A Multi-Faceted Approach to FPGA-Based Trojan Circuit Detection

Michael Patterson, Aaron Mills, Ryan Scheel, Julie Tillman, Evan Dye, Joseph Zambreno
Electrical and Computer Engineering, Iowa State University, Ames, Iowa, USA
Email: {mjpatter, ajmills, rascheel, tillmanj, emdye, zambreno}@iastate.edu

Abstract—Three general approaches to detecting Trojans embedded in FPGA circuits were explored in the context of the 2012 CSAW Embedded Systems Challenge: functional testing, power analysis, and direct analysis of the bitfile. These tests were used to classify a set of 32 bitfiles which include Trojans of an unknown nature. The project is a step towards developing a framework for Trojan detection which leverages the strengths of a variety of testing techniques.

I. MOTIVATION AND BACKGROUND

In recent years, the vulnerability of chips to hardware Trojans has garnered a great deal of attention [1], [2], [3], [4]. Many types of Trojans have been detected, and work has even been done to classify such Trojans [5]. It has been realized that malicious attackers can secretly insert Trojans into chips during the manufacturing process. This vulnerability is especially troublesome because of the degree to which chip manufacturing is outsourced to foreign countries, which may not share the interests of those ordering the manufacturing [6]. The customers send their designs off to be manufactured, but have no way of ensuring that the chips they receive back contain only their original design and not a Trojan.

There are a few options to mitigate this vulnerability. Trusted foundries could be used during manufacturing to ensure a reliable final product. However, this is usually not economically feasible or desirable. Another option is to perform destructive testing on the final product to detect the presence of a Trojan, but there are some obvious drawbacks to this approach. It destroys the chip under test, it requires specialized and often expensive equipment, and it doesn’t guarantee that the untested chips are also Trojan-free. What is more, the technique is not useful for FPGAs, since the end application is not a physical construct on the chip. Non-destructive testing methods need not suffer from these limitations, and are therefore the focus of this paper.

This paper discusses three testing methods we explored in order to detect the Trojans presented in the 2012 CSAW Embedded Systems Challenge. It details our testing setup as well as our classification for each of the provided FPGA bitfiles and our evidence for each classification. Our testing methods are compared to similar published methods, and various possibilities for future work are discussed.

II. TESTING TECHNIQUES

The goal of the 2012 CSAW Embedded Systems Challenge was to correctly identify which among the 32 provided bitfiles contained Trojans. As shown in Figure 1, two circuits were provided: the ISCAS85 benchmark C6288, consisting of only combinational logic (circuit type A), and the ISCAS89 benchmark S9234, which includes sequential logic (circuit type B) and a 147 flipflop scan chain. Only rudimentary documentation was provided for these circuits, and nothing was known in advance of the Trojans they contained.

Fig. 1: Circuit designs for the 2012 CSAW Embedded Systems Challenge. (a) Design A, the C6288 ISCAS85 benchmark; (b) Design B, the S9234 ISCAS85 benchmark.

Although numerous testing strategies were considered, we decided to focus on the following three. Our results indicate that these techniques can also be generalized to non-FPGA circuits. Bitfile analysis might appear to be the exception, but in general chip design flows will produce a netlist before fabrication, so the process is comparable.

A. Functional Testing

In functional testing, the correct output for each input over a given range is first calculated. Then, the chip being tested is given the same range of inputs, and the corresponding outputs are recorded. These output sets are compared, and if any inconsistencies are found, it can be concluded that the chip has a Trojan. However, even if the outputs are all the same, it cannot be definitively said that the chip does not have a Trojan, as the Trojan may not modify the functionality.

Functional testing is an effective way to test for Trojans, but it does have several limitations. It is most effective for combinational circuits. Sequential circuits have an intractably large input space, making exhaustive functional testing impossible. Additionally, the Trojan could have a trigger that activates only at a certain time or under other circumstances completely independent of input. It is also not useful for detecting Trojans that don’t affect the output. Even for combinational circuits, functional testing becomes less effective as the possible number of inputs increases. For each extra bit of input, the time to completely test a combinational circuit increases by a factor of two, so testing the entire input space quickly becomes impractical. However, even with all these limitations, functional testing is often the best way to begin testing for Trojans. Under the correct circumstances, it can provide a relatively easy method to conclusively prove that a chip does have a Trojan.
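The following is an added illustration of the functional-testing procedure described above, written for this edit rather than taken from the authors' test setup. It models a C6288-style unsigned multiplier (the ISCAS85 C6288 is a 16x16 multiplier, a property of the benchmark rather than a statement on the page) at a reduced operand width so an exhaustive sweep finishes quickly, and the Trojan behaviours (one input-triggered, one that never alters the output) are constructed for the example.

```python
import itertools
import random


def golden_multiply(a, b):
    """Golden reference model: what a correct width-bit unsigned multiplier must output."""
    return a * b


def make_input_triggered_dut(trigger_a, trigger_b, flip_bit):
    """Constructed Trojan model: correct everywhere except on one rare input pair,
    where a single output bit is inverted. Exhaustive testing exposes it; sampling may not."""
    def dut(a, b):
        out = a * b
        if (a, b) == (trigger_a, trigger_b):
            out ^= 1 << flip_bit
        return out
    return dut


def make_dormant_dut():
    """Constructed model of a Trojan whose payload never changes the functional output
    (e.g. it only leaks or waits on a non-input trigger). Functional testing cannot flag it."""
    return lambda a, b: a * b


def input_space_size(input_bits):
    """Exhaustive vector count for a combinational circuit: doubles with every extra input bit.
    Two width-bit operands contribute 2*width input bits."""
    return 1 << input_bits


def functional_test(reference, dut, width, exhaustive=True, samples=256, seed=1):
    """Apply the same inputs to reference and DUT and return the mismatching input pairs.
    A non-empty result proves a Trojan; an empty one is only absence of evidence."""
    if exhaustive:
        vectors = itertools.product(range(1 << width), repeat=2)
    else:
        rng = random.Random(seed)
        vectors = ((rng.randrange(1 << width), rng.randrange(1 << width))
                   for _ in range(samples))
    return [(a, b) for a, b in vectors if reference(a, b) != dut(a, b)]


if __name__ == "__main__":
    width = 6                                  # 12 input bits -> 4096 vectors, instant
    trojaned = make_input_triggered_dut(37, 59, 3)
    print("exhaustive:", functional_test(golden_multiply, trojaned, width))
    print("sampled:   ", functional_test(golden_multiply, trojaned, width, exhaustive=False))
    print("dormant:   ", functional_test(golden_multiply, make_dormant_dut(), width))
    print("16x16 vectors:", input_space_size(32))
```

Reducing the operand width from 16 to 6 turns the 2^32-vector sweep of the real C6288 into 4096 vectors, which is exactly the exponential cost the section describes.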