The broad landscape of new applications requires minimal hardware resources without any sacrifice in Qualityof-Results. Approximate Computing (AC) has emerged to meet the demands of data-rich applications. Although AC applies techniques to improve the energy efficiency of error-tolerant applications at the cost of computational accuracy, new challenges in security threats of AC should be simultaneously addressed. In this paper, we introduce the security vulnerability of the concurrent AC synthesis. We analyze the threat landscape and provide a broader view of the attack and defense strategy. As a case study, we utilize AC synthesis technique to perform malicious modifications in the synthesized approximate netlist. Similarly, we provide a scalable defense framework for trustworthy AC synthesis.
I. INTRODUCTION
There is a growing number of ubiquitous embedded systems (e.g., Internet-of-Things) that have emerged as compelling platforms for complex applications. Application domains ranging from signal processing to machine learning are dataintensive. The potential of these applications is pervasive and widespread. The applications running on small geometries cannot achieve the quality of the results without incurring a high computational cost. Besides, it is difficult to tune design parameters once the design is in the field. Approximate Computing (AC) has evolved in the lower level of computing stack to address escalating challenges towards performance 1 efficiency. AC has created a compelling case towards efficiency beyond traditional low power techniques (e.g., DVFS, clock/voltage gating, etc.). AC leverages the strength of approximation present in arithmetic modules (e.g., adder [1] - [3] and multiplier [4] , [5] ). It offers a trade-off between efficiency and accuracy. In reality, it is a new computing paradigm that designers are currently considering throughout the pre-silicon [6] .
Additionally, there have been significant efforts on softwarelevel approximation techniques that run on top of deterministic hardware [7] - [13] . Even if AC is efficient by itself, security is misconstrued in the AC system that increases the consequences of security failures. In the light of recent security requirement for planet-scale IoT, we should integrate security mechanism into the systems built on AC to ensure information assurance.
Current security practice is oriented from the applicationlevel to the bottom of the system (hardware). To envision 1 Performance refers to power, area, timing, and energy of a system. trustworthy and energy-efficient complex systems, there are examples of attacks in the SW/HW boundary and mitigation strategy. Although the security patch can be easily integrated into unprotected software, vulnerabilities in the lower layer (hardware) are often difficult to predict due to its immutability and nonbypassability [14] . Moreover, the increasing complexity of hardware tends to increase security vulnerability which lacks clear visibility. Further, the rising need for an energyefficient system complicates the detection of security failures during the design process. In light of the complexity and heterogeneity of the system, we should extend the security practice (attack and defense) for the end-to-end AC system.
A large number of error metrics are present in the AC system to evaluate the objective function (accuracy). For example, hamming distances, arithmetic difference, squared error are commonly used as error metrics. However, security requirements are absent both in Approximate Modules (AM) [15] and Approximate Synthesis (AS) [16] - [18] . Moreover, the security demand of the applications running on top of the end user's device (constructed with AM) may vary. Hence, the security model of the module and the synthesis technique can meet the requirements that apply.
In this paper, we focus on the trustworthiness of approximate synthesis that should satisfy the real-time performance. In particular, we provide a comprehensive framework to embed malicious circuitry (also known as Hardware Trojan, HT) in an approximate module that has a shorter activation period and does not decrease the efficiency of the AC system. But this would violate the integrity and trustworthiness of the approximate computing system. We perform such attacks on AS by using AM where some of AM are infected by HT while the rest of AM are HT-free. The module information (HTfree and/or HT-infected) is unknown to the system integrator. As the current AS tool does not discriminate between secure and non-secure AM, HT can be easily retrofitted into the AC system. Moreover, given multi-objective requirements of the AC system, design space exploration is possible, which increases the complexity of HT detection. Hence, the current AS technique can create systems with satisfactory performance without any security guarantee. To enhance attack scalability, arXiv:1912.01209v1 [cs.CR] 3 Dec 2019 the HT in a set of deterministic modules 2 can also be utilized with AM, with no predictable performance degradation from deterministic subsystems.
Accordingly, a defender can employ easily verifiable security metrics to detect the presence of HT. As the error is inherent in the AC system, traditional HT detection approaches should be modified due to the large design space of the AC system. As the design constraints of AM is unknown to a defender, the detection technique also needs to be flexible (e.g., multi-voltage multi-mode analysis). Similarly, due to the large HT space, the defender might additionally be concerned with the security of deterministic modules or subsystems. Hence, for all extant AC systems that lack HT detection capabilities, we provide a robust path based detection technique satisfying the perceived accuracy requirements. To the best of authors' knowledge, this is the first work that quantifies security as a functional requirement which is consequential as regular performance. The novelty and contributions of the proposed approach are:
• scalable and untrustworthy approximate synthesis framework to include out-of-spec components in approximate netlist while maintaining pre-defined accuracy. • comprehensive detection framework using error and path profiling considering the presence of a wide range of HT instances in the approximate netlist. • easy integration of both attack and defense framework into current synthesis flow. The rest of the paper is organized as follows. Section II provides an overview of related works on the security of approximate computing. Sections III and IV describe the attack model and related definitions. Section V proposes the attack and detection mechanism of malicious insertions respectively. Section VI presents the detection rate without any knowledge of the golden design. Section VII draws the conclusion followed by future work.
II. BACKGROUND AND RELATED WORK
In this section, we present the current state of security practice in Approximate Computing, although significant improvement in modeling, error analysis, functional approximation, and CAD have been recognized. As our focus in this paper is to analyze the security vulnerability of AC synthesis, we present the ongoing works that affect the overall trustworthiness of AC.
Regazzoni et al. [19] provide an in-depth study about the possible hardware security for the AC system. Although the authors mention the potential of security failures, the techniques to address these violations are not addressed. Moreover, there is no mention of security enhancement at a higher abstraction level. Yellu et al. [20] mention some progress in security threats of four broad domains, namely, circuit, storage, software, and system for AC. No attempt has been made to define security objectives during synthesis to ensure scalable trustworthiness during pre-and post-silicon AC system. Moreover, many security gaps still exist due to fundamental reusable requirements during any synthesis technique.
Venkataramani et al. [17] propose technique as to how to embed regular Observability Don't Care (ODC) during AC synthesis, which can simplify the Boolean equations. The method reduces the original variables set that do not directly influence the primary outputs. However, techniques remain for inserting Hardware Trojan in Register Transfer Level (RTL) don't care condition [21] . Nepal et al. [16] presented Automated Behavioral Approximate Circuit Synthesis (ABACUS) of RTL description that employs widely used NSGA-II [22] to obtain Pareto frontiers of AC system. Thorough optimizations of Abstract Syntax Tree (AST) from RTL design are utilized to enhance the accuracy of AC circuits with no incorporation of trustworthiness. Lee et al. [18] presented a high-level synthesis (HLS) framework for approximating loop-based program behavior. Although HLS provides a higher abstraction for architectural synthesis, the authors did not mention any synthesis modification towards approximate trustworthiness.
Unlike previous techniques, our technique (a) does consider any attribute of AM that can be exploited to introduce any modifications into existing AC synthesis and (b) presents an effective and scalable approach to detect any such modifications early on during the hardware design life cycle (HDLC).
III. THREAT MODEL
We assume an attacker can control the entire life cycle of the AC system if h/she can include the stealthy behavior into legacy reusable hardware components (e.g., arithmetic modules). Hence, an attacker would modify the specified function with less clear untrusted properties for various attack objectives. Moreover, the fundamental improvements on Commercial Off The Shelf (COTS) intellectual property with no security verification makes security assurance of AC synthesis questionable. During pre-silicon, third-party approximate IP vendors can modify parts of the design and sell to the particular IP buyer where the buyer may be fabless design house. Even if these modifications are visible during functional verification, they are stealthy during trust verification of the composite system. Although the AC system will perform satisfactorily despite the mere presence of untrusted components, the precise specifications of undesired properties (e.g., small change in design) may leak secret information (e.g., key) and synthesis configurations to help in overbuilding, introduce incorrect functionality during rare triggering event, cause early failure of the device, etc.
IV. PROBLEM STATEMENT
Approximate modules constitute a significant source of security vulnerability in approximate computing synthesis. Two fundamental properties, namely, error and power, are inherent in AM and can be exploited during hardware synthesis to perform malicious changes. The changes should appear with the same likelihood as a regular bug in hardware, be extensible to operate during the unsafe condition and have a certain degree of connectivity to appear as payload at design outputs. On the contrary, knowing and understanding the design for security early in HDLC can reduce the related risks and testing of the synthesized netlist.
If we denote approximate module as AM j i with error (E j i ) and power (P j i ), an attacker objective is to modify AM j i with new error (δE j i ) and power (δP j i ). Here i denotes different architectures (e.g., 1-and 2-bit approximate adder) of j type operation (e.g., adder, multiplier). The required changes in error and power are dictated by the synthesis objectives that AC can tolerate on the approximate gate-level netlist. If the synthesized netlist can encompass error (E') and power (P'), the following two constraints must satisfy:
Note that, all AMs can not satisfy the above constraints. Hence, an attacker would resort to iterative approach and develop a non-unified technique. On the contrary, a defender should carefully infer the distribution of error (δE) and power (δP) to detect the presence of modified AMs.
V. PROPOSED ATTACK AND DETECTION TECHNIQUE

A. Malicious insertion in AC synthesis
Current threats on hardware are often focused on the entity that does not participate in HDLC. For example, an attacker in manufacturing and test can embed untrustworthy components in the design. However, opportunities exist for malevolent actors during pre-silicon to exercise high-impact damage and leaks. An attacker can systematically evaluate the AM to gauge its security threats in the future which makes minimal use of AM. We show such an attack framework in Fig. 1 . The description of the framework is given as follows.
Given access to approximate module library (architectures) and synthesis tool, an attacker would exploit the library and tool while still meeting the specified critical requirements of approximate design objectives. For example, approximate adder and multiplier [2] architectures are publicly available. First, we characterize each module architectures in terms of the objective function (accuracy, power, and rare triggering nets). Then, we perform functional simulation to understand whether a particular architecture can be maliciously attacked. To enforce approximate parameters (accuracy and power) while making the module vulnerable, we change the traditional design objectives of approximate synthesis as follows: Cost = W a,p * (Accuracy + P ower) + W r * Rare_nets (3) where, W a,p denotes the combined weights of accuracy and power, and W r indicates the rare switching nets available within a module architecture. We keep priority weights (W a,p and W r ) to 0.5. We perform an independent assessment of each module to determine the suitability of malicious modifications. Then, we rank the architectures of a particular module type (adder or multiplier) that show realistic adversarial behavior while meeting approximation criteria. We impose the following constraints while choosing a module for HT insertion:
• the module showing higher error (less accuracy) is more susceptible to malicious modification. • perform retiming and/or relaxing the paths that show timing error due to approximation and HT. As there lacks standard threat infrastructure, we follow the automated HT insertion framework [23] to measure the success of various HTs. Another challenge lies in checking the HT infected design for attack success, which can be solved by using SCOAP [24] for measuring controllability and observability. To broaden the attack surface and search time, we also provide HT-free modules to the approximate synthesis tool. Depending on synthesis tool configurations, we generate different synthesized netlists of the same functionality and pass it to the lower level (e.g., layout-level). The generated netlist does not include any information related to the vulnerability of design. 
B. Detection of malicious modification in AC synthesis
While approximate systems have seen significant innovation recently, critical issues, namely system-wide security vulnerability detection, remain unanswered. Due to the large design space of the synthesized netlist of approximate systems, there are substantial new challenges to detect any malicious modification. Firstly, the functionality of critical function (e.g., encryption) should not be fault-tolerant; hence, a designer typically avoids approximating such function. However, faulttolerant applications (e.g., image processing) send/receive signals to/from critical function (e.g., biometric authentication). If the modifications are performed in fault-tolerant design (e.g., filter), the potential consequences are disastrous. Secondly, the vast optimization opportunities during approximate synthesis leave the current detection techniques only to the existing attack surface. Thirdly, approximate computing leverages costefficient data movement across different datapath units. Hence, datapath components exhibit a higher potential for intentional modifications. Finally, the security protocol must be able to handle the heterogeneity of accuracy and power objectives of underlying approximate modules at multiple scales.
The security of the approximate system depends on the security of approximate modules plus the deterministic modules. To understand the security vulnerability, it is essential to consider the conditions when any approximate module would be a rogue agent.
Consider the synthesized gate-level netlists from approximate synthesis tool (e.g., [16] ) or industry-standard tool (e.g., Design Compiler) in Fig. 2 . To a defender, he does not have access to a golden netlist or approximate modules. Hence, he has to find a "provably secure and energy-efficient" design using a systematic approach. The search is more expensive if approximate computing circuits are domain-specific and deployed in IoT infrastructure. Hence, ad-hoc security procedures are too expensive to localize malicious modification. While the analysis of design behavior is relatively easy for energy efficiency, the same is not true for security analysis. A defender then requires the formal treatment of energy efficiency of approximate computing to reason about the security vulnerability.
Given n netlists where the HT is carefully crafted for some netlists, a defender has to find the netlist where HT is present and localize the approximate modules with embedded HT.
A key challenge to this localization is that each netlist has an equal probability of being HT-infected and there can be versatile HTs either in approximate or deterministic module(s). For simplicity of analysis, we assume the traditional sidechannel analysis is effective for HT detection in the deterministic module. However, side-channel leakage can be still applied for approximate modules. Further, we consider only combinational HT due to the limitation of the approximate synthesis tool [16] . Different netlists would exhibit a different amount of accuracy. Generally, the Least Significant Bit (LSB) of arithmetic modules is mostly approximated as they are error-tolerant [4] and provide higher savings compared to approximating Most Significant Bit (MSB) of operands.
Among n netlists with no specification of error and power, a defender wants to capitalize on the success of various techniques. As the LSB of an input word provides most approximations, an attacker would fall into embedding malicious components into LSB. As the model for approximation is unknown to the defender, the pervasiveness of error requires a defender to profile the netlist with input vector streams to determine the extent of the error. Due to heterogeneity of the netlist components, it should be possible for a defender to rank order the netlists based on error. Simultaneously, he can perform the path profiling to make it easier to determine N near-critical paths from the multi-voltage multi-mode analysis. During approximation, many near-critical paths show timing error due to voltage scaling. Hence, the paths from the slack distribution that do not violate timing constraints are possible sources of HT. Once these paths are found, one can easily find the modules that contain such path(s). The localization of these modules can be further examined to determine the nature of the module (approximate versus deterministic). However, it should be noted that if the HT is present in both types of modules, it will make it harder to detect the presence and timing of HT triggering signal.
Synthesized
Netlist (1) HT-free 
VI. EXPERIMENTAL RESULTS
To stage an attack in an approximating computing system, we first evaluate the HT vulnerability of approximate adders [2] and approximate multipliers [5] , [25] as mentioned in Section V-A. The accuracy of individual adder and multiplier architecture in the literature [2] , [5] , [25] which we use in Eqn. 3. Next, we simulate the design under 1000 correlated input vectors [26] to determine the power profile of an individual module. For the same input streams, we use Synopsys VCS [27] to calculate the rare triggering nets from the SAIF (Switching Activity Interchange Format) file. To use this information during synthesis, we use Synopsys Library Compiler [28] to build a database of HT vulnerable approximate blocks. Then both HT-free and HT infected module architectures are used as input to a modified version of ABACUS [16] . We generate ten different netlists of a design based on Pareto fronts. We evaluate the proposed attack for two designs (FFT and FIR) available in ABACUS. The attack goal for both DSP cores is to transfer the filter coefficients to the outputs when a particular input sequence occurs. We have observed that with power overhead < 2%, we are able to determine the coefficients without introducing any additional hardware errors.
During detection, we simulate each netlist under random and correlated input streams. After the simulation, we get the error (%) that an approximate netlist can tolerate. We sort the netlists based on the ascending order of error (%). For higher confidence, we perform static timing analysis (STA) using Synopsys Primetime. We extract the paths that do not violate the given timing constraints (here 10ns), and we locate the modules (approximate or deterministic) crossing these paths. We further generate test vectors to test the error resilience of the individual module. The modules having the lowest resilience are confirmed as HT vulnerable.
Similar to attack framework, we apply the above-mentioned detection technique and identify the rare nets responsible for leaking the coefficients in designs (FFT and FIR). We detect the HT vulnerable nets and modules with an average accuracy of 90% (false positive is 8%, and false-negative is 2%).
VII. CONCLUSION AND FUTURE WORK
We present an attack and defense framework for robust modifications and detect such modifications on approximate computing synthesis. During the modifications, an attacker ranks the available approximate modules based on accuracy, power, and rare activity nets. On the contrary, during detection, a defender utilizes the input vectors to characterize the approximate modules followed by robust path profiling. Both frameworks can be integrated seamlessly in regular design automation flow without detailed views of lowerlevel approximate computing circuits. Finally, we use open source approximate modules and approximate synthesis tool to perform attack and defense. In the future, we plan to extend the extending the synthesis tool to include security processing features based on micro-architecture parameters of approximate computing.
