Abstract-Globalization of semiconductor design and manufacturing has led to a concern of trust in the final product. The effect of any modifications made by an adversary can be catastrophic in critical applications. Because of the stealthy nature of such insertions, it is extremely difficult to detect them using traditional testing and verification methods. In this paper, we propose a novel technique for detection of malicious alteration(s) in a third party soft intellectual property (IP) using a clever combination of sequential equivalence checking (SEC) and test generation. The use of powerful inductive invariants can prune a large illegal state space, and test generation helps to provide a sensitization path for nodes of interest. Results for a set of hard-to-verify designs show that our method can either ensure that the suspect design is free from the functional effect of any malicious change(s) or return a small group of most likely malicious signals.
I. INTRODUCTION
Modern semiconductor products include Integrated Circuits (ICs) designed and manufactured from anywhere in the world. A third-party IP used in the component is vulnerable to malicious alterations by an adversary or a malicious insider. The alterations may cause system failure at a critical moment, leak secret key information or give erroneous output. The trustworthiness of these devices has drawn much attention and concern in recent years in hardware security community [1] .
Any embedded malicious insertion (also known as Hardware Trojan) is a minute and stealthy alteration in the design made to activate and show its effect under potentially rare internal signal conditions. The characteristics of Trojans are different from anomalous behavior in manufacturing defects or functional errors. As a result, they cannot be easily detected by conventional functional verification or Automatic Test Pattern Generation (ATPG). The existence, behavior and activation criteria of Trojans in a third-party IP would be unknown to the system integrator. Trojans have been classified according to insertion phase, abstraction level, activation mechanism, effects and location [2] , [3] . They can be inserted at any phase of IC development cycle and have different functionalities according to the insertion phase.
However, most of the research works so far have been focused only on the detection of Trojans inserted at the fabrication stage. This leads to the need of efficient and cost-effective mechanisms to reliably detect and/or prevent the Trojan effects at earlier IC design stages. Hardware Trojans can be inserted at pre-silicon stage at Resistor-Transfer Level (RTL) or Gate level with ease. For instance, one can easily embed stealthy Trojan logic in RTL code in IPs obtained from third-party vendors by manipulating state machine, adding extra logic, erasing a portion of logic or modifying the existing logic [4] . The untrusted standard cell libraries used during synthesis can also be infested with Trojans [3] . Trojans inserted at pre-silicon stage, if not detected before fabrication step, would make their presence in all manufactured ICs.
Researchers have proposed many non-invasive techniques to detect embedded Trojans in the fabricated chips [5] - [10] assuming that Trojans are inserted during manufacturing. In [5] , [6] , the authors use side channel power analysis to differentiate malicious and genuine ICs. In [7] , the authors present a method of maximizing switching activities in the targeted circuit regions. A sustained vector methodology is proposed to minimize circuit activities and identify extraneous toggles caused by Trojan circuit in [8] . In addition, the authors of [9] discuss the method to measure the path delay at the output ports for a set of input vectors and identify the additional delay introduced by Trojans in the path where it resides. A high-precision path delay measurement test structure having extremely low overhead is proposed to detect path delays introduced by Hardware Trojans in [10] .
On the other hand, there have been some recent research works targeting Trojans inserted at pre-silicon stages based on formal verification, code coverage analysis and ATPG methods. In [11] , a Design for Trojan Test (DFTT) technique is developed in which user-generated RTL code is converted into DFTT compliant code and probe cells are inserted at sensitive paths (paths susceptible to Trojan insertions). In [4] , IP acquisition and delivery protocol is proposed in which IP vendors provide not only HDL codes but also the proof of security properties. Different pre-silicon trust verification strategies involving formal verification, code coverage analysis and techniques to reduce suspicious signals by redundancy removal, equivalence analysis and sequential ATPG are studied in [12] . The authors of [13] propose a methodology to compare the functionality of two untrusted similar third-party IPs. The number of inputs is made identical in both IPs by encapsulation of wrapper in one of them. Then the two circuits are unrolled to multiple timeframes to remove the internal states and make the outputs functions of only present and past inputs. However, in most of the designs, it is impossible to make outputs independent of state variables. An approach which involves N-detect full-scan ATPG method, along with suspect-signal-guided sequential equivalence checking (SSG-SEC) to identify malicious signals corresponding to hard-to-detect faults is presented in [14] . A region isolation method is employed to locate the Trojan signals in the design. During SSG-SEC, a triple miter is constructed using two copies of suspicious circuit and a copy of the spec circuit. However, it may increase the problem size unnecessarily. Hence, the use of a traditional miter circuit (containing only two circuits instead of three) would be a better solution. Nevertheless, SEC is a difficult problem, especially when the spec and suspect circuits may differ drastically, in terms of both the number of gates and the number of state variables. Therefore, methods to reduce this complexity are necessary to make SEC-based approaches feasible.
In this paper, we propose a novel detection technique for malicious Trojans in a third party IP using a combination of constrained SEC and test generation. We assume that the Trojan has been implanted in HDL (or gate level) by an unknown adversary and the design is available to us in netlist form. We also expect the Trojan to be minute (one or few gates), trigger on rare internal signal conditions and change the functionality of circuit. The objective is to guarantee that either the design is trusted or identify the Trojan signals in the design. We construct miter circuit using each copy of suspect and spec circuits. If the list of true invariants among the suspect and spec circuits are not sufficient to prove their equivalence, we apply our two-step approach to conclude about each of the suspicious signals. In the first step, we make sure that the suspicious signal under consideration in the suspect circuit is activated and propagated to a primary output with an ATPG. And in the second step, counterexample guided equivalence checking is employed to check the output behavior of two circuits. Results for a set of hard-to-verify designs show that our method can either ensure that the suspect design is free from the functional effect of any malicious change(s) or return a small group of most likely malicious signals, all in a short amount of time.
The rest of the paper is organized as follows: Section II describes few basic concepts. Section III explains our proposed method. Section IV describes the experimental setup and results. Section V concludes the paper.
II. PRELIMINARIES A. Equivalence Checking
Equivalence Checking is a technique to ensure if the two circuits-under-verification (CUVs) are functionally equivalent. Simulation-based methods work only for small circuits, as they cannot cover all allowable input-combinations for all reachable states in large designs. Much research has been focused on formal equivalence checking based on Binary Decision Diagrams (BDDs) and Boolean Satisfiability (SAT) [15] - [17] which practically can now handle modern industrial sized designs [15] .
During SAT-based formal equivalence checking, a miter circuit is created from two CUVs by tying their corresponding primary input (PI) pairs together, XORing the corresponding primary output (PO) pairs (and ORing these XOR outputs if multiple PO pairs are present). Top of Fig. 1 shows a miter Flip-flops at left-most timeframe are treated as pseudoprimary inputs and those on the other timeframes are converted into buffers between the adjacent timeframes. The final state elements at the right-most timeframe are considered as pseudo-primary outputs (PPOs). A propositional formula in Conjunctive Normal Form (CNF) can be easily generated from the miter circuit that can be interpreted by a SAT solver [18] . If a SAT solver (or ATPG) gives a valid satisfying solution for the final OR gate to be logic '1', it signifies that there exists at least one vector that can distinguish the two circuits.
B. Invariants and Implications
Invariants are relationships among signals in the circuit. Static logic implications (invariants which hold true for all states of the design) have been studied extensively over the past few decades [19] . They are not powerful in pruning the search space since they cannot be used to separate the unreachable from the reachable ones. Inductive invariants, on the other hand, are those relations that definitely hold true in the reachable state space of the design but may not be true in the unreachable states. For example, an invariant (a∧b∨c) indicates that in every legal state of the circuit, either both a and b have to be true, or c must be true. However, some unreachable states may exist which violate this relation. Hence, inductive invariants can help to constrain the state space by avoiding the unreachable states that violate them.
Random simulation also allows us to learn a list of potential invariants among the state variables and internal signals in the miter by observing at the relationship between signals on the fly. Both two-node invariants (can be cross-timeframe relations) and multi-node potential invariants are identified. The relations may be among the variables within the same CUV or between the CUVs. For instance, consider three signals a, b and c. If we do not observe the pattern 010 during simulation, we will generate a potential invariant (a 0 ∨¬b 0 ∨c 0 ). For any vector, if (a=1) for vector v i and (b=0) for vector v (i+y) are absent during simulation, then the invariant (¬a 0 ∨b y ) are generated. Invariants involving four or more nodes can result in a huge number of potential invariants, but may be needed eventually to completely constrain unreachable states. Since the random simulation covers very small reachable state space, only a portion of the potential invariants may be really true for all reachable state space. Consider three potentially true invariants I 1 , I 2 and I 3 as shown in Fig. 2 . Invariant I 1 is true for just a portion of reachable state space. That s why, it needs to be falsified. Invariant I 2 and I 3 are true for entire reachable state space, but I 3 is not needed because its inclusion does not contribute to constrain any of the illegal states.
Before proving invariants, we compute direct and indirect two-node and three-node static implications and use them to drop static invariants. E.g. if there exists a static implication a→b, then its corresponding invariant (¬a∨b) can be dropped. The methods of inductively proving invariants and sufficiencybased equivalence checking are discussed in [15] .
III. OUR APPROACH
As discussed earlier, formal and semi-formal (combination of both simulation-based and formal) equivalence checking methods need a reference circuit called golden model (easily available in fully-trusted environment) to verify the functionality of CUV. However, for untrusted IP, the availability of ideal golden model is a question. One way is to prepare unoptimized and quickly synthesized circuit from the specifications [14] . Another way is to use second untrusted third-party IP assuming that only one of the two untrusted IPs is likely to contain Trojans [13] . Our technique assumes that the reference circuit is an unoptimized (potentially much larger) circuit free from malicious insertions prepared in a trusted environment.
At first, we construct a miter circuit using the untrusted IP core as suspect circuit and a reference spec circuit explained above. One should note that the two circuits may be drastically different in terms of gate and flip-flop counts with no or little structural similarities. Traditional equivalence checking that rely on structural similarities [16] , [17] would be ineffective in such cases. Next, we logic simulate the miter circuit using N random input test vectors. During simulation, we keep track of switching activities of internal signals in suspect circuit for the instances in which state variables are fully specified. Now, we divide all the internal signals of the suspect circuit into suspicious and non-suspicious signals. Suspicious signals are those which toggle little during circuit operation (perfect signal to be exploited by Trojan), having very few activation sequences, or those which flip a lot but their activation effects do not seem to affect the output. The non-suspicious signals are categorized to be benign and thus need no further analysis. The set of p suspicious signals in the suspect circuit is S = {S 1 , S 2 , S 3 . . .S p }.
If SEC declares that the CUVs are equivalent, we can conclude that the suspect circuit shows exactly the same output behavior as it should at any reachable state. Thus, we can For the latter two cases, we check the effect of activation of suspicious signals in the output behavior of suspect circuit. We have to activate a suspicious signal, propagate it to the output and formally prove that the output behavior is malicious. We need to apply the following two steps for each suspicious signal to declare about its behavior:
Step 1: Suspect Signal Activation and Propagation The first step is to activate a suspicious signal and find a path to propagate its effect to a PO. We first create a miter circuit using two unrolled copies of the suspect circuit. We inject a stuck-at fault on the suspicious signal in only one timeframe of one copy of the circuit. We assume that there is no fault in the rest of the timeframes in both circuits. This makes our method different from traditional ATPG methods where the fault is present at all unrolled timeframes. Let us consider the unroll bound of K timeframes. We simply tie the initial flip-flop pairs of the two circuits. We want to activate the target suspect signal in a timeframe and propagate its effect to PO(s) within the given unroll bound. We make sure that the activation gets propagated to the output, not to PPO. This is because, in later stages, when we compare it with spec circuit, we cannot compare the PPOs of the spec circuit since they may have different number of flip-flips with no resemblance at all. Since we know that a suspect signal may be activated at any reachable state, we cannot constrain the left-most timeframe by a known state. One way to restrict a portion of unreachable state space is to use the true invariants related to suspect circuit. We cannot apply these invariants in faulty CUV because the signal relations might have changed because of fault injection. To make it more reliable, we unroll additional K timeframes at the beginning, force their output to logic '0' and inject the fault instead at (K ) th timeframe as shown in Fig. 3 . This addition increases the probability of flip-flops in (K ) th timeframe to be reachable.
We start with an initial unroll depth k as K +1. All the timeframes in the fault-free CUV are constrained by true invariants. Iteratively, all POs are forced to be logic '0' in timeframes 0 to k-2 and to logic'1' at timeframe k-1. If the suspect and spec circuits were declared not equivalent in an earlier step, we apply the known reachable state in which the two circuits were distinguished as a constraint at timeframe k-1. We want to check if the non-equivalence is due to the suspect signal. To do so, we need to set a logic value rarebit at the fault site. If the SAT solver returns a satisfying assignment, it means that fault is excited at timeframe K and its effect is propagated through the sensitized path to the PO at k-1 in the faulty circuit. Meanwhile, in the fault-free suspect circuit, due to the assignment rare-bit at K , the suspicious signal is activated and its effect is propagated to the PO at timeframe k-1 through the identical sensitized path. The signal assignments along the sensitized path serve as a witness to the activation and propagation of the suspicious signal, and thus are extremely useful. These sensitization values are saved as a counterexample to narrow down the search space for SEC in the next step.
On the other hand, if the SAT solver cannot give any satisfying solution, we increment k by 1 and repeat the process till k = K +K. If there is no satisfying solution at all, we can conclude that either the signal cannot be excited and propagated to the primary output in any reachable state (benign signal), or the given unroll depth is not enough to propagate the activated signal to the output. Therefore, we cannot declare about this suspicious signal.
Step 2: Counterexample Guided Equivalence Checking
The counterexample obtained in Step 1 does not guarantee that the activation effect of suspicious signal under consideration is malicious. In this step, we check if that activation effect is really malicious. Fig. 4 illustrates the setup for this method. Let us say the suspicious signal in fault-free suspect circuit is activated in (K ) th timeframe and is detected in (k-1) th timeframe as in Step 1. We create a miter circuit using suspect (fault-free) circuit and spec circuit and unroll it for k timeframes. True invariants are applied to miter circuit at all timeframes. All the POs are forced to logic '0'. A counterexample sensitized path values obtained from Step 1 are applied to the suspect circuit starting from timeframe K to k-1. This makes sure that the path for the suspect signal has been sensitized to a PO. In addition, the use of initial K timeframes with outputs forced to '0' in these timeframes makes the state at timeframe K most likely reachable. If the suspicious signal is malicious and the sensitized path propagates the malicious effect to the output, no state in suspect circuit exists that can show same behavior as the malicious output in the suspect circuit. The propositional formula is given to the SAT solver to check if there exists any (most likely reachable) state in spec circuit that can show the same output behavior as suspect circuit in which the suspicious signal has been activated and its effect has been propagated to the primary output. If the SAT solver returns a satisfying assignment, we cannot declare about the property of the suspicious signal because (a) the satisfying flipflop assignments in both circuits can be reachable that makes suspicious signal activation effect trustworthy for at least one state and therefore, suspicious signal activation can be considered benign, and (b) the satisfying flip-flop assignments are unreachable from which we cannot conclude anything about the suspicious signal. Most likely, it is a benign signal.
Fig. 4. Counterexample guided Equivalence Checking
However, if the SAT solver cannot return any satisfying solution, it may be because (a) the flip-flop state in suspect circuit may be reachable during activation and propagation of suspicious signal and there exists no state (among reachable and a subset of unreachable states) in spec circuit that can make the output behavior same as that of suspicious signal, making suspicious signal malicious, and (b) flip-flop state in suspect circuit is unreachable and the subset of unreachable states that may produce same output behavior as suspect signal is blocked by inductive invariants. Therefore, we can conclude that this suspicious signal is most likely a malicious signal.
IV. EXPERIMENTAL SETUP AND RESULTS
Our proposed detection methodology was implemented in C++ with an Intel Core-i5, 2.5 GHz PC, 4 GB RAM running 32-bit Ubuntu 12.04. A suite of hard-to-verify SEC benchmarks [15] was constructed from gray and one hot encodings of ITC99 benchmark circuits. The two circuits in SEC benchmarks had different number of flip-flops and gate counts with very few internal equivalent nodes. Very minute and hard Trojans were created by selecting the points having minimum switching activities during logic simulation of original design by adding inverter(s), deleting inverter(s) or changing the gate type. After Trojan insertion, we performed parallel logic simulation in suspect benchmark miters using 100,000 random vectors altogether. We dropped those Trojans that logic simulation was enough to distinguish the two circuits. During the simulation process, we also identified potential invariants and separated signals into suspicious and non-suspicious groups. The maximum number of suspicious signals was limited to 500. The unroll depths K and K of miter circuit were both limited to 10. However, these could be easily adjusted. We used Zchaff [18] as the SAT Solver.
We have summarized our results in Table I . For each benchmark, the second column gives the Trojan insertion index. The third column reports the total number of two-node same-timeframe invariants, two-node cross-timeframe invariants and three-node invariants respectively. The fourth column shows the total number of suspicious signals considered in the suspect circuit. In the fifth column, we present the result of equivalence checking using inductive invariants. It consists of three sub-columns where the three cases whether the circuits are declared equivalent or not equivalent, or the invariants are insufficient to prove equivalence are included. In the sixth column, we tabulate the decisions made by SAT solver in
Step 1 which is divided into three sub-columns. The first subcolumn represents the number of suspicious signals which are declared SAT and thus eligible for Step 2. The second subcolumn represents the number of UNSAT suspicious signals. The properties of these UNSAT signals cannot be declared. In the third sub-column, we report total time taken by Step 1 to solve all suspicious signals in seconds. The last column shows the decisions made by SAT solver in Step 2. It is also divided into three sub-columns. The first sub-column presents the number of SAT suspicious signals whose behavior cannot be declared whereas the second sub-column represents the number of UNSAT suspicious signals. These signals are declared as the most likely Trojan signals. The last sub-column shows the total time taken by Step 2 to declare suspicious signals in seconds.
Two-node inductive invariants were computed among all the signals and state variables, whereas three-node invariants were computed only for state variables. The circuits containing alterations were equivalent for all cases in b03 and b06 we studied. Many alterations in other circuits, e.g. Trojan #7 of b08, Trojan #5 of b09, and Trojans #1 and #2 of b13 also resulted equivalent during SEC. Therefore, such insertions will not harm the circuit and are benign. Consider insertion #1 of b09. SEC distinguished spec and suspect circuits. Out of 137 suspicious signals identified for this Trojan, 25 signals failed to activate and propagate at the primary output in Step 1. Counterexample guided Equivalence Checking in Step 2 could declare 55 suspicious signals as most likely malicious signals.
Step 1 took 348 seconds whereas Step 2 took just 2 seconds. The payload of Trojan signal was present among 55 signals. Consider insertion #3 of T1. This insertion was made by an addition of an inverter at first input of an AND gate. Out of 384 suspicious signals only 5 were declared most likely malicious. All five of them were in the fanout cone of the actual Trojan signal! Experimental results show that our methodology is effective in finding functional Trojans inserted in designs. For detection of other Trojan effects such as leaking the key information through side channel power, radiation, etc. without any change in functionality, other methods should be employed.
V. CONCLUSION AND FUTURE WORKS
In this paper, we have proposed a novel technique that combines constrained SEC and ATPG to detect hardware Trojans in IP cores received from an untrusted third party. We first identify a set of suspicious signals in the circuit, and learn and prove powerful invariants among the state variables. Then, we check the property of those suspicious signals using a two-step method that involves activation and propagation of effect suspicious signals to primary output, and constrained equivalence checking using sensitized path assignments as counterexample. Results on hard Trojan instances show that the methodology is very effective in ensuring the trust in hardware designs. In the future, we will explore the use of multiple counterexamples to make the scheme more efficient.
