ABSTRACT The rising trend of globalization in the integrated circuits' design process has increased their vulnerabilities against malicious intrusions. The security vulnerability analysis using conventional design time simulations is computationally intensive and incomplete by nature. Formal verification has the potential to overcome these limitations of simulation techniques; however, the existing state-of-the-art formal verification techniques cannot be used as such to analyze the effects of hardware Trojans (HTs) that may impact the performance of the circuit without altering its functionality. In this paper, we propose a novel model checking-based formal framework for a priori assessment of circuit vulnerabilities against both the functional and parametric HTs at the early stages of the design. This framework is characterized by the gatelevel side channel parameters, i.e., dynamic power, leakage power, and propagation delay, to examine the impacts of malicious circuitry insertion. An algorithm based on the temporal logic properties is proposed, which computes the bounds for the side channel parameters to define the expected secure regions of circuit operation. Moreover, we propose a second algorithm for formally analyzing the security vulnerabilities in the circuit by introducing partitions, which significantly reduces the size of state space. We evaluate the masking effects on the intrusions while considering 3-sigma variation in the process. We demonstrate the effectiveness of our proposed approach by analyzing the security vulnerabilities on a set of ISCAS85 and 74× benchmarks.
I. INTRODUCTION
The complexity and economic constraints in IC design has witnessed an increasing trend of outsourcing development and fabrication to the untrusted third party foundries. This makes the IC development cycle severely vulnerable to hardware Trojan (HT) based attacks [1] , [2] in which the attacker can secretly modify an IC with a malicious intent during the design, fabrication or assembling phase.
A. BACKGROUND
HTs generally comprise of two parts, as depicted in Fig. 1(a) .
1) Trigger:
The activation mechanism of HT is referred to as Trigger, which is typically partitioned into two categories: The internal activation is either always-on that can disrupt the functionality of an IC at any time, or condition-based which is inactive until a specific condition is met, e.g., a logic pattern. HT can also be activated externally by an antenna or a sensor. 2) Payload: The part of HT that affects IC is called the Payload which can either be leakage of information through a power trace, or modification of a functional block.
An attacker can intrude a single module of a system to compromise the security of all the intercommunicating components. For instance, HT embedded in Module 2, shown in Fig. 1(a) , can be used to subvert the operation of all modules that are interconnected with the system bus.
HTs are broadly classified into functional (FHT) and parametric (PHT) types based on their trigger and payload mechanism. FHTs change the system functionality by adding or deleting functional units in an IC. For example, a combinational FHT, shown in Fig. 1(b) , flips the logic signal S when the trigger is generated by a specific input combination. PHTs affect circuit parameters, such as power, performance and noise margins, without altering the functionality of the system. For example, security mechanism of a crypto engine can be subverted by an attacker designed payload that uses binary pseudo-random number generator (PRNG) to modulate each key bit by a XOR operation, as depicted in Fig. 1(b) . The inserted HT does not alter the normal functionality of the crypto unit, and the capacitive load (C) can be used to leak key bits via a covert side channel when a logic transition occurs [3] . In general, malicious intrusion in ICs may lead to three types of security attacks by: 1) Leakage of confidential information covertly to adversary (confidentiality attack). 2) Modifying the specifications or functionality (integrity attack). 3) Unreliability, degraded performance and destruction of a complete IC or its module (availability attack). This can potentially have catastrophic impacts on security-critical applications in the domains of military, space, communications, Internet of Things (IoTs), nuclear facilities etc. [4] - [7] .
In the recent past, various HT detection techniques have been proposed which are mainly categorized as logic based testing [8] - [10] , and side channel analysis [11] , [12] . Logic based testing involves complexity of generating patterns [13] . It fails to detect the PHTs, which are independent of the IC functionality [14] . The side channel techniques are based on analyzing power signature [15] - [18] and propagation delay [19] - [21] , which pose the following limitations: 1) These techniques use extensive simulations on the circuits and thus require an enormous amount of time, and resources. Therefore, it is implausible to provide 100% coverage for larger circuits as depicted in Fig. 2 . For example, analyzing the vulnerabilities in the 74181 circuit [22] with 100% coverage for all gates (61) would approximately require 7.3 ×10 8 years if the tests are executed at a rate of 100 patterns per second. Moreover, the analysis of all possible nodes (75) would require 1.2 ×10 13 years at the same pattern rate for 100% coverage. Similarly analysis with all possible inputs for circuits takes significantly longer time. For example, a circuit with 30 inputs would require approximately 125 days to perform vulnerability analysis with respect to all possible input cases.
2) The measurements acquired are prone to experimental noise [23] , and generate an extensive amount of data, which is difficult to handle with conventional automation techniques [24] . To overcome the above-discussed requirements of immense resources and time for analysis at the design time, various methodologies (e.g. [25] - [28] ) have been proposed which perform the vulnerability analysis of circuit models using formal verification. However, these techniques analyze the models only against their functional characteristics, and do not consider their parametric behavior, and therefore, can only analyze the effects of FHTs.
In this paper, we build upon our preliminary work in [29] , which introduced a model checking based formal framework to analyze the effects of FHTs and APHTs (activity dependent PHTs) using switching power, and propagation delay parameters. The framework in [29] needs to be integrated with the parametric behavior of leakage and short circuit power parameters, to analyze the effects of SPHTs (stealthy PHTs which remain inactive during the testing phase). Moreover, the effects of process variations (PV) are required to be incorporated, to accurately investigate HTs impact under the uncertain behavior of side-channel parameters.
B. ASSOCIATED RESEARCH CHALLENGES
The existing simulation based, and formal verification based techniques for analyzing the HTs pose the following key research challenges: 1) Extensiveness: Integrating all-encompassing parametric behavior (i.e., dynamic power, leakage power, and propagation delay), and effects of PV to ensure a precise analysis of security vulnerabilities, even in the presence of SPHTs. 2) Completeness: Performing the vulnerability analysis with complete coverage for all gates, and nodes with respect to all possible input patterns. 3) Viability: Reducing the time for complete analysis for all gates, and nodes with respect to all possible input patterns. VOLUME 6, 2018 FIGURE 2. Time and patterns required by simulation based method to perform vulnerability analysis with 100% coverage in different 74x benchmarks. 
C. NOVEL CONTRIBUTIONS
To address the above-stated research challenges, we propose a model checking based formal framework (McSeVIC) for all-encompassing vulnerability analysis of integrated circuits. The main contributions of this paper are: 1) Gate-level mathematical modeling (Section IV A) of subthreshold leakage (LP), and short circuit power (P sc ), while considering the effects of PV on various technology parameters, e.g., threshold voltage (V th ), effective channel length (L), and thickness oxide (t ox ). This jointly accounts for analyzing SPHTs, along with other types of HTs in the presence of PV. 2) Model checking based analysis method (Section IV A) for a complete coverage of vulnerability analysis, against various types of intrusions at different locations.
3) Model verification (Section IV B) using a vector computation algorithm to accurately identify maximum and minimum bounds of side channel parameters. 4) Vulnerability analysis (Section IV C) algorithm to examine the undesirable behavior of circuits while complementing the reduction of state-space.
D. PAPER ORGANIZATION
The rest of the paper is organized as follows: Section II presents the related work, Section III describes an overview of model checking and nuXmv tool along with the performance parameters used in our gate models. In Section IV, we explain the proposed framework for verification and vulnerability analysis. The gate-level modeling technique is discussed in section IV-A, followed by the verification in section IV-B, and vulnerability analysis in section IV-C. Section V presents the results and the key observations made during experimentation.
II. RELATED WORK
The objective of analyzing the security vulnerabilities is to determine the parts of the circuits which are more susceptible to HT insertion. The vulnerability assessment techniques involve thorough circuit analysis, and can be broadly classified into simulation or modeling types. The simulation type comprises of test vector (TV) generation, and constrained random vector (CV) driven analysis, whereas, modeling can be categorized into mathematical and formal verification based analysis. To reduce the resources and time of analysis in design phase, different analytical techniques for vulnerability assessment of potential attacks have been developed, which analyze the equivalent behavioral, functional and performance model against the design constraints and functionality characteristics. A brief comparison of the state-of-the-art methodologies is given in Table 1 . A design vulnerability assessment flow performing power, delay and structural analysis has been proposed in [30] and [31] , which examines the susceptibility of gatelevel netlist to HT insertion and quantifies the vulnerability of specific sections of IC. An integration based framework given in [32] demonstrates the security analysis at gatelevel to identify the vulnerabilities during integration and optimization of information sensitive modules. This method exposes the design to different vulnerabilities that can violate information policies of integrity and confidentiality. Similarly, a testability metric for vulnerability assessment based on simulation and signal probabilities has been proposed to estimate HT detectivity profile of gate-level circuits [33] . However, the above-stated TV and CV based simulation methodologies cannot encompass all the possible test cases in complex systems by virtue of the floating point inaccuracies [38] and inherent computational constraints [39] .
Statistical analysis proposed in [40] employs modeling of gate sequences to identify abnormal circuits. The rules are inferred based on the conditional probabilities of gate co-occurrence, whereas, HTs are expressed as netlist fragments with low probabilities. Similarly, machine learning based techniques [41] , [42] are proposed to extract the features of gate-level netlists. These features are used for identification of vulnerable nodes based on the learned classifiers. However, the above-discussed techniques do not guarantee 100% coverage, and there is a likelihood to have number of false positives.
Formal verification [38] , [43] based methods can address the limitations posed by the logic simulations owing to their inherent soundness and completeness. These methods are based on model checking [44] or equivalence checking (EC) [45] which are realized on the top of basic Boolean reasoning techniques [46] , such as automatic test-pattern generation (ATPG), binary decision diagrams (BDDs), and boolean satisfiability checking methods (SAT). The vulnerability assessment techniques proposed in [25] and [26] apply SAT solving, multistage assertion based verification (ABV), equivalence theorems, code coverage analysis, and sequential ATPG. However, these SAT based approaches provide incomplete analysis owing to user-specified number of iterations [46] . An ATPG based vulnerability assessment framework [34] quantitatively evaluates the susceptibility of gate-level finite state machine (FSM) against different types of attacks. Using this framework, the designer can identify security vulnerabilities in FSMs at an early design stage. Similarly, the methodologies presented in [27] and [35] are based on the assertions derived from temporal logic, and their translation into synthesizable property checker. The formal ABV then employs the property checkers for identification of critical behavioral invariants, followed by the generation of error trace in case of the failed functional properties. These methods do not perform vulnerability assessment at netlist and layout levels, and thus can only analyze the behavior of FHTs.
Model checking based approaches offer rigorous verification of all possible behaviors of the circuit model, and thus can precisely analyze the vulnerabilites against different types of attacks. The approach, given in [37] , verifies functional properties deduced from system specifications using model checking. For effective assessment of the potential vulnerabilities, this method uses a defined set of malicious characteristics. The counterexamples generated by the failed linear temporal logic (LTL) properties are subsequently used to analyze potential attack paths. Likewise, other model checking based techniques [28] , [36] generate the functional patterns of specific units into the corresponding state-space models to analyze the malicious behavior in designs. The counterexamples generated in these methodologies are used to identify the relevant signals that can be monitored in hardware designs. These model checking techniques are based on the functional verification of the designs, which fails to analyze the behavior of malicious intrusions in circuit if the payload is not triggered. Although, the model checking based approaches provide the comprehensive vulnerability analysis, they pose the state-space explosion problem, i.e., the inability to rigorously explore large design space, due to limited computational resources, for complex systems [47] . Additionally, the available techniques fail to identify PHTs, which either intend to exhaust system's resources in terms of power or leak information covertly through capacitive loads. The model checking based framework in [29] mathematically models the side-channel parameters of gate-level circuits including switching power and propagation delay. This method has an inherent advantage of analyzing vulnerabilities posed by FHTs and APHTs, however, it does not provide the means of examining susceptibility of gate-level netlist towards SPHTs. These SPHTs usually remain inactive during the testing phase and even after the deployment using internal and external triggering mechanism, which may lead to leakage of sensitive information or denial of service (DoS) attacks. Moreover, this approach does not account for the uncertain behavior and masking induced by PV, which may lead to a number of false positives. To overcome these issues, we propose a formal framework to analyze security vulnerabilities in circuits using side channel parameters while considering the effects of PV.
III. PRELIMINARIES
In this section, we provide a brief overview of model checking and performance parameters, i.e., dynamic power, leakage power and propagation delay for better understanding of the proposed contributions.
A. MODEL CHECKING AND nuXmv
The model checking based analysis of any system comprises three essential steps: (1) The system is first translated to a state-space based model using the specified formal language of the model checker. ( 2) The set of behavioral or functional properties to be verified for the given system are identified and subsequently formalized using the property specification language. (3) Finally, the model checker is invoked for the automatic verification to check whether the system meets its desired requirements. The model checker exhaustively verifies that the properties hold for the given system while providing a counterexample in case of a failing property.
The nuXmv is a symbolic model checker [48] for finite and infinite-state transition systems. It builds upon NuSMV open source model checker [49] and complements its verification techniques by sharing basic functionalities, such as flattening of design, Boolean encoding of scalar variables, VOLUME 6, 2018 and representation of finite state machines at different levels of abstraction. The nuXmv gives novel functionalities in order to facilitate the modeling and the understanding of complex designs. For dealing with infinite state-space, nuXmv introduces new data types of Reals and unbounded Integers to represent the continuous values, and it provides the support of advanced Satisfiability Modulo Theories (SMT) based model checking, using MathSAT interface [50] . We use these features to model the dynamic power, leakage power and propagation delay. Moreover, this open source tool supports bounded model checking (BMC) [47] , which effectively addresses state-space explosion by means of searching the state-space within k-bound levels to discover the counterexample for a specified property. The properties to be checked can be expressed in nuXmv using LTL and computational tree logic (CTL). The specifications are expressed in nuXmv with the help of logical operations like, AND (&), OR (|), implication (->), and temporal operators, like Globally (G), Finally (F), Next (X), and Until (U). Similarly, the CTL specifications can be written by combining logical operations with quantified temporal operators, like exists finally (EF) and always globally (AG).
B. GATE-LEVEL PERFORMANCE PARAMETERS
We perform the vulnerability analysis of circuits based on characterization of each gate in terms of the following side channel performance parameters.
1) DYNAMIC POWER
Dynamic power is dissipated in a circuit during the state transitions at the individual nodes and it has two components [51] . (i) Switching power (P sw ) is consumed during (dis)charging of load capacitances associated with transistors and wires. The model of P sw is as follows [51] :
where V dd is the supply voltage, f is the operating clock frequency, and C total is the total capacitance that is (dis)charged in a transition. The switching activity factor (α ∈ [0, 1]) is the probability that a clock event results in a power consuming event at the gate output. Moreover, the total output capacitance is the sum of parasitic capacitances of the individual gate and load capacitances at the output node.
(ii) Short circuit power (P sc ) is dissipated when both pullup and pulldown networks are partially ON during transitions, inducing a direct current path from V dd to the ground. The model of P sc for a rising or falling transition is given as follows [52] :
where t sc represents the time when devices in the pullup and pulldown networks are conducting, and I peak is the maximum saturation current of the load transistor.
2) SUBTHRESHOLD LEAKAGE POWER
Subthreshold leakage power is dissipated in a circuit primarily due to the undesirable flow of subthreshold current in the channel from V dd to ground nodes, when transistors are in the Off state [53] . With the devices being continuously scaled in the recent decades to achieve higher density and performance, leakage power has become a significant portion of the total power consumption in the nanoscale CMOS process technologies [54] . Leakage current is independent of the switching activity, and becomes a major component within the total power consumption as it continuously flows through the devices even in the steady-state. This gives an inherent advantage of using subthreshold leakage power to analyze malicious intrusions and ghost circuitry [31] , [55] , in comparison to dynamic power and path delay, which depend upon (dis)charging of internal and node capacitances [29] . The subthreshold leakage current of NMOS (PMOS) per transistor width is represented as [56] :
where W is the gate width, n is the transistor subthreshold slope factor, C ox is oxide capacitance, µ is effective carrier mobility, σ is the drain induced barrier lowering (DIBL) factor, φ t = KT /q is thermal voltage, K is Boltzmann constant, T is temperature, and q is the magnitude of electrical charge on the electron. Given the optimal supply voltage V dd , we model leakage power of a MOSFET as LP = V dd · I Leakage .
3) PROPAGATION DELAY
The propagation delay of a CMOS gate is determined by the time it takes to (dis)charge the internal parasitic capacitances and external load [51] . We model the gate-level propagation delays on individual transitions at the gate inputs using the Elmore delay model [52] , which computes the delay by defining each circuit in the form of a Resistor-Capacitor (RC) tree. The voltage source is the root of this tree, and capacitors are leaves at the ends of the branches. The Elmore delay approximation is equivalent to the first-order time constant of the network:
where C k is the capacitance at node k, and R ik is the shared resistance among the paths from the root to node k and leaf i. We formulate gate-level delay model as D = ln(2) · τ elmore .
C. PROCESS VARIATIONS (PV)
PV are the manufacturing deviations in the transistor parameter values from their nominal specifications, due to industrial CMOS scaling [57] . Such parametric variations in nanoscale CMOS technologies are more prominent, as dimensions of devices do not appear to be scaling at the same rate [58] .
There are two parameters in particular, i.e., V th , and L that are greatly affected due to these variations [31] . Therefore, it is inevitable for the side channel parameters of circuits, such as power and propagation delay to deviate from their nominal design values. In this work, we consider V th , L, and t ox of NMOS and PMOS transistors, respectively, as variable parameters to examine the uncertain behavior due to PV. We model the effects of PV by assuming 3-sigma variation in these parameters, as defined by the SG13S CMOS process specifications from IHP technologies.
IV. McSeVIC: FRAMEWORK FOR VULNERABILITY ANALYSIS
McSeVIC analyzes vulnerabilities in the state-space model that is translated from the gate-level netlist of a circuit. The vulnerability analysis framework consists of three major segments as depicted in Fig. 3 , and explained in the subsequent sections.
A. MODELING
The modeling segment of the framework is executed in the following three steps: 1) The mathematical models for the individual gates are defined to compute their dynamic power, leakage power and propagation delay. The side channel parameters are computed using the structural configuration of gates which depends on the respective input transitions. 2) The gate-level netlist of the circuit is translated into corresponding state-space model using the netlist translator and gate models from the library. 3) The intrusions are modeled to analyze the behavior of FHTs and PHTs. These intrusions comprise of gate(s) or components, and their behavior is translated into corresponding state-space using the library of gate models.
1) GATE MODELING
CMOS technology supports the construction of any gate or logic using the appropriate configuration of the transistors in the pull-up and pull-down networks, and same can be used to model the respective side channel parameters. For instance, the computation of dynamic power and propagation delay mainly depends on the intrinsic and load capacitances in the gate structure that are switched at the logic transitions. Similarly, the subthreshold leakage power of a single gate is modeled based on the configuration of Off transistors at the respective inputs, while taking the stack effect of MOS transistors [59] into consideration. In this work, we develop VOLUME 6, 2018
the mathematical models of the universal gates, i.e., NAND, NOR and NOT. Each gate model determines the total capacitances that are switched, defines the outputs, and computes the switching activity factor based on the inputs and their probabilities. These components along with the technology parameters are used to compute the side channel parameters of the individual gate. The models for the multi-input complex gates are build using the universal gates, and a comprehensive library is developed that comprises of all gate modules. It is pertinent to mention that modeling technique is generic, and the models for multi-input complex gates may be developed independently based on the composition of their transistors. For illustration purposes, we describe the two input NAND gate model as shown in Fig. 4 . Similarly, all the other gate models can be developed with different parameter values based on their transistor level structure. 
a: DYNAMIC POWER
We model the dynamic power (DP) of an individual gate as a sum of P sw and P sc :
We compute α by using the transition probability of the node that it switches from Low-to-High. The total capacitance at the output of the gate is equal to C total = C load + C diff . The load capacitance (C load ) at the output of a single gate is the sum of gate capacitances of individual gates connected at the output node [52] :
The gate capacitance (C gMOS ) for an individual nMOS (pMOS) transistor is modeled as [52] :
where FO represents the fanout of the gate, WR is the width ratio, C GDO and C GSO are the overlap capacitances between gate and drain (source), and W min is the minimum width.
The internal diffusion capacitance (C diff ), also referred to as the intrinsic capacitance, depends on both the sidewall perimeter (PD) and area (AD) of the drain (source) diffusion region [51] , and derived for the NAND gate as:
where C ndmin and C pdmin are the minimum diffusion capacitances for the nMOS and pMOS transistors, respectively. The minimum drain diffusion capacitance (C dmin ) for a single transistor is computed as C dmin = AD · C jbd + PD· C jbsdw [51] , where, C jbd is the capacitance per unit area between the body and bottom of the drain, and C jbsdw is the capacitance per unit length of the junction between the body and side walls of the drain. The minimum source diffusion capacitance (C smin ) is computed in a similar manner. Short circuit power dissipation in (2) is proportional to the switching activity, similar to the P sw dissipation. The period t sc , during which a DC current path exists between V dd and ground, is modeled as [52] :
where V thn (V thp ) is the nMOS (pMOS) threshold voltage, t r(f ) is the rise (fall) time of the transition [52] , and derived for the NAND gate as:
We compute t r as a transition time for the gate output to go from 10% to 90% of its full value, and vice versa for the t f , while considering the lumped RC load driven at different inputs. We model the resistance [60] . The maximum saturation current in (2) is determined as I peak = FO · W min · I sc , where, peak current per transistor width (I sc ) is computed as [61] .
b: SUBTHRESHOLD LEAKAGE POWER
The gate-level leakage current is modeled using the components mentioned in (3). The gate oxide capacitance is calculated as C ox = ε ox /t ox [52] , where, ε ox = 3.9 · ε o is the oxide permittivity. In CMOS based circuits, half of the total transistors are always in the Off state for any given vector. The stacking of Off transistors in series significantly reduces the subthreshold leakage compared to a single Off transistor [53] . The two nMOS transistors in the NAND gate, shown in Fig. 4 , are in series and as a result of the stack effect on input vector 00, the total leakage current reduces by a factor 10
due to Kirchhoff's current law [51] . The leakage power modeling for the two input NAND gate at different states is depicted in Table 2 . 
c: PROPAGATION DELAY
We use Elmore's delay model to determine the time required for (dis)charging the intrinsic and load capacitances at different inputs. Moreover, we model the effects of (dis)charging capacitances at the internal nodes of transistors stacks. For instance, capacitance is required to be charged at the nMOS stack of the NAND gate when nMOS1 transistor, shown in Fig. 4 , is On and nMOS2 is Off. Table 3 indicates the Elmore delay relationship for 6 possible transitions of the NAND gate. 
2) CIRCUIT MODELING
The gate-level netlist of the circuit is transformed into its state-space using the mathematical models of the gates. For this, we developed a gate-level netlist translator, which uses the available connectivity information, and translates it to the corresponding state-space model. Moreover, the library of CMOS gates is used to imitate the description of circuits as per the instances given in the netlists. The transition probabilities, along with outputs, are passed to all the gates connected at the output node of an individual gate. Similarly, the total load driven by the gate is computed by adding its intrinsic capacitance with the gate capacitances of the connected gates at the output node. For illustration, we define a state-space model of a single inverter, which drives the load of another inverter and a two input NAND gate as depicted in Fig. 5 . The total capacitance at the output node is equivalent to the sum of the gate capacitances of NOT2 (C gnot ), NAND (C gnand ), and diffusion capacitance (C d ) of gate NOT1. The status of compute dynamic power (CDP), compute leakage power (CLP) and estimate delay (ED) flags indicates whether power has been dissipated or delay has been propagated at a specified state. For instance, if input I transitions to low from State 1, then out goes to high as the total capacitance is required to be charged at State 3. However, if the input remains high, neither dynamic power is consumed nor the delay is propagated, and only leakage power is dissipated at State 2 as depicted by the respective flags.
3) INTRUSION MODELING
We model the intrusion behavior for the HT attacks which encompass inserting extra gate(s) [62] , adding components [63] , and resizing of gates in existing circuit [31] . These gate(s) may be inserted within the circuit paths to change the functionality [64] , or added in parallel to the computational paths to effect the performance of the circuit [65] . Figure 6 shows a single gate intrusion within and parallel to the computational paths at the input and intermediate stages of the C17 benchmark. These intrusions affect the side channel parameters of circuit in a diversified manner, depending on their size and location. To analyze the behavior of such types VOLUME 6, 2018 of HTs, we translate them into corresponding state-space models using the information available in the gate library. These models are subsequently integrated into the SMV model of the circuit, by defining the connectivity of adjacent nodes and transition probabilities. Moreover, the effects of the capacitances which are switched during transitions are also modeled. For example, the total switching capacitance of the driving gate is changed to C total = C load + C diff + C int as depicted in Fig. 4 , where C int is the gate capacitance of the HT gate. The effects of capacitances are integrated into all the relevant states of the intruded circuit model to evaluate their impact on the performance parameters of the circuit.
B. MODEL VERIFICATION
In the next step, McSeVIC validates the developed models of circuits against the set of identified properties using the BMC support of nuXmv model checker. The functional verification of the model is first executed as per the specified operations that the circuit is intended to perform. This involves defining LTL properties using the global temporal operator (G) over input Boolean vectors with assigned operations. Following the functional check, the performance properties are verified to ascertain that the given circuit remains between the specified boundaries defined for dynamic power, leakage power and propagation delay. The performance verification of the circuit model comprises of three main segments.
1) Identification of the circuit input vectors which may induce the maximum/minimum values of the side channel parameters. 2) Computation of each side channel parameter using the respective input vectors that are identified. 3) Verification of the circuit model using the upper/lower computed value as the bound of parameter.
1) ALGORITHM FOR BOUND COMPUTATION
We propose Algorithm 1 to implement the first two segments of the performance verification. The abstract model of the circuit is first developed using gate-level models, by defining their functionality, based on the inputs and corresponding outputs. Moreover, each state of the individual gate is assigned with an integer weight based on the value of parameter that is computed on the state. The minimum weight is assigned to the state, which computes the minimum value of the parameter, and similarly, remaining transitions are assigned with the weights in ascending order. Moreover, the states which compute to the same value are assigned with the similar weights. For example, state 00 depicted in Table 2 computes the lowest value of leakage power for the NAND gate, and assigned with the weight 1. The algorithm executes in following steps in order to compute the upper/lower bounds of the parameters: 1) Bound Integer (BI ) is initialized for each of the respective parameter, and its value is equal to the sum of maximum/minimum weight assigned to each gate (i) in the circuit (path in case of propagation delay), i.e., n i=1 (Max/Min wt of parameter) i . 2) For each parameter, the true value of BI is determined by recursively applying a CTL property on the abstract model using nuXmv model checker, while decrementing/incrementing BI at each step, until this property becomes TRUE.
3) The first set comprising of a current and next state input vectors is determined for dynamic power and propagation delay from the counterexample trace generated by LTL property defined for each parameter. For leakage power, only current state input vector is required to be identified. 4) The remaining set of vectors are identified from the counterexample traces generated from the recursive execution of another LTL property defined using the G operator. 5) For each of the identified input vector, the corresponding real value of the side channel parameter is computed using a gate-level model of the circuit. This model is developed mathematically for the circuit under test, by using the technology specifications and equations defined for each parameter. The maximum/minimum value computed from the model is used as upper/lower of the side channel parameter. We discuss the CTL and LTL properties that are used in nuXmv model checker to identify the input vectors for bound computation as below:
a: DYNAMIC POWER
To determine the true value of BI (p) for the dynamic power, we propose to use Property I as shown in Line 1. The property verification is repeatedly executed while decreasing the BI (p) by one each time until Property I becomes True.
EF(DP = BI (p)) (I)
The first set of two input vectors, i.e., current (W 1 ) and next state vectors (W 1n ), is determined from the counterexample trace generated by Property II as shown in Line 4.
G !(X (DP) = BI (p)) (II)
Subsequently, we identify all pairs of remaining input vectors from the counterexample traces generated by recursive execution of Property III, as shown in Line 5. The True (T) status of vector pair generated from each counterexample is added into Property III after every execution, until this property becomes True.
This is followed by the computation of dynamic power using each pair of identified input vectors. The maximum computed value of dynamic power (DP max ) is used as an upper bound for verification.
b: LEAKAGE POWER
We compute maximum/minimum bound of the leakage power by first identifying the true value of BI (l) using Property IV. This property is recursively executed while decreasing/increasing BI (l) for the respective bound by one each time until it becomes True. The input vectors are subsequently identified by applying Properties V and VI as shown in Lines 12 and 13, respectively. The leakage power is computed against each of the identified vectors, and the maximum/minimum computed value is assigned as the leakage bound (LP max/min ).
EF(L
We identify the input vector pairs to compute maximum propagation delay (D max ) of a specific path using Properties VII-IX, as depicted by Lines 17 to 23.
The maximum value computed from the identified vectors defines the upper bound D max (k) for the k th path delay.
2) VERIFICATION OF CIRCUIT MODEL
In the last segment, we verify the model of circuit against the set of LTL properties using non-deterministic assignment of inputs. It is important to note that we do not consider verification of minimum dynamic power and path delays as these values are always zero in the steady-state condition.
The successful verification of all the specified properties (Max wt of D) substantiates the validity of the circuit model. On the other hand, the failure of a property identifies a modeling error, which can be corrected followed by a re-verification. The verification of the state-space model of a circuit with total n gates is performed in the nuXmv model checker using the following performance properties.
a: LTL PROPERTY FOR DYNAMIC POWER VERIFICATION
We verify the dynamic power of the model using Property X, which states that the maximum dynamic power of the circuit is greater than or equal to the sum of dynamic powers of the individual gates.
G(DP max >= DP 1 + DP 2 + .. + DP n ) (X) VOLUME 6, 2018
b: LTL PROPERTY FOR LEAKAGE POWER VERIFICATION
We verify the leakage power dissipation of the circuit model against the specified bounds for the maximum and minimum leakage using Property XI.
G(LP max/min >= / <= LP
1 + LP 2 + ... + LP n ) (XI) c
: LTL PROPERTIES FOR PROPAGATION DELAY VERIFICATION
We propose Property XII for the verification of propagation delay of k th path in circuit, where m is the total number of gates in the specified path.
In the next phase of proposed methodology, different types of HTs are inserted in the circuit model to analyze their effects. The behavior of attacks is imitated by intruding the model at different locations using functional and parametric HTs comprising of different number of gates. The model checker generates a number of counterexamples during the verification process of intruded circuit model, depending upon the type and instances of HTs. This follows the diagnosis process to assess the impact of HTs on the adjacent nodes by performing the detailed analysis of individual traces generated by the counterexamples.
1) ALGORITHM FOR VULNERABILITY ANALYSIS
We propose an algorithm that analyzes the behavior of circuit using a set of LTL properties. These properties are based on the upper and lower bounds of the side channel parameters as depicted in Algorithm 2.
We propose Property XIII to analyze the behavior of the dynamic power in circuit, which defines that there exists a state in the model in which dynamic power is above the upper bound, which is TRUE if the intrusion has a significant effect on the total dynamic power consumption. Conversely, if the property is FALSE then it indicates the scenario when either there is no intrusion in the circuit or this parameter fails to detect the HTs.
If the effects of intrusion are depicted by Property XIII, then we use Property X to generate the error trace as shown in Line 2. The counterexample driven analysis is performed to identify the affected nodes and the vulnerable locations in the circuit. After the analysis, the counterexample is added as an exception in Property XIII, and the process is repeated until all generated counterexamples are analyzed and this property becomes FALSE. Similarly, we propose Properties XIV and XI to assess the effects on the leakage power as shown in Lines 5 to 8.
A similar iterative process is adapted to translate the effects of propagation delay by using Properties XV and XII, Generate counterexample using Property X; 3: Add counterexample as an exception; 4: end while 5: while (Property XIV = TRUE) do 6: Generate counterexample using Property XI; 7: Add counterexample as an exception; 8: end while 9: while (Property XV = TRUE) do 10: Generate counterexample using Property XII; 11: Add counterexample as an exception; 12: end while as depicted in Line 9 and 10, respectively.
The nuXmv model checker provides the counterexample in the form of finite sequence of transitions through different states using its SMT solver. The counterexamples, generated by the formal verification of the above-mentioned properties, allows us to check the behavior of circuits against a variety of intrusions. The analysis of power and propagation delay at the specific nodes under diverse intrusions illustrates the sensitivity of these nodes to variation in side channel parameters. During the verification process, the values of the input bits are non-deterministically provided, and the counterexample analysis manifests the specific inputs vectors, which result in violating the bounds at a particular state of an intruded circuit model. For the larger circuits, the number of variables in the circuit model increases, and counterexample analysis may take longer time. However, Algorithm 2 aids in reducing the complexity by allowing to construct and analyze the dynamic power, leakage power and delay models separately. This division of the state-space into corresponding simpler state-space reduces the number of variables to be examined, making analysis comparatively simpler and faster.
V. RESULTS AND DISCUSSION
We evaluate the effectiveness of McSeVIC on a set of 74X series and ISCAS85 benchmarks. The experimental setup used for the implementation of framework is depicted in Fig. 7 . We performed our experiments on Windows 10 Professional OS installed on a Core i7 processor, 3.4 GHz, with 12 GB memory, and using the following tools: 1) nuXmv Version 1.1.1 for the identification of bound computation vectors using Algorithm 1, verification of the netlist employing LTL properties, and vulnerability analysis using Algorithm 2. 2) Matlab 9.1 (R2016b) [66] to compute bounds from the mathematical model of the netlist, and identified sets of input vectors. 3) Visual Studio (2013) to translate the netlist from benchmarks to the corresponding state-space model. We built gate-level models using the SG13S CMOS technology node parameters. Similarly, we divided the experimental setup into two parts: (1) verification of translated model against the specified LTL properties is performed for the HT-free netlist; and (2) vulnerability analysis of the HT-infected netlist is performed to investigate the effects on the side channel parameters.
A. COMPUTATIONAL RESOURCES FOR VERIFICATION
The correctness of the model is first ensured by verifying functional and behavioral characteristics. For each of the benchmark, we compute upper and lower bounds of the side channel parameters using Algorithm 1. This follows the verification of each model using LTL Properties X, XI and XII for dynamic power, leakage power and propagation delay, respectively. The resources expended by the model checker in terms of memory in megabytes (MB) and time in seconds (S) for the verification of the circuit models are depicted in Fig. 8 . Following are the major observations from the verification results:
1) The verification of dynamic power requires more resources in comparison to the leakage power and propagation delay. This demonstrates the fact that model for dynamic power involves more computational complexity by virtue of its composition, i.e., P sw and P sc , estimation of α at each node, and dependency on the individual transitions from the preceding state. 2) Verification time and memory requirement for the larger circuits increases due to the expansion of the respective state-space. For instance, 88% increase in the area of benchmark circuit, increases the verification time of dynamic power by 224%, as depicted by the observation points A1 and A2. Similarly, memory requirement increases by 84.5% as shown by B1 and B2, respectively. 3) With the increase in size of a circuit, the proportional increase in computational resources for leakage power and propagation delay are slightly less when compared to that of dynamic power. The increase in verification time and memory for leakage power is 168% and 71%, as depicted by labels I1, I2, and J1, J2, respectively. Similarly, the percentage increase in resources for critical path delay is 159% and 60.25%, as depicted by labels S1, S2, and T1, T2, respectively.
B. VULNERABILITY ANALYSIS
After the accuracy of the model is ascertained, the translated model is analyzed for vulnerabilities by applying the effects of multiple types of intrusions. Our threat model assumes that the attacker can insert malicious gate(s) in the circuit [62] . These extra gates may be inserted within the computational paths of the circuit to subvert the intended functional component [63] , or in parallel to the computational paths to affect the performance of the circuit [65] . To perform comprehensive analysis for each benchmark, we consider two cases: (i) malicious gates are inserted within the computational paths at the input, output, and intermediate nodes, and (ii) malicious gates are inserted in parallel to computational paths at the input, output, and intermediate nodes without altering the functionality of circuit. We examine the noticeable variations that affect the side channel parameters of the circuit in a diversified manner depending on the type and location of malicious intrusions. We first perform the analysis by considering nominal values of technology parameters with no variation. In the second step, we analyze the impact VOLUME 6, 2018 of HTs, while considering 3-sigma variation in the nominal values of specific technology parameters.
1) ANALYSIS WITHOUT PROCESS EFFECTS
The variation of side channel parameters due to a single gate intrusion at the input, output and the intermediate stages in terms of percentage changes are demonstrated in Fig. 9 . Following are the major observations from the analysis of benchmarks:
1) The impact on the dynamic power is more obvious when the circuit is intruded at the output and intermediate stages in comparison to the input stage. This is attributable to the effects of dynamic power that are propagated to all the subsequent gates in the connected paths due to variations in their corresponding activity factors. Therefore, intrusion within computational path at the input and intermediate stages decrease the switching activity of the succeeding nodes, which result in slightly less power dissipation in comparison to the intrusion at the outputs of circuits.
2) The percentage increase in the propagation delay of the individual data paths is slightly more in case of intrusion at the intermediate and output stages. This is due to the loading effects of intruded gates that are translated to the preceding stages which in turn increase the driven capacitive load at their output nodes.
3) The percentage change in delay of the non-critical path is significantly higher than the critical path. This is due to the fact that non-critical paths have lesser number of gates, and any increase in the capacitive load due to the inserted HT gates has a substantial effect on the total propagation time of the signal compared to the critical path. Moreover, it is observed that there is no significant impact on the propagation delay, when the intrusion is embedded in parallel to the computational paths at inputs as shown in Fig. 9(c) . It stems to the fact that any additional capacitive load in parallel to the circuit inputs has no considerable effect on the path propagation time. 4) The change in leakage power is more obvious at the input stage of the circuits in comparison to the intermediate and output stages. This is due to the fact that logic gates at the intermediate and output stages have inputs that are strictly dependent on the configuration of preceding gates. However, intrusions at the input stage have more significant impact on the overall leakage dissipation, since there is more probability for having the input vectors that induce maximum leakage from these gates.
2) ANALYSIS WITH PV
We performed the vulnerability analysis of all the benchmarks mentioned in Fig. 9 under the effects of PV. The effects of 3-Sigma variation in process are modeled, i.e., 28%, 8%, and 7% variation in the nominal values of V th , t ox , and L in SG13S, respectively. For understanding, we present the behavioral analysis of the 74181 benchmark in Fig. 10 . The 74181 is a bit slice arithmetic logic unit (ALU), implemented as a 74X series TTL circuit. It has 14 inputs, 8 outputs, and 61 gates. For vulnerability analysis, we intruded 74181 with the behavior of multiple HTs at different locations. The observations from the results are discussed as follows:
1) The effects on dynamic power due to intrusions within the computational path are overshadowed by PV until the number of intruded gates at the output of ALU are 3 (3.1% of 74181) as depicted by label X1 in Fig. 10(a) . However, beyond this point the effects of the intrusions become dominant and vary depending upon the locations. For instance, their is more than 6% change in the dynamic power when the intrusion size is 6 along the computational path at the output. However, the percentage change in dynamic power is less than 4 when the same number of gates are intruded along the input of the computational path. Similarly, Fig. 10(a) shows that the effects of intrusions in parallel to the computational path at the output are slightly more compared to intermediate and output stages.
2) The effects of PV on the leakage power parameter are more noticeable relative to dynamic power and propagation delay as depicted in Fig. 10(b) . This is due to the fact that a small change in V th induces a large variation in leakage power. The intrusion effects mostly remain under the process envelop until the number of intruded gates are 5 (7.6% of 74181) as depicted by label Y1. Moreover, it is observed that the effects of intrusions at the input stage of computational paths are more prominent compared to intermediate and output stages.
3) The propagation delay is more sensitive to intrusions within the computational path as shown in Fig. 10(c) . However, if the intrusions are parallel to the computational path then their effect remains under the PV envelop until the size of the intrusion is 4 as depicted by label Z2 in Fig. 10 (c).
3) PERFORMANCE EVALUATION OF VULNERABILITY ANALYSIS ALGORITHM
The implementation of Algorithm 2 generates number of counterexamples during vulnerability analysis of a circuit depending on intruded gates, their size and locations. Moreover, the time required by the nuXmv model checker to detect intrusions and generate counterexample traces depends on the number of inputs and composition of the logic gates in a circuit, i.e., size of the state-space model. Table 4 shows the time (T) and memory (M) required for detection, and corresponding number (N) of counterexamples with their generation time (T) when the intrusion size in 74181 ALU is 6 at the respective locations. It is indicated in Table 4 that the intrusion along the computational path generates only 2 counterexamples. This supports the fact that no counterexamples are generated due to PV until the intrusion size at the input stage is 5. However, 6 counterexamples are generated for intrusions at each of the intermediate and output stages, due to their loading effects at the preceding gates. Besides, the verification of leakage power parameter generates 2 counterexample traces each for the intrusion within the computational path at the respective locations. This shows that the leakage parameter is mostly affected by the PV and no counterexamples are generated until the intrusion size is 5 at each location. The intrusion affects on propagation delay are more obvious at the output, critical path and non-critical path where 8 counterexamples are generated for each case. However, when the intrusion is parallel to computational paths, the number of generated traces significantly decreases. It is also observed that intrusion detection and trace generation for the dynamic power takes more resources in terms of memory and time compared to other parameters. During the analysis of counterexamples, individual gates and specific nodes are identified, which perpetrate towards the failure of the defined bounds. After adding the individual counterexample as an exception, the model is re-verified using the revised LTL properties to search for additional counterexamples. This process is repeated until the model is completely verified using Algorithm 2.
McSeVIC has a substantial advantage over the simulation based techniques owing to its inherent soundness and completeness. Fig. 11 shows the comparison between McSeVIC and some of the state-of-the-art simulation based techniques [12] , [31] , [67] in terms of probabilities for detecting single HT in ISCAS benchmark c432. The proposed technique always detects the presence of HT in the intruded model of the circuit based on the non-deterministically provided input patterns by the nuXmv model checker. This stems to the fact that encoding the complex models of the circuits over the abstract state-space allows the model checker to provide significantly larger coverage than the simulation based techniques. Thus, the chances of not detecting a HT during the vulnerability analysis of the intruded circuit are almost nil. It can be concluded from the results that input nodes of the circuits are comparatively more vulnerable with respect to the dynamic power and propagation delay parameters. Although, intrusions at the inputs make leakage power changes comparatively more visible than intermediate and output nodes, but this parameter is considerably effected from PV. Moreover, it has been demonstrated that intrusions which are parallel to the computational paths, and do not alter the functionality of circuits, causes lesser variations in the side channel parameters under the process effects. Therefore, it can be asserted from the analysis that HT attacks that are designed to consume the resources of system in terms of power, or leaking the secret information, without disrupting the functionality of the system are more concealable. The comparative analysis of the side channel parameters provides a purposeful direction towards the types of monitoring units that can be deployed in circuits. For instance, it is more viable to monitor propagation delay or dynamic power at the output of critical nodes. Moreover, the benefit of using multi-parameters for vulnerability analysis is evident from the fact that it can provide more flexibility in identifying the appropriate monitoring units for the vulnerable paths and locations.
VI. CONCLUSION
In this paper, we proposed a generic formal framework that can analyze vulnerabilities in the circuits against functional and parametric HTs. We used nuXmv model checker to model and validate dynamic power, leakage power and path delay parameters for comprehensive behavioral analysis of the circuits under the effects of process variations. The proposed formal framework handles the constraints of simulation based methodologies by providing exhaustive and complete analysis. Moreover, we suggest an innovative means of modeling side channel parameters to analyze stealthy HTs that can modify properties of a circuit without altering functionality. By performing the analysis based on the counterexample traces, we have quantified vulnerability of a region in the circuit. We evaluated our methodology on different benchmarks to illustrate the benefits of using multi-parameters for analyzing impacts of intrusions. The presented methodology provides a meaningful guidance towards HT prevention during the IC development phase.
APPENDIX LIST OF ABBREVIATIONS
The following His research interests are in computer architecture, power-and energyefficient systems, robust computing covering various aspects of dependability and fault tolerance, hardware security, emerging computing trends, such as neuromorphic and approximate computing, neurosciences, emerging technologies, and nanosystems, self-learning and intelligent/cognitive systems, FPGAs, MPSoCs, and embedded systems. His research has a special focus on cross-layer analysis, modeling, design, and optimization of computing and memory systems covering various layers of the hardware and software stacks, as well as their integration in application use cases from Internet-ofThings, Cyber-Physical Systems, and ICT for Development domains.
He holds one U.S. patent and over 180 papers in premier journals and conferences. He is a Senior Member of the IEEE Signal Processing Society and a member of the ACM, SIGARCH, SIGDA, SIGBED, and HiPEAC. He received the prestigious 2015 ACM/SIGDA Outstanding New Faculty Award, six gold medals in educational career, and several best paper awards and nominations at prestigious conferences, such as DATE, DAC, ICCAD, and CODES+ISSS, the Best Master Thesis Award, and the Best Lecturer Award. He served as the TPC Co-Chair of ESTIMedia and LPDC, the General Chair of ESTIMedia, and the Track Chair at DATE and FDL. He has given several invited talks, tutorials, and keynotes. He has also organized many special sessions at premier venues, such as DAC, ICCAD, DATE, and ESWeek, and served as the Guest Editor for the IEEE Design and Test Magazine and the IEEE TRANSACTIONS ON SUSTAINABLE COMPUTING. He has served on the program committees of several IEEE/ACM conferences, such as ICCAD, ISCA, DATE, CASES, FPL, and ASPDAC. VOLUME 6, 2018 
