To Detect, Locate, and Mask Hardware Trojans in digital circuits by reverse engineering and functional ECO

During the EDA process, a design may be tampered with directly by dishonest engineers (or an “industry spy”), or indirectly through the use of malicious modules from a third-party Intellectual Property (3PIP) block vendor. During integration and fabrication, the chips may also be tampered with by an untrusted system integrator or even the foundry. Particularly for high-end commercial or classified military chips, Hardware Trojan (HT) Detect-Locate-and-Mask (DL&M) is essential to make sure a design is produced exactly as the original (golden) specification. Our objectives are (1) to detect any functionality difference, whether caused by bugs or by HTs, (2) to locate and output the differing circuitry so that the bugs can be corrected or the tampering intention investigated, and (3) to “kill” (mask) the HTs by restoring the chip's functionality to golden with a minimum circuitry change. Besides blocking the plotted damage at an early stage and pointing to the source of the spy by revealing the HT's intention, the masking circuit revision must also be minimized so as not to affect the chip's performance (timing) too much. In this paper, we propose a scheme that integrates reverse engineering, formal verification, functional ECO, and logic rewiring to detect, locate and mask Hardware Trojans at minimized cost. Being based on formal verification, the scheme guarantees catching 100% of the hidden combinational-circuit HTs and handles multiple HTs (with no limit on their number) automatically in one run. Some techniques within our scheme won first place in the CAD Contests at ICCAD 2012, 2013, and 2014 [1-3].
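Added example, not code from the paper: a small Python model of the three DL&M steps on a constructed four-input netlist. It stands in for the paper's SAT-based equivalence checking with an exhaustive truth-table comparison (complete for a toy input width) and for the logic-rewiring ECO with its simplest case, re-driving the output from an existing signal that already implements the golden function; the netlist format, gate names and the HT trigger are all constructed for this illustration.

```python
from itertools import product
# Toy netlist format (constructed for this example): gate name -> (op, *operand signals).
OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b,
       "XOR": lambda a, b: a ^ b, "NOT": lambda a: 1 - a, "BUF": lambda a: a}
# Constructed golden design: y = (a AND b) OR (c XOR d).
GOLDEN = {"n1": ("AND", "a", "b"), "n2": ("XOR", "c", "d"), "y": ("OR", "n1", "n2")}

# Constructed suspect design: same logic plus a combinational HT whose trigger t2
# fires only for a=b=c=d=1 and whose payload inverts y through an extra XOR.
SUSPECT = {"n1": ("AND", "a", "b"), "n2": ("XOR", "c", "d"),
           "t1": ("AND", "c", "d"), "t2": ("AND", "n1", "t1"),
           "y0": ("OR", "n1", "n2"), "y": ("XOR", "y0", "t2")}

def primary_inputs(net):
    return {s for _, *ins in net.values() for s in ins if s not in net}

def simulate(net, assignment):
    """Evaluate gates whose operands are already known until all have values."""
    vals, pending = dict(assignment), dict(net)
    while pending:
        for name, (op, *ins) in list(pending.items()):
            if all(i in vals for i in ins):
                vals[name] = OPS[op](*(vals[i] for i in ins))
                del pending[name]
    return vals

def truth_tables(net, pis):
    """Truth table of every signal; exhaustive, so complete for small input widths."""
    tabs = {}
    for bits in product((0, 1), repeat=len(pis)):
        for sig, v in simulate(net, dict(zip(pis, bits))).items():
            tabs.setdefault(sig, []).append(v)
    return {s: tuple(t) for s, t in tabs.items()}

def detect_locate_mask(golden, suspect, output):
    """Returns (mismatching input vectors, located HT gates, patched netlist)."""
    pis = sorted(primary_inputs(golden) | primary_inputs(suspect))
    g_tabs, s_tabs = truth_tables(golden, pis), truth_tables(suspect, pis)
    # Detect: compare the output columns row by row (an exhaustive miter).
    vectors = product((0, 1), repeat=len(pis))
    mismatches = [dict(zip(pis, v)) for v, g, s
                  in zip(vectors, g_tabs[output], s_tabs[output]) if g != s]
    if not mismatches:
        return [], set(), dict(suspect)
    # Locate: suspect gates implementing a function that no golden signal has.
    golden_funcs = set(g_tabs.values())
    located = {g for g in suspect if s_tabs[g] not in golden_funcs}
    # Mask: re-drive the output from an existing suspect signal equal to the golden output
    # (a one-wire ECO); None if no such signal exists and a larger patch would be needed.
    reuse = [s for s, t in s_tabs.items() if t == g_tabs[output] and s != output]
    patched = dict(suspect, **{output: ("BUF", reuse[0])}) if reuse else None
    return mismatches, located, patched
```

The trigger and payload gates (t1, t2 and the tampered y) are reported as the located circuitry, and the patch leaves them dangling rather than rewriting the surviving logic.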

[1] Premachandran R. Menon et al., "Logic optimization and equivalence checking by implication analysis," IEEE Trans. Comput. Aided Des. Integr. Circuits Syst., 1997.

[2] Shih-Chieh Chang et al., "Perturb and simplify: multilevel Boolean network optimizer," IEEE Trans. Comput. Aided Des. Integr. Circuits Syst., 1996.

[3] Jeyavijayan Rajendran et al., "Detecting malicious modifications of data in third-party intellectual property cores," 52nd ACM/EDAC/IEEE Design Automation Conference (DAC), 2015.

[4] Kei-Yong Khoo et al., "ICCAD-2012 CAD contest in finding the minimal logic difference for functional ECO and benchmark suite: CAD contest," IEEE/ACM International Conference on Computer-Aided Design (ICCAD), 2012.

[5] Malgorzata Marek-Sadowska et al., "Orthogonal Greedy Coupling - A New Optimization Approach to 2-D FPGA Routing," 32nd Design Automation Conference, 1995.

[6] Mark R. Beaumont et al., "Hardware Trojans - Prevention, Detection, Countermeasures (A Literature Review)," 2011.

[7] Yu-Liang Wu et al., "Delete and Correct (DaC): An Atomic Logic Operation for Removing Any Unwanted Wire," 27th International Conference on VLSI Design and 13th International Conference on Embedded Systems, 2014.

[8] F. Koushanfar et al., "Confronting the Hardware Trustworthiness Problem," 2010.

[9] Randal E. Bryant et al., "Graph-Based Algorithms for Boolean Function Manipulation," IEEE Transactions on Computers, 1986.

[10] Jie Zhang et al., "DeTrust: Defeating Hardware Trust Verification with Stealthy Implicitly-Triggered Hardware Trojans," CCS, 2014.

[11] Niklas Sörensson et al., "An Extensible SAT-solver," SAT, 2003.

[12] Feng Lu et al., "ICCAD-2013 CAD contest in technology mapping for macro blocks and benchmark suite," IEEE/ACM International Conference on Computer-Aided Design (ICCAD), 2013.

[13] Po-Kai Huang et al., "Interpolation-based incremental ECO synthesis for multi-error logic rectification," 48th ACM/EDAC/IEEE Design Automation Conference (DAC), 2011.

[14] Shih-Chieh Chang et al., "Logic Synthesis for Engineering Change," 32nd Design Automation Conference, 1999.

[15] Shi-Yu Huang et al., "AutoFix: a hybrid tool for automatic logic rectification," IEEE Trans. Comput. Aided Des. Integr. Circuits Syst., 1999.

[16] Mark Mohammad Tehranipoor et al., "Guest Editors' Introduction: Confronting the Hardware Trustworthiness Problem," IEEE Des. Test Comput., 2010.

[17] Ruchir Puri et al., "DeltaSyn: An efficient logic difference optimizer for ECO synthesis," IEEE/ACM International Conference on Computer-Aided Design - Digest of Technical Papers, 2009.

[18] Kei-Yong Khoo et al., "ICCAD-2014 CAD contest in simultaneous CNF encoder optimization with SAT solver setting selection and benchmark suite: Special session paper: CAD contest," IEEE/ACM International Conference on Computer-Aided Design (ICCAD), 2014.

[19] Yu-Liang Wu et al., "Coupling reverse engineering and SAT to tackle NP-complete arithmetic circuitry verification in ∼O(# of gates)," 21st Asia and South Pacific Design Automation Conference (ASP-DAC), 2016.

[20] Ashish Tiwari et al., "Reverse Engineering Digital Circuits Using Structural and Functional Analyses," IEEE Transactions on Emerging Topics in Computing, 2014.

[21] Yu-Liang Wu et al., "Almost every wire is removable: A modeling and solution for removing any circuit wire," Design, Automation & Test in Europe Conference & Exhibition (DATE), 2012.

[22] Malgorzata Marek-Sadowska et al., "Theory of wire addition and removal in combinational Boolean networks," 2007.

[23] Farinaz Koushanfar et al., "A Survey of Hardware Trojan Taxonomy and Detection," IEEE Design & Test of Computers, 2010.

[24] Jie Zhang et al., "On hardware Trojan design and implementation at register-transfer level," IEEE International Symposium on Hardware-Oriented Security and Trust (HOST), 2013.

[25] "Equivalence checking hardware multiplier designs," 2007.

[26] Mark Mohammad Tehranipoor et al., "Detecting malicious inclusions in secure hardware: Challenges and solutions," IEEE International Workshop on Hardware-Oriented Security and Trust, 2008.

[27] Yu-Liang Wu et al., "A universal macro block mapping scheme for arithmetic circuits," Design, Automation & Test in Europe Conference & Exhibition (DATE), 2015.

[28] André Rossi et al., "Verification of gate-level arithmetic circuits by function extraction," 52nd ACM/EDAC/IEEE Design Automation Conference (DAC), 2015.

[29] Simha Sethumadhavan et al., "FANCI: identification of stealthy malicious logic using boolean functional analysis," CCS, 2013.

[30] Gordon L. Smith et al., "Boolean Comparison of Hardware and Flowcharts," IBM J. Res. Dev., 1982.

[31] Jie Zhang et al., "VeriTrust: Verification for hardware trust," 50th ACM/EDAC/IEEE Design Automation Conference (DAC), 2013.

[32] Robert K. Brayton et al., "Using SAT for combinational equivalence checking," Proceedings Design, Automation and Test in Europe Conference and Exhibition, 2001.

[33] Yu-Liang Wu et al., "ECR: A low complexity generalized error cancellation rewiring scheme," Design Automation Conference, 2010.