Hardware Trojan Detection
Guided by
Dr. P. Kalpana
Professor
Department of ECE
PSG College of Technology
Presented by
S. Sri Nishith
15MV32
M.E. VLSI Design
Contents
• Objective
• Introduction
• Trojan detection techniques
• Types of hardware Trojan
• Literature survey
• Combinational Trojan
• Synchronous Trojan
• Pulse propagation driven Trojan detection
• Implementation and results
• LBIST architecture
• Conclusion
Objective
• The objective is to detect the presence of a Trojan in a circuit by analysing power
and delay.
• To implement LBIST (Logic Built-In Self-Test) in an AES core in order to detect the
hardware Trojan by analysing area, power and test coverage.
Introduction
• A hardware Trojan is a malicious modification of the circuitry of an integrated
circuit.
• Extra circuitry added to the specified design can:
  • cause malfunction
  • steal secret information
  • create a backdoor for attack
Cont.
• Trojan circuits cannot be easily detected during normal operating conditions
because they trigger only under very rare conditions.
• So a hardware Trojan must be detected in an IC before it is used in various
applications.
Trojan detection techniques
• To date there are mainly three side-channel analysis techniques for hardware Trojan
detection:
  • Power measurement technique
  • Path delay measurement
  • Physical design based testing
Types of Hardware Trojan
Fig: Combinational Trojan
Fig: Synchronous Trojan
Fig: Asynchronous Trojan
Fig: Hybrid Trojan
Literature survey
1. Nan Li, Gunnar Carlsson, Elena Dubrova, Kim Petersén, “Logic BIST: State-of-the-Art
and Open Problems,” arXiv:1503.04628v1, 16 Mar 2015.
• The following problems need to be addressed to successfully deploy LBIST in
industrial practice.
• LBIST methods which take advantage of multiple identical blocks/cores on a
chip need to be developed. Existing LBIST CAD tools do not exploit this
possibility. For example, to reduce the area overhead of LBIST, the same
pseudo-random test pattern generator can be used for testing identical blocks.
Cont.
2. Y. Jin and Y. Makris, “Hardware Trojan detection using path delay fingerprint,” in
Proc. of the IEEE International Workshop on Hardware-Oriented Security and
Trust (HOST 2008), pp. 51–57, 2008.
• Traditional functional testing is less effective at detecting Trojan circuits for the
following reasons:
  • The trigger condition of a Trojan rarely appears.
  • The harm of Trojan circuits may emerge long after implementation.
Cont.
3. G. Hetherington, T. Fryars, N. Tamarapalli, M. Kassab, A. Hassan, and J. Rajski,
“Logic BIST for large industrial designs: real issues and case studies,” in
Proceedings of International Test Conference (ITC’1999), pp. 358 – 367, 1999.
• The LBIST test method is an attractive alternative to ATPG tests, as it can test an
integrated circuit on its own.
• It operates by exercising the circuit logic and then detecting if the logic behaved as
intended using an on-chip test generator and test response
Combinational Trojan
• A combinational Trojan is one in which the trigger depends on the values of
multiple internal nodes.
Synchronous Trojan
• A synchronous Trojan is triggered by some value of a counter that is clocked by the system clock.
Pulse propagation driven Trojan detection
• The pulse propagation driven approach for a generalized logic circuit consists of
the following key elements:
  • Pulse sensitization is performed from a selected logic circuit input to the appropriate
  logic circuit output.
  • Trojan existence is determined by whether the injected pulse reaches the
  circuit output, using a pulse detector circuit.
PULSE DETECTOR
• The pulse detector circuit is a carefully sized clocked inverter and is integrated inside
the scan flip-flop circuitry.
IMPLEMENTATION AND RESULTS
Implementation of 8:1 MUX
Output response of 8:1 MUX
Power analysis of 8:1 MUX
Implementation of combinational Trojan
Output response of combinational Trojan
Implementation of 8:1 MUX with combinational Trojan
Output response of 8:1 MUX with combinational Trojan
Power analysis of 8:1 MUX with combinational Trojan
Implementation of Pulse detector
Output response of Pulse detector
Insertion of pulse detector in 8:1 MUX with Trojan
Output response of pulse detector in 8:1 MUX with Trojan
Insertion of pulse detector in 8:1 MUX
Output response of pulse detector in 8:1 MUX
RESULTS
POWER ANALYSIS
DESIGN     POWER WITHOUT TROJAN   POWER WITH TROJAN
8:1 MUX    1.4261mW               2.0907mW
DELAY ANALYSIS
DESIGN     DELAY WITHOUT TROJAN   DELAY WITH TROJAN
8:1 MUX    368.4ps                10.64ns
Implementation of full adder
Output response of full adder
Power analysis of full adder
Implementation of full adder with combinational Trojan
Output response of full adder with combinational Trojan
Power response of full adder with combinational Trojan
Implementation of synchronous Trojan
Output response of synchronous Trojan
Implementation of full adder with synchronous Trojan
Output response of full adder with synchronous Trojan
Power response of full adder with synchronous Trojan
RESULTS
POWER ANALYSIS
DESIGN                            POWER WITH TROJAN
Full adder combinational Trojan   2.5353mW
Full adder synchronous Trojan     2.8873mW
DELAY ANALYSIS
DESIGN                            DELAY WITH TROJAN
Full adder combinational Trojan   20.0ms
Full adder synchronous Trojan     1.697ns
LBIST Architecture
• LBIST is one of the important BIST testing mechanisms, and is gaining
importance in various industries due to its unique advantage of automatic
testing of an IC with high test coverage.
• An important point about LBIST is that it can run whenever the system starts
and check that the signature is correct for the system to work
properly. If the signature mismatches, the system indicates a warning. Hence
LBIST is suited for repeated testing in the field.
Cont.
• The following figure shows the typical LBIST system.
Figure 1: A typical LBIST system
Cont.
• A typical LBIST system comprises the following:
  • Logic to be tested, also called the Circuit under Test (CUT)
  • PRPG (Pseudo-Random Pattern Generator)
  • MISR (Multi-Input Signature Register)
  • LBIST controller
Figure 2: LBIST architecture
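The PRPG, CUT and MISR blocks listed above, modelled behaviourally with the 8:1 MUX from the earlier slides as the CUT. This is an added example, not code from the presentation: the LFSR polynomials, the seed and the all-ones Trojan trigger are assumptions chosen for illustration, and because the MUX has one output the MISR here compacts a one-bit response.

```python
# Added example: behavioural model of one LBIST session (PRPG -> CUT -> MISR).
# Polynomials, seed and the Trojan trigger are assumptions, not taken from the slides.

PRPG_WIDTH, PRPG_TAPS = 11, (10, 8)            # 8 data + 3 select inputs of the MUX
MISR_WIDTH, MISR_TAPS = 16, (15, 13, 12, 10)
FULL_PERIOD = 2**PRPG_WIDTH - 1                # maximal-length LFSR: each non-zero pattern once


def lfsr_next(state, taps, width):
    """Advance a Fibonacci LFSR by one clock (shift left, XOR of taps fed into bit 0)."""
    feedback = 0
    for tap in taps:
        feedback ^= (state >> tap) & 1
    return ((state << 1) | feedback) & ((1 << width) - 1)


def mux8(pattern):
    """Trojan-free CUT: bits 0-7 are data inputs, bits 8-10 are the select lines."""
    data, select = pattern & 0xFF, (pattern >> 8) & 0x7
    return (data >> select) & 1


def mux8_trojan(pattern):
    """Same MUX with a modelled combinational Trojan: the output is inverted only
    when all 11 nodes are 1, a condition met by one pattern in 2048."""
    triggered = pattern == 0x7FF
    return mux8(pattern) ^ int(triggered)


def lbist_signature(cut, n_patterns, seed=0x001):
    """Apply n_patterns PRPG patterns to the CUT and compact the responses in the MISR."""
    prpg, misr = seed, 0
    for _ in range(n_patterns):
        misr = lfsr_next(misr, MISR_TAPS, MISR_WIDTH) ^ cut(prpg)
        prpg = lfsr_next(prpg, PRPG_TAPS, PRPG_WIDTH)
    return misr


def first_mismatch(golden_cut, cut, n_patterns, seed=0x001):
    """Index of the first PRPG pattern whose response differs from the golden CUT."""
    prpg = seed
    for index in range(n_patterns):
        if golden_cut(prpg) != cut(prpg):
            return index
        prpg = lfsr_next(prpg, PRPG_TAPS, PRPG_WIDTH)
    return None


def lbist_pass(cut, n_patterns):
    """Power-up check: compare the computed signature with the stored golden one."""
    return lbist_signature(cut, n_patterns) == lbist_signature(mux8, n_patterns)


if __name__ == "__main__":
    k = first_mismatch(mux8, mux8_trojan, FULL_PERIOD)
    print("Trojan first activated by pattern index", k)
    print("short run (8 patterns) passes :", lbist_pass(mux8_trojan, 8))
    print("full-period run passes        :", lbist_pass(mux8_trojan, FULL_PERIOD))
```

The signature only departs from the golden value once the PRPG sequence reaches the trigger pattern, so the number of patterns applied matters for a rarely triggered Trojan.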
Experimental Setup
• Tools Used
  • Cadence RTL Compiler: for including LBIST in the core and measuring area and power
  • Cadence Encounter Test: for measuring the test coverage
• Benchmark Circuit Used
  • Advanced Encryption System (AES), 128 bit
Parameters
• Test Coverage:
  • The Test Coverage (TC) is the percentage of faults detected out of all detectable faults,
  and gives the most meaningful measure of test pattern quality.
  Test Coverage (TC) = Faults Detected / Detectable Faults in fault list
Cont.
• Static Faults:
  • Stuck-at-0 faults
  • Stuck-at-1 faults
• Dynamic Faults:
  • A delay fault (known as a dynamic or transition fault) models a specific
  physical defect at a specific location.
  • Dynamic faults may model the condition where a data transition is slow to rise
  (transition from logical 0 to logical 1), or slow to fall (transition from logical 1
  to logical 0).
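The test coverage formula and the static and dynamic fault models above, worked through on a gate-level full adder like the one used earlier in these slides. This is an added example, not part of the original presentation: the internal net names (x1, a1, a2) and the pattern sets are assumptions, and the transition fault check uses consecutive patterns as launch/capture pairs.

```python
# Added example: stuck-at and transition fault coverage of a gate-level full adder.
# Net names and pattern sets are assumptions chosen for illustration.
from itertools import product

NETS = ("a", "b", "cin", "x1", "a1", "a2", "sum", "cout")
EXHAUSTIVE = list(product((0, 1), repeat=3))


def full_adder(a, b, cin, fault=None):
    """Evaluate every net; `fault` is (net, stuck_value) or None for the good circuit."""
    nets = {}

    def drive(net, value):
        nets[net] = fault[1] if fault and fault[0] == net else value
        return nets[net]

    a, b, cin = drive("a", a), drive("b", b), drive("cin", cin)
    x1 = drive("x1", a ^ b)
    a1 = drive("a1", a & b)
    a2 = drive("a2", x1 & cin)
    drive("sum", x1 ^ cin)
    drive("cout", a1 | a2)
    return nets


def detects(pattern, fault):
    """A pattern detects a fault when a primary output differs from the good circuit."""
    good, bad = full_adder(*pattern), full_adder(*pattern, fault=fault)
    return (good["sum"], good["cout"]) != (bad["sum"], bad["cout"])


def static_coverage(patterns):
    """Return (faults detected, detectable faults) for stuck-at-0/1 on every net."""
    faults = [(net, stuck) for net in NETS for stuck in (0, 1)]
    detectable = [f for f in faults if any(detects(p, f) for p in EXHAUSTIVE)]
    detected = [f for f in detectable if any(detects(p, f) for p in patterns)]
    return len(detected), len(detectable)


def transition_coverage(patterns):
    """Return (detected, detectable) for slow-to-rise (init 0) and slow-to-fall (init 1).
    A pair (v1, v2) detects the fault when v1 sets the net to `init` and v2 detects
    the net stuck at `init`, i.e. the late transition is observed at an output."""
    def hit(pairs, net, init):
        return any(full_adder(*v1)[net] == init and detects(v2, (net, init))
                   for v1, v2 in pairs)

    faults = [(net, init) for net in NETS for init in (0, 1)]
    all_pairs = list(product(EXHAUSTIVE, repeat=2))
    applied_pairs = list(zip(patterns, patterns[1:]))
    detectable = [f for f in faults if hit(all_pairs, *f)]
    detected = [f for f in detectable if hit(applied_pairs, *f)]
    return len(detected), len(detectable)


if __name__ == "__main__":
    for name, patterns in (("2 patterns", [(0, 0, 0), (1, 1, 1)]),
                           ("3 patterns", [(0, 0, 0), (1, 1, 1), (1, 0, 1)])):
        s_det, s_all = static_coverage(patterns)
        d_det, d_all = transition_coverage(patterns)
        print(f"{name}: static TC = {100 * s_det / s_all:.1f}%, "
              f"dynamic TC = {100 * d_det / d_all:.1f}%")
```

For the same pattern set the dynamic coverage is lower than the static coverage, because a transition fault needs a suitable pair of patterns rather than a single one.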
Results
• The results for the AES Trojan free and AES Trojan inserted circuits are analysed
for power, area, and test coverage.
Table 1: Area results for AES Trojan free and Trojan inserted
Bench Mark Circuit       Area (um)
AES, Trojan free         970477
AES, Trojan inserted     971698
Cont.
Table 2: Power results for AES Trojan free and Trojan inserted
Bench Mark Circuit       Switching power (nW)   Leakage power (nW)
AES, Trojan free         57750880.22            8414464.17
AES, Trojan inserted     38670689.75            8427960.68
Cont.
Table 3: Coverage results for AES Trojan free and Trojan inserted
Test Coverage (%), LBIST Method
Bench Mark Circuit       Static Faults   Dynamic Faults
AES, Trojan free         86.89           54.54
AES, Trojan inserted     86.81           54.71
Conclusion
• 8:1 MUX and full adder circuits are implemented with and without a Trojan,
and the results are compared between them for both power and area.
• LBIST was implemented for the AES core for both Trojan free and Trojan inserted circuits and
obtained a high test coverage of 86.89% and 86.81% for static faults and 54.54%
and 54.71% for dynamic faults.
• The LBIST method can be used for detecting Trojans in high levels of System on
Chip testing.
