The threat of hardware Trojans (HTs) and their detection is a widely studied field. While the effort for inserting a Trojan into an application-specific integrated circuit (ASIC) can be considered relatively high, especially when trusting the chip manufacturer, programmable hardware is vulnerable to Trojan insertion even after the product has been shipped or during usage. At the same time, detecting dormant HTs with small or zero-overhead triggers and payloads on these platforms is still a challenging task, as the Trojan might not get activated during the chip verification using logical testing or physical measurements. In this work, we present a novel Trojan detection approach based on a technique known from integrated circuit (IC) failure analysis, capable of detecting virtually all classes of dormant Trojans. Using laser logic state imaging (LLSI), we show how supply voltage modulations can awaken inactive Trojans, making them detectable using laser voltage imaging techniques. Therefore, our technique does not require triggering the Trojan. To support our claims, we present two case studies on 28 SRAM- and flash-based field-programmable gate arrays (FPGAs). We demonstrate how to detect with high confidence small changes in sequential and combinatorial logic as well as in the routing configuration of FPGAs in a non-invasive manner. Finally, we discuss the practical applicability of our approach on dormant analog Trojans in ASICs.