A study on the efficiency of hardware Trojan detection based on path-delay fingerprinting


Microprocessors and Microsystems xxx (2014) xxx–xxx


Arash Nejat 1, Seyed Mohammd Hossein Shekarian 1, Morteza Saheb Zamani ⇑

Department of Computer Engineering and Information Technology, Amirkabir University of Technology, Tehran, Iran

Article info

Article history: Available online xxxx

Keywords: Hardware security; Hardware Trojan detection; Design for hardware trust; Analysis of hardware security

Abstract

Hardware Trojan horses (HTHs) are among the most challenging threats to the security of integrated circuits. Path-delay fingerprinting has been shown to be a promising HTH detection approach. However, previous work in this area incurs a large hardware cost or requires expensive testing techniques. Moreover, the relation between technology mapping and the efficiency of delay-based HTH detection has not yet been studied. In this paper, we present an HTH detection method which uses an effective test-vector selection scheme and a path-delay measurement structure. Furthermore, we demonstrate the large impact of technology mapping on the effectiveness of delay-based HTH detection. We also show that delay-based detection methods are highly scalable. When an area-driven design strategy is chosen, the average HTH detection probability of our approach is about 63%, 78% and 90% for false alarm rates of 0%, 2% and 16%, respectively. However, with modifications in the technology mapping, the results improve to 85%, 94% and 99%, at the cost of about 20% area overhead. In addition, the efficiency of our method does not decrease for large benchmarks with thousands of gates.

© 2014 Elsevier B.V. All rights reserved.

1. Introduction

The high cost of silicon chip fabrication has caused most hardware manufacturers to outsource the fabrication of their integrated circuits (ICs) to third-party foundries [1]. These foundries can serve attackers by modifying the circuit's design or its physical parameters. These modifications, usually known as hardware Trojan horses (HTHs), may change the functionality or reliability of a chip in a disastrous way [1,2]. HTHs are classified into parametric and functional types. Parametric HTHs are modifications in the characteristics of existing wires and gates, while functional HTHs are designed by adding or removing gates and transistors [1]. The focus of this paper is on HTHs of the latter type, which usually have more complicated and damaging behaviors. Moreover, this paper concentrates on HTHs which are inserted into the design during the fabrication process.

HTHs must be triggered by some internal or external event, or a sequence of such events, to become operative. A wisely designed HTH is triggered only under rare conditions. For example, the attacker usually uses a rarely-changed signal which already exists in the original circuit as an input of the HTH and designs the HTH so that it is triggered only if that signal changes. For this reason, HTHs are not usually detectable by conventional testing methods [1].

Parametric testing or side-channel analysis techniques are reported to be more effective for HTH detection. These techniques are based on the fact that even a non-triggered HTH may change the side-channel properties of the chip [3]. For example, the HTH may change the power consumed by the circuit, or it may alter the delay of some paths in the design [1]. The greatest challenge for these techniques is process variation, which may mask the Trojan effects and limit the scalability of the techniques.

Techniques based on path-delay analysis are among the most promising side-channel analysis approaches for HTH detection [4–9]. However, previous efforts in this area are not without limitations. The approach presented in [4] seems to be powerful in detecting HTHs which contribute to the delay of critical paths. However, employing this technique to detect HTHs that only change non-critical path-delays requires a large number of test vectors. Other delay-based HTH detection techniques use delay measurement structures [5–9]. Some of these techniques can reduce the difficulties of detecting HTHs on non-critical paths [7–9], but they incur additional hardware cost and design complexity. Moreover, these techniques do not benefit from a proper design strategy and test vector generation.

⇑ Corresponding author. Tel./fax: +98 2164542720. E-mail addresses: [email protected] (A. Nejat), [email protected] (S.M.H. Shekarian), [email protected] (M. Saheb Zamani).
1 Tel.: +98 2164545124.

http://dx.doi.org/10.1016/j.micpro.2014.01.003 0141-9331/© 2014 Elsevier B.V. All rights reserved.

Please cite this article in press as: A. Nejat et al., A study on the efficiency of hardware Trojan detection based on path-delay fingerprinting, Microprocess. Microsyst. (2014), http://dx.doi.org/10.1016/j.micpro.2014.01.003


In this paper, we address the challenges of using path-delay measurement to detect HTHs. Our contributions are as follows:

1. A novel HTH detection approach is presented based on path-delay fingerprinting. The essence of this technique is to test the delay characteristics at different frequencies. Varying the frequency can simplify delay measurement in non-critical paths. In addition, a modified scan chain helps to measure the path delays. Our approach needs hardware redundancy in the structure of scan flip-flops (SFFs), which are already widely used in ICs for testing various fault models. An SFF is a flip-flop (FF) with extra scan logic, a scan input and a scan output, which are used during the test mode to set or fetch the value of that FF.
2. Guidelines are presented for the efficient use of some other related approaches in the literature.
3. HTH detection probabilities on paths are estimated based on path-delay characteristics. The detection probabilities are also valid for any HTH detection technique based on single path-delay fingerprinting if the proposed guidelines are followed.
4. The impact of technology mapping on the delay-based techniques is investigated, and design hints are provided to improve the probability of HTH detection.
5. The scalability of delay-based Trojan detection techniques is studied and shown to be an important advantage of these methods compared to the power-based Trojan detection approaches.

Our experiments are conducted on various ISCAS'89 benchmarks. A 90 nm process technology is used because accurate information about timing variation is available for this technology [10]. In the case of area-driven technology mapping, the average detection probability of our approach is 63%, 78% and 90% by accepting a zero, 2% and 16% false alarm rate, respectively. However, these detection probabilities improve to 85%, 94% and 99%, respectively, if the circuit is designed with shorter paths, because paths with shorter delay suffer less from background variation effects. Our experimental results also show that, contrary to the power-based HTH detection techniques, the delay-based approaches are intrinsically scalable.

The rest of this paper is organized as follows: Section 2 introduces the previous work. The basic idea of our approach is described in Section 3. The detailed approach is presented in Section 4. Section 5 presents the experimental setup and results. The method used to estimate HTH detection probability is also explained in these sections. Finally, Section 6 concludes the paper and proposes some future work.

2. Previous work

Attackers try to hinder the process of HTH detection by making the trigger conditions as rare as possible. Moreover, HTHs which only produce analog outputs (e.g., power characteristics) would not be detected even by exhaustive testing [11]. Hence, it is usually impractical to detect HTHs by using traditional testing methods. Post-design HTHs may not be detected by reverse engineering either, since they may exist only in a portion of the fabricated chips [1]. It is noteworthy that reverse engineering is a destructive process, so it is helpful only when applied to a single chip or a small fraction of chips.

Many efforts have been made in recent years to develop more convenient methods for HTH detection. Some test pattern generation approaches are presented in [12–14] to adapt testing techniques for HTH detection. However, these techniques are of limited gain for large circuits. The authors in [3] demonstrated that side-channel analysis is a more efficient approach for detecting HTHs. This is because even non-triggered HTHs may change the side-effect characteristics of a chip recognizably. Two such characteristics are widely used for the purpose of HTH detection, namely, power consumption [3,15] and path-delays [4–9,16,17]. As demonstrated in [8,18], analyzing both power and delay profiles of the circuit is needed to achieve better results. As the focus of this paper is on path-delay analysis, related work in this area is discussed in the rest of this section.

The first systematic approach for path-delay fingerprinting was presented in [4]. This approach collects the overall delay characteristics of the whole design by analyzing some genuine chips. The genuine chips are assured to be Trojan-free by using invasive techniques. The data is used as a reference to verify the genuineness of other chips. However, HTHs that merely change non-critical path-delays can hardly be detected by this technique.

Shadow registers are used in [5,6] for HTH detection. Each shadow register is placed next to a register in the design, receiving the same input as the original register. The shadow registers are triggered by a shadow clock signal with a controllable phase offset. Path-delays can be measured by changing the phase offset. Ring oscillators (ROs) are also employed for HTH detection [7,8,16,17]. ROs can be added to a design in a way that allows them to measure the delay characteristics. The large hardware cost is the main drawback of both structures. Another delay-based HTH detection approach is introduced in [9], which creates a delay chain by bypassing some of the FFs in the design. Besides a 10% area overhead, this technique suffers from relying on the delay analysis of long paths. These long-delay paths are generated by the FF bypassing process. As we demonstrate in Section 5, long-delay paths may not be qualified candidates for being tested for HTHs.

3. The basic idea

An intelligent attacker tries to avoid adding an HTH on critical paths (paths with the largest delay). Otherwise, changes in the timing characteristics of the circuit would be simply identifiable. However, changes in the delay of non-critical paths would be unrecognizable by using conventional timing test approaches. The main idea of the proposed approach is to test the circuit at proper frequencies. Each path is tested at a clock cycle with a period equal to the delay of the path under test. We name this clock cycle the zero-slack clock cycle. The slack of a path becomes zero at its corresponding zero-slack clock cycle unless an HTH increases the path-delay. Consequently, the HTH is mapped into a path-delay fault, i.e. a fault that causes the propagation delay of a path to increase beyond its expected value [19]. Now, an SFF can be employed to monitor the path outputs. As in delay-fault test techniques [15], one pair of test vectors must be produced for path-delay fault testing as well as for HTH testing in our approach. The two test vectors are chosen so that they cause two complementary values at the output of the path. As a result, these vectors can generate a desirable transition in the target path and propagate the transition to the SFFs. If the delay of a path increases due to the HTH, the correct value cannot pass through the path during the zero-slack clock cycle and the SFF will hold an incorrect value.

This issue is illustrated by an example in Fig. 1. In this figure, it is assumed that all the gates have 1-unit delay and the delay of interconnects is negligible. The critical path has a 3-unit delay, so the minimum allowed clock period is 3 units. The attacker is assumed to connect an HTH (the colored gate) to the output of gate G3. The connections of the trigger circuit to the original circuit are omitted in this figure. The delay of the bold path is increased by 1 unit due to the existence of the HTH. This additional delay is not recognizable by at-speed testing unless a zero-slack clock cycle (here, a clock cycle with a period of 1 unit) makes the bold path as sensitive as the critical path.
Fig. 1. An HTH-infected circuit.

In summary, our approach maps the chip delay characteristics to observable functional behaviors. The Trojan detection technique presented in [5,6] uses a similar strategy, but it incurs more hardware overhead compared to the approach we propose in Section 4. Moreover, our technique uses an efficient path selection strategy. While theoretically all HTHs can be detected by our approach, the following challenges arise in real-world situations:

1. Process variation is a hard challenge for HTH detection methods based on side-channel analysis. Timing violations may result from process variation rather than from HTH effects. To improve Trojan detection, it is necessary to decrease the masking effects of process variation.
2. There are many non-critical paths in the circuit that would not have a delay longer than the delay of the critical path even after adding an HTH. Testing all such paths is impractical. However, the nets in the design are the real elementary components which may be affected by HTHs. Therefore, for each net in the design, only one of its covering paths must be tested for an HTH. However, for some nets, many candidate paths exist in the circuit.
3. Path-delay measurement is very difficult in new technologies.

In general, HTH effects are more observable when the background effect is small. Our preliminary experiments show that the same rule holds for path-delays. In other words, HTH delays are likely to be more observable on a short-delay path. In addition, we use this rule to select appropriate paths for the testing process. As demonstrated in Section 5, our experiments confirm the high efficiency of this path selection scheme. In Section 5, we also show that synthesizing a circuit with shorter paths increases the HTH detection probability.

4. The proposed approach

4.1. The HTH detection algorithm

An HTH detection approach based on using multiple frequencies is presented in this section. The approach proceeds as follows:

1. For each net in the circuit, the minimum-delay path which covers that net is selected. If the vectors for testing the path-delay fault in the selected path are not found, the next minimum-delay candidate path that crosses the net is selected for testing the path-delay fault. This process is repeated until a testable path is found.

2. Accurate delay estimation is performed. For delay testing, the maximum expected delay of the selected path must be used as the testing clock period. However, forcing an ultra-high frequency onto the clock signal and propagating this signal through the chip may incur difficulties in the real world because the minimum required rise and fall times of the gates may not be met. To overcome this issue, we use the delay-estimation structure shown in Fig. 2(a). The first multiplexer in this figure (MUX 1) is the intrinsic multiplexer of the scan flip-flop. The second multiplexer (MUX 2), along with the signal DM (Detection Mode), is used in our approach to replace the original clock (CLK) with an extra clock signal (CLKp). Both clock signals have the same frequency, but their phase difference equals the expected delay of the path under test. If CLK is replaced by CLKp, a zero-slack clock cycle with legitimate pulse widths is produced, as illustrated in Fig. 2(b). As shown in this figure, the DM signal must be generated in a way that provides the minimum negative and positive pulse widths required by the technology. By the terms minimum negative and positive pulse widths, we mean the minimum time intervals between a falling edge and the next rising edge, and between a rising edge and the next falling edge, respectively. As the frequencies of the two clock signals are equal and both signals work legitimately, there is no need to switch back from CLKp to CLK during the test mode. The resolution of this technique is limited by the skew of the two clock signals and can be estimated by using Eq. (1).

$R = t_0 + t_1 + t_{skew}$   (1)

where $t_0$ and $t_1$ are the minimum applicable negative and positive pulse widths, and $t_{skew}$ is the skew time. All three parameters are technology-dependent, while $t_{skew}$ also depends on the benchmark and the synthesis algorithms. Fig. 2 illustrates our delay estimation technique by an example. As shown in this figure, for testing a path with 0.1 ns maximum expected delay, two clock signals with a 0.1 ns phase difference are used. Consequently, a zero-slack clock pulse is produced and there is no need to initially produce and propagate a periodic clock signal with a 10 GHz frequency. If an HTH increases the delay of this path, it will be detected during the zero-slack clock pulse. Paths with other delays can also be simply tested by changing the phase difference of CLK and CLKp (e.g., for a path with 0.2 ns maximum expected delay, the phase difference of the two clock signals must be equal to 0.2 ns). The switching from CLK to CLKp is performed by a multiplexer.


Fig. 2. Path-delay-measurement: (a) structure, and (b) clock handling and signal timing.

3. The state of the destination SFF on the path is checked. Any deviation from the previously known values is interpreted as a Trojan infection.

Our path selection strategy can be employed to improve other HTH detection techniques based on path-delay fingerprinting (refer to Section 5.4). Furthermore, the proposed approach can be applied to improve the technique proposed in [4]. If the delay characterization is performed at a zero-slack clock cycle (with regard to each path), a more informative convex hull can be constructed in [4].

5. Experimental results

5.1. Experimental setup

Our experiments are based on introducing the HTH model into benchmarks and trying to detect the HTHs by using the proposed approach. The experiments are conducted on five ISCAS'89 benchmark circuits in TSMC 90 nm process technology. Table 1 presents the size characteristics of the selected benchmarks. This technology is chosen because accurate timing information is available for it [10]. The process variation is assumed to have a normal distribution with a standard deviation of 6.61% [10]. Synopsys tools are used for synthesis and analysis of the circuits. Physical design is not performed, as we want to estimate the efficiency of our approach independently of the effects of the physical design process.
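The three steps of Section 4.1 (per-net minimum-delay path selection with fallback to the next candidate, the zero-slack clock period set by the phase offset between CLK and CLKp, and the check of the destination SFF) can be exercised on a small netlist. The following Python is an added illustration written for this page, not code from the paper or its authors: the five-gate netlist, its gate delays, the set of paths for which no vector pair is assumed to exist, and the HTH delays are all constructed. The resolution uses the pulse-width and skew figures the paper quotes in Section 5.3, and process variation is ignored here (it is the subject of Section 5.2).

```python
"""Path selection and zero-slack delay test on a constructed toy netlist."""

# Constructed toy netlist (not one of the paper's benchmarks). Each entry maps a
# gate's output net to (input nets, nominal gate delay in ns). Nets that are not
# gate outputs ("a", "b", "c") are primary inputs or scan flip-flop outputs;
# "q1" and "q2" feed the data inputs of the destination scan flip-flops.
GATES = {
    "n1": (["a", "b"], 0.10),    # AND2
    "n2": (["b", "c"], 0.12),    # OR2
    "n3": (["n1", "c"], 0.09),   # XOR2
    "q1": (["n3"], 0.08),        # buffer in front of SFF1
    "q2": (["n1", "n2"], 0.11),  # AND2 in front of SFF2
}
SFF_INPUTS = ["q1", "q2"]

# Pulse-width and skew figures quoted in Section 5.3 (ns). Eq. (1) gives the
# measurement resolution; the paper rounds the result up to 0.2 ns.
T0, T1, T_SKEW = 0.06, 0.09, 0.025


def resolution(t0=T0, t1=T1, t_skew=T_SKEW):
    """Eq. (1): R = t0 + t1 + t_skew."""
    return t0 + t1 + t_skew


def enumerate_paths(gates, sinks):
    """Return every (path, delay) from a primary input/SFF output to a sink.

    A path is a tuple of nets ordered from source to sink; its delay is the
    sum of the delays of the gates driving the nets on it.
    """
    paths = []

    def walk(net, suffix, delay):
        if net in gates:
            inputs, gate_delay = gates[net]
            for src in inputs:
                walk(src, (net,) + suffix, delay + gate_delay)
        else:  # reached a primary input or SFF output: the path is complete
            paths.append(((net,) + suffix, delay))

    for sink in sinks:
        walk(sink, (), 0.0)
    return paths


def select_test_paths(gates, sinks, res, untestable=frozenset()):
    """Step 1 of Section 4.1: for every net pick the minimum-delay covering
    path that is usable, i.e. at least as long as the measurement resolution
    and with a path-delay-fault vector pair available. ``untestable`` is a
    constructed set of paths for which no vector pair could be found; the
    next-shortest candidate is taken instead (the paper's fallback rule)."""
    paths = sorted(enumerate_paths(gates, sinks), key=lambda p: p[1])
    nets = set(gates) | {src for ins, _ in gates.values() for src in ins}
    selected = {}
    for net in sorted(nets):
        for path, delay in paths:
            if net in path and delay >= res and path not in untestable:
                selected[net] = (path, delay)
                break
    return selected


def zero_slack_scan(selected, hth_net, hth_delay):
    """Steps 2-3 of Section 4.1 for an HTH gate adding ``hth_delay`` ns on
    ``hth_net``: every selected path is clocked with CLKp offset from CLK by
    the path's expected delay (its zero-slack cycle). Ignoring variation, the
    destination SFF captures a wrong value exactly when the infected delay
    exceeds that period. Returns the nets whose test flags the HTH."""
    flagged = set()
    for net, (path, expected) in selected.items():
        infected = expected + (hth_delay if hth_net in path else 0.0)
        if infected > expected:
            flagged.add(net)
    return flagged


if __name__ == "__main__":
    r = resolution()
    sel = select_test_paths(GATES, SFF_INPUTS, r, untestable={("a", "n1", "q2")})
    for net, (path, d) in sel.items():
        print(f"{net}: {'->'.join(path)} ({d:.2f} ns)")
    print("nets flagged for an HTH on n1:", sorted(zero_slack_scan(sel, "n1", 0.05)))
```

Two points of the paper show up directly: the number of selected paths equals the number of nets, not the number of paths (the scalability argument of Section 5.3), and a net whose shortest covering path is below the resolution, or lacks a vector pair, is still covered by the next-shortest candidate.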

Table 1
Number of inputs, outputs, FFs, and gates.

Benchmark   Inputs   Outputs   FFs    Gates
S713        37       23        19     393
S1423       17       5         74     657
S5378       35       49        179    2779
S13207      62       152       638    7951
S35932      35       320       1728   16065

For modeling Trojans, we focus on the payload part of the HTH. Considering the functional HTHs which are our target cases, the payload circuit must include at least one gate inserted into an existing path or one input added to an existing gate. However, our initial experiments show that the delay effect of a second-type payload gate (i.e., an existing gate with an extra input) is not smaller than the delay effect of some first-type Trojans (i.e., added gates). For example, replacing a 2-input AND gate by a 3-input one incurs a delay effect similar to that of inserting one 2-input AND gate before the original 2-input AND gate. As a result, we use single gates as abstract models of HTHs. The delay effects which may be caused by a trigger circuit or a larger payload circuit are ignored, which makes Trojan detection harder. As shown in Table 2, 24 different cells are inserted into the design as Trojans to study the effects of such HTHs. The functionalities of the cells vary from single 2-input AND and OR gates (AND2 and OR2) to a full-adder (ADDFH). As the trigger input, a proper cell input is chosen, i.e., the input that can keep the HTH in the idle state. A single NOT gate is not used as an HTH, as it always inverts a value in the circuit and cannot be put in the idle mode. Trojans must be idle for most of their lives, or they would be easily detected with traditional functional/structural tests. Buffer gates are not used either, as they are harmless as functional Trojans.

Table 2
HTH cell types.

AND2      AND3      AND4      XOR2
OR2       OR3       OR4       XOR3
XNOR2     MX2       AO21      OA22
XNOR3     MX4       AO22      OA21
AOI2BB2   AOI2BB1   AOI2B1    ADDFH
OAI2BB2   OAI2BB1   OAI2B1    OAI2B11

5.2. HTH detection probability estimation

We calculate the detection probability of each inserted HTH based on the variation distribution of the delay of the path under test. The normal distribution is characterized by two parameters: a mean (μ) equal to the delay estimated in the absence of variation, and a standard deviation (σ) determined by the process variation. The normal distribution of an HTH-infected path is shifted due to the delay introduced by the HTH. The delay distribution of one of the paths tested in our experiments is illustrated in Fig. 3, before and after HTH insertion. The HTH is detectable if it increases the path-delay beyond the maximum delay resulting from the variation effects. The reason is that at the frequency corresponding to the path under test, such a delay prevents loading of the correct value into the output FF. Thus, the HTH detection probability is at least equal to the area of the shaded region in Fig. 3(a). The HTH detection probability can be improved at the cost of incurring a non-zero false alarm rate. Generally, the false alarm rate is the fraction of valid chips which are wrongly reported to be faulty (HTH-infected in our work) [15]. An example is shown in Fig. 3. In this example, the HTH detection probability and the false alarm rate are equal to the area of the vertically and diagonally shaded regions, respectively.

5.3. Results

We use the full scan chain and the delay structure introduced in Section 4. First, the resolution of the technique is estimated by using Eq. (1) from Section 4. The values of $t_1$ and $t_0$ in this equation are 0.09 ns and 0.06 ns, respectively, according to the technology information. The value of $t_{skew}$ is experimentally chosen to be 0.025 ns in our most complicated benchmark. As a result, the resolution of our technique is estimated as 0.2 ns in our experiments. In the next step, the shortest sensitizable path with a delay longer than 0.2 ns is found for each net in the circuit. The detection probability of the inserted HTH is then calculated based on the probability distribution of the delay of the selected path.

In our first experiments, we synthesized the benchmark circuits with the traditional style of area-driven technology mapping. Then we performed a performance-driven technology mapping with a maximum allowed area overhead of 20%. For each benchmark and for testing each path (selected by the scheme explained in Section 4), all 24 modeled HTHs introduced in Table 2 are used. The average, minimum, and maximum detection probabilities of the HTHs for area-driven and performance-driven technology mapping are shown in Tables 3 and 4, respectively. As shown in Table 3, the average detection probability in the case of area-driven technology mapping is 63%. By accepting a false alarm rate of 2% and 16%, the average detection probability improves to 78% and 90%, respectively. Discarding a large percentage of healthy chips may not be acceptable in some applications, but the suspicious chips may be utilized in non-safety-critical applications. The detection probability is much better if the designer tries to design the circuit with shorter paths. As shown in Table 4, the average detection probability in the case of area-constrained performance-driven technology mapping is 85%, 94% and 99% by accepting a false alarm rate of zero, 2% and 16%, respectively. This improvement is obtained because the background variation effects are smaller in short-delay paths.
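The estimation of Section 5.2 and the reason short paths help (Section 5.3) can be reproduced numerically with a normal model of the path delay. The following Python is an added example written for this page, not code from the paper: the healthy delay is modelled as normal with σ equal to 6.61% of the nominal delay (the figure the paper quotes), the infected delay as the same distribution shifted by the HTH delay, and the threshold for a false alarm rate f is the (1 − f) quantile of the healthy distribution. Two things are assumptions not stated by the paper: the "maximum delay resulting from variation" for the zero-false-alarm case is taken as μ + 3σ, and the sample path delays and the 0.05 ns HTH delay are constructed values. It also goes one step beyond the paper by solving for the longest path on which a given HTH is still detected with the target probability, which is the design hint of Section 5 in closed form.

```python
"""Detection-probability estimation under process variation (Section 5.2)."""
from math import inf
from statistics import NormalDist

# Relative standard deviation of a path delay under process variation; the
# paper assumes a normal distribution with sigma = 6.61% of the nominal delay.
SIGMA_REL = 0.0661
# Constructed cut-off: with a zero false alarm rate, the "maximum delay
# resulting from variation" is taken here as mu + 3 sigma (an assumption).
MAX_SIGMAS = 3.0

# Constructed nominal delays (ns) of the selected test paths of four nets.
SELECTED_DELAYS = {"n1": 0.15, "n2": 0.25, "n3": 0.40, "n4": 0.60}


def _threshold_z(false_alarm, max_sigmas=MAX_SIGMAS):
    """Z-score (on the healthy distribution) of the pass/fail threshold."""
    if false_alarm <= 0.0:
        return max_sigmas
    return NormalDist().inv_cdf(1.0 - false_alarm)


def detection_probability(path_delay, hth_delay, false_alarm=0.0,
                          sigma_rel=SIGMA_REL):
    """Probability that an HTH adding ``hth_delay`` ns to a path of nominal
    delay ``path_delay`` ns is flagged at its zero-slack clock: the area of
    the shifted distribution beyond the threshold (shaded region of Fig. 3)."""
    sigma = sigma_rel * path_delay
    threshold = path_delay + _threshold_z(false_alarm) * sigma
    infected = NormalDist(path_delay + hth_delay, sigma)  # same sigma, shifted mean
    return 1.0 - infected.cdf(threshold)


def longest_path_for_target(hth_delay, target=0.9, false_alarm=0.0,
                            sigma_rel=SIGMA_REL):
    """Longest nominal path delay at which the same HTH is still detected
    with probability >= target. Solving detection_probability == target:
    hth_delay / sigma = z_threshold + inv_cdf(target), with sigma = sigma_rel * mu."""
    z_needed = _threshold_z(false_alarm) + NormalDist().inv_cdf(target)
    if z_needed <= 0.0:
        return inf  # every path meets the target
    return hth_delay / (sigma_rel * z_needed)


def vulnerable_nets(selected_delays, hth_delay, false_alarm=0.0, threshold=0.9):
    """Nets whose selected test path gives a detection probability below
    ``threshold`` (the paper's definition of a vulnerable net, Table 6)."""
    return sorted(net for net, d in selected_delays.items()
                  if detection_probability(d, hth_delay, false_alarm) < threshold)


if __name__ == "__main__":
    for fa in (0.0, 0.02, 0.16):
        for d in (0.3, 0.6):
            p = detection_probability(d, 0.05, fa)
            print(f"false alarm {fa:.0%}: path {d:.2f} ns -> detection {p:.3f}")
        bound = longest_path_for_target(0.05, 0.9, fa)
        print(f"  90% detection needs a path no longer than {bound:.3f} ns;",
              "vulnerable:", vulnerable_nets(SELECTED_DELAYS, 0.05, fa))
```

Halving the path delay halves σ, so the same HTH shift is worth twice as many standard deviations; that is the whole mechanism behind the jump from Table 3 to Table 4, and the bound returned by `longest_path_for_target` is the delay below which a performance-driven mapping would have to keep each net's shortest sensitizable path.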

Fig. 3. (a) HTH detection probability with zero false alarm rate, and (b) HTH detection probability with non-zero false alarm rate.

Table 3
HTH detection probability in area-driven technology mapping.

Benchmark    False alarm rate   MIN(a)   MAX(b)   AVG(c)
S713         0%                 0.71     0.96     0.83
             2%                 0.85     0.99     0.92
             16%                0.95     1.00     0.97
S1423        0%                 0.45     0.72     0.56
             2%                 0.60     0.80     0.69
             16%                0.76     0.86     0.81
S5378        0%                 0.34     0.74     0.51
             2%                 0.56     0.89     0.71
             16%                0.80     0.97     0.89
S13207       0%                 0.38     0.77     0.55
             2%                 0.59     0.89     0.73
             16%                0.81     0.96     0.89
S35932       0%                 0.50     0.87     0.68
             2%                 0.70     0.95     0.83
             16%                0.87     0.99     0.94
Average(d)   0%                 0.48     0.81     0.63
             2%                 0.66     0.90     0.77
             16%                0.81     0.96     0.90

(a) Minimum HTH detection probability. (b) Maximum HTH detection probability. (c) Average HTH detection probability. (d) Average detection probability in the five benchmarks.


Table 4
HTH detection probability in performance-driven technology mapping.

Benchmark    False alarm rate   MIN(a)   MAX(b)   AVG(c)
S713         0%                 0.82     0.99     0.89
             2%                 0.92     1.00     0.96
             16%                0.98     1.00     0.99
S1423        0%                 0.49     0.84     0.59
             2%                 0.70     0.94     0.78
             16%                0.88     0.98     0.92
S5378        0%                 0.88     1.00     0.94
             2%                 0.97     1.00     0.99
             16%                0.99     1.00     1.00
S13207       0%                 0.77     0.98     0.85
             2%                 0.91     1.00     0.95
             16%                0.98     1.00     0.99
S35932       0%                 0.98     1.00     0.99
             2%                 1.00     1.00     1.00
             16%                1.00     1.00     1.00
Average(d)   0%                 0.79     0.96     0.85
             2%                 0.90     0.99     0.94
             16%                0.97     1.00     0.98

(a) Minimum HTH detection probability. (b) Maximum HTH detection probability. (c) Average HTH detection probability. (d) Average detection probability in the five benchmarks.

In addition to the considerable effect of technology mapping on the detection probability, another important conclusion can be drawn from the results shown in Tables 3 and 4. The HTH detection probability does not decrease as the size of the target circuit increases. For example, there is a higher chance of detecting HTHs in the largest benchmark, S35932, than in most other benchmarks. The reason is that a large number of adequately short paths exist in large circuits. Consequently, with regard to the HTH detection probability, the delay-based detection techniques are intrinsically scalable. This is a great advantage compared to the power-based detection techniques, which incur hardware overhead (e.g., extra power pads) to become more scalable [15]. On the other hand, our technique is also scalable with regard to the number of applied test vectors, which is of the order of the number of nets (and not paths), as reported in Table 5.

Our experimental results are presented in Table 6 from a different viewpoint. This table shows the reduction in the number of vulnerable nets in the design when the performance-driven technology mapping approach is used. We define vulnerable nets as the nets with an HTH detection probability of less than 90%. The number of vulnerable nets is a criterion of the effort which must be performed to increase the trustworthiness of the design. The area overhead and the performance gain caused by this technology mapping approach are also presented in Table 6.

Table 5
The number of applied test vectors for the two technology-mapping approaches.

Benchmark   Area-driven synthesis   Performance-driven synthesis
s713        291                     387
s1423       884                     1181
s5378       2056                    2764
s13207      3886                    4778
s35932      12,475                  14,354

Table 6
Summary of results from the two technology mappings.

Benchmark   Reduction in the number of vulnerable points   Performance gain (%)   Area overhead (%)
s35932      5517–16                                        333                    22
s13207      2078–770                                       498                    12
s5378       1169–119                                       377                    23
s1423       599–425                                        329                    18
s713        45–54                                          300                    19

5.4. Discussions on the area overhead of the technique

An accurate comparison between the area overheads of the proposed technique and other delay fingerprinting techniques is not straightforward due to the dependency of the overhead on the real-world implementation. However, the hardware overhead of our detection technique is less than that of other techniques. Similar to our technique, the shadow registers presented in [5,6] also require an extra clock line. Moreover, both techniques use an equal number of delay measurement units if they are designed to achieve equal Trojan detection capabilities. Nevertheless, our delay measurement structure (Fig. 2(a)) is smaller, as it only includes one extra multiplexer for each target SFF in the design. On the other hand, the technique presented in [5,6] requires one extra (shadow) FF for every target FF and a comparator for comparing the values of the original and the shadow FFs. A mechanism must also be added for scanning out the comparison result. An XOR can be used as the minimum-size comparator. The most cost-efficient scanning mechanism is to use the original SFFs of the design. With such a mechanism, one multiplexer is needed to feed the comparison result into the SFF. The second and third rows of Table 7 present the area overhead of our technique and of shadow registers (with the above-mentioned implementation), respectively. The estimations are generated at the logic level, and routing and clock routing overhead is ignored. However, this overhead is of similar order for both techniques. Moreover, during the experiments, it is assumed that both techniques use one delay measurement unit for each FF in the design (i.e., both techniques use a similar path selection scheme). As shown in Table 7, using shadow registers is very costly.
Table 7
Hardware overhead of delay fingerprinting techniques for HTH detection.

Area overhead (%)      s713   s1423   s5378   s13207   s35932
Our technique            24      26      21       20       19
Shadow registers         92      99      79       75       73
RO-based technique       45      29      26       23       43

Please cite this article in press as: A. Nejat et al., A study on the efficiency of hardware Trojan detection based on path-delay fingerprinting, Microprocess. Microsyst. (2014), http://dx.doi.org/10.1016/j.micpro.2014.01.003

Actually, the authors in [5,6] use a more limited number of shadow FFs. They place the FFs at the end of a minimal set of paths that covers all nodes of the design. However, they lose the benefit of testing short-delay paths. We could equally reduce the number of our delay measurement units (and their overall overhead) by using the same path selection scheme. Nevertheless, much greater HTH detection ability is obtained by testing short paths, as described above. Comparing our technique with RO-based techniques [7,8,16,17] is a little more complicated. RO-based techniques have the advantage of using no extra clock line. However, these techniques still
incur a large overhead. An RO consists of an odd number of inverters placed on a combinational loop. Such a loop is formed by adding a feedback connection to an existing path. As a result, at least one multiplexer is needed to create each loop in the operational mode [7]. A mechanism for scanning out the output of the ROs is also required, probably including some extra pins. The longest paths are chosen in [7] for RO insertion, as such paths cover more nodes. Nonetheless, this leads to a smaller detection probability. Again, for a fair comparison, we assume that the ROs are placed on the same paths chosen by our shortest-path selection scheme. Alternatively, we could reduce the number of our delay measurement units (and their overall overhead) by using the same path selection scheme as [7]. The last row of Table 7 presents the area overhead of the RO-based HTH detection technique. Here, only the overhead of the multiplexers is considered; the potential extra inverters and the scanning hardware/output pins (which probably incur a much larger overhead) are ignored. The result shows that using ROs causes a larger area overhead than our technique. A more accurate comparison would require a full implementation of both techniques.

6. Conclusion and future work

A new HTH detection approach based on path-delay fingerprinting was presented in this paper. Our approach incurs less area overhead than the techniques that use shadow registers or ring oscillators and than the technique proposed in [9]. More importantly, our approach benefits from the inverse relation between the HTH detection probability and the delay of the Trojan-infected path. The result is improved further if the path delays are reduced by using an appropriate synthesis approach. We demonstrated this concept by using a performance-driven technology mapping.
Future work includes trying to improve the HTH detection probability of delay-based techniques (i.e., to reduce the number of vulnerable nets) with more developed and specific modifications to the design flow.

References

[1] M. Tehranipoor, F. Koushanfar, A survey of hardware Trojan taxonomy and detection, IEEE Des. Test Comput. 27 (2010) 10–25.
[2] J.I. Lieberman, White Paper: National Security Aspects of the Global Migration of the US Semiconductor Industry, Office of Senator Joseph I. Lieberman, Ranking Member, United States Senate Armed Services Committee, Washington, 2003.
[3] D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, B. Sunar, Trojan detection using IC fingerprinting, in: IEEE Symposium on Security and Privacy (SP'07), IEEE, 2007, pp. 296–310.
[4] Y. Jin, Y. Makris, Hardware Trojan detection using path delay fingerprint, in: IEEE International Workshop on Hardware-Oriented Security and Trust (HOST 2008), IEEE, 2008, pp. 51–57.
[5] J. Li, J. Lach, At-speed delay characterization for IC authentication and Trojan horse detection, in: IEEE International Workshop on Hardware-Oriented Security and Trust (HOST 2008), IEEE, 2008, pp. 8–14.
[6] D. Rai, J. Lach, Performance of delay-based Trojan detection techniques under parameter variations, in: IEEE International Workshop on Hardware-Oriented Security and Trust (HOST'09), IEEE, 2009, pp. 58–65.
[7] J. Rajendran, V. Jyothi, O. Sinanoglu, R. Karri, Design and analysis of ring oscillator based design-for-trust technique, in: 2011 IEEE 29th VLSI Test Symposium (VTS), IEEE, 2011, pp. 105–110.
[8] C. Lamech, R.M. Rad, M. Tehranipoor, J. Plusquellic, An experimental analysis of power and delay signal-to-noise requirements for detecting Trojans and methods for achieving the required detection sensitivities, IEEE Trans. Inf. Forensics Secur. 6 (2011) 1170–1179.
[9] C. Lamech, J. Plusquellic, Trojan detection based on delay variations measured using a high-precision, low-overhead embedded test structure, in: 2012 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), IEEE, 2012, pp. 75–82.
[10] A. Maiti, J. Casarona, L. McHale, P. Schaumont, A large scale characterization of RO-PUF, in: 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), IEEE, 2010, pp. 94–99.


[11] L. Lin, M. Kasper, T. Güneysu, C. Paar, W. Burleson, Trojan side-channels: lightweight hardware Trojans through side-channel engineering, in: Cryptographic Hardware and Embedded Systems (CHES 2009), Springer, 2009, pp. 382–395.
[12] S. Jha, S.K. Jha, Randomization based probabilistic approach to detect Trojan circuits, in: 11th IEEE High Assurance Systems Engineering Symposium (HASE 2008), IEEE, 2008, pp. 117–124.
[13] F. Wolff, C. Papachristou, S. Bhunia, R.S. Chakraborty, Towards Trojan-free trusted ICs: problem analysis and detection scheme, in: Design, Automation and Test in Europe (DATE'08), IEEE, 2008, pp. 1362–1365.
[14] R.S. Chakraborty, F. Wolff, S. Paul, C. Papachristou, S. Bhunia, MERO: a statistical approach for hardware Trojan detection, in: Cryptographic Hardware and Embedded Systems (CHES 2009), Springer, 2009, pp. 396–410.
[15] R. Rad, J. Plusquellic, M. Tehranipoor, A sensitivity analysis of power signal methods for detecting hardware Trojans under real process and environmental conditions, IEEE Trans. Very Large Scale Integration (VLSI) Syst. 18 (2010) 1735–1744.
[16] J. Rajendran, V. Jyothi, R. Karri, Blue team red team approach to hardware trust assessment, in: 2011 IEEE 29th International Conference on Computer Design (ICCD), IEEE, 2011, pp. 285–288.
[17] X. Zhang, N. Tuzzio, M. Tehranipoor, Red team: design of intelligent hardware Trojans with known defense schemes, in: 2011 IEEE 29th International Conference on Computer Design (ICCD), IEEE, 2011, pp. 309–312.
[18] S. Narasimhan, D. Du, R.S. Chakraborty, S. Paul, F. Wolff, C. Papachristou, K. Roy, S. Bhunia, Multiple-parameter side-channel analysis: a non-invasive hardware Trojan detection approach, in: 2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), IEEE, 2010, pp. 13–18.
[19] M. Bushnell, V.D. Agrawal, Essentials of Electronic Testing for Digital, Memory, and Mixed-Signal VLSI Circuits, vol. 17, Springer, 2000.

Arash Nejat received his B.S. degree in computer engineering from Allameh Mohaddes Noori Institute of Higher Education in 2006 and his M.S. degree in computer engineering from Amirkabir University of Technology in 2012. He is currently working on hardware security. His research interests are hardware security, test and testability, ASIC design flow, embedded systems design, FPGA, fault tolerant and low power design.

Seyed Mohammad Hossein Shekarian received his B.S. degree in computer engineering from Shahid Beheshti University in 2004 and his M.S. degree in computer engineering from Sharif University of Technology in 2007. He is now a Ph.D. candidate at Amirkabir University of Technology. He is currently working on hardware security and his other research interests include fault-tolerant computing and low-power design.

Morteza Saheb Zamani received the B.Sc. degree in computer engineering from Isfahan University of Technology, Iran in 1989, and the M.Eng.Sc. and Ph.D. degrees in computer engineering from the University of New South Wales, Australia in 1992 and 1996, respectively. He joined Amirkabir University of Technology in 1996 and he is now an associate professor and the head of the Computer Engineering and IT department. His research interests are VLSI design, electronic design automation, biological design automation, quantum computing and hardware security.
