Fabless semiconductor companies design system-on-chips (SoC) by using third-party intellectual property (IP) cores and fabricate them in offshore, potentially untrustworthy foundries. Owing to the globally distributed electronics supply chain, security has emerged as a serious concern. In this article, we explore electronics computer-aided design (CAD) software as a threat vector that can be exploited to introduce vulnerabilities into the SoC. We show that all electronics CAD tools-high-level synthesis, logic synthesis, physical design, verification, test, and post-silicon validation-are potential threat vectors to different degrees. We have demonstrated CAD-based attacks on several benchmarks, including the commercial ARM Cortex M0 processor [1] .
parameters can be altered by a malicious CAD tool. Intentionally changing the timing information of a logic gate can incorrectly identify the slowest path in the design resulting in timing violations. Not all vulnerabilities are effective. Some of them will affect the functionality and, hence, can be detected using pre-silicon verification, manufacturing test, and post-silicon validation methods.
Contributions of This Study
This is the first comprehensive study of CAD-based attacks. Contributions of this study are four-fold:
(1) CAD-based attacks that employ tools spanning all steps in an SoC design; (2) Proof-of-concept demonstration of attacks on practical designs (e.g., ARM Cortex processor); The sizes of the compiled binaries and the lines of code are reported for commercial tools and open-source tools, respectively. We did not have access to some of the commercial tools and, hence, their code size is not reported. As one can glean, Synopsys, Mentor and Cadence are the three major commercial CAD tool vendors. CAD ecosystem is vast and vibrant. Please check the DAC exhibits list [8] . These small CAD tool companies develop point solutions and are occasionally acquired by the big three. Post-silicon validation tools are missing from this table, because the only commercial post-silicon validation tool available is Tessent by Mentor Graphics. SigSeT [9] is a free post-silicon validation tool whose binary has a size of 188,551 bytes. Since it is not open-source, we could not report the lines of code. The tools we modified in this article are marked in blue. (3) CAD-based attacks that can be spotted in commercial SoC design flows; (4) High-impact, practical, and scalable CAD-based attacks that bypass detection.
This article does not consider attacks by a malicious OS that can modify CAD binaries to launch attacks. Similarly, it does not consider malware that modifies CAD tools to launch attacks. The list of attacks presented in this article are comprehensive, yet not exhaustive. A future researcher might use this work as a reference to design more attacks and introduce vulnerabilities using current and future CAD tools.
Paper Roadmap
A comprehensive picture of the commercial CAD flow is presented in Section 2. Prior works are discussed in Section 3. Exploration of malicious CAD during high-level synthesis, verification, logic synthesis, placement and routing, static timing analysis, post-silicon validation, and manufacturing testing steps are taken up in Section 4. Each sub-section discusses the considered CAD tool, outlines the attack, and demonstrates feasibility via experiments on benchmarks like ARM Cortex M0 processor and concludes with key takeaways. ARM Cortex M0 is an ARMv6-M architecturebased processor, which is used in commercial devices such as Infineon XMC1000, Toshiba TX00, ST Microelectronics STM32 F0, and so on. Detailed specification of the processor is presented in Table 2 . Currently, it is available only in Verilog. 
CAD-Base: An Attack Vector into the Electronics Supply Chain 38:5

Each attack is evaluated in terms of practicality (how feasible is it to launch the attack standalone?), scalability (how scalable is the tool modification to launch the attack?), stealth (how difficult is it to detect the attack?), and impact (what is the impact of the attack?).
We discuss the attacks in the context of checks and balances by upstream/downstream tools from diverse CAD companies. Section 5 concludes the study.
BACKGROUND 2.1 SoC Design Flow
We will look at the steps in an SoC design illustrated in Figure 1 .
Specification.
The system-level design starts with a high-level description of the SoC. For example, when designing a network router SoC, the system-level design tasks include planning the router functionality, determining the features supported, and finalizing the algorithms implemented at a high level. If the network router design requires compression, then the compression algorithm is determined. However, the implementation details, like whether it should be realized in hardware or software, is not. High-level programs such as C or MATLAB are employed for this purpose.
High-Level
Synthesis. This step translates the high-level specification (described in software-like languages, such as C, MATLAB) into a concrete hardware description (described in hardware description languages, such as Verilog or VHDL). This step explores hardware-specific features such as parallelism, timing, and synchronization. Manual implementation and optimization requires highly trained designers. Hence, automated High-Level Synthesis (HLS) methods are popular [14] . HLS tools use state-of-the-art software compilers (e.g., GCC or LLVM) to extract an intermediate representation. Based on a set of input constraints and the target technology libraries, the HLS tool performs operation-to clock cycle scheduling, operation-to operator resource binding, interconnection binding, and controller synthesis. Popular HLS CAD tools include Xilinx Vivado HLS, Cadence Stratus, and Mentor Catapult. Each of them starts from a different high-level language and targets specific technologies (either FPGA or ASIC) [14] . This is the first work that explores how a malicious HLS tool can be used to introduce vulnerabilities in a design.
Verification.
Once the hardware is modeled using a high-level language, one needs to verify that the functionality is preserved during HLS. There are two approaches for verification: Simulation-based and Formal. In simulation-based verification, the design is simulated on a large number of inputs. There is an abundance of fast, accurate commercial simulators such as Mentor Graphics ModelSim, and Synopsys VCS. Co-simulation approaches are normally used for verification between high-level specifications and RTL descriptions. FPGA-based hardware emulators are also used to accelerate simulation [15] .
Formal verification, however, formally proves the model of a system against a formal specification. Formal verification either proves absence of bugs or generates counterexamples identifying the bugs. It does not use and, hence, does not depend on the input vectors and can find bugs faster than simulation-based methods. Equivalence Checking, Model Checking, and Theorem Proving are the popular verification techniques. Appendix A explains more details on formal verification.
Formal verification techniques result in state-space explosion and, hence, are unsuitable for large designs. There is a large memory requirement to verify all states correctly. Recently, techniques like bounded model checking that perform model checking for a limited time period or on a constrained state space by unrolling the design a specific number of times have been proposed [16] . Although this allows scaling to large designs, it offers limited guarantees.
As seen in Figure 1 , Verification is performed in two phases, once after HLS and once after logic synthesis. Generally, simulation-based verification is used after HLS and equivalence checking between the original RTL, and the generated gate-level netlist is used to ensure equivalence after logic synthesis. Although verification CAD tools have been used to detect security vulnerabilities, malicious applications of them have not been explored before.
Logic Synthesis.
Logic Synthesis transforms an RTL description to an optimized gate-level netlist of combinational and sequential gates from a standard cell library. A typical cell library comprises of AND, OR, D Flip-Flop and other basic gates annotated with parameters such as delay and power. The four main steps of logic synthesis are: logic simplification, logic synthesis, technology mapping, and optimization. Popular CAD tools used for logic synthesis include Synopsys Design Compiler and Cadence Genus. Malicious logic synthesis tools have been used by References [17, 18] to create backdoor in the design. However, in this article, we explain how those attacks are vulnerable, as they can be detected by post-synthesis verification/validation tools like Logical Equivalence Checker.
Placement and
Routing. This step determines how the various gates can be arranged in a die and the wires between them can be routed. Placement and routing (PNR) CAD tools help with these tasks while optimizing the wirelength and area of the die. A PNR tool accepts the gatelevel netlist, design constraints, technology information (Library Exchange Format or lef), macro and standard cell physical and timing libraries (Timing Library File or tlf) as input and carries the design through floorplan, placement, optimization, clock tree synthesis, and routing to produce a physical layout. The layout obtained is subjected to design checks and is readied for tapeout to the chosen foundry for fabrication. Synopsys IC Compiler and Cadence Encounter are popular PNR CAD tools. This is the first time a malicious PNR tool is used to introduce design vulnerabilities.
Timing
Analysis. This step identifies critical paths in a design to determine the clock frequency at which the circuit will operate. The input to a timing analysis tool are the synthesized gate-level netlist and the timing cell library. The timing cell library contains timing information for the various building block cells used in the design. The timing analysis CAD tool identifies possible paths with small delay defects, 2 which can be used by the manufacturing test tools to detect those defects. Commercial tools include Synopsys Primetime and Cadence Tempus. To date, there has not been any research on utilizing malicious timing analysis tools.
Post-Silicon
Validation. This step detects functional faults after the SoC is fabricated. Due to a reduction in feature size and time-to-market pressures, a lot of functional errors escape the pre-silicon verification. Post-silicon validation catches these errors. Although post-silicon validation operates on a manufactured SoC-like manufacturing test (Section 4.9), the former targets functional errors, while the latter targets electrical errors.
The primary problem with post-silicon validation is the limited observability of internal signal states [19] . Scan-chains, which are used for electrical testing, can not be directly employed, since post-silicon validation must be operated at-speed [20] . Some recent design-for-debug techniques like embedded trace buffers improve the circuit observability by storing internal signal states. The untraced signal states are restored. Mentor Tessent is a commercial post-silicon validation tool. The attacks we propose in this article using malicious post-silicon validation tool are completely novel.
Manufacturing Testing.
Once the chip is fabricated, manufacturing testing is performed to detect electrical and manufacturing defects introduced during chip fabrication. Manufacturing testing can be either static or dynamic. Static testing is used to identify faults that modify values at particular nodes in the design. These include stuck-at faults. However, dynamic testing is used to detect delay faults along paths induced during manufacturing. Automatic Test Pattern Generation (ATPG) tools are used in both cases. The ATPG tool accepts the netlist as input and identifies the possible fault locations and generates patterns to activate those faults (if they exist) and propagate their effects to an observable output. Tetramax by Synopsys and Encounter Test by Cadence are popular commercial ATPG tools. We, for the first time, explain how malicious ATPG tools can impair a design flow.
PRIOR WORK
Hardware Trojans are a risk to ICs [28] . A Trojan is excited by a rare condition. The condition that switches on a Trojan is known as the trigger. Since the trigger conditions are rare events, they are not exposed during manufacturing test and generally manifest after continued in-field operation [29] . Trojans can be either digital or analog, depending on the Trigger condition. While digital Trojans are activated by Boolean conditions like an input pattern, analog Trojans can be activated by physical parameters such as temperature and delay [30] . A digital Trojan ç can be further classified as combinational or sequential [23] . A combinational Trojan is activated when specific input values arrive at a particular gate. For example, if an AND gate in the design has very low probability of being turned on, then a 1 at the output of the AND gate can serve as a trigger for a combinational Trojan. However, sequential Trojans are activated only when the inputs follow some sequence over a predetermined number of clock cycles. A simple counter can serve as a sequential Trojan. The effect of a Trojan, the payload, can be many: functional failure (either through errors or denial-of-service) and spilling confidential information through power and timing side-channels [26] . A classification of hardware Trojans based on trigger and payload is presented in Reference [31] .
An SoC is secured against a Trojan by either of these two approaches: (i) using proper Designfor-Security (DfS) mechanisms that can either make Trojan insertion challenging or cause the inserted Trojan to be easily exposed to manufacturing testing or post-silicon validation tests, and (ii) using special test patterns that are crafted to unmask a Trojan. Popular DfS techniques include insertion of dummy cells in the underutilized design space and key obfuscation-based circuit design. However, DfS methodologies incur a substantial area overhead [23] . While test patterns are effective in detecting combinational Trojans, they are not suitable when the Trojans manifest after a long time duration in the field, like sequential Trojans. Apart from specially crafted test patterns, a Trojan inserted in a circuit can be detected by side-channels [32] or using special sensors [33] .
Identifying unused or nearly unused logic for detecting stealthy hardware backdoors has been recommended by various researchers. The two most prominent techniques are UCI [22] and FANCI [34] . However, these methods are not impeccable. Struton et al. [35] have demonstrated that UCI can be defeated in building stealthy hardware. FANCI, however, flags 1% to 8% of all the nodes in a circuit as suspicious, which might not be feasible to analyze for large industrial circuits [36] . Also, FANCI has been observed to report suspicious nodes even when the circuit is Trojan-free [36] . Moreover, both UCI and FANCI operate on an HDL or netlist representation of a design. As explained in Section 4.4.2, HDL or netlist vulnerabilities, if introduced by the Logic Synthesis CAD tool, can be easily detected in post-synthesis verification phase. These techniques are not applicable to the attacks using verification, PNR, STA, testing, and post-silicon validation tools.
Existing Trojan insertion methodologies operate either at the front-end (HDL level) or back-end (layout level). Table 3 illustrates some of the prevailing Trojan insertion approaches suggested in Table 3 . State-of-the-art Hardware Trojan Techniques
Ref.
Hardware Trojan Approach Phase Function [21] Attack H/W Description Lang. leak information [22] Defense H/W Description Lang. modify function [23] Defense H/W Description Lang. modify function [24] Defense Register Transfer Level modify function [25] Defense H/W Description Lang. modify function [2] Attack Layout modify function [26] Attack Layout leak information [27] Attack Register Transfer Level leak information the existing literature. The second column specifies whether the research suggests an attack or a defense mechanism. If the article suggests a defense mechanism, then we have reported the attack model the authors consider to defend against. The last two rows describe a special scenario called multi-level attacks, where two or more participants in the design processes collude to introduce Trojans. CAD tools present another threat to introduce vulnerabilities into a design [27, 37] . CAD tools are essential to any design flow to bring up a design from a concept to silicon. Application of malicious logic synthesis tools to introduce Trojans have been reported in References [17, 18, 38] . All of these approaches consider a design whose Finite-State-Machine (FSM) is not completely specified. The malicious tools introduce undefined transitions in the FSMs that act as Trojans. These extra transitions are triggered by rare conditions. Once triggered, they may lead a circuit to a completely different state, whose functionality is radically different. However, these threat models have limitations and will be explained in Section 4.4.2. Although these attacks can survive standalone, they will be easily detected in a complete tool flow during post-synthesis verification. A completely specified design approach to counter the malicious synthesis tools has been presented in Reference [39] ; however, as indicated by Reference [38] , complete specification of an FSM incurs a considerable area overhead. Application of CAD tools for hardware metering to prevent a malicious foundry from overproduction has been examined by Koushanfar et al. [40] .
CAD-INDUCED SECURITY VULNERABILITIES
In this section, we will show how malicious CAD can be used during design to launch attacks. Front-end and back-end tools can be evaluated with the same benchmarks, since they are all based on RTL designs specified in HDL. However, evaluating HLS requires a C/C++ benchmark.
Threat Model
Malicious CAD tools can be weaponized in two ways-commercial and the nation-state. Leading CAD companies are developing their own IP portfolios in competition with fabless design companies. If a design house creates an IP competing with the one being developed by the CAD company, then both parties have an incentive to sabotage the competition's IP. A malicious CAD could be used to sabotage the competition's IP. Since total function failure is detected and undermines the trust across all design companies, surreptitious performance degradation caused by inappropriate optimizations, crosstalk faults, and IR-drop can stealthily hurt the fabless design house's IP and reputation.
Malicious CAD can be part of nation-state attack arsenal. CAD tools developed in one country can be used to build SoCs in another. The former can force the CAD companies to ship malicious CAD tools using national interest arguments. These malicious CAD tools can insert backdoors without the knowledge of the design houses in the second country noticing it. Once a backdoor is inserted, those SoCs are almost owned and controlled by the first country [31] .
A CAD tool is generally agnostic of the design it is processing. However, it can operate in either of two ways:
• When a rogue employee is present in the design house: In general, R&D engineers of EDA CAD tools develop a lot of backdoors for debug purposes that are unknown to the design house. These backdoors are present in the executable sent to the design house, but can be activated only by a trigger known to the EDA company. The malicious CAD company can create such a backdoor that will introduce these vulnerabilities when turned on. If a rogue employee is present in the design house to whom this information is transmitted, then he does not need to modify his scripts. He can just activate this backdoor to implement the attacks.
• When no rogue employee is present in the design house: In this case, the EDA CAD tool can automatically turn on the backdoor trigger by parsing the design it processes. For example, a malicious HLS tool may be set with a capability to parse the input C code and identify specific patterns to compromise, like rounds of an AES program. If yes, then the HLS tool can automatically turn on the trigger that introduces vulnerabilities.
Malicious High-Level Synthesis
High-Level Synthesis (HLS) generates an RTL description starting from a high-level language (e.g., C, C++, Matlab). An important step during HLS is scheduling, which determines which operations are executed in each clock cycle. This has a twofold effect: it determines the latency of the design and imposes constraints on the resource binding step, where hardware resources are allocated to processes. Operations executing in the same clock cycle require distinct hardware resources. They can be reused by operations executing in other clock cycles. Not all hardware resources are used in every clock cycle. This gives an opportunity for a malicious HLS tool to introduce a stealthy hardware Trojan by reusing these resources to implement a backdoor. Checking the equivalence between RTL designs and high-level specifications is an open problem [41] . It is hard to detect hardware Trojans that are activated only with rare input conditions using simulations.
Attack.
We present two possible attacks. Consider the fragment of C code shown in Figure 2 representing the body of a digital filter. The corresponding scheduled Data Flow Graph (DFG), in Figure 3 (a), uses two adders and two multipliers to execute operations in parallel in states S3 and S4. In the other states, only one resource is used.
A malicious HLS tool can implement a hidden function to corrupt the register storing the output value y1, as shown in Figure 3 without introducing any additional FSM states besides the ones already defined by the scheduled DFG. Therefore, the resulting implementation has no performance overhead, since the critical path is given by the original function being executed, while a few more registers (in red) may be needed to store intermediate values of the hidden backdoor function. When all resources are used in every clock cycle, the backdoor introduces new resources, maintaining the same delay. The FSM requires minimal changes (≈10% overhead in this small example) to produce the additional signals for multiplexers and registers. The overhead further reduces when the size of the design is large relative to the size of the backdoor. These attacks are hard to detect, because they reuse existing design resources. Therefore, methods like FANCI are not able to detect unaffecting or alwaysaffecting dependencies [42] . In fact, corrupting values can effectively affect the outputs when the Trojan is triggered through the output registers. Automatic analysis methods are not able to devise which is the logic path that generates the correct results.
The second attack entails manipulating the Finite State Machines (FSM). The malicious HLS tool modifies the interactions between the hardware resources and the FSM to change the control flow in specific cases. For example, reduced-round attacks are used to compromise the security of symmetric cryptographic algorithms [43, 44] . Consider a hardware module implementing the Advanced Encryption Standard (AES) algorithm that uses a 192 bit-key. The number of rounds for the AES is controlled by a counter, while the round microarchitecture is implemented only once and reused as many times as needed. To secure AES-192, one needs to execute a minimum of 12 rounds. However, the key can be recovered if the number of rounds used is 8 or less [43] . The HLS tool can insert a backdoor to exit from the loop earlier to execute less rounds when the Trojan is activated. There are many different ways to implement this malicious attack, including modifications to the comparator. However, all approaches are conceptually equivalent to that shown in Figure 4 , where the component executes less rounds in the compromised version.
Experiments.
We use Bambu [45] HLS tool to insert Trojans in benchmarks from the CHStone [46] and MachSuite [47] . These benchmarks are specified in C and represent third-party IPs that a designer may want to include in his/her design. We use these benchmarks to evaluate the backdoor attack, while the AES cryptographic benchmark is used to evaluate the FSM manipulation. Since a high-level description of the ARM Cortex processor in C, MATLAB, or any software language was not available, we could not use it for our HLS experiments.
A set of 20 random inputs is applied for each design to generate the golden output values in software. Bambu is used to generate the corresponding Verilog descriptions and testbenches. These are then validated by comparing the simulation outputs with the golden ones. Next, the designs are Trojaned using the malicious Bambu to add backdoor functionality that is activated with a predefined input sequence. When activated, the Trojan provides meaningful but wrong results as output, endangering the system where the components are used.
The resource overhead has two parts: the trigger circuitry to determine the Trojan activation and the payload to provide the malicious function. While the first is fixed and it is determined by the input sequence to detect, the second must be designed in a way that it is small but provides enough entropy in the results to avoid its detection using correlation analysis. Since we start from C functions with a single return point, we aimed at corrupting the register storing the return value of the top module by doing extra computation on the input values. However, no performance or result changes are observed when the Trojan is inactive. Figure 5 shows the area overhead. We obtained a maximum of 13% area overhead (without considering on-chip memories), while the average overhead is less than 5%.
AES-192 is used to evaluate FSM manipulation. The operation incrementing the round loop counter is exploited. When the trigger is turned on by a pre-defined sequence of inputs, the counter is incremented by two; so, half the rounds are performed. This attack is achieved by adjusting the control signals of the FSM and forcing the counter to a different functional unit when the Trojan is activated. The area overhead is less than 2% for the trigger circuitry and the added functional unit.
Possible
Defense. C-to-RTL formal verification is a potential defense method against HLSlevel attacks, but sequential equivalence checking is not well established [41] . Other methods like discrepancy analysis [48, 49] is based on the comparison of hardware and software traces but require exhaustive simulations and it is part of the HLS flow, so untrustable in this context. Hardware monitors can also be used to detect anomalies during the execution of the hardware IP cores [48, 50] . However, a compromised HLS tool might generate compromised monitors. Hence, the generation process of the on-chip monitors must be separated from the HLS of the components.
Malicious Verification Tools
SoC designers use formal verification tools such as bounded model checkers (BMC) to verify not only the functional properties and specifications of a design but also its security properties. The security properties may target presence of design bugs or Trojans. Different types of security bugs are encountered in an SoC [51] . The security properties that are proved may include preventing host software from modifying the internal elements of security controller IP, disabling the firmware from reading the encryption/decryption key from the hardware, and accessing privileged memory or I/O directly, while running in the user mode. Security properties can verify presence of Trojans that either modify the function or leak sensitive information [52, 53] .
Attack.
We consider BMC as the example verification framework. An RTL description of the design and select design properties are inputs to the BMC tool. The design is unrolled for n cycles, either specified by the user or limited by the BMC, to check properties that are activated within n clock cycles. The tool should verify each property and produce counterexamples for failed properties. A malicious BMC can reduce the number of cycles for which the design is unrolled. It can skip certain properties. In both scenarios, the BMC can fail to detect Trojans or bugs in the design. Figure 6 shows the Verilog description of a circuit that triggers a Trojan in AES design provided by Trust-hub. The Trojan targets leaking the least significant 8 bits of the secret key through the load output. The Trojan is activated when a sequence of four input patterns is applied. Consider in this example, if the Trojan is triggered, load leaks the secret key. The BMC should verify the security properties (load i != key j , load i != key j ) to detect the security leakage, which requires unrolling the design for at least 4 cycles to verify these properties. However, a malicious BMC tool can alter this number to any value that is less than 4.
Experimental Results.
We use SymbiYosys BMC [54] , an open-source formal verification tool, to check properties of benchmarks from trust-hub and SymbiYosys website [54, 55] as well as the ARM Cortex M0 processor. We select Trojans that either leak the secret key or change the function. Furthermore, we select designs that include bugs that violate the design specifications. We embed security and safety properties in these benchmarks to detect malicious activities. We unroll each design for 5 clock cycles, which is large enough to detect any malicious activity in the given benchmarks, and run the BMC.
The results in Table 4 show that unrolling the design for 5 clock cycles can detect Trojans/bugs of the given benchmarks except the RISC processor. The verification team should unroll the design for >100 cycles to activate the Trojans embedded in it.
Possible Defense.
A potential defense mechanism can be conducted by the design/ verification teams by intentionally modifying or adding a sub-circuit into the design to violate its specifications after a number of clock cycles, equivalent to the number of clock cycles for which the design is unrolled. If the verification tool reduces the user-defined number of clock cycles for verification, then the design with intentionally introduced bugs will be proven functional. The malicious verification tool can be discarded by the design house. 
Malicious Logic Synthesis
Logic Synthesis converts an RTL description to gate-level netlist. An important step in this conversion is extraction of Finite State Machines (FSMs) and generation of gate-level models from the FSM [56] . Often, there are undefined transitions and states in an FSM, as explained in Section 4.4.1. A malicious synthesis tool can use them to control the FSM and insert undesired transitions in the circuits. These additional transitions provide a backdoor into the circuit and thereby introduce vulnerabilties. An approach to mitigate such problems has been proposed by Dunbar et al. [38] . However, the hardware overhead of such countermeasures is around 90%, which is unrealistic for any practical design.
Attack.
A malicious logic synthesis tool can use different approaches to create backdoors in the circuit. Let us consider the FSM shown in Figure 7 (a). All transitions are not defined in this FSM. For example, the next state of the system when the current state is B and the input is 0 has not been defined. A malicious synthesis tool can take advantage of undefined transitions and create an FSM with an extra transition, as shown in Figure 7 (b). We call this type of attack a Transition Attack. There is a 14% area overhead to add the undesired transition. A malicious synthesis tool can incorporate transitions to create vulnerabilities in the design without changing the original functionality. In the FSM described in Figure 7 (a), if one wants to travel from state B to state A, then she has to travel via state C. In the modified FSM in Figure 7 (b), the malicious CAD tool has created a backdoor for direct transition from state B to A. The attack model in Reference [17] is a variation of the transition attack.
The second attack that we present entails adding an Extra State. This was also proposed in Reference [18] . The malicious synthesis tool finds whether extra states can be added. Consider the FSM in Figure 7 (a). Although 2 flip-flops can completely represent 4 states, this FSM is composed of only 3 states. An adversary can add an additional state to this FSM. Along with the extra state and using the undefined transitions like transition attack, a malicious tool creates vulnerabilities as described in Figure 7(c) . Although the number of flip-flops remains the same, the new state D incurs 14% area overhead. The additional state adds a backdoor to the design. [18, 38] can be detected by Post-Synthesis Verification tools like Logical Equivalence Checker (LEC) in commercial flows. Consider the extra transition B to A, when the input is 0 in Figure 7 (b). Since this transition is not in the original FSM in Figure 7 (a), the LEC tool deals with this as a don't care. When the system is at state B and the input is 0, there are three possible outcomes in the original FSM, transit to A or C or remain in B. However, in case of Figure 7 (b), the LEC tool observes that there is no valid transition from B to C, when input is 0, which was present in Figure 7(a) . This counterexample detects the extra, unauthorized transition.
Limitations. The extra transitions or states proposed in References
Although Reference [17] mentioned that the Trojan escaped LEC check, their example had the default value in a case statement using don't cares. RTLs containing don't care assignments are not a standard commercial coding style for synthesizable RTL, since such RTL can not be simulated [57] . These RTLs create X propagation during simulation, which results in an RTL versus gate simulation mismatch. These types of designs can escape LEC checks only when "SET X Conversion" is set to don't care. Commercial lint tools can identify the "X"s [17] and detect the attacks.
Possible Defense.
As mentioned in Section 4.4.2, a post-synthesis verification tool like LEC checker can easily detect these attacks. The only way the logic synthesis attack can be avoided is by a collusion between the synthesis tool and the validation tool. Even in that case, the attack might be detected if the newly introduced transitions are rare. Existing malicious hardware detection techniques such as UCI [22] and FANCI [34] observe unused and nearly unused elements in a circuit and identify them as potential malicious parts. A rare transition introduced by the Logic Synthesis tool using the transition attack can be detected using these techniques.
Malicious Placement and Routing
PNR tools arrange the components of the design on a die and route the wires between them. Once the design passes through all stages of PNR, Sign-off is performed to establish the design is ready for tapeout. Sign-off checks include: We show how a malicious PNR tool can introduce vulnerabilities by focusing on crosstalk fault attacks and IR-drop attacks.
Crosstalk Fault Attacks.
Crosstalk faults are induced when parasitic coupling capacitance between two wires exceeds a threshold [58] . When a signal transition takes place on a wire, it influences the signal value on an adjoining wire. The first wire is the aggressor, while the second wire is the victim. A signal transition on the aggressor creates an unnecessary voltage fluctuation on the victim. Details on crosstalk faults are illustrated in Appendix B. We describe a two-step crosstalk fault attack. In the first step, the attack is initiated by increasing the coupling capacitances between wires in a chip. In the second step, a false netlist is generated to evade detection by the sign-off appliances. Both these netlists are stored in the design database. The malicious PNR tool can introduce crosstalk by placing rapidly switching aggressor nets near victim nets, introducing timing failures in the victim nets. For example, the malicious tool can include artificial blockages in the design (as shown in Figure 8 ) to achieve this goal. In Figure 8 , there are four units-A, B, C, and D-that need to be connected. When there is no blockage, the wires are routed as shown in Figure 8(a) . However, in Figure 8 (b), a blockage is included in the design, causing the wire from C to D to reroute. The two wires share two blocks, reducing the gap between them and increasing the coupling capacitance. Hence, they are prone to crosstalk faults.
Crosstalk faults can be spotted by signal integrity check during sign-off. To fend off detection, an attacker can follow these steps: The PNR tool generates two netlists (Figure 9 ), one for signoff check and the other for logic versus schematic (LVS) check. However the two netlists are not equivalence checked; both are assumed functionally identical, since they are picked up from a common design database. The malicious PNR tool can generate malicious netlist for the sign-off checks while retaining the original netlist with the crosstalk faults in the design database. Since the sign-off tool analyzes Netlist 1 , it does not find the crosstalk faults and signs-off the altered SoC for tapeout. The foundry does design rule checks and is unable to detect the attack.
IR-Drop Attack.
Power structures are generated by a PNR tool and the strength of the structure is analyzed in terms of IR-drop and effective resistance using a sign-off rail analysis tool. Sign-off rail analysis tools (Figure 9 ) extract the RC information of the power structure and take in the power grid view of all standard cells and macros used in the design. An increase in resistance The number of crosstalk-suspected pairs increases with artificial blockage introduced by the malicious PnR tool. These faults will not be reported, and the design will be sent for sign-off with these faults, thus affecting the overall yield.
causes an IR-drop. Excessive IR-drop reduces switching speed and noise margins in circuits, which might lead to functional failures [59] .
A malicious PNR tool may introduce a high resistivity path or even disconnect power for selected gates of the design. This causes IR-drops in those gates, as a result of which, they receive lower voltages. The gates with the incorrect power structure will be present in Netlist 2 and the GDSII files, which are signed-off for tapeout. However, the BAD PNR tool dumps proper power connectivity without any additional IR drop to the cells in Netlist 1 , which will not report any additional IR-drop. The rail analysis cannot capture the IR-drop/effective resistance/power disconnect violation.
Experimental Results.
To illustrate our crosstalk-attack, we used circuits from the Opencore benchmark suite and ARM Cortex M0 processor. We used Synopsys Design Compiler for Synthesis, Cadence Encounter for PNR, and the gscl45nm library [60] . For each benchmark, two crosstalk-suspected lists are generated, one without blockage and the other with blockage. Each element of the list is a pair of wires whose coupling capacitance exceeds the crosstalk threshold. Since we do not have access to the Encounter source, we created a script to accomplish this.
Comparison of the two crosstalk-suspect lists is presented in Figure 10 . Cuviello et al. [61] has demonstrated that 0.2pF is the threshold for crosstalk glitch. We have used the same value in our experiments. All results indicate increase in number of crosstalk-suspected wires with the blockage.
To demonstrate the IR-drop attack, we used the ARM Cortex-M0 processor design. We used Synopsys PrimeRail as the IR-drop measurement tool. The baseline IR-drop image is shown in Figure 11 (a). The processor layout is color-coded. The color legend is shown at the bottom. Most of the design is blue and green. The PrimeRail image after removing 38 pairs of power vias is shown in Figure 11 (b). Yellow and red regions indicate high IR-drop-and is pointed to by an arrow.
Possible Defense.
In this section, we have proposed two attacks: crosstalk attack and IRdrop attack. Both faults (crosstalk and IR-drop) are generally detected using sign-off tools, used in the next level of the design flow. The sign-off detection can be avoided by generating different netlists, as explained in Section 4.5.1. A possible detection mechanism will involve generating the Netlist 2 from the GDSII file and then performing an equivalence checking with Netlist 1 . Any discrepancy would identify the PNR tool as malicious. However, currently, there exist no GDSIIto-netlist conversion software. It is highly unlikely that two different vendors will insert faults of the same type. Therefore, if the results from two different vendors match, then we can be confident that there are no design vulnerabilities. However, if they do not match, then we can not be sure which tool to trust. Since, currently, no verification is performed on the two netlists, there is no way to know which one is correct. Therefore, we suggest to modify the design flow to allow an equivalence check between the two netlists.
PNR-based Synthesis Attacks
In this section, we describe an approach to apply the Logic Synthesis-style attacks using PNR tools. As seen in Figure 9 , the PNR tool generates two netlists-Netlist 1 is used for timing and formal verification and Netlist 2 is used for tapeout. The equivalence of these two netlists is never checked. The designer assumes that these two netlists are functionally equivalent. A malicious PNR tool can introduce Trojans in Netlist 2 while Netlist 1 remains intact.
At first glance, the PNR tool does not have access to the FSM from the netlist and the synthesis tool to modify the FSM. This can be remedied by altering the PNR tool such that it extracts an FSM from the netlist. The post-synthesis logic equivalence checkers (LEC) do that. The portion of the code that extracts the FSM can be embedded into the PNR tool or the PNR can call those functions. The designer will be unaware of this if the PNR tool does not log these steps. Once the FSM is extracted, the malicious PNR tool can launch the Transition or Extra State attack described in Section 4.4.1. The FSM modifications code can be embedded in the PNR tool or it can call the malicious logic synthesis tool for this purpose. The final Netlist 2 , contains the Trojan, along with the GDSII file, that is sent to tapeout. The process is shown in Figure 12 . The red path shows the generation of the Trojan-inserted netlist, while the black path represents the benign netlist generation.
Possible Defense.
Although modifications in logic synthesis can be detected using LEC checks or tools such as UCI [22] and FANCI [34] , the modifications in this attack are manifested as a GDSII file and not HDL/RTL. Hence, the existing tools will fail to detect the extra transitions or states. A possible defense can be similar to the one described in Section 4.5.4, by equivalence checking both the netlists. However, this will require a GDSII-to-netlist conversion software, which, to date, does not exist.
Malicious Static Timing Analysis
Delay faults are produced when a defect in any gate increases its delay so that the overall inputoutput path delay exceeds the system clock cycle. The value along this path arrives at a storage element later than scheduled. Hence, an incorrect value is stored into it, which causes a wrong output. At the nanometer scale, not all delay faults are detected using the prevailing methods. Small-delay defects (SDDs) model these faults [62] . SDDs are faults created by extremely small delays compared to the clock cycle [63] .
To establish how a malicious CAD tool can not examine all the SDDs, we first present how Automatic Test Pattern Generation (ATPG) tools detect SDDs. Let us look at the timing diagram of a sample circuit with 3 paths in Figure 13 :
ATPG tools focus on paths with maximum slack, such as Path 3. However, SDD detection algorithms target paths with minimum slack. In Figure 13 , this corresponds to Path 1. Synopsys Tetramax tune the max_tmдn parameter for this purpose. Faults on paths with slack less than max_tmдn are set as SDDs, while those with slacks more than max_tmдn are set as normal delay faults. max_tmдn is expressed as a fraction of the total clock cycle. For example, if the system clock cycle is 1ns and the value of max_tmдn is 0.1, paths whose slack is less than 0.1ns are tested for SDDs and the rest are tested for normal path delay violations. A Static Timing Analysis (STA) tool reports the slack along each path.
Attack.
A malicious STA tool can give false timing information to the ATPG tool, which, in turn, generates an incorrect set of timing violation detection patterns. Hence, critical large and small delay faults may go undetected, thus affecting the yield. To report inaccurate information, the malicious STA tool develops a false library and uses it. For example, consider a designer using the lsi_10k library. The STA tool develops a fake library internally, lsi_10k_f ake, with some physical parameters different from the lsi_10k. Examples include a change in the rise time or fall time for one or more gates. Whenever the designer does timing violation tests, the STA tool uses the lsi_10k_f ake library and reports timing information based on the altered parameters, leaving several faults undetected. As we will see shortly, this leads to reduction in yield.
Experimental Results.
We use Synopsys Primetime STA tool [64] . Since we cannot modify Primetime code, we force it to use an altered library. We modify physical parameters to generate an altered library. We changed the timing information of the 4-input AND-OR cell (AO4) and 2-input AND-OR cell (AO2) gates in the fake library. We use designs from Opencores and the ARM Cortex M0 [65] . Details about modification in the AO2 and AO4 gates are presented in Table 5 . We synthesized the designs using the original and fake libraries, perform STA, and generate test patterns for SDD. Statistical delay quality level (SDQL) measures the number of SDDs that remain undetected by an SDD test [66] . Details on SDQL are explained in Appendix C. A higher SDQL indicates higher delay faults. Modifications in Table 5 affect the SDQL. The SDQL information is obtained from Primetime STA. According to Reference [67] , the test escape rates of chips, expressed as Defective Parts Per Million (DPPM) is calculated as: DPPM = S DQL N , where N is the number of delay faults. DPPM is a reliable measure of the probability that a chip is declared defective. Higher SDQL indicates higher DPPM-that is, higher probability of failure. Thus, a modification in the library results in change of SDQL value, which, in turn, changes the DPPM. Figure 14 highlights the shift in DPPM results when the original library is used instead of the fake library. The value of max_tmдn is held constant at 0.25. Figure 14 demonstrates that a malicious STA tool can worsen the yield.
Possible Defense.
Since the results of STA are not checked downstream, this attack is resistant against any further validations. However, care should be taken to affect all process corners approximately equally. If only one corner is affected, then it can be easily fixed by the design house.
Malicious Post-Silicon Validation
Trace buffers are used during post-silicon validation to store some of the internal signal states of a circuit. Since the trace buffer size is limited, only a few signal states can be stored. Therefore, the signals to be stored in the trace buffer have to be chosen carefully. Trace signals are chosen according to their restoration ability. Signal restoration refers to reconstructing an untraced signal state. Signal restoration is explained in Appendix D. Restoration ratio is a parameter to measure the restoration performance of a set of trace signals. It is the ratio of the total number of states restored and the total number of states traced. A higher restoration ratio indicates a stronger restoration performance. Different signal selection approaches such as total restorability-based [19] , simulation-based [68] , and ILP-based [9] have been proposed to maximize the restoration ratio. We used SigSET [9] to demonstrate how a malicious signal selection might impair performance. 
Experimental Results.
We used Opencores benchmarks and the ARM Cortex M0 processor in the experiments. A 32-bit trace buffer is chosen. The modified set of signals is generated by replacing two signals in each list. Care is taken so that signals, which help restore a lot of untraced states, are not touched. Change in restoration ratio due to modified trace signals is presented in Figure 15 . The signals generated by the malicious CAD tool always have less restoration capability compared to the original set. This will affect post-silicon validation. The maximum reduction in restoration ratio is 3.8%. The minimal reduction in restoration ratio does not raise an alarm.
Possible Defense.
The results of post-silicon validation are never verified at a later stage. Moreover, there is no "later stage,' since post-silicon validation is performed after the chip is fabricated. Therefore, these attacks are robust against any downstream checks.
Malicious Manufacturing Testing Tools
Automatic Test Pattern Generation (ATPG) algorithms have two objectives-activate an electrical fault and propagate it to an observable output, which might be a primary output for the circuit or a flip-flop in a scan chain. The ultimate goal of the ATPG algorithm is to reduce test pattern count, thus reducing test time and memory. A malicious ATPG algorithm can undermine either of the two primary objectives by dropping or modifying patterns.
Let us review how a conventional ATPG algorithm operates using the open-source ATALANTA ATPG tool [69] . The inputs to the tool are the design and the Fault list F , which gives a list of potential faults. ATALANTA chooses a single fault f from the Fault list F and generates patterns for it. The don't care bits are filled with 0. This pattern is applied on the design to identify additional faults it can detect. All these faults are added to another set F . The members of F are excluded from F . The pattern is stored in a pattern set P. This process continues until no fault remains in the fault-list F . 3 We will present two attacks targeting general ATPG and test generation for Trojans, respectively.
Malicious Fault Dropping.
In the first attack, some faults are deliberately left undetected by the ATPG tool. The number of faults dropped is kept small, since an unexpected rapid drop in fault coverage will lead to suspicions. If this knowledge is passed on to a malicious foundry, then it can exploit them to introduce defects or Trojans in the design. This is a multi-level attack as proposed by Reference [27] and is unlikely to succeed. Of course, dropping faults will reduce the yield even if the foundry is not in collusion. Malicious fault-dropping by an ATPG is explained in Algorithm 1 in Appendix E.
Malicious Trojan Site Dropping.
Instead of dropping all faults, the fault list can be pruned to drop faults from potential Trojan locations. This will provide the foundry places to introduce Trojans. To identify the Trojan sites, one can adopt MERO [70] . Gates that have the least probability of activation are identified as potential Trojan locations by MERO.
Experimental Results.
To demonstrate fault dropping attack, we used the open-source ATALANTA tool and ISCAS'85 benchmarks. ATALANTA can only run on such combinational benchmarks. 4 However, any commercial ATPG tool operating on a combinational or sequential circuit can utilize the same technique to drop faults by modifying their internal code. Figure 16(a) illustrates the difference in coverage when original ATALANTA is applied and when malicious ATALANTA drops faults. We assumed k = 1 and n = 5. For all benchmarks, the coverage reduces when faults are dropped, the maximum reduction being 1.17%.
The results for malicious Trojan site dropping are presented in Figure 16 (b). The coverage decreases when faults are dropped. However, the drop in coverage is less than Figure 16(a) . This is because the search space is pruned when Trojan locations are dropped, compared to when any 
Possible
Defense. Similar to post-silicon validation, the manufacturing testing results are never verified. Hence, this attack is also robust against downstream checks. Table 6 summarizes key takeaways of this study that reviewed an extensive set of attacks using CAD tools. All attacks are scalable. An attack is practical if it is easy to launch without collusion. An attack is stealthy if it is difficult to detect. HLS, verification, and PNR tools can introduce attacks that have high impact, as they can go undetected even within a commercial CAD flow. STA, test, and post-silicon validation tools can introduce vulnerabilities but require collusion with a malicious foundry. This minimizes impact. Logic synthesis attacks can be similarly detected by checks and balances in the design flow. One way to deal with malicious CAD tools is to use CAD tools from multiple vendors; design tools from one vendor and verification/validation tools from another.
TO CONCLUDE, CAD COULD BE BAD
APPENDIXES A FORMAL VERIFICATION TECHNIQUES
Equivalence Checking is the most popular method employed for formally verifying a circuit [71] . Equivalence of two different circuits is verified using Binary Decision Diagrams (BDDs). Equivalence Checking is fast compared to simulation-based verification. Formality, the equivalence checking tool from Synopsys, can verify a million gate designs in under an hour [72] .
Model Checking is another formal verification procedure in which design models are verified against specifications [73] . Typical design models are automata-based and specifications are either temporal properties or environmental conditions. A model checker either returns a counterexample if the design is flawed or proves the design matches the specification. VIS and SMV are two commercial Model Checkers.
Theorem Proving is the most powerful formal verification procedure [74] . Both the design and specification are expressed as logical formula, and they are checked against each other by proving a theorem. However, this procedure requires human intervention. A high level of human competence is necessary for theorem proving and, hence, it is still limited to academic usage.
B EFFECTS OF CROSSTALK FAULTS
The effects of crosstalk are twofold: glitch and delay. A glitch occurs when only the aggressor wire has a transition, while the victim wire retains a stable value. Figure 17 demonstrates how a glitch is formed on a victim due to signal transition on an aggressor.
Crosstalk delays are caused when both aggressor and victim wires have transitions. The transition on the aggressor wire creates a delay on the transition on the victim wire. If both the transitions are in the same direction, then the delay is negative; that is, the transition on the victim wire occurs faster than expected. However, if both the transitions are in different directions, then the delay is positive; that is, the transition in the victim occurs later. Figure 18 illustrates an example of positive crosstalk delay on the victim wire. 
C STATISTICAL DELAY QUALITY LEVEL
Statistical delay quality level (SDQL) measures the number of SDDs that remain undetected by an SDD test. Consider a circuit with two paths A and B, as shown in Figure 19 . Let A be the longest path in the circuit, i.e., one with the minimal slack; while B is the longest path in the circuit that is sensitized. Slack of B is assumed to be more than A. Let T mc be the system clock and T c be the testing clock. T mar дin is defined as the difference in time between T mc and Path A, while T de is defined as the difference in time between T c and Path B.
As explained by Reference [66] , faults whose delays are less than T mar дin are rejected, while faults with delays greater than T de are detected. Faults with delays in between these two-that is, faults whose delays are greater than T mдn and less than T de -remain undetected. SDQL measures the total number of those faults. If s represents the delay of a fault, then SDQL measures faults such that T mдn ≤ s ≤ T de .
If N is the number of nodes in a design, and 2N is the number of assumed faults (each node can have a rise and a fall delay fault), the SDQL of a chip is expressed by:
A lower SDQL indicates less faults. 
D SIGNAL RESTORATION
Trace signals are chosen according to their restoration ability. Signal restoration refers to reconstructing an untraced signal state. Consider the two input AND gate in Figure 20 . Let a and b be the inputs, and c be the output. Let us examine a case when either of the two inputs is traced. For example, if a is traced and state of a is 0, then the state of output signal c is inferred as 0 as well, since 0 is the dominating input for an AND gate. Thus, tracing a can restore c. This is known as forward restoration, where tracing the inputs helps to restore the output. Now, consider the case when output c is traced. If the value of c is 1, then both a and b are a 1, since 1 is the non-dominating input of an AND gate. This is backward restoration, where tracing the output can restore the inputs. Although we illustrated the example for a two-input AND gate, similar restoration concepts apply to other Boolean gates like OR, NOT, and so on with varying number of inputs. E FAULT DROPPING ALGORITHM Algorithm 1 describes the fault-dropping algorithm for malicious ATPG tool. In Algorithm 1, k indicates the maximum number of bits that are modified for each dropping pattern, and n indicates the maximum number of faults dropped. Typically, n should be less than 5 to ensure minimal reduction in coverage. Patterns that detect only a single fault are identified and up to k bits of those patterns are altered. Thus, each pattern modification will affect only a single fault. n such patterns are altered. Both n and k are regulated by the malicious ATPG tool. After generating a pattern for a fault f , we figure out if a pattern detects only one fault, i.e, if F has only one member. This pattern is now a potential candidate for modification. If we choose to avoid detection of n faults, then we continue this step for n patterns. Find the set of faults F detected by p; F = F − F ; if F = 1 AND count_patterns_modi f ied < n AND f ∈ S then Switch k number of 1's of p to 0; count_patterns_modi f ied = count_patterns_modi f ied + 1; end P = P + p end return P;
F DESIGN FOR TEST (DFT)
In the DFT stage, scan chains are inserted to a synthesized netlist to make the design suitable for Manufacturing Testing [75] . Each flip-flop is converted to a scan flop using a multiplexer that selects the test mode. During functional mode, the flip-flop will act normally. During scan mode, the flip-flop receives data from the scan chain. Scan chains improve the controllability and observability during manufacturing testing. Commercial DFT tools include Synopsys DFTMAX and Cadence Encounter Test.
A possible attack scenario using malicious DFT tools can be to skip some flip-flops in the scan chains. For example, if there are n flip-flops in the design numbered F 1 , F 2 up to F n , then the malicious DFT tool can skip F k where k < n. This will result in the combinational logic close to F k as well as F k itself remaining untested and, hence, a reduction in test coverage. This attack will remain undetected, as there are no methods for scan chain validation. Since this is not a functional modification of the design, equivalence checking will also not be able to detect it. Unfortunately, we could not demonstrate experimental results for this because there are no opensource DFT tools to the best of our knowledge and this attack can not be launched using modified scripts.
