2.1 Field of the Invention
The present invention concerns detecting Trojans in an integrated circuit (IC).
2.2 Background Information
The globalization of IC design flow may create opportunities for rogue elements within the supply chain to corrupt IC design. (See, e.g., the article Defense Science Board Task Force, “High Performance Microchip Supply,” available online at acq.osd.mil/dsb/reports/ADA435563.pdf, (February 2005), incorporated herein by reference.) An IC may be corrupted by introducing a deliberate and malicious change, known as a “Trojan,” to the IC design. It may be possible for an attacker to gain access to and control a target IC at any time in its life with the help of the Trojan. To establish trust during fabrication, trusted foundries may be used for fabrication. (See, e.g., the article Trusted Foundry Program, “Accredited Suppliers,” available online at dmea.osd.mil/otherdocs/accreditedsuppliers.pdf, (February 2012), incorporated herein by reference.) However, using accredited foundries may not be economically feasible and may go against the trend of globalization in IC design and fabrication. In an alternate approach to establish trust, the design of the IC is typically hardened before fabrication by inserting Design-For-Trust (DFTr) infrastructure, and the trustworthiness of the fabricated IC may be verified using the inserted infrastructure.
One DFTr technique to detect Trojans in an IC creates an identity for a design of the IC. Any alteration in the IC design should change this identity. A design's circuit path delays may be used as an identity of that IC design. DFTr techniques based on path delay measurement (See, e.g., the article Y. Jin and Y. Makris, “Hardware Trojan Detection Using Path Delay Fingerprint,” IEEE International Workshop on Hardware-Oriented Security and Trust, pp. 51-57, (June 2008), incorporated herein by reference.) and on power consumption have been proposed. Most DFTr techniques detect Trojans by analyzing the power sidechannel. Based on the assumption that Trojans consume additional power, measurement of IC power dissipation may be used to detect Trojans. (See, e.g., the article D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, and B. Sunar, “Trojan Detection Using IC Fingerprinting,” IEEE Symposium on Security and Privacy, pp. 296-310, (May 2007), incorporated herein by reference.) The power consumed in specific parts of the chip may be measured by increasing the switching activity in those parts. Input patterns may be designed to increase switching activity in the targeted region, thereby increasing or maximizing the power consumption of that targeted region. (See, e.g., the article M. Banga and M. Hsiao, “A Novel Sustained Vector Technique for the Detection of Hardware Trojans,” IEEE International Conference on VLSI Design, pp. 327-332, (January 2009), incorporated herein by reference.) Statistical techniques may be used to overcome the effect of process variations. (See, e.g., the article R. M. Rad, X. Wang, M. Tehranipoor, and J. Plusquellic, “Power Supply Signal Calibration Techniques for Improving Detection Resolution To Hardware Trojans,” IEEE/ACM International Conference on Computer-Aided Design, pp. 632-639, (2008), incorporated herein by reference.)
Since Trojan circuits draw extra current from the power supply, measurement of the current flowing through power ports of the chip may also detect Trojans. (See, e.g., the article X. Wang, H. Salmani, M. Tehranipoor, and J. Plusquellic, “Hardware Trojan Detection and Isolation Using Current Integration and Localized Current Analysis,” IEEE International Symposium on Defect and Fault Tolerance of VLSI Systems, pp. 87-95, (October 2008), incorporated herein by reference.) However, power-analysis-based Trojan detection methods may become less effective when the Trojans are power-gated. It may be useful to develop a technique that detects Trojans even if they are power-gated.
Trojans may also be detected by activating them and observing their malicious responses. (See, e.g., the articles S. Jha and S. Jha, “Randomization Based Probabilistic Approach to Detect Trojan Circuits,” IEEE High Assurance Systems Engineering Symposium, pp. 117-124, (December 2008); and H. Salmani, M. Tehranipoor, and J. Plusquellic, “New Design Strategy for Improving Hardware Trojan Detection and Reducing Trojan Activation Time,” IEEE International Workshop on Hardware-Oriented Security and Trust, pp. 66-73, (July 2009), both incorporated herein by reference.) Since Trojans are likely to be inserted at the hard-to-excite nodes (gate inputs or outputs) in a design, applying input patterns and making the hard-to-excite nodes easily testable may be another approach to detect Trojans. (See, e.g., the article H. Salmani, M. Tehranipoor, and J. Plusquellic, “New Design Strategy for Improving Hardware Trojan Detection and Reducing Trojan Activation Time,” IEEE International Workshop on Hardware-Oriented Security and Trust, pp. 66-73, (July 2009).) However, this method addresses only Trojans that are inserted at hard-to-excite nodes, and Trojans can also be inserted at other places in a circuit.
Trojans may also be detected based on their impact on path delays. In path delay DFTr techniques, test patterns are generated to excite the paths in the design and statistical techniques are applied to overcome the effect of process variations. (See, e.g., the article Y. Jin and Y. Makris, “Hardware Trojan Detection Using Path Delay Fingerprint,” IEEE International Workshop on Hardware-Oriented Security and Trust, pp. 51-57, (June 2008).) Operating the IC at or above its critical speed and checking for violations in its behavior may be another technique used to detect Trojans. (See, e.g., the article J. Li and J. Lach, “At-Speed Delay Characterization for IC Authentication and Trojan Horse Detection,” IEEE International Workshop on Hardware-Oriented Security and Trust, pp. 8-14, (June 2008), incorporated herein by reference.) Since the inserted Trojans might impact at least one of the sidechannels, measuring multiple sidechannels can detect Trojans. (See, e.g., the article S. Narasimhan, D. Dongdong, R. Chakraborty, S. Paul, F. Wolff, C. Papachristou, K. Roy, and S. Bhunia, “Multiple-Parameter Side-Channel Analysis: A Non-Invasive Hardware Trojan Detection Approach,” IEEE International Symposium on Hardware-Oriented Security and Trust, pp. 13-18, (June 2010), incorporated herein by reference.) Because of process variations in fabrication, the delay of a given path may vary from one IC to another. If the delay variation due to process variations is larger than the delay added by a Trojan, the path delay based DFTr technique might not detect the Trojan.
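The masking effect described above can be seen in a small simulation, added here as an illustration and not taken from the cited articles or from the invention. It assumes Gaussian process variation, a set of known-good reference ICs, a 3-sigma decision rule, and constructed path delays in picoseconds; all function names are hypothetical.

```python
import random
import statistics

NOMINAL_PS = [800.0, 950.0, 1100.0, 1240.0]  # constructed nominal path delays (ps)

def measure_chip(sigma_ps, trojan_ps, rng):
    """Delay of each path on one die: nominal + process variation (+ Trojan load)."""
    return [d + rng.gauss(0.0, sigma_ps) + trojan_ps.get(i, 0.0)
            for i, d in enumerate(NOMINAL_PS)]

def build_fingerprint(golden_chips):
    """Per-path (mean, standard deviation) over the known-good dies."""
    return [(statistics.mean(p), statistics.stdev(p)) for p in zip(*golden_chips)]

def is_flagged(chip, fingerprint, k=3.0):
    """Flag a die if any path deviates more than k sigma from the golden mean."""
    return any(abs(d - mu) > k * sd for d, (mu, sd) in zip(chip, fingerprint))

def detection_rate(trojan_extra_ps, sigma_ps, trials=200, seed=1):
    """Fraction of Trojan-bearing dies flagged; the Trojan loads path index 2."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    golden = [measure_chip(sigma_ps, {}, rng) for _ in range(100)]
    fingerprint = build_fingerprint(golden)
    trojan = {2: trojan_extra_ps}
    hits = sum(is_flagged(measure_chip(sigma_ps, trojan, rng), fingerprint)
               for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    # Same 60 ps Trojan delay, tight versus loose process variation.
    for sigma in (5.0, 40.0):
        rate = detection_rate(60.0, sigma)
        print(f"sigma={sigma:5.1f} ps  Trojan=+60 ps  flagged={rate:.0%}")
    # Clean dies under the same rule: the false-alarm rate of the threshold.
    print(f"clean dies flagged={detection_rate(0.0, 20.0):.0%}")
```

With tight variation the 60 ps shift sits far outside the golden distribution and nearly every die is flagged; with 40 ps variation the same shift is about 1.5 sigma and most Trojan-bearing dies pass.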
Typically, each Trojan activation method assumes a model for every Trojan that it targets. In reality, however, the intentions of an attacker, as well as their Trojans, may not be modeled. Further, most of the current Trojan detection models typically assume that Trojans are inserted in all the fabricated ICs of a system.
In view of the foregoing, it would be useful to improve the DFTr techniques. It would be useful to support a non-invasive DFTr technique (for example, a technique that does not involve delayering or peeling of the IC chip) that is practical in terms of Trojan detection capabilities, hardware overhead and test cost, and that can detect Trojans in the presence of process variations and measurement errors. It would be useful to provide a DFTr technique that does not assume any Trojan model and can detect Trojans inserted not only in all the ICs but also in a subset of the ICs.