
Hardware Trojans: Design and Identification

Posted on: 2015-04-05
Degree: Ph.D
Type: Thesis
University: The Chinese University of Hong Kong (Hong Kong)
Candidate: Zhang, Jie
Full Text: PDF
GTID: 2478390017499080
Subject: Computer Engineering
Abstract/Summary:
With ever-increasing hardware complexity and a large number of third parties involved in the design and fabrication process of integrated circuits (ICs), today's IC products are vulnerable to a wide range of malicious alterations, namely hardware Trojans (HTs). HTs implemented by adversaries can serve as backdoors to subvert or compromise the normal operation of infected devices, which could lead to functionality changes, leakage of sensitive information, or Denial of Service attacks. As a result, HTs pose a serious threat to the security of computing systems and have attracted attention from academia and industry.

HT identification and implementation techniques are like an arms race, wherein designers update security measures to protect their systems while attackers respond with trickier HTs. There are basically two types of HT identification techniques, targeting HTs inserted at the design stage and at the manufacturing stage. For design-level HTs, the dynamic detection technique, unused circuit identification (UCI), can only cover a limited set of HTs due to its simple definition of unused circuit, while the static detection technique, FANCI, can miss some sequential HTs because it does not consider sequential logic. For manufacturing-level HTs, the mainstream HT detection methods, which are based on side-channel analysis (SCA), are either sensitive to process variation (PV) or unscalable due to high computational complexity.

Faced with state-of-the-art HT identification techniques, adversaries will no doubt adjust their tactics accordingly, and it is hence essential to examine whether new types of HTs can be designed to defeat these HT detection techniques. Previous works mainly focused on the application of HTs, such as supporting software attacks or side-channel attacks, and ignored the importance of the HT implementation.

To address the above problem, this thesis aims to investigate HT identification and implementation separately. In terms of HT identification, firstly, this thesis proposes a novel verification technique for design-level HTs, namely VeriTrust, which automatically identifies potential HT trigger inputs by examining verification corners; secondly, this thesis proposes a novel signature outlier identification technique for manufacturing-level HTs, namely HTOutlier, which is PV-resistant and scalable; thirdly, this thesis proposes an identification technique for one type of HT, called Trojan side-channels (TSCs), which leak secret keys via covert side channels, by leveraging the correlation between the key and the covert side channels. In terms of HT implementation, firstly, this thesis proposes a systematic HT design and implementation methodology to defeat UCI techniques with novel implementation code models; secondly, this thesis proposes another systematic HT design methodology to defeat FANCI and VeriTrust by carefully spreading the trigger logic into multiple sequential levels and combining the trigger logic with the normal logic.
Keywords/Search Tags:Identification, Hardware, Hts, Thesis proposes