skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: A Symbolic Approach to Detecting Hardware Trojans Triggered by Don’t Care Transitions
Due to the globalization of Integrated Circuit supply chain, hardware Trojans and the attacks that can trigger them have become an important security issue. One type of hardware Trojans leverages the “don’t care transitions” in Finite-state Machines (FSMs) of hardware designs. In this article, we present a symbolic approach to detecting don’t care transitions and the hidden Trojans. Our detection approach works at both register-transfer level (RTL) and gate level, does not require a golden design, and works in three stages. In the first stage, it explores the reachable states. In the second stage, it performs an approximate analysis to find the don’t care transitions and any discrepancies in the register values or output lines due to don’t care transitions. The second stage can be used for both predicting don’t care triggered Trojans and for guiding don’t care aware reachability analysis. In the third stage, it performs a state-space exploration from reachable states that have incoming don’t care transitions to explore the Trojan payload and to find behavioral discrepancies with respect to what has been observed in the first stage. We also present a pruning technique based on the reachability of FSM states. We present a methodology that leverages both RTL and gate-level for soundness and efficiency. Specifically, we show that don’t care transitions and Trojans that leverage them must be detected at the gate-level, i.e., after synthesis has been performed, for soundness. However, under specific conditions, Trojan payload exploration can be performed more efficiently at RTL. Additionally, the modular design of our approach also provides a fast Trojan prediction method even at the gate level when the reachable states of the FSM is known a priori . Evaluation of our approach on a set of benchmarks from OpenCores and TrustHub and using gate-level representation generated by two synthesis tools, YOSYS and Synopsis Design Compiler (SDC), shows that our approach is both efficient (up to 10× speedup w.r.t. no pruning) and precise (0% false positives both at RTL and gate-level netlist) in detecting don’t care transitions and the Trojans that leverage them. Additionally, the total analysis time can achieve up to 1.62× (using YOSYS) and 1.92× (using SDC) speedup when synthesis preserves the FSM structure, the foundry is trusted, and the Trojan detection is performed at RTL.  more » « less
Award ID(s):
2019283
PAR ID:
10454170
Author(s) / Creator(s):
;
Date Published:
Journal Name:
ACM Transactions on Design Automation of Electronic Systems
Volume:
28
Issue:
2
ISSN:
1084-4309
Page Range / eLocation ID:
1 to 31
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; ; ; (, International Verification and Security Workshop (IVSW))
    Due to the increasing complexity of hardware designs, third-party hardware Intellectual Property (IP) cores are often incorporated to alleviate the burden on hardware designers. However, the prevalent use of third-party IPs has raised security concerns such as hardware Trojans. These Trojans inserted in the soft IPs are very difficult to detect through functional testing and no single detection methodology has been able to completely address this issue. Based on a Register- Transfer Level (RTL) soft IP analysis method named Structural Checking, this paper presents a hardware Trojan detection methodology and tool by detailing the implementation of a Golden Reference Library for matching an unknown IP to a functionally similar Golden Reference. The matching result is quantified in percentages so that two different IPs with similar functions have a higher percentage match. A match of the unknown IP to a whitelist IP advances it to be identified with a known functionality, while a match to a blacklist IP causes it to be detected as Trojan-infested. 
    more » « less
  2. ; ; ; (, Proceedings GOMACTech)
    One aspect of system security is evaluating a system’s vulnerability to Trojan attack. A hardware Trojan attack can have potentially devastating effects, especially given the increased reliance on integrated circuits within critical systems. A significant amount of research concerns attacks on digital systems, but attacks on AMS and RF systems have recently been of interest as well. A class of Trojans has been proposed that uses undesired alternate modes of operation in nonlinear systems as the Trojan payload. These Trojans are of particular interest because they do not cause deviations from the ideal system performance and cannot be detected until the Trojan is triggered. This work addresses this class of Trojans by listing different payloads, trigger mechanisms, and examples of system architectures vulnerable to attack. 
    more » « less
  3. ; ; ; ; ; (, IEEE)
    Verification of FPGA-based designs and comprehension of legacy designs can be aided by the process of reverse engineering the flattened Look-up Table (LUT) level netlists to high-level RTL representations. We propose a tool flow to extract Finite State Controllers by identifying control registers and progressively improving the accuracy of register classification. A control unit consists of one or more Finite State Machines (FSMs) which manage the execution of datapath units. The proposed tool flow has two phases. Phase 1 extracts the potential state/control registers. Phase 2 identifies the exact list of state/control registers and groups FSMs. The main goal of the proposed work is to improve the accuracy of control register identification. Three types of controllers used for experimental evaluation are standalone FSM designs with no datapath units, datapaths with a single FSM, and datapaths with multiple FSMs. Accuracy is observed to be 73% to 100% in controllers with multiple FSMs, 100% in controllers with a single FSM and standalone FSM controller designs. The average accuracy of control register detection over all the real-world designs considered is 98%. 
    more » « less
  4. ; (, IEEE)
    The risk of hardware Trojans being inserted at various stages of chip production has increased in a zero-trust fabless era. To counter this, various machine learning solutions have been developed for the detection of hardware Trojans. While most of the focus has been on either a statistical or deep learning approach, the limited number of Trojan-infected benchmarks affects the detection accuracy and restricts the possibility of detecting zero-day Trojans. To close the gap, we first employ generative adversarial networks to amplify our data in two alternative representation modalities: a graph and a tabular, which ensure a representative distribution of the dataset. Further, we propose a multimodal deep learning approach to detect hardware Trojans and evaluate the results from both early fusion and late fusion strategies. We also estimate the uncertainty quantification metrics of each prediction for risk-aware decision-making. The results not only validate the effectiveness of our suggested hardware Trojan detection technique but also pave the way for future studies utilizing multimodality and uncertainty quantification to tackle other hardware security problems. 
    more » « less
  5. ; (, IEEE)
    Globalized outsourcing of integrated circuit manufacturing has introduced potent security threats such as unauthorized overproduction and hardware Trojan insertion. An approach that is used to protect circuit designs from overproduction is logic locking, which introduces key inputs to a digital circuit such that only the correct key will allow the circuit to work properly and all others will cause unintended functionality. On the other hand, the majority of the existing methods to tackle hardware Trojans are in the realm of proactive prevention or static detection, but a more challenging problem, which is the run-time mitigation of the Trojans inserted in a zero-trust design flow, is yet to be solved. In this work, we look through the lens of logic locking with the goal of introducing online reconfigurability into a design and apply the fundamental principles of fault tolerance and state traversal to create an effective mitigation tactic against hardware Trojans. Redundancy is inserted at low-controllable states to create trap states for the attackers, and key inputs are added to select the active path. The strength of our proposed approach lies in its ability to circumvent Trojan payloads transparently at run-time with only a slight overhead, as demonstrated by experiments run on over 40 benchmarks of varying sizes. We also demonstrate viability when combined with secure logic locking methods to provide multi-objective security. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email