Catching the Flu: Emerging Threats from a Third Party Power
Management Unit
ABSTRACT
Power management units (PMU) have come into the spotlight with energy efficiency becoming a first order constraint
in modern MPSoC designs. To cater to the exponential rise
in power events due to the high device density, and to meet
the demands of tight power and energy budgets, PMUs are
evolving to more complex and intelligent designs. In an era
defined by energy efficient computing, a malicious circuit
embedded in a third party PMU can adversely affect the
operation of the entire MPSoC.
This work presents and evaluates two covert security vulnerabilities, P-VIRUS and DROWSY, for the MPSoC systems, designed using a malicious third party PMU. Further, we propose a non-invasive IP risk assessment module
to monitor the trustworthiness of the deployed PMU. Our
techniques help flag malicious activities in the PMU with
less than 1% area and power overheads.

1.

INTRODUCTION

The phenomenal growth and integration of transistor devices has reshaped our notion of reliable and trustworthy
hardware. Several emerging trends in hardware integration and user computing practices are exposing new challenges for secure hardware design. First, high performance
Multiprocessor-System-on-Chips (MPSoCs) are emerging as
an alternative to many general purpose and embedded processors [23]. Second, these MPSoCs promote unprecedented
integration of Third Party Intellectual Property (3PIP) components, for reducing cost and design complexity. Third,
MPSoC integrators are reluctant to re-verify the procured
3PIP, due to sky-rocketing verification costs and aggressive
time-to-market schedules [3]. Fourth, the 3PIP vendors are
averse to expose their internal design RTL to the MPSoC
integrator to protect their competitive advantages, which
creates a stiff barrier to many existing hardware trust assurance techniques relying on gate-level introspection [20, 22].
In this ecosystem, an MPSoC integrator cannot ensure full
trustworthiness of every 3PIP.
In this context, security assurance of the 3PIP power management unit (PMU) has profound implications for future
MPSoC designs. PMUs offer a host of services ranging from
dynamic control of power rails, voltage scaling, managing
power states, to system start-up and shutdown. Traditional
simple PMUs for low cost power conversion are now evolving
into feature rich, hardware controlled and intelligent power
management IPs (PMIPs). These PMIPs are expected to
increase energy efficiency and provide flexible power management in high-end MPSoCs [18]. In fact, the global PMU
semiconductor market has seen the fastest growth, among
all analog designs. PMUs accounted for nearly 50% of the
total analog IC revenue in 2012 [9], and are projected to
grow at over 7.87% during 2013-2018 [19]. These emerging
trends can combine together to create a potent economic
threat in the presence of a malicious PMU (M-PMU).
In this evolving PMU market, a key research question is
how can we assure security and trustworthiness of
third party PMUs? The evolution of this industry has

created a dynamic, volatile and competitive landscape, resulting in many new suppliers entering the niche market,
raising the possibility of 3PIP M-PMUs. A trojan embedded in a 3PIP M-PMU can cause sporadic errors, reliability
issues, or even catastrophic failures. These attacks can lead
to data corruption, denial of service, or degrade the system
performance and energy efficiency. For example, a malicious
increase in the supply voltage can cause a surge in the peak
power and chip temperature, leading to thermal throttling or
functional errors due to chip failure. In this work, we explore
two specific attack models and security assurance techniques
in the presence of a M-PMU. Our schemes forego reliance on
popular trojan detection techniques that are likely to be ineffective for 3PIP trojans [20,22], outlining a transformative
approach to promote trustworthy computing.
Our contributions in this paper are as follows:
• We trace the determinant of the cataclysmic security loophole in the PMU, and evaluate two covert attacks from the
PMU: P-VIRUS and DROWSY, that adversely affect the
system’s energy efficiency and performance (Section 3).
• We propose an IP risk assessment module (IPRAM) that
can be implemented by the MPSoC integrator and realizes
our security assurance techniques: a P-VIRUS Monitor
(PM) and a Wakeup Alarm (WA) (Section 4).
• We present a thorough evaluation of false positive/negative
detections in the IPRAM caused due to variability effects
in the PMU. Our results show that PM and WA can effectively detect malicious PMU attacks, while incurring low
overheads (less than 1%) in area and power (Section 6).

2. RELATED WORK
Recent works in hardware security range from protection against malicious circuit modifications in outsourced
foundries to protection of IPs against side-channel attacks
[20]. However, these mechanisms are ineffective to protect
against malicious 3PIPs integrated in an MPSoC. The concept of task duplication proposed by Chen et al. [12] is an
important step in securing 3PIPs, but it is unable to protect
against a M-PMU due to the absence of multiple PMUs. The
concept of security in power management is unfamiliar and
is principally limited to traditional verification techniques.
Existing literature involves power management robustness
analysis [4], power grid verification [15], and thermal monitoring [13], to ensure the chip’s functionality and reliability.
The central focus of this work is exposing the security vulnerability in power management—an uncharted territory.

3. THREAT EVALUATION
In this section, we identify the loopholes in current and
forthcoming power management solutions, and evaluate the
impact of a M-PMU attack on MPSoC architectures. We
outline the life cycle of a M-PMU trojan (Section 3.1), discuss trojan activation mechanisms (Section 3.2), and present
two covert attacks: (a) PMU - Voltage driven Immunity
Reduction and Unhealth Syndrome P-VIRUS (Section 3.3)
and (b) DROWSY (Section 3.4). We then discuss the potency and design footprints of these attacks (Section 3.6).

(b) P-VIRUS implementation.
(a) P-VIRUS environment.
Figure 1: Conceptual block diagram of a P-VIRUS attack. The PMU corrupts the voltage request sending a higher operating
voltage to the processor. Figure 1b illustrates the manipulation of the VID signal to inflict a P-VIRUS attack.
Req. VCC VIDT F
VIDF EV
VCCF
3.1 Life Cycle of a 3PIP M-PMU Trojan
1.65V
74
7C
AC
1.73V
- 2.02V
We outline the sequence of phases to realize a generic
1.8V
87
8B - BB 1.88V - 2.02V
hardware trojan in the 3PIP PMU.
Table 1: VID manipulation example. Req. VCC is the voltage
• Trojan Insertion: A few key engineers on the PMU 3PIP
requested by the core by sending VIDT F (Hex). The LFSR
team can insert the malicious circuit during the design or
generates random values between 001 to 111 and manipulates
test phase [22]. We have seen many cases of disgruntled
the VIDT F to a value in the range of VIDF EV (Hex). VCCF
employees involved in unprofessional practices motivated
is the range of infected voltage supplied to the core.
by vengeance or personal gain. The Volkswagen scandal
voltage request made by a processor for a set frequency,
exposed the presence of corporate sabotage to ward off
leading to improper voltage-frequency (VF) assignments.
competition [2]. Recently, a key player in the processor
sector was accused of using its position to ward off competition [5]. In such scenarios, an unsuspecting IP vendor
will end up supplying a trojan embedded IP to its clients.
• Trojan Activation: The attacker can employ a variety of
subtle activation mechanisms that can either be triggered
by the internal or the external environment [20]. Another
class of trojan triggers involves the coalition of softwarehardware, where an application running on the hardware
can send a sequence of cryptic messages/requests to activate a dormant trojan in the 3PIP PMU [11].
• Trojan Operation: Once activated, the trojan can inflict a
plethora of attacks on the on-chip components, adversely
affecting the overall system behavior. In this work, we
demonstrate two specific attacks that can cause a substantial degradation in energy efficiency and performance.

3.2 M-PMU Activation
The activation phase is particularly important to a trojan
design. Careful choice of a rare event trigger can conceal
the trojan during the pre-deployment testing of the chip.
We envisage a software-hardware coalition based sequential
trigger that takes advantage of the voltage change requests
made by the on-chip components. Analogous to the idea
presented by Waksman and Sethumadhavan (sequence cheat
code) in their work [21], we use a sequence of power event requests such as specific voltage identification (VID) patterns
to trigger the underlying trojan. An unsuspecting software
can be designed, to send a particular sequence of voltage
change requests in the form of VID signals to the PMU.
The embedded trojan in the 3PIP PMU monitors the staggered incoming requests for the complex sequence of power
events. In modern processors, VID signals are typically 6 to
8 bits and a sequence of these requests can potentially have
an enormous state space resulting in astronomic test times.
The complexity of trojan activation during testing due to
the logic depth is investigated in Section 6.1.

3.3.1 P-VIRUS - Attack Environment
Figure 1a, illustrates the environment of a P-VIRUS attack. The processor requests the PMU for a specific voltage
level based on the decision made by a dynamic voltage frequency scaling (DVFS) control algorithm. For example, the
Intel processors use a Serial Voltage IDentification (SVID)
interface to communicate the VID requests to the PMU,
which in turn decodes the VID and supplies the corresponding voltage to the the processor through the power rails.
Specifically, in Intel’s i7-4650 processor line, the 8-bit VID
signal (00h-FFh) can request for a voltage ranging between
0 to 3.04V , though the specified processor operating voltage
range is between 1.64V to 1.85V [10].

3.3.2 P-VIRUS - Attack Variants
We envisage three variants in a P-VIRUS attack, based
on the manipulation of the voltage request and the resulting
behavior. The three variants are discussed next.

3.3 P-VIRUS

• FRACTURE (Vsupply < Vrequest ): The voltage supplied
by the PMU is less than the requested voltage. The processor circuit cannot meet the timing constraints for the
particular frequency due to the higher delay caused by the
lower supply voltage, leading to functional errors.
• FEVER (Vsupply > Vrequest ): The supply voltage is higher
than the requested voltage. The higher supply voltage
will result in a loss of energy efficiency, and cause a rise in
the on-chip temperature, similar to the onset of a fever.
Such a subtle manipulation of the supply voltage can also
keep the attack stealthy. To mitigate the elevated temperature, the system may lower the operating frequency,
thereby degrading the processor performance.
• STROKE (Vsupply >> Vrequest ): The supplied voltage
is substantially higher than the requested voltage. The
excess heat dissipation due to a sudden increase in the
temperature can lead to a catastrophic failure and chip
burnout, mimicking a stroke attack.

Our first attack model, P-VIRUS, targets the energy efficiency and performance of the MPSoC. The embedded trojan in the PMU, inconspicuously manipulates the supply

To demonstrate that even a modest voltage manipulation
can significantly affect the system behavior, in this paper we
model the FEVER variant of P-VIRUS.

(a) DROWSY environment.
(b) DROWSY implementation.
Figure 2: Figure 2a shows the trends in the power management granularity. Figure 2b shows the DROWSY implementation.
DROWSY is a random focused attack, where the blocks under attack vary at different epochs to keep the attack stealthy.
the operating system (OS) is responsible for the idle state
3.3.3 P-VIRUS - Implementation
management of blocks. To achieve the fine grain control in
Figure 1b shows the detailed implementation of the Pemerging architectures, a layer of hardware control in the
VIRUS attack. The VID decoder block deciphers the incomform of PMIP is introduced, in addition to the OS control.
ing VID signal and the trojan manipulates the deciphered
VID signal. To keep the attack stealthy, the degree of at3.4.2 DROWSY - Attack Variants
tack is constrained by altering only 3 bits (4, 5 & 6) of the
We envisage several incarnations in the DROWSY attack:
VID signal in a random fashion using a linear feedback shift
register (LFSR). The infected VID (VIDF EV ) request is for• Delayed Sleep: The PMU delays the sleep signal, allowing
warded to the control circuit. The control block manages
the components to be active even when unused, thereby
requests from various on-chip components and instructs the
degrading the energy efficiency of the system.
regulator to scale the voltage to the required level. The reg• Delayed Wake up: The delay in wake up can result in
ulator block outputs the scaled voltage to the power rail corresource unavailability. Latency sensitive applications will
responding to the block that requested the voltage change.
suffer from performance degradation.
The P-VIRUS infected supply voltage value (VCCF ) cor• Abrupt Sleep: Abrupt transition of blocks to sleep states
responding to the VIDF EV is constrained within the Max.
results in loss of data and performance degradation.
Core VCC 1 . The limitations and randomness in the degree
In this paper, we demonstrate the delayed wake up scenario.
of voltage manipulation obscures the attack, while ensuring that the manipulation is significant enough to cause a
3.4.3 DROWSY implementation
considerable degradation in system behavior.
Figure 2b shows the operation of the DROWSY attack.
Table 1 gives an example of the VID manipulation for an
When the on-chip resources are idle, they are put to sleep to
incoming request of 1.65V . A 3-bit LFSR generates a ransave power. The control circuit manages the requests comdom number between 001 to 111, to inflict an inconsistent
ing from the PMIP or the OS and puts the corresponding
attack and circumvent the generation of identifiable patterns
block to the sleep state. When the OS requests for the rein system behavior. On adding it to VIDT F , we get a range
source to wake-up and resume operation, the PMU delays
of possible VIDF EV (Column 3). Note that the VCCF is limthe response to this request, adversely affecting the appliited to a maximum of 2.02V (Max. Core VCC ) though the
cation performance. During an epoch, one or many blocks
VIDF EV corresponds to a voltage range of 1.73V to 2.21V.
may send the wake-up request to the control circuit in the
PMU. A block select module randomly chooses a subset of
3.4 DROWSY
blocks to inflict a sluggish response. The response to these
In our second attack, DROWSY, the M-PMU tampers
blocks are delayed by a random, but bounded time, using
with the sleep and wake up requests of the on-chip compothe delay block fed by the LFSR. The randomness in attack,
nents. The attack mimics the effects of drowsiness, affecting
the constraint in delay threshold, and the incoherent focus
the availability of on-chip resources.
on a subset of blocks, obscure the DROWSY attack.

3.4.1 DROWSY - Attack Environment
Figure 2a illustrates the emerging trend in the granularity of control for dynamic power management (DPM). Compared to the conventional independent power domains, the
emerging architectures have control grains that are an order of magnitude smaller [18]. In densely integrated modern
MPSoCs, the number of independently controllable blocks
rise to hundreds, thereby increasing the complexity and latency involved for run-time monitoring of individual blocks.
DPM techniques involve selectively turning off the unused
components, based on the speculated idle time and the history of execution patterns. In conventional architectures,
1
Max. Core VCC is the voltage beyond which permanent
damage is likely.

3.5 Evaluation Methodology
We evaluate the effects of the trojan using Sniper6.0 [6].
We model the Intel i7-4650U processor (Table 2) and inject
the trojan in it. To model the effect of P-VIRUS, we tamper with the operating voltages of processor performancestates (p-states), while running the Splash2 benchmarks. A
widely-used on-demand DVFS algorithm is used for p-state
assignment [16]. A peak thermal design power (TDP) is set.
The frequency is throttled down when the dynamic power
(thermal load) rises beyond the set TDP, to shun assignments that can lead to a chip burn-out or system failure.
To model the effect of DROWSY, we repurpose the cost
associated with sleep periods and add an extra latency whenever a block resumes from a sleep state.

30

% Energy Increase

FEVER Infected

20

25

Peak Power (W)

50

15

20

45

10

15

40

10

35
30

fft cont rnes cont race mm cont sity .nsq cont sky rage
t f .n dio ter lu. ole ve
.
an ba lu.n ray
n
ch a
ea ra wa
oc

e
oc

5
0

%Performance Degradation

Ideal

55

fft cont rnes cont race mm cont sity .nsq cont sky rage
t f .n dio ter lu. ole ve
.
an ba lu.n ray
n
ch a
ea ra wa
oc

e
oc

5
0
-5

fft cont rnes cont race mm cont sity .nsq cont sky rage
t f .n dio ter lu. ole ve
.
an ba lu.n ray
n
ch a
ea ra wa
oc

e
oc

% Performance
Degradataion

(a) Effect of P-VIRUS on peak power.
(b) Effect of P-VIRUS on energy.
(c) Effect of P-VIRUS on performance.
Figure 3: Effect of the P-VIRUS trojan on the peak power, energy and performance of applications. Peak power increases as a
result of increased operating voltage. Energy increases due to the increased power and degradation in application performance.
Performance degrades due to the thermal throttling to ensure chip safety.
60
transition cannot be accessed, thereby preventing any func50
tional errors due to DROWSY. The energy overhead is neg40
ligible, as the blocks consume minimal power during sleep.
30
20
10
0

3.6.2 Design Footprint
fft cont rnes cont race mm cont sity .nsq cont sky rage
f .n dio ter lu. ole ve
n. ba lu.n rayt
n
ea
ch a
ea ra wa
oc
oc

Figure 4: Performance degradation due to DROWSY.
Parameters
Processor Configuration
Intel
i7-4650U (22nm)
CPU Type
Out-of-Order Engine (OoO)
Frequencies
(1.7, 2.1, 2.4, 2.7, 3.0, 3.3) GHz
Voltages
(1.6,1.65, 1.70,1.75, 1.80,1.84) V
Table 2: Configuration used to model the impact of trojan.

3.6 Potency and Design Footprint
We evaluate the potential of the threat in terms of increase in energy consumption, peak power and degradation
in performance (Section 3.6.1). We also present the design
footprint to realize these trojans in the PMU (Section 3.6.2).

3.6.1 Potency
P-VIRUS : Figure 3a shows the comparison of peak power
between the P-VIRUS free and P-VIRUS infected executions. On an average, the peak power increases by 19% with
ocean.cont incurring the highest increase in peak (23%). The
rise in peak power is limited by the thermal design power
(TDP), beyond which the operating frequency of the processor is throttled down to prevent a thermal failure.
Figure 3b shows the impact of P-VIRUS on the energy
consumed. On an average, the energy consumed increases
by 18% with fft incurring the highest increase in energy consumption (26%). We observe an anomaly for the ocean.cont
benchmark, which incurs a meager 5% increase in energy.
Figure 3c, reveals that ocean.cont does not incur any performance degradation. For this benchmark, the processor is
able to operate at a higher voltage without breaching the set
TDP. The loss in energy efficiency is purely due to the increased power. For the other benchmarks, Figure 3c shows
the degradation in processor performance due to thermal
throttling (up to 26%). Overall, the trojan degrades the
system behavior in all the three measured metrics.
DROWSY : Figure 4 shows the performance degradation
due to DROWSY. The sluggish responses to wake-up requests increase the number of idle cycles, resulting in a
maximum performance degradation of 59% (average across
benchmarks = 34%). The blocks in sleep or those under

To evaluate the footprint of P-VIRUS and DROWSY, we
augment the PMU RTL of the OpenSPARC T2 processor
[14]. We implement the logic discussed in Sections 3.3 and
3.4, and synthesize with the TSMC 45nm library using the
Synopsys Design Compiler. P-VIRUS incurs area and power
overheads of 1.39% and 1.06%, respectively. DROWSY incurs an overhead of 1.84% in area and 1.92% in power.

4. M-PMU DETECTION
In this section, we explore a novel Intellectual Property
Risk Assessment Module (IPRAM), designed by the MPSoC integrator and placed at the interface of critical
3PIP blocks. The IPRAM assumes no support from the
3PIP PMU vendor and effectively detects malicious activities in PMUs, across various vendors. The IPRAM consists
of two low complexity blocks: (a) P-VIRUS Monitor (Section 4.2) and (b) Wakeup Alarm (Section 4.3).

4.1 IPRAM OVERVIEW
Figure 5a shows the block diagram of the proposed IPRAM.
The outgoing power management requests from the 3PIP
blocks are in parallel sent to the IPRAM and the corresponding response from the PMU is forwarded to it too. Since the
IPRAM is placed in parallel to the communication between
a 3PIP core and the PMU, it does not add to the latency
of the power management state changes. The novel blocks
in the IPRAM match the requests to responses and identify
the presence of a malicious activity in the PMU’s response.

4.2 P-VIRUS Monitor
P-VIRUS Monitor (PM) is based on the insight that the
supply voltage (Vcc ) of a digital circuit profoundly influences
its delay. By characterizing the delay of a known circuit, we
can estimate the imposed supply voltage on the block.
Figure 5a presents the interface of PM, modeled as a delay
estimation block (DEB ), fed by the same supply line as that
of the 3PIP block. Figure 5b shows a detailed operation of
the DEB. The control unit power gates the DEB when not
in use, to curtail the power consumption overhead. A series of cascaded delay buffers (DB) in the form of a tunable
replica circuit are used to estimate the parasitic delay of the
circuit [7]. The cascaded buffers are sampled at equal epochs
to capture the state transition at different stages and thereby

(c) DROWSY attack detection.
(b) P-VIRUS attack detection.
(a) IPRAM.
Figure 5: Conceptual overview of the IPRAM. The IPRAM is designed in-house by the MPSoC integrator and placed at the interface
of a 3PIP block to be monitored. Figures 5b and 5c show the detailed designs for the detection of P-VIRUS and DROWSY attacks.
SL
Area Power
TP
Time (years)
estimate the delay for the imposed Vcc . The estimated de8
0.38%
0.17%
5.42 × 10−20
2.92 × 108
lay is correlated to the values stored in the look up table to
−39
16
0.87%
0.40%
2.94 × 10
5.40 × 1027
obtain the VID corresponding to the delay. The look up ta−155
ble is filled, based on the post-silicon time characterization.
64
3.40%
2.10%
7.46 × 10
2.13 × 10143
The identified VID from the look up table is then matched
Table 3: Area and power overhead, and state space exploration
to the VID request in the comparator unit, by ignoring the
time for the proposed trigger. TP represents trigger probability.
2 least significant bits to grant a margin for error. If the
WA: Since WA identifies DROWSY via a FSM, based on
values do not match, the DEB flags an anomalous behavior.
the incoming signals, we evaluate WA by implementing a
Verilog RTL model. We use Xilinx ISIM to perform exhaus4.3 Wake Up Alarm
tive tests and observe the behavior for different scenarios.
Wake Up Alarm (WA) is a finite state machine (FSM)
We implement the blocks of IPRAM in Verilog RTL and
to observe the arrival of requests and responses of the sleep
synthesize the RTL with the TSMC 45nm library using Synstate transitions. Delayed and unprompted state changes
opsys Design Compiler to find the design overheads.
triggered by the malicious PMU can be detected.
WA is modeled as a response audit block (RAB ) in Figure
6. EXPERIMENTAL RESULTS
5a, where the wake up request sent to the PMU is also sent
In this section, we evaluate the complexity of trojan acin parallel to the RAB. Figure 5c shows a detailed diagram of
tivation
during the pre-deployment test (Section 6.1). We
the RAB. MPSoC blocks usually have multiple sleep states,
then present the results for PM and WA based on two metvarying in state transition times and power saving capabilrics: efficacy (Section 6.2) and design overhead (Section 6.3).
ities. The control circuit in the RAB feeds a multiplexer
to select the appropriate delay associated with the sleep-to6.1 Limitations of Post Silicon Testing
wake transition. This delay is imposed on the request and
The necessity for the IPRAM arises from the limitations
forwarded to the capture circuit, that consists of a FSM with
of post-silicon testing, as demonstrated in Table 3. Our
3 states, default (D), wait (W ) and anomaly detected (T ).
evaluation reveals the magnitude of complexity involved in
The FSM is in the D state until it detects a signal from the
guaranteed trojan activation during testing [8]. A modern
3PIP. The state transitions are discussed below.
PMU can be tested by applying test patterns (VID), and
observing the resulting voltage levels. However, unlike a
• D → W : On receiving a wake-up request from the 3PIP,
logic circuit, one must wait for voltage stabilization before
the state changes from D to W.
running subsequent tests. Typical voltage level stabilization
• W → D: If the PMU response is observed within the ventimes lie between 0.1 to a few milliseconds [1]. With these
dor specified response time, it triggers a transition from
considerations, we present the data for an 8-bit VID and seW to D. The 3PIP resumes its operation.
quence lengths (SL) of 8, 16 and 64 signals. For the SL of 8,
• W → T : If the PMU response is delayed, the delay block
we see a meager area (0.38%) and power (0.17%) overhead,
triggers a transition from W to T, flagging the anomalous
while the state space exploration time is enormous. The
behavior— a delayed wake up attack.
data shows the extremely low probability of activating the
• T → D: Once the attack is flagged, the signals and moniM-PMU during the post-silicon tests, thereby emphasizing
tor blocks are reset, and the state transitions to the default
the need for the proposed security assurance techniques.
(D) state to wait for the next request.
• D → T : An unsolicited shutdown/wake-up signal from
6.2 Solution Efficacy
the PMU, is captured and flagged— an abrupt attack.
PM : Figure 6 illustrates two representative cases of PM.
In Figure 6a, we see the worst case scenario for detection,
5. METHODOLOGY
where the difference between VCCF (1.73V) and VCC (1.65V)
is a mere 0.08V. This is the lowest increment in voltage that
In this section, we discuss the methodology used to evalthe FEVER can impose, based on the trojan design (Secuate the efficacy and overhead of the IPRAM.
tion 3.3). The overlap in the distribution implies that these
PM : To evaluate the efficacy of PM, we model the casdelay values can occur both in the presence and absence of
caded buffers present in the DEB, in HSPICE and obtain the
a P-VIRUS attack leading to an inaccuracy in trojan detecdelay characteristics for different VCC values. To account for
tion (false detection). Figure 6c represents a typical case,
process variation, we include a Monte Carlo analysis by crewhere P-VIRUS increases the voltage by 0.1V . For attacks
ating a Gaussian distribution of three parameters: threshold
with a voltage increment greater than 0.1V , the distribution
voltage, effective channel length and transistor width [17].

8

1.1

1.2

2

1.2

4

1.2

Delay (in ns)

6

1.2

8

1.2

FP

80
60
40
20
0
6
1.1

8

1.1

1.2

2

1.2

4

1.2

Delay (in ns)

6

1.2

VCC

VCC

F

140
120
100
80
60
40
20
0

1.1

2

1.1

4

1.1

6

1.1

8

1.1

1.2

Delay (in ns)

FP

FN

100

False Detections (%)

FN

100

Population Distribution

VCC

F

False Detections (%)

Population Distribution

VCC
120
100
80
60
40
20
0
6
1.1

80
60
40
20
0
1.1

2

1.1

4

1.1

6

1.1

Delay (in ns)

8

1.1

1.2

(a) Worst case
(b) FP and FN analysis
(c) Typical case
(d) FP and FN analysis
Figure 6: Results from the PM. 2 representative cases of the delay characteristics for P-VIRUS detection. Figure 6a, shows the
worst case when the difference between the infected voltage (VCCF ) and the requested value (VCC ) is minimum (0.08V). Figure
6c shows the typical case (VCCF - VCC = 0.1V). Figures 6b and 6d show the FP and FN analysis for various threshold values.
ules incur marginal overheads and have a FDR of 5%, while
detecting anomalous behaviors inflicted by the M-PMU.
(a) Correct PMU response

(b) DROWSY attack due to delayed response

(c) DROWSY attack by an unsolicited signal
Figure 7: Important scenarios of WA. Figure 7a illustrates the
correct behavior. Figure 7b shows a delayed response attack
detection. Figure 7c detects unsolicited response.
curve is distinct (no overlap), implying that there exists an
optimum delay threshold with zero false detections.
Threshold Selection: Delay threshold indicates the minimum bound on the delay that can occur for a chosen voltage. If a voltage higher than the requested value is supplied,
the obtained delay value will ideally be below the chosen
threshold. Smart threshold selection helps reduce the number of false positives (FP) and false negatives (FN). Figure
6b, shows the FP and FN analysis of the worst case, for
different delay threshold values. With an optimum threshold of 1.22ns, the FP is a mere 1% and FN is 4%, giving a
total false detection rate (FDR) of 5%. As we move away
from the optimum threshold, the FDR increases rapidly in
both directions. In the typical case, the tolerance for error
in optimum threshold selection increases (Figure 6d), as the
FDR remains less than 3% for a range of delay thresholds
(1.14ns to 1.16ns). Meticulous profiling during the testing
stage helps set accurate thresholds to reduce the FDR.
WA: Figure 7 shows the three important cases of DROWSY
detection. The states 00, 01 and 11 indicate the states D, W
and T, respectively. Figure 7b illustrates an attack scenario.
The 3PIP core sends a wake-up request, but the response is
delayed by the PMU. WA flags the trojan, once the vendor
specified time expires without a PMU response.

6.3 Implementation Overhead
PM and WA incurs area overheads of 0.97% and 0.14%,
respectively. The power overheads are negligible, as blocks
in the IPRAM are power gated when not in use.

7.

CONCLUSION

This work outlines a novel security threat stemming from
a malicious third party PMU that can adversely impact the
MPSoC’s system behavior. To detect anomalous M-PMU
behavior, we propose a low complexity IPRAM. Our mod-

8. REFERENCES
[1] Single-Phase Wide VIN Range DC/DC Controller for Intel
IMVP-6/IMVP-6.5 CPUs.
http://cds.linear.com/docs/en/datasheet/3816f.pdf.
[2] Auerbach, D. VolkswagenâĂŹs Villains. http://www.slate.com/
articles/technology/bitwise/2015/10/volkswagen_s_emissions_
scandal_has_a_villain_and_it_s_the_not_the_people.html.
[3] Baily, B. and others Scalable Verification: Evolution or
Revolution?: Panel Discussion on Test and Verification. Session
in DAC, 2015.
[4] Bembaron, F. and others Low power verification methodology
using upf. Proceedings of DVCon (2009), 228–233.
[5] Brill, J. The intersection of consumer protection and
competition in the new world of privacy. Competition Pol’y
Int’l 7 (2011), 7–313.
[6] Carlson, T. E. and others Sniper: exploring the level of
abstraction for scalable and accurate parallel multi-core
simulation. In Proc. of SC (2011).
[7] Chakraborty, A. and others Dynamic thermal clock skew
compensation using tunable delay buffers. In ISLPED (2006),
pp. 162–167.
[8] Chakraborty, R. S. and others MERO: A Statistical Approach
for Hardware Trojan Detection. In CHES (2009), pp. 396–410.
[9] Gartner Inc. Competitive Landscape: Power Management IC
and Power Semiconductor Vendors. Gartner Research, 2012.
[10] Intel. Intel Core i7-4650U Processor.
http://ark.intel.com/products/75114/
Intel-Core-i7-4650U-Processor-4M-Cache-up-to-3-30-GHz.
[11] King, S. T. and others Designing and Implementing Malicious
Hardware. vol. 8, pp. 1–8.
[12] Liu, C. and others Shielding heterogeneous MPSoCs from
untrustworthy 3PIPs through security-driven task scheduling.
In Proc. of DFT (2013), pp. 101–106.
[13] Mesa-Martinez, F. J. and others Power model validation
through thermal measurements. In ISCA (2007), pp. 302–311.
[14] Nawathe, U. G. and others Implementation of an 8-core,
64-thread, power-efficient sparc server on a chip. J. of
Solid-State Circ. 43, 1 (2008), 6–20.
[15] Nizam, M. and others Power grid voltage integrity verification.
In ISLPED (2005), pp. 239–244.
[16] Pallipadi, V., and Starikovskiy, A. The ondemand governor. In
Proc. of the Linux Symposium (2006), vol. 2, pp. 215–230.
[17] Sarangi, S. and others VARIUS:A Model of Process Variation
and Resulting Timing Errors for Microarchitects. IEEE Trans.
on Semiconductor Manufacturing 21 (2008), 3 –13.
[18] Sonics Inc. ICE-Grain Power Architecture for Mainstream SoC
Designs-the Semiconductor IP Industrys First Power
Management Solution, 2015.
[19] TechNavio. Global Power Management Semiconductor IC
Market 2014-2018. TechNavio, 2014.
[20] Tehranipoor, M., and Wang, C. Introduction to Hardware
Security and Trust. Springer, 2011.
[21] Waksman, A., and Sethumadhavan, S. Silencing Hardware
Backdoors. In Proc. of Security and Privacy (2011), pp. 49–63.
[22] Waksman, A. and others FANCI: identification of stealthy
malicious logic using boolean functional analysis. In Proc. of
CCS (2013), pp. 697–708.
[23] Wolf, W. and others Multiprocessor System-on-Chip
(MPSoC) Technology. TCAD 27, 10 (2008), 1701–1713.

