DISTROY: Detecting Integrated Circuit Trojans with Compressive Measurements by Vlah, Dario et al.
 
Citation Gwon, Youngjune, H.T. Kung, and Dario Vlah. 2011. DISTROY:
Detecting integrated circuit Trojans with compressive
measurements. Paper presented at 6th USENIX Workshop on Hot
Topics in Security (HotSec 2011), San Francisco, CA, August 9,
2011.
Accessed February 19, 2015 10:53:49 AM EST
Citable Link http://nrs.harvard.edu/urn-3:HUL.InstRepos:10000798
Youngjune L. Gwon, H. T. Kung and Dario Vlah
Harvard University
{gyj,htk,dario}@eecs.harvard.edu
Abstract
Detecting Trojans in an integrated circuit (IC) is an
important but hard problem. A Trojan is malicious
hardware—it can be extremely small in size and dormant
until triggered by some unknown circuit state. To al-
low wake-up, a Trojan could draw a minimal amount of
power, for example, to run a clock or a state machine, or
to monitor a triggering event. We introduce DISTROY
(Discover Trojan), a new approach that can efﬁciently
and reliably detect extremely small background power
leakage that a Trojan creates and as a result, we can de-
tect the Trojan. We formulate our method based on com-
pressive sensing, a recent advance in signal processing,
which can recover a signal using the number of measure-
ments approximately proportional to its sparsity rather
than size. We argue that circuit states in which the Tro-
jan background power consumption stands out are rare,
and thus sparse, so that we can apply compressive sens-
ing. We describe how this is done in DISTROY so as
to afford sufﬁcient measurement statistics to detect the
presence of Trojans. Finally, we present our initial sim-
ulation results that validate DISTROY and discuss the
impact of our work in the ﬁeld of hardware security.
1 Introduction
Many semiconductor companies today are fabless. They
outsource the manufacturing of their integrated circuit
(IC) products to cheaper or more advanced fabrication
facilities. While this go-with-remote-foundries model
provides a compelling option, it makes it easier for an attacker
to compromise the fabrication process and insert a
Trojan, malicious hardware that not only alters the orig-
inal design but also performs security attacks.
Trojans comprise a subtle addition to an IC. A Tro-
jan can be as small as a single gate, or as large as a
microcontroller capable of launching systematic secu-
rity attacks [12]. Detecting Trojans is challenging partly
because their structure is unknown, which makes it in-
feasible to perform functional tests of the IC to detect
the Trojans based on the circuit functionality. Trojans
are also dormant at times, and in general, there is no a
priori knowledge of their activation mechanism.
The two premises available to a Trojan detector are that
a Trojan will draw some power [1] and alter the physi-
cal structure of the circuit [2]. However, detecting the
latter–circuit alteration–is difﬁcult and often impracti-
cal as it may require costly destructive inspection of the
circuit, performed using expensive equipment. Further-
more, a Trojan designer can anticipate and make sure
that circuit analysis techniques such as path-length mea-
surement will fail to reveal the Trojan. Therefore, we are
left with power usage as the main detection vector.
We assume that a Trojan designer’s only option is to
increase the power consumption of the circuit. We argue
that this is a reasonable assumption based on the follow-
ing two cases:
1. The Trojan designer does not know the circuit de-
sign. In this case, the designer will merely add Tro-
jan gates without modifying the original circuit.
2. The Trojan designer knows the circuit design. In
this case, the designer can ﬁrst optimize the circuit
to reduce its power consumption, and then insert
the Trojan gates, leaving the power consumption
unchanged. However, we can assume this case is
avoidable by making the original circuit slack-free,
so that no further power reduction is possible.
In this paper we focus on combinatorial circuits, that
is, circuits where the inputs and outputs of each gate are
determined by the inputs to the circuit. Such circuits
may serve as basic blocks of larger, possibly stateful cir-
cuits, and can be gated–selectively powered on–to allow
testing in isolation. In contrast, we don’t restrict the
Trojan circuits to be combinatorial; a Trojan may, for
instance, run a clock, a state machine, or monitor trig-
gering events for its activation.
Logic gates consume orders of magnitude different
amounts of power depending on their inputs. Thus, to
expose the Trojan power consumption, it is important
to discover circuit inputs, or test vectors, which lead to
low circuit power consumption by, for example, putting
as many gates as possible into low power states. This
is generally a hard problem with a number of heuristic
solutions based on solving instances of SAT (satisﬁabil-
ity) [10]. We will call such low power consumption-
inducing inputs the revealing test vectors. In signal
processing parlance, we say that with such test vectors
the SNR is high, where the desired signal is the Trojan
power consumption, and the noise the deviation in power
use from expected in the non-Trojan parts of the circuit.
We propose DISTROY (Discover Trojan), a new ap-
proach that substantially reduces the I/O requirement in
detecting small power leakage due to Trojans embedded
in ICs. With reduced I/O, the approach still allows off-
chip Trojan detectors to recover the most signiﬁcant in-
dicators of Trojan-induced power variations. DISTROY
relies on the assumption that revealing test vectors are
rare, or sparse. Compressive sensing [3], a recent tech-
nique developed in signal processing, forms the basis
of DISTROY that enables simple encoding and accurate
reconstruction of the most signiﬁcant power consump-
tion anomalies among the test vectors applied. We show
that DISTROY can robustly detect the presence of power
leakage resulting from the background power consump-
tion of on-chip Trojans even when the drawn power is
extremely small.
2 Compressive Sensing
Baraniuk [3] and Candès and Wakin [4] provide good
tutorial introductions of compressive sensing for interested
readers. We provide here some basic results required to
follow the technical details of the paper.
Consider a real-valued, length-N input vector
x = [x1 x2 ... xN]. Suppose the vector has an alternative
representation in a basis Ψ, x = Ψs, where only K elements
of s are non-zero. We will say that such a vector
x is K-sparse. When K ≪ N, we regard x as compressible.
Compressive sensing encodes x by producing mea-
surements y = Φx. Here, the matrix Φ of size M × N
is called a measurement matrix. We can reconstruct x
by solving the system of equations y = Φx where there
are more unknowns (N) than equations (M). Note that
in compressive sensing, the number of equations is the
number of (compressive) measurements.
Compressive sensing theory states that we can restore
s, the K-sparse form of x, with high probability when
Φ is a random matrix and when M ≥ cK log(N/K)
where c is a small constant. Linear programming solves
for x by minimizing the ℓ1-norm of s:

$$\min_{s \in \mathbb{R}^N} \|s\|_{\ell_1} \quad \text{subject to} \quad y = \Phi x,\ x = \Psi s. \tag{1}$$

An interesting property of the ℓ1-minimization is that
the quality of the decoding is a function of M. The larger
M is, the more accurate the reconstruction becomes.
Furthermore, recovery is incremental—using small M
we recover the largest components of s, and if we wish
to recover more components, we grow M accordingly.
Another powerful feature of compressive sensing is
the care-free, low-complexity encoding unlike conventional
coding or compression schemes. It is coupled with
the flexibility of incorporating any Ψ in decoding that
transforms x to a sparse form, which makes compressive
sensing potentially a ground-breaking solution for
many security problems such as intrusion detection and
identification of spam and DDoS attacks (or more generically
any form of anomaly).

Table 1: Leakage current mean and standard deviation of a 2-input NAND gate (source: Singh et al. [10]).

Input (state)    µ (nA)    σ (nA)
00               0.223     0.082
01 or 10         4.578     3.026
11               13.109    16.785

3 How Trojans May Be Detected
In this section we provide some background on circuit
characterization based on power consumption statistics
and describe a simple, baseline method for Trojan de-
tection.
3.1 Background: Log-normal Leakage
Current Model
ICs typically operate at a ﬁxed voltage. Since power is
a product of voltage and current, we will refer to current
and power interchangeably. When a circuit’s inputs are
held constant, the circuit still consumes a certain amount
of power because logic gates typically pass a small, but
non-zero amount of current. The current consumed in
such a static circuit is referred to as leakage current.
The leakage current of a gate depends on its inputs.
For example, Table 1 shows the leakage current values
for a 2-input NAND gate manufactured in a certain pro-
cess, for 3 different input combinations. We will refer
to each input combination as a gate state. Note that the
leakage currents of different gate states can vary by or-
ders of magnitude! The leakage current varies from gate
to gate, because the physical dimensions of gate features
vary in manufacturing. Since the physical variations are
typically normally distributed, and have an exponential
effect on current, a common way to model leakage cur-
rent is using the log-normal distribution [5].
To predict the total power consumption of a circuit,
we must know the inputs to each gate, which, for a
combinatorial circuit, can be derived from the circuit inputs.
For example, consider a circuit depicted in Figure 1.
There will be 3 · 3 = 9 possible combinations
of gate states and 2^3 = 8 test vectors (over input bits
X, Y, and Z). Note that circuits often have some gate
states that are physically unrealizable. We can then obtain
the leakage current distribution for each test vector
as the distribution of a sum of log-normal random variables,
each corresponding to one gate in a specific state.
For example, consider applying test vector ⟨0,0,0⟩ to
Figure 1's circuit, that is, X = 0, Y = 0, Z = 0.
It follows that gate A will have inputs ⟨0,0⟩ and gate
B inputs ⟨1,0⟩, and so we can expect that these gates
will draw log-normally distributed amounts of current
with parameters from the first two rows in Table 1,
respectively. We can see that the total current consumed
by the circuit in this example will be the random variable
I_TOTAL = LN(0.223, 0.082) + LN(4.578, 3.026),
where LN(µ,σ) denotes a log-normally distributed random
variable with the given parameters.
At present, no closed-form is known for the probability
distribution of I_TOTAL. However, there are many
approximation methods which work well in practice, such
as that by Fernandes and Vemuri [5], which we adopted
for this paper.
3.2 Baseline Approach
Figure 2 depicts a baseline approach for detecting Trojans.
We apply N test vectors v1, v2, ..., vN to the CUT,
obtaining N power measurements x1, x2, ..., xN, one
for each vector. For the same N test vectors, we compute,
as outlined in the previous subsection, the expected
values of the leakage current distribution for each test
vector, xG = [g1, g2, ..., gN]. Note that these ground-truth
values can be obtained offline.
Next, we compare the power measurements xi with
the expected power measurements to decide whether or
not Trojans are present in the CUT. When there are no
Trojans present, any deviation from the expected mea-
surement consists of only one source—the chip fabrica-
tion variations, which is accounted for by the gate mod-
els. However, when there are Trojans present, the gates
comprising the Trojan draw additional leakage current
and thus shift the probability distribution of total cir-
cuit current as depicted schematically in Figure 3. We
choose a rejection threshold α such that if the total cur-
rent is above α then we declare that the circuit contains
Trojans.
There always exists some likelihood of error. Refer-
ring to Figure 3, we can see errors could occur either
1) when there is no Trojan, but total leakage current is
larger than the rejection threshold–an event called a false
positive, or 2) when there is a Trojan but the total leakage
current falls below the threshold, an event called a false
negative. We can reduce the likelihood of both of these
events by testing groups of multiple chips as described
in the following subsection.
Figure 1: Example circuit with 2 NAND gates. (Diagram labels: inputs X, Y, Z; gates A, B; output Out.)

Figure 2: Baseline approach. (Diagram: N test vectors v1, v2, ..., vN are applied to the Circuit Under Test (CUT), giving N corresponding power measurements x1, x2, ..., xN. Offline, a simulator using a database of gate characteristics specific to the manufacturing process produces the N corresponding reference measurements xG for the same N test vectors. The two sets are compared to give the result.)

3.3 Testing Multiple Chips from Same Process to Improve Detection Reliability
We can improve the detection reliability by testing mul-
tiple chips manufactured with the same fabrication pro-
cess. We consider the following two ways to use mul-
tiple chips, which reduce the false positive and negative
rates, respectively:
1) Reducing False Positives. To reduce false posi-
tives, we can test groups of P chips, for some P greater
than one, and require that for all of them, the total leak-
age current exceeds the rejection threshold before we
can declare a Trojan. The larger P is, the fewer false
positives are expected. Note that increasing P also in-
creases the false negative rate; this can be mitigated by
the following method.
2) Reducing False Negatives. To reduce the chance
of false negatives, we can declare a Trojan if at least P
out of Q chips exhibit leakage current past the rejection
threshold, where P is defined earlier in 1) and Q > P.
For a given P, the larger Q is, the fewer false negatives
are expected.
A detailed analysis of tuning the parameters α, P and
Q is beyond the scope of this paper, but a simple strat-
egy may consist of the following four steps. 1) Choose
α which gives approximately equal rates of both types
of error. 2) Increase P until the desired false positive
rate is reached. This may result in increased false neg-
ative rates. 3) Increase Q until the false negative rate is
low enough. This may increase the false positive rate
again. 4) Repeat steps 2 and 3 until both error rates are
at acceptable levels.

Figure 3: Diagram of probability distributions of total circuit leakage current for a clean and Trojan-infected circuit. The probability mass is shifted to the right by the magnitude of the added Trojan current.

Figure 4: The DISTROY front-end applies N randomly chosen test vectors to a CUT, measures corresponding leakage currents, and compresses to M linear combinations. (Diagram: N test vectors v1, v2, ..., vN enter the Circuit Under Test (CUT); the corresponding leakage current measurements x1, x2, ..., xN pass through compressive sensing, which outputs M measurements y_i = Σ_j Φ_ij x_j for i = 1, ..., M, with M ≪ N.)

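
The four-step tuning strategy above, worked through as an added example (not code from the paper). It assumes chips err independently and that step 1 has already fixed α so that every chip has the same per-chip false positive and false negative rate; the function names and the 10% and 2% figures are constructed for illustration.

```python
from math import comb


def tail_at_least(n, p, k):
    """P[Binomial(n, p) >= k]."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def group_rates(p_fp, p_fn, P, Q):
    """Error rates of 'declare a Trojan if at least P of Q chips exceed alpha'.

    Q == P is the 'all P chips' rule of 1); Q > P is the relaxed rule of 2).
    Assumption: chips are independent with identical per-chip rates.
    """
    # Clean lot: each chip crosses alpha with probability p_fp.
    fp = tail_at_least(Q, p_fp, P)
    # Infected lot: each chip crosses alpha with probability 1 - p_fn.
    fn = 1.0 - tail_at_least(Q, 1.0 - p_fn, P)
    return fp, fn


def tune(p_fp, p_fn, target_fp, target_fn, max_chips=64):
    """Steps 2 to 4 of the strategy; returns (P, Q, visited (P, Q) pairs)."""
    P = Q = 1
    trace = [(P, Q)]
    while True:
        # Step 2: raise P until the false positive rate is acceptable.
        while group_rates(p_fp, p_fn, P, Q)[0] > target_fp:
            P += 1
            Q = max(Q, P)
            trace.append((P, Q))
            if Q > max_chips:
                raise ValueError("targets not reachable within max_chips")
        # Step 3: raise Q until the false negative rate is acceptable.
        while group_rates(p_fp, p_fn, P, Q)[1] > target_fn:
            Q += 1
            trace.append((P, Q))
            if Q > max_chips:
                raise ValueError("targets not reachable within max_chips")
        # Step 4: raising Q may have pushed false positives back up; repeat.
        if group_rates(p_fp, p_fn, P, Q)[0] <= target_fp:
            return P, Q, trace


if __name__ == "__main__":
    P, Q, trace = tune(p_fp=0.10, p_fn=0.10, target_fp=0.02, target_fn=0.02)
    for p, q in trace:
        fp, fn = group_rates(0.10, 0.10, p, q)
        print("P=%d Q=%d  FP=%.5f  FN=%.5f" % (p, q, fp, fn))
```
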
4 DISTROY
DISTROY consists of the front-end scanner and back-
end analyzer. In this section we describe these compo-
nents of DISTROY in detail.
4.1 The Front-end
Figure 4 depicts the DISTROY front-end. The front-end
applies N test vectors v1, v2, ..., vN to a CUT,
obtaining corresponding leakage current measurements
x1, x2, ..., xN. We next use the compressive sensing
matrix Φ to reduce the measurements xi down to M linear
combinations yj. Thus, instead of outputting N measurements
from the chip, we now output only M measurements,
with M ≪ N. Unlike a typical data processing
(e.g., compression) scheme that performs a significant
amount of processing at acquisition, DISTROY
handles the incoming data in a relatively light-weight
manner by simply multiplying with Φ.
4.2 The Back-end
The back-end performs the decoding of compressive
measurements yi using the minimization of Equa-
tion (1). However, as noted in Section 2, to make de-
coding work with high probability, the variables under
optimization must be K-sparse. But neither the ex-
pected measurements nor those of the CUT are sparse
by themselves; how can we recover them using com-
pressive sensing decoding?
Note that we are interested in ﬁnding the measure-
ments which signiﬁcantly deviate from the expected
ones. Let us define a new set of variables, d1, d2, ..., dN,
describing these deviations; more specifically, di =
xi − gi. We can see that the deviations are going to
be relatively more sparse; for example, in the ideal case
without process variations, we would expect di = 0 unless
a Trojan circuit is present. Normalizing by the standard
deviation σ of leakage current, we can decode di
using Equation (1)'s minimization as follows:

$$\min \sum_i \left| \frac{d_i}{\sigma_i} \right| \quad \text{subj.} \quad y = \Phi \begin{bmatrix} g_1 + d_1 \\ g_2 + d_2 \\ \vdots \\ g_N + d_N \end{bmatrix} \tag{2}$$

The normalization is needed because of the "largest-first"
decoding property of compressive sensing. Without
the 1/σi factor in the objective function, the largest
values we decoded might not be Trojan power consumption
outliers, but merely largest power consumptions occurring
in test vectors with high variance.
Having obtained the deviations di, we can now use the
same types of statistical tests as in the baseline case of
Section 3.

Figure 5: double-c17 combines two ISCAS-85 c17s. (Diagram title: Double-C17 (from ISCAS-85 Benchmark); signal labels i0 through i15 and o0 through o3.)

Figure 6: 100-NAND gate double-c17x5 benchmark circuit used for evaluation. (Diagram title: Double-C17x5 (100 NAND Gates); five Double-C17 blocks fed by the 16-bit input I[0:15], with outputs o0 through o7.)

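
An added sketch of the front-end and back-end described in this section, not the authors' implementation. It assumes a random ±1 measurement matrix, substitutes greedy orthogonal matching pursuit for the ℓ1 linear program of Equation (2), and applies the 1/σ normalization after decoding; all leakage values, indices and function names are constructed.

```python
import random


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def compress(phi, x):
    """Front-end: reduce N leakage readings to M linear combinations y = Phi x."""
    return [dot(row, x) for row in phi]


def solve(a, b):
    """Solve the small square system a c = b (Gaussian elimination, pivoting)."""
    n = len(b)
    m = [row[:] + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    out = [0.0] * n
    for i in reversed(range(n)):
        out[i] = (m[i][n] - sum(m[i][j] * out[j] for j in range(i + 1, n))) / m[i][i]
    return out


def decode_deviations(phi, y, g, max_k, tol=1e-6):
    """Back-end: recover sparse d with y = Phi (g + d), largest component first.

    Greedy orthogonal matching pursuit, used here in place of the l1 program.
    Returns {test-vector index: deviation} in the order components were found.
    """
    n = len(g)
    cols = [[row[j] for row in phi] for j in range(n)]
    target = [yi - ri for yi, ri in zip(y, compress(phi, g))]  # equals Phi d
    resid, support, coef = target[:], [], []
    while len(support) < max_k and dot(resid, resid) ** 0.5 > tol:
        # Pick the test vector whose column best explains what is left over.
        j = max((c for c in range(n) if c not in support),
                key=lambda c: abs(dot(cols[c], resid)) / dot(cols[c], cols[c]) ** 0.5)
        support.append(j)
        # Least-squares refit on the chosen columns, then update the residual.
        gram = [[dot(cols[p], cols[q]) for q in support] for p in support]
        coef = solve(gram, [dot(cols[p], target) for p in support])
        resid = [t - sum(c * cols[p][i] for c, p in zip(coef, support))
                 for i, t in enumerate(target)]
    return dict(zip(support, coef))


def demo(seed=2011, n=200, m=50):
    rng = random.Random(seed)
    phi = [[rng.choice((-1.0, 1.0)) for _ in range(n)] for _ in range(m)]
    g = [rng.uniform(5.0, 20.0) for _ in range(n)]   # constructed expected leakage, nA
    sigma = [3.0] * n                                # constructed per-vector std, nA
    d_true = {17: 9.0, 83: 5.0}                      # constructed deviations, nA
    x = [gi + d_true.get(i, 0.0) for i, gi in enumerate(g)]
    y = compress(phi, x)                             # only these M values leave the chip
    d_hat = decode_deviations(phi, y, g, max_k=5)
    # Witness test of the baseline: normalized deviation above 2 sigma.
    witnesses = [i for i, d in d_hat.items() if d / sigma[i] > 2.0]
    return d_hat, witnesses


if __name__ == "__main__":
    d_hat, witnesses = demo()
    print("decoded deviations (nA):", d_hat)
    print("Trojan witnesses:", witnesses)
```
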
5 Evaluation
Our evaluation features a benchmark circuit that con-
tains 100 NAND gates. We performed a logic simula-
tion of the circuit and applied the Fernandes and Vemuri
method [5] to model log-normal leakage current distri-
butions. This section explains our evaluation methodol-
ogy and discusses empirical results.
5.1 Benchmark Circuit and Trojans
The original c17 circuit from the ISCAS-85 benchmark
suite [6] consists of 6 NAND gates; we combine two
c17 blocks to create double-c17, which contains 20
NAND gates as depicted in Figure 5. Lastly, we use
ﬁve double-c17 blocks to produce double-c17x5
shown in Figure 6.
The double-c17x5 circuit takes a 16-bit input,
which yields a test vector space size of 2^16. Since this
is a relatively small set, our simulation uses all possi-
ble test vectors and obtains corresponding gate states of
the circuit for each vector. Furthermore, we compute the
distribution of the sum of leakage currents through all
gates in the circuit as described in Section 3.1.
Inserting Trojans. We prepared ﬁve unmodiﬁed
double-c17x5s and placed one to ﬁve NAND
gates at random locations to create trojan-1, ...,
trojan-5. (That is, the smallest Trojan circuit is a
single NAND gate.) We then ran logic simulations for
the Trojan circuits and again used approximation to de-
termine their leakage current distributions.
5.2 Performance Metrics
Achieved compression gain N/M. Enabled by com-
pressive sensing, DISTROY can detect Trojans with M
measurements for off-chip analysis that are several times
fewer than the original N.
False positive rate. False positives occur when DIS-
TROY pronounces a clean circuit Trojan-infected.
False negative rate. False negatives occur when DIS-
TROY fails to detect a Trojan-infected circuit.
5.3 Trojan Detection Decision
We adopt the baseline detection method described in
Section 3.2 and extend it to take advantage of multiple
test vectors per chip, as well as multiple chips. First, for
a single test vector, similar to Section 3.2, we declare the
test vector a Trojan witness if its leakage current exceeds
the mean by more than some threshold value 2σ.
Let us deﬁne an equivalence class of test vectors to
be a set of test vectors that result in equal gate state
counts. For example, if the test vectors v3 and v7
produce the state counts ⟨C0 = 32, C1 = 50, C2 = 18⟩
where C0 represents the total number of 2-NAND gates
with input 00, C1 with input 01 or 10, and C2 with input
11, then the two test vectors are members of the same
equivalence class.
We use equivalence classes as a convenient, easy to
precompute tool to jointly reason about the statistics of
multiple test vectors. Speciﬁcally, we apply the follow-
ing criteria. We ﬁrst divide the N test vectors used in a
test into their equivalence classes. Then, we throw out
all equivalence classes that have less than some number
NReq of member test vectors. Lastly, if we ﬁnd that at
least L% of test vectors in one of the remaining equiva-
lence classes are Trojan witnesses, we declare the CUT
Trojan-infected.
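
An added example, not from the paper, that applies the Section 3.1 leakage model and the equivalence-class rule above to the two-NAND circuit of Figure 1. The wiring A = NAND(X, Y), B = NAND(A, Z) is inferred from the ⟨0,0,0⟩ walk-through in Section 3.1, per-gate currents are treated as independent, and the Trojan current and N_Req values used to exercise it are constructed.

```python
from collections import defaultdict
from itertools import product

# Table 1: (mean, std) leakage of a 2-input NAND gate in nA, per gate state.
NAND_LEAKAGE = {"00": (0.223, 0.082), "01/10": (4.578, 3.026), "11": (13.109, 16.785)}
STATES = ("00", "01/10", "11")


def gate_state(a, b):
    """Name the state of a 2-input gate by how many of its inputs are 1."""
    return STATES[a + b]


def simulate(x, y, z):
    """Gate states (A, B) for one test vector.

    Assumed wiring: A = NAND(X, Y), B = NAND(A, Z), Out = B.
    """
    a_out = 0 if (x and y) else 1
    return gate_state(x, y), gate_state(a_out, z)


def leakage_stats(states):
    """Mean and std of total leakage, summing per-gate means and variances."""
    mean = sum(NAND_LEAKAGE[s][0] for s in states)
    var = sum(NAND_LEAKAGE[s][1] ** 2 for s in states)
    return mean, var ** 0.5


def analyse():
    """Simulate all 2^3 test vectors and group them by state counts (C0, C1, C2)."""
    states = {v: simulate(*v) for v in product((0, 1), repeat=3)}
    classes = defaultdict(list)
    for v, s in states.items():
        classes[tuple(s.count(name) for name in STATES)].append(v)
    # Revealing test vectors come first: lowest expected leakage.
    ranked = sorted(states, key=lambda v: leakage_stats(states[v])[0])
    return states, dict(classes), ranked


def is_infected(readings, n_req, l_frac, k=2.0):
    """Decision rule of this section over measured currents {test vector: nA}."""
    states, classes, _ = analyse()
    for members in classes.values():
        tested = [v for v in members if v in readings]
        if len(tested) < max(n_req, 1):
            continue  # class too small to reason about
        # Equal state counts give every member the same mean and std.
        mean, std = leakage_stats(states[tested[0]])
        witnesses = sum(readings[v] > mean + k * std for v in tested)
        if witnesses >= l_frac * len(tested):
            return True
    return False


if __name__ == "__main__":
    states, classes, ranked = analyse()
    for v in ranked:
        print(v, states[v], "mean=%.3f std=%.3f nA" % leakage_stats(states[v]))
    print("realizable gate-state pairs:", len(set(states.values())), "of 9")
    print("equivalence classes:", classes)
```

With a constructed Trojan adding 13.109 nA to every reading, the two vectors in class (0, 2, 0) become witnesses while the three in class (0, 1, 1) do not, because that class's own standard deviation swamps the added current.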
5.4 Discussion
DISTROY measures leakage currents induced by test
vectors and compresses normalized deviations from the
ideal values. We run N = 1,000 random test vectors
on a clean, Trojan-free double-c17x5 and Trojan-infected
double-c17x5s of five Trojan sizes, compress
the current leakages with varying number of measurements
(M), and count the number of Trojan witnesses.

Figure 7: False positive and negative rates obtained from circuits containing Trojans of size 1 and 5 gates. (Panels: (a) Trojan size = 1 gate, (b) Trojan size = 5 gates. X-axis: M (number of measurements), 100 to 800. Y-axis: Rate, 0 to 0.4. Curves: false positive and false negative rates for N = 1000 random test vectors and for N = 1000 optimal test vectors.)

Figure 7 depicts the false positive and false negative
rates for our smallest and largest Trojan circuits. We
used parameters NReq = 20 and L = 50%. We have an-
alyzed the leakage current distribution of all equivalence
classes (using Fernandes and Vemuri [5]), ranked them,
and selected test vectors from the lowest-power inducing
equivalence classes to make the effect of additional gates
from Trojan circuits more pronounced. We note that
using some optimal set of test vectors we can reduce false
positive and false negative rates.
We ﬁnd that DISTROY can achieve up to 5- or 4-to-1
compression ratio, which justiﬁes the use of compres-
sive sensing for Trojan detection. We can think of com-
pression as a speedup in the Trojan detection time by
reducing the chip’s output bandwidth requirement.
In Section 3.3, we discussed the use of multiple chips
fabricated under the same process to improve reliability
of the test. Figure 8 exhibits such an improvement. We
consider the case for M = 200 (i.e., the compression
gain of 5). We ran 100 test cases using P = 1 to 10
chips from the same process and recorded the reduction
of false positive rate. Using either random or optimal test
vectors, we were able to achieve no false positives. A
similar result holds true for the false negative rate. Fixing
P = 2 and varying Q from 2 to 10, we were able to
eliminate false negatives starting with Q = 6.
Figure 8: Using multiple chips fabricated under the same process improves false positive and negative rates. (Panels: "False positive rate over P (Trojan size = 1 gate)", x-axis P (# of chips fabricated under same process for testing), 1 to 10, y-axis Rate, 0 to 0.1; "False negative rate over Q (Trojan size = 1 gate)", x-axis Q (# of chips from which P=2 chips are chosen for testing), 2 to 10, y-axis Rate, 0 to 0.2. Curves: N = 1000 random and optimal test vectors with M = 200.)

6 Related Work
Agrawal et al. [1] introduced IC fingerprinting, a signal
processing technique using side-channel power analysis
to detect the presence of additional circuits. IC fingerprinting
assumes a gold circuit fabricated physically
to extract the reference fingerprint used in testing that
serves as decision criteria. The compressive sensing based
approach offers a possible implementation direction for
fingerprinting methods. Nelson et al. [9] presented gate-level
characterization (GLC) techniques to model power
and delay characteristics more precisely. GLC relies on
statistical methods, singular value decomposition (SVD)
in particular, to solve for a characterization vector used
to detect a Trojan circuit. The compressive sensing approach
of this paper can benefit from using such methods
in selecting Trojan-revealing test vectors.
More recently, Trojan detection in ICs has attracted
considerable research efforts at the IEEE Symposium on
Security & Privacy (Oakland). They include Huffmire et
al. [8], an isolation primitive for hardware components
to run on FPGAs that can help interconnect traceability
among others but provides little protection against po-
tentially malicious central component such as a Trojan-
infected microcontroller chip. Hicks et al. [7] proposed
Unused Circuit Identiﬁcation (UCI) to detect malicious
hardware hidden in circuits at design time by identifying
pairs of dependent signals replaceable by a wire without
affecting any test vector outcome. Sturton et al. [11]
demonstrated a valid attack against UCI by showing that
it is possible to build malicious circuits exhibiting hid-
den behavior upon receiving a special trigger and by-
passing the UCI detection successfully.
All these approaches are orthogonal to the compres-
sive sensing-based approach of this paper, which has the
goal of reducing I/O requirements without compromis-
ing important information for detecting Trojans.
7 Conclusion
Trojans are a hard problem and serious security threat for
today’s fabless IC business model. We have presented
DISTROY, a novel and unconventional use of compres-
sive sensing to address the Trojan detection problem.
Because of the largest-ﬁrst decoding property, compres-
sive sensing decodes the largest abnormal power con-
sumption values ﬁrst. From the decoded values, we can
detect the Trojans reliably and accurately.
We have used a reasonable benchmark circuit for our
evaluation and also for illustrative purposes. In the near
future, we plan to validate DISTROY in implementation,
applying it to real circuits.
Acknowledgments
This material is based on research sponsored by Air Force Re-
search Laboratory under agreement numbers FA8750-10-2-0115 and
FA8750-10-2-0180. The U.S. Government is authorized to repro-
duce and distribute reprints for Governmental purposes notwithstand-
ing any copyright notation thereon. The views and conclusions con-
tained herein are those of the authors and should not be interpreted as
necessarily representing the ofﬁcial policies or endorsements, either
expressed or implied, of Air Force Research Laboratory or the U.S.
Government. The authors would like to thank the Ofﬁce of the Secre-
tary of Defense (OSD/ASD(R&E)/RD/IS&CS) for their guidance and
support of this research. In addition, we’d like to thank our HotSec’11
reviewers for their helpful comments.
References
[1] AGRAWAL, D., BAKTIR, S., KARAKOYUNLU, D., ROHATGI, P., AND SUNAR, B. Trojan Detection Using IC Fingerprinting. In IEEE Symposium on Security and Privacy (2007).
[2] ALKABANI, Y., AND KOUSHANFAR, F. Consistency-based characterization for IC Trojan detection. In Proc. of ICCAD (2009).
[3] BARANIUK, R. G. Compressive Sensing. Lecture Notes in IEEE Signal Processing Magazine vol. 24, no. 4 (Jul. 2007).
[4] CANDÈS, E. J., AND WAKIN, M. B. An Introduction To Compressive Sampling. IEEE Sig. Proc. Mag. 25, 2 (2008), 21–30.
[5] FERNANDES, R., AND VEMURI, R. Accurate estimation of vector dependent leakage power in the presence of process variations. In Proc. of ICCD (2009).
[6] HANSEN, M. C., YALCIN, H., AND HAYES, J. P. Unveiling the ISCAS-85 Benchmarks: A Case Study in Reverse Engineering. IEEE Design & Test 16 (July 1999), 72–80.
[7] HICKS, M., FINNICUM, M., KING, S. T., MARTIN, M. M. K., AND SMITH, J. M. Overcoming an Untrusted Computing Base: Detecting and Removing Malicious Hardware Automatically. In IEEE Symposium on Security and Privacy (Oakland) (2010).
[8] HUFFMIRE, T., BROTHERTON, B., WANG, G., SHERWOOD, T., KASTNER, R., LEVIN, T. E., NGUYEN, T. D., AND IRVINE, C. E. Moats and Drawbridges: An Isolation Primitive for Reconfigurable Hardware Based Systems. In IEEE Symposium on Security and Privacy (Oakland) (2007).
[9] NELSON, M., NAHAPETIAN, A., KOUSHANFAR, F., AND POTKONJAK, M. SVD-Based Ghost Circuitry Detection. Springer-Verlag, Berlin, Heidelberg, 2009, pp. 221–234.
[10] SINGH, A., GULATI, K., AND KHATRI, S. Minimum Leakage Vector Computation Using Weighted Partial MaxSAT. In IEEE Midwest Symposium on Circuits and Systems (2010).
[11] STURTON, C., HICKS, M., WAGNER, D., AND KING, S. T. Defeating UCI: Building Stealthy and Malicious Hardware. In IEEE Symposium on Security and Privacy (Oakland) (2011).
[12] WAKSMAN, A., AND SETHUMADHAVAN, S. Silencing Hardware Backdoors. In IEEE Symposium on Security and Privacy (Oakland) (2011).