Research On Pre-silicon Reference-free Hardware Trojan Detection Techniques

Posted on: 2021-01-15
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y He
GTID: 1368330623984082
Subject: Circuits and Systems

Abstract/Summary:
As information security techniques have evolved, the traditional assumption that hardware is absolutely secure is no longer acceptable, and the security of hardware itself has attracted wide concern. Hardware Trojans are malicious circuits that stay dormant in a chip until activated and can take over the whole system once activated, which makes them a more flexible and more severe threat than software attacks. The chip manufacturing process and the IP design phase are the two typical scenarios for Trojan insertion, but the mainstream post-silicon detection techniques based on side-channel analysis apply only to Trojans inserted during chip fabrication. With the popularity of IP-reuse-based design methodology, detecting hardware Trojans that may have been inserted in third-party IP has become an urgent problem. The lack of a reference design is the main difficulty in detecting such Trojans, and the existing detection methods all suffer from certain limitations. This work therefore focuses on Trojan detection techniques for the IP-source attack model, in which no reference model is available. The main efforts and contributions are as follows:

· By introducing testability analysis from integrated circuit design, this work proposes a hardware Trojan detection scheme based on identifying low-testability trigger signals under the reference-free IP-source attack model. Based on an analysis of the relationships among three testability evaluations, it proposes static difference-amplified controllability and simulation-based dynamic probability and transition analysis. The difference-amplified controllability model proposed for static analysis portrays the low activity and stealthiness of trigger signals better than the simple controllability and observability model, since it reflects both poor testability and low static transition probability. To process the difference-amplified controllability values, k-means unsupervised clustering is adopted to classify the signals into a Trojan list and a normal list. To take advantage of test vectors and dynamic simulation, simulation-based dynamic signal probability and transition probability analysis is proposed, which separates Trojan signals from normal ones by analyzing their dynamic signal probabilities and transitions in simulation. The proposed detection scheme detects all the Trojans in the Trust-HUB benchmarks, and its false positive rates are lower than those of existing works.

· Since the existing Trojan benchmarks always rely on low-testability signals, this work investigates whether Trojan design methods can eliminate low-testability signals altogether. It proposes two schemes for holistic design of the Trojan trigger and payload, sum of product (SOP) and product of sum (POS), which eliminate low-testability signals by coupling child trigger signals with the payload signal one by one. To evade structural feature detection and to balance the controllability and observability values, this work proposes random replacement and register insertion methods, and then a complete algorithm for automatic generation of Trojan benchmarks. Analysis and experiments show that the generated Trojans can evade the existing reference-free detection methods.

· This work proposes re-convergent logic detection and a logic re-synthesis pre-processing procedure for possible Trojans in which low-testability signals have been eliminated. The complete detection scheme is applied to the 914 benchmarks on Trust-HUB, and all the trigger signals are identified, so the false negative rate is 0. The highest false positive rate is 11.7%, and only 16 benchmarks have false positive rates exceeding 4%. Since the proposed detection is based on simulation and logic analysis of the pre-silicon gate-level netlist, it consumes no extra chip area. The main detection time, that of dynamic simulation, is negligible compared with functional verification, since no Trojan activation is required, and Trojan detection can be conducted simultaneously with functional verification.
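To make the static side of the first contribution concrete, the following added example (not code from the dissertation) computes standard SCOAP combinational controllability (CC0, CC1) together with static signal and transition probability for each net of a small gate-level netlist, then flags nets with very low transition probability as candidate trigger signals. It does not implement the dissertation's difference-amplified controllability model or its k-means step, which the abstract does not define. The netlist, net names, function names and the 0.05 threshold are constructed for illustration, and inputs are assumed unbiased and independent.

```python
from math import prod

# Constructed netlist (not from the dissertation or Trust-HUB): (output, gate, inputs),
# in topological order. "trig" is a rarely-true 8-input AND cone XORed into the output.
PRIMARY_INPUTS = [f"a{i}" for i in range(8)] + ["d0", "d1", "d2", "d3"]
NETLIST = [
    ("n1", "AND", ["d0", "d1"]),
    ("n2", "OR", ["d2", "d3"]),
    ("n3", "XOR", ["n1", "n2"]),
    ("t_lo", "AND", ["a0", "a1", "a2", "a3"]),
    ("t_hi", "AND", ["a4", "a5", "a6", "a7"]),
    ("trig", "AND", ["t_lo", "t_hi"]),
    ("out", "XOR", ["n3", "trig"]),
]

def analyze(inputs, netlist):
    """Return {net: (CC0, CC1, P1, TP)} from SCOAP rules and independent-input probabilities."""
    cc = {n: (1, 1) for n in inputs}   # SCOAP: a primary input costs 1 to set to 0 or 1
    p1 = {n: 0.5 for n in inputs}      # assumption: unbiased, independent inputs
    for out, gate, ins in netlist:
        c0 = [cc[i][0] for i in ins]
        c1 = [cc[i][1] for i in ins]
        p = [p1[i] for i in ins]
        if gate == "AND":
            cc[out] = (min(c0) + 1, sum(c1) + 1)
            p1[out] = prod(p)
        elif gate == "OR":
            cc[out] = (sum(c0) + 1, min(c1) + 1)
            p1[out] = 1 - prod(1 - x for x in p)
        elif gate == "NOT":
            cc[out] = (c1[0] + 1, c0[0] + 1)
            p1[out] = 1 - p[0]
        elif gate == "XOR":  # two-input only
            cc[out] = (min(c0[0] + c0[1], c1[0] + c1[1]) + 1,
                       min(c0[0] + c1[1], c1[0] + c0[1]) + 1)
            p1[out] = p[0] * (1 - p[1]) + p[1] * (1 - p[0])
        else:
            raise ValueError(f"unsupported gate: {gate}")
    # Static transition probability across two independent cycles: 2 * P1 * (1 - P1)
    return {n: (*cc[n], p1[n], 2 * p1[n] * (1 - p1[n])) for n in cc}

def suspects(inputs, netlist, tp_threshold=0.05):
    """Nets whose static transition probability falls below the (illustrative) threshold."""
    return sorted(n for n, v in analyze(inputs, netlist).items() if v[3] < tp_threshold)

if __name__ == "__main__":
    for net, (c0, c1, p, tp) in analyze(PRIMARY_INPUTS, NETLIST).items():
        print(f"{net:5s} CC0={c0:2d} CC1={c1:2d} P1={p:.4f} TP={tp:.4f}")
    print("suspects:", suspects(PRIMARY_INPUTS, NETLIST))
```

The independence assumption breaks down on re-convergent fanout, which is one reason the abstract pairs static analysis with simulation-based probabilities and a re-convergent logic pre-processing step.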
Keywords/Search Tags:Hardware Trojan, reference-free Trojan detection, transition probability, combinational controllability, combinational observability