
Analog Hardware Trojan

When the time came for the final project in EE 330, my lab partner and I chose the
Analog Hardware Trojan. We wanted a challenging project, and the idea was interesting.
Software Trojans have been an issue for several years, but the recent development has been the
idea that as chips become smaller and more complex, it becomes easier for a person to hide
malicious intent in their part of the hardware design.

Despite their complexity, devices still use some basic, well-known circuits for simple
tasks, such as power or clock signals. These circuits have one or two well-known solutions to
how they operate, but since the components used are nonlinear, they could have possibly infinite
solutions. The idea of the Hardware Trojan is that someone could hide additional circuitry to
force these secondary solutions via an external command signal, and cause the device to operate
in some way other than intended.

We were given a three-inverter Phase Locked Loop pair to test this theory of secondary
modes. The first step was to build and test the base circuit in Cadence, with loose coupling
between the two loops. We began testing the secondary modes theory by connecting an NMOS
transistor between the first stage and second stage of each loop respectively, with a pulse
generator on the gate to act as a momentary switch, which would pull the two rings 120 degrees
out of phase. We tried other ideas, but this seemed the most promising.

When the pulse on the NMOS was timed to start near when the loop one output was at its
negative peak, we noticed strange waveforms would appear on both outputs with a phase
difference between the two. These strange secondary waveforms would also be more stable when
the pulse width matched the period of the oscillations. Finding a stable secondary mode was only
the first step.

Figure 1 Secondary Operational Mode

The main idea of Analog Hardware Trojans is that this secondary mode could be
activated and deactivated externally at any time. To allow this, we took the voltage levels at each
node in each loop for the secondary solution, and set sources in our simulation to these voltages
through PMOS devices controlled by a pulse. This allowed us to start the secondary mode at any
time without knowing where the outputs were in their oscillations. Stopping this mode was
simple: we momentarily connected a single node to ground, sending the loops back to normal
operation.

Figure 2 Nearly Final Circuit, missing grounding transistor

This is only one example of the many ways someone could compromise the integrity of a
device through hidden circuit components. The scope of this project was to show how a device
could potentially be forced into another mode; the actual methods of sending activate and
deactivate signals were beyond the scope and time scale of the project, but could be implemented
in any number of ways.
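
Because the secondary mode described above shows up as a phase difference between the two loop outputs, a verification testbench can watch for it. The following is an added example, not part of the original report: it measures the phase of loop 2 relative to loop 1 from sampled waveforms and raises an alarm when the offset leaves an expected window. The in-phase normal mode (`expected_deg=0`), the 15 degree tolerance, and the `ring_output` test waveform are assumptions made for illustration.

```python
import math

def rising_crossings(samples, mid):
    """Fractional sample indices where the signal rises through `mid`."""
    out = []
    for i in range(1, len(samples)):
        a, b = samples[i - 1] - mid, samples[i] - mid
        if a < 0 <= b:
            out.append(i - 1 + (-a) / (b - a))  # linear interpolation
    return out

def fundamental_phase(samples, period):
    """Phase in radians of the component with this period (one-bin DFT)."""
    n = int(len(samples) // period * period)  # use whole cycles only
    seg = samples[:n]
    mean = sum(seg) / n
    w = 2 * math.pi / period
    re = sum((v - mean) * math.cos(w * k) for k, v in enumerate(seg))
    im = sum((v - mean) * math.sin(w * k) for k, v in enumerate(seg))
    return math.atan2(-im, re)

def wrap_deg(d):
    """Wrap an angle in degrees to [-180, 180)."""
    return (d + 180.0) % 360.0 - 180.0

def phase_offset_deg(out1, out2):
    """Phase of out2 relative to out1 at loop 1's measured frequency."""
    mid = (max(out1) + min(out1)) / 2
    xs = rising_crossings(out1, mid)
    if len(xs) < 3:
        raise ValueError("need at least two full cycles of loop 1")
    period = (xs[-1] - xs[0]) / (len(xs) - 1)
    p1, p2 = fundamental_phase(out1, period), fundamental_phase(out2, period)
    return wrap_deg(math.degrees(p2 - p1))

def check_lock(out1, out2, expected_deg=0.0, tol_deg=15.0):
    """Return (offset_deg, alarm). expected_deg and tol_deg are assumed values."""
    off = phase_offset_deg(out1, out2)
    return off, abs(wrap_deg(off - expected_deg)) > tol_deg

def ring_output(phase_deg, cycles=8, period=50.0, vdd=1.8):
    """Constructed stand-in waveform, not data from the report's simulation."""
    ph = math.radians(phase_deg)
    return [vdd / 2 * (1 + math.tanh(3 * math.sin(2 * math.pi * k / period + ph)))
            for k in range(int(cycles * period))]

if __name__ == "__main__":
    ref = ring_output(20)
    print(check_lock(ref, ring_output(20)))   # normal mode (assumed in phase)
    print(check_lock(ref, ring_output(140)))  # loops 120 degrees apart
```

In practice the two sample lists would come from exported transient-simulation data or from scope captures of the loop outputs, sampled at the same rate.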
