Identification of Hardware Trojans triggering signals

Giorgio Di Natale, Sophie Dupuis, Marie-Lise Flottes, Bruno Rouzeyre
LIRMM (Université Montpellier II / CNRS UMR 5506), Montpellier, France

Abstract — Hardware Trojans are malicious alterations to a circuit. These modifications can be inserted either during the design phase or during the fabrication process. Due to the diversity of Hardware Trojans (HTs), detecting and/or locating them are challenging tasks. Numerous approaches have been proposed to address this problem. Methods based on logic testing consist of trying to activate potential Hardware Trojans in order to detect erroneous outputs during simulation. However, traditional ATPG testing may not be sufficient to detect Hardware Trojans: Hardware Trojans are stealthy in nature, i.e., mostly inactive unless they are triggered by a rare value. The activation of a Hardware Trojan is therefore a major concern. In this paper, we propose a procedure to identify circuit sites where a possible HT may be easily inserted. The selection of the sites is based on the assumption that the HT is triggered (i) by signals that have potential rare values, (ii) in paths that are not critical, and (iii) by combining multiple gates that are close to one another in the circuit's layout and close to available space. This identification is then used to automatically generate test patterns able to excite these sites.

Keywords — Hardware Trojan; Hardware Trojan Detection; Hardware Trojan Activation; Logic testing.

I. INTRODUCTION

With ever-shrinking transistor technologies, the cost of new fabrication facilities is becoming prohibitive, and outsourcing the fabrication process to low-cost locations has become a major trend in the IC industry over the last decade. This raises the question of untrusted foundries, in which circuit descriptions can be manipulated with the possible insertion of malicious circuitry or alterations, referred to as Hardware Trojans (HTs) [1].
Besides, recent issues have arisen from the possibility of getting HTs from untrusted IP vendors [2].

Due to the diversity of HTs, different classifications have been proposed. The classification proposed in [5] is based on the activation mechanism (referred to as the trigger) and the introduced effect (referred to as the payload). The triggering logic monitors a set of inputs to activate the payload at the proper event. A taxonomy is also presented in which HTs are classified based on their trigger and payload mechanisms (digital, analog, combinational, sequential…). The focus of our work is on digital, combinational HTs. The fundamental assumption in that case is that the HT activation should occur under very rare conditions, i.e., the trigger is attached to nodes with low controllability. In addition, also for reasons of stealthiness, it is often assumed that the payload is attached to nodes with low observability. This is referred to in [5] as rare-value-based HTs. A model of this type of HT is presented in Figure 1.

Figure 1. Rare-value-based HT circuit model [5].

HT detection methods are divided into two categories: methods based on side-channel analysis [3, 4] and methods based on logic testing [5, 6]. In the latter case, if an erroneous behavior of the IC is observed, it can be inferred that a HT has been inserted in the IC. The most important advantage of logic testing is that, as opposed to side-channel analysis, it is robust with respect to environment and process variability. It therefore seems more suitable for the detection of small HTs (whose effects may lie below the threshold of variability). Yet, traditional ATPG test vectors are not sufficient to detect HTs. The assumption is indeed that an attacker will try to hide the HT within the IC's functional behavior, i.e., a HT is mostly inactive and is triggered under very rare conditions. The main concern is therefore to be able to activate potential HTs, i.e., to find test vectors that maximize the chances of triggering potential HTs.
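The rare-value model above can be made concrete with a small simulation. The following is an added example, not code from the paper or its authors: on a constructed gate-level netlist it estimates each net's signal probability under random inputs (a low probability for one value means low controllability, the property a trigger node is chosen for), estimates how often a change on a net reaches a primary output (observability, the property a payload node is chosen to lack), and then searches for input vectors that force the rare value on the low-controllability nets, i.e. the kind of pattern an ATPG-driven campaign would add. The netlist, net names, gate types and thresholds are all constructed for illustration; the exhaustive search in `excite` stands in for a real ATPG engine.

```python
"""Added example (not from the paper): rare-value site identification and
test-pattern generation on a small constructed gate-level netlist.

Random simulation estimates, per net, P(net = 1) (low or high values mean
low controllability, the nodes a rare-value trigger would monitor) and how
often a single-net change reaches a primary output (observability). For the
rare sites it then searches for primary-input vectors that force the rare
value. Netlist, names and thresholds are constructed for illustration.
"""
import random
from itertools import product

# Constructed netlist in topological order: (output net, gate type, input nets).
INPUTS = ["a", "b", "c", "d", "e", "f"]
GATES = [
    ("n1", "AND", ["a", "b"]),
    ("n2", "AND", ["c", "d"]),
    ("n3", "AND", ["n1", "n2"]),   # 1 only when a=b=c=d=1: P(n3=1) = 1/16
    ("n4", "OR",  ["e", "f"]),
    ("n5", "AND", ["n3", "n4"]),   # rarer still: P(n5=1) = 1/16 * 3/4
    ("n6", "XOR", ["n4", "e"]),    # equals (NOT e) AND f
    ("o1", "OR",  ["n5", "n6"]),
    ("o2", "AND", ["n6", "d"]),
]
OUTPUTS = ["o1", "o2"]
NETS = INPUTS + [g[0] for g in GATES]


def evaluate(assign, forced=None):
    """Simulate the netlist for one input assignment and return every net's value.
    forced=(net, value) overrides a gate output right after it is computed; the
    observability estimate uses this to inject a single-net change."""
    vals = dict(assign)
    for out, gtype, ins in GATES:
        x = [vals[i] for i in ins]
        if gtype == "AND":
            v = int(all(x))
        elif gtype == "OR":
            v = int(any(x))
        elif gtype == "XOR":
            v = x[0] ^ x[1]
        else:
            raise ValueError("unknown gate type " + gtype)
        if forced is not None and out == forced[0]:
            v = forced[1]
        vals[out] = v
    return vals


def random_vector(rng):
    return {i: rng.randint(0, 1) for i in INPUTS}


def signal_probabilities(n_vectors=20000, seed=1):
    """Estimated P(net = 1) for every net under uniformly random inputs."""
    rng = random.Random(seed)
    ones = {net: 0 for net in NETS}
    for _ in range(n_vectors):
        for net, v in evaluate(random_vector(rng)).items():
            ones[net] += v
    return {net: c / n_vectors for net, c in ones.items()}


def observability(n_vectors=20000, seed=2):
    """Estimated probability that flipping a net's value changes some output."""
    rng = random.Random(seed)
    hits = {net: 0 for net in NETS}
    for _ in range(n_vectors):
        assign = random_vector(rng)
        base = evaluate(assign)
        for net in NETS:
            if net in INPUTS:
                alt = dict(assign)
                alt[net] ^= 1
                flipped = evaluate(alt)
            else:
                flipped = evaluate(assign, forced=(net, base[net] ^ 1))
            hits[net] += any(flipped[o] != base[o] for o in OUTPUTS)
    return {net: c / n_vectors for net, c in hits.items()}


def rare_sites(threshold=0.1, n_vectors=20000):
    """Gate-output nets whose rarer value occurs with probability < threshold,
    returned as (net, rare_value, probability), rarest first."""
    probs = signal_probabilities(n_vectors)
    sites = []
    for net in NETS:
        if net in INPUTS:
            continue
        p1 = probs[net]
        rare_value, p = (1, p1) if p1 < 0.5 else (0, 1 - p1)
        if p < threshold:
            sites.append((net, rare_value, p))
    return sorted(sites, key=lambda s: s[2])


def excite(net, value):
    """First primary-input vector (in input order) driving net to value, or
    None. Exhaustive search is fine for this toy; a real flow would use ATPG."""
    for bits in product((0, 1), repeat=len(INPUTS)):
        assign = dict(zip(INPUTS, bits))
        if evaluate(assign)[net] == value:
            return assign
    return None


def trojan_test_patterns(threshold=0.1, n_vectors=20000):
    """Identify rare sites, then one pattern per site that forces the rare
    value. Returns {net: (rare_value, input vector)}."""
    return {net: (val, excite(net, val))
            for net, val, _ in rare_sites(threshold, n_vectors)}


if __name__ == "__main__":
    obs = observability()
    for net, val, p in rare_sites():
        print(f"{net}: P({net}={val}) ~ {p:.4f}, observability ~ {obs[net]:.2f}, "
              f"pattern {excite(net, val)}")
```

On this netlist only `n3` and `n5` fall under the 0.1 threshold, and the generated patterns set a=b=c=d=1 (plus e or f for `n5`), which a random or conventional stuck-at test set is unlikely to hit often. Combining the rare-site list with the observability estimate gives the two coordinates of the Figure 1 model: trigger candidates rank low on controllability, payload candidates rank low on observability.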
Design-for-hardware-trust methods also exist. These methods consist of incorporating into the ICs some features that should improve HT detectability [7, 8].

In this paper, we propose a procedure to identify circuit sites where a possible HT may be easily inserted. The selection of the sites is based on the assumption that the HT is triggered (i) by gates that have potential rare values, as proposed in [5, 6], (ii) in paths that are not critical, and (iii) by combining multiple gates that are close to one another in the circuit's layout and close to available space.

This paper is organized as follows. In Section II, we recall the different logic-testing HT detection methods that have been proposed. In Section III, we present our technique. Finally, Section IV concludes the paper.

II. PRIOR WORK

In order to be able to detect a potential HT by logic testing, the main concern is to be able to activate the HT. The assumption is that a HT has a stealthy nature and is activated under very rare conditions. Based on this

[Figure 1 labels: Trigger attached to a node with low controllability; Payload attached to nodes with low observability; signals a1, a2, b1, b2, s1, s2.]