Power Supply Signal Calibration Techniques for Improving Detection

Resolution to Hardware Trojans

Reza M. Rad, Xiaoxiao Wang+, Mohammad Tehranipoor+, Jim Plusquellic*
Department of CSEE, Univ. of Maryland, Baltimore Campus
+Department of Electrical and Computer Engineering, Univ. of Connecticut
*Department of Electrical and Computer Engineering, Univ. of New Mexico

Abstract cess variations and leakage currents. A region is defined as a por-

tion of the layout that receives the majority of its power from a set
Chip design and fabrication is becoming increasingly vulnerable of surrounding power ports or C4 bumps. In previous work, we
to malicious activities and alternations with globalization. An showed that regional analysis significantly increases the resolu-
adversary can introduce a Trojan designed to disable and/or
destroy a system at some future time (Time Bomb) or the Trojan tion of power analysis methods to Trojans [3]. However, by itself,
may serve to leak confidential information covertly to the adver- it is not sufficient for dealing with the adverse effects of process
sary. This paper proposes a taxonomy for Trojan classification and test environment (PE) variations on detection resolution. To
and then describes a statistical approach for detecting hardware fully leverage the resolution enhancements available in a region-
Trojans that is based on the analysis of an ICs power supply tran- based approach, such methods must be combined with signal cali-
sient signals. A key component to improving the resolution of bration techniques, that are designed to attenuate and remove PE
power analysis techniques to Trojans is calibrating for process signal variation effects.
and test environment (PE) variations. The main focus of this In this paper, we propose four signal calibration strategies,
research is on the evaluation of four signal calibration tech- one based on quiescent signals (DC) and three based on transient
niques, each designed to reduce the adverse impact of PE varia-
tions on our statistical Trojan detection method. signals (AC), and evaluate them using simulations of a design
with inserted Trojans. The improvements to Trojan detection res-
1 Introduction olution provided by each signal calibration method are deter-
A drawback to the globalization of the chip industry is the mined using a prediction ellipse statistical approach and an
increased susceptibility of chip design and fabrication to mali- analysis of outlier residuals. Our simulation results indicate that
cious alternations [1][2]. This new threat involves actions taken 1) all signal calibration methods significantly improve Trojan
by an adversary to deliberately modify a chip’s design to include a detection resolution of region-based power signal analysis meth-
hardware Trojan. The Trojan may be designed to cause the chip to ods when compared with no signal calibration, 2) the AC tech-
fail at some critical time while operating in mission mode or it niques outperform the DC method and 3) there is no significant
may serve to leak confidential information covertly to the adver- difference among the three AC alternatives. The last finding is
sary. Many types of hardware systems are threatened including significant because it indicates that a simple sample-based AC
those responsible for the security of personal information, and calibration method can be used over the more complex waveform
those that implement and support financial infrastructures, mili- sampling techniques.
tary systems and even household appliances. Trojans are cleverly The remainder of this paper is organized as follows. Related
hidden by the adversary to make it extremely difficult for chip val- work is described in Section 2 and a Trojan classification scheme
idation processes, such as manufacturing test, to accidentally dis- is presented in Section 3. The simulated design, inserted Trojans
cover them. Many proposed Trojan detection techniques, and statistical analysis method are described in 4. Section 5
particularly logic-based testing techniques that target Trojan acti- describes the signal calibration methods and Section 6 presents
vation via statistical analysis of unlikely circuit states, will not be the simulation results. Section 7 gives our conclusions.
effective against even the simplest Trojan hiding techniques. 2 Background
Most hardware-based security techniques modify hardware Security is a major concern in the design and test of chips,
to prevent attacks and to protect IPs or secret keys. However, the particularly in areas that involve protecting secret keys and IPs.
types of attacks addressed in this paper are fundamentally differ- The malicious insertion of hardware Trojans in ICs is a new secu-
ent. Here the attacker is assumed to maliciously alter the design rity concern that must now be addressed in combination with con-
before or during fabrication. Unfortunately, detection of such ventional security risks. The following summarizes the published
alterations is extremely difficult for several reasons. First, physi- work on this topic.
cal inspection through destructive reverse engineering is becom- The authors of [4] were the first to address the hardware Tro-
ing increasingly difficult and costly in nanometer technologies. jan issue. They propose the use of side-channel signals, e.g., tran-
Second, purposeful activation and discovery of Trojan circuits sient power supply currents, to identify Trojans in chips. The
through application of random or ATPG generated patterns is eas- main deficiencies of their technique include the measurement of
ily defeated by an adversary. Third, the adversary can configure global signals and the use of signal processing techniques to deal
the Trojan to have a minimal impact on the chip’s nominal tran- with process variation effects. Also, test environment variations
sient and quiescent leakage current. Therefore, conventional test- are not modeled or addressed in their work and, unfortunately, are
ing methods that measure global, chip-wide, behavior of the significant detractors for transient signal analysis methods.
power supply current, e.g., IDDQ, are ineffective because of very The authors of [5] propose an method that first determines a
small Trojan-current-to-background-current ratios that are present set of target ‘hard-to-observe’ sites for a Trojan with q inputs and
in multi-million transistor chips. then uses ATPG to generate patterns to activate the Trojan.
Given these characteristics, we believe the most effective Although this may be an effective strategy for Trojans with a
approach for detecting Trojans is to analyze the parametric prop- small number of inputs, analysis complexity and test set size will
erties, e.g., power and delay, across multiple regions of the chip. make this type of approach impractical for larger Trojans.
In particular, we propose a region-based transient power signal A Trojan detection method that measures the combinational
analysis method to reduce the impact of increasing levels of pro- delay of a large number of register-to-register paths internal to the

Authorized licensed use limited to: CADENCE DESIGN SYSTEMS. Downloaded on December 03,2024 at 13:19:25 UTC from IEEE Xplore. Restrictions apply.
 Trojan taxonomy

Physical Activation Action

characteristics characteristics characteristics

Type Distribution Always Condition Modify

on based function

Functional Parametric Tight Loose Sensor Logic

based Add Bypass
based
Modify
Size spec.
Temp. Volt. Ext.

Small Large Internal Input Cnter/Clk Defects Reliability

Transistor/wire Gate/Macro state

Data Instruction Interrupt

Figure 1. Taxonomy of Trojans
functional portion of the IC is proposed in [6]. This approach through modifications of existing wires and logic. The thinning of
assumes the attacker is not able to leverage existing ‘white space’ a wire, the weakening of a transistor or any modification of a
to insert the Trojan, or use design techniques that avoid adding to physical geometry designed to sabotage reliability or increase the
path delays. Moreover, the method requires precise characteriza- likelihood of a functional or performance failure are examples of
tion of silicon path delays at design time, which is becoming the latter. The size category accounts for the number of compo-
increasingly difficult because of process variation effects. nents in the chip that have been added, deleted or compromised
In [7], the authors propose a region-based stimulation strat- while the distribution category describes the location of the Tro-
egy and analyze the global power consumption to detect Trojans. jan in the physical layout of the chip. For example, a tight distri-
However, their method does not account for PE variations. In [8], bution describes a Trojan whose components are topologically
the authors introduce special circuitry that enables the direct con- close in the layout while a loose distribution describes Trojans
trol of the least controllable nodes in the circuit as a means of trig- that are dispersed across the layout of the chip.
gering the activation of a Trojan. As indicated earlier, methods 3.2 Trojan Activation Characteristics
that target direct activation are practical only for small Trojans. In
[9], the authors build a path delay fingerprint of Trojan-free chips Activation characteristics refer to the criteria that causes the
by running high coverage input patterns. The number of vectors Trojan to become active and carry out its disruptive function. We
needed for large designs to achieve adequate Trojan coverage is partition Trojan activation characteristics into two subclasses,
likely to make this approach impractical. labeled Always-on and Condition-based as shown in Figure 1.
In previous work, we proposed several region-based IDDQ Always-on, as the name implies, indicates that the Trojan is
always active and can disrupt the function of the chip at any time.
and IDDT test methods for detecting manufacturing defects and
This class covers Trojans that are implemented by modifying the
showed that techniques for calibrating PE variations are critical to geometries of the chip such that certain nodes or paths in the chip
providing adequate detection resolution [10][11]. The same con- have a higher susceptibility to failure. We referred to these types
cern holds true for Trojan detection. In this paper, we compare the of Trojans as ‘parametric’ in the type subclass of the physical
previously described DC calibration technique with several new characteristics class.
AC calibration techniques and demonstrate the latter are more
effective at reducing the adverse effects of PE variations on Tro- The Condition-based subclass includes Trojans that are
jan detection sensitivity. ‘inactive’ until a specific condition is met. The activation condi-
tion can be based on the output of a sensor that monitors tempera-
3 Taxonomy ture, voltage or any type of external environmental condition, e.g.,
Our proposed taxonomy describes Trojans using five electro-magnetic interference (EMI), humidity, altitude, etc. Or it
attributes, including three physical, one activation and one action can be based on an internal logic state, a particular input pattern or
attribute as shown Figure 11. Trojan physical characteristics refer an internal counter value. The Trojan in these cases is imple-
to the actual layout implementation details of the Trojan. The acti- mented by adding logic gates and/or flip-flops to the chip, and
vation category describes the strategies an adversary may use to therefore is represented as a combinational or sequential circuit.
trigger the Trojan to carry out its malicious act. The action cate-
gory describes the types of changes the Trojan may introduce to 3.3 Trojan Action Characteristics
the IC. Action characteristics identify the types of disruptive behav-
3.1 Trojan Physical Characteristics ior introduced by the Trojan. The classification scheme shown in
The type sub-category under physical characteristics parti- Figure 1 partitions Trojan actions into two categories; Modify-
tions Trojans into two fundamentally different classes, functional function and Modify-specification. As the name implies, the Mod-
and parametric. The functional class includes Trojans that are ify-function class refers to Trojans that change the chip’s function
physically realized through the addition or deletion of transistors through additional logic or by removing or bypassing existing
or gates, while parametric refers to Trojans that are realized logic. The Modify-specification class refers to Trojans that focus
their attack on changing the chip’s parametric properties, such as
delay. The latter class represents parametric Trojans that modify
1. Reference [12] elaborates on this taxonomy scheme. wire and transistor geometries.

Authorized licensed use limited to: CADENCE DESIGN SYSTEMS. Downloaded on December 03,2024 at 13:19:25 UTC from IEEE Xplore. Restrictions apply.
 Wire in original 31 Wire in
31 original
A design Inserted gate
To design
Trojan
B activation detonator Inserted gate
32-bit register
wire To

32-bit register
Trojan detonator
activation
32-input wire
NAND gate
Trojan gates and wires 0 Trojan transistors,
0 (a) gates and wires (b)
Figure 2. Multi-stage logic implementation of a Trojan comparator (a) Monolithic logic gate implementation of a Trojan
comparator (b)

4 Simulated Design and Trojan Detection Method ing logic testing, e.g., one chance in 232. However, actively moni-
Based on the proposed Taxonomy, it is clear that the diver- toring the values in a 32-bit register consumes power, and opens
sity of Trojans is immense and therefore, the most effective strat- up the possibility that the Trojan may be detected by monitoring
egy for detecting them may vary depending on the specific the power supply current during testing. Therefore, a secondary
characteristics of the Trojan. This paper does not attempt to evalu- issue for the adversary is to minimize the impact of the compara-
ate the overall effectiveness of region-based transient power sig- tor on the power consumption profile of the chip.
nal analysis methods across the proposed Trojan taxonomy (this is There are many possible ways to implement the comparator.
left for future work), but rather is focused on determining the The implementation shown in Figure 2(a) is a multi-stage logic
most effective method(s) of calibrating transient signals for PE gate with one minterm, i.e., it asserts its output under only one
variation effects. The results presented are therefore of benefit to permutation of its inputs. The drawback to this scheme, with
any type of Trojan detection scheme and are independent of Tro- regard to power consumption, is the high probability that partial
jan type. However, in order to provide a meaningful context for activation of the Trojan will occur during testing. Partial activa-
evaluating the signal calibration methods, a core logic design and tion is defined when one or more of the NORs and NANDs gate
several specific Trojan implementations are selected, as described outputs switch in response to changing data patterns in the regis-
in the following subsections. ter. This occurs because each gate monitors only a subset of the
4.1 Trojan Design register values. The partial activation of the Trojan increases
Given the clandestine nature of Trojans, we assume an intel- power consumption and makes it possible to detect it. A second
ligent and determined adversary will make it nearly impossible to scheme is to instead implement the monitor as a monolithic gate,
activate the Trojan accidentally or purposefully through func- as shown in Figure 2(b). In this case, a 32-bit NAND gate, shown
tional, structural, and random test patterns during manufacturing at the transistor level, is used to determine when the target bit pat-
test. For functional, condition-based Trojans, the adversary will tern is present. Partial activation occurs in this implementation as
work diligently to control activation to a time of his or her choos- well by virtue of the inserted inverters and the potential for charg-
ing. ing and discharging of the internal parasitic capacitances in the
The Trojan implementation shown in Figure 2(a) meets this long chain of series n-channel devices.
criteria for a hypothetical military application. The Trojan in this There are in fact many other implementations possible for
scenario is embedded in a chip that serves as the controller for a the comparator. The main point of this analysis, however, is to
missile system. The chip receives encrypted data from a ground- demonstrate that Trojans will always have some level of impact
based station through an RF channel and stores the data in a regis- on the power profile of the chip. Even if stealthy layout strategies
ter (shown on the left side of Figure 2(a)). By design, the data is are used that reduce the probability of partial activation, capaci-
decrypted and checked for validity by core logic components in tive loading to the wires being monitored will always be present.
the chip (not shown). This is a very important concept because it suggests that it is pos-
The gates shown to the right of the register in the figure rep- sible to detect the Trojan without activating it. The challenge is to
resent the Trojan. The inputs to the Trojan connect to the register develop a detection technique that maximizes the sensitivity to
and monitor its state. Since the register holds un-encrypted data, potentially small changes in the power profile of a chip with an
the adversary can control, through his own data transmission embedded Trojan. The main detractor to achieving high levels of
tower, the activation of the Trojan at a time of his choosing by resolution are process and environmental (PE) variations.
transmitting a specific bit pattern to the register. One possible 4.2 Simulation Models and Detection Algorithm
action carried out once the Trojan is activated might be to cause We propose a power supply transient analysis (IDDT) tech-
the missile to detonate prior to reaching its target. nique for detecting Trojans that is robust to the adverse effects of
The additional circuitry added by the adversary to implement PE variations. The method analyzes local, i.e., within-chip, IDDT
the Trojan necessarily includes some type of comparator to decide measurements obtained from the multiple, individual power ports
when the trigger bit pattern is present. In order to prevent acciden- (PPs) on the chip. The method is described following the descrip-
tal discovery of the Trojan, during, for example, manufacturing tion of the design and model used in the simulation experiments.
test, the comparator must monitor a sufficiently large number of
bits and assert its output only on one or a very small number of 4.2.1 Simulation Model
possible combinations of those bits. For this discussion, assume A block diagram of the IC design used in the simulation
the values in a 32-bit register serve as input to the Trojan and the experiments is shown in Figure 3. The design includes a six metal
comparator asserts on only one set of values. This is sufficient to layer power grid with nine power ports, labeled PP0 through PP9.
make it unlikely that the Trojan will be accidentally activated dur- The core logic consists of four copies of the ISCAS‘85 C499

Authorized licensed use limited to: CADENCE DESIGN SYSTEMS. Downloaded on December 03,2024 at 13:19:25 UTC from IEEE Xplore. Restrictions apply.
 Membrane probe and its
Tester Power Supply DIB, Probe Card (PCB) contact resistance

PP2 PP5 PP8 Decoupling

PPP12 C499 Power Supply Stages Probe card VDD C4 model
C499 Copy 4 8Ω
PP1
Copy 2 PP4 PP7
1mΩ 4nH 30mΩ 2mΩ 250mΩ
94nH 25pH
112pH 4pH
2mΩ 1mΩ
2nd PWR
PPP01 C499 C499 and GND
V 2.5V 1st 250pH 5pH stage
Copy 1 Copy 3 stage C4s
PP0 PP3 PP6 GND C4 model
8Ω
6600uF 16.4uF 250mΩ
25pH
PPP03 PPP36 2mΩ 31pH 4pH

Figure 3. Architecture of Simulation Model Figure 4. Probe card model used in the simulation experiments

benchmark circuit [13]. The design is subsequently referred to as Trojan-free

the Quad Core. process models
The Trojan simulation models are created in two different

PP0 IDDT areas

ways for each of the two Trojans shown in Figure 2(a) and (b). Prediction
For 2(a), the Trojan is added to the netlist of one copy of the C499 ellipse
(lower left copy) and CADENCE FIRST ENCOUNTER is used
to synthesize the layout. The re-synthesis of the layout with the
Trojan gates (shown in Figure 2(a)) introduce significant changes residual
in the placement and routing of the core components of the C499.
In contrast, the components of the Trojan shown in Figure 2(b) are Trojan-inserted
added to an empty rectangle that is first introduced in the Trojan- process models
free version of the C499 and the inputs to the Trojan are routed
manually to a set of nodes along paths in the C499. Therefore, the PP1 IDDT areas
differences in the Trojan-inserted and Trojan-free layouts for Tro-
jan 2(b) are small. As shown in the simulation results, these two Figure 5. Example scatterplot for PPP01 of Figure 3 for one
different implementation strategies make it possible to detect Tro- of the experiments.
jan 2(a) more easily than Trojan 2(b).
Trojan-free and ten Trojan-inserted PMs. As an example, the scat-
PE variations are modeled in two ways. First, twenty unique
terplot shown in Figure 5 is created using the areas measured
RC-transistor models of the design are created by configuring
from adjacent power ports PP0 and PP1 for an experiment using
DIVA with different sets of TSMC 0.18 um process parameters
[14]. The two Trojan-free versions of the layout described above Trojan 2(b). A prediction ellipse is derived using the first fifteen
are extracted under each of these process models (PMs) while the data points from the twenty Trojan-free PM simulations (the last
two Trojan-inserted versions are extracted under only the first ten five Trojan-free PMs are used as control samples.)1 The disper-
PMs. Second, probe card impedance variations are introduced in sion in the Trojan-free data points is a result of un-calibrated PE
the off-chip components of the power distribution system. Figure variations.
4 shows a schematic of the power distribution system which
includes components representing the power supply (left), decou- Also shown are the data points from the ten Trojan-inserted
pling networks and probe card parasitics (middle) and membrane PMs. For this experiment, the Trojan introduces sufficient
probe card contact parasitics (right) [15]. One copy of the probe regional variation to cause all data point to fall outside the bounds
card and C4 parasitics are included for each of the nine power of the prediction ellipse and to be identified as outliers. The resid-
ports of the core logic. A dashed circle encloses the resistance and ual is labeled for one of the data points in the figure. In our exper-
inductance components that are varied in each of the simulation iments, it is defined as the distance between the data point and the
models. The inductor values are varied over 2-20 pH while the elliptical bound expressed as a standardized quantity. For exam-
resistance values are varied over 0-800 mΩ. The same procedure ple, a standardized residual of three indicates the data point is
was used to create twenty Trojan-free simulation models. three standard deviations from the elliptical bound.
Three two-pattern test sequences are used to drive the inputs From the architecture shown in Figure 3, it is possible to
of the lower left copy of the C499. The inputs to the other copies construct twelve scatterplots from adjacent power port pairings
are held at steady-state. Each of the test sequences sensitizes paths (PPPs). Several are labeled in the figure as PPP01, PPP12, PPP03
along which some of the Trojan inputs are connected. None of the and PPP36. For each Trojan-inserted PM, we report the largest
test sequences cause full activation of either Trojan. However,
each sequence introduces different levels of partial activation. standardized residual among the data points that are outliers as a
measure of the effectiveness of the signal calibration technique
4.2.2 Trojan Detection Algorithm under investigation.
The IDDT detection algorithm is based on a statistical analy-
sis of the IDDT waveform areas generated at the nine power ports
1. The elliptical bound is computed from the eigen val-
as a test sequence is simulated on the Quad Core. For each orthog-
onal pairing of power ports (see Figure 3), a scatterplot is con- ues of the covariance matrix and a three σ Χ2 (chi-
structed using the areas produced from simulations of the twenty square) distribution statistic.

Authorized licensed use limited to: CADENCE DESIGN SYSTEMS. Downloaded on December 03,2024 at 13:19:25 UTC from IEEE Xplore. Restrictions apply.
 NC
path areas scatterplot

Current (mAs)
Current (mAs)

analysis
PP1-IDDT
path wfms
calibration values path wfms
PP0-IDDT DC AS AW
PP6-IDDT 5 ns
Time (ns) Time (ns)
IDDQs wfm IR areas path
samples areas
Fig. 6. Calibration circuit step responses (left) and their
integrated derivatives (right). matrix transformation

5 Signal Calibration Techniques calibrated

scatterplot
Calibration is used to deal with process variations that occur path areas
analysis
in the chip’s core logic, power grid and off-chip connections to the
power ports. It is carried out on each chip using special calibration AW
calibration
circuits connected through a scan chain and inserted directly
below each of the power ports. The calibration circuits are wfms DFT
calibration values matrix
designed to generate a simple stimulus to the power grid. For trans.
IDDT signal analysis, the stimulus is a step current, that is created path calibrated
DFT iDFT
by enabling a transistor connected between the power grid and wfms path areas
ground grid in metal 1. path values
The left side of Figure 6 gives the simulated step response
current waveforms for a calibration test performed using a cali- Fig. 7. Signal Calibration Processes
bration circuit under PP0 in Figure 3. The waveforms produced at
The AA technique requires the area under the derivative of the
each of the nine power ports are shown at positions that corre-
step response or IR waveform to be measured. The measurement
spond to the layout positions of the power ports (a few are labeled
instrumentation needed for this technique is more complex and is
in the figure). As expected, the largest IDDT corresponds to PP0.
less attractive for this reason. The AW method requires complete
This is true because the power grid resistance is smallest between sampling of the step response waveforms and is clearly the most
the calibration circuit and this power port. Although not shown, expensive in terms of instrumentation.
eight other calibration tests are performed for each of the remain-
ing power ports, with each test producing a set of nine waveforms The calibration process can be generalized as follows. The
as shown for PP0. In total, eighty-one waveforms are produced data from the calibration tests define a matrix CM, as given by
from the nine calibration tests. Equation 1, where the rows correspond to the calibration tests and
In this paper, we investigate four signal calibration tech- the columns correspond to the power ports. Here, PPDxy indicates
niques, called DC for IDDQ-based, AS for AC-sample-based (first
PPD 00 PPD 01 PPD 08
proposed in [17]), AA for AC-area-based and AW for AC-wave- ----------------- ----------------- ... ----------------- cal. test 0
form-based, and compare their effectiveness on reducing the GD 0 GD 0 GD 0
adverse effects of PE variations against a fifth technique called
NC, i.e., no signal calibration. All methods (except NC) make use PPD 10 PPD 11 PPD 18
----------------- ----------------- ... ----------------- cal. test 1
of the calibration test data to define a transformation matrix. The CM = GD
1 GD 1
GD 1
methods differ in the use of the information available in the cali- Eq.1.
bration response waveforms, as depicted in Figure 7. For DC cali- ... ... ... ... ...
bration, the steady-state (IDDQ) value of the step response is used. PPD 80 PPD 81 PPD 88
For AS, the value of the step response at 5 ns is used. For AA, the ----------------- ----------------- ... ----------------- cal. test 8
GD 8 GD 8 GD 8
area under the derivative of the step response waveform is used1.
For AW, the entire step response waveform is used. power port data for calibration test x measured at power port y.
Since DC calibration uses IDDQs, it is capable of calibrating The normalization factor given as the denominator, GAx, is the
for only resistance variations in the CUT and test environment. sum of individual values along each row x. A transformation
Therefore, the AC techniques are expected to outperform DC in matrix, X, is computed from CM by taking its inverse, as given by
cases where inductance and capacitance variations are present. Equation 2, where the elements of CM, i.e., PPD00/GA0, are rep-
This holds true in our experiments because the series inductance resented as a00 in CM-1.
in the C4 membrane probe card and the capacitance of the power
grids are different in each of the PMs. Among the three AC meth- X = CM--1
ods, AS is the simplest because it requires the measurement of
–1
only a single sample from the calibration response waveforms. x 00 x 01 ... x 08 a 00 a 01 ... a 08
This is similar to the DC technique except that the sample is col- Eq.2.
lected immediately following the introduction of the step input. x 10 x 11 ... x 18 a a 11 ... a 18
= 10
... ... ... ... ... ... ... ...
1. The derivative of the step response is the impulse x 80 x 81 ... x 88 a 81 a 82 ... a 88
response or IR.

Authorized licensed use limited to: CADENCE DESIGN SYSTEMS. Downloaded on December 03,2024 at 13:19:25 UTC from IEEE Xplore. Restrictions apply.
 The transformation matrix is computed for each test chip and un-normalized path data and 2) by calibrating the path data to
from the calibration data. Once computed, it is subsequently used IDENTITY and to t22t, under each of the four calibration meth-
to calibrate the path data measured under core logic tests, as given ods and three test sequences. This process is repeated for Trojan
by Equation 3. The vector given by t0 through t8 corresponds to 2(a) and 2(b).
Cn = Tn * X 6 Simulation Results
The results of the simulation experiments are displayed in a
set of 3-D bar graphs for Trojan 2(a) in Figures 8 and 9 and for
c0 x 00 x 01 ... x 08 Trojan 2(b) in Figure 10. The x-axis of the bar graphs gives the
c1 x x ... x 18 Eq.3. control PMs, C1 through C5, and the ten Trojan-inserted PMs, T1
= t 0 t 1 ... t 8 × 10 11 through T10. The y-axis gives the results for the no signal calibra-
... ... ... ... ... tion case in front of the results for the DC, AS, AA and AW cali-
c8 x 80 x 81 ... x 88 bration cases. The z-axis gives the maximum standardized
residuals, i.e., the largest distance among the data points across
the nine data values (areas or waveforms) from the core logic the twelve scatterplots that fall outside the three sigma limits for
tests. The calibrated data is given by the column vector on the left, each process model. A value of zero indicates that all data points
i.e., c0 through c8. fell within the limits.
The bar graphs of Figure 8 show two results, one for un-nor-
The calibrated path data given by Cn in Equation 3 can be
malized data (top) and one for normalized data (bottom). Both bar
used directly in the prediction ellipse method. We refer to this graphs give results for Trojan 2(a) under the 2nd test sequence
analysis as ‘un-normalized’ in Section 6. The path data can also with the path data calibrated to t22t. The results in Figure 9 are
be normalized using a process identical to that described for the similar except they are derived from data calibrated to IDEN-
calibration data, i.e., the elements of the vector Cn are each TITY. The results for the 1st and 3rd test sequences in both cases
divided by the sum computed across all elements. We refer to this show similar trends and are therefore not shown.
analysis as ‘normalized’. From these results, it is clear that the ‘no calibration’ tech-
From Figure 7, the calibration data used in Equation 1 corre- nique performs poorly in all cases. For the un-normalized bar
sponds to single floating point numbers for the DC, AS and AA graphs, outliers are present in only five of the ten Trojan-inserted
methods, i.e., current samples for DC and AS and areas for AA. process models and all maximum residuals are less than 0.7. In
The calibration data for AW is an entire waveform and requires the normalized bar graphs, no outliers are generated so that Trojan
special treatment as shown along the bottom of Figure 7. In this is not detected. As described in Section 4.1, the signal variations
case, a discrete Fourier transform (DFT) is applied to the IR introduced by Trojan 2(a) are fairly large because of the way it is
waveforms to convert them into the real and imaginary compo- implemented. This result demonstrates that signal calibration is an
nents appropriate for the matrix inverse operation. The matrix important component for achieving a reasonable level of sensitiv-
inverse is then computed for each set of frequency components ity to Trojans using transient power supply detection methods.
separately. In our experiments, the frequency domain representa- From the bars corresponding to the calibration techniques, it
tion contains 1024 real and imaginary components, so 1024 9-by- is clear that each is are able to easily identify the presence of this
9 CM matrices are constructed and inverted. Normalization is per- Trojan. The maximum residuals range from 15 to nearly 60 stan-
formed by dividing all frequency components by the DC compo- dard deviations. The failure of the DC calibration method to
nents. The path waveforms are treated in a similar fashion. Once account for inductance and capacitance variations reduces its sen-
calibrated, an inverse DFT is performed on the calibrated path real sitivity to Trojans. This is more noticeable in the bottom (normal-
and imaginary components and the area under the path waveforms ized) bar graphs where the maximum residuals for DC are
are used in the prediction ellipse method. noticeable smaller than those for any of the AC techniques. Inter-
One other variant of the calibration process is investigated in estingly, the AC techniques are nearly equivalent in terms of their
this paper. The transformation matrix X given by Equation 2 is detection resolution. This is significant because it suggests that
defined as the matrix inverse of CM. It is also possible to calibrate the simpler AS technique can be used in place of more complex
to a specific probe card and process model by multiplying the techniques such as AW which perform full waveform calibration.
CM-1 obtained for any given process model by the CM of the tar- The last notable observation concerning these results is the
difference in the magnitudes of the maximum residuals of un-nor-
get process model using Equation 2, i.e., X = CM-1(PMa) X
malized and normalized techniques. The normalized technique
CM(PMb) to calibrate PMa to PMb. The target process model in marginally outperforms the un-normalized technique for this Tro-
our experiments is the model identified as t22t on [14]. The two jan. There does not appear to be any advantage to calibrating to
approaches are referred to as ‘calibrate to IDENTITY’ and ‘cali- IDENTITY or t22t.
brate to t22t’. The bar graph of Figure 10 gives the results across all paths
The process followed in our experiments is as follows. A set for Trojan 2(b) using the normalized and ‘calibrate to t22t’ meth-
of thirty simulation models are created for the Quad Core, twenty ods. The format is identical to that used in Figures 8 and 9 except
for the Trojan-free design and ten for Trojan-inserted designs. The for the concatenation of the individual path results along the x-
calibration tests are carried out on each model and the transforma- axis. The results for the un-normalized and ‘calibrate to IDEN-
tion matrix computed. Three core logic test sequences are applied TITY’ methods show no distinguishable advantage for Trojan
and the IDDT areas or waveforms are calibrated using the transfor- 2(b), and consequently are not shown.
mation matrix. Twelve scatterplots are created from the calibrated The smaller range of values along the z-axis reflects the
data and the prediction ellipses are computed using fifteen data much smaller signal anomaly introduced by this Trojan, as pre-
points from the Trojan-free PMs. The largest residuals for the five dicted in the discussion concerning its implementation in Section
remaining Trojan-free PMs and ten Trojan-inserted PMs are com- 4.1. It is also clear that the level of sensitivity to Trojans strongly
puted using the data points that fall outside the elliptical bounds depends on the test sequence. The maximum residuals of the 2nd
across the twelve scatterplots. The scatterplot analysis is carried test sequence are a factor of nearly three smaller than those under
out separately using uncalibrated data and using 1) normalized test sequences 1 and 3. Another notable feature is that one of the

Authorized licensed use limited to: CADENCE DESIGN SYSTEMS. Downloaded on December 03,2024 at 13:19:25 UTC from IEEE Xplore. Restrictions apply.
 Maximum Residuals

Maximum Residuals
25 35
20 30
25
15 20
10 15
10
5 AW 5 AW
AA AA
0 AS 0 AS
DC DC
NC NC
Control PMs Trojan PMs Control PMs Trojan PMs

Maximum Residuals
Maximum Residuals

60 40
50 35
40 30
25
30 20
20 15
AW 10
10 5 AW
AA AA
0 AS 0 AS
DC DC
NC NC
Control PMs Trojan PMs Control PMs Trojan PMs
Figure 8. Maximum residuals for Trojan 1, path 2, Figure 9. Maximum residuals for Trojan1, path2,
calibrated to t22t, un-normalized (top), normalized calibrated to IDENTITY, un-normalized (top), normalized
(bottom). (bottom).

8
7
Maximum Residuals

6
5
4
3
2
1
AW
0 AA
AS
DC
Control PMs Trojan PMs Control PMs Trojan PMs Control PMs Trojan PMs NC
1st test sequence 2nd test sequence 3rd test sequence
Figure 10. Maximum residuals for Trojan2, all paths, normalized and calibrated to t22t.

Trojan-free control PMs produces outliers with a maximum resid- new AC methods proposed in this paper outperform previously
ual of approximately two standard deviations. This indicates the described DC methods and the simplest form of AC signal cali-
importance of accurately characterizing the Trojan-free process bration, namely AC sampling, is equivalent in power to more
space. The conclusions drawn for Trojan 2(a) concerning the sig- complex schemes. For AC sampling, the important components of
nal calibration techniques hold true here as well. In particular, the the impedance variations in the chip and test environment are cap-
method applied without signal calibration for this Trojan produces tured in a single waveform sample under the condition that the
no outliers under any of the three test sequences. sample is collected close in time (couple of ns) to the delivery of
7 Conclusions the calibration stimulus.

A statistical approach is proposed for the detection of Tro-

8 Acknowledgements
jans that is based on the analysis of regional transient power sup- The work of Reza Rad and Jim Plusquellic was supported in
ply signals. Four different signal calibration techniques are part by NSF grant CNS-0716559. The work of Mohammad
analyzed to determine their relative effectiveness on reducing the Tehranipoor was supported in part by NSF grant CNS-0716535.
adverse effects of process and test environment variations. Simu- References
lation experiments demonstrate that signal calibration is an essen- [1] http://www.acq.osd.mil/dsb/reports/2005-02-
tial component to enhancing Trojan resolution of the method. The HPMS_Report_Final.pdf

Authorized licensed use limited to: CADENCE DESIGN SYSTEMS. Downloaded on December 03,2024 at 13:19:25 UTC from IEEE Xplore. Restrictions apply.
[2] http://www.darpa.mil/mto/solicitations/baa07-24/index.html Oriented Security and Trust, 2008, pp. 51-57.
[3] R. Rad, J. Plusquellic, M. Tehranipoor, “Sensitivity Analysis [10] D. Acharyya and J. Plusquellic, “Hardware Results Demon-
to Hardware Trojans using Power Supply Transient Sig- strating Defect Detection Using Power Supply Signal Mea-
nals”, International Workshop on Hardware-Oriented Secu- surements”, VLSI Test Symposium, 2005, pp. 433-438.
rity and Trust, 2008, pp. 3-7. [11] J. Plusquellic, D. Acharyya, A. Singh, M. Tehranipoor and C.
[4] D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, B. Sunar, Patel, “Quiescent Signal Analysis: a Multiple Supply Pad
“Trojan Detection using IC Fingerprinting”, Symposium on IDDQ Method,” IEEE Design and Test of Computers, vol.
Security and Privacy, 2007, pp. 296 - 310. 23, no. 4, pp. 278-293, 2006.
[5] F. Wolff, C. Papachristou, S. Bhunia, and R. Chakraborty, [12] X. Wang, M. Tehranipoor and J. Plusquellic, “Detecting Ma-
“Towards Trojan-Free Trusted ICs: Problem Analysis and licious Inclusions in Secure Hardware: Challenges and So-
Detection Scheme”, Design, Automation and Test in Eu- lutions”, International Workshop on Hardware-Oriented
rope, 2008, pp. 1362-1365. Security and Trust, 2008, pp. 15-19.
[6] Jie Li and John Lach, “At-Speed Delay Characterization for IC [13] http://www.fm.vslib.cz/~kes/asic/iscas/
Authentication and Trojan Horse Detection”, International [14] http://www.mosis.com/Technical/Testdata/tsmc-018-
Workshop on Hardware-Oriented Security and Trust, 2008, prm.html
pp. 8-14. [15]D. Acharyya and J. Plusquellic, “Impedance Profile of Com-
mercial Power Grid and Test System”, International Test Con-
[7] M. Banga and M. S. Hsiao, “A Region Based Approach for the ference, 2003, pp. 709-718.
Identification of Hardware Trojans”, International Work- [16] A. Singh, C. Patel and J. Plusquellic, “Fault Simulation Mod-
shop on Hardware-Oriented Security and Trust, 2008, pp. el for iDDT Testing: An Investigation”, VLSI Test Sympo-
40-47. sium, 2004, pp. 304-310.
[8] R. S. Chakraborty, S. Paul and S. Bhunia, “On-Demand Trans- [17] M. Sachdev, P. Janssen, V. Zieren, “Defect Detection with
parency for Improving Hardware Trojan Detectability”, In- Transient Current Testing and its Potential for Deep Sub-
ternational Workshop on Hardware-Oriented Security and micron CMOS ICs", International Test Conference, 1998,
Trust, 2008, pp. 48-50. pp. 204-213.
[9] Y. Jin and Y. Makris, “Hardware Trojan Detection Using Path
Delay Fingerprints”, International Workshop on Hardware-

Authorized licensed use limited to: CADENCE DESIGN SYSTEMS. Downloaded on December 03,2024 at 13:19:25 UTC from IEEE Xplore. Restrictions apply.