
EqSA: A Golden-IC Free Equal Power Self-Authentication for Hardware Trojan Detection

Fakir Sharif Hossain, Mohammed Abdul Kader
Department of EEE, International Islamic University Chittagong (IIUC), Bangladesh

Tomokazu Yoneda
Graduate School of Information Science, Nara Institute of Science and Technology (NAIST), Japan

Outline

 Hardware Trojans (HT)


 Background
• HT detection
• Related works
 Proposed method
• EqSA: Equal-power Self-Authentication
 Experimental results
 Conclusion

slide 2
Introduction Background Method Evaluation Results Conclusion

Hardware Trojan (HT)


 A malicious addition or modification to the existing circuit
elements.
[Figure: Design of IC, Outsourcing, Fabrication of IC, Intentional modification by manufacturer, IC with HT, Handover to designer]

Criterion | Fault | HT
Activation | Known functional state | Arbitrary
Insertion | Accidental | Intentional
Manifestation | Functional/parametric | Both + Leak info.
slide 3

HT - Back Door

What can an HT do?
 Modify Functionality
 Leak Information
 Denial of Service

Cause reliability issue

[Figure labels: Time Bomb, Counter, Untrusted hardware]


slide 4

Some Real Life Events


After years of speculation that electronics can be accessed by
intelligence agencies through a back door, an internal NSA
(National Security Agency) catalog reveals that such methods
already exist for numerous end-user devices. (Dec-2013)
 U.S. Suspicions of China's Huawei Based Partly on NSA's Own
Spy Tricks - 26 Mar, 2014
 Proof That Military Chips From China Are Infected? (2012)
 Researchers Discover Hacker-Ready Computer Chips (UK-2012)
 August 2010 Scientific American article "The Hacker in Your
Hardware".
 Edward Snowden (NSA) evidenced the US intelligence hardware
sold to other countries.
http://www.cl.cam.ac.uk/~sps32/sec_news.html
slide 5

Challenges in HT Detection
 Versatility of HTs: size, location, quiet, different type/form
 Testing/verification tools fail: Conventional tools are for
defects and faults, not for intentionally added HTs
 Distinction between HTs and “noise”
 Error from testing and HT detection methods.
 Side channel noise and measurement errors.
 Functional noise (e.g. don’t cares)
 Manufacturing variations (process variations)

slide 6

Classification of HT Detection
 Destructive approaches
@ Costly and time consuming.
 Non-destructive approaches
• Run-time Monitoring
• Test-time detection
 Logic test (Limited Detection)
@ Only functional HT
@ Requires a sophisticated pattern set
 Side channel analysis.
@ Power: quiescent current, transient current
@ Delay, Radiation etc.
slide 7

HT Detection
 Side-channel analysis: Power, delay etc.
 Does not require triggering Trojans to observe its
impact at primary output nodes
 May catch HT even for a partial activation

[Figure: input 01101101, Trojan 1110100, power side-channel, "HT or variations"]

 How to distinguish HT from process variations?


slide 8

Existing Methods on Side-Channel

Researchers | Side-channel | Golden-IC | Approach
Agrawal et al. [2007] | Dynamic power | w/ | Gate level
Jin et Makris [2008] | Delay | w/ | Gate level
Rad et al. [2008] | Dynamic power | w/ | Layout level
S. Narasimhan [2013] | Power | w/ | Gate Level
Banga et Hsiao [2009] | Transient power | w/ | Gate level
Alkabani et al. [2009] | Leakage power | w/ | Gate level
Salmani et al. [2010] | Power | w/ | Transistor level
Li et al. [2012] | Delay | Free | Layout level
S. Narasimhan [2011] | Power | Free | Gate level
Y. Liu [2014] | Power & Delay | Free | PCM

slide 9

Objective & Solution

 Magnify detection sensitivity
 Scan chain based segmentation
- A fine-grain partitioning
- Increased Trojan-to-circuit power consumption
 Golden IC free detection
 Self-authentication using Non Overlapping Equal-power Patterns (NOEP)
 Reduced variation effects

slide 10

Scan Chain
Scan Flip Flop (FF)

Scan inserted Sequential circuit

slide 11

Proposed Method

 Scan-chain segmentation
• Increase Trojan-to-circuit power consumption
 Pattern application technique
• Activate most FFs in launch-on-capture (LOC) mode
– Transition to combinational core increases
• Restrict background switching
– Clock gating for FFs
 Self-Authentication FF
• Generating NOEPs for HT detection

[Figure label: Scan Chain]

slide 12

Scan Segmentation & Pattern Application


 Segment gets clock independently
 Clock gating technique
 Remaining segments hold scan-shift values (frozen)
 Launch-on-capture (LOC) mode

[Figure: Scan segmentation (gated clock controller with control signal, Clk, Clk1_1, Clk1_2, Clk2_1, Clk2_2; Segment-1 to Segment-4; scan chains SC-1 and SC-2; Scan-in, Scan-out) and LOC pattern application technique (Clk, Scan_EN and the gated clocks over scan shift, launch and capture; 1st vector v1, 2nd vector v2)]

slide 13

NOEP Generation 1/2


Generating EP pairs
P: Power, V: LOC vectors

Table1: total Power Simulation Results (rows: V1 to V5; columns: Seg 1 to Seg 4)
V1 P1 P1
V2 P2 P2
V3 P3 P1
V4 P1 P4
V5 P4

Create_Table2(Table1) (rows: P1 to P4; columns: Seg1 to Seg4)
P1 V1 V4
P1 V3 V1
P2 V2 V2
P3 V3
P4 V4 V5
Pattern count 2 1 2 3

Table3: EP pairs (columns: V1 to V5)
NOEP-1 Seg-1 Seg-2
NOEP-2 Seg-4 Seg-3
NOEP-3 Seg-1/seg-4
NOEP-4 Seg-3 Seg-4
slide 14

NOEP Generation 2/2

 Selection is made if equal-power is found


 Discard: equal-power but overlapping cells

slide 15

Detection: Golden-IC Free


 Self-Authentication
 Compare two segments of an NOEP
 On-chip measurement

[Figure: segments SR and ST, Trojan cells, on-chip comparison of P1 = Pm(Sr, tr) and P2 = Pm(St, tt)]

slide 16
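
A small model of the NOEP selection (equal power, discard overlapping cells) and of the self-authentication comparison from the slides above, as an added example that is not the authors' code. The power table, cell sets, the toy die model `measure`, the variation offsets, the 130 µW Trojan power and the 20 µW threshold are all constructed assumptions.

```python
from itertools import combinations

# Constructed sample data (not taken from the slides). Keys are (segment, LOC vector).
SIM_POWER_UW = {  # simulated power per entry, in µW
    ("seg1", "v1"): 5200, ("seg2", "v4"): 5200,
    ("seg1", "v3"): 5600, ("seg2", "v5"): 5600,
    ("seg3", "v2"): 5400, ("seg4", "v2"): 5400,
    ("seg3", "v5"): 5100,
}
ACTIVE_CELLS = {  # cells each entry switches during launch/capture
    ("seg1", "v1"): {"c1", "c2"},   ("seg2", "v4"): {"c7", "c8"},
    ("seg1", "v3"): {"c2", "c3"},   ("seg2", "v5"): {"c8", "c9"},
    ("seg3", "v2"): {"c12", "c13"}, ("seg4", "v2"): {"c13", "c19"},
    ("seg3", "v5"): {"c14"},
}

def generate_noeps(power, cells, tol=0.0):
    """Pair entries from different segments with equal power and disjoint cells."""
    noeps = []
    for a, b in combinations(sorted(power), 2):
        if a[0] == b[0] or abs(power[a] - power[b]) > tol:
            continue                      # same segment, or not equal-power
        if cells[a] & cells[b]:
            continue                      # equal-power but overlapping: discard
        noeps.append((a, b))
    return noeps

def measure(power, die_scale, intra_uw, trojan_uw=None):
    """Toy die model: inter-die scale, per-segment intra-die offset, optional HT power."""
    trojan_uw = trojan_uw or {}
    return {k: p * die_scale + intra_uw.get(k[0], 0) + trojan_uw.get(k[0], 0)
            for k, p in power.items()}

def self_authenticate(noeps, measured, threshold_uw):
    """Return NOEPs whose two measured powers differ by more than the threshold."""
    return [(a, b) for a, b in noeps
            if abs(measured[a] - measured[b]) > threshold_uw]

NOEPS = generate_noeps(SIM_POWER_UW, ACTIVE_CELLS)
INTRA = {"seg1": 4, "seg2": -3}           # assumed small intra-die offsets, µW
clean = measure(SIM_POWER_UW, 1.08, INTRA)                     # 8% inter-die shift
infected = measure(SIM_POWER_UW, 1.08, INTRA, {"seg2": 130})   # HT in seg2

if __name__ == "__main__":
    print("NOEPs:", NOEPS)
    print("clean die flagged:", self_authenticate(NOEPS, clean, 20))
    print("infected die flagged:", self_authenticate(NOEPS, infected, 20))
```

In this model the 8% inter-die shift cancels inside each NOEP because both halves sit on the same die, while a comparison of the same die against the unscaled simulation values would differ by more than the Trojan's own power.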

Tolerance Against Process Variations

 The variation window is small


With Golden IC (Seg-1 of SUS vs. Seg-1 of Golden IC)
Difference:
o Power consumed by HT
- Inter-die variations
- Intra-die variations

W/o Golden IC (Seg-1 vs. Seg-2 of SUS, self-authentication)
Difference:
o Power consumed by HT
- Intra-die variations
slide 17

Inserted Trojans
Trojans' specification in 90nm technology library

Type | Circuit Type | Total cell area (µm²)
T1 | 2 AND gates and 1 NAND gate | 22
T2 | 2-bit counter | 305
T3 | 4 bit comparator with 2 FF | 1875

[Figure: Trojans T1, T2 and T3 with gates g1, g2, g3]
slide 18

Cell Activation by LOC Patterns


 Four regions of s35932 benchmark circuit out of 16 regions

Regions 7 & 16 may have overlapping cells

[Figure: four panels, Region-4, Region-5, Region-7 and Region-16; X-axis: chip size in nm; Y-axis: chip size in nm]

slide 19



EP Pair Generation

 Region-5 & region-13 show power difference (PD)

[Figure: Trojan detection for s35932 benchmark circuit; series: Region-5, Region-13; Y-axis: power value in watt (0.005 to 0.0057); X-axis: number of NOEP sets (1 to 10)]

slide 20

Overall Trojan Detection Results


Circuit name | Regions | Inserted Trojan | No. of gates | Proposed method: NOEPs | Proposed method: activated Trojan gates | Proposed method: max PD (µW)
s1423 | 4 | T1 | 3 | 74 | 3 (100%) | 30
s1238 | 4 | T1 | 3 | 18 | 3 (100%) | 30
s5378 | 6 | T1 | 3 | 40 | 3 (100%) | 30
 | | T2 | 18 | | 13 (72%) | 130
s13207 | 8 | T3 | 13 | 78 | 9 (69%) | 90
s35932 | 16 | T1 | 3 | 74 | 3 (100%) | 30
 | | T3 | 13 | | 7 (54%) | 70
s38584 | 12 | T2 | 18 | 132 | 11 (61%) | 110
 | | T3 | 13 | | 12 (92%) | 120
s38417 | 32 | T2 | 18 | 200 | 17 (94%) | 170
 | | T3 | 13 | | 5 (38%) | 50

 In most cases, more than 80% chance of Trojan cell activation
slide 21

Summary

 Golden reference free detection
 Power side channel based detection ensures high detectability even for partial activation
 Higher detection sensitivity
 Maximum PD of 170 µW for a single NOEP
 In most cases, Trojan activation chances are high

slide 22
Thank You

For more queries


Dr. Fakir Sharif Hossain
sharifo16@yahoo.com

slide 23
