Post on 16-Jan-2017
slide 1
Fakir Sharif Hossain
PhD student
Graduate School of Information Science
Scan Segmentation Approach to Magnify Detection
Sensitivity for Tiny Hardware Trojan
Nara Institute of Science and technology (NAIST)
slide 2
Hardware Trojan
Detail from "The Procession of the Trojan
Horse in Troy“, Giovanni Domenico Tiepolo
A malicious modifications of an IC during design orfabrication in an untrusted design house orfoundry
'Trojan horse' is used as a metaphor for asomething that appears friendly but actuallyconceals a secret attacker
Threats
slide 3
Insertion Phase and Location
Figure: Vulnerable phases of IC development cycle: Chakraborty, Narasimhan & Bhunia (2010)
Modify Functionality Modify Specification Leak Information Denial of Service
Hig
h P
robabili
ty t
o b
e u
ntr
ust
ed
HT Taxonomy
slide 4
This is a Trust-Hub Taxonomy
The HINT project shows the following:
→ 4 (effects) × 5 (locations) × 5 (insertion phases) × 6 (abstraction levels) × 5 (activation mechanisms) = 3000 different HTs!
→ Very rich taxonomy!
→ Impossible to implement them all, and then detect them
Challenges of Hardware Trojan Detection
slide 5
Challenges:
• lack of observability and controllability after fabrication
• complexity
due to existence of billions of nano-scale components
due to high volume of soft and hard integrated IP cores
• overhead associated with physical inspection ofnanometer feature sizes for reverse engineering
could be intrusive
• difficulty to activate a Trojan
• increasing fabrication and environmental variations with technology scaling
Countermeasure Techniques
slide 6
Prevention: Prevention at Design Prevention at Fabrication Prevention at Post-Fabrication
Detection: Destructive Non-destructive
Invasive Non-invasive
Runtime Logic Testing Side-Channel Analysis
Objective of Our Proposed Method
To magnify the Trojan detection sensitivity for small hardware Trojan.
• We perform design for security (DFS)
Scan chain partitioning technique
Scan chain segmentation technique
• Generate Test pattern to detect HT into post fabricated IC
TDGP
• Power-based side-channel analysis
Switching current
slide 7
General Program Flow
slide 8
Figure: The Activity diagram of the whole process of HT detection
Design layout Feb Testing
RTLSpecification
Layout information
Netlist information
All chip with power ports
Data: power, leakage power
Physical chip
UntrustedTrusted Always Trusted
Scan Chain Repartitioning
Scan Segmentation by Clock Gating
Trojan Detection Golden Pattern (TDGP) and Golden Power Fingerprint Generation
Apply TDGP to IC and Measure Power
Compare Measured Power and Golden Fingerprint whether Trojan is inserted or not
Circuit w/Layout Information
Modified Circuit
TDGPGolden Fingerprint
Measured Power
Design Phase
Detection Phase
Manufactured IC
Proposed Working Diagram
Technique
Our proposed technique consist of four sections: Scan chain repartitioning
Scan chain segmentation
LOC pattern application technique
TDGP
Scan chain repartitioning
slide 10
Scan chain Repartitioning
slide 11
Eliminate longest chain connections among scan FFs ( remove allconnections)
Then reorder the scan cells so as to stitched them together using thenearest neighbor criteria
Reconnect them
Scan out
Scan in
Scan chain Repartitioning
slide 12
Figure. Proposed scan partition of s1238 benchmark, (a) Original
scan chains, (b) Connections removed and repartitioned according to
the algorithm, (c) reconnection scan cells
[1] Y. Bonhomme, P. Girard, L. Guiller, C. Landrault et al., “Design of routing-constrained low power scan chains,” Design, Automation and Test in Europe
Conference and Exhibition (DATE), pp. 62-67, 2004
We perform layout synthesis so that the scan chain repartition technique can have layout awareness
Technique
Our proposed technique consist of four sections:
Scan chain repartitioning
Scan chain segmentation
LOC pattern application technique
TDGP
slide 13
Scan chain segmentation
slide 14[1] K. Hong, K. Cheong, K. Sung, “A New Scan Partition Scheme for Low-Power Embedded Systems,” Electronics and Telecommunications Research
Institute (ETRI) journal, vol. 30, no. 3, pp. 412-420, 2008.
The scan segmentation architecture similar to [1] with little modification.
In [1] they segment so as the scan chain rippling is restricted during the scan
shift operation where we propose in launch operation.
fixed number of length-balancedsegments Add additional hardware for Gated clock controller Any segment can activate inde-Pendently by clock gating
Technique
Our proposed technique consist of four sections:
Scan chain repartitioning
Scan chain segmentation
LOC pattern application technique
TDGP
slide 15
LOC pattern application technique
slide 16
launch-on-capture (LOC) mode
Scan_EN=1, all the segments are active (shifting starts)
Vector, v1 is shifting into chain FFs
Scan_EN=0, v1 is set
First functional clock is applied, generates vector, v2
Ignore the capture response, r
Figure: The modified LOC technique for segment seg2_1
One segment gets clock
Others hold the previous value (frozen)
Technique
Our proposed technique consist of four sections:
Scan chain repartitioning
Scan chain segmentation
LOC pattern application technique
TDGP
slide 17
TDGP
slide 18
Trojan detection golden pattern (TDGP) is defined as the highest power consumption pattern during launch cycle.
TDGPs are based on switching power fingerprints
TDGPs are applied in detection phase to detect Troy
No. of TDGPs are small so the detection time is minimized
Detection
slide 19
PCPD (x) =𝑃𝑀𝐸𝐴𝑆𝑈𝑅𝐸𝐷(𝑥)−𝑃𝑇𝐷𝐺𝑃(𝑥)
𝑃𝑇𝐷𝐺𝑃(𝑥)
Detection is performed by power consumption percentage difference (PCPD) matrix
Where, 𝑃𝑀𝐸𝐴𝑆𝑈𝑅𝐸𝐷 = measured dynamic power after
applying TDGP 𝑃𝑇𝐷𝐺𝑃 = Golden power fingerprint
If Power difference is significant, we can detect Trojan
Results on Experiment
slide 20
Our proposed method is applied into s1238 benchmark of ISCAS89
The original design is synthesized using Synopsys Design Compiler and IC Compiler with 90nm technology.
The scan chain repartitioning and reordering algorithm is performed with C program.
Transition delay test vectors are generated by Synopsys TetraMax ATPG tool.
The Synopsys Verilog Compiler (VCS) is used to analyze switching activity of Trojans and
the power consumption is analyzed in Synopsys Prime Time
Results on Experiment
slide 21
To evaluate our method we segments the s1238 benchmark circuit into 4 with 2 scan chains
Each scan chain has 9 FFs
We insert a small combinational Trojan (2 AND + 1 NAND) into the Segment0_2 of scan chain-1.
It occupies only <0.6% of area of total circuit area (504 Gates)
24 transition delay test vectors are generated for each segment.
Therefore, our proposed method has total 96 (24×4) test patterns
Results on Experiment
slide 22
For comparative analysis we design two more methods and insert same Trojan.
The first method (method-1) is normal LOC without segmentation and clock gating.
The second method (method-2) has clock gating for scan chains only but not for segmentations.
For method-1 we apply 10 TDGPs and record 10 power fingerprints.
Similarly, we get 20 power fingerprints from method-2 when apply 20 TDGPs (10 for each scan chain).
Results on Experiment
slide 23
The values are in %difference in golden and measured power
TDGP ID
Meth.-1 Method-2 Method-3 (Proposed)
Entire chain-1 chain-2 Seg0_1 Seg0_2 Seg1_1 Seg1_2
0 5.51 8.40 0.46 0.25 22.9 0.34 0.521 2.33 15.1 0.30 0.49 5.64 0.54 0.082 2.08 5.50 0.16 0.09 7.28 0.7 0.033 8.06 7.40 0.80 0.42 18.1 0.4 0.304 3.67 12.5 0.44 0.64 13.4 0.7 0.275 6.62 5.92 0.46 0.39 11.10 0.58 0.216 2.86 10.78 0.28 0.39 10.78 0.78 0.137 6.78 10.06 0.26 0.30 10.14 0.32 0.228 7.97 0.69 0.50 0.24 10.22 0.32 0.239 3.37 6.53 0.27 0.75 6.39 0.58 0.11
Max 8.06 15.11 22.96
Table: Trojan detection summary for 1238 benchmark
Results on Experiment
slide 24
0
5
10
15
20
25
Seg0_1 Seg0_2 Seg1_1 Seg1_2 Original Chain-1 Chain-2
TDGP vs. Power difference
TDGP-1 TDGP-2 TDGP-3 TDGP-4 TDGP-5
Fig. 5. A column chart of 3-methods for combinational Trojan
• As our proposed method has clock gating for both segmentations
and scan chains, 40 TDGPs are applied (10 for each segment)
and got 40 power fingerprints.
Conclusions
slide 25
This proposed technique is an effective method aiming to
magnify detection sensitivity.
The results showed that switching in most of the non-target
segments reduced significantly.
The impact of the smaller segment’s size and test application
method designated that this technique could effectively detect
the Trojans.
The detection sensitivity of this method delivered the rank of
efficiency of this technique.
Future extension:
we will address process variations and
introduce a new detection technique without golden references.
slide 26
Thank You All