Scalable Consistency-Based Hardware Trojan Detection and Diagnosis

Sheng Wei, Miodrag Potkonjak
Computer Science Department
University of California, Los Angeles (UCLA)
Los Angeles, CA 90095
{shengwei, miodrag}@cs.ucla.edu

978-1-4577-0460-4/11/$26.00 2011 IEEE

Abstract: Hardware Trojans (HTs) have become a major concern in modern IC industry, especially with the fast growth in IC outsourcing. HT detection and diagnosis are challenging due to the huge number of gates in modern IC designs and the high cost of testing. We propose a scalable and efficient HT detection and diagnosis scheme based on segmentation and consistency analysis of the gate-level properties. Furthermore, we develop a HT masking approach that prevents the HTs from functioning using selective device aging. We evaluate our HT detection and diagnosis schemes on a set of ISCAS and ITC benchmarks.

I. INTRODUCTION

Hardware trojans (HTs) [1] are malicious attacks on integrated circuits (ICs) that modify the functionality or impact the performance of the ICs. HTs are possibly embedded by attackers during the manufacturing process in the form of additional gates or resized gates compared to the design specification. As IC outsourcing has become more and more popular recently, HT detection and diagnosis have become a necessity for IC designers and users, because the ICs are exposed to anyone who is in charge of the manufacturing process for potential HT attacks.

A typical procedure of handling HT attacks would include three strategic steps: HT detection, HT diagnosis, and HT masking. HT detection is the process that determines whether any HTs exist in the circuit. If there are any, a HT diagnosis approach is required to locate the HTs in the IC in terms of their types, locations, and input pins. After that, a HT masking mechanism should be conducted to disable the malicious functionalities of the HTs.

Although many HT detection approaches have been proposed recently [2][3][4], the HT diagnosis and masking problems were seldom discussed and addressed. Also, in the existing HT detection approaches, scalability has become a major concern, especially with the fast development of submicron technologies. It is challenging for the detection procedure to determine whether there is any HT embedded among millions of gates in the circuit. The cost of testing and running time have become a major concern in conducting this type of detection. Also, even if one can detect the presence of HTs accurately, it will cost much more effort to determine their exact locations in the circuit. Furthermore, the masking of HTs after detection and diagnosis has a potential of damaging the circuit.

We develop a complete and scalable solution of HT detection, diagnosis and masking using an aging and consistency-based gate characterization scheme. In particular, we divide a large IC into several overlapping segments and analyze the gate-level properties in each segment. We detect the HTs in the case where the overlapping gates exhibit inconsistent characterized properties in different segments. After confirming the existence of HTs, we further develop a consistency-based HT diagnosis scheme to refine the scope of the HTs to a small segment. Next, we adopt an IC aging method to disable the HTs while keeping the regular gates in the circuit unaltered.

Our main technical contributions in this paper include the following:
- a scalable and efficient HT detection method based on segmentation and consistency analysis;
- a HT diagnosis scheme to determine the locations of the HTs in the circuit; and
- a HT masking method using selective device aging.

II. RELATED WORK

In this section, we briefly review the directly related work in HT research and the supporting techniques regarding gate-level characterization (GLC) and IC aging.

A. Hardware Trojan Detection

Agrawal et al. [2] proposed one of the first HT detection techniques in 2007. They construct fingerprints using side channels (e.g., power and temperature) of the circuit for a specific design and authenticate the IC instances based on the fingerprints. The technique is based on the assumptions that there is no process variation, ICs are available for reverse engineering, and there are no measurement errors in the side channels.

Several early HT detection approaches employed functional test techniques. Functional tests simulate the input vectors on the circuit and monitor the outputs to see whether they match the expected patterns. For example, Wolff et al. [3] proposed the generation of test vectors that maximize the likelihood of detecting rarely switching HT gates. Also, Banga et al. [4] proposed automatic test pattern generation (ATPG) techniques that employ the divide-and-conquer paradigm. Recently, HT detection methods using side channel-based analysis have been developed [5][6][7][8]. They characterize the target ICs for their manifestational properties, such as delay and power, in order to detect the embedded HTs.

Tehranipoor et al. [1] presented a comprehensive survey of HT detection. There are two most common conceptual mistakes in the existing HT detection approaches: (1) the authors assume that both an IC with and without HT are available, and (2) all the gates have the same PV properties. In this paper, we do not impose these two assumptions for HT attacks and detections. Furthermore, we employ segmentation-based gate characterization into the process of HT detection, which ensures the scalability of the approach.

B. Gate-level Characterization

Gate-level characterization (GLC) is the process of identifying the process variation in the manufactured IC [9]. Recently, there are two classes of GLC methods that have been proposed for IC synthesis and analysis. The first class conducts physical measurements of transistor parameters [10]. The second class employs nondestructive methods that measure the manifestational properties (e.g., delay, leakage power, and switching power) of the entire IC and characterize the gate-level properties. For example, some of these techniques use sophisticated mathematical techniques, such as singular value decomposition and compressive sensing [11], while others rely more on statistical processing of data obtained from systems of linear or nonlinear equations [12][13][14].

C. IC Aging

IC lifetime is influenced by a variety of phenomena that have been studied by the material science and semiconductor community, such as time dependent dielectric breakdown (TDDB) [15], thermal cycling (TC) [16], and negative bias temperature instability (NBTI) [17]. These phenomena are causing significant alterations of both delay and leakage characteristics of a gate. For example, aging can increase delay by 10% and leakage energy by several times [18]. Currently, aging has been assumed as having a detrimental impact on IC performance. There have been a large number of efforts to develop techniques that accurately predict the level of aging and its impact on IC lifetime. Our novelty in this domain is that we use IC aging to disable the malicious attack conducted by the HTs.

III. PRELIMINARIES

In this section, we introduce the preliminaries of our HT detection, diagnosis, and masking approaches, including process variation, gate-level characterization, and IC aging models.

A. Process Variation

Process variation (PV) during IC manufacturing causes IC key parameters to vary from their nominal design specifications. For example, PV may vary leakage power by up to 20X and frequency by 30% on a single wafer [19]. In particular, there are two physical level properties that are major sources of PV: threshold voltage and effective channel length. For example, the effective channel length of a manufactured gate can be expressed by Equation (1), where $L_{nom}$ is the nominal design value of the effective channel length, and $\Delta L$ is the variation caused by PV.

$$L_{eff} = L_{nom} + \Delta L \qquad (1)$$

Several models have been proposed to capture the impact of PV, which formulate $\Delta L$ as a random distribution or a combination of multiple distributions to represent the spatial correlations on a chip, as well as the inter-chip variations. Although the accuracy of the PV models has been verified with the experimental data, they are only effective from the perspective of statistical properties, i.e., when a large number of chips are presented. For IC applications based on specific IC instances, such as those in hardware security, the PV models are not appropriate because of their lack of control over the individual chips.

B. Gate-level Characterization

In the process of GLC [9], the PV is represented as a scaling factor towards the gate-level manifestational properties, such as delay and power. Then, a system of linear equations can be obtained by summing up the gate-level properties and measuring the total power and delay. Taking leakage power as an example, the system of linear equations can be formulated as follows:

$$\tilde{p}_j = e_{sj} + e_{rj} + \sum_{i=1}^{n} K_{ij} \alpha_i \qquad (2)$$

where $\tilde{p}_j$ is the total leakage power of the entire IC when input vector $j$ is applied; $\alpha_i$ is a variable that represents the PV scaling factor of gate $i$; $K_{ij}$ is the nominal leakage power of gate $i$ when input vector $j$ is applied; and $e_{sj}$ and $e_{rj}$ represent the systematic and random measurement errors, respectively. Following Equation (2), we obtain a system of linear equations by applying different input vectors $j$ and measuring the leakage power of the entire circuit. Then, we solve the system of linear equations using a linear programming (LP) solver, with an objective function that minimizes the measurement errors, to obtain the $\alpha$ values.

C. IC Aging Model

IC aging causes the threshold voltage of the transistors to increase and, consequently, the speed of the circuit to decrease. In particular, the threshold voltage shift caused by NBTI is a function of stress time, temperature, and applied gate voltage, as shown in the following equation [17]:

$$\Delta V_{th} = A \cdot \exp(\beta V_G) \cdot \exp(-E_\alpha / kT) \cdot t^{0.25} \qquad (3)$$

where $t$ is the stress time; $T$ is the temperature; $V_G$ is the applied gate voltage; $A$, $\beta$ and $k$ are constants; and $E_\alpha$ is the measured activation energy of the NBTI process. We employ this aging model to quantify the threshold voltage increase of the gates that are in the stress mode.

IV. CONSISTENCY-BASED HARDWARE TROJAN DETECTION

Our goal in this section is to address the detection of HTs using consistency analysis given the results of GLC. Our idea is based on the fact that a circuit containing HT would cause systematic bias in the total leakage power consumption, no matter where the HT is, how it is constructed, and even whether it is activated or not. With our GLC process, since there are no variables in the system of equations (shown in Equation (2)) to represent the HT, the systematic bias in the total leakage power would create inconsistencies in the equations, and the bias would be reflected in the scaling factors of regular gates in the circuit. By observing the bias in the leakage power scaling factors, we are able to detect HTs embedded in the circuit.

There are two key challenges with the consistency-based HT detection approach. Firstly, we do not assume that we have a clean circuit that does not have any HTs. Therefore, it is difficult to observe the bias in the scaling factors caused by HTs, as there are no standard scaling factors to compare with. Secondly, since the number of gates in modern IC designs is up to the magnitude of millions, the size of the system of equations would easily exceed the computational limit of the LP solvers.

We address both challenges using segmentation. The segmentation of an IC is based on the divide-and-conquer paradigm, in which we divide a large IC into multiple small segments and characterize each of them using GLC. Segmentation can be implemented using input vector control, where we freeze the signals of a subset of inputs and vary the other. Consequently, only the gates controlled by the varying inputs would change their coefficients in the system of linear equations, while the other gates would have identical coefficients in all the equations. Therefore, we can represent all the frozen gates using a single variable in the system of linear equations. In this way, the size of the LP is greatly reduced, to the extent that can be handled by LP solvers.

Furthermore, there are overlapping gates across segments. This provides us with an opportunity to characterize a single (overlapping) gate in multiple sub-circuits (segments), and thus observe possible bias in scaling factors due to the presence of HT. For example, suppose there are two segments A and B with an overlapping gate X, we can characterize the scaling factors of X in both segment A and B, namely $\alpha_a$ and $\alpha_b$. Our idea is that $\alpha_a$ and $\alpha_b$ will be consistent if there is no HT present in either segment A or segment B, as ensured by the accuracy of GLC in both segments. In the case where HT exists in either A or B, there exist inconsistencies in the segment that contains the HT, and the resulting scaling factor ($\alpha_a$ or $\alpha_b$) will be biased to reflect the inconsistencies. In the case where HTs exist in both segments A and B, since the two segments are different in terms of their gates and overall leakage power, the systematic bias caused by the HTs will be different in the two segments, which will again result in different values for $\alpha_a$ and $\alpha_b$. We use the average discrepancy ($d_{avg}$) in calculated scaling factors of overlapping segments as an indicator of whether a HT is present or not. $d_{avg}$ is calculated as the average standard deviation of the scaling factors of the same gate in the overlapping segments.

We illustrate our segmentation-based HT detection scheme using an example shown in Fig. 1. For the sake of brevity and clarity, the circuit has only five NAND gates (named X1 to X5) as shown in Fig. 1(a). We adopt normalized values as shown in Fig. 1(b) for their nominal leakage power. Our goal is to determine whether there is any HT embedded in the circuit. We first partition the circuit into two segments, as shown in Fig. 1(a). We obtain Segment 1 (gates X1, X2, and X5) by freezing inputs 3 and 4 and by applying different input vectors to inputs 1 and 2. Similarly, we obtain Segment 2 (gates X3, X4, and X5) by freezing inputs 1 and 2.

Next, we conduct GLC for each individual segment. In particular, we apply four input vectors to each segment that provide four sets of nominal leakage values for gates X1, X2, and X5 in Segment 1 and gates X3, X4, and X5 in Segment 2. For HT detection, we show three cases where HT exists or does not exist in Segment 1 and Segment 2. We assume that we do not know whether the circuit has HT in advance, and we form the system of linear equations to conduct GLC for each segment as shown in Fig. 1(c).

In case 1 (where HT is present in neither Segment 1 nor Segment 2), the values of overlapping gate X5 in the two segments are identical. In case 2 (where a single HT gate is present in Segment 1), the two calculated values of X5 have a 30.8% discrepancy. Finally, in case 3 (where HT is present in both Segment 1 and Segment 2), the values of X5 have a 3.7% discrepancy. These results indicate that the discrepancy between overlapping gates in multiple segments can serve as an indicator for the systematic bias in leakage power caused by embedded HTs. Therefore, we check the GLC results of overlapping gates between pairs of segments in the circuit. As long as the segments can cover all the gates in the circuit, our approach can detect any HTs embedded in the circuit. Furthermore, the use of segmentation ensures the scalability of GLC, since the number of gates being characterized in each system of linear equations is drastically reduced.

V. CONSISTENCY-BASED HARDWARE TROJAN DIAGNOSIS

The goal in HT diagnosis is to determine the locations of the HTs in the circuit if any exist, so that one can either remove or mask the HTs from the circuit. We design a scalable HT diagnosis scheme based on our consistency-based HT detection method. We have observed that one can detect the existence of HTs using two segments with overlapping gates. However, the HT detection results do not indicate which segment the HTs may be embedded in, and thus it is difficult for the HT masking process to handle the HTs. In order to diagnose the HTs, we introduce a third segment with the same set or subset of overlapping gates and use it as an arbiter for HT diagnosis. Fig. 2 shows an example of the consistency-based HT diagnosis. We find one more segment (Segment 3) compared to the example in Fig. 1. The three segments have an
(a) Segmentation: circuit schematic with inputs I1 to I4, divided into Segment 1 and Segment 2 (drawing not recoverable from the extraction).

(b) Leakage power lookup table

Gates X1-X5
Input   Nominal leakage
00      1
01      3
10      4
11      10

HT Gate Z
Input   Nominal leakage
0       2
1       5

(c) Formulation of systems of linear equations for HT detection

Case 1: HT-free vs. HT-free

Segment 1 (input vector I1 I2 I3 I4, system of equations)
0000    $1\alpha_1 + 1\alpha_2 + 10\alpha_5 = 15.3$
0100    $4\alpha_1 + 3\alpha_2 + 10\alpha_5 = 21$
1000    $3\alpha_1 + 4\alpha_2 + 10\alpha_5 = 21.1$
1100    $10\alpha_1 + 10\alpha_2 + 3\alpha_5 = 26.9$
Results: $\alpha_1 = 1.1$; $\alpha_2 = 1.2$; $\alpha_5 = 1.3$

Segment 2 (input vector I1 I2 I3 I4, system of equations)
0000    $1\alpha_3 + 1\alpha_4 + 10\alpha_5 = 15.4$
0001    $4\alpha_3 + 3\alpha_4 + 10\alpha_5 = 21.35$
0010    $3\alpha_3 + 4\alpha_4 + 10\alpha_5 = 21.45$
0011    $10\alpha_3 + 10\alpha_4 + 4\alpha_5 = 29.2$
Results: $\alpha_3 = 1.15$; $\alpha_4 = 1.25$; $\alpha_5 = 1.3$

Case 2: HT-free vs. HT-present

Segment 1 (input vector I1 I2 I3 I4, system of equations)
0000    $1\alpha_1 + 1\alpha_2 + 10\alpha_5 = 15.3$
0100    $4\alpha_1 + 3\alpha_2 + 10\alpha_5 = 21$
1000    $3\alpha_1 + 4\alpha_2 + 10\alpha_5 = 21.1$
1100    $10\alpha_1 + 10\alpha_2 + 3\alpha_5 = 26.9$
Results: $\alpha_1 = 1.1$; $\alpha_2 = 1.2$; $\alpha_5 = 1.3$

Segment 2 (input vector I1 I2 I3 I4, system of equations)
0000    $1\alpha_3 + 1\alpha_4 + 10\alpha_5 = 19.4$
0001    $4\alpha_3 + 3\alpha_4 + 10\alpha_5 = 25.35$
0010    $3\alpha_3 + 4\alpha_4 + 10\alpha_5 = 25.45$
0011    $10\alpha_3 + 10\alpha_4 + 4\alpha_5 = 30.8$
Results: $\alpha_3 = 1.15$; $\alpha_4 = 1.25$; $\alpha_5 = 1.7$

Case 3: HT-present vs. HT-present

Segment 1 (input vector I1 I2 I3 I4, system of equations)
0000    $1\alpha_1 + 1\alpha_2 + 10\alpha_5 = 18.8$
0100    $4\alpha_1 + 3\alpha_2 + 10\alpha_5 = 24.5$
1000    $3\alpha_1 + 4\alpha_2 + 10\alpha_5 = 24.6$
1100    $10\alpha_1 + 10\alpha_2 + 3\alpha_5 = 28.3$
Results: $\alpha_1 = 1.12$; $\alpha_2 = 1.21$; $\alpha_5 = 1.64$

Segment 2 (input vector I1 I2 I3 I4, system of equations)
0000    $1\alpha_3 + 1\alpha_4 + 10\alpha_5 = 19.4$
0001    $4\alpha_3 + 3\alpha_4 + 10\alpha_5 = 25.35$
0010    $3\alpha_3 + 4\alpha_4 + 10\alpha_5 = 25.45$
0011    $10\alpha_3 + 10\alpha_4 + 4\alpha_5 = 30.8$
Results: $\alpha_3 = 1.15$; $\alpha_4 = 1.25$; $\alpha_5 = 1.7$

Fig. 1. Example of the segmentation-based HT detection approach: (a) shows that a circuit with five gates is segmented into two segments, and gate X5 is the overlapping gate of the two segments; (b) shows the nominal leakage power values for all the gates in the circuit; and (c) demonstrates the formulation of systems of linear equations and their solutions in three cases regarding whether a HT is present in each segment. The discrepancy of the solutions of overlapping gates (X5) in the two segments is an indicator of whether any HT exists or not.

Circuit schematic with inputs I1 to I6, showing Segment 1 and Segment 3 (drawing not recoverable from the extraction).

Segment 1 (input vector I1 I2 I3 I4 I5 I6, system of equations)
000000    $1\alpha_1 + 1\alpha_2 + 10\alpha_5 = 15.3$
010000    $4\alpha_1 + 3\alpha_2 + 10\alpha_5 = 21$
100000    $3\alpha_1 + 4\alpha_2 + 10\alpha_5 = 21.1$
110000    $10\alpha_1 + 10\alpha_2 + 3\alpha_5 = 26.9$
Results 1: $\alpha_1 = 1.1$; $\alpha_2 = 1.2$; $\alpha_5 = 1.3$

Segment 2 (input vector I1 I2 I3 I4 I5 I6, system of equations)
000000    $1\alpha_3 + 1\alpha_4 + 10\alpha_5 = 19.4$
000001    $4\alpha_3 + 3\alpha_4 + 10\alpha_5 = 25.35$
000010    $3\alpha_3 + 4\alpha_4 + 10\alpha_5 = 25.45$
000011    $10\alpha_3 + 10\alpha_4 + 4\alpha_5 = 30.8$
Results 2: $\alpha_1 = 1.15$; $\alpha_2 = 1.25$; $\alpha_5 = 1.7$

Segment 3 (input vector I1 I2 I3 I4 I5 I6, system of equations)
000000    $1\alpha_6 + 10\alpha_5 = 14.2$
000100    $3\alpha_6 + 10\alpha_5 = 16.6$
001000    $4\alpha_6 + 10\alpha_5 = 17.8$
001100    $10\alpha_6 + 3\alpha_5 = 25.9$
Results 3: $\alpha_6 = 1.2$; $\alpha_5 = 1.3$

Results 1 + Results 3: {X1, X2, X5, X6} HT-free
Results 1 + Results 2: {X1, X2, X3, X4, X5} possibly HT-present
Results 2 + Results 3: {X3, X4, X5, X6} possibly HT-present
Conclusion: {X3, X4} HT-present

Fig. 2. Example of consistency-based HT diagnosis. We demonstrate the gate characterization in three segments with overlapping gates. The consistency in Segment 1 and Segment 3 exposes the possible HTs in Segment 2.
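
The detection and diagnosis steps illustrated in Fig. 1 and Fig. 2, as an added example that is not code from the paper: each segment's equations from Fig. 1(c) are fitted and the scaling factors of the overlapping gate X5 are compared. It substitutes a least-squares fit for the paper's LP solver and takes Segment 3's $\alpha_5 = 1.3$ as reported in Fig. 2; the function names and the tolerance `TOL` are assumptions of this example.

```python
# Added example (not the authors' code): segment-wise gate characterization and
# consistency analysis on the overlapping gate X5, using the numbers of Fig. 1(c).
# Assumptions: least squares replaces the paper's LP solver; TOL is illustrative.

TOL = 0.03  # assumed tolerance separating measurement noise from HT bias

# Nominal-leakage coefficients K (one row per input vector) from Fig. 1(c).
SEG1 = {"gates": ("X1", "X2", "X5"),
        "K": [[1, 1, 10], [4, 3, 10], [3, 4, 10], [10, 10, 3]]}
SEG2 = {"gates": ("X3", "X4", "X5"),
        "K": [[1, 1, 10], [4, 3, 10], [3, 4, 10], [10, 10, 4]]}

# Measured total leakage per input vector, HT-free and HT-present (Fig. 1(c)).
SEG1_FREE, SEG1_HT = [15.3, 21, 21.1, 26.9], [18.8, 24.5, 24.6, 28.3]
SEG2_FREE, SEG2_HT = [15.4, 21.35, 21.45, 29.2], [19.4, 25.35, 25.45, 30.8]


def least_squares(K, p):
    """Solve min ||K a - p||^2 through the normal equations (K^T K) a = K^T p."""
    n = len(K[0])
    aug = [[sum(r[i] * r[j] for r in K) for j in range(n)]
           + [sum(r[i] * t for r, t in zip(K, p))] for i in range(n)]
    for col in range(n):  # Gauss-Jordan elimination with partial pivoting
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[piv][col]) < 1e-12:
            raise ValueError("segment is under-determined: add input vectors")
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col:
                f = aug[r][col] / aug[col][col]
                aug[r] = [a - f * b for a, b in zip(aug[r], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]


def characterize(segment, totals):
    """Return {gate: scaling factor alpha} for one segment (Equation (2))."""
    return dict(zip(segment["gates"], least_squares(segment["K"], totals)))


def discrepancy(alpha_a, alpha_b):
    """Relative disagreement of one gate's scaling factor in two segments."""
    return abs(alpha_a - alpha_b) / alpha_a


def detect(totals1, totals2, gate="X5", tol=TOL):
    """Flag a possible HT when the overlapping gate is inconsistent."""
    a1 = characterize(SEG1, totals1)[gate]
    a2 = characterize(SEG2, totals2)[gate]
    d = discrepancy(a1, a2)
    return d > tol, d


def diagnose(alphas, tol=TOL):
    """Pseudocode 1 for one three-segment set (absolute differences).

    Returns the 0-based index of the suspect segment, None when all three
    values agree, or "multiple" when every value is far from both others.
    """
    d = [min(abs(a - b) for k, b in enumerate(alphas) if k != j)
         for j, a in enumerate(alphas)]
    if max(d) <= tol:
        return None
    if min(d) > tol:
        return "multiple"
    return d.index(max(d))


if __name__ == "__main__":
    for name, t1, t2 in [("case 1", SEG1_FREE, SEG2_FREE),
                         ("case 2", SEG1_FREE, SEG2_HT),
                         ("case 3", SEG1_HT, SEG2_HT)]:
        flagged, d = detect(t1, t2)
        print(f"{name}: discrepancy {d:.1%}, HT suspected: {flagged}")
    # Fig. 2: alpha_5 of Segments 1 and 2 is fitted; Segment 3's is the reported 1.3.
    a5 = [characterize(SEG1, SEG1_FREE)["X5"],
          characterize(SEG2, SEG2_HT)["X5"], 1.3]
    print("suspect segment:", diagnose(a5) + 1)
```

With the Fig. 1(c) totals the fit reproduces the 30.8% discrepancy of case 2; for case 3 it gives about 3.6%, because the least-squares $\alpha_5$ of Segment 1 is about 1.6405 rather than the rounded 1.64.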

overlapping gate X5. We vary the controlling inputs of each segment and characterize the scaling factor of all the gates. In the case where the HT is embedded in Segment 2, we have the scaling factor of X5 consistent in Segment 1 and Segment 3 (e.g., $\alpha_5 = 1.3$), while that in Segment 2 has a different value (e.g., $\alpha_5 = 1.7$). Then, we analyze each combination of the pair of segments following the rule that an inconsistency in the scaling factor of the overlapping gate indicates possible HTs in either of the segments, while a consistent result ensures that both of the involved segments are HT-free. For example, as shown in Fig. 2, we conclude that the HTs are present in Segment 2 (i.e., gates X3 and X4).

Pseudocode 1 describes the detailed procedure of the consistency-based HT diagnosis. In each round of the diagnosis, we first characterize three segments with at least one overlapping gate. Then, we compare the scaling factor values of the overlapping gate obtained from the three segments. The one that has a large difference compared to the other two values is in the segment that is possibly HT-present. In the case where all three scaling factor values have large difference compared to the others, we conclude that multiple HTs are embedded in at least two segments and find more segments that cover the overlapping gates to further diagnose the HTs.

VI. AGING-BASED HARDWARE TROJAN MASKING

After identifying the locations of the HTs, we must find a way to either remove them from the circuit or disable them so that they may not conduct malicious attacks to the target IC. Since physical methods to remove a particular component from an IC are very expensive to apply and have a potential of damaging the normal parts of the IC, we design a non-destructive approach to disable the functionalities of the HTs. Our key idea is to utilize proactive IC aging that increases only the threshold voltage of the HTs while maintaining the other gates on the circuit unaffected. Consequently, when the threshold voltages increase to an extent that saturates the performance (speed) of the HTs, they are assumed nonfunctional in terms of the malicious attacks. Even for the high leakage energy attack, in
which an attacker attempts to leak a large amount of energy during IC operation, once the threshold voltage increases to a value close to the supply voltage, the additional leakage energy caused by the HTs becomes negligible.

Pseudocode 1 Consistency-based HT diagnosis.
Input: Target circuit with embedded HTs;
Output: Segment set $Seg$, which contains all the segments that are HT-present;
    Detect the existence of HTs;
    Search for $S$, the three-segment set that covers all the gates in the circuit;
    for each $S_i$ in $S$ do
        for $j = 1 \to 3$ do
            Characterize Segment $S_{ij}$ and obtain scaling factor $\alpha_j$ for the overlapping gate;
        end for
        $d_1 = \min\{|\alpha_1 - \alpha_2|, |\alpha_1 - \alpha_3|\}$;
        $d_2 = \min\{|\alpha_2 - \alpha_1|, |\alpha_2 - \alpha_3|\}$;
        $d_3 = \min\{|\alpha_3 - \alpha_1|, |\alpha_3 - \alpha_2|\}$;
        $h = \arg\max\{d_1, d_2, d_3\}$;
        Insert $S_{ih}$ into $Seg$;
    end for
    return $Seg$;

A. SAT-based IC aging

One of the challenges in aging-based HT masking is how to ensure that only the HT gates are stressed by the applied input vectors, while the regular gates on the circuit should not be constantly under stress. We address this issue by defining and solving a Satisfiability (SAT) problem that searches for input vectors to set only the HT gates in the stress mode (i.e., signal 1) and the normal gates unstressed (i.e., signal 0).

SAT is a problem that determines if a set of variables can be assigned to satisfy a boolean formula. In the IC domain, if the netlist of a circuit is known, the signal of each gate can be expressed as a boolean formula with a set of primary input signals as the variables. Therefore, the input vector selection problem that aims to set a specific gate or a set of gates to specific signals can be naturally converted to a SAT problem. By solving the SAT problem, we can provably find the desirable input vectors for aging based on our requirements regarding the gate signals.

SAT has been proved as one of the first known examples of NP-Complete problems. Recently, there have been many SAT solvers developed in the SAT community [20] that deliver fast and accurate SAT solutions. In this paper, we do not discuss the details of SAT solving. Instead, we mainly focus on how we use SAT solving techniques to address the problem of input vector selection for aging the HT gates.

In our SAT problem formulation, we use an objective file to specify the signals of a subset of gates that we are obtaining input vectors for. In particular, the objectives in the SAT problem follow the following format:

$$obj_i = 0 \mid 1, \quad i = 1 \ldots k \qquad (4)$$

where $obj_i$ is corresponding to a gate ID in the circuit netlist, and $k$ is the number of gates that we expect to specify signal 0 or 1 for. If the SAT problem is satisfiable, the output from the SAT solver is a list of input vectors that satisfies the objectives.

We demonstrate the SAT problem formulation for HT masking using a small example in Fig. 3. For the clarity of discussion, we consider only a small circuit with four AND gates and two NAND gates. In this example, gate 6 is the HT embedded by an attacker. In the SAT objective file, we set the HT gate (gate 6) to signal 1 and all the regular gates (gates 1-5) to signal 0. The SAT solver outputs the input vector 00111 that satisfies the specified objectives. Then, we apply the input vector 00111 to the circuit, which constantly pushes the HT gate in the stress mode.

Circuit schematic with the HT gate marked (drawing not recoverable from the extraction).

SAT Objectives
Gate 1 ← 0
Gate 2 ← 0
Gate 3 ← 0
Gate 4 ← 0
Gate 5 ← 0
Gate 6 ← 1

SAT Solution
00111

Fig. 3. Example of SAT formulation for HT masking. The SAT objectives are formulated to set the HT gate (gate 6) to signal 1 and the regular gates (gates 1-5) to signal 0. The output from the SAT solver provides the input vectors that satisfy the objectives.

B. Input Vector Selection

The major issue in applying SAT-based approach for aging input vector selection is that the SAT problem is often unsatisfiable, under the strict SAT objectives that all HT gates are set to signal 1 and all regular gates are set to signal 0. This is due to the internal structure of the circuit (netlist) and the correlations between the gates. In this case, we must design an input vector selection scheme on top of the SAT problem formulation, which ensures that all the HTs are disabled and the impact on the regular gates is minimized. We achieve this goal by applying three technical approaches in three different phases, namely weight assignment, LP-based input vector selection, and adaptive body bias compensation.

1) Weight-based Iterative SAT Solving: In the case where the strict SAT formulation is not satisfiable, we first divide the gates into two groups based on their importance in terms of the performance and energy consumption. One group, called CP gates, includes all the gates that are on the critical path (e.g., the path that has the longest delay and determines the delay of the circuit). The other group, called non-CP gates, includes all the gates that are off the critical path. The CP gates are more important because of the fact that they determine the delay of
the IC directly. The non-CP gates are relatively less important because their delay increases would not impact the delay of the IC as long as they do not become CP gates. Based on this intuition, we first relax the objectives of setting non-CP gates in the case where the strict SAT formulation is not satisfiable.

Within each group, either the CP gates or non-CP gates, we further sort the gates based on their importance. Here the importance of a gate is quantified by the value of delay increase caused by aging. For example, if the delay of a gate would increase by a high value due to aging, we should avoid aging it. In order to implement this key idea, we assign a weight factor to each gate using the following formula, which can be determined via simulation:

$$Weight_j = \frac{1}{m} \sum_{i=1}^{m} d_{ij}(t) \qquad (5)$$

where $m$ is the number of input vectors we apply to the target circuit, and $d_{ij}(t)$ is the delay increase of gate $j$ under input vector $i$ for a time period of $t$. In our simulation to determine the weight factor for each gate, we randomly select $m$ input vectors, characterize the delay increase of the gate using GLC, and calculate the weight factor.

Pseudocode 2 shows our iterative SAT solving algorithm for determining a set of satisfiable SAT objectives. We begin with the objectives that set all the signals of regular gates to 0 and HT gates to 1. If the resulting SAT problem is not satisfiable, we keep removing the gate that has the lowest weight from the SAT objectives until a satisfiable SAT problem is obtained.

Pseudocode 2 Iterative input vector selection.
Input: Netlist of the target circuit; delay model;
Output: Input vector set $IV$ for aging
    Detect and diagnose the HT gate set $HT$;
    for each $obj_i$ in SAT $S$ do
        if $obj_i \in HT$ then
            $obj_i = 1$;
        else
            $obj_i = 0$;
        end if
    end for
    $IV$ = sat_solve($S$);
    while $IV == \emptyset$ do
        Remove $obj_k$ with the lowest weight from SAT $S$;
        $IV$ = sat_solve($S$);
    end while
    return $IV$

2) Linear Programming: The iterative SAT solving process provides us with a set of input vectors that can be used in the IC aging process to stress the HT gates in order to disable the attacks. Although we specified in the strict SAT objectives that the regular gates should be set in the unstressed mode, the resulting relaxed SAT objectives would cause some of the regular gates to be aged by the applied input vectors. Consequently, if we only apply a single input vector during the entire HT masking process, the HT can be disabled but at the price that some regular gates are constantly aged, which greatly impacts the overall performance of the IC and has a potential of causing a subset of the regular gates to malfunction.

The speed degradation issue requires us to use multiple aging input vectors alternately, in order not to age the same set of regular gates during the HT masking process. Our idea is to select a subset of input vectors from the entire input vector set provided by the SAT solving process and use them to keep the timing constraint of each gate satisfied. We achieve this goal by setting an additional set of timing constraints in a linear program, where the objective is to maximize the total delay increase of the HT gates with the following timing constraints for each regular gate:

$$D_j = \sum_{i=1}^{m} \eta_j d_{ij} \le Th_j \qquad (6)$$

where $m$ is the number of candidate input vectors obtained from the SAT solving process; $n$ is the number of regular gates; $\eta_j$ ($j = 1 \ldots m$) is the percentage of time to apply each candidate input vector; $d_{ij}$ ($i = 1 \ldots m$, $j = 1 \ldots n$) is the expected delay increase of regular gate $j$ when input vector $i$ is applied; and $Th_j$ is the threshold for the delay increase of gate $j$. Among all the parameters, $m$ is provided by the aforementioned SAT solving process; $d_{ij}$ can be obtained by the gate characterization process; and the $\eta_j$'s are the variables we are characterizing in the LP.

3) Delay Compensation Using Adaptive Body Bias: As discussed in the previous subsections, the aging-based HT masking approach causes the delays of the regular gates to increase, because the SAT problem that strictly sets all regular gates to 0 and HT gates to 1 is often unsatisfiable. Besides introducing timing constraints in the LP formulation, we further use adaptive body bias (ABB) to compensate for the delay degradation. ABB has been proposed as an effective approach to compensate for the PV impact on performance and power consumption. It provides the ability to manipulate transistor threshold voltage through the body effect and thus enables either a forward or a reverse body effect to change threshold voltage [21]. Here we use ABB to manipulate the threshold voltage of regular gates that are increased by aging, so that we can compensate for the degradation in delay.

VII. SIMULATION RESULTS

A. Consistency-based HT detection

We show the simulation results on ISCAS and ITC benchmarks for consistency-based HT detection in Table I. For each benchmark, we simulate two cases where HTs are present (i.e., HT-present) and there are no HTs in the circuit (i.e., HT-free). The threat model we consider is the additional gate attack, where the attacker embeds one or more small sized gate (e.g. a NAND gate) into the circuit. The metric we use for identifying HTs is the average discrepancy ($d_{avg}$) of the scaling factors that is defined in Section IV. We select pairs
of segments that have overlapping gates and can cover all the gates in the circuit, conduct GLC of each of the segments, and calculate the d_avg value over all pairs. We can observe from Table I that for the sizing-based HT attack, there are large gaps (more than 15X) in terms of d_avg between the HT-free case and the HT-present case. This enables us to draw a decision line between the d_avg values in the two cases and use it to determine whether HTs exist or not. In this way, we obtain zero false positives and zero false negatives in HT detection.

TABLE I
HT DETECTION RESULTS USING CONSISTENCY-BASED GLC: THE VALUES IN THE "HT-FREE" AND "HT-PRESENT" COLUMNS REPRESENT THE AVERAGE DISCREPANCY OF THE OVERLAPPING GATES IN TERMS OF THEIR SCALING FACTORS.

Benchmark   Number of Gates   HT-Free   HT-Present
C432        160               0.0018    0.088
C499        202               0.0062    0.20
C880        383               0.0058    0.073
C1355       546               0.0039    0.27
C1908       880               0.0021    0.23
C2670       1193              0.0014    0.13
C3540       1669              0.015     0.12
C5315       2307              0.0062    0.12
S526        72                0.0013    1.30
S38584      19253             0.0047    0.24
b19         231266            0.0059    0.38

B. Consistency-based HT Diagnosis

We evaluate the consistency-based HT diagnosis approach on a set of ISCAS benchmarks, as shown in Fig. 4. For each benchmark, we show the scaling factors of the overlapping gates in three segments, where a single HT is embedded in one of the segments (e.g., Segment 3). We observe from the results that the two values of scaling factors from the HT-free segments are consistent with each other, and that in the HT-present segment is either a very high value or a very low value apart from the two consistent values. These results enable us to conclude that the HT is embedded in Segment 3 with zero false positives and zero false negatives.

[Figure: scaling factors for Segment 1 (HT-Free), Segment 2 (HT-Free), and Segment 3 (HT-Present); x-axis: Benchmarks (C432, C499, C880, C1355, C1908, C2670, C3540, C5315, C7552).]
Fig. 4. Simulation results for consistency-based HT diagnosis.

VIII. CONCLUSION

We developed a complete solution of HT detection, diagnosis, and masking. We employed segmentation and consistency-based gate characterization to determine the existence of HTs and their locations. Next, we select input vectors to age the HTs embedded in the circuit and disable their functionalities. Our simulation results on a set of ISCAS and ITC benchmarks indicate that the proposed approach is scalable and capable of detecting and diagnosing HTs accurately.

ACKNOWLEDGMENT

This work was supported in part by the NSF under awards CNS-0958369, CNS-1059435, and CCF-0926127.

REFERENCES

[1] M. Tehranipoor, F. Koushanfar, A Survey of Hardware Trojan Taxonomy and Detection, IEEE Design and Test of Computers, Vol. 27, No. 1, 2010, pp. 10-25.
[2] D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, B. Sunar, Trojan Detection Using IC Fingerprinting, SP 2007, pp. 296-310.
[3] F. Wolff, C. Papachristou, S. Bhunia, R. Chakraborty, Towards Trojan-free Trusted ICs: Problem Analysis and Detection Scheme, DATE 2008, pp. 1362-1365.
[4] M. Banga, M. Hsiao, A Region Based Approach for the Identification of Hardware of Trojans, HOST 2008, pp. 40-47.
[5] J. Li, J. Lach, At-speed Delay Characterization for IC Authentication and Trojan Horse Detection, HOST 2008, pp. 8-14.
[6] Y. Jin, Y. Makris, Hardware Trojan Detection Using Path Delay Fingerprint, HOST 2008, pp. 51-57.
[7] S. Wei, M. Potkonjak, Scalable Segmentation-Based Malicious Circuitry Detection and Diagnosis, ICCAD 2010, pp. 483-486.
[8] S. Wei, M. Potkonjak, Scalable Hardware Trojan Diagnosis, IEEE Transactions on VLSI Systems, 2011.
[9] S. Wei, S. Meguerdichian, M. Potkonjak, Gate-level Characterization: Foundations and Hardware Security Applications, DAC 2010, pp. 222-227.
[10] P. Friedberg, Y. Cao, J. Cain, R. Wang, J. Rabaey, C. Spanos, Modeling Within-Die Spatial Correlation Effects for Process-Design Co-Optimization, ISQED 2005, pp. 516-521.
[11] M. Nelson, A. Nahapetian, F. Koushanfar, M. Potkonjak, SVD-Based Ghost Circuitry Detection, Information Hiding 2009, pp. 221-234.
[12] S. Wei, S. Meguerdichian, M. Potkonjak, Malicious Circuitry Detection Using Thermal Conditioning, IEEE Transactions on Information Forensics and Security, 2011.
[13] S. Wei, M. Potkonjak, Integrated Circuit Security Techniques Using Variable Supply Voltage, DAC 2011, pp. 248-253.
[14] S. Wei, A. Nahapetian, M. Potkonjak, Robust Passive Hardware Metering, to appear, ICCAD 2011.
[15] J. Stathis, Physical and Predictive Models of Ultrathin Oxide Reliability in CMOS Devices and Circuits, IEEE Transactions on Device and Materials Reliability, Vol. 1, No. 1, 2001, pp. 43-59.
[16] J. Pang, D. Chong, T. Low, Thermal Cycling Analysis of Flip-chip Solder Joint Reliability, IEEE Transactions on Components and Packaging Technologies, Vol. 24, No. 4, 2001, pp. 705-712.
[17] S. Chakravarthi, A. Krishnan, V. Reddy, C. Machala, S. Krishnan, A Comprehensive Framework for Predictive Modeling of Negative Bias Temperature Instability, Reliability Physics Symposium Proceedings, 2004, pp. 273-282.
[18] M. Agarwal, B. Paul, M. Zhang, S. Mitra, Circuit Failure Prediction and Its Application to Transistor Aging, VTS 2007, pp. 277-286.
[19] S. Borkar, T. Karnik, S. Narendra, J. Tschanz, A. Keshavarzi, V. De, Parameter Variations and Impact on Circuits and Microarchitecture, DAC 2003, pp. 338-342.
[20] N. Een, N. Sorensson, An Extensible SAT-solver, SAT 2003, pp. 333-336.
[21] T. Chen, S. Naffziger, Comparison of Adaptive Body Bias (ABB) and Adaptive Supply Voltage (ASV) for Improving Delay and Leakage Under the Presence of Process Variation, IEEE Transactions on VLSI Systems, Vol. 11, No. 5, 2003, pp. 888-899.
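
Pseudocode 2 (iterative input vector selection) worked through in Python as an added example, not code from the paper. The four-gate netlist, the gate names and the weights are constructed, and an exhaustive search over input vectors stands in for a real SAT solver.

```python
from itertools import product

# Constructed toy netlist (not from the paper): gate -> (type, inputs),
# listed in topological order. "t1" plays the diagnosed HT gate.
NETLIST = {
    "g1": ("AND", ("a", "b")),
    "g2": ("OR", ("b", "c")),
    "g3": ("NAND", ("g1", "c")),
    "t1": ("AND", ("g2", "a")),
}
INPUTS = ("a", "b", "c")
# Assumed weight factors; the paper computes them from GLC delay data.
WEIGHTS = {"g1": 0.2, "g2": 0.1, "g3": 0.5, "t1": 10.0}
OPS = {
    "AND": lambda x, y: x & y,
    "OR": lambda x, y: x | y,
    "NAND": lambda x, y: 1 - (x & y),
}

def simulate(vector):
    """Return the value of every primary input and gate output for one vector."""
    sig = dict(zip(INPUTS, vector))
    for gate, (kind, (x, y)) in NETLIST.items():
        sig[gate] = OPS[kind](sig[x], sig[y])
    return sig

def sat_solve(objectives):
    """Stand-in for a SAT solver: exhaustive search over all input vectors."""
    for vector in product((0, 1), repeat=len(INPUTS)):
        sig = simulate(vector)
        if all(sig[g] == want for g, want in objectives.items()):
            return vector
    return None  # corresponds to IV == empty set in Pseudocode 2

def select_aging_vector(ht_gates, weights):
    """Strict objectives first (regular = 0, HT = 1), then relax by weight."""
    objectives = {g: int(g in ht_gates) for g in NETLIST}
    dropped = []
    vector = sat_solve(objectives)
    while vector is None and objectives:
        lowest = min(objectives, key=weights.get)
        del objectives[lowest]
        dropped.append(lowest)
        vector = sat_solve(objectives)
    return vector, dropped

if __name__ == "__main__":
    vector, dropped = select_aging_vector({"t1"}, WEIGHTS)
    print("aging vector", dict(zip(INPUTS, vector)), "relaxed:", dropped)
```

The gates returned in the relaxed list are the regular gates that the chosen vector may stress, which is the side effect the LP time-sharing and ABB steps are meant to bound.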
