Professional Documents
Culture Documents
SAT-Based Integrated Hardware Trojan Detection and Localization Approach Through Path-Delay Analysis
SAT-Based Integrated Hardware Trojan Detection and Localization Approach Through Path-Delay Analysis
8, AUGUST 2021
Abstract—With the rapid growth in IC outsourcing in the ICs in the presence of process variations [7]. Recently, authors
semiconductors industry, concerns have increased about the of [8] proposed an automated test pattern generation scheme
weakening ICs security against hardware Trojan attacks. In this to generate test vectors that are likely to activate trigger
brief, an integrated hardware Trojan detection and localization condition, and change critical paths. However, this method
methodology is presented by employing the proposed SAT-based
is solely able to detect timing anomaly of trigger-activated
test pattern generation scheme and the MUX-based debugging
technique. The experimental results show that our methodology Trojans, which is not always possible, especially for hard-to-
can effectively detect timing anomalies in the path-delays caused detect Trojans. Authors of [9] developed a learning assisted
by hardware Trojans with node coverage around 97% as well as delay-based analysis methodology to detect HTs by train-
localizing all Trojan’s gates with a localization resolution around ing a neural network for correlating the static timing data to
99.6%. Moreover, all timing error sites are successfully identified delay information obtained from clock sweeping [3]. Although
with zero False Negative and 0.56% False Positive rates. various hardware Trojan defensive approaches have recently
Index Terms—Hardware Trojan, boolean satisfiability, Trojan been introduced, the localization problem has been paid much
detection, hardware security, delay analysis, SAT. less attention than it deserves. Authors of [10] developed
a solution for detection and localization of Trojans by analyz-
ing the power consumption characteristics. Nevertheless, this
I. I NTRODUCTION approach is only able to estimate the Trojan-infected section,
resulting in a low localization resolution.
ITH the rapid growth in globalization of Integrated
W Circuits (ICs) design and fabrication processes, ICs are
becoming more vulnerable to malicious activities introduced
In this brief, an integrated methodology for Trojan
DEtection and Localization through Path-delay Analysis called
DELPA is presented by means of the proposed Satisfiability-
by Hardware Trojans (HTs) [1]. Trojans are potent yet stealthy
based (SAT-based) test pattern generation and Multiplexer-
attacks that are inserted by the untrusted entities to change
based (MUX-based) debugging technique. To the best of our
the genuine functionality, degrade performance, or steal vital
knowledge, this is one of the first attempt to integrate both
information of the chip. In recent years, there has been a sig-
Trojan detection and localization through path-delay analysis.
nificant effort in detecting various models of hardware Trojans
The main contributions of this work are as follows:
by either employing logic testing [2] or side channel-based
1) Presenting a new methodology for localizing Trojan’s
analysis approaches [2]–[5]. The side channel-based analysis
gates inserted by an untrusted foundry using MUX-
approaches are focusing on the anomaly in the circuit parame-
based debugging technique so that the problem is
ters (e.g., delay, power, and temperature) introduced by Trojans
adapted to a SAT instance and the MUXs selected by
to separate infected ICs from the golden ones [3]. The alter-
SAT engine would select which nodes are likely to be
native defensive approach is to modify the original circuit to
the possible Trojan location.
facilitate the post-silicon detection [2], [4]–[6]. Considering
2) Developing an automated SAT-based test generation
the path-delay analysis, authors of [3] introduced a clock-
scheme through path-delay analysis alongside the clock-
sweeping technique to measure path-delays so that it can
sweeping technique for measuring the genuine path-
generate signatures for each IC to distinguish Trojan-infected
delays [3].
circuits. They leveraged statistical approach which has been
3) Scaling up the proposed methodology to diagnosis
proved to be highly effective in identifying Trojan infected
multiple timing error sites caused by different parts of
Manuscript received February 4, 2021; revised March 17, 2021; accepted Trojan circuit.
April 13, 2021. Date of publication April 20, 2021; date of current version The rest of this brief is organized as follows. The basic back-
July 30, 2021. This work was supported in part by the Iran National Science ground and DELPA methodology is introduced in Section II.
Foundation (INSF) under Grant 98006098. This brief was recommended by The detection and localization phases will be further discussed
Associate Editor X. Li. (Mohammad Sabri and Ahmad Shabani contributed
equally to this work.) (Corresponding author: Bijan Alizadeh.)
in Sections III and IV. Finally, the experimental results and
The authors are with the Design, Verification, and Debugging of Embedded conclusion are provided in Sections V and VI.
Systems Laboratory, School of Electrical and Computer Engineering, College
of Engineering, University of Tehran, Tehran 14395-515, Iran (e-mail: II. PATH -D ELAY T ESTING AND
sabri@ut.ac.ir; ah.shabani@ut.ac.ir; b.alizadeh@ut.ac.ir). M EASUREMENT T ECHNIQUE
Color versions of one or more figures in this article are available at
https://doi.org/10.1109/TCSII.2021.3074549. In order to inspect anomaly in path-delays, generally two-
Digital Object Identifier 10.1109/TCSII.2021.3074549 vector sequences <V1 , V2 > are employed. By applying the
1549-7747
c 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
thorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on September 03,2021 at 12:18:49 UTC from IEEE Xplore. Restrictions app
SABRI et al.: SAT-BASED INTEGRATED HARDWARE TROJAN DETECTION AND LOCALIZATION APPROACH THROUGH PATH-DELAY ANALYSIS 2851
Fig. 2. Proposed stuck at ‘1’ and ‘0’ models to generate test pairs <V1 , V2 >.
thorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on September 03,2021 at 12:18:49 UTC from IEEE Xplore. Restrictions app
2852 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—II: EXPRESS BRIEFS, VOL. 68, NO. 8, AUGUST 2021
thorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on September 03,2021 at 12:18:49 UTC from IEEE Xplore. Restrictions app
SABRI et al.: SAT-BASED INTEGRATED HARDWARE TROJAN DETECTION AND LOCALIZATION APPROACH THROUGH PATH-DELAY ANALYSIS 2853
TABLE I
T EST PATTERN G ENERATION R ESULTS OF D IFFERENT
B ENCHMARK C IRCUITS
thorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on September 03,2021 at 12:18:49 UTC from IEEE Xplore. Restrictions app
2854 IEEE TRANSACTIONS ON CIRCUITS AND SYSTEMS—II: EXPRESS BRIEFS, VOL. 68, NO. 8, AUGUST 2021
TABLE IV
L OCALIZATION R ESOLUTION R ESULTS (NL = 3)
TABLE II
L OCALIZATION R ESOLUTION R ESULTS (#CX = 3 & NL = 1)
R EFERENCES
TABLE III [1] M. Tehranipoor and F. Koushanfar, “A survey of hardware Trojan tax-
L OCALIZATION R ESOLUTION R ESULTS (NL = 2) onomy and detection,” IEEE Design Test Comput., vol. 27, no. 1,
pp. 10–25, Jan./Feb. 2010, doi: 10.1109/MDT.2010.7.
[2] A. Shabani and B. Alizadeh, “PMTP: A MAX-SAT-based approach to
detect hardware Trojan using propagation of maximum transition prob-
ability,” IEEE Trans. Comput. Des. Integr. Circuits Syst., vol. 39, no. 1,
pp. 25–33, Jan. 2020, doi: 10.1109/TCAD.2018.2889663.
[3] K. Xiao, X. Zhang, and M. Tehranipoor, “A clock sweep-
ing technique for detecting hardware Trojans impacting circuits
delay,” IEEE Desig Test, vol. 30, no. 2, pp. 26–34, Apr. 2013,
doi: 10.1109/MDAT.2013.2249555.
[4] A. Shabani and B. Alizadeh, “Enhancing hardware trojan detec-
tion sensitivity using partition-based shuffling scheme,” IEEE Trans.
Circuits Syst. II, Exp. Briefs, vol. 68, no. 1, pp. 266–270, Jan. 2021,
doi: 10.1109/tcsii.2020.3001263.
[5] A. Shabani and B. Alizadeh, “PODEM: A low-cost property-based
design modification for detecting hardware Trojans in resource-
constraint IoT devices,” J. Netw. Comput. Appl., vol. 167, Oct. 2020,
Art. no. 102713, doi: 10.1016/j.jnca.2020.102713.
[6] A. Nejat, D. Hely, and V. Beroulle, “ESCALATION: Leveraging
logic masking to facilitate path-delay-based hardware Trojan detec-
Table II show that the LR metric of the proposed approach is tion methods,” J. Hardw. Syst. Security, vol. 2, pp. 83–96, Feb. 2018,
about 99.97%, and the FPR is about 0.08%, on average. From doi: 10.1007/s41635-018-0033-6.
[7] Y. Jin and Y. Makris, “Hardware Trojan detection using path delay fin-
the evidence, the reduction in the number of PTLs (NPTL ) is gerprint,” in Proc. IEEE Int. Workshop Hardw. Oriented Security Trust,
achieved by extracting more CXs during the detection phase, 2008, pp. 51–57, doi: 10.1109/HST.2008.4559049.
which makes the identified possible locations get closer to [8] Y. Lyu and P. Mishra, “Automated test generation for Trojan detection
the GTL, as shown in Fig. 5. We also inspect the effects of using delay-based side channel analysis,” in Proc. Design Autom. Test
multiple timing errors on localization accuracy. According to Europe Conf. Exhibition (DATE), 2020, pp. 1031–1036.
[9] A. Vakil, F. Behnia, A. Mirzaeian, H. Homayoun, N. Karimi,
Tables III and IV, as the number of timing error sites (NL ) and A. Sasan, “LASCA: Learning assisted side channel delay
increases, so does the number of PTLs, resulting in reduc- analysis for hardware Trojan detection,” 2020. [Online]. Available:
tion in localization resolution. The average number of PTLs arXiv2001.06476.
(NPTL ) is 30 and 41 for NL = 2 and NL = 3, respectively. [10] S. Wei and M. Potkonjak, “Scalable consistency-based hardware Trojan
detection and diagnosis,” Proc. 5th Int. Conf. Netw. Syst. Security, 2011,
Also, the average LR is about 99.78% and 99.14% for NL = 2 pp. 176–183, doi: 10.1109/ICNSS.2011.6059998.
and NL = 3, respectively. [11] S. Bhunia and M. M. Tehranipoor, The Hardware Trojan War: Attacks,
Myths, and Defenses. Cham, Switzerland: Springer, 2017.
[12] T. Hoque, S. Narasimhan, X. Wang, S. Mal-Sarkar, and S. Bhunia,
VI. C ONCLUSION “Golden-free hardware trojan detection with high sensitivity under pro-
cess noise,” J. Electron. Test., vol. 33, no. 1, pp. 107–124, 2017,
In this brief, an integrated methodology called doi: 10.1007/s10836-016-5632-y.
DELPA incorporating both delay-based hardware Trojan [13] L. Bushnell and V. D. Agrawal, Essentials of Electronic Testing for
detection and localization approaches was proposed. The Digital, Memory, and Mixed-Signal VLSI Circuits. New York, NY, USA:
SAT-based test pattern generation scheme alongside the Kluwer Academic Publishers, 2002.
[14] B. Alizadeh and M. Shakeri, “QBF-Based post-silicon debug of
MUX-based debugging technique was proposed. From the speed-paths under timing variations,” IEEE Trans. Circuits Syst.
experimental results, the following conclusions can be drawn. I, Reg. Papers, vol. 65, no. 12, pp. 4326–4335, Dec. 2018,
1) It localizes Trojan’s gates with zero FNR, and 0.55% FPR, doi: 10.1109/TCSI.2018.2858291.
thorized licensed use limited to: AMRITA VISHWA VIDYAPEETHAM AMRITA SCHOOL OF ENGINEERING. Downloaded on September 03,2021 at 12:18:49 UTC from IEEE Xplore. Restrictions app