Today many design houses must outsource their design fabrication to a third party which is often an overseas foundry. Split-fabrication is proposed for combining the FEOL capabilities of an advanced but untrusted foundry with the BEOL capabilities of a trusted foundry. Hardware security in this business model relates directly to the front-end foundry's ability to interpret the partial circuit design it receives in order to reverse engineer or insert malicious circuits. The published experimental results indicate that a relatively large percentage of the split nets can be correctly guessed and there is no easy way of detecting the possibly inserted Trojans.
INTRODUCTION
Due to the continuously increasing cost of chip manufacturing, maintaining a self-owned foundry is no longer an option for many design companies. The vast majority of integrated circuit (IC) companies follow the fabless manufacturing business model to save substantial capital and operating costs. In the globalized semiconductor industry each step of the chip building process including design, verification, manufacturing, testing, and packaging can be outsourced to an individual third party, which is often overseas. This trend leads to hardware security and trust vulnerabilities since the third party has access to some of the design secrets related to the services it offers. The main threats are: design piracy, IC overbuilding, hardware-based Trojan insertion, side channel attack, counterfeit ICs, and reverse engineering [1] . To regain a trustworthy design, many countermeasures have been proposed for different threats, such as split-fabrication, logic encryption, physical unclonable functions (PUFs), design obfuscation, IC camouflaging, etc. [1] [2] .
During the IC design and production stages, the foundry has complete access to the final GDSII files including all the physical information of the chip, has the full control of the fabrication, and has the testing vectors and test plans. An untrusted foundry is a critical source of security vulnerabilities. It can reconstruct the design by physically inspecting the transistors and connections, which may lead to design piracy and counterfeit concerns. It can overbuild the ICs and sell them to black markets. It can even modify the design and insert malicious circuits and Trojans to hurt reliability and performance, steal information, create additional operating modes, take over the system's control, etc. To prevent the threats from an untrusted foundry, split-fabrication has been proposed [3] [4] [5] . It combines the Front End of Line (FEOL) capabilities of an advanced but untrusted semiconductor foundry with the Back End of Line (BEOL) capabilities of a trusted semiconductor foundry. The transistors and the lower metal layers are manufactured as the FEOL process by an untrusted foundry_1, and then BEOL is processed by a trusted foundry_2 to finalize the chip. In this scheme, foundry_1 does not have the complete information about the chip, which makes it difficult for this foundry to reconstruct the design. However, foundry_1 may exploit the heuristics used in floorplanning, placement, and routing CAD tools to make good guesses of net connections. Reference [6] demonstrates that a substantial portion of the missing BEOL connections could be reconstructed by the proximity attacks.
Besides the threats of design reconstruction, design modifications which include inserting malicious circuits and hardware-based Trojans are possible by the untrusted foundry_1. Trojans and malicious circuits are critical because they could change the chip's functions, behaviors, performance, durability, etc. Many works to prevent and detect Trojans have been proposed [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] . The detection methods can be generally categorized into three types: (1) logical test [10] [11]; (2) side-channel analysis, such as delay measurement [12] [13] [14] [15] , current sensing [16] , thermal and power map [17] , temperature tracking [18] ; and (3) reverse engineering [19] . However, these techniques need additional efforts of test pattern generation, introduce circuit overhead, require precise measurements, or perform destructive and costly reverse engineering.
In this paper, we propose a secure split-fabrication for Vertical Slit Field Effect Transistor (VeSFET)-based ICs. We propose the design flow that addresses vulnerabilities that exist in conventional approaches. The scheme outlined here does not require a trusted foundry. The proposed methodology prevents the untrusted foundries from reconstructing the design, prevents piracy and Trojan insertion. It also provides methods for Trojan detection. This methodology leverages the VeSFET's two-side accessibility property [20] [21] [22] , which provides great benefits in wire connection and monolithic 3D integration. In a monolithic VeSFET 3D chip designed with the proposed methodology, some transistors are physically hidden from the FEOL foundry_1's view, which causes that it is impossible for this foundry to reconstruct the circuit. In contrast to the conventional split-fabrication approach, in which most of the wires are connected by the trusted foundry_2, in the methodology we propose most of the wires are made by foundry_1. Only a very small fraction of the wires is made by foundry_2. The existence of a Trojan can be detected by leakage current: if any of the existing transistors is shifted or any extra transistors are added, a huge VDD-VSS crowbar current flows and can be easily detected. There is no extra circuit required to detect Trojans.
We propose algorithms for partitioning the wires to be made by two foundries, hiding the transistors in a 3D chip case, and camouflaging the space created by the hidden transistors. 10 MCNC LGSynth'91 benchmark circuits were designed by applying the proposed flow and then an attack was executed by the in-house developed proximity attacker with the objective to reconstruct the missing wire connections by foundry_1. With 5% nets manufactured by foundry_2, the average percentage of the correctly reconstructed partitioned nets is less than 1%. Section 2 describes the possible security threats of the splitfabrication method. An overview of VeSFET technology is given in Section 3. Section 4 describes the complete methodology and Section 5 provides implementation details. The experiment settings and security assessment results are shown in Section 6. Section 7 concludes this paper.
SECURITY THREATS
For the chips made by conventional spilt-fabrication methods, the design is divided into two parts to be manufactured by independent foundries. The IC design house provides two GDSII files: (1) GDSII-1 for the untrusted foundry_1 which includes the information of all transistors, floorplan, placement, a fraction of interconnects, all the pins' interconnect shapes on lower metal layers, and the location of empty space; (2) GDSII-2 for the trusted foundry_2 which contains only the remaining interconnects and the elements required for packaging. Foundry_1 could use the provided information to make a reasonable guess about the missing interconnects and then reconstruct a portion or even the complete design. Figure 1 shows the flow and the possible attacks by the untrusted foundry_1. The design reconstruction may lead to the threats of design secret exposure, piracy concern, chip counterfeit, and IC overbuilding.
Usually, a portion of a chip is occupied by decoupling capacitors (DeCaps) or is intentionally left as empty space due to design considerations such as IR drop, signal integrity, design rule requirements, etc. Foundry_1 can use this knowledge to insert additional circuits and modify the chip's functionality without the design house's awareness. This kind of attack injects malicious circuits or Trojans to the chip for the purpose of degrading reliability or performance, creating a backdoor for remotely taking over the control, adding hidden functions, etc.
To mitigate security threats of the split-fabrication method and to create a trustworthy design, it is essential (1) to make the design reconstruction very difficult, and (2) to have easy and effective methods of Trojan prevention and detection. The conventional split-fabrication method still requires a trusted foundry_2 to connect most of the wires to increase design reconstruction difficulty for the untrusted foundry_1. The requirement of using one trusted foundry reduces the IC design houses' freedom of selecting the foundry. It costs extra efforts to prove a foundry trustable and maintain the relationship. However, for very sensitive designs such as those for military applications, none of the foundries should be assumed trusted.
VESFET OVERVIEW
VeSFET is a twin-gate device with a horizontal channel and four metal pillars implementing vertical terminals (Gate 1, Gate 2, Source, and Drain) [20] . The metal pillars are cylindrical structures with identical radius (r) and height (h). The technology feature size is defined by the radius r. The pillar height h corresponds to CMOS transistor's channel width. The equivalent channel width is 2h, since VeSFET is a twin-gate structure. A transistor can be formed at any location of the array defined by a smallest square with pillars at its corners. All the lithography patterns to form a transistor are based on the circle with radius r. This leads to the potentially OPC-free process flow against the more and more complicated rectangle-based CMOS patterning [20] . The footprint of a VeSFET is 4r x 4r. All transistors are fabricated as arrays called canvases, which form highly regular structures [23] [24] . All transistors in the same canvas have the same height h. The width quantization effect like that occurring for FinFETs is also present in the VeSFET designs. Figure 3 shows the minimum-size inverters implemented with three different fundamental canvases: the basic canvas, the full canvas, and the chain canvas. In the basic canvas, transistors do not share terminals. In the full canvas design, the neighboring two transistors can share two pillars to save the area and capacitance seen on a terminal. In the chain canvas design, each transistor is 45-degree rotated with at most one pillar shared by two transistors. Each canvas offers different benefits for different design considerations.
In contrast to conventional transistors such as MOSFET, FinFET, SOI, etc., VeSFET's terminals can be accessed from both top and bottom of the pillars. This characteristic leads to the possibility of two-side routing and offers a friendly monolithic 3D integration [20] [21] [22] [25] . Reference [26] shows that a VeSFET-based 3D chip has better thermal performance than a FinFET-based 3D chip. Monolithic 3D integration allows building 3D VeSFET chips with increased density and mitigates the vertical channel count constraints of TSV-based 3D integration [27] [28] [29] . Figure 4 illustrates differences between the VeSFET-based and the conventional MOSFET-based monolithic 3D integration. Figure 5 shows the flow of creating a monolithic 3D VeSFET-based design. In a MOSFET-based monolithic 3D design, the main design overhead comes from the high aspect ratio inter-tier VIAs, which consume additional area and create fabrication difficulties. As for the VeSFET-based design, pillars naturally create numerous vertical connection channels and thermal dissipation paths.
THE PROPOSED METHODOLOGY 4.1 2D Designs
A powerful and unique characteristic of VeSFET technology is the two-side accessibility of transistor terminals. Foundry_2 can access every transistor directly at the backside of a VeSFET array, which highly increases the freedom of net partitioning for splitfabrication. In a conventional split-fabrication flow, either foundry_1 or foundry_2 sees the complete transistor connections on Metal 1. In a VeSFET-based design, the nets (interconnects) can be partitioned such that either foundry only sees a portion of the transistor connections on Metal 1 layers (front and back sides).
In a 2D chip design as shown in Figure 6 , all the devices and the majority of interconnects are manufactured by foundry_1, only a small portion of interconnects is selected to be made by foundry_2 on the backside. The net partition guidelines are: (1) it should be difficult for foundry_1 to reconstruct the design, and (2) as few as possible nets should be manufactured by foundry_2. The majority of interconnects will be made by foundry_1, because (1) it makes the chip performance more predictable, and (2) to limit foundry_2's information since it finishes the chip. Besides the functional nets, foundry_2 creates interconnects which enable Trojan detection features and are hidden from foundry_1. There is no area or power overhead for this Trojan detection scheme because it does not require any circuit. An extra benefit of those VDD/VSS interconnects fabricated by foundry_2 is the increased the power network capacitance, which mitigates power bouncing when chip operates
3D Designs
To leverage the existing 2D EDA tools for 3D designs, standard cell structures can be designed as shown in Figure 8 . The VeSFETs are fabricated as arrays, in which all the transistors locations are predefined by the pillar positions. Thus the pillars and the possible transistor locations are vertically aligned, and the locations of used and unused transistors are easily identifiable. A cell is designed with the same footprint on multiple tiers which are directly vertically connected. By controlling the existence of inter-tier connections, the equivalent transistor width can be adjusted by the total pillar height h connected. The pillar height h of each tier could be different. A cell can be designed using different transistor pillar height h combinations to mitigate channel width quantization effect.
In a 3D design, besides the security features that exist in the 2D design, a portion of transistors in the lower tiers could be hidden and invisible to foundry_1. Figure 9 shows four inverters with the same footprint but different characteristics. As seen by foundry_1, only INV2X fully uses all the transistors; in the other implementations some transistors are unused. Foundry_2 can use these leftover transistors to build functional circuits by creating backside interconnects. The original circuit can be partitioned such that a portion of it is constructed from these hidden unused transistors positioned under the existing circuits. When the hidden transistors are used, foundry_1 cannot reconstruct the design because a portion of the design is invisible to it. Although foundry_2 may understand the functionality of these extra circuits, these standalone circuits do not provide foundry_2 with enough information to reconstruct the design. Figure 10 shows the splitfabrication method for a 3D design; the transistors A, B, and C are unused by foundry_1 and hidden from its view. They will be used by foundry_2 to build some functional circuits.
The Trojan detection method in a 3D chip is similar to the method used in 2D chips but with an extra Trojan Detection Scan Path (TD_Scan). Since there are multiple tiers in the 3D chip, foundry_1 may only change the upper transistor tiers. This change breaks the crowbar current path (front to back sides). Figure 11 shows the Trojan detection methods for a 3D chip. The TD_Scan path chains the pillars of non-functional transistors and prevents any modification on the design. Two attack scenarios are possible. In scenario 1, foundry_1 moves or adds transistors but is unaware of TD_Scan; these changes break the TD_Scan path or form crowbar current paths that could be easily detected. In scenario 2, foundry_1 only changes the upper tiers of the design knowing that TD_Scan exists, and it tries to reconnect the scan path. This attack could be detected by measuring the active current change on TD_Scan. Details of the TD_Scan are discussed in Section 5.3.
To enhance the overall security, logical encryption was proposed [30] [31] [32] . The idea is that a valid key must be provided to correctly activate the chip. A simple implementation with Flip-Flops (FFs) and XORs is shown in Figure 12 , the function F' is determined by the KEY provided by the user and stored in the KEY-FF. In this paper, we consider logical encryption as one of security features but it is not necessary for the proposed methodology. The TD_Scan path can share the KEY-FFs to save area or it can use dedicated FFs if the design is not logically encrypted. After the scan detection, the KEYs are scanned through the same path to decrypt the chip. If TD_Scan shares the KEY-FFs, the only area and power overhead come from the scanning circuit pushing data into TD_Scan and checking the results from it. This scanning circuit can share parts of the circuits scanning the decrypting KEYs since their functions are very similar. Table 1 summarizes the possible attacks and the scenarios seen by the two untrusted foundries, for both 2D and 3D designs. For design reconstruction threats, foundry_1 may succeed for 2D designs, but it is very unlikely if the nets are well partitioned. It has no way to reconstruct a 3D chip since a portion of the transistors are hidden. For Trojan threats, the detection method is proposed to detect any change made by foundry_1. Foundry_2 has no control of devices and has very limited knowledge of the design to insert functional Trojans. As for reverse engineering and IC overbuilding attacks, they are meaningless for foundry_1 since it needs foundry_2 to finalize the chip or needs to guess the missing connections and circuits which is very difficult. Foundry_2 cannot perform these two attacks because the source wafer count is limited by foundry_1.
IMPLEMENTATION DETAILS 5.1 Net Partition
The nets are partitioned to make the design reconstruction difficult for foundry_1. This kind of reconstruction is usually performed by proximity attacks, which rely on the pin locations and the known circuit structures [6] . Since foundry_2 has a full access to every transistor, there are no constraints for selecting nets to be partitioned and fabricated by foundry_2. It is intuitive that it is harder to reconstruct a missing net if (1) there are many missing nets clustered in a small region and (2) the net has many fan-outs (FO), as shown in Figure 13 . The algorithm to select candidate nets to be partitioned applies the rules illustrated in Figure 14 .
First, the high FO net driven by an FF's output Q-pin is selected followed by the net connecting to the same FF's input D-pin. This selection process searches FFs until the number of selected nets reaches the specified upper bound or all the FFs have been selected. All the selected Q and D pins are stored in the list List_DQ. The reasons for starting from FFs are (1) misconnections to FFs result in pipeline errors and (2) in general, FFs tend to have greater FOs than combinational gates. Next, two approaches with a given weighting are performed to select remaining nets: (1) distance-first search and (2) FO-first search. These two approaches are based on the FF pin locations on the nets selected in the first step. In both approaches, for a Q-D pin pair from the List_DQ we select a pin or pins on several nets and partition the nets connecting to those pins. Then, the next pin pair in List_DQ is processed. This process repeats until the number of partitioned nets reaches the specified upper-bound. On average, the number of partitioned nets related to each pin pair in the List_DQ is similar in this searching process.
In the distance-first search method, a pin in a predefined searching window Ws_dis connecting to an un-partitioned net is selected when it has the minimum distance to the currently processed pin pair in the List_DQ. If there are multiple pins having the same distance, then the pin of a net with the highest FO is selected. The FO-first search method selects the pin connecting to a net having the highest FO in the searching window Ws_fo. If there are multiple-pins having the same FO, the one having the shortest distance is selected. All the selected candidate nets will be manufactured by foundry_2. Foundry_1 would have to guess these net connections to reconstruct the design.
Transistor Hiding and Pin Shaking
In a 3D design, transistors could be hidden in the lower transistor tiers. Figure 15 illustrates how it works. In the Figure, small rectangles indicate footprints of standard cells, circles are pins related to partitioned nets, and the numbers mean the count of available transistors in the lower tiers of cells. If all the nets connecting to the standard cell are partitioned to be fabricated by foundry_2, this cell is a candidate for hiding. First, we check availability of unused transistors accessible for foundry_2 in the lower tiers of the nearby cells in a searching window Ws_hide. If the available transistor count is enough, then this candidate cell is removed to be reconstructed by foundry_2 using the distributed lower tier transistors and interconnects. Since this cell is physically hidden from foundry_1, it is impossible for foundry_1 to correctly guess the nets connecting to it. An empty space is created by the hidden cell. It could provide clues for foundry_1. We move some nearby cells to this area to obfuscate layout for any distance-based proximity attackers designed to guess the missing nets. The area utilization factor is defined to control the upper bound of the empty area recovery. A candidate cell to be moved to the empty area satisfies the following two conditions: (1) at least one net corresponding to its pins is partitioned and this partitioned net is different from any of the partitioned nets connecting to the hidden cell, and (2) the cell's area is not greater than the available area of the empty space. The searching window is divided into grids, and at most one cell is selected from a grid. The selected candidate cells are then moved and evenly distributed in the empty space.
Trojan Detection Scan Path
Trojan detection scan path (TD_Scan) is specific to the 3D designs, because the crowbar current path may be broken if foundry_1 changes only the upper tiers. Figure 16 shows the 3D structure of the TD_Scan and two attack scenarios as described in Section 4.2. If any of the four transistors adjacent to a pillar is used, the pillar must be used as a gate, a source, or a drain terminal. Thus there is no need to chain all the pillars. Besides the chained non-functional pillars (i.e. no transistor has this pillar as a terminal or it is a terminal of an unused transistor), all other nonfunctional pillars are connected to VSS by foundry_2 as shown in Figure 16 (c). For DeCap cells as shown in Figure 16 The TD_Scan path may be broken or a crowbar current path to VSS may be formed. In attack scenario 2, foundry_1 inserts Trojans using the upper tier transistors only and reconstructs the TD_Scan path, thus avoids breaking it and forming a crowbar current path.
Scenario 2 can be detected by measuring the active current of TD_Scan as shown in Figure 17 . The original TD_Scan is designed to be phase aligned on all chained pillars, thus all pillars in the same pipeline stages are either all logic-0 or 1. First, we scan logic-zero to every stage in the chain; each pillar is now at logic-0 state. Then, we scan a logic-1 into the chain followed by an all logic-0 sequence. This logic-1 passes through the chain at a cycle n and is scanned into the pipeline stage n. It consumes a charge current For all the other stages maintaining logic-0, no current is consumed besides the leakage current , which exists in all pipeline stages. The Ivdd measured in cycle n can be written as (1) . Any modification of the chain changes the RC within the stage n and then changes the measured Ivdd (n), thus the attack can be detected. 
SECURITY EVALUATION
To evaluate effectiveness of this methodology, 10 MCNC
LGSynth'91 benchmark circuits were designed using the proposed methodology in a three-tier 3D design fashion. NAND3, NOR3, XOR, and Flip-Flop gates; they can be categorized in three groups of (1) using tier 1 transistors only, (2) using tiers 1 and 2, and (3) using all three tiers. Thus, three different driving strengths are provided for the same cell footprint. Next, a FF & XOR based logical encryption is performed; the KEY-FFs and XOR gates are randomly inserted with an upperbound of 5% area overhead. As discussed in Section 4, logical encryption is not required for this methodology, but it is included here for completing an entire security methodology. Then, the designs are floorplanned and placed by Cadence Encounter Digital Implementation System (EDI). The design aspect ratio is set to 1 and the placement utilization is 80%. On-the-fly design optimization is performed during placement, thus the circuit structure may be changed.
The placement records of cell and pin locations, and the optimized netlists are reported by EDI. Then, they are processed by the tools we developed to perform net partitioning, transistor hiding, and pin shaking, which construct the design that foundry_1 sees. 5% of the total nets are selected to be partitioned, 25% of them are high fan-out FFs related, and the remaining 75% are selected based on distance-first and FO-first search in 1:1 weighting. The searching window of distance-first Ws_dis is set to 6 cell-rowheights (RH) x 6 RH. The searching window of FO-first Ws_fo is 10 RH x 10 RH. After net partitioning, transistor hiding and pin shaking are performed. All the feasible cells are selected and hidden. The searching window Ws_hide is set to 10 RH x 10 RH, and the filling utilization of the empty space created by transistor hiding in pin shaking stage is set to 70%.
We developed a proximity attacker which attempts to reconstruct the missing interconnects. The net reconstruction is based on the distance of open pins due to net partitioning and the circuit structure. First, it connects each output pin (o-pin) and the nearest input pin (i-pin) if this connection does not create a combinational loop in the circuit. Then, it connects the remaining i-pins to their nearest o-pin if (1) this connection does not create a combinational loop and (2) every i-pin of a cell is driven by a different o-pin. To check the strength of this attacker, the benchmark circuits were randomly partitioned and attacked. Four partition cases were simulated: (1) 5% of the total nets were included in the partition, the nets having 1 fan-out only (FO1) were selected; (2) 5% of nets with no fan-out constraint (FOAny); (3) 10% of nets with FO1 constraint, and (4) 10% of nets with no fan-out constraint (FOAny). Each circuit and each case was simulated 100 times. The results indicating the percentage of correct nets reconstructed are shown in Figure 18 ; some cases are 100% correctly reconstructed. The results show that (1) the more nets partitioned, the harder it is to reconstruct them; and (2) high fan-out nets make reconstruction much more difficult since all fan-out pins have to be correctly connected. Figure 19 shows the results for the designs implemented by our methodology. Three implementations (1) net partition only (NEARFF), which is feasible for both 2D and 3D designs, (2) NEARFF with cells hidden (NEARFF + HIDE), which is only feasible in 3D designs, and (3) NEARFF + HIDE with pins shaken (NEARFF + HIDE + SHAKE), which is only feasible in 3D designs as well. The other two data sets are the averages of 100 random runs of 5% and 10% nets with no fan-out constraints (FOAny) as shown in Figure 18 . With our proposed methodology, the percentage of correct net reconstruction is dramatically reduced. In some circuits, not even a single net is correctly guessed. The average percentages of the correct nets reconstructed for the ten circuits in the three cases are: 1% in NEARFF, 0.58% in NEARFF + HIDE, and 0.69% in NEARFF + HIDE + SHAKE.
CONCLUSION
This paper proposes a secure split-fabrication design methodology for the VeSFET based 2D and 3D integrated circuits. The design partition and piracy prevention, hardware Trojan insertion prevention, and Trojan detection methods are described. In our approach, the design is fabricated by two independent untrusted foundries. By taking advantage of the VeSFET's unique and powerful two-side accessibility and monolithic 3D integration capability, several unique split-fabrication features are feasible, such as (1) the complete freedom of net partitioning, (2) making some transistors invisible to foundry_1, and (3) Trojan prevention and detection techniques enabled by foundry_2, which are invisible to foundry_1. These invisible features make it difficult or even impossible for foundry_1 to reconstruct the design since some transistors are hidden. If foundry_1 moves any of the existing transistors or adds any extra transistors, this is easily detected by the crowbar current flow in 2D and 3D designs, or by active current measurement in 3D designs. Ten MCNC
LGSynth'91 benchmark circuits were designed with this methodology. With 5% nets manufactured by foundry_2, the average percentage of the correctly reconstructed partitioned nets is less than 1%. 
