slide 1
Fakir Sharif Hossain
PhD student
Graduate School of Information Science
Scan Segmentation Approach to Magnify Detection
Sensitivity for Tiny Hardware Trojan
Nara Institute of Science and technology (NAIST)

slide 2
Hardware Trojan
Detail from "The Procession of the Trojan
Horse in Troy“, Giovanni Domenico Tiepolo
 A malicious modifications of an IC during design or
fabrication in an untrusted design house or
foundry
 'Trojan horse' is used as a metaphor for a
something that appears friendly but actually
conceals a secret attacker

Threats
slide 3
Insertion Phase and Location
Figure: Vulnerable phases of IC development cycle: Chakraborty, Narasimhan & Bhunia (2010)
 Modify Functionality
 Modify Specification
 Leak Information
 Denial of Service
HighProbabilitytobeuntrusted

HT Taxonomy
slide 4
This is a Trust-Hub Taxonomy
The HINT project shows the following:
→ 4 (effects) × 5 (locations) × 5 (insertion phases) × 6 (abstraction levels) × 5
(activation mechanisms) = 3000 different HTs!
→ Very rich taxonomy!
→ Impossible to implement them all, and then detect them

Challenges of Hardware Trojan Detection
slide 5
Challenges:
• lack of observability and controllability after fabrication
• complexity
 due to existence of billions of nano-scale components
 due to high volume of soft and hard integrated IP cores
• overhead associated with physical inspection of
nanometer feature sizes for reverse engineering
 could be intrusive
• difficulty to activate a Trojan
• increasing fabrication and environmental variations with
technology scaling

Countermeasure Techniques
slide 6
Prevention:
 Prevention at Design
 Prevention at Fabrication
 Prevention at Post-Fabrication
Detection:
 Destructive
 Non-destructive
 Invasive
 Non-invasive
 Runtime
 Logic Testing
 Side-Channel Analysis

Objective of Our Proposed Method
 To magnify the Trojan detection sensitivity for small
hardware Trojan.
• We perform design for security (DFS)
 Scan chain partitioning technique
 Scan chain segmentation technique
• Generate Test pattern to detect HT into post fabricated IC
 TDGP
• Power-based side-channel analysis
Switching current
slide 7

General Program Flow
slide 8
Figure: The Activity diagram of the whole process of HT detection
Design layout Feb Testing
RTL
Specification
Layout information
Netlist information
All chip with power ports
Data: power, leakage power
Physical chip
UntrustedTrusted Always Trusted

Scan Chain Repartitioning
Scan Segmentation by Clock Gating
Trojan Detection Golden Pattern (TDGP)
and Golden Power Fingerprint Generation
Apply TDGP to IC and Measure Power
Compare Measured Power and Golden Fingerprint whether
Trojan is inserted or not
Circuit w/
Layout Information
Modified Circuit
TDGPGolden Fingerprint
Measured Power
Design Phase
Detection Phase
Manufactured IC
Proposed Working Diagram

Technique
Our proposed technique consist of four sections:
 Scan chain repartitioning
 Scan chain segmentation
 LOC pattern application technique
 TDGP
 Scan chain repartitioning
slide 10

Scan chain Repartitioning
slide 11
 Eliminate longest chain connections among scan FFs ( remove all
connections)
 Then reorder the scan cells so as to stitched them together using the
nearest neighbor criteria
 Reconnect them
Scan out
Scan in

Scan chain Repartitioning
slide 12
Figure. Proposed scan partition of s1238 benchmark, (a) Original
scan chains, (b) Connections removed and repartitioned according to
the algorithm, (c) reconnection scan cells
[1] Y. Bonhomme, P. Girard, L. Guiller, C. Landrault et al., “Design of routing-constrained low power scan chains,” Design, Automation and Test in Europe
Conference and Exhibition (DATE), pp. 62-67, 2004
 We perform layout synthesis so that the scan chain repartition technique
can have layout awareness

Technique
Our proposed technique consist of four sections:
 Scan chain repartitioning
 Scan chain segmentation
 LOC pattern application technique
 TDGP
slide 13

Scan chain segmentation
slide 14
[1] K. Hong, K. Cheong, K. Sung, “A New Scan Partition Scheme for Low-Power Embedded Systems,” Electronics and Telecommunications Research
Institute (ETRI) journal, vol. 30, no. 3, pp. 412-420, 2008.
 The scan segmentation architecture similar to [1] with little modification.
 In [1] they segment so as the scan chain rippling is restricted during the scan
shift operation where we propose in launch operation.
 fixed number of length-balanced
segments
 Add additional hardware for
Gated clock controller
 Any segment can activate inde-
Pendently by clock gating

Technique
Our proposed technique consist of four sections:
 Scan chain repartitioning
 Scan chain segmentation
 LOC pattern application technique
 TDGP
slide 15

LOC pattern application technique
slide 16
launch-on-capture (LOC) mode
Scan_EN=1, all the segments are active (shifting starts)
Vector, v1 is shifting into chain FFs
 Scan_EN=0, v1 is set
 First functional clock is applied, generates vector, v2
 Ignore the capture response, r
Figure: The modified LOC technique for segment seg2_1
 One segment gets
clock
 Others hold the
previous value
(frozen)

Technique
Our proposed technique consist of four sections:
 Scan chain repartitioning
 Scan chain segmentation
 LOC pattern application technique
 TDGP
slide 17

TDGP
slide 18
 Trojan detection golden pattern (TDGP) is defined as
the highest power consumption pattern during launch
cycle.
 TDGPs are based on switching power fingerprints
 TDGPs are applied in detection phase to detect Troy
 No. of TDGPs are small so the detection time is
minimized

Detection
slide 19
PCPD (x) =
𝑃 𝑀𝐸𝐴𝑆𝑈𝑅𝐸𝐷(𝑥)−𝑃 𝑇𝐷𝐺𝑃(𝑥)
𝑃 𝑇𝐷𝐺𝑃(𝑥)
 Detection is performed by power consumption percentage
difference (PCPD) matrix
Where, 𝑃 𝑀𝐸𝐴𝑆𝑈𝑅𝐸𝐷 = measured dynamic power after
applying TDGP
𝑃 𝑇𝐷𝐺𝑃 = Golden power fingerprint
 If Power difference is significant, we can detect Trojan

Results on Experiment
slide 20
 Our proposed method is applied into s1238 benchmark
of ISCAS89
 The original design is synthesized using Synopsys Design
Compiler and IC Compiler with 90nm technology.
 The scan chain repartitioning and reordering algorithm is
performed with C program.
 Transition delay test vectors are generated by Synopsys
TetraMax ATPG tool.
 The Synopsys Verilog Compiler (VCS) is used to analyze
switching activity of Trojans and
 the power consumption is analyzed in Synopsys Prime
Time

Results on Experiment
slide 21
 To evaluate our method we segments the s1238
benchmark circuit into 4 with 2 scan chains
 Each scan chain has 9 FFs
 We insert a small combinational Trojan (2 AND + 1 NAND)
into the Segment0_2 of scan chain-1.
 It occupies only <0.6% of area of total circuit area (504
Gates)
 24 transition delay test vectors are generated for each
segment.
 Therefore, our proposed method has total 96 (24×4) test
patterns

Results on Experiment
slide 22
 For comparative analysis we design two more methods
and insert same Trojan.
 The first method (method-1) is normal LOC without
segmentation and clock gating.
 The second method (method-2) has clock gating for scan
chains only but not for segmentations.
 For method-1 we apply 10 TDGPs and record 10 power
fingerprints.
 Similarly, we get 20 power fingerprints from method-2
when apply 20 TDGPs (10 for each scan chain).

Results on Experiment
slide 23
The values are in %difference in golden and measured power
TDGP ID
Meth.-1 Method-2 Method-3 (Proposed)
Entire chain-1 chain-2 Seg0_1 Seg0_2 Seg1_1 Seg1_2
0 5.51 8.40 0.46 0.25 22.9 0.34 0.52
1 2.33 15.1 0.30 0.49 5.64 0.54 0.08
2 2.08 5.50 0.16 0.09 7.28 0.7 0.03
3 8.06 7.40 0.80 0.42 18.1 0.4 0.30
4 3.67 12.5 0.44 0.64 13.4 0.7 0.27
5 6.62 5.92 0.46 0.39 11.10 0.58 0.21
6 2.86 10.78 0.28 0.39 10.78 0.78 0.13
7 6.78 10.06 0.26 0.30 10.14 0.32 0.22
8 7.97 0.69 0.50 0.24 10.22 0.32 0.23
9 3.37 6.53 0.27 0.75 6.39 0.58 0.11
Max 8.06 15.11 22.96
Table: Trojan detection summary for 1238 benchmark

Results on Experiment
slide 24
0
5
10
15
20
25
Seg0_1 Seg0_2 Seg1_1 Seg1_2 Original Chain-1 Chain-2
TDGP vs. Power difference
TDGP-1 TDGP-2 TDGP-3 TDGP-4 TDGP-5
Fig. 5. A column chart of 3-methods for combinational Trojan
• As our proposed method has clock gating for both segmentations
and scan chains, 40 TDGPs are applied (10 for each segment)
and got 40 power fingerprints.

Conclusions
slide 25
 This proposed technique is an effective method aiming to
magnify detection sensitivity.
 The results showed that switching in most of the non-target
segments reduced significantly.
 The impact of the smaller segment’s size and test application
method designated that this technique could effectively detect
the Trojans.
 The detection sensitivity of this method delivered the rank of
efficiency of this technique.
Future extension:
we will address process variations and
introduce a new detection technique without golden references.

slide 26
Thank You All