A ring oscillator-based detection circuit is employed herein to see whether there exists any hardware Trojans, and a path tracking algorithm and a multiplexer are presented as well. The detection performance is tested on the ISCAS85 c17 benchmark.

A combination of a ring oscillator

This work aims to present an effective hardware Trojan detection technique and to improve the wire and the net coverages using a combination of a ring oscillator, a 2-to-1 multiplexer and a path tracking algorithm. Illustrated in Fig. 4 is a ring oscillator in the ISCAS85 c17 benchmark.

Fig. 4
figure 4

A combination of the ISCAS85 c17 benchmark and a ring oscillator. A hardware Trojan detection example is illustrated for the ISCAS85 c17 benchmark circuit

A 2-to-1 multiplexer precedes a ring oscillator so as to choose a specific path for detection. With a 2-to-1 multiplexer as a controlled switch, a circuit under test can work in a way as expected, or ring oscillator can operate to detect hardware Trojans.

An alternative way for hardware Trojan detection

A hardware Trojan can be detected once there is a frequency shift in a ring oscillator. However, the frequency shift is susceptible to the way that the hardware Trojan is inserted.

Hardware Trojans are categorized according to the way they are inserted. An original detection circuit is illustrated in Fig. 5, where PATH represents a chosen path and D denotes an added circuit for Trojan detection with the frequency

$$F = frac{1}{2 times N times D}$$

(1)

where N represents the number of inverters, and D represents the delay of a single inverter.

Hardware Trojans can be inserted at any position in a circuit. As categorized in Fig. 6a to 6d, it is important to understand the various ways that the Trojans are inserted. Therefore, a short circuit path is added to the original circuit to represent a frequency change in a ring oscillator. Based on the original detection circuit, Trojan detections are classified into two types according to the added path configuration. A path is on a single route in Type 1, while a path is across multiple routes in Type 2, and both types are illustrated as follows.

Fig. 5
figure 5

An original detection circuit. A Trojan detection circuit is added to a chosen path to detect hardware Trojans

Fig. 6
figure 6

a Mode 1 Trojan path, b Mode 2 Trojan path, c Mode 3 Trojan path, d Type 2 detection cases. Based on the original detection circuit, Trojan detections are classified into two types according to the added path configuration. A path is on a single route in Type 1, while a path is across multiple routes in Type 2. Path is on a single route, and Type 1 is further categorized into three modes

Path is on a single route, and Type 1 is further categorized into three modes below.

As illustrated in Fig. 6a, a path is inserted between the input and PATH. Taking into account the added path, the frequency of the detection circuit is modified as

$$F = frac{1}{{2 times (D_{ip} + D_{p} + D_{d} )}}$$

(2)

where Dip, Dp and Dd represent the delay between the input and PATH, the delay of PATH and the delay of the added inverters, respectively.

As illustrated in Fig. 6b, a path is inserted between the output and PATH. Taking into account the added path, the frequency of the detection circuit is now modified as

$$F = frac{1}{{2 times (D_{op} + D_{p} + D_{d} )}}$$

(3)

where Dop, Dp and Dd represent the delay between the output and PATH, the delay of PATH and the delay of the added inverters, respectively.

Mode 3 is further classified into five cases, and the frequency is now modified as

$$F = frac{1}{{2 times (D_{ex} + D_{p} + D_{d} )}}$$

(4)

where Dex, Dp and Dd represent the delay of the added path, the delay of PATH and the delay of the added inverters for detection.

As illustrated in Fig. 6c, a path is added inside PATH in case 1, is added outside PATH in case 2, is added within the detection circuit in case 3, is added between the detection circuit and input/output in case 4, and is added inside the detection circuit and PATH in case 5.

Not as in Type 1, a path is added between PATHs. As illustrated in Fig. 6d, Type 2 is further categorized into 8 cases, that is, a path is added between input 1 and input 2 in case 1, is added between output 1 and output 2 in case 2, is added between input 1 and output 2 in case 3, is added between PATH 1 and PATH 2 in case 4, is added between input 1 and PATH 2 in case 5, is added between output 1 and PATH 2 in case 6, is added between the detection circuits D1 and D2 in case 7, and is added between D1 and PATH 2 in case 8.

As explicitly stated previously, paths are added across PATHs, meaning that it is rather difficult to analyze the frequency of Type 2 cases. Besides, added paths in either type are found to demonstrate a strong effect on the frequency.

Detection circuits for series and parallel configurations

Detection circuits are categorized into two types according to the way they are configured, i.e., series, parallel and mixed configurations, and are detailed in turn as follows. Illustrated in Fig. 7 is the configuration of an original detection circuit.

Fig. 7
figure 7

A single detection circuit. Detection circuits are categorized into two types according to the way they are configured, i.e., series, parallel and mixed configurations

Firstly illustrated is the series configuration, and is then the parallel configuration which is further categorized into two cases. A mixed configuration is finally described.

Series configuration is illustrated in Fig. 8, and all the PATHs are connected in series. A loop is formed by a detection circuit D1 and the PATHs so as to detect a hardware Trojan.

Fig. 8
figure 8

A series detection circuit. All the PATHs are connected in series and a loop is formed by a detection circuit D1 to detect a hardware Trojan

Parallel configuration is further classified into two types according to the configuration of added paths. A path is added to a single PATH in Type 1 configuration, while is added between PATHs in Type 2 configuration.

It is assumed that a hardware Trojan is inserted into a single PATH, and a detection circuit is built across each PATH accordingly, as illustrated in Fig. 9a. However, Fig. 9a can be simplified into Fig. 9b, due to the fact that there is a frequency change once a hardware Trojan is inserted into an arbitrary PATH.

Fig. 9
figure 9

Type 1 configuration, a a complicated detection circuit, b a simplified version of (a). In Type 1 parallel configuration, a path is added to a single PATH. A hardware Trojan is inserted into a single PATH, and a detection circuit is built across each PATH accordingly. Figure 9b is a simplified version of Fig. 9a

As illustrated in Fig. 10a, a hardware Trojan is inserted into a path, shown in blue, between PATHs. In this context, there is no way that the inserted Trojan can be detected using the configuration in Fig. 10a, but instead can be detected using the configuration in Fig. 10b where a detection circuit Dex, shown in red, is inserted into the blue path.

Fig. 10
figure 10

Type 2 configuration, a a parallel detection circuit, b a modified version of (a). In Type 2 parallel configuration, a path is added between PATHs. A hardware Trojan is inserted into a path, shown in blue, between PATHs. Figure 10b is a modified version of Fig. 10a

The mixed configuration is finally illustrated in Fig. 11, where a mixture of the above-stated series and parallel configurations is employed for hardware Trojan detection.

Fig. 11
figure 11

A combination of parallel and series detection circuits. The mixed configuration is a mixture of series and parallel configurations to detect hardware Trojans

Algorithm

In a large-scale integrated circuit, there are tens of thousands of paths. Therefore, path selection is seen as critical for the circuit detection performance optimization.

A brief flowchart

As illustrated in Fig. 12, a Verilog file is first read for getting the configuration information of a circuit. Subsequently, matrices are built for path search using the Verilog file, and path match is performed to locate the optimal path and then to assign the input nodes to the chosen path. The above steps comprise the path tracking algorithm herein, while the rest is referred to as the multiplexer match algorithm aiming to improve the coverage in an attempt to reach a 100% detection.

Fig. 12
figure 12

Brief flowchart of a path tracking algorithm. A Verilog file is first read to build matrices of a circuit configuration. Subsequently, a path tracking and multiplexer match algorithms are presented to improve the detection coverage

As illustrated in Fig. 13, a Verilog file contains the information on each gate and its inputs. A total of 2 matrices are created using the Verilog file.

Fig. 13
figure 13

Contents of a Verilog file. A Verilog file contains the circuit interconnection information

The first of the two matrices clearly specifies the configuration between nodes, according to which path tracking is performed until all the edges are detected. A logic 0 and a logic 1 represent the existence and non-existence of interconnection between nodes, respectively. The second matrix clearly specifies the configuration between nodes and inputs, due to which path match can be performed efficiently. A logic 0 and a logic 1 in this matrix represent the same things as in the first matrix. The “path search” step, illustrated in Fig. 12, involves the first matrix.

Path tracking algorithm

Path tracking is performed as a prerequisite of the “path match” step, and is illustrated as follows.

figure a

Line 5 in algorithm 1 performs the intersection of a prebuilt matrix containing the information on the node connections and sought paths, as illustrated in Fig. 14, and then locates the path with the greatest number of intersections.

Fig. 14
figure 14

Intersection of all the paths and the edges. This figure presents the information for the node connections and sought paths

Line 7 indicates the number of edge traversals using the first matrix, as listed in Table 3.

Table 3 Number of edge traversals

Subsequently, lines 15–21 perform the intersection of the node configurations and path, as illustrated in Fig. 14. Paths with the intersection containing the largest number of elements are chosen, as illustrated in Table 4.

Path tracking is optimized using Table 4, and is described as follows. Path with the least number of edge traversals is chosen for optimization, since it is likely to have an inadequate number of inputs. In this case, path 4 is chosen for the reason that merely edges 3 and 6 are traversed.

Line 22 assigns the chosen paths to an input using the second matrix, as shown in Table 5.

Table 5 Connections between inputs and nodes

As illustrated in Table 4, node 2 is the first node in path 4, and a corresponding gate is chosen. In this case, two inputs are available for choice, either of which can be taken to form a path and a ring oscillator-based detection circuit accordingly.

Lines 23–25 delete part of the chosen inputs, edges and paths, constituting a detection circuit, to avoid repetition, meaning that an input is unlikely to be assigned to two different paths. For instance, deletion of path 4 and input 6 gives Tables 6, 7 and 8.

Table 6 Influence of deleting path 4
Table 7 Influence of deleting edge 3 and 6
Table 8 Influence of deleting input 6

The path tracking algorithm terminates once the following conditions, i.e., those listed on line 9, are fulfilled.

Condition 1

All the edges are traversed, while a number of inputs may not get involved.

Condition 2

Contrary to condition 1, all the inputs are involved, while not all the edges are traversed.

Condition 3

Part of the edges cannot be traversed, using the remaining inputs.

Condition 1 is detailed as follows. It is that all the edges are covered by the paths, meaning that a hardware Trojan detection may not involve all the inputs. Condition 1 is further classified into two cases. In the first case, a Trojan is maliciously inserted right at the input of a circuit, and the introduction of a ring oscillator requires a multiplexer, leading to a rise in the cost. In contrast with the first case, there is no point to handle the second case.

Condition 2 is due to the shortage of inputs. It is that the inputs are all involved, while not all the edges are traversed, meaning that the path match can be performed by no means anymore. There are solutions to the hardware limitation, e.g., use of alternative multiplexers, while the issue is not addressed herein.

Condition 3, as opposed to condition 2, frequently occurs in large scale circuits, and is simply due to a shortage of edges.

The above steps are illustrated as a flowchart in Fig. 15, where path match mechanism is highlighted gray. To begin with, paths are chosen from those given in the “path search” step, and the output of the final step is determined as the path for building a ring oscillator.

Fig. 15
figure 15

A flowchart of the path matches. A path match mechanism is terminated if the three listed conditions are satisfied

Multiplexer match algorithm

An algorithm, designated as the multiplexer match algorithm and listed below, is developed to improve the coverage, since a 100% coverage cannot be reached by a single use of the above-stated path tracking algorithm, and the use of a multiplexer is found to be a key factor in the determination of the coverage.

figure b

Line 29 gives the value of N as a function of the number of paths involving an input, and line 30 specifies the required multiplexer. For instance, an 8-to-1 multiplexer is required in the case of UIN = 7.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Disclaimer:

This article is autogenerated using RSS feeds and has not been created or edited by OA JF.

Click here for Source link (https://www.springeropen.com/)

Loading