A Sensor-Assisted Self-Authentication for Hardware Trojan Detection Min Li*, Azadeh Davoodi*, Mohammad Tehranipoor** * University of Wisconsin-Madison.

Presentation transcript:

A Sensor-Assisted Self-Authentication for Hardware Trojan Detection
Min Li*, Azadeh Davoodi*, Mohammad Tehranipoor**
* University of Wisconsin-Madison
** University of Connecticut
WISCAD Electronic Design Automation Lab

2 Challenges of Hardware Trojan Detection
Challenges:
–lack of observability and controllability after fabrication
–complexity
    due to existence of billions of nano-scale components
    due to high volume of soft and hard integrated IP cores
–overhead associated with physical inspection of nanometer feature sizes for reverse engineering
    could be intrusive
–difficulty to activate a Trojan
–increasing fabrication and environmental variations with technology scaling

3 Fundamental Challenge
Trojan-free or Golden IC (GIC)
–required in any (generic) IC authentication process
    create a reference fingerprint from the transient behavior of GIC and compare with fingerprint obtained from target IC
–existence and identification of GIC cannot be guaranteed
    if inserted in GDSII file, or if the foundry alters the mask to insert a Trojan, GIC will not exist
    if an IC passes a rigorous test, in theory one cannot conclude that it is a GIC

4 Contributions
A framework to use custom-designed on-chip detection sensors to alleviate the need for a golden IC by providing self-authentication
On-chip “detection sensor”
–a compact (small area) representation of a design
    can be designed by searching for common “features” in a design
–shares common sources of uncertainty with the design due to realization on the same chip
    e.g., process and environmental variations
Assumptions
–Trojan may infect the design paths, the detection sensor, or both
–the detection sensor is obfuscated within the design’s layout
    i.e., an adversary will not be able to distinguish it

5 Proposed Framework
Design stage
–Design and integration of custom-generated detection sensors capturing within-die variability
Post-silicon self-authentication process
–On-chip delay fingerprint of detection sensors
–On-chip delay fingerprint of arbitrary design paths
–Offline analysis of fingerprint correlation
–PASS? NO: Alert Trojan

6 Design stage / Post-Silicon
Design stage
–detection sensor: a compact representative of the design
Post-Silicon
–measured on-chip delays of design paths and of detection sensors
–analyze correlation
–detect Trojan
-- Finds most frequent “layout features” which are design-dependent and technology-sensitive
-- Main Idea: Addition of Trojan disturbs the expected delay correlation between the design and the detection sensor

7 Design of the Detection Sensor
Steps
–logic design via netlist analysis
    1. sequence matching
    2. feature discovery
–physical design of sensors
    layout integration
    delay measurement

8 Design of A Detection Sensor
An optimization framework for finding frequent sequences in a netlist*
–modeled using a graph representation of the design’s netlist
–break (all or some portions) of the graph into collection of “similar” sequences
–similar sequences grouped together and represented by one sensor
–given a budget for total area used by the detection sensors, the goal is to maximize coverage of graph with formed sequences
*Li and Davoodi, “Custom On-Chip Sensors for Post-Silicon Failing Path Isolation in the Presence of Process Variations”, Technical Report, 2011

9 Design of the Detection Sensor
Constraints:
1. sequence constraints
    a sequence is made of consecutive edges
2. similarity constraints
    “similar” sequences are mapped to the same sensor
    similarity defined based on delay correlation in the presence of uncertainties such as process variations
3. area constraint
    summation of the areas of detection sensors is bounded
[Figure: original netlist; extended graph after modification (simplified version for illustration)]

10 Variation-Aware Delay Modeling [Agarwal et al, ASPDAC’03]

11 Design of A Detection Sensor
Benefits of the formulation
–flexible definition of similarity between sequences mapped to the same sensor
    for example similar sequences could be:
    –structurally identical (e.g., same sequence of logic gates)
    –have the same timing distribution
    –highly correlated in their timing characteristic
    –in general can define similarity with respect to sensitivity to technology parameters
–flexible objective
    if edge weights are equal, objective is maximizing netlist coverage
    can modify to also ensure spatial coverage from different regions of the chip

12 Design / Post-Silicon
Design
–detection sensor: a compact representative of the design
Post-Silicon
–measured on-chip delays of design paths and of detection sensors
–analyze correlation
–detect Trojan
-- e.g., BIST technology
-- First check BIST is healthy (e.g., by verifying delays of embedded ring oscillators)

13 On-Chip Path Delay Measurement
Examples
–Path-RO [Tehranipoor et al ICCAD08]
    requires inserting measurement circuitry at the pre-silicon stage along the desired representative paths
–Shrinking clock signal [Abraham et al GLSVLSI 2010]

14 Design / Post-Silicon
Design
–detection sensor: a compact representative of the design
Post-Silicon
–measured on-chip delays of design paths and of detection sensors
–analyze correlation
–detect Trojan
-- Detection scenarios: Trojan may be added to the design, the detection sensor, or both
-- The timing correlation between the design and its detection sensors will be different in the presence of a Trojan

15 Detection Scenarios
1. Trojan inserted in the design paths
–actual delay range: obtained from direct path delay measurement considering measurement error
–predicted delay range: computed using actual sensor delay and predicting the remainder of the path using worst/base-case values
[Figure labels: Trojan-infected path used for actual delay range; path used for predicted delay range (sensor matched, case-based estimate); sensor]

16 Detection Scenarios
1. Trojan inserted in the design paths
–underestimation of path delays that are Trojan infected
–detects Trojan if predicted delay range does not overlap with the measured range

17 Detection Scenarios
2. Trojan inserted in the detection sensor
–actual delay range: obtained from direct path delay measurement considering measurement error → correct range
–predicted delay range: computed using Trojan-infected sensor delay and predicting the remainder of the path using worst/base-case values
[Figure labels: path used for actual delay range; path used for predicted delay range (sensor matched, case-based estimate); sensor]

18 Detection Scenarios
2. Trojan inserted in the detection sensor
–overestimation of the predicted range of the design paths
–correctly detects existence of Trojan if the two ranges don’t overlap
–can identify that detection sensor is infected

19 Detection Scenarios
3. Trojan inserted simultaneously in the design and detection sensor
–actual and predicted ranges both erroneous
–depending on how the Trojan impacts each one, different cases can happen
[Figure labels: sensor; path used for actual delay range; path used for predicted delay range]

20 Detection Scenarios
3. Trojan inserted simultaneously in the design and detection sensor
–can only predict that Trojan exists if the predicted and measured ranges do not overlap, otherwise it doesn’t generate any output
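The range-overlap check behind the three detection scenarios, as an added example that is not part of the original slides. All delay values are constructed; the function names, the use of lower/upper bounds for the unmatched remainder of the path, and applying the 3% measurement error to the sensor reading as well as the path are assumptions, as is the premise that a Trojan only adds delay.

```python
from dataclasses import dataclass

NO_OUTPUT = "no output"
ALERT_UNDERESTIMATED = "Trojan alert: measured path slower than predicted (scenario 1 pattern)"
ALERT_OVERESTIMATED = "Trojan alert: predicted range above measured (scenario 2 pattern, sensor suspect)"

@dataclass(frozen=True)
class DelayRange:
    lo: float
    hi: float

    def overlaps(self, other: "DelayRange") -> bool:
        return self.lo <= other.hi and other.lo <= self.hi

def with_error(delay: float, err: float) -> DelayRange:
    """Range implied by an on-chip measurement with relative error err."""
    return DelayRange(delay * (1 - err), delay * (1 + err))

def predicted_range(sensor_delay, rest_lo, rest_hi, err) -> DelayRange:
    """Measured sensor delay plus case-based bounds for the rest of the path."""
    s = with_error(sensor_delay, err)
    return DelayRange(s.lo + rest_lo, s.hi + rest_hi)

def self_authenticate(path_delay, sensor_delay, rest_lo, rest_hi, err=0.03):
    actual = with_error(path_delay, err)
    predicted = predicted_range(sensor_delay, rest_lo, rest_hi, err)
    if actual.overlaps(predicted):
        return NO_OUTPUT            # ranges agree: the check stays silent
    if actual.lo > predicted.hi:
        return ALERT_UNDERESTIMATED  # extra delay sits on the measured path
    return ALERT_OVERESTIMATED       # extra delay sits in the sensor reading

# Constructed delays in picoseconds: clean path = 1000, clean sensor = 400,
# unmatched remainder of the path bounded by [580, 620].
REST_LO, REST_HI = 580.0, 620.0
CASES = {
    "clean":            (1000.0, 400.0),
    "small_path_trojan": (1030.0, 400.0),  # +3%: hidden inside measurement error
    "path_trojan":      (1100.0, 400.0),  # +10% on the design path
    "sensor_trojan":    (1000.0, 500.0),  # +100 ps on the sensor only
    "both_infected":    (1100.0, 500.0),  # shifts cancel, ranges overlap again
}

def run_cases():
    return {name: self_authenticate(p, s, REST_LO, REST_HI)
            for name, (p, s) in CASES.items()}

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:18s} {verdict}")
```

The `both_infected` case shows why scenario 3 may produce no output: equal shifts in the path and the sensor bring the two ranges back into overlap.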

21 Simulation Setup
Randomly selected a subset of critical design paths from the ISCAS89 suite
For each considered path
–inserted a Trojan at a random location on the path
–sensor area budget is 15%
–repeated many times for varying Trojan delays
    3 to 10% of the delay of the longest path in the circuit (30 different values uniformly selected from the range)
–assumed on-chip measurement error of 3% for measuring the delays of the infected paths
–variation modeling
    assumed process variations in channel length and threshold voltage of transistors according to variation setting for 45nm technology and a 5-level spatial correlation model
    considered 10K scenarios of variations

22 Trojan Inserted in Design
[Table: sensor and path information (Bench, |P|, %A sensor, MR); DR (Trojan in design) (W/O sensors, Sensor-assisted)]
MR: fraction of the paths which are matched with at least one sensor
DR: detection ratio

23 Trojan Insertion in Detection Sensor
[Table: sensor and path information (Bench, |P|, %A sensor, MR); DR (Trojan in design) (W/O sensors, Sensor-assisted)]
MR: fraction of the paths which are matched with at least one sensor
DR: detection ratio

24 Trojan Detection Rate in s13207
[Plot axes: % Trojan delay/delay of longest path; detection rate]

25 Conclusions
Benefits of the detection framework
–alleviates the need for a GIC
–does not output a wrong answer
–detection at a finer granularity
–faster detection of Trojan
–captures both layout-dependency and technology-dependency
Limitations
–spatial correlation modeling
–path delay measurement accuracy
–layout integration