Abstract-There have been a number of hardware Trojan (HT) designs at register-transfer level (RTL) in the literature, which mainly describe their malicious behaviors and trigger mechanisms. Generally speaking, the stealthiness of the HTs is shown with extremely low sensitization probability of the trigger events. In practice, however, based on the fact that HTs are not sensitized with verification test cases (otherwise their malicious behaviors would have manifested themselves), designers could focus on verification corners for HT detection. Consequently, a stealthy HT not only requires to be hard to trigger, but also needs to be able to evade those hardware trust verification techniques based on "unused circuit identification (UCI)". In this paper, we present new HT design and implementation techniques that are able to achieve the above objectives. In addition, attackers would like to be able to control their HTs easily, which is also considered in the proposed HT design methodology. Experimental results demonstrate that HTs constructed with the proposed technique are both hard to be detected and easy to be controlled when compared to existing HTs shown in the literature.
I. INTRODUCTION
Today's integrated circuit (IC) designs usually involve large design teams and many third-parties. Consequently, they are vulnerable to a wide range of malicious alterations that subvert or compromise the normal operation of infected devices, namely hardware Trojans (HTs) [1] . For instance, a backdoor inserted into the Actel/Microsemi chips was recently found [2] , and a report released by U.S. Senate Armed Services Committee claimed that about one million suspected bogus parts have been found in U.S. military aircraft [3] . Consequently, HTs have attracted serious attention from authorities [4], [5] , which motivate a large amount of research efforts.
A. Related Work
HTs can be inserted into an IC at various design stages, e.g., specification, register-transfer level (RTL), layout and fabrication. Among them, HTs inserted at RTL by rogue designers in the design team or integrated into the system with third-party intellectual property (IP) cores are the most serious threats because attackers have high flexibility to implement any malicious function.
HT Detection: Detecting HTs inserted at RTL is extremely difficult since traditional IC verification techniques are not suitable for finding "extra" functionalities beyond circuit specification, especially considering the fact that attackers usually employ a rare event with extremely low activation probability in normal functional mode to trigger HTs. To the best of our knowledge, Hicks et al. [6] made the only attempt to detect HTs at RTL in the literature. Leveraging the fact that a HT usually keeps dormant during verification, the HT detection problem is formulated as an "unused circuit identification (UCI)" problem. That is, if part of circuits in a design is not sensitized with verification test cases, it is likely that such circuitry belongs to a HT. However, how to define "unused circuit" is not quite clear and the authors considered the following: if any pair of related signals are equal throughout all test cases, the intervening circuits between them are regarded as unused circuitry and hence potential HT. From another perspective, those uncovered parts with respect to code coverage metrics 1 during verification can be treated as another type of unused circuits. While UCI techniques are able to detect many existing HT designs shown in the literature to be detailed in Section II, they are sensitive to the actual HT implementation style [7] .
HT Design and Implementation Methodology: HT detection and HT desigdesign are like arms race, wherein defenders constantly update their security measures to protect the system while attackers respond with more tricky HTs to intrude a system. There are a variety of HTs proposed in earlier works, and however they tend to ignore the importance of HT implementation. [8] developed two HTs compromising memory access mechanism and shadow mode mechanism to support software attacks without showing detailed implementation. [9] , [10] presented several HT designs with various trigger methods and malicious behaviors in the embedded system challenge competition. [11] designed two simple HTs controlled by a counter for the RSA encryption circuit. [12] designed the HT to facilitate side-channel attack. However, none of them [8] - [12] provides detailed HT implementation. Recently, TrustHub website [13] has released a list of HT benchmarks, but almost all of them could be detected by UCI techniques as shown in Table I (see Section II) . This is because these HTs are not carefully designed to be hidden as "useful circuits". Sturton et al. [7] designed some HTs that are able to evade [6] . However, their HT design and implementation methodology, on one hand, is based on exhaustive search to locate malicious circuitry that could be used to build HTs rather than a general HT design methodology, and on the other hand, it does not consider the traditional verification as well as code coverage metrics.
B. Summary of Contribution
Motivated by above, in this paper, we propose a systematic HT design and implementation methodology, aiming at making HTs bypass existing HT detection techniques without losing any flexibility of the HT. The approach designs and implements HTs from three aspects. First, to evade traditional verification tests, HTs keep dormant during verification through the selected rare trigger condition. Second, to evade UCI techniques, HTs are hidden as "useful circuit" with the proposed two HT coding models. Third, HTs should be as controllable as possible so that attackers could easily employ them to perform malicious operations.
The remainder of this paper is organized as follows. In Section II, we motivate this paper. Then, we discuss the proposed HT design and implementation methodology in Section III. Experimental results are presented in Section IV. Finally, we conclude this paper in Section V. Table I summarizes the HTs from Trust-Hub [13] identified by traditional verification tests denoted as TV and UCI techniques. The experiment is conducted on a SoC-based platform detailed in Section IV rather than on the original circuits, because there is no test case available for the original circuits. HTs are carefully transferred into the platform by connecting them on expected signals without any modification on the HT implementation. As can be seen, traditional verification tests miss all HTs while UCI techniques, especially [6] , can detect all HTs. The reason is that these HTs are not hidden as "useful circuits". After further examination, we find that implementations of most HTs from the Trust-hub can be summarized as Fig. 1 . One signal, denoted as t en , is used to indicate the occurrence of the trigger condition, which is driven by either a specific pattern or a counter. This HT implementation can evade the traditional verification as long as the trigger condition is not activated, which is easily achieved with the huge state space of the circuit. However, it can be detected by UCI techniques, because code lines, "t en <= 1 b1" and " f <= f m ", would not be executed and " f " would be always equal to " f n " under all non-trigger conditions.
The above motivates us to propose a systematic HT design and implementation methodology to evade all existing HT detecting techniques.
III. HT DESIGN AND IMPLEMENTATION METHODOLOGY
Generally speaking, a HT is composed of its activation mechanism (referred as trigger) and its malicious function (referred as payload). Our objective is to design and implement HTs that can evade both the traditional verification and UCI techniques without sacrificing much flexibility. To achieve it, we consider three design and implementation rules. Firstly, HTs should keep dormant during the verification so as to evade the traditional verification. Secondly, HTs should be hidden as "useful circuit" so as to evade all UCI techniques. Thirdly, to make HTs flexible for attackers to perform malicious operations, it should be as controllable as possible. Since the payload mainly depends on the objective of attackers and also does not affect the stealthiness and the controllability of the HT, we only focus on the trigger design and implementation in this paper.
A. Rule One
Traditional verification and testing detects a HT by triggering it, and hence how to design a rare trigger condition that makes the HT keep silent during the verification becomes a key problem. To achieve it, attackers can generally employ the following four methods.
• Attackers can select trigger inputs whose trigger values are difficult to be sensitized during the verification.
• Attackers can adopt multiple trigger inputs. If there are l trigger inputs denoted as t 1 ,t 2 ,...,t l , the probability of the occurrence of the trigger condition is roughly equal to ∏ l i=1 P t i , wherein P t i is the probability of the trigger input i being the trigger value. However, considering the size of the HT, attackers can only use limited trigger inputs.
• Attackers can adopt a sequence of trigger values.
Consider l trigger inputs, t 1 ,t 2 ,...,t l , and suppose attackers construct the trigger condition by m continuous trigger values. In this way, the probability of the trigger condition can be further reduced, represented as
Similarly, the number of continuous trigger values cannot be too large in the consideration of the hardware cost.
• Attackers can select trigger inputs from components that are less dependent, reducing the probability of the occurrence of trigger values at the same time. This is because the test case used by the designer usually targets on one or some specific normal functionalities.
Given the huge state-space that the HT can hide within a reasonably sized circuit, attackers can easily select some trigger inputs to construct the trigger condition. Consequently, rule one can be illustrated by minimizing the probability of the trigger condition subject to the hardware cost constraint.
The hardware cost of HT is a function of the number of trigger inputs and the number of continues trigger values. Since the HT is implemented by the proposed code models discussed in rule two, we can estimate the HT cost by synthesizing code models in advance. Note that, the trigger condition in Eq. 1 ignores the dependency of signals, because obtaining accurate probability of the trigger condition through simulation is very time-consuming in the iterative algorithm.
Despite the rare trigger condition designed by rule one, HTs, however, could be detected by UCI techniques, as shown in Table I . We would discuss how to resolve this problem in rule two.
B. Rule Two
The main idea behind to make HT evade UCI techniques is to hide it as the "useful circuit" with respect to the definition of the "unused circuit". To achieve this, we propose a novel solution that combines the code writing style and the trigger input selection. As observed in the literature, there are mainly two kinds of triggers: pattern-based trigger and counter-based trigger, and thus we take them as examples to illustrate the proposed code models.
Let us start with the code writing style. We propose two code models for HT implementation based on the pattern-based trigger and counter-based trigger. Code model one is shown in Fig. 2 . Compared to the code model used by HTs from the Trust-Hub [13] shown in Fig. 1 , code model one has three differences. First, since code lines, conditions, FSMs, transitions of signals, branches and paths controlled by the trigger condition are definitely uncovered (e.g., Fig. 1 ), we propose to partition the trigger condition into multiple parts of the trigger condition, namely sub-trigger condition. In this way, all parts of the HT controlled by sub-trigger conditions can be covered, because sub-trigger conditions could be satisfied under certain non-trigger conditions. As shown in Fig. 2 , we employ multiple patterns denoted as pattern 1 , pattern 2 , . . . , and pattern k or multiple counters denoted as counter 1 , counter 2 , . . . , and counter k , and use multiple signals denoted as t en 1 , t en 2 , . . . , and t en k to indicate the occurrence of corresponding sub-trigger conditions. Fig. 2 (a) and Fig. 2 (b) show how to implement a sub-trigger condition that is realized by a specific counter and a part of pattern. Second, since [6] is able to detect the HT whose affected output is always driven by the normal function, we partition the normal function into two sub-normal functions to make the final output be driven by sub-normal functions alternately. As shown, sub-normal functions denoted as f n 1 and f n 2 are controlled by their corresponding conditions denoted as c 1 and c 2 . Third, the final output ( f ) composed of two subnormal functions, malicious function, and their corresponding conditions are integrated by AND, OR, and NOT operators instead of "if-else" or "case" operators, and in this way, the assignment statement of the final output with the malicious function must be executed under non-trigger conditions. Code model two, based on code model one, replaces all "ifelse" and "case" operators in the trigger by AND, OR and NOT operators. Compared to code model one, HTs implemented by code model two can definitely evade condition coverage, FSM coverage, branch coverage and path coverage, because no conditions, FSMs, branches and paths are used. However, code model two would introduce more code lines for the HT, which is likely to attract the attention of designers [8] .
The HT designed according to the two proposed code models can evade all existing UCI-based techniques as long as two conditions are satisfied during the verification: (1) t en 1 , t en 2 ,. . . , and t en k have both 0-to-1 and 1-to-0 transitions. (2) c 1 and c 2 have been set to logic '1' once. If all non-trigger conditions are sensitized, such two conditions can definitely be satisfied. However, it is nearly impossible to make all nontrigger conditions be verified with limited verification time and effort, which could cause HTs to be detected by UCI techniques. For instance, in Fig. 2 , it is possible that part of the trigger condition (e.g., "pattern1 == PAT T ERN1") has never been satisfied, and hence the code line, "t en 1 <= 1 b1", is not covered and the signal, t en 1 , does not have both transitions, which cause the whole HT to be detected by line coverage, toggle coverage and [6] . Similarly, the final output denoted as f could be driven by only one part of normal circuit (e.g., f n 1 ), which makes HTs be identified by [6] . Consequently, HTs should be able to evade all UCI techniques as likely as possible even when the verification test cases are not complete. To achieve this, we are required to carefully select trigger input and partition trigger condition to increase the probability of each sub-trigger condition. Since whether HTs can evade UCI techniques is bounded by the least-likely-triggered sub-trigger condition and less-likelyoccurring sub-normal function, we obtain the HT by maximizing probabilities of the least-likely-triggered sub-trigger condition and less-likely-occurring sub-normal function with the constraint of the number of code lines (NL ex ), given as:
Max(min{P t en 1 , P t en 2 ,...,P t en k });
where P c i and P t en i denote probabilities of the occurrence of the i-th sub-normal function and the i-th sub-trigger condition, and NL(k) denotes the number of code lines for HTs. NL(k) is a linear function of the number of sub-trigger conditions (k) whose coefficients can be obtained from HT code models.
Maximizing the probability of the less-likely-occurring sub-normal function is relatively easy, because it is irrelevant to the trigger and payload design and designers would verify normal functionalities of the circuit as completely as possible. However, maximizing the probability of the least-likelytriggered sub-trigger condition can conflict with minimizing the probability of the trigger condition shown in Eq. 1. Therefore, how to select trigger inputs to not only keep the HT silent but also evade UCI techniques is challenging. We will discuss that in details in Section III.D.
C. Rule Three
Generally, attackers expect the HT designed to be as controllable as possible, increasing the flexibility to perform malicious operations. However, some signals cannot be controlled in terms of attackers (e.g., lacking in the physical access), which hence restricts choices of trigger inputs.
To design flexible HTs, we introduce the un-controllability of each signal that reflects the difficulty of setting a signal to a required value from the perspective of attackers. The un-controllability of each signal is defined as the number of signals that should be manipulated but cannot be manipulated to set a value of this signal from prime inputs, which includes the 0-un-controllability (UC0) and 1-un-controllability (UC1).
We obtain the UC0 and UC1 of each signal by analyzing the circuit netlist. First, we set UC0 and UC1 of each prime inputs for the circuit according to the actual environment. If I, a prime input, cannot be controlled by the attacker, we have UC1(I) = 1, and UC0(I) = 1;
otherwise, UC1(I) = 0, and UC0(I) = 0.
With given UC0 and UC1 of each prime input, the UC0 and UC1 of each signal is calculated in the topology order from prime inputs to prime outputs. Fig. 3 presents the calculation of the un-controllability of each gate. Note that, the calculation With the un-controllability of each signal, attackers can determine trigger inputs with respect to the actual requirement. Suppose attackers choose t 1 ,t 2 ,...,t l as trigger inputs and select their m specific continuous values together as the trigger condition. Then, the un-controllability of the trigger condition is the sum of un-controllability of each trigger input driven by corresponding trigger value, denoted as UC T , which indicates that the number of signals that cannot be controlled to set the trigger condition by the attacker.
D. Overall Flow
As discussed, the above three rules have quite different requirements on the trigger input selection, and therefore how to consider them together in an HT design and implementation is a challenging problem.
In this paper, we emphasize rule two over rule one and rule three. Consequently, the "best" HT is obtained by maximizing the probability of the HT evading UCI techniques with the constraints of the probability of the trigger conditions (P T ex ), the hardware cost (COST ex ), the number of code lines (NL ex ) and un-controllability of the HT (UC T ex ), represented as:
..., P t en k });
Constraints :
We do not maximize probabilities of less-likely-triggered subnormal functions in Eq. 5, because it can be done independently without listed constraints.
Due to the huge solution space for the trigger condition, we solve the above problem by a heuristic algorithm described in Algorithm 1. In the beginning, as attackers, we obtain the probability of each signal by the simulation with guessed test cases as well as un-controllability of each signal (Line 1-2). To reduce the solution space of the trigger condition, we first determine the number of trigger inputs and the number of sequence of trigger values according to constraints of the hardware cost and the number of code lines (Line 3). Then, we sort all signals according to the larger probability between Remove the first signal in the signal list; 11 end while 12 Run simulation and determine the final solution from candidates;
being logic '1' or logic '0' in the descending order (Line 4). After that, the algorithm goes into a loop (Line 5-11).
In each loop, we implement the HT by treating the first l signals in the signal list as trigger inputs and partitioning the trigger condition evenly. If both the probability of the trigger condition and un-controllability of HT are satisfied, we record the current solution. Since we choose l signals that have largest signal probabilities in the signal list each time, it is more likely to build sub-trigger conditions with high probabilities. Finally, we remove the first signal in the signal list and go back. The loop stops if the number of signals is smaller than l or the number of recorded solutions is larger than user-defined parameter N. The reason why we find a number of solutions is that the probabilities of the trigger condition and sub-trigger conditions are not very accurate based on the simple analysis. Consequently, in order to obtain a good HT, we run the simulation again to verify the designed HT, and select the solution that is the most likely to evade the UCI techniques among candidates.
IV. EXPERIMENTAL RESULTS

A. Experimental Setup
We use 24 HTs in our experiments, wherein 20 are HT benchmark circuits from Trust-Hub [13] and the remaining 4 are from previous work [7] , [8] . We believe these HTs are enough to evaluate the proposed HT design and implementation methodology. We keep their payloads but re-design their triggers by the proposed method.
We do not directly conduct experiments on those circuits in which HTs are originally inserted, because verification tests required by both code coverage metrics and [6] for HT detection are not available. Instead, we have selected a SoC design from OpenCores [15], containing a 32-bit RISC microprocessor namely OpenRisc and many peripherals such as UART, USB and MAC, as the hardware platform for HT insertion and detection. We adopt the 17 test cases bundled with this design for verification. We assume attackers know 5 test cases among all for HT design while designers adopt the remaining 12 test cases to verify the design. During the HT design process, we set 1% hardware cost and 5% code line constraints and consider that prime inputs connecting the main memory, UART, USB and MAC can be controlled by attackers. Finally, HTs are carefully designed and inserted into the platform and controlled by different trigger conditions. First, we study the effectiveness of the proposed HT design and implementation method. We adopt the traditional verification denoted as TV and 7 UCI techniques that are line coverage, condition coverage, FSM coverage, toggle coverage, branch coverage, path coverage and [6] to evaluate designed HTs, and results are shown in Fig. 4 . For the traditional verification, we find that it misses all HTs since none of them have been activated during the verification. For UCI techniques, we consider a UCI technique detects an HT if it reports any part of the circuit that belongs to the HT. Therefore, without verification, each UCI technique detects all HTs that they cover. As seen, condition coverage covers none of HTs, because we do not use any conditions in the two code modes. Moreover, for code model one, FSM coverage does not cover all of HTs because some of them are counter-based HTs written without FSMs. Compared to code model one, none of HTs written by code model two are covered by FSM coverage, branch coverage and path coverage. This is because all FSMs, branches and paths are replaced with AND, OR and NOT operators that cannot be recognized by these coverage metrics. With test cases used in the verification, most methods begin to miss some HTs, because all parts of these HTs that UCI techniques focus on are verified. In the end, HTs designed by both code model one and two evade all UCI techniques. As shown in Fig. 4 (a) and Fig. 4 (b) , it is possible to use fewer test cases to detect more HTs, but the fewer test cases would results in more wrongly-identified HTs to be reported, which leads to much more manual effort to further examination. We present the coverage 2 of each UCI technique in Fig. 4 (c) . By comparing to original HTs without any modifications shown in Table I , HTs revised by proposed method are much more likely to evade existing HT detection methods.
B. Results and Discussion
Next, we present the impact of the probability of the trigger condition on designed HTs. The result is shown in Fig. 5 . As can be observed, with the decrease of the probability of the trigger condition, the traditional verification detects fewer and fewer HTs. This is because the HT is likely to keep dormant during the verification if it is controlled by a rare trigger condition. On the contrary, UCI techniques detects more and more HTs with the decrease of the probability of the trigger condition. Since the probability of sub-trigger condition is reduced with the decrease of the probability of trigger condition, any sub-trigger conditions un-activated would cause the whole HT to be detected. Under our experimental environment, when the probability of trigger condition is set to be 1e-16 per clock cycle, HTs designed by proposed method can evade all detection methods. The number of HTs detected Finally, we discuss the impact of the controllability of the HT on its stealthiness. As shown in Fig. 6 , the number of HTs detected decreases with the increase of the un-controllability of the trigger condition. This is because the requirement of the HT controllability could sacrifice some choices of trigger inputs, possibly resulting in poor trigger design. How to balance the controllability and stealthiness of HT mainly depends on the objective of the attacker.
V. CONCLUSION
In this paper, we propose a systematic hardware Trojan design and implementation methodology. Our approach designs and implements HTs that are not only hard to trigger but also easy to evade existing detection techniques based on UCI techniques. In addition, it considers the HT controllability in order to provide flexibility for attackers to control the HT. Experimental results demonstrate that the HTs designed with the proposed method can evade all existing HT detection techniques.
VI. ACKNOWLEDGEMENT
This work was supported in part by a CUHK Direct Grant No. 2050488.
