power ports are placed in the middle of each region for further localized IDDT analysis. Figure 2 shows an example of the partition and power port placement for the ISCAS89 benchmark circuit s953.
Figure 2. Partitioning of s953: (a) Before partitioning; (b) After partitioning; (c) Scan chain reorganization and power port placement (the layout marks the Scan_in and Scan_out ends of each chain and the power ports).

Algorithm 1. Scan cell distribution based partition
Inputs: A design with inserted scan chains; physical design information of scan cells; available number of power ports N.
Outputs: Partitioned design.
% Main programme
1. Calculate No.Cut = floor(log2(N)).
2. Extract the physical design information of scan cells.
3. Remove connections between scan cells.
4. Current_Region = Entire_Region.
5. CutFunction(Current_Region, No.Cut).
6. Reconnect scan cells within each region and optimize routing congestions using Encounter.
7. Save the partitioned design.
% CutFunction
1. WHILE No.Cut > 0 DO
2.   dX = Xmax - Xmin of scan cells in Current_Region;
3.   dY = Ymax - Ymin of scan cells in Current_Region;
4.   IF (dX > dY)
5.     Scan cells in Current_Region are cut by increasing order of abscissa;
6.   ELSE
7.     Scan cells in Current_Region are cut by increasing order of ordinate;
8.   Current_Region is partitioned into Region1 and Region2.
9.   CutFunction(Region1, No.Cut - 1);
10.  CutFunction(Region2, No.Cut - 1);
11. Output partition results.
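As an added illustration of Algorithm 1 (this code is not from the paper; the scan cell coordinates are constructed, and the Encounter reconnection and routing step is out of scope), the recursive bisection and the centroid placement of one power port per region from Section 2.1 can be written as follows:

```python
"""Scan cell distribution based partition (Algorithm 1), illustrative code.

Cells are (name, x, y) tuples as extracted from the physical design; here
they are constructed. Each cut splits a region into two halves with an
equal number of scan cells along the axis with the larger extent.
"""
import math


def number_of_cuts(n_power_ports):
    """No.Cut = floor(log2(N)): 2**No.Cut regions, one power port each."""
    return int(math.floor(math.log2(n_power_ports)))


def cut_function(cells, no_cut):
    """Recursive bisection; returns a list of regions (lists of cells)."""
    if no_cut <= 0 or len(cells) < 2:
        return [cells]
    xs = [c[1] for c in cells]
    ys = [c[2] for c in cells]
    delta_x = max(xs) - min(xs)
    delta_y = max(ys) - min(ys)
    # Cut by increasing abscissa if the region is wider than it is tall,
    # otherwise by increasing ordinate (ties go to the ordinate, as in the ELSE)
    if delta_x > delta_y:
        ordered = sorted(cells, key=lambda c: (c[1], c[2]))
    else:
        ordered = sorted(cells, key=lambda c: (c[2], c[1]))
    half = len(ordered) // 2
    region1, region2 = ordered[:half], ordered[half:]
    return cut_function(region1, no_cut - 1) + cut_function(region2, no_cut - 1)


def partition(cells, n_power_ports):
    """Main programme: compute No.Cut, then cut the entire region."""
    return cut_function(list(cells), number_of_cuts(n_power_ports))


def power_port_position(region):
    """Power port placed in the middle of a region (centroid, an assumption)."""
    n = len(region)
    return (sum(c[1] for c in region) / n, sum(c[2] for c in region) / n)


# Constructed layout: 16 scan cells on an 8 x 2 grid (wide, so the first cut
# is made by abscissa).
CELLS = [("ff%02d" % (8 * y + x), float(x), float(y))
         for y in range(2) for x in range(8)]


def demo(n_power_ports=4):
    """Partition CELLS and return (sorted cell names, power port) per region."""
    regions = partition(CELLS, n_power_ports)
    return [(sorted(c[0] for c in r), power_port_position(r)) for r in regions]


if __name__ == "__main__":
    for names, port in demo():
        print(names, "power port at", port)
```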
2.2 Time complexity of the proposed regional activation
In related works, for a design with M regions, all combinations of regional activation up to the largest fan-in of a logic cell, I_max, are inspected, resulting in

$$\sum_{i=1}^{I_{max}} C_{M}^{i}$$

runs of regional activation, which is rather time consuming. The given example assumes that one pattern can be applied per clock cycle at a frequency of 250 MHz without considering the length of the patterns. As input patterns are shifted through the scan chain one bit at a time, the actual authentication time will be much longer. In fact, a Trojan that is distributed across multiple nonadjacent regions is more likely to impact the path or transition delay of the design [4], and the errant timing behavior can easily be detected using path or delay based side-channel approaches. Thus it is not necessary to examine every combination of regions even though Trojans can be sparsely distributed across the design layout. We only have to consider the localized hardware Trojan which is distributed in one region or in two adjacent regions. For the same example, the authentication time is reduced to only a small fraction of the original if every region is activated independently or if two adjacent regions are activated simultaneously. This is illustrated by inserting a sequential Trojan T3 (described in Section 4) into Regions 15 and 16 of the ISCAS89 benchmark circuit s38417 after it has been clustered by Algorithm 1. We define a metric named power consumption percentage difference (PCPD) for the detection decision, as given by:

$$PCPD(x) = \frac{P_{CUA}(x) - P_{Golden}(x)}{P_{Golden}(x)} \qquad (1)$$

where P_CUA(x) is the power of region x in the CUA and P_Golden(x) is the power of region x in the golden chip. The PCPD for each run of regional activation is recorded. As expected, two PCPD peaks stand out in Regions 15 and 16, which means PCPD(15) and PCPD(16) are the highest among all the PCPDs. This is the indication that the Trojan is located in these two regions. Then, we activate Region 15 and Region 16 simultaneously. The detection results of these individual and combined regional activations are shown in Table 1. It was observed that by activating both regions simultaneously, the PCPD (0.00093746) lies in between those obtained from the independently activated Regions 15 (0.00161354) and 16 (0.00042425). The results corroborate that combined activation of multiple regions increases the background noise. The effect is similar to having a coarser partitioning, which reduces the detection sensitivity. Thus, it is only necessary to examine each region individually, even if the Trojan circuit spreads over two or more regions. This gives M cases in total. Hence, the time complexity is greatly reduced in our approach.
Table 1. Detection results of combined regional activation and individual regional activation
Regional activation             PCPD
Region 15                       0.00161354
Region 16                       0.00042425
Combined Regions 15 and 16      0.00093746

2.3 Test pattern generation for Trojan detection
Since our regional activation works under scan test mode, we need to monitor the power dissipation during scan test. During scan test, the power dissipation is highly correlated with the number of transitions in the scan chains. We use the weighted transition (WT) metric introduced in [9] to estimate the scan test power dissipated by a complete test sequence, which is given by:

$$WT = \sum (k - P_T) \qquad (2)$$

where k is the size of the scan chain and P_T is the position of a transition. We use an example to demonstrate the WT model used in our paper, as shown in Figure 3. For a test vector and an output response, the intrinsic value of P_T is opposite, and when the first bit of a test vector differs from the last bit of the previous output response vector, additional transitions are generated and propagate through the entire scan chain.

Figure 3. WT model sample: a scan chain of seven cells c1 to c7 between Scan_in and Scan_out, with input vectors V1 = 0 1 1 0 0 0 1 and V2 = 1 1 0 0 1 0 1 and output responses R1 = 0 0 1 1 0 0 1 and R2 = 0 0 0 1 0 0 1; transition positions are labelled position1 to position6.

Our test vectors for hardware Trojan detection are generated based on the WT in scan chains. We propose a TVO algorithm to generate test patterns which maximize switching activity in the target region where a Trojan may reside. The input to this procedure is a sequence of test vectors with the corresponding output responses. The output is an ordered test vector set with maximum switching activity in the target scan chains. For a given test sequence, first, we calculate the number of bit differences between each pair of bits (the rows r1 to r7 of Figure 4). Then, an undirected weighted graph is constructed, in which each vertex represents a bit and each edge represents a possible connection between two bits. The weight on each edge reflects the transitions produced by connecting these two bits together. Considering the sample test sequence shown in Figure 4(a), the constructed undirected weighted graph is shown in Figure 4(b). Then, since we need to find the test vector order that maximizes the transitions, we change all the weights to their reciprocals to make this problem equivalent to the well-known Traveling Salesman Problem (TSP). TSP is known to be NP-hard. Thus, we use a genetic algorithm based heuristic to solve the problem, in which the individuals are the possible bit orders. We use Partially Mapped Crossover (PMX) [10] and the point mutation operator [11] as the crossover operator and the mutation operator respectively. The path representation is used to represent individuals. For example, the bit order b3-b2-b4-b1-b7-b5-b6 is simply represented by (3 2 4 1 7 5 6).

Figure 4. (a) The example test sequence (seven test vectors V1 to V7 with responses R1 to R7, rows r1 to r7); (b) The weighted graph for the example test sequence (vertices r1 to r7, edge weights equal to the number of bit differences).

The bit order obtained from the above steps can now be represented by an oriented cyclic graph, as shown in Figure 5(a). After that, in order to determine which bit is to be the first bit, we evaluate the k possible solutions in terms of WT and choose the one with the highest WT, where k is the size of the scan chain. At last, test vector ordering is performed based on the obtained bit order. The result is shown in Figure 5(b), and the final test pattern is V1, V2, V3, V4, V5, V6 and V7. The bits in the red boxes indicate the transitions which propagate through the entire scan chain. This final test pattern is used only for hardware Trojan detection and thus has no impact on the real functional tests. It is obvious that the WT generated by the initial random pattern (176) is far less than the WT generated by the TVO pattern (234). Thus, the TVO pattern achieves better performance than the random pattern.

Figure 5. (a) The oriented cyclic graph; (b) The final bit order after test vector ordering.
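An added worked example of the WT model and the TVO procedure above (not the authors' C implementation). It assumes one concrete form of the WT weighting (k - PT for a vector shifted in, PT for a response shifted out, a full k for a boundary mismatch) and replaces the GA/PMX search with an exact maximum-weight cycle search, which is only feasible for the small sample sequence constructed here:

```python
"""Weighted transition (WT) scan power model and test vector ordering (TVO).

Assumed WT model: a transition after position PT of a vector shifted in
costs (k - PT); a transition in a response shifted out is weighted the
opposite way (PT); a mismatch between the last response bit and the next
vector's first bit propagates through all k cells. The exact cycle search
below stands in for the paper's GA/PMX heuristic (assumption).
"""
from itertools import permutations


def wt_of_vector(bits, k):
    """WT of one test vector shifted in: a transition at PT ripples k - PT cells."""
    return sum(k - pt for pt in range(1, k) if bits[pt - 1] != bits[pt])


def wt_of_response(bits, k):
    """WT of one response shifted out: the opposite weighting, PT."""
    return sum(pt for pt in range(1, k) if bits[pt - 1] != bits[pt])


def wt_of_sequence(order, vectors, responses):
    """Total WT of applying the vector/response rows in the given order."""
    k = len(vectors[0])
    total, prev_last = 0, None
    for i in order:
        v, r = vectors[i], responses[i]
        if prev_last is not None and v[0] != prev_last:
            total += k  # boundary transition travels through the whole chain
        total += wt_of_vector(v, k) + wt_of_response(r, k)
        prev_last = r[-1]
    return total


def hamming(a, b):
    """Number of bit differences between two rows (the graph's edge weight)."""
    return sum(x != y for x, y in zip(a, b))


def best_cycle(weights):
    """Exact maximum-weight Hamiltonian cycle with row 0 fixed (small n only)."""
    n = len(weights)
    best, best_w = None, -1
    for perm in permutations(range(1, n)):
        cyc = (0,) + perm
        w = sum(weights[cyc[i]][cyc[(i + 1) % n]] for i in range(n))
        if w > best_w:
            best, best_w = cyc, w
    return list(best)


def tvo_order(vectors, responses):
    """TVO: weighted graph -> max-weight cycle -> best starting row by WT."""
    n = len(vectors)
    rows = [v + r for v, r in zip(vectors, responses)]
    weights = [[hamming(rows[a], rows[b]) for b in range(n)] for a in range(n)]
    cyc = best_cycle(weights)
    # Choose the first row: evaluate every rotation of the cycle by its WT
    rotations = [cyc[s:] + cyc[:s] for s in range(n)]
    return max(rotations, key=lambda o: wt_of_sequence(o, vectors, responses))


# Constructed sample: the V1/R1 and V2/R2 pair of Figure 3 plus three made-up rows
VECTORS = ["0110001", "1100101", "0000100", "1010101", "0011110"]
RESPONSES = ["0011001", "0001001", "1101000", "1101001", "0100110"]


def demo():
    """Return (WT of the original order, WT of the TVO order)."""
    original = list(range(len(VECTORS)))
    ordered = tvo_order(VECTORS, RESPONSES)
    return (wt_of_sequence(original, VECTORS, RESPONSES),
            wt_of_sequence(ordered, VECTORS, RESPONSES))


if __name__ == "__main__":
    print("original WT, TVO WT:", demo())
```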
2.4 Signal calibration and localized IDDT analysis
In this work, we show that by combining the signal calibration method of [7] with our scheme, process variation, environment noise and background switching activity can be effectively suppressed. The IDDT values measured from the N power ports are used for Trojan detection, referred to as power percentage difference analysis. Each calibrated IDDT value of the CUA is compared with the corresponding IDDT value of the golden chip. If none of the N IDDT values differs significantly (i.e. beyond the user defined threshold) from the values of the golden chip, the CUA is considered Trojan-free. Otherwise, the CUA is deemed Trojan-inserted. Unlike the power ports distributed in each corner of the chip in [7], the power ports in our approach are placed in the middle of each region. This brings two advantages. First, it reduces the number of power ports required by the partition, since the available number of power ports may become a restriction on the partition. Second, placing the power ports in the middle of each region monitors the side-channel signal of that region better. If the power ports were placed in the corners of each region, the power estimation of each region might need the superposition of the currents drawn from several correlated power ports.
3 Experiment Results
We design two combinational Trojans and one sequential Trojan, inserted separately into the ISCAS89 benchmark suites. T1 has only two gates, while T2 is a 4-bit comparator and T3 is a 3-bit counter. These tiny hardware Trojans have no meaningful attack function and are only used to evaluate detection ability and sensitivity. T3 occupies only around 0.005% of the total circuit size of s38417. The outputs of T2 and T3 are left unconnected so that these hardware Trojans do not affect the circuit's normal outputs. The original designs were synthesized and scan chains were inserted using Synopsys Design Compiler with 65nm TSMC technology. The heuristic partition and layout-aware scan cell reconnection are performed with Cadence Encounter and separate programs. The test vectors and the corresponding output responses are generated by Mentor Graphics FastScan. The test vector ordering is implemented in separate C programs. Mentor Graphics ModelSim is used to analyze the switching activities. The power consumption is analyzed in Synopsys Power Compiler. The process variation is set to 1%. Figure 6 shows the hardware Trojan detection results when each region is activated separately. This approach can determine the Trojan's location, since the region with a high PCPD value is most likely the area where the Trojan was inserted. The results clearly indicate that the hardware Trojan is located at Region 1 of s5378, Region 20 of s15850, Region 15 of s35932, and Region 15 of s38417. The results also clearly show that the Trojan's contribution is greatly magnified when the region where it is located is activated (from 0.000052319 to 0.00161354 for T3 in s38417). This is because, through the proposed scheme, the sensitized paths of the test patterns are limited to the region where we measure while the background switching activity noise is kept at a low level. Thus the Trojan's anomalies are highlighted.
Table 2 presents a detailed analysis of the detection sensitivity for the Trojan-inserted benchmarks. Column 3 is the PCPD of the original side-channel method, which monitors the global signal, while Columns 4-10 are the PCPD results using our approach. The PCPD data shown in Columns 5, 7 and 10 are the maximum PCPD values achieved from the regional activation experiments, correlating to a certain region. First, the detection sensitivity of our approach is compared with the original side-channel approach that monitors global signals (Columns 5 and 7 vs. Column 3). All the patterns under regional activation magnify the Trojan's contribution and thus increase the detection sensitivity in multiples, as shown in Columns 6 and 8. Even random patterns under our partition approach magnify the Trojan's contribution by up to 26.19X (for T3 in s15850), while the proposed TVO pattern magnifies it by up to 33.66X. After calibration, this magnification reaches 37X (0.004641673/0.000125487). X denotes the magnification of detection sensitivity. The magnification can be much higher with a larger number of regions, as shown in Figure 7. Random patterns may not be good enough. Columns 5 and 7 in Table 2 also present a comparison between the proposed TVO patterns and random patterns. As shown in Column 9, the proposed TVO pattern strategy always achieves much better detection sensitivity than random patterns in all the experiments. The percentage improvement over random patterns is up to 41.05%. In Columns 7 and 10 of Table 2, the detection sensitivity achieved without signal calibration is compared with that achieved with signal calibration. For all the benchmarks, the Trojan detection sensitivity is improved by signal calibration. As expected, this calibration increases the Trojan's anomalies under the presence of process variation and noise.
4 Conclusion
Hardware Trojans constitute an emerging threat in hardware security. We have developed a partition and test pattern generation based localized signal analysis method to detect hardware Trojans. Through this approach, the switching activity in the target region and the background switching noise in the other regions are effectively controlled. Experiment results show that this scheme can magnify the hardware Trojan detection sensitivity in multiples from the state-of-the-art, and the percentage improvement of the proposed test vector ordering patterns over random patterns is up to 41.05%.
Figure 6. Hardware Trojan detection results of: (a) T2 in s5378; (b) T3 in s15850; (c) T3 in s35932; (d) T3 in s38417 (each panel plots PCPD against Region).

Figure 7. Detection results with different number of regions for T3 in s38417.

Table 2. Hardware Trojan detection sensitivity analysis of Trojan-inserted benchmarks
Columns: (1) Trojan; (2) benchmark; (3) original side-channel, global signal, PCPD; (4) M, number of regions; (5) proposed scheme, random pattern, uncalibrated PCPD; (6) magnification to side-channel; (7) TVO pattern, uncalibrated PCPD; (8) magnification to side-channel; (9) improvement to random patterns; (10) TVO pattern, calibrated PCPD.

(1)   (2)      (3)          (4)   (5)          (6)      (7)          (8)      (9)        (10)
T1    s344     0.0073668    4     0.04218686   5.73X    0.049012     6.652X   16.1784%   0.05385934
T2    s5378    0.00136347   16    0.01101983   8.08X    0.01398625   10.26X   26.9189%   0.01488831
T3    s5378    0.00069624   16    0.00902416   12.96X   0.01147122   16.48X   27.1169%   0.01260574
T3    s15850   0.00012549   32    0.00328653   26.19X   0.00422392   33.66X   28.5224%   0.00464167
T3    s35932   0.0000644    32    0.00100365   15.58X   0.0014157    21.98X   41.0549%   0.00163413
T3    s38417   0.00005232   32    0.00103124   19.71X   0.00134838   25.77X   30.7527%   0.00161354
References
[1] Rajat Subhra Chakraborty, Seetharam Narasimhan, and Swarup Bhunia, "Hardware Trojan: Threats and emerging solutions". IEEE International High Level Design Validation and Test Workshop, HLDVT 2009, Nov. 4-6, 2009, pp. 166-171.
[2] Mohammad Tehranipoor, and Farinaz Koushanfar, "A Survey of Hardware Trojan Taxonomy and Detection". IEEE Design & Test of Computers, 2010, vol. 27, no. 1, pp. 10-25.
[3] Dakshi Agrawal, Selcuk Baktir, Deniz Karakoyunlu, et al., "Trojan Detection Using IC Fingerprinting". Proc. IEEE Symp. Security and Privacy (SP 07), May 20-23, 2007, pp. 296-310.
[4] Y. Jin, and Y. Makris, "Hardware Trojan Detection Using Path Delay Fingerprint". Proc. IEEE International Workshop on Hardware-Oriented Security and Trust (HOST 08), June 9, 2008, pp. 51-57.
[5] M. Banga, and M. Hsiao, "A Region Based Approach for the Identification of Hardware Trojans". Proc. IEEE International Workshop on Hardware-Oriented Security and Trust (HOST 08), June 9, 2008, pp. 40-47.
[6] Sheng Wei, and Miodrag Potkonjak, "Scalable Hardware Trojan Diagnosis". IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 2012, vol. 20, no. 6, pp. 1049-1057.
[7] Jim Aarestad, Dhruva Acharyya, Reza Rad, et al., "Detecting Trojans Through Leakage Current Analysis Using Multiple Supply Pad IDDQs". IEEE Transactions on Information Forensics and Security, December 2010, vol. 5, no. 4, pp. 893-904.
[8] Y. Bonhomme, P. Girard, L. Guiller, et al., "Design of Routing-Constrained Low Power Scan Chains". DELTA 04, Proceedings of the Second IEEE International Workshop on Electronic Design, Test and Applications, Feb. 16-20, 2004, pp. 62-67.
[9] Y. Bonhomme, P. Girard, C. Landrault, et al., "Power Driven Chaining of Flip-flops in Scan Architectures". IEEE Int. Test Conf., 2002, pp. 796-803.
[10] Goldberg D. E., Robert Lingle Jr, "Alleles, Loci and the TSP". In Grefenstette, J. J. (ed.) Proceedings of the First International Conference on Genetic Algorithms and Their Applications, Hillsdale, New Jersey, Lawrence Erlbaum, 1985, pp. 154-159.
[11] Ambati B. K., Ambati J., and Mokhtar M. M., "Heuristic Combinatorial Optimization by Simulated Darwinian Evolution: A Polynomial Time Algorithm for the Traveling Salesman Problem". Biological Cybernetics, 1991, pp. 31-35.