Abstract-Electronic Design Automation (EDA) industry heavily reuses third party IP cores which are vulnerable to insertion of Hardware Trojans (HTs) at design time by third party IP core providers. State of the art research has shown that existing HT detection techniques, which claim to detect all publicly available HT benchmarks, can still be defeated by carefully designing new sophisticated HTs. The reason being that these techniques consider the HT landscape to be limited only to the publicly known HT benchmarks. However the adversary is not limited to these HTs and may devise new HT design principles to bypass these countermeasures. In this paper, we discover certain crucial properties of trigger activated HTs which lead to the definition of an exponentially large class of Deterministic Hardware Trojans HD that an adversary can (but is not limited to) design. The discovered properties serve as HT design principles which help us understand the tremendous ways available to an adversary to design a HT, and show that the existing publicly known HT benchmarks are just the tip of the iceberg on this huge landscape.
I. INTRODUCTION
Modern electronic systems heavily use third party IP cores as their basic building blocks. These IP cores give rise to a critical security problem: how to make sure that the IP core does not contain a Hardware Trojan (HT)? A significant amount of research has been done during the past decade to design efficient tools for HT detection. Hicks et al. [1] proposed Unused Circuit Identification (UCI) which centers on the fact that the HT circuitry mostly remains inactive within a design, and hence such minimally used logic can be distinguished from the other parts of the circuit. However later works [2] , [3] showed how to design HTs which can defeat the UCI detection scheme. Zhang et al. [4] and Waksman et al. [5] proposed detection schemes called VeriTrust and FANCI respectively and showed that they can detect all HTs from the TrustHub [6] benchmark suite. Yet again, a more recent technique called DeTrust [7] introduces new Trojan designs which can evade both VeriTrust and FANCI.
The reason behind this cat-and-mouse game between attackers and defenders is that the current HT detection tools offer critically low HT coverage and typically only cover a small constant set of publicly known HT benchmarks such as TrustHub. Whereas an adversary may design new HTs which are different from the publicly known HTs in that they can bypass the detection tool, as demonstrated by DeTrust [7] . It is unclear to what extent the existing HT detection tools are effective for publicly unknown HTs. This work, therefore, stresses that instead of guaranteeing a certain (low) false negative rate for a small constant set of publicly known HTs, a rigorous HT detection tool should guarantee the detection of an exponentially large class (exponential in number of wires in IP core) of HTs with negligible false negative rate. In this paper, we limit ourselves to trigger activated digital HTs which have digital payloads. HTs that are always active and/or exploit side channels for their payloads are out of scope of this paper.
This paper
1 extends the design space of trigger activated and deterministic digital HTs by introducing their four crucial properties (d, t, α, l) which characterize a large and complex class H D . These properties, determining the stealthiness of HTs, lead to a much more detailed classification of such HTs and hence assign well defined boundaries to the scope of the existing and new countermeasures on the huge landscape of HTs. In our model, H D represents the HTs which are embedded in a digital IP core whose output is a function of only its input, and the algorithmic specification of the IP core can exactly predict the IP core behavior. A brief highlight of the properties of H D is as follows:
Trigger Signal Dimension d represents the number of wires used by HT trigger circuitry to activate the payload circuitry in order to exhibit malicious behavior. Large d shows a complicated trigger signal, hence harder to detect. Payload Propagation Delay t is the number of cycles required to propagate malicious behavior to the output port after the HT is triggered. Large t means it takes a long time after triggering until the malicious behavior is seen, hence less likely to be detected during testing. Implicit Behavior Factor α represents the probability that given a HT gets triggered, it will not (explicitly) manifest malicious behavior; this behavior is termed as implicit malicious behavior. Higher probability of implicit malicious behavior means higher stealthiness. Trigger Signal Locality l shows the spread of trigger signal wires of the HT across the IP core. Large l means that these wires are spread out in the circuit, hence the HT is harder to detect.
Based on this framework, we discover that the current publicly known HTs have small d (mostly d = 1 for TrustHub) and hence they are the simplest ones. Fig. 1 unclear what security guarantees they offer outside TrustHub. This framework allows us to design new stealthy HTs which cannot be efficiently detected by ordinary means (design knowledge of the HT itself needs to be incorporated in the detection tool).
II. CHARACTERIZATION OF HARDWARE TROJANS
A Hardware Trojan (HT) is malicious extra circuitry embedded inside a larger circuit, which results in data leakage or harm to the normal functionality of the circuit once activated. We define extra circuitry as redundant logic added to the IP core without which the core can still meet its design specifications 3 . A trigger activated HT activates upon some special event, whereas an always active HT remains active all the time to deliver the intended payload.
Trigger activated HTs typically consist of two parts: a trigger circuitry and a payload circuitry. The trigger circuitry is implemented semantically as a comparator which compares the value(s) of certain wires(s) of the circuit with a specified boolean value called trigger condition. The HT trigger circuitry sends its comparator's output to the payload circuitry over certain other wire(s) called the trigger signal. Once the trigger signal is asserted, the payload circuitry performs the malicious operation called 'payload' as intended by the adversary. The trigger signal must not be confused with trigger condition; trigger condition is an event which causes the HT activation, whereas trigger signal is the output of trigger circuitry which tells the payload circuitry to show malicious behavior.
We first characterize the trigger activated HTs based on the payload channels they use once activated, as shown in Fig. 2 . St refers to the Trojans using only standard I/O channels, whereas Si represents the Trojans which also use side channels to deliver the payload. If a Trojan delivers some of its payload over the timing channel (or other side channels), then we define it to be in Si. If a Trojan delivers all of its payload using the standard usage of I/O channels, then we define it to be in St.
We further refine our description of St Trojans by subdividing them in H D and H ND groups based on the IP core behavior in which they are embedded and their algorithmic specifications. H D Trojans are the ones which are: (1) Embedded in an IP core whose output is a function of only its inputi.e. the logical functionality of the IP core is deterministic, and, (2) The algorithmic specification of the IP core can exactly predict the IP core behavior. If any of the two above mentioned A true random number generator (TRNG), for example, is a non-deterministic IP core since its output cannot be predicted and verified by logic testing against an expected output. 4 Any St HT in such a core is considered H ND . A pseudo random number generator (PRNG), on the other hand, is considered a deterministic IP core as its output depends upon the initial seed and is therefore predictable (hence H D ). Similarly, if the algorithmic specification allows coin flips generated by a TRNG then we consider the HT to be H ND , whereas if the coin flips are from a PRNG then we regard the HT as H D .
The non-deterministic behavior of IP cores and/or their functional specification which accepts small probabilistic fluctuations within some acceptable range allows a covert channel for H ND Trojans to embed some minimal malicious payload in the standard output without being detected by an external observer [9] . The external observer considers these small fluctuations as part of the functional specification. Hence, the non-deterministic nature of H ND Trojans prohibits the development of a logic testing based tool to detect these Trojans with overwhelming probability. The Trojan affected circuit in Fig. 3 produces a malicious output S = 1 for trigger condition A = B = 1 which is distinguishable from otherwise normal output (S = 0). However, the same circuit produces a (so called) malicious output S = 0 for trigger condition A = B = 0 which is the same as otherwise normal output and cannot be distinguished from the 'normal' behavior of the circuit. This observation leads us to the definition of explicit vs. implicit malicious behaviors:
III. ADVANCED PROPERTIES OF CLASS H D
Definition 1: Explicit malicious behavior refers to a behavior of a HT where the HT generated output is distinguishable from a normal output.
Definition 2: Implicit malicious behavior refers to a behavior of a HT where the HT generated output is indistinguishable from a normal output. Notice that an adversary may exploit the implicit malicious behavior to bypass the functional testing phase of the detection tools. Once the infected circuit has passed the testing and is deployed, it can then manifest explicit malicious behavior to actually deliver the payload. In other words, implicit malicious behavior can lead to false negatives. In the following discussion, we introduce some crucial properties of H D Trojans that characterize their complexity and stealthiness, and explain them using the above mentioned example.
A. Trigger Signal Dimension (d)
When a trigger condition of a HT occurs, regardless of the other subsequent user interactions, its trigger circuitry gets activated and outputs a certain binary value on a certain trigger signal T rig to activate the payload circuitry which manifests malicious behavior. A trigger signal T rig is represented as a labeled binary vector of one or more wires/registers/flipflops (each carrying a 0 or 1), e.g. in Fig. 3 , Sel = 1 is a trigger signal. In other words, T rig represents a trigger state of the circuit through which the circuit must have passed before manifesting malicious behavior. Hence a HT can be represented by a set of trigger states T ; i.e. the states which always lead to malicious behavior (implicit or explicit). In other words, d shows the width of the widest trigger signal bit-vector of a HT. E.g. for Fig. 3b, d (T ) = 1 since the trigger signal Sel is only 1-bit wide (and hence easy to detect). Obviously, it becomes difficult to detect HTs which only have high dimensional sets of trigger states, i.e. multi-bit trigger signals. The set of possible values of a given trigger signal T rig grows exponentially in d = |T rig| and only one value out of this set can be related to the occurrence of the corresponding trigger condition. Clearly, since in theory d can be as large as the number of wires n in the IP core, H D represents an exponentially (in n) large class of possible HTs.
B. Payload Propagation Delay (t)
For a set T of trigger states, we know that if the HT manifests malicious behavior, then it must have transitioned through a trigger state T rig ∈ T at some previous clock cycle. Therefore, we define the payload propagation delay t as follows:
Definition 5: Payload Propagation Delay t(T ) of a HT represented by a set of trigger states T is defined as the maximum number of clock cycles taken to propagate the malicious behavior to the output after entering a trigger state in T .
I.e., the number of clock cycles from the moment when a trigger signal is asserted till its resulting malicious behavior shows up at the output port. E.g., consider a counter-based HT where malicious behavior immediately (during the same clock cycle) appears at the output as soon as a counter reaches a specific value. Then, t({T rig}) = 0 for the trigger signal T rig which represents the occurrence of the specific counter value, say X (i.e. the trigger condition). However, notice that any counter value j clock cycles before X can also be considered as a trigger signal T rig with t({T rig}) = j, because eventually after j cycles this T rig manifests the malicious behavior. To detect a HT with a large value of t(T ), the memory requirement and complexity of logic testing based detection tool is increased. However, for any HT, typically there exists a set T having a small t because of a small number of register(s) between the trigger signal and the output port.
C. Implicit Behavior Factor (α)
In addition to previously discussed properties of Trojans, the IP core in which the Trojan is embedded plays a critical role in its stealthiness. According to the definition of implicit malicious behavior, it may not always be possible to distinguish a malicious output from a normal output just by monitoring the output ports. Consequently, the implicit malicious behavior adds to the stealthiness of the HT since it creates a possibility of having a false negative under logic testing based techniques. We quantify this possibility by defining the implicit behavior factor α as follows:
Definition 6: Implicit Behavior Factor α(T ) of a HT is the probability that given the HT is triggered, it will manifest implicit malicious behavior.
In other words, the higher the value of α, the lower the chance of detection by logic testing even if the HT gets triggered and hence the higher the overall stealthiness of the HT. E.g. for the HT from Fig. 3b with the trigger condition A = B, if (A, B) = (1, 1) then the malicious output S = 1 is distinguishable from the normal output (i.e. S = 0). However for (A, B) = (0, 0), the malicious 5 output S = 0 is indistinguishable from the normal output (i.e. S = 0), i.e. the implicit malicious behavior comes into the picture. Hence, given that this particular HT activates, the probability that the HT-generated (malicious) output is indistinguishable from the normal output is α(T ) = 0.5 which represents the implicit behavior factor of this HT. 
D. Trigger Signal Locality (l)
We notice that the individual wires of a HT trigger signal of dimension d are located in the close vicinity of each other in the circuit netlist/layout. This is because eventually these wires need to coordinate (through some combinational logic) with each other to perform the malicious operation. Based on this observation, we introduce the idea of locality in gate level circuits, similar to the region based approach in [10] .
Consider the simple combinational circuit from Fig. 4a for which we draw a locality graph shown in Fig. 4b . The nodes of the graph represent the wires of the circuit and each edge between any two nodes represents connectivity of the corresponding two wires through a combinational logic level. In other words, each logic gate of the circuit is replaced by multiple edges (three in this case) in the graph which connect together the nodes corresponding to its inputs and the output. For any two nodes (i.e. wires) i and j in a locality graph, we define dist(i, j) as the shortest distance between i and j. Hence dist(i, j) represents the minimum number of basic combinational or sequential logic levels (e.g. logic gates and/or flip flops) between wires i and j. 
IV. DISCUSSION & CONCLUSION
We provide the first rigorous framework of Hardware Trojans within which "Deterministic Trojans", the class H D is introduced. We discover several stealthiness parameters of the Hardware Trojans from H D which show that the current publicly known Hardware Trojans are the simplest ones in terms of stealthiness, and hence they represent just the tip of the iceberg at the huge landscape of Hardware Trojans. This framework leads us to design much more stealthy Hardware Trojans. In particular, a counter based Trojan with trigger signal dimension d = 2, and a generic high dimensional Trojan called XOR-LFSR are presented in the extended version of this paper [8] .
We conclude that our framework allows the Hardware Trojan research community to rigorously reason about the stealthiness of different Hardware Trojans and the effectiveness of existing countermeasures. The Hardware Trojan design principles introduced in this paper encourage and assist in designing new and even stronger countermeasures for highly stealthy and sophisticated Hardware Trojans.
ACKNOWLEDGMENT
This project was supported in part by AFOSR MURI under award number FA9550-14-1-0351.
