fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TMSCS.2016.2584052, IEEE
Transactions on Multi-Scale Computing Systems
1
AbstractField programmable gate arrays (FPGAs) are being increasingly used in a wide range of critical applications including
industrial, automotive, medical, and military systems. Since FPGA vendors are typically fabless, it is more economical to outsource
device production to off-shore facilities. This introduces many opportunities for the insertion of malicious alterations of FPGA Devices in
the foundry, referred to as hardware Trojan attacks, that can cause logical and physical malfunctions during field operation. The
vulnerability of these devices to hardware attacks raises serious security concerns regarding hardware and design assurance. In this
paper, we present a taxonomy of FPGA-specific hardware Trojan attacks based on activation and payload characteristics along with
Trojan models that can be inserted by an attacker. We also present an efficient Trojan detection method for FPGA based on a
combined approach of logic-testing and side-channel analysis. Finally, we propose a novel design approach, referred to as Adapted
Triple Modular Redundancy (ATMR), to reliably protect against Trojan circuits of varying forms in FPGA devices. We compare ATMR
with the conventional TMR approach. The results demonstrate the advantages of ATMR over TMR with respect to power overhead,
while maintaining the same or higher level of security and performances as TMR. Further improvement in overhead associated with
ATMR is achieved by exploiting reconfiguration and time-sharing of resources.
Fig. 2. General model of a hardware Trojan circuit realized through malicious modification of a hardware; (b) an example of combinational Trojan;
(c) an example of sequential Trojan.
approach, and low side-channel signature to evade Design 2.2 Fault versus Trojan
for Security (DfS) hardening mechanisms. Conventional fault models can properly represent hard-
ware Trojans; however, standard functional/structural test-
The condition of Trojan activation is referred to as the ing methods, as well as fault tolerance schemes cannot
trigger, and the node affected by the Trojan is referred as its adequately protect against diverse Trojan attacks. The major
payload. Trojans can be classified based on their triggering differences are that unanticipated behavior is not included
conditions or payload mechanisms. The trigger mechanism in the fault list [24], and hardware Trojans usually have a
can be either digital or analog. Digitally triggered Trojans covert trigger condition, which is expected to rarely occur
can be classified into combinational and sequential Trojans. during normal field operation. On the contrary, traditional
Trojan can also be classified into digital and analog based faults, run-time failures, and soft-errors typically occur at
on the payload mechanisms. Digital Trojans invert the logic random locations and are sensitized through arbitrary, typ-
values at internal nodes or modify the contents of memory ically non-rare and hence easily detectable condition.
locations, while the analog payload Trojans may change Due to the random occurrence of faults, in many cases they
circuit parameters, such as performance, power, and noise may turn out to be ineffective or benign [26]. The payload
margin. of a Trojan, however, is likely to be carefully selected by
an adversary to cause critical system failure or information
A combinational Trojan is activated on the simultane- leakage.
ous occurrences of a particular condition at certain inter- With respect to post-silicon validation or run-time toler-
nal nodes, while a sequential Trojan acts as a time-bomb, ance, the difference between faults and Trojans are two-fold.
exhibiting its malicious effect due to a sequence of rare First, faults induced by manufacturing defects are static, and
events after a long period of operation. Fig. 2(a) illustrates run-time failures are one-cycle transient failures. However,
the general scenario of a Trojan attack in a design, where hardware Trojans are dynamic, causing malfunction for one
a Trojan is realized through the malicious modification of or more cycles after triggering, and can also go back to a
the circuit with a trigger condition and payload. Fig. 2(b) benign state after causing the malicious effect. In a spatial
shows an example of combinational Trojan which does not sense, manufacturing faults and soft errors can occur ran-
contain any sequential elements, and depends only on the domly in any part of a design. However, hardware Trojans
simultaneous occurrence of a set of rare node conditions. are inserted by intelligent adversaries and hence are likely
Conversely, the sequential Trojans shown in Fig. 2(c) un- placed at strategic locations (e.g. in the key-dependent logic
dergo a sequence of state transitions before triggering a of a crypto-chip, enabling key leakage) while being hard-to-
malfunction. The 3-bit counter causes a malfunction at the detect.
node S on reaching a particular count, and the count is
increased only when the condition a = 1, b = 0 is satisfied at
the positive clock-edge. 3 H ARDWARE T ROJAN ATTACKS IN FPGA
Before we describe the taxonomy of hardware Trojans in
Protection against hardware Trojan has been widely reconfigurable hardware, it is necessary to understand why
explored [25, 30-40] by researchers. These approaches are such Trojans can be inserted in the foundry. Reconfigurable
based on the following three approaches: (1) specialized hardware consists of a regular array of identical repro-
functional testing [14] that rely on triggering an unknown grammable cells and other modules connected through
Trojan and observing its effect in output ports of a design; a distributed programmable interconnect structure. Since
(2) side-channel analysis that rely on observing a Trojan most of the chip is occupied by the regular structure of
effect in physical parameters, such as supply current or path logic blocks and interconnect, it is relatively easy (compared
delay [25, 40]; and (3) design/integration approaches [31-35] to ASICs) for an attacker to reverse engineer the device
that either prevent a Trojan insertion or facilitate detection and identify the regular structures as well as additional
during production test. modules. For example, a DSP core or clock manager can be
easily identified from the layout of the FPGA and can be a temperature, delay). At the lowest level, logic-based FPGA
potential target for hardware attacks as described in the next Trojans can be further divided into IP dependent and IP
section [27] While the proposed Trojan models and detection independent subcategories which we will discuss in detail
methods may be applicable to many programmable logic with examples.
devices, we focus on hardware Trojans in the widely-used IP-dependent Trojans: IP-dependent Trojans represent a
SRAM-based FPGAs subclass of Trojans whose trigger signals depend on the
Programmability in FPGAs can be used to change the design implemented in the device. Fig. 4 shows a simplified
logic and electrical properties of a system [3]. Although this architecture of FPGAs consisting of a regular array of pro-
programmability provides flexibility to designers to quickly grammable logic blocks and interconnects. As shown in Fig.
implement their designs according to their requirements, 4, an adversary can insert a malicious circuit which monitors
it can be exploited by an adversary to mount attacks to the logic values of several nodes such as configuration logic,
cause malfunction, leak sensitive information, and even outputs of logic modules, or look-up table (LUT) values.
cause physical damage [3], [5]. This also differentiates FPGA When triggered, such a Trojan can cause malfunction in
hardware Trojans from ASIC Trojans where the former alter many different ways, e.g. by altering the values stored in
the state of the system through malicious reprogramming LUTs or configuration cells in the interconnect network to
after configuration. cause incorrect routing between logic blocks, or writing
Wang, Tehranipoor, and Plusquellic proposed a taxon- random values into the embedded memory.
omy of hardware Trojans in ICs [6]. In this paper, we present Since the final IP design is not available to the foundry
a taxonomy of FPGA-specific hardware Trojans that alter during device fabrication, an attacker who plans to insert
the programmed state of logic and I/O blocks. We classify design-dependent hardware Trojans must do so without as-
the variety of FPGA hardware Trojans into two main cate- suming anything about the IP. Even though the probability
gories as shown in Fig. 3 according to their activation and of such a Trojan becoming active is very low, an attacker
payload characteristics. While it may be possible to classify may distribute many such Trojans over the entire chip to
FPGA Trojans based on other characteristics such as size increase the likelihood of causing malfunction. Given the
or distribution, we believe that the proposed classification growing scope of the FPGA domain, IP-dependent Trojans
covers most FPGA Trojans and is adequate to evaluate the are a practical threat that must be considered for hardware
capabilities and limitations of detection methods. assurance.
IP-independent Trojans: An intelligent attacker can also
3.1 Activation Characteristics insert Trojans whose activation conditions do not depend
Based on the activation characteristics, Trojans can fall into on the final design. Such Trojans can be inserted to alter the
two subcategories marked as condition-based and always- functionality of critical modules of the device. For example,
on in Fig. 3. Always-on Trojans are always active and per- Xilinx Spartan-3, Virtex-II, Virtex-II Pro FPGAs contain a
form their defined purpose of malfunction or leaking sensi- separate module for clock management known as the digital
tive information. An example in this subcategory would be a clock manager (DCM) as shown in Fig. 5. This module
Trojan that inverts all the bits of the configuration bitstream contains a delay locked loop (DLL) for reconditioning clock
as the device is being programmed. This class of Trojans signals. Additionally, it contains a frequency synthesizer
may not be inserted by an intelligent adversary since they for producing multiples or divisions of the input clock.
can be easily detected during conventional testing. Configuration parameters for the DCM are stored in its local
Condition-based FPGA Trojans, on the other hand, wait SRAM. A simple Trojan design could simply increment an
until a particular condition is met before they become n-bit counter each clock edge until a particular number is
active and cause malfunction. At this level, Trojans can reached, and then modify the configuration to produce a
be further classified as logic-based and sensor-based (e.g. faster clock. This in turn can cause the critical path logic to
Fig. 4. Simplified architecture of an FPGA showing the trigger points that Fig. 6. Programmable I/O block containing hardware Trojans to cause
a Trojan may use. logical and electrical malfunction.
Fig. 5. Simplified schematic of digital clock manager (DCM) in Xilinxs Trojans for malfunction: Trojans in this category can be
Virtex-5.
further classified into two subcategories based on whether
they cause logical malfunction or physical malfunction.
fail in a sequential circuit. Trojans presented in the previous sections cause logic mal-
As another example of IP-independent Trojans, consider function by modifying the values in the LUTs, causing
a simplified programmable I/O block shown in Fig. 6 which undesired routing between two logic modules, etc. Fig. 7
contains buffers, enable logic, slew rate control, and level shows additional examples of payloads affected by Trojans.
shifters for logic level compatibility. Similar to the DCM, the Trojans intended to cause physical damage can create
configuraiton of the I/O block is stored in local SRAM. A electrical conflicts at the I/O ports or at the programmable
counter-based Trojan could be inserted in the device; when interconnects. Consider the programmable I/O block in
activated, this could modify the output-slew control, disable Fig. 6. When a I/O port is configured to be an input by
the output logic, or cause physical damage with logic-level a design, the configuration cells in the I/O block should
incompatibility at the I/O port. Again, these Trojans could disable the output block to prevent internal conflicts. A
be distributed in many I/O blocks to improve the chances counter-based Trojan can be inserted in the foundry which
of causing malfunction. detects the state of the I/O port and begins counting.
When the counter counts to the final value, the Trojan may
enable the output logic when the port is configured as an
3.2 Payload Characteristics input. This would cause a high short-circuit current to flow
Hardware Trojans can also be classified based on their between the FPGA and the external device, possibly dam-
intended behavior. Trojans can be inserted for causing mal- aging the system. These Trojans are similar to the M ELT
function or for leaking sensitive information. In the former viruses described in [3] except that Trojans causing physical
case, Trojans alter the functionality of the design in some destruction may also be inserted in the foundry.
way, while Trojans designed for leaking sensitive informa- IP-leak Trojans: Since IP designs involve a high develop-
tion may do so without modifying the logic functionality of ment cost and contain sensitive information, security is of
the design. utmost importance Many high-end FPGAs such as Xilinxs
tionalities like shift register, FIFO etc. in addition to acting detecting faults Using input vectors, all the programmable
as Random Access Memory (RAM). The control circuitry logic blocks can be tested to function correctly without
shown in Fig. 9(b) decides between normal read operation faults. For example, a stuck-at-0 fault in the programmable
and shift register operation inside the EMBs. The inserted logic blocks can be detected by mapping an AN D function
logic or Trojan conditionally affects the shift operation inside in the blocks and applying all-1 inputs. However, since
a EMB by using adjacent memory contents and so can be Trojan models are very different from fault models, a better
triggered at run-time. It can be noted that the similar trigger approach is required to detect Trojans. For example, an
conditions can also be effectively used to leak the contents attacker can insert a Trojan which uses many values of the
of the memory to the output port. Such malfunctions can be LUT SRAM cells or configuration cells as trigger nodes, and
achieved by changing the address bits of the memory blocks such a Trojan will not be detected using testing based on
in different clock cycles and reading out the immediate next fault models.
location of the memory in each and every cycle so as to Due to the availability of a large number of pro-
obtain the complete memory contents stored in a particular grammable blocks containing countless nodes, exhaustive
EMB or a set of EMBs. testing of all combinations of nodes is infeasible. For a k -
k
input LUT, having L=2k cells in the logic block, F =22
4 T ROJAN D ETECTION M ETHODS FOR FPGA distinct functions are possible. For a n-input Trojan, the
inputs can be chosen in L C2 ways from the L cells. Since
In this section, we discuss some detection methods for
each combination can in turn be one out of 2n values,
detecting FPGA hardware Trojans. These methods must be
the total number of functions that need to be mapped to
used by the FPGA vendors when they receive the chips from k
exhaustively test a logic block becomes F =22 2n . For
the off-shore foundry. We assume that the testing facility
example, for a 2-input LUT having 4 cells, a 2-input Trojan
used by a FPGA vendor is secure, eliminating the possibility
can be chosen from the 4 cells in 4C2 =6 ways. If the chosen
that an adversary in the testing facility could intentionally
two cells are designated a and b, then the trigger values for
not detect malicious alterations. Detection methods can be
the Trojan can be (ab, ab, ab, ab), requiring 24 functions to be
classified into 3 categories: Visual detection techniques, logic
mapped. However, since entire functions are mapped onto
testing, and side-channel analysis.
the LUTs, mapping one function with values a, b, c, d can
Visual Detection methods: This class of detection meth-
detect several Trojans such as ab, bc, cd, etc., thus requiring
ods uses imaging to identify any malicious insertions
fewer functions to be mapped.
in the chip. These techniques include using X-ray imag-
ing [10], scanning optical microscopy (SOM), scanning elec- Still, if the trigger nodes are distributed among logic
tron microscopy (SEM) [11], and picosecond imaging circuit blocks, the sheer number of logic blocks, LUTs, and configu-
analysis (PICA), among others. These methods, however, ration cells makes it impossible for exhaustive testing to be
can be expensive in cost and analysis time. Moreover, used for Trojan detection. Due to this restriction, we propose
these techniques suffer from lack of resolution to decipher a statistical approach of iterative self-checking based on the
logic/transistor/interconnect level information, primarily MERO test approach [14] as shown in Fig. 10 Since the
due to the obstruction by the stack of metal layers in probability of activating a Trojan using the logic testing
modern FPGAs [12]. With increasing device density due to approach decreases with the number of trigger inputs, we
technology scaling, effectiveness of the imaging techniques assume that the number of trigger nodes n is small (2 to 4)
is expected to reduce significantly. Partial de-layering of and only distributed within nearby CLBs.
ICs appears more effective [13]; however, it may in turn Algorithm 1 shows the major steps in the proposed sta-
render an FPGA non-functional. Due to the above limita- tistical test approach. We begin with a cluster of logic blocks
tions, imaging analysis may not be a viable Trojan detection of size S , the number of nodes B , random configuration set
technique. C , and input pattern set I . For each configuration mapped
Logic-based testing: Standard logic testing of FPGAs by to the logic blocks, we activate the nodes to logic-0 and logic-
automatic test pattern generation (ATPG) tools is used for 1 several times using different input patterns. This proce-
Algorithm 1 The Statistical FPGA Testing Approach garding all the gates in the chip (including malicious
Inputs: Cluster of logic blocks of size S , the number of gates/transistors). Trojans causing physical damage by cre-
nodes B , random configuration set C and input pattern set ating electrical conflicts can also be detected using side-
I channel analysis since these Trojans result in a large current
Outputs: Trojan-free ICs flow through the power supply. A simple design file can be
loaded which configures I/O ports as inputs and then mea-
1: for all S = 2Y such that 0 Y K do sures the supply current. If these Trojans simultaneously try
2: for all nodes in S do to configure the port as an output, then a very large current
3: for all configurations in C do can be detected by current sensors in the device, indicating
4: for all vector vi in I do a malicious modification. Since on-chip current sensors may
5: propagate values to ORAs (simultaneously test also be tampered in the foundry during production, they
other clusters of same size) must be tested thoroughly to identify any tampering. An
6: observe outputs of ORAs alternative and secure strategy would be to use an on-board
7: end for current sensor to detect short-circuit conditions.
8: end for Trojans which do not cause physical damage and only
9: end for cause logical malfunction may be extremely difficult to
10: end for
detect by analyzing static power. This is due to the difficulty
in isolating the contribution of the malicious insertions from
the measured power traces in ICs containing many millions
dure is done concurrently with the other remaining clusters of transistors. On the other hand, transient or dynamic
of logic blocks, such that for each configuration all clusters power can be controlled by applying input vectors to re-
are tested simultaneously. The outputs of the clusters can be veal information about a few gates which are switching
tested by a few logic blocks configured as output response at any given time. The advantage of this type of analysis
analyzers (ORA). These ORAs can be exhaustively tested at is that, unlike logic-based testing, a Trojan does not have
the beginning of the test procedure. Any activated Trojan to become active for detection; it merely needs to cause
that is activated will be observed at the primary outputs. switching in the Trojan to consume dynamic power. For
Then, the cluster size is iteratively increased (e.g. to include the IP-independent Trojans presented in section 3, transient
two neighboring logic blocks) and the process is repeated. power analysis can be an effective detection method. For ex-
Such a statistical approach of testing can be effective since an ample, a counter-based Trojan inserted in the clock manager
attacker does not know the exact test procedure to cleverly module can be detected by applying a clock signal to the
insert malicious circuits. Moreover, for larger combinational FPGA and applying constant inputs to prevent logic blocks
and sequential Trojans, this approach can be useful to cause from switching. An extraneous counter or any sequential
partial activation of Trojans for detection using side-channel circuit will consume transient power as it transitions from
techniques. one state to another. This contribution to dynamic power can
Redundancy and reconfigurability are two key features be identified and associated with malicious insertions after
that are helpful for Trojan detection. Just as these features accounting for process noise and clock coupling power.
are used are used to counter run-time failures in FPGAs,
so can they be used to counter against FPGA hardware
and design Trojans. In the case of FPGA hardware, recon-
5 H ARDWARE T ROJAN TOLERANCE IN FPGA
figurability allows the activation of several nodes in the
logic blocks through different logic values. Redundancy can In this section, we propose a novel approach to protect
be used during testing, for example, by using N-modular against Trojan circuits of varying forms in FPGA devices
redundancy to ensure that the trigger nodes present in the (as discussed in Section 3). The protection approach is
ORAs can also be detected by comparing the outputs of based on tolerating Trojan effects during operation by either
many ORAs. This is under the assumption that Trojans in containing the Trojan effect (through activation detection)
FPGA hardware (localized or distributed) do not affect all or bypassing the effect of Trojan activation using redundant
the resources in the same way. This can be coupled with logic. The proposed Trojan tolerance approach takes its in-
dynamic run-time reconfigurability to improve the level of spiration from existing run-time fault tolerance approaches
security. [15], [16]. The focus of the Trojan tolerance approach is to
Side-channel Analysis: Logic-based testing may not be ef- achieve maximum confidence with respect to trusted oper-
fective for activating large combinational or sequential Tro- ation in the presence of Trojans in FPGA hardware, while
jans due to the extremely large number of possible trigger minimizing the area, power, and performance overhead.
nodes. Side-channel analysis involves the measurement and It is a challenge to maintain a satisfactory level of sur-
analysis of information obtained from an ICs side-channels. vivability with minimum cost. Each user requires differ-
The information could be based on timing, power consump- ent survivability level, optimizing some attributes at the
tion, or electromagnetic radiation. Side-channel analysis has expense of others. A single Trojan mitigation scheme may
been proposed previously as a powerful technique to detect not be satisfactory to all FPGA users; therefore various
malicious insertions in an IC [14]. In this section, we specifi- schemes can be combined in a coherent way to satisfy
cally concentrate on side-channel information obtained from different users requirements. We propose a hybrid scheme
power consumption in the device. of hardware Trojan tolerance that combines adapted Triple
Static power contains comprehensive information re- Modular redundancy (TMR) and dynamic reconfiguration.
Case 2a: When two adders are from the same module, the
tolerant FPGAs. The variants would differ in both LUT set of adders that are affected by similar Trojan instances =
and programmable interconnect structures while maintain- {Oi , Ri }, where i = 1, 2, 3, or4.
ing the functional behavior and parametric specifications Case 2b: When two adders are from different modules,
(e.g. critical path delay). One possible approach to making the set of adders that trigger Trojans = {Oi , Rj }, where
variants is finding non-delay critical gates and regrouping i, j = 1, 2, 3, or4andi 6= j .
them. It ensures that the content of the LUT and the layout Case 2a can be mitigated by using the variants of adders
of the design will be changed while the delay remains for Oi and Ri . It is highly unlikely that both adders (Oi
the same. We regroup the logic gates to change both LUT and Ri ) will simultaneously trigger the same Trojan because
content and their interconnection possibly changing the different implementations involve different logic blocks,
required number of LUT resources. Next, we convert the storage elements, logic structures, and memory locations.
regrouped LUTs as hard macros (so that they are not Thus a judicious design of structural variants can avoid si-
optimized again by the synthesis tool). The last step is to re- multaneous activation. Case 2b cannot be handled by using
synthesize the circuit including the macros with the original only one spare adder with the highest level of security. Two
time constraints. Thus even when both replicas are infected spare adders S1 and S2 may be required in order to achieve
with a Trojan, the Trojan is very unlikely to be activated in the highest level of trust in the case of two simultaneous
both the original and replica modules simultaneously. Thus, failures as in Case 2b (in general, to tolerate n number of
the proposed scheme can overcome the limitation of TMR simultaneous failures with n max#of modules, we need
in that it can protect the circuit from multiple Trojan effects n spares). Each spare resource is used to determine and
by employing variants of a processing unit. Fig. 12 shows replace a faulty adder in each module.
the flow chart for implementing the variants. Worst-case Scenario: If multiple adders from multiple
modules trigger Trojans simultaneously, the set of adders
5.3 Exploiting Reconfigurability to Reduce Overhead that trigger Trojans = {X1 , X2 , X3 , X4 }, where X = OorR.
Many real time applications do not require the highest level In the worst-case scenario, the highest level of security
of security and spare resources can be time-shared among can be achieved at the expense of four spare adders because
the faulty modules. For example, instead of using a dedi- different implementations for Oi and Ri ensure that both
cated third redundant component, n number of redundant adders will not trigger the same Trojans at the same time.
components can be shared among m (n < m) number of
faulty modules, depending on the required level of security. Thus the number of spare resources (Si ) varies from zero
Then the arbiter can select the component on demand allow- to four to achieve the highest level of security, depending
ing efficient and flexible use of resources. Reconfiguration on the number and the location of Trojan affected adders
also allows time-sharing of hardware components. Fig. 13 (Fig. 13). However, many real time applications do not
shows several modules and their time sharing of spare require the highest level of security and (Si ) can be time-
resources. shared among the faulty modules. The proposed hybrid
Different Trojan triggering scenarios and their Trojan scheme that combines adapted TMR with reconfiguration
tolerance are discussed below. has the potential to reduce the overhead/power consump-
Case 1: If only one adder triggers Trojans, then the Trojan tion associated with TMR by decreasing the usage of re-
infected adder can be detected by using the spare adder S1 dundancies while allowing reconfiguration. The proposed
as explained in Fig. 11. scheme can also overcome the limitation of TMR in that
Case 2: If two adders trigger Trojans, then the following it can protect the circuit from multiple single event upsets
cases can occur. (SEUs) by employing variants of adders.
TABLE 1
Comparison of design overhead between TMR and ATMR without variants, with variants, and with time-shared resources
TABLE 3
Comparison of Design Overhead for TMR and ATMR Correction Techniques on a DLX Processor
Area (LEs) Flipflops RegFile (bits) Delay (ns) Power (mW) x Impr. (Area) x Impr. (Lat.) x Impr. (Pow.)
IF 199 128 0 5.6 6.89 - - -
TMR IF 813 384 0 5.7 20.1 4.1X 1X 2.9X
ATMR IF 835 384 0 5.7 11.4 4.2X 1X 1.7X
ID 222 128 2048 4.9 11.96 - - -
TMR ID 988 384 6144 4.9 33.96 4.5X 1X 2.8X
ATMR ID 1011 384 6144 4.9 21.4 4.6X 1X 1.8X
EX 1512 133 0 18 23.0 - - -
TMR EX 4747 399 0 19.7 71.98 3.1X 1.1X 3.1X
ATMR EX 4770 399 0 19.7 38.03 3.2X 1.1X 1.7X
MEM 105 101 0 5 2.03 - - -
TMR MEM 487 303 0 5 11.05 4.6X 1X 5.4X
ATMR MEM 510 303 0 5 5.5 4.9X 1X 2.7X
WB 44 0 0 4 1.24 - - -
TMR WB 186 0 0 4 3.09 4.2X 1X 2.5X
ATMR WB 209 0 0 4 2.05 4.8X 1X 1.7X
DLX 2082 490 2048 18 29.04 - - -
TMR DLX 7221 1470 6144 19.7 89.7 3.5X 1.1X 3.1X
ATMR DLX 7244 1470 6144 19.7 48.5 3.5X 1.1X 1.7X
affecting the same circuit and increased complexity in Further improvements in overhead (power and resources)
reconfiguration, but less controller/comparator overhead have been achieved by exploiting reconfiguration and reuse
and delay. Table 2 shows the area/delay/power overheads of the resources in ATMR without compromising security.
for component level and ALU level TMR and ATMR ap-
proaches. While component level TMR / ATMR provides R EFERENCES
more security, it increases reconfiguration latency and over- [1] DARPA, TRUST in Integrated Circuits (TRUST), 2008. Avail-
all system latency (1.6x), while incurring greater area (8.6x) able [Online] http://www.darpa.mil/mto/programs/trust/index.
and power (5.7x) overhead. Conversely, ALU-level TMR html.
and ATMR provide less security, but incur smaller area [2] S. Trimberger, Trusted design in FPGAs, 44th Design Automation
Conference, 2007.
(3.9x) and power (3.5x) overhead, while delay remains un- [3] I. Hadzic, S. Udani, J. Smith, FPGA viruses, Ninth International
changed; again, the power consumption for ATMR is further Workshop on Field-Programmable Logic and Applications, 1999.
reduced (2.3x) because of the conditionally-enabled third [4] S. Drimer, Volatile FPGA design security: a survey, Cambridge
University, 2008.
instance. These tradeoffs enable designers to fine-tune the [5] T. Huffmire, Handbook of FPGA design security, 44th Design
system security while considering relevant overheads in the Automation Conference, 2007.
resultant hardware. [6] X. Wang, M. Tehranipoor, J. Plusquellic, Detecting Malicious In-
clusions in Secure Hardware: Challenges and Solutions, IEEE
International Workshop Hardware- Oriented Security and Trust, pp. 15-
19, 2008.
8 C ONCLUSION [7] S. Trimberger, Method and apparatus for protecting proprietary
decryption keys for programmable logic devices, US Patent
Malicious alterations to a design are possible at various 6654889, 2003.
stages of the design flow. In this paper, we focused on [8] Aletar: Military Anti-Tampering Solutions Using Programmable
possible malicious changes that can be inserted into FPGA Logic. [Online]. Available: http://www.altera.com/literature/cp/
CP-01007.pdf.
devices during production. We presented a taxonomy of [9] L. Lin, W. Burleson, C. Paar, MOLES: malicious off-chip leakage
hardware Trojan models specific to FPGAs, including mod- enabled by side-channels, Intl. Conf. on Computer-Aided Design,
els of Trojans that cause logical malfunctions and/or phys- 2009.
ical damage, and can be inserted by an attacker in the [10] A. Schropp et al, Non-destructive and quantitative imaging of a
nano-structured microchip by ptychographic hard X-ray scanning
foundry without knowledge of the final design. We ex- microscopy, Journal of Microscopy, 2010.
plained multiple detection strategies that could be used [11] J. Soden, R. Anderson and C. Henderson, IC Failure Analysis
to non-invasively test FPGAs to identify the presence of Tools and Techniques Magic, Mystery, and Science, International
Test Conference, Lecture Series II - Practical Aspects of IC Diagnosis and
Trojans. As FPGAs are being increasingly used in a wide
Failure Analysis: A Walk through the Process, pp. 1-11, 1996.
field of applications, the hardware Trojan models must be [12] V. Nagabudi, Extraction Based Verification Method for off the
fully understood before reliable detection strategies can be Shelf Integrated Circuits, M.S. Thesis, CWRU, 2010.
developed to provide hardware assurance. In addition, we [13] K.K. Yu and C.N. Berglan, Automated system for extracting
design and layout information from an integrated circuit, United
proposed a novel Trojan tolerance scheme, namely ATMR, States Patent 5,086,477, 1992
that protects FPGA devices against Trojans of varying sizes [14] R.S. Chakraborty, F. Wolff, S. Paul, C. Papachristou, and S. Bhunia,
and functionalities. We compared the proposed scheme with MERO: A Statistical Approach for Hardware Trojan Detection,
the conventional TMR approach and demonstrated that CHES, 2009.
[15] H. Kubatova and P. Kubalik, Fault-Tolerant and Fail-Safe Design
ATMR requires less power overhead, while maintaining the Based on Reconfiguration, Design and Test Technology for Dependable
same or higher level of security and performances as TMR. Systems-on-Chip, pp. 175-194, 2011.
[16] N. Gaitanis, The Design of Totally Self-Checking TMR Fault- ysis, ACM SIGSAC Conference on Computer & Communications Secu-
Tolerant Systems, IEEE Transaction on Computers, vol. 37, no. 11, rity, pp. 697-708, 2013.
1988. [41] N. Yoshimizu, Hardware Trojan detection by symmetry breaking
[17] R. S. Chakraborty, S. Narasimhan, and S. Bhunia, Hardware in path delays, IEEE International Symposium on Hardware-Oriented
Trojan: Treats and Emerging Solutions, IEEE International High Security and Trust, 2014.
Level Design Validation and Test Workshop, pp. 166-171, 2009.
[18] M. Tehranipoor and F. Koushanfar, A Survey of Hardware Trojan
Taxonomy and Detection, IEEE Design and Test of Computers, vol.
27, no. 1, pp. 10-25, 2010.
[19] F. Lima, C. Carmichael, J. Fabula, R. Padovani, R. Reis, A Fault
Injection Analysis of Vertex FPGA TMR Design Methodology,
European Conference on Radiation and Its Effects on Components and
Systems, pp. 275 - 282, 2001.
[20] M. Abramovici and P. Bradley, Integrated Circuit Security - New
Threats and Solutions, Annual Workshop on Cyber Security and
Information Intelligence Research, pp. 1-3, 2009.
[21] S. Srinivasan, A. Gayasen, N. Vijaykrishnan, M. Kandemir, Y. Xie,
M.J. Irwin, Improving Soft-error Tolerance of FPGA Configuration
Bits, IEEE/ACM International conference on Computer-aided design,
2004.
[22] D. McIntyre, F. Wolff, C. Papachristou and S. Bhunia, Trustworthy
Computing in a Multi-core System using Distributed Scheduling,
IEEE International On-Line Testing Symposium), 2010.
[23] R.V. Kshirsagar and R.M. Patrikar, Design of a novel fault-
tolerant voter circuit for TMR implementation to improve reliability
in digital circuits, Microelectronics Reliability, vol. 49, pp. 1573-1577,
Dec. 2009.
[24] F. Wolff, C. Papachristou, S. Bhunia, R.S. Chakraborty, Towards
Trojan-Free Trusted ICs: Problem Analysis and Detection Scheme,
Design, Automation and Test in Europe, 2008.
[25] D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, B. Sunar, Tro-
jan detection using IC fingerprinting, IEEE Symposium on Security
and Privacy, 2007.
[26] M. Rebaudengo et al., Analysis of SEU effects in a pipelined
processor, IEEE International On-Line Testing Workshop, 2002.
[27] R. Torrance and D. James, The State-of-the-Art in IC Reverse En-
gineering, Cryptographic Hardware and Embedded Systems (CHES),
pp. 363-381, 2009.
[28] T. Ban and L.A.B. Naviner, A simple fault-tolerant digital voter
circuit in TMR nanoarchitectures, 8th IEEE International NEWCAS
Conference, pp. 269 - 272, 2010.
[29] T.J. Bauer and S.P. Young, FPGA Architecture with Deep Look-up
Table RAMs, US Patent 6288568 B1, 2001.
[30] Y. Lin, C. Zhang, D. Jefferson and S. Reddy,Memory Array
Operating as Shift Registers, US Patent 6288568 B1, 2006.
[31] J.M. Bearfield, Introduction to Hot Swap, [Online]
http://eetimes.com/design/analog-design/4018093/Introduction-to-Hot-
Swap, Nov 2011.
[32] K. Xiao and M. Tehranipoor, BISA: Built-In-Self-Authentication
for Preventing Hardware Trojan Insertion, IEEE Int. Workshop on
Hardware Oriented Trust and Security, pp. 45-50, 2013.
[33] F. Imeson, A. Emtenan, S. Garg, and M.V. Tripunitara, Securing
computer hardware using 3D integrated circuit (IC) technology and
split manufacturing for obfuscation, USENIX conference on Security,
2013.
[34] S. Narasimhan, W. Yueh, X. Wang, S. Mukhopadhyay, and S.
Bhunia, Improving IC Security against Trojan Attacks through
Integration of Security Monitors, IEEE Design & Test of Computers,
2012.
[35] J. Rajendran, V. Jyothi, O. Sinanoglu, and R. Karri, Design and
analysis of ring oscillator based Design-for-Trust technique, VLSI
Test Symposium, 2011.
[36] H. Salmani, M. Tehranipoor, and J. Plusquellic, A Novel Tech-
nique for Improving Hardware Trojan Detection and Reducing
Trojan Activation Time, IEEE Transactions on VLSI, 2011.
[37] M. Banga and M. Hsiao, ODETTE: A non-scan design-for-test
methodology for Trojan detection in ICs, IEEE Int. Workshop on
Hardware Oriented Trust and Security, pp. 18-23, 2011.
[38] G. T. Becker, F. Regazzoni, C. Paar, and W. P. Burleson, Stealthy
dopant-level hardware Trojans: extended version, Journal of Crypto-
graphic Engineering, pp. 1-13, 2014.
[39] S. Wei and M. Potkonjak, Scalable hardware trojan diagnosis,
IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol.
20, pp. 1049-1057, 2012.
[40] A. Waksman, M. Suozzo, and S. Sethumadhavan, FANCI: Iden-
tification of stealthy malicious logic using Boolean functional anal-
We are grateful to all the reviewers and the Associate Editor for their valuable
suggestions and comments that helped us in improving the paper. We have carefully
considered all the comments. We have provided responses to all comments and made
necessary revisions in the manuscript.
AE Comments:
Response: We thank the Associate Editor for the feedback. We have tried to address
all the reviewers comments and have reformatted the manuscript to meet the journal
guidelines.
Reviewer #1
This work attempts to classify Trojans as applicable to FPGA domain. With increasing
usage of reconfigurable logic in modern day applications, the threat of Trojans emerges
as a concern for the FPGA community as well. This work tries to address this issue by
first categorizing the type of threats possible and then providing a few solutions to
avoid/detect Trojan intrusions.
The paper is easy to read in general although there are repetitions in parts that could be
avoided reducing the length. There are sufficient citations which are relevant to the
context.
The following changes/additions can make it more useful for future readers:
1. The figures are of poor quality in terms of resolution. There is nothing like Fig 5(a),
Fig 12 (a) and Fig 12(b). This is a mistake and should be corrected. Fig 12 is barely
legible. It should be redrawn appropriately. This applies to fig 4 and Fig 5 as well.
Response: We thank the author for pointing out these issues. We have fixed the
references problems and we have also improved the resolution of the figures.
2. On page 4, the authors have mentioned that a DSP core or clock manager can be
easily identified from the layout of the FPGA and can be a potential target for HW
attacks. Claims like this should be substantiated with appropriate references or
experimental results.
Response: We have added a reference to show that reverse engineering of layout can
be done to identify common building blocks in a design.
Reviewer #2
Comments:
Strong Points:
1. The paper has shown a clearly and results of the proposed approaches which
can against the hardware Trojan attacks by minor changing the previous TMR method.
2. Further improved by designing variants and exploiting reconfigurability, the
proposed ATMR provides higher security level with lower design overhead.
3. The discussion part are given detailed about the relevant issues Trojans that
can affect voter or in RTL/netlist level, sufficient resources of the system, and the
balance of granularity.
Response: We appreciate the reviewers comments on the strong points of the paper.
Weak Points:
1. Whether the proposed method can against hardware Trojan which is inserted in
RTL or netlist level needs more exhaustive discussion.
2. Although its a good paper, therere too many contents in the first half of the
paper. The simulation part needs to be more detailed.
Response: We thank the reviewer for pointing these out. Note that we have
distinguished between Trojan in RTL or netlist level IPs mapped to FPGAs versus
Trojans in an FPGA device (Section III). We have revised that part of the paper to
clarify this distinction.
We have also reorganized the paper to reduce the content of the first half and focus
more on the simulation part.
Reviewer #3
Comments:
1. Please follow the format of computer society.
Response: We have updated the format of the paper based on the computer society
guidelines.
2. This paper only gives an overview of the Trojan on FPGA. However, more theoretic
analysis should be presented to clearly demonstrate the
Response: We are not sure what the reviewer intended to ask here. We have revisited
the Trojan in FPGA part (Section III) and improved the description. Please note that
the goal of the paper is to show that FPGA structures are vulnerable to Trojan insertion,
where the Trojan can be IP-dependent or IP-independent. We have provided
appropriate reasoning and examples to illustrate this vulnerability.
3. For the effect of the Trojan, this paper is hard to follow since there is no concrete
exampe on how exactly the Trojan is inserted and how it works.
Response: Note that the entirety of Section III of the paper is devoted to Trojan designs
of various forms and sizes possible in FPGA. Figs. 4, 5, 6, 7, 8, and 9 are all example
Trojan instances in FPGA.
3. It seems the authors refer IP to identical property throughout this paper. However, it
was first explained in line 42, page 3, left column. Before that, it is not clear what it
refers.
Response: Note that IP stands for Intellectual Property, which was mentioned in Page
2 (Section I). We have moved this definition to Page 1, right column, in the second
paragraph of the manuscript.
4. It looks that the statistical FPGA Testing Approach is nothing but an exhaustive
search. There is nothing innovative or interesting.
Response: We do not agree with the reviewer. To our knowledge statistical testing is
new in the context of FPGAs. By definition, statistical testing is not it is not exhaustive
testing since it does not exercise the entire input space.
5. For the proposed ATMR approach, the authors did not clearly present how it works.
Definitely we need more details about the flow. Based on the information provided by
the authors, the only improvement of ATMR compared to TMR is that ATMR
conditionally uses the third replica. The contribution is small.
Response: The goal of the proposed approach is a Trojan tolerance approach, similar
to fault tolerance. To our knowledge, that itself has novelty. We believe combining that
with adaptive TMR to reduce power consumption as well as to apply the concept of
variant circuitry to improve Trojan coverage is a significant and novel contribution.