Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Sensor-Assisted Self-Authentication for Hardware Trojan Detection Min Li*, Azadeh Davoodi*, Mohammad Tehranipoor** * University of Wisconsin-Madison.

Published byOswald Owen McBride Modified over 8 years ago

Similar presentations

Presentation on theme: "A Sensor-Assisted Self-Authentication for Hardware Trojan Detection Min Li*, Azadeh Davoodi*, Mohammad Tehranipoor** * University of Wisconsin-Madison."— Presentation transcript:

1 A Sensor-Assisted Self-Authentication for Hardware Trojan Detection Min Li*, Azadeh Davoodi*, Mohammad Tehranipoor** * University of Wisconsin-Madison **University of Connecticut WISCAD Electronic Design Automation Lab http://wiscad.ece.wisc.edu

2 2 Challenges of Hardware Trojan Detection Challenges: –lack of observability and controllability after fabrication –complexity due to existence of billions of nano-scale components due to high volume of soft and hard integrated IP cores –overhead associated with physical inspection of nanometer feature sizes for reverse engineering could be intrusive –difficulty to activate a Trojan –increasing fabrication and environmental variations with technology scaling

3 3 Fundamental Challenge Trojan-free or Golden IC (GIC) –required in any (generic) IC authentication process create a reference fingerprint from the transient behavior of GIC and compare with fingerprint obtained from target IC –existence and identification of GIC cannot be guaranteed if inserted in GDSII file, or if the foundry alters the mask to insert a Trojan, GIC will not exist if an IC passes a rigorous test, in theory one cannot conclude that it is a GIC

4 4 Contributions A framework to use custom-designed on-chip detection sensors to alleviate the need on a golden IC by providing a self-authentication On-chip “detection sensor” –a compact (small area) representation of a design can be designed by searching for common “features” in a design –shares common sources of uncertainty with the design due to realization on the same chip e.g., process and environmental variations Assumptions –Trojan may infect the design paths, the detection sensor, or both –the detection sensor is obfuscated within the design’s layout i.e., an adversary will not be able to distinguish it

5 5 Proposed Framework Design and integration of custom-generated detection sensors capturing within-die variability Design stage On-chip delay fingerprint of detection sensors On-chip delay fingerprint of arbitrary design paths PASS ? Alert Trojan Offline analysis of fingerprint correlation NO Post-silicon self-authentication process

6 6 Design stage Post-Silicon detection sensor: a compact representative of the design measured on-chip delays of design paths and of detection sensors analyze correlation -- Finds most frequent “layout features” which are design-dependent and technology-sensitive -- Main Idea: Addition of Trojan disturbs the expected delay correlation between the design and the detection sensor detect Trojan

7 7 Design of the Detection Sensor Steps –logic design via netlist analysis 1.sequence matching 2.feature discovery –physical design of sensors layout integration delay measurement

8 8 Design of A Detection Sensor An optimization framework for finding frequent sequences in a netlist* –modeled using a graph representation of the design’s netlist –break (all or some portions) of the graph into collection of “similar” sequences –similar sequences grouped together and represented by one sensor –given a budget for total area used by the detection sensors, the goal is to maximize coverage of graph with formed sequences *Li and Davoodi, “Custom On-Chip Sensors for Post-Silicon Failing Path Isolation in the Presence of Process Variations”, Technical Report, 2011

9 9 Design of the Detection Sensor Constraints: 1.sequence constraints a sequence is made of consecutive edges 2.similarity constraints “similar” sequences are mapped to the same sensor similarity defined based on delay correlation in the presence of uncertainties such as process variations 3.area constraint summation of the areas of detection sensors are bounded original netlist extended graph after modification simplified version for illustration

10 10 Variation-Aware Delay Modeling [Agarwal et al, ASPDAC’03] a c ba

11 11 Design of A Detection Sensor Benefits of the formulation –flexible definition of similarity between sequences mapped to the same sensor, for example similar sequences could be: –structually identical (e.g., same sequence of logic gates) –have the same timing distribution –highly correlated in their timing characteristic –in general can define similarity with respect to sensitivity to technology parameters –flexible objective if edge weights are equal, objective is maximizing netlist coverage can modify to also ensure spatial coverage from different regions of the chip

12 12 Design Post-Silicon detection sensor: a compact representative of the design measured on-chip delays of design paths and of detection sensors analyze correlation detect Trojan -- e.g., BIST technology -- First check BIST is healthy (e.g., by verifying delays of embedded ring oscillators)

13 13 Examples –Path-RO [Tehranipoor et al ICCAD08] requires inserting measurement circuitry at the pre-silicon stage along the desired representative paths –Shrinking clock signal [Abraham et al GLSVLSI 2010] On-Chip Path Delay Measurement

14 14 Design Post-Silicon detection sensor: a compact representative of the design measured on-chip delays of design paths and of detection sensors analyze correlation detect Trojan -- Detection scenarios: Trojan may be added to the design, the detection sensor, or both -- The timing correlation between the design and its detection sensors will be different in the presence of a Trojan

15 15 Detection Scenarios 1.Trojan inserted in the design paths –actual delay range: obtained from direct path delay measurement considering measurement error –predicted delay range: computed using actual sensor delay and predicting the remainder of the path using worst/base-case values Trojan-infected path used for actual delay range path used for predicted delay range sensor matched case-based estimate sensor

16 16 Detection Scenarios 1.Trojan inserted in the design paths –underestimation of path delays that are Trojan infected –detects Trojan if predicted delay range does not overlap with the measured range sensor

17 17 Detection Scenarios 2.Trojan inserted in the detection sensor –actual delay range: obtained from direct path delay measurement considering measurement error  correct range –predicted delay range: computed using Trojan-infected sensor delay and predicting the remainder of the path using worst/base- case values path used for actual delay range path used for predicted delay range sensor matched case-based estimate sensor

18 18 Detection Scenarios 2.Trojan inserted in the detection sensor –overestimation of the predicted range of the design paths –correctly detects existence of Trojan if the two ranges don’t overlap –can identify that detection sensor is infected sensor

19 19 Detection Scenarios 3.Trojan inserted simultaneously in the design and detection sensor –actual and predicted ranges both erroneous –depending on how the Trojan impact each one, different cases can happen sensor path used for actual delay range path used for predicted delay range

20 20 Detection Scenarios 3.Trojan inserted simultaneously in the design and detection sensor –can only predict that Trojan exists if the predicted and measured ranges do not overlap, otherwise it doesn’t generate any output sensor

21 21 Simulation Setup Randomly selected a subset of critical design paths from the ISCAS89 suite For each considered path –inserted a Trojan at a random location on the path –sensor area budget is 15% –repeated many times for varying Trojan delays 3 to 10% of the delay of the longest path in the circuit (30 different values uniformly selected from the range) –assumed on-chip measurement error of 3% for measuring the delays of the infected paths –variation modeling assumed process variations in channel length and threshold voltage of transistors according to variation setting for 45nm technology and a 5-level spatial correlation model considered 10K scenarios of variations

22 22 Trojan Inserted in Design sensor and path informationDR (Trojan in design) Bench|P|%A sensor MRW/O sensorsSensor-assisted s1423921310.580.68 s1488161210.600.67 s1494161210.480.50 s5378201120.840.620.66 s92341691010.690.71 s132073311210.670.73 s15850136150.970.750.85 s359321765130.960.700.73 s384171587120.990.720.77 s3858411121410.640.80 MR: fraction of the paths which are matched with at least one sensor DR: detection ratio

23 23 Trojan Insertion in Detection Sensor sensor and path informationDR (Trojan in design) Bench|P|%A sensor MRW/O sensorsSensor-assisted s1423921310.030.67 s1488161210.040.69 s1494161210.040.60 s5378201120.840.030.58 s92341691010.010.75 s132073311210.010.77 s15850136150.970.010.70 s359321765130.960.010.93 s384171587120.990.020.78 s3858411121410.000.97 MR: fraction of the paths which are matched with at least one sensor DR: detection ratio

24 24 Trojan Detection Rate in s13207 % Trojan delay/delay of longest path detection rate

25 25 Conclusions Benefits of the detection framework –alleviates the need on a GIC –does not output a wrong answer –detection at a finer granularity –faster detection of Trojan –captures both layout-dependency and technology-dependency Limitations –spatial correlation modeling –path delay measurement accuracy –layout integration

Download ppt "A Sensor-Assisted Self-Authentication for Hardware Trojan Detection Min Li*, Azadeh Davoodi*, Mohammad Tehranipoor** * University of Wisconsin-Madison."

Similar presentations

IC TESTING.

IC TESTING.
Design of Experiments Lecture I

Design of Experiments Lecture I
Copyright 2001, Agrawal & BushnellVLSI Test: Lecture 31/22alt1 Lecture 31 System Test (Lecture 22alt in the Alternative Sequence) n Definition n Functional.

Copyright 2001, Agrawal & BushnellVLSI Test: Lecture 31/22alt1 Lecture 31 System Test (Lecture 22alt in the Alternative Sequence) n Definition n Functional.
Courtesy RK Brayton (UCB) and A Kuehlmann (Cadence) 1 Logic Synthesis Sequential Synthesis.

Courtesy RK Brayton (UCB) and A Kuehlmann (Cadence) 1 Logic Synthesis Sequential Synthesis.
Apr. 20, 2001VLSI Test: Bushnell-Agrawal/Lecture 311 Lecture 31 System Test n Definition n Functional test n Diagnostic test  Fault dictionary  Diagnostic.

Apr. 20, 2001VLSI Test: Bushnell-Agrawal/Lecture 311 Lecture 31 System Test n Definition n Functional test n Diagnostic test  Fault dictionary  Diagnostic.
Using MVL (Multi-Valued Logic) Signal in Test Application Baohu Li, Bei Zhang, Vishwani Agrawal Auburn University.

Using MVL (Multi-Valued Logic) Signal in Test Application Baohu Li, Bei Zhang, Vishwani Agrawal Auburn University.
Yasuhiro Fujiwara (NTT Cyber Space Labs)

Yasuhiro Fujiwara (NTT Cyber Space Labs)
VARIUS: A Model of Process Variation and Resulting Timing Errors for Microarchitects Sarangi et al Prateeksha Satyamoorthy CS 8501 1.

VARIUS: A Model of Process Variation and Resulting Timing Errors for Microarchitects Sarangi et al Prateeksha Satyamoorthy CS
Data Mining Methodology 1. Why have a Methodology  Don’t want to learn things that aren’t true May not represent any underlying reality ○ Spurious correlation.

Data Mining Methodology 1. Why have a Methodology  Don’t want to learn things that aren’t true May not represent any underlying reality ○ Spurious correlation.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7.3 Secure and Resilient Location Discovery in Wireless.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7.3 Secure and Resilient Location Discovery in Wireless.
Coupling-Aware Length-Ratio- Matching Routing for Capacitor Arrays in Analog Integrated Circuits Kuan-Hsien Ho, Hung-Chih Ou, Yao-Wen Chang and Hui-Fang.

Coupling-Aware Length-Ratio- Matching Routing for Capacitor Arrays in Analog Integrated Circuits Kuan-Hsien Ho, Hung-Chih Ou, Yao-Wen Chang and Hui-Fang.
Introduction to Statistical Quality Control, 4th Edition Chapter 7 Process and Measurement System Capability Analysis.

Introduction to Statistical Quality Control, 4th Edition Chapter 7 Process and Measurement System Capability Analysis.
Variability-Driven Formulation for Simultaneous Gate Sizing and Post-Silicon Tunability Allocation Vishal Khandelwal and Ankur Srivastava Department of.

Variability-Driven Formulation for Simultaneous Gate Sizing and Post-Silicon Tunability Allocation Vishal Khandelwal and Ankur Srivastava Department of.
Introduction to CMOS VLSI Design Clock Skew-tolerant circuits.

Introduction to CMOS VLSI Design Clock Skew-tolerant circuits.
Chapter 10 Quality Control McGraw-Hill/Irwin

Chapter 10 Quality Control McGraw-Hill/Irwin
X-Compaction Itamar Feldman. Before we begin… Let’s talk about some DFT history: Design For Testability (DFT) has been around since the 1960s. The technology.

X-Compaction Itamar Feldman. Before we begin… Let’s talk about some DFT history: Design For Testability (DFT) has been around since the 1960s. The technology.
Lecture 8: Clock Distribution, PLL & DLL

Lecture 8: Clock Distribution, PLL & DLL
1 Variability Characterization in FPGAs Brendan Hargreaves 10/05/2006.

1 Variability Characterization in FPGAs Brendan Hargreaves 10/05/2006.
TH EDA NTHU-CS VLSI/CAD LAB 1 Re-synthesis for Reliability Design Shih-Chieh Chang Department of Computer Science National Tsing Hua University.

TH EDA NTHU-CS VLSI/CAD LAB 1 Re-synthesis for Reliability Design Shih-Chieh Chang Department of Computer Science National Tsing Hua University.
Penn ESE535 Spring 2008 -- DeHon 1 ESE535: Electronic Design Automation Day 14: March 19, 2008 Statistical Static Timing Analysis.

Penn ESE535 Spring DeHon 1 ESE535: Electronic Design Automation Day 14: March 19, 2008 Statistical Static Timing Analysis.

Similar presentations

Ads by Google