More Related Content


More from 奈良先端大 情報科学研究科(20)


Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan

  1. slide 1 Fakir Sharif Hossain PhD student Graduate School of Information Science Scan Segmentation Approach to Magnify Detection Sensitivity for Tiny Hardware Trojan Nara Institute of Science and technology (NAIST)
  2. slide 2 Hardware Trojan Detail from "The Procession of the Trojan Horse in Troy“, Giovanni Domenico Tiepolo  A malicious modifications of an IC during design or fabrication in an untrusted design house or foundry  'Trojan horse' is used as a metaphor for a something that appears friendly but actually conceals a secret attacker
  3. Threats slide 3 Insertion Phase and Location Figure: Vulnerable phases of IC development cycle: Chakraborty, Narasimhan & Bhunia (2010)  Modify Functionality  Modify Specification  Leak Information  Denial of Service HighProbabilitytobeuntrusted
  4. HT Taxonomy slide 4 This is a Trust-Hub Taxonomy The HINT project shows the following: → 4 (effects) × 5 (locations) × 5 (insertion phases) × 6 (abstraction levels) × 5 (activation mechanisms) = 3000 different HTs! → Very rich taxonomy! → Impossible to implement them all, and then detect them
  5. Challenges of Hardware Trojan Detection slide 5 Challenges: • lack of observability and controllability after fabrication • complexity  due to existence of billions of nano-scale components  due to high volume of soft and hard integrated IP cores • overhead associated with physical inspection of nanometer feature sizes for reverse engineering  could be intrusive • difficulty to activate a Trojan • increasing fabrication and environmental variations with technology scaling
  6. Countermeasure Techniques slide 6 Prevention:  Prevention at Design  Prevention at Fabrication  Prevention at Post-Fabrication Detection:  Destructive  Non-destructive  Invasive  Non-invasive  Runtime  Logic Testing  Side-Channel Analysis
  7. Objective of Our Proposed Method  To magnify the Trojan detection sensitivity for small hardware Trojan. • We perform design for security (DFS)  Scan chain partitioning technique  Scan chain segmentation technique • Generate Test pattern to detect HT into post fabricated IC  TDGP • Power-based side-channel analysis Switching current slide 7
  8. General Program Flow slide 8 Figure: The Activity diagram of the whole process of HT detection Design layout Feb Testing RTL Specification Layout information Netlist information All chip with power ports Data: power, leakage power Physical chip UntrustedTrusted Always Trusted
  9. Scan Chain Repartitioning Scan Segmentation by Clock Gating Trojan Detection Golden Pattern (TDGP) and Golden Power Fingerprint Generation Apply TDGP to IC and Measure Power Compare Measured Power and Golden Fingerprint whether Trojan is inserted or not Circuit w/ Layout Information Modified Circuit TDGPGolden Fingerprint Measured Power Design Phase Detection Phase Manufactured IC Proposed Working Diagram
  10. Technique Our proposed technique consist of four sections:  Scan chain repartitioning  Scan chain segmentation  LOC pattern application technique  TDGP  Scan chain repartitioning slide 10
  11. Scan chain Repartitioning slide 11  Eliminate longest chain connections among scan FFs ( remove all connections)  Then reorder the scan cells so as to stitched them together using the nearest neighbor criteria  Reconnect them Scan out Scan in
  12. Scan chain Repartitioning slide 12 Figure. Proposed scan partition of s1238 benchmark, (a) Original scan chains, (b) Connections removed and repartitioned according to the algorithm, (c) reconnection scan cells [1] Y. Bonhomme, P. Girard, L. Guiller, C. Landrault et al., “Design of routing-constrained low power scan chains,” Design, Automation and Test in Europe Conference and Exhibition (DATE), pp. 62-67, 2004  We perform layout synthesis so that the scan chain repartition technique can have layout awareness
  13. Technique Our proposed technique consist of four sections:  Scan chain repartitioning  Scan chain segmentation  LOC pattern application technique  TDGP slide 13
  14. Scan chain segmentation slide 14 [1] K. Hong, K. Cheong, K. Sung, “A New Scan Partition Scheme for Low-Power Embedded Systems,” Electronics and Telecommunications Research Institute (ETRI) journal, vol. 30, no. 3, pp. 412-420, 2008.  The scan segmentation architecture similar to [1] with little modification.  In [1] they segment so as the scan chain rippling is restricted during the scan shift operation where we propose in launch operation.  fixed number of length-balanced segments  Add additional hardware for Gated clock controller  Any segment can activate inde- Pendently by clock gating
  15. Technique Our proposed technique consist of four sections:  Scan chain repartitioning  Scan chain segmentation  LOC pattern application technique  TDGP slide 15
  16. LOC pattern application technique slide 16 launch-on-capture (LOC) mode Scan_EN=1, all the segments are active (shifting starts) Vector, v1 is shifting into chain FFs  Scan_EN=0, v1 is set  First functional clock is applied, generates vector, v2  Ignore the capture response, r Figure: The modified LOC technique for segment seg2_1  One segment gets clock  Others hold the previous value (frozen)
  17. Technique Our proposed technique consist of four sections:  Scan chain repartitioning  Scan chain segmentation  LOC pattern application technique  TDGP slide 17
  18. TDGP slide 18  Trojan detection golden pattern (TDGP) is defined as the highest power consumption pattern during launch cycle.  TDGPs are based on switching power fingerprints  TDGPs are applied in detection phase to detect Troy  No. of TDGPs are small so the detection time is minimized
  19. Detection slide 19 PCPD (x) = 𝑃 𝑀𝐸𝐴𝑆𝑈𝑅𝐸𝐷(𝑥)−𝑃 𝑇𝐷𝐺𝑃(𝑥) 𝑃 𝑇𝐷𝐺𝑃(𝑥)  Detection is performed by power consumption percentage difference (PCPD) matrix Where, 𝑃 𝑀𝐸𝐴𝑆𝑈𝑅𝐸𝐷 = measured dynamic power after applying TDGP 𝑃 𝑇𝐷𝐺𝑃 = Golden power fingerprint  If Power difference is significant, we can detect Trojan
  20. Results on Experiment slide 20  Our proposed method is applied into s1238 benchmark of ISCAS89  The original design is synthesized using Synopsys Design Compiler and IC Compiler with 90nm technology.  The scan chain repartitioning and reordering algorithm is performed with C program.  Transition delay test vectors are generated by Synopsys TetraMax ATPG tool.  The Synopsys Verilog Compiler (VCS) is used to analyze switching activity of Trojans and  the power consumption is analyzed in Synopsys Prime Time
  21. Results on Experiment slide 21  To evaluate our method we segments the s1238 benchmark circuit into 4 with 2 scan chains  Each scan chain has 9 FFs  We insert a small combinational Trojan (2 AND + 1 NAND) into the Segment0_2 of scan chain-1.  It occupies only <0.6% of area of total circuit area (504 Gates)  24 transition delay test vectors are generated for each segment.  Therefore, our proposed method has total 96 (24×4) test patterns
  22. Results on Experiment slide 22  For comparative analysis we design two more methods and insert same Trojan.  The first method (method-1) is normal LOC without segmentation and clock gating.  The second method (method-2) has clock gating for scan chains only but not for segmentations.  For method-1 we apply 10 TDGPs and record 10 power fingerprints.  Similarly, we get 20 power fingerprints from method-2 when apply 20 TDGPs (10 for each scan chain).
  23. Results on Experiment slide 23 The values are in %difference in golden and measured power TDGP ID Meth.-1 Method-2 Method-3 (Proposed) Entire chain-1 chain-2 Seg0_1 Seg0_2 Seg1_1 Seg1_2 0 5.51 8.40 0.46 0.25 22.9 0.34 0.52 1 2.33 15.1 0.30 0.49 5.64 0.54 0.08 2 2.08 5.50 0.16 0.09 7.28 0.7 0.03 3 8.06 7.40 0.80 0.42 18.1 0.4 0.30 4 3.67 12.5 0.44 0.64 13.4 0.7 0.27 5 6.62 5.92 0.46 0.39 11.10 0.58 0.21 6 2.86 10.78 0.28 0.39 10.78 0.78 0.13 7 6.78 10.06 0.26 0.30 10.14 0.32 0.22 8 7.97 0.69 0.50 0.24 10.22 0.32 0.23 9 3.37 6.53 0.27 0.75 6.39 0.58 0.11 Max 8.06 15.11 22.96 Table: Trojan detection summary for 1238 benchmark
  24. Results on Experiment slide 24 0 5 10 15 20 25 Seg0_1 Seg0_2 Seg1_1 Seg1_2 Original Chain-1 Chain-2 TDGP vs. Power difference TDGP-1 TDGP-2 TDGP-3 TDGP-4 TDGP-5 Fig. 5. A column chart of 3-methods for combinational Trojan • As our proposed method has clock gating for both segmentations and scan chains, 40 TDGPs are applied (10 for each segment) and got 40 power fingerprints.
  25. Conclusions slide 25  This proposed technique is an effective method aiming to magnify detection sensitivity.  The results showed that switching in most of the non-target segments reduced significantly.  The impact of the smaller segment’s size and test application method designated that this technique could effectively detect the Trojans.  The detection sensitivity of this method delivered the rank of efficiency of this technique. Future extension: we will address process variations and introduce a new detection technique without golden references.
  26. slide 26 Thank You All