scan segmentation approach to magnify detection sensitivity for tiny hardware trojan

slide 1 Fakir Sharif Hossain PhD student Graduate School of Information Science Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan Nara Institute of Science and Technology (NAIST)


Post on 16-Jan-2017


TRANSCRIPT

Page 1: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

slide 1

Fakir Sharif Hossain

PhD student

Graduate School of Information Science

Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Nara Institute of Science and Technology (NAIST)

Page 2: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

slide 2

Hardware Trojan

Detail from "The Procession of the Trojan Horse in Troy", Giovanni Domenico Tiepolo

A malicious modification of an IC during design or fabrication in an untrusted design house or foundry

'Trojan horse' is used as a metaphor for something that appears friendly but actually conceals a secret attacker

Page 3: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Threats

slide 3

Insertion Phase and Location

Figure: Vulnerable phases of IC development cycle: Chakraborty, Narasimhan & Bhunia (2010)

Modify Functionality, Modify Specification, Leak Information, Denial of Service

High probability to be untrusted

Page 4: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

HT Taxonomy

slide 4

This is a Trust-Hub Taxonomy

The HINT project shows the following:

→ 4 (effects) × 5 (locations) × 5 (insertion phases) × 6 (abstraction levels) × 5 (activation mechanisms) = 3000 different HTs!

→ Very rich taxonomy!

→ Impossible to implement them all, and then detect them

Page 5: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Challenges of Hardware Trojan Detection

slide 5

Challenges:

• Lack of observability and controllability after fabrication

• Complexity
  - due to the existence of billions of nano-scale components
  - due to the high volume of soft and hard integrated IP cores

• Overhead associated with physical inspection of nanometer feature sizes for reverse engineering
  - could be intrusive

• Difficulty of activating a Trojan

• Increasing fabrication and environmental variations with technology scaling

Page 6: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Countermeasure Techniques

slide 6

Prevention: prevention at design, prevention at fabrication, prevention at post-fabrication

Detection: destructive, non-destructive

Invasive, non-invasive

Runtime, logic testing, side-channel analysis

Page 7: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Objective of Our Proposed Method

To magnify the Trojan detection sensitivity for small hardware Trojans.

• We perform design for security (DFS)
  - Scan chain partitioning technique
  - Scan chain segmentation technique

• Generate test patterns to detect HTs in the post-fabrication IC
  - TDGP

• Power-based side-channel analysis
  - Switching current

slide 7

Page 8: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

General Program Flow

slide 8

Figure: The activity diagram of the whole process of HT detection

Stages: Design layout, Fab, Testing
Labels: RTL, Specification, Layout information, Netlist information, All chips with power ports, Data (power, leakage power), Physical chip
Trust levels: Untrusted, Trusted, Always Trusted

Page 9: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Proposed Working Diagram

• Scan chain repartitioning
• Scan segmentation by clock gating
• Trojan detection golden pattern (TDGP) and golden power fingerprint generation
• Apply TDGP to the IC and measure power
• Compare measured power with the golden fingerprint to decide whether a Trojan is inserted or not

Diagram labels: Design Phase, Detection Phase, Circuit w/ Layout Information, Modified Circuit, TDGP, Golden Fingerprint, Measured Power, Manufactured IC

Page 10: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Technique

Our proposed technique consists of four sections:

• Scan chain repartitioning
• Scan chain segmentation
• LOC pattern application technique
• TDGP

slide 10

Page 11: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Scan chain Repartitioning

slide 11

• Eliminate the longest chain connections among scan FFs (remove all connections)

• Then reorder the scan cells so that they are stitched together using the nearest-neighbor criterion

• Reconnect them

Figure labels: Scan in, Scan out

Page 12: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Scan chain Repartitioning

slide 12

Figure. Proposed scan partition of s1238 benchmark: (a) original scan chains, (b) connections removed and repartitioned according to the algorithm, (c) reconnected scan cells

[1] Y. Bonhomme, P. Girard, L. Guiller, C. Landrault et al., "Design of routing-constrained low power scan chains," Design, Automation and Test in Europe Conference and Exhibition (DATE), pp. 62-67, 2004.

We perform layout synthesis so that the scan chain repartition technique can have layout awareness
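The remove, reorder and reconnect steps above, as an added example in C (not the authors' program). It assumes Manhattan distance between placed scan FFs and a greedy walk that starts at the scan-in pin; the coordinates and the names `restitch` and `chain_length` are constructed for illustration and are not s1238 data.

```c
/* Added example: greedy nearest-neighbor scan stitching on constructed data. */
#include <stdio.h>
#include <stdlib.h>

typedef struct { int x, y; } Cell;   /* scan FF placement, arbitrary grid units */

static int dist(Cell a, Cell b) { return abs(a.x - b.x) + abs(a.y - b.y); }

/* Total Manhattan wire length of the chain that visits cells in order[]. */
int chain_length(const Cell *c, const int *order, int n) {
    int len = 0;
    for (int i = 1; i < n; i++) len += dist(c[order[i - 1]], c[order[i]]);
    return len;
}

/* Drop all existing links, then rebuild the chain: start at the cell nearest
 * to the scan-in pin and repeatedly append the nearest unvisited cell. */
void restitch(const Cell *c, int n, Cell scan_in, int *order) {
    int *used = calloc((size_t)n, sizeof *used);
    Cell cur = scan_in;
    for (int k = 0; k < n; k++) {
        int best = -1;
        for (int i = 0; i < n; i++)
            if (!used[i] && (best < 0 || dist(cur, c[i]) < dist(cur, c[best])))
                best = i;
        used[best] = 1;
        order[k] = best;
        cur = c[best];
    }
    free(used);
}

/* Constructed placement of 9 scan FFs (the chain size quoted in the results). */
static const Cell CELLS[9] = {{0,0},{8,6},{1,1},{7,7},{2,0},{9,6},{0,2},{8,8},{1,3}};

int main(void) {
    int orig[9] = {0,1,2,3,4,5,6,7,8}, order[9];
    Cell scan_in = {0, 0};
    restitch(CELLS, 9, scan_in, order);
    printf("original length %d, restitched length %d\n",
           chain_length(CELLS, orig, 9), chain_length(CELLS, order, 9));
    for (int i = 0; i < 9; i++) printf("%d ", order[i]);
    printf("\n");
    return 0;
}
```

Shorter, locally clustered chains are what make the later segmentation meaningful: each segment then covers a compact region of the layout.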

Page 14: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Scan chain segmentation

slide 14

The scan segmentation architecture is similar to [1], with a small modification.

In [1], the chain is segmented so that scan chain rippling is restricted during the scan shift operation, whereas we propose it in the launch operation.

• Fixed number of length-balanced segments
• Additional hardware for a gated clock controller
• Any segment can be activated independently by clock gating

[1] K. Hong, K. Cheong, K. Sung, "A New Scan Partition Scheme for Low-Power Embedded Systems," Electronics and Telecommunications Research Institute (ETRI) Journal, vol. 30, no. 3, pp. 412-420, 2008.

Page 16: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

LOC pattern application technique

slide 16

Launch-on-capture (LOC) mode:

• Scan_EN=1: all the segments are active (shifting starts)
• Vector v1 is shifted into the chain FFs
• Scan_EN=0: v1 is set
• The first functional clock is applied, generating vector v2
• The capture response, r, is ignored

Figure: The modified LOC technique for segment seg2_1

• One segment gets the clock
• The others hold the previous value (frozen)

Page 18: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

TDGP

slide 18

• A Trojan detection golden pattern (TDGP) is defined as the highest power consumption pattern during the launch cycle.

• TDGPs are based on switching power fingerprints.

• TDGPs are applied in the detection phase to detect Trojans.

• The number of TDGPs is small, so the detection time is minimized.

Page 19: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Detection

slide 19

Detection is performed by the power consumption percentage difference (PCPD) matrix:

$$\mathrm{PCPD}(x) = \frac{P_{\mathrm{MEASURED}}(x) - P_{\mathrm{TDGP}}(x)}{P_{\mathrm{TDGP}}(x)}$$

where $P_{\mathrm{MEASURED}}$ = measured dynamic power after applying the TDGP, and $P_{\mathrm{TDGP}}$ = golden power fingerprint.

If the power difference is significant, we can detect the Trojan.
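An added example in C (not from the slides) of the PCPD check, showing why clocking one segment at a time magnifies a small Trojan's share of the measured power. All power values, the 5% decision threshold, and the assumption that unsegmented golden power equals the sum of the per-segment figures are constructed for illustration.

```c
/* Added example: PCPD check on constructed power figures (microwatts). */
#include <stdio.h>

#define NSEG 4   /* segments: 2 chains x 2 segments, as in the experiment */
#define NPAT 3   /* TDGPs per segment (constructed; the slides apply 10) */

/* PCPD(x) = (P_MEASURED(x) - P_TDGP(x)) / P_TDGP(x), in percent. */
double pcpd(double measured, double golden) {
    return 100.0 * (measured - golden) / golden;
}

/* Return the segment whose largest |PCPD| exceeds threshold_pct, or -1.
 * threshold_pct is an assumed noise margin, not a value from the slides. */
int locate_trojan(double golden[NSEG][NPAT], double meas[NSEG][NPAT],
                  double threshold_pct, double *max_out) {
    int seg = -1;
    double max = 0.0;
    for (int s = 0; s < NSEG; s++)
        for (int p = 0; p < NPAT; p++) {
            double d = pcpd(meas[s][p], golden[s][p]);
            if (d < 0) d = -d;
            if (d > max) { max = d; seg = s; }
        }
    if (max_out) *max_out = max;
    return max > threshold_pct ? seg : -1;
}

/* Constructed golden fingerprints: only the clocked segment switches. */
double GOLDEN[NSEG][NPAT] = {{40,50,44},{50,40,48},{46,52,42},{48,44,50}};
/* Constructed measurements: a Trojan in segment 1 adds 8 uW under TDGP 1. */
double MEAS[NSEG][NPAT] = {{40.2,50.1,44.1},{50.2,48,48.1},
                           {46.1,52.2,42.1},{48.2,44.1,50.1}};

/* The same Trojan seen without segmentation: all segments switch, so the
 * golden baseline is taken as the sum over segments (an assumption). */
double unsegmented_pcpd(int p, double trojan_uw) {
    double g = 0.0;
    for (int s = 0; s < NSEG; s++) g += GOLDEN[s][p];
    return pcpd(g + trojan_uw, g);
}

int main(void) {
    double max;
    int seg = locate_trojan(GOLDEN, MEAS, 5.0, &max);
    printf("segmented: segment %d, max PCPD %.2f%%\n", seg, max);
    printf("unsegmented: PCPD %.2f%%\n", unsegmented_pcpd(1, 8.0));
    return 0;
}
```

With these constructed numbers the segmented measurement crosses the threshold and also localizes the Trojan to one segment, while the unsegmented measurement of the same 8 uW stays below it.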

Page 20: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Results on Experiment

slide 20

• Our proposed method is applied to the s1238 benchmark of ISCAS89.

• The original design is synthesized using Synopsys Design Compiler and IC Compiler with 90nm technology.

• The scan chain repartitioning and reordering algorithm is performed with a C program.

• Transition delay test vectors are generated by the Synopsys TetraMAX ATPG tool.

• The Synopsys Verilog Compiler (VCS) is used to analyze the switching activity of Trojans, and the power consumption is analyzed in Synopsys PrimeTime.

Page 21: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Results on Experiment

slide 21

• To evaluate our method, we segment the s1238 benchmark circuit into 4 segments with 2 scan chains.

• Each scan chain has 9 FFs.

• We insert a small combinational Trojan (2 AND + 1 NAND) into Segment0_2 of scan chain-1.

• It occupies only <0.6% of the total circuit area (504 gates).

• 24 transition delay test vectors are generated for each segment.

• Therefore, our proposed method has a total of 96 (24×4) test patterns.

Page 22: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Results on Experiment

slide 22

• For comparative analysis, we design two more methods and insert the same Trojan.

• The first method (method-1) is normal LOC without segmentation and clock gating.

• The second method (method-2) has clock gating for scan chains only, but not for segments.

• For method-1, we apply 10 TDGPs and record 10 power fingerprints.

• Similarly, we get 20 power fingerprints from method-2 when applying 20 TDGPs (10 for each scan chain).

Page 23: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Results on Experiment

slide 23

The values are the % difference between golden and measured power.

TDGP ID | Method-1 | Method-2          | Method-3 (Proposed)
        | Entire   | chain-1 | chain-2 | Seg0_1 | Seg0_2 | Seg1_1 | Seg1_2
0       | 5.51     | 8.40    | 0.46    | 0.25   | 22.9   | 0.34   | 0.52
1       | 2.33     | 15.1    | 0.30    | 0.49   | 5.64   | 0.54   | 0.08
2       | 2.08     | 5.50    | 0.16    | 0.09   | 7.28   | 0.7    | 0.03
3       | 8.06     | 7.40    | 0.80    | 0.42   | 18.1   | 0.4    | 0.30
4       | 3.67     | 12.5    | 0.44    | 0.64   | 13.4   | 0.7    | 0.27
5       | 6.62     | 5.92    | 0.46    | 0.39   | 11.10  | 0.58   | 0.21
6       | 2.86     | 10.78   | 0.28    | 0.39   | 10.78  | 0.78   | 0.13
7       | 6.78     | 10.06   | 0.26    | 0.30   | 10.14  | 0.32   | 0.22
8       | 7.97     | 0.69    | 0.50    | 0.24   | 10.22  | 0.32   | 0.23
9       | 3.37     | 6.53    | 0.27    | 0.75   | 6.39   | 0.58   | 0.11
Max     | 8.06     | 15.11             | 22.96

Table: Trojan detection summary for s1238 benchmark

Page 24: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Results on Experiment

slide 24

Fig. 5. A column chart of 3-methods for combinational Trojan

Chart title: TDGP vs. Power difference. Groups: Seg0_1, Seg0_2, Seg1_1, Seg1_2, Original, Chain-1, Chain-2. Series: TDGP-1, TDGP-2, TDGP-3, TDGP-4, TDGP-5. Vertical axis: 0 to 25.

• As our proposed method has clock gating for both segments and scan chains, 40 TDGPs are applied (10 for each segment), yielding 40 power fingerprints.

Page 25: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

Conclusions

slide 25

• This proposed technique is an effective method for magnifying detection sensitivity.

• The results showed that switching in most of the non-target segments was reduced significantly.

• The impact of the smaller segment size and the test application method indicated that this technique could effectively detect the Trojans.

• The detection sensitivity of this method delivered the rank of efficiency of this technique.

Future extension: we will address process variations and introduce a new detection technique without golden references.

Page 26: Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

slide 26

Thank You All