Hardware Trojan with Frequency Modulation by Luft, Ash et al.
ar
X
iv
:2
00
4.
01
35
3v
1 
 [c
s.A
R]
  3
 A
pr
 20
20
Hardware Trojan with Frequency Modulation
Ash LUFT, Mihai SIMA, and Michael McGUIRE
Department of Electrical and Computer Engineering, University of Victoria, British Columbia, Canada
Email: aluft@uvic.ca, msima@ece.uvic.ca, mmcguire@uvic.ca
I. INTRODUCTION
The globalization of the economy is offering the choice of importing designs and third-party Intellectual Property
(IP) cores from multiple vendors located all over the world. An IP can be compromised in an untrusted design
or fabrication facility through the insertion of malicious circuitry referred to as a Hardware Trojan [1], [2], which
triggers a malfunction under rare circuit conditions [3]. Due to the stealthy nature of hardware Trojans, their
detection is challenging [4].
Three methods for the detection of hardware Trojans have been proposed: (i) state-change detection through
Malicious Circuit Activation (MCA), which aims to determine under which conditions the malicious hardware is
activated [5], or alternatively Unused-Circuit Identification (UCI) [9], which aims to determine which circuitry
is not activated under normal operating conditions; (ii) Side-Channel Analysis (SCA), in which circuit parameters
(such as power consumption or propagation delay) are estimated or measured to determine the Trojan’s contribution
[10]–[12]; and (iii) use of Monitoring Architectures (MA), which will indicate if the original layout of the integrated
circuit design has been changed [12], [13].
To facilitate research in this area and improve the detection of malicious alterations, a better understanding of
what hardware Trojans would look like and what impact they would incur to a circuit or an IP is needed [14], [15].
In order to show the weaknesses of current Trojan detection methods, a logic family with frequency modulation for
building hardware Trojans that can evade the first two major detection methods is described. Specifically, since the
Trojan trigger circuitry’s state will never stay constant during ’normal’ operation, UCI-class analyses are evaded.
The power consumption of the Trojan’s trigger circuitry can be balanced into a constant value (thus concealed) with
minimal design effort and supplementary hardware resources. This ensures that the Trojan can evade side-channel
analysis. The hardware Trojan logic family is designed to infect synthesizable IPs for FPGAs, for which an original
physical placement does not exist. This makes the third major detection method, namely the use of monitoring
architectures, immaterial for the rest of the presentation.
The proposed hardware Trojan has a lightweight implementation, as it does not require more Look-Up Tables
(LUT) than standard logic, but only extra Flip-Flops (FF) which are abundantly available in FPGAs. Electrically
it can be classified as Always-On [5], [16], so that it can evade the UCI detection [9]. Functionally it is a
condition-based Trojan [5], which means its payload is activated under a very specific condition, namely a specific
sequence of events. Such a Trojan is therefore unlikely to be activated during functional tests [5] so it will evade the
MCA detection. The payload of the proposed Trojan does not directly control output pins since that would make it
easier to detect the Trojan. Instead, the payload communicates in a controlled fashion through a power consumption
April 6, 2020 DRAFT
side-channel. The proposed logic family is synthesizable; thus, it can be ported to Application-Specific Integrated
Circuits (ASIC) with minimal effort.
To summarize, a logic family which does not exhibit idle states (thus, it is always active and evades the first
detection method), makes the power consumption independent relative to the processed data and/or operations (thus,
it conceals the power consumption and evades the second detection method), and can readily be implemented with
FPGA primitives is proposed. The contributions of this paper are as follows.
• Logic family with Frequency Modulation (FM), which does not exhibit idle states, thus being able to escape
detection schemes based on unused-circuit identification.
• Trojan FM logic circuit augmentation to evade detection schemes based on power consumption.
• Payload which communicates in a controlled fashion through a power consumption side-channel.
• Detection approaches for hardware Trojans built in the proposed logic family with frequency modulation.
II. BACKGROUND
A. FPGA Architecture
Modern FPGA architectures consist of five types of modules: Configurable Logic Blocks (CLB), Digital Signal
Processing (DSP) units, Block Random Access Memories (BRAM), I/O Blocks (IOB), and a configurable Interconnection
Network. The CLBs are part of the fine-grained fabric and are organized as a two dimensional array, where
each CLB includes a configurable Look-Up Table (LUT) to implement bit-level logic functions, carry logic to
support arithmetic operations such as binary / ternary adders [17], dedicated multiplexors, and Flip-Flops (FF).
Software support includes macros and primitives, such as CARRY4 which concatenates four LUTs to build a 4-bit
binary / ternary adder,MUXF7 andMUXF8 which instantiate 2-to-1 multiplexors, and BRLSHFT4 and BRLSHFT8
which instantiate 4-bit and 8-bit barrel shifters, etc. The DSP units are part of the coarse-grained fabric and
implement large two’s-complement multipliers and acumulators. The configurable interconnection network connects
these modules together to implement digital circuits.
Modern FPGAs also integrate Block Random Access Memories (BRAM) on chip. For example, the BRAM in
the Virtex-7 family [18] can operate as either one 36Kb dual-port RAM or two independent 18Kb dual-port RAMs.
These BRAMs can be used as large storage areas or large LUTs with multiple outputs to implement logic functions.
Modern FPGAs offer a large number of flip-flops of different types along with their software primitives [19].
FDSE and FDRE are D flip-flops with clock enable (CE) and synchronous set (S) and reset (R), respectively. When
the (S) / (R) input is High, the (Q) output is set / reset on the Low-to-High clock (C) transition. When (S) / (R) is
Low and (CE) is high the data on the (D) input is loaded into the flip-flop on the Low-to-High clock (C) transition.
The LUT6 primitive refers to a 6-input, 1-output look-up table (LUT) that can either act as an asynchronous
64-bit ROM (that is, with a 6-bit address bus) or implement an arbitrary 6-input logic function. LUTs and flip-flops
are the most basic logic building blocks in FPGA circuitry. They will be used in implementing the Trojan logic
with frequency modulation.
April 6, 2020 DRAFT
III. HARDWARE TROJANS
A hardware Trojan is characterized by its activation mechanism, which is referred to as a trigger, and the
malicious function that it implements, which is referred to as a payload [5], [20]. The activation of a Trojan is a
statistically rare event, such as the end users or the standard verification tests during manufacturing will very likely
not trigger it. In this respect, a hardware Trojan is a stealthy circuit [3].
Based on their trigger mechanism, malicious circuits are classified as follows. Condition-based Trojans are
inactive until a specific condition is met (for example, the attacker provides a special input or a particular value
occurs on the data bus). Always-on Trojans operate continuously, but they are inserted on nodes which are rarely
exercised [15].
The payload can take many forms. In one scenario, sensitive data (such as an encryption key) can be sent to the
attacker through an output port, which normally transmits plain text. In another scenario it is possible to send the
sensitive data to the attacker through side channels in which power consumption or some electromagnetic radiation
originating from the chip can be modulated with the encryption key. The payload can also compromise the operation
of the circuit, or it can even physically destroy the chip.
As mentioned, there are three major detection methods. The first method, the Malicious Circuit Activation
(MCA), is based on applying stimuli at the circuit’s input to determine under which conditions the malicious
hardware is activated [5]. Since hardware Trojans are stealthy circuits, this method can be very time consuming; thus,
it is ineffective at consistently detecting trigger states. The Unused Circuit Identification (UCI) method proposed
by Hicks et al. is complementary to MCA [9]. It flags as suspicious those circuits that are not activated under
normal operating conditions or by design verification tests [9]. Waksman, Souzzo, and Sethumadhavan proposed a
UCI-class analysis for nearly-unused circuit identification [21], which aims to find gates and their inputs that very
rarely impact the outputs of a logic circuit. In the same class of unused circuit identification methods, VeriTrust,
which was proposed by Zhang et al., performs a logic analysis to identify the unused inputs of a logic circuit [22].
Malicious hardware able to evade the UCI analysis are discussed next.
Sturton et al. proposed to create a circuit in which no pair of dependent signals are always equal under the
non-trigger condition [23]. This is equivalent to saying that the logic circuitry inscribed by these signals is not idle.
In their work the authors do not mention whether it is always possible to generate such a circuit and with what
design effort. Circuits with frequency modulation are always active; therefore, there are not any circuit existance
concerns in the proposed logic.
Zhang and Xu [24] and later Zhang, Yuan, and Xu [25] have proposed implementations to evade Trojan detection
through tests in the UCI class. Rather than implementing a very rare global trigger condition, which is not activated
during standard verification but can be captured by UCI and deemed suspicious, the authors propose to implement
sub-trigger conditions that can be each covered by standard verification. This way, the sub-trigger conditions will
not be labeled as suspicious. Then, these sub-trigger conditions are integrated using logic operators. However, the
global trigger condition output is idle until the condition is activated. This is one weakness of this technique. A
second weakness, which is acknowledged by the authors, is that it is nearly impossible to sensitize all non-trigger
April 6, 2020 DRAFT
conditions, which in turn could cause the Trojans to be detected by UCI techniques. To evade the UCI techniques
without exercising all non-trigger conditions, the trigger condition needs to be carefully partitioned such that
the probability of each sub-trigger condition is increased. This requirement is in contradiction with the need of
as-controllable-as-possible Trojan’s payload, making the design and implementation of a hardware Trojan very
challenging [24]. The proposed logic family with frequency modulation can escape the UCI tests while ensuring
the flexibility of controlling the payload.
Krieg, Wolf, and Jantsch have proposed an RTL-level Trojan [26]. Their malicious circuit is triggered under the
control of the software tool at the time when the FPGA bitstream is generated; therefore, any test performed at the
RTL level will not raise suspicion. The described logic family with frequency modulation allows the implementation
of hardware Trojans at the RTL level but without the help of any software tool, which will allow the distribution
of the IP in RTL form.
A second major detection method of malicious circuits is based on side-channel analysis, in which circuit
parameters, such as propagation delay or power consumption, are estimated or measured to determine the Trojan
contribution [10], [12]. Hiding (or concealing) countermeasures maintain a constant power consumption; thus, the
hardware Trojan is stealthy. This is a problem related to attack and defense of cryptosystems based on power
consumption [27]–[29].
In the third major detection method of malicious circuits monitoring architectures can be deployed on chip
to indicate whether the original physical placement or layout of the integrated circuit design has been changed.
Examples in this class include the use of ring oscillators [12], [13]. Recall that the hardware Trojan logic family
is designed to infect synthesizable IPs for FPGAs, for which an original physical placement not yet exists. This
makes the monitoring architectures immaterial for this paper.
IV. LOGIC FAMILY WITH FREQUENCY MODULATION
Similar to the Illinois Malicious Processor, which includes a state machine that looks for a special sequence of
bytes on the data bus to activate the Trojan’s payload [30], the proposed hardware Trojan is activated by a specific
(long) string of processor operation codes. Since each operation code is part of the processor architecture, it will
be sensitized during functional testing and, therefore, will escape a UCI-class analysis. It will be understood that
a Trojan’s activation based on a string of operation codes is given in this paper by way of example and not by
limitation. Other (long) strings of events can be conceived to trigger the proposed Trojan.
In order to evade a UCI-class analysis the output of any gate implementing the trigger circuit must not be
idle. Synthesizable Trojans mapped onto FPGAs would require that gates and circuits with continuous activity be
implemented with standard primitives, which are abundant in the reconfigurable fabric. This is achieved by a logic
family with frequency modulation described below.
In standard logic, the information is encoded into the amplitude of the signal, where Logic ’1’ is encoded
as a large amplitude signal, VDD, and Logic ’0’ is encoded as a small amplitude signal, GND. In the proposed
logic the information is encoded into the frequency of a periodic signal, where Logic ’1’ is encoded as a high
frequency signal, f1, and Logic ’0’ is encoded as a low frequency signal, f0. The signal modulation in frequency
April 6, 2020 DRAFT
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
S
FDSE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
0
1
Gate
Logic
Standard
Set/Reset
D Q
CE
C
R
FDRE
CLK
SYNC
A∆
B∆
F(A∆,B∆)
F∆(A∆,B∆)
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
S
FDSE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
0
1
Set/Reset
D Q
CE
C
R
FDRE
CLK
B∆
B SYNC
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
S
FDSE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
0
1
Set/Reset
D Q
CE
C
R
FDRE
CLK
A∆
A SYNC
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
S
FDSE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
Set/Reset
SYNC
4321STAGE: 5 6 7 8
CSR 0
CSR 1
CSR 2
CSR 3
Fig. 1: Logic gate with frequency modulation implemented with circular shift registers.
is implemented with a set of Circular Shift Registers (CSR), as shown in Figure 1. The remainder of the discussion
will consider CSRs with eight stages if not stated otherwise. Figure 2 summarizes the logic states in the proposed
logic family with frequency modulation in which f1 = 1/4 · fCLK and f0 = 1/8 · fCLK.
Logic Logic States in each Stage
Frequency
Encoding 1 2 3 4 5 6 7 8
0 0 0 0 0 0 0 0 1 1/8 · fCLK
1 0 0 0 1 0 0 0 1 1/4 · fCLK
Fig. 2: Frequency modulation logic stage encoding.
The implementation of a 2-input logic gate with Frequency Modulation (FM) is shown in Figure 1. The circular
April 6, 2020 DRAFT
shift register CSR_0 generates the synchronization signal, SY NC. This is achieved by a FDSE flip-flop on Stage 4.
The other three circular shift registers, CSR_1, CSR_2, and CSR_3, generate the intermediate and final signals.
They each have a FDSE flip-flop on Stage 8. The initial state that occurs after the RESET signal is activated is
shown in Figure 3.
Shift Logic States in each Stage
Frequency
Register 1 2 3 4 5 6 7 8
CSR_0 0 0 0 1 0 0 0 0 not relevant
CSR_1 0 0 0 0 0 0 0 1 1/8 · fCLK
CSR_2 0 0 0 0 0 0 0 1 1/8 · fCLK
CSR_3 0 0 0 0 0 0 0 1 1/8 · fCLK
Fig. 3: Reset states for shift registers shown in Figure 1.
The input signals A and B are first converted from standard logic to FM logic. After eight clock cycles, the
delayed signals A∆ and B∆ become available to drive the standard logic gate (e.g., AND, NAND, OR, NOR, XOR,
XNOR, etc.) to generate F (A∆ ,B∆). After another eight clock cycles the output F ∆(A∆,B∆) is generated. Figure 4
summarizes the operation of the FM OR gate. The standard logic values are combined in Stage 4, and the result
will be stored in Stage 5 in the output shift register. It is apparent that the latency of the FM gate is 8 stage delays,
which is needed for the result to make a complete turn in the circular shift register.
Signals
Logic States in each Stage
Frequency
1 2 3 4 5 6 7 8
Sync 0 0 0 1 0 0 0 0 not relevant
A∆ = 0 0 0 0 0 0 0 0 1 1/8 · fCLK
B∆ = 1 0 0 0 1 0 0 0 1 1/4 · fCLK
F∆1 = 1 1 0 0 0 1 0 0 0 1/4 · fCLK
F∆2 = 1 0 1 0 0 0 1 0 0 1/4 · fCLK
. . .
F∆7 = 1 0 0 1 0 0 0 1 0 1/4 · fCLK
F∆8 = 1 0 0 0 1 0 0 0 1 1/4 · fCLK
Fig. 4: OR gate with frequency modulation.
The standard logic gate and the multiplexor, which are both dark grayed in the figure, can be implemented in a
single LUT, where one input is the synchronization signal, SY NC, and the other two inputs are A∆ and B∆ . It can
be observed that the LUT output will never stay at a constant level; thus, it will evade a UCI analysis.
April 6, 2020 DRAFT
If an FM logic gate with more that five inputs is to be implemented, then multiple LUTs are needed. In this case
it must be ensured that none of the LUT outputs will stay at a constant level. For example, two LUTs are needed
to implement the following seven-input function F :
F = (A∆ ⊕B∆)
︸ ︷︷ ︸
LUT1
+G(X ∆,Y ∆,Z∆,V ∆ ,W ∆,SY NC)
︸ ︷︷ ︸
LUT2
If, for some reason, A∆ = B∆ , then A∆ ⊕B∆ ≡ 0. To avoid a constant value which is detectable through a UCI
analysis, F needs to be implemented with two FM gates, which guarantees activity at each FM gate output.
As mentioned, no activity can be detected through UCI techniques. Only the clock should exhibit a very high
level of activity. Any other function that exhibits such a high level of activity will be suspicious. In FM logic, the
shortest length of the circular shift register is 4, in which case the activity is 25% for FM Logic ’0’ and 50% for
FM Logic ’1’. Figure 1 shows circular shift registers with eight stages, which means that the activity is 12.5%
for FM Logic ’0’ and 25% for FM Logic ’1’. By increasing the length of the circular shift registers the activity
level decreases serving the purpose of hiding the Trojan. An additional benefit of longer circular shift registers is
that they allow for the implementation of multi-level logic. For example, in a circular shift register of length 8,
extra information can be encoded into Stages 2 and 6.
Let a string of four consecutive events α, β, γ, and δ be the very rare combination that triggers the hardware Trojan.
These events can correspond, for example, to four specific operation codes issued in an attacked processor. Figure 5
presents an event synchronization circuitry, which forces the signals A, B, C, and D to be simultaneously ’1’ when
those four operations are issued in the order α−β− γ−δ. This activates the function F ∆(A,B,C,D) = A ·B ·C ·D,
which in turn triggers the hardware Trojan.
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
D Q
CE
C
R
FDRE
CLK
Reset
Event α
A
Reset
Event β
B
Reset
Event γ
C
Reset
Event δ
D
Fig. 5: Event synchronization circuitry.
April 6, 2020 DRAFT
According to Figure 1, it is apparent that the Trojan’s activation is captured into F ∆(A,B,C,D) only if signal
F (A,B,C,D) switches to ’1’ synchronously with signal SY NC. There are no provisions in Figure 5 to ensure
such a synchronization. One possible solution is to program the processor ro read the state of the SY NC signal and
issue the operation codes just in time to achieve the synchronization. A second solution is to issue the triggering
string of operation codes a number of times at different time intervals, such that the synchronization is statistically
achieved.
In Figure 1 it is also apparent that the Trojan’s activation signal, F ∆ , remains active for eight clock cycles. If
this activation needs to be locked, then the locking circuit shown in Figure 6 can be used.
0 0 0 0/1 0 0 10/1
A∆
B∆
FPGA LUT
S5S4
SY NC
X
Y FPGA
Primitive
0
1
Fig. 6: Locking AND gate with frequency modulation.
The proposed logic family supports the implementation of locking gates. As an example, a two-input locking
AND gate with frequency modulation is shown in Figure 6. In the initial state S4 = ’0’. If A∆ and B∆ are
not simultaneously ’1’, then X = ’0’, Y = ’0’, and S5 = ’0’; therefore, the FM state ’0’ is preserved. If
A∆ = B∆ = ’1’, then X = ’1’, Y = ’1’, and S5 = ’1’; thus, the FM state switches to ’1’. After seven cycles
S4 = ’1’, Y = ’1’, and S5 = ’1’, which means that the FM state ’1’ is preserved independently of the input
signals A∆ and B∆ .
The input signals A∆ and B∆ exhibit FM switching activity: S4 = ’0’/’1’ (it carries one bit of information),
S8 = ’1’, and S1 = S2 = S3 = S5 = S6 = S7 = ’0’. As a result, signals X and Y are not constant, which allows
them to escape the UCI detection. Signal SY NC switches periodically, so it does not pose any detection problem.
V. PROTECTING HARDWARE TROJANS WITH FREQUENCY MODULATION TO POWER CONSUMPTION ATTACKS
The deployment of hardware Trojans introduces physical variables. Their implementation provides side-channel
information (e.g. power consumption, electromagnetic emissions, propagation delay) that defenders can use to reveal
their existance. Agrawal et al. have argued that this is a serious threat for malicious hardware, since even a hardware
Trojan that includes only a 16-bit counter, an 8-bit sequential comparator, and a 3-bit combinational comparator is
large enough to consume the power necessary for its detection [31]. These findings are in line with Potkonjak et al.,
who have shown that gate-level characterization based on timing and power consumption measurements can help
with the detection of hardware Trojans [32]. It has also been reported that a network of Ring Oscillators, which
are similar to those used in the proposed logic family with frequency modulation, can provide sufficient sensitivity
to detect changes in power consumption generated by malicious circuitry [12]. In addition, the field-programmable
April 6, 2020 DRAFT
gate arrays are notable for their large power consumption. As a consequence, reconfigurable implementations are
even more vulnerable than ASICs to side-channel analysis [33], [34].
Given the above-mentioned considerations it is apparent that building a stealthy hardware Trojan requires the
elimination of the relationships between data and power consumption, and between operations and power consumption.
There are two ways to achieve this [29]: (i) hiding (also called concealing), which makes the power consumption
independent relative to the processed data and/or operations, and (ii) masking, which randomizes the power
consumption. In this paper, only the hiding technique is used in securing the hardware Trojan.
Recall that the CMOS power consumption has two components: (i) dynamic and (ii) static (also referred to
as leakage). In order for a hardware Trojan to be stealthy, it must be robust enough to evade analyses based
on each and every power consumption component. A common approach is to use Dual-Rail Logic (DRL) [29],
which balances the dynamic power consumption into a constant value through differential encoding in which the
information is encoded with direct and complementary signals. DRL operates in two alternating phases: precharge,
during which both the direct and complementary signals are set to a common Low value, and evaluation, during
which either the direct signal (which encodes logic ’1’) or the complementary signal (which encodes logic ’0’) will
perform a transition to a High value. This way, exactly one High-to-Low transition during the precharge phase and
one Low-to-High transition during the evaluation phase occur in this two-phase operation irrespective of the logic
state (’0’ or ’1’) being encoded. The consequence is a constant dynamic power consumption.
Measures to increase robustness against analyses based on static power consumption have also been proposed
[6]. The main idea in concealing the leakage is to ensure that the number of states in logic ’0’ is always equal to
the number of states in logic ’1’. Since the circuit exhibits symmetry, the leakage power consumption is constant.
0 0 0 0 0 00 1 0 0 0 0 00 11
1 0111111 0 1 011111
(a) FM Logic ’0’
(d) Swapped FM Logic ’1’
(b) FM Logic ’1’
(c) Swapped FM Logic ’0’
Fig. 7: Power consumption concealment.
The power consumption concealment is achieved through hardware replication. Figure 7 shows that the circular
shift register is replicated such that for each CSR storing FM Logic ’0’ (a) there is a dual CSR storing FM Logic
’1’ (b). The CSRs (a) and (b) are replicated into (c) and (d) such that the number of states in standard logic ’0’
equals the number of states in standard logic ’1’. This conceals the leakage power consumption. By providing the
dual FM logic, the number of standard transitions 0-to-1 is always 6, and the number of standard transitions 1-to-0
is always 6. This conceals the dynamic power consumption. Also, both frequencies (1/4 · fCLK and 1/8 · fCLK) will
always be present in the side-channel spectrum, which will defuse attacks based on spectrum analysis.
The proposed implementation is significantly simpler than the dual-rail logic since it lacks the precharge and the
evaluation phases. This is possible since the FM logic is based on circular shift registers, which exhibit repetitive
April 6, 2020 DRAFT
switching behavior. Since the standard logic gate and the multiplexor, which are both dark grayed in Figure 1,
can be implemented in a single LUT, their power consumption can be easily concealed by implementing the dual
function in the dual LUT.
After the hardware Trojan is activated, the concealment of the power consumption is no longer needed. The
replicas used in protecting the Trojan can now be used to implement the payload. In a first scenario, replicas 7-(b),
7-(c), and 7-(d) can be disabled upon the activation of the Trojan. This will make power consumption dependent
on the data and operations implemented with frequency-modulated logic, which in turn will allow the attacker to
retrieve secret information through this side channel. In a second scenario, replicas 7-(c) and 7-(d) are disabled,
but both replicas 7-(a) and 7-(b) hold the same FM logic value. This will double the dependence of the power
consumption on data and operations, with beneficial effects in implementing the payload.
VI. DETECTING HARDWARE TROJANS BUILT WITH FREQUENCY-MODULATED LOGIC
It has been shown that the hardware Trojans built with frequency-modulated logic are robust to tests based on
unused-circuit identification and side-channel analysis. A natural question at this point is how such Trojans can be
detected and/or neutralized given their new behavior.
The logic with Frequency Modulation (FM) require a large number of circular shift registers, where a standard
logic gate (or a LUT), a 2:1 multiplexer, and a circular shift register are needed for each FM gate. This pattern,
which can be regarded as a signature of this type of logic, can be the subject of detection attempted at the RTL
level. However, if the HDL code is encrypted, the detection can only be based on side-channel analyses.
It should be observed that the robustness of dual-rail logic circuits mapped onto FPGAs might not be very good,
since the routing imbalance in reconfigurable arrays lowers the effectiveness of this type of logic [7]. This observation
suggests that the hardware Trojans with frequency modulation should be implemented with FPGA primitives (LUT6,
FDRE, FDSE, MUXF7, and MUXF8 ) rather than behavioral HDL code, and the placement should be controlled
with location attributes and constraints. If the resulting Trojan is robust to side-channel analysis, it is legitimate to
investigate other opportunities in defending the circuit.
If the Trojan’s triggering circuitry cannot be detected, then the only chance to defend the circuit is by neutralizing
the Trojan’s payload. This can be achieved, for example, through a Counter-Trojan deployed on the FPGA by the
defender. The Counter-Trojan will perform a spectral analysis to determine if oscillations with frequencies that are
large fractions of fCLK exist. Then it will trigger its own oscillations on the same frequencies to jam the original
payload, so that the attacker is no longer able to communicate with the Trojan. Other proposed techniques are also
worth investigating [8].
VII. CONCLUSION
Defense measures at the RTL, side-channel analysis, and Counter-Trojan levels have been described to mitigate
the risk of a novel security vulnerability disclosure.
REFERENCES
[1] M. Banga and M. S. Hsiao, “Trusted RTL: Trojan Detection Methodology in Pre-Silicon Designs,” in Proc. 2010 IEEE International
Symposium on Hardware-Oriented Security and Trust (HOST 2010), Anaheim, California, Jul. 2010, pp. 56–59.
April 6, 2020 DRAFT
[2] X. Zhang and M. Tehranipoor, “Case Study: Detecting Hardware Trojans in Third-Party Digital IP Cores,” in Proc. 2011 IEEE International
Symposium on Hardware-Oriented Security and Trust (HOST 2011), San Diego, California, Jun. 2011, pp. 67–70.
[3] F. Wolff, C. Papachristou, S. Bhunia, and R. S. Chakraborty, “Toward Trojan-Free Trusted ICs: Problem Analysis and Detection Scheme,”
in Proc. 2011 Design, Automation & Test in Europe (DATE 2008), Munich, Germany, Mar. 2008, pp. 1362–1365.
[4] R. S. Chakraborty and S. Bhunia, “Security against Hardware Trojan through a Novel Application of Design Obfuscation,” in Proc. 2009
International Conference on Computer-Aided Design (ICCAD 2009), San Jose, California, Nov. 2009, pp. 113–116.
[5] M. Tehranipoor and F. Koushanfar, “A Survey of Hardware Trojan Taxonomy and Detection,” IEEE Design & Test of Computers, vol. 27,
no. 1, pp. 10–25, January/February 2010.
[6] B. Halak, J. Murphy, and A. Yakovlev, “Power Balanced Circuits for Leakage-Power-Attacks Resilient Design,” in 2015 Science and
Information Conference (SAI 2015), London, UK, Jul. 2015, pp. 1178–1183.
[7] K. Tiri and I. Verbauwhede, “A Logic Level Design Methodology for a Secure DPA Resistant ASIC or FPGA Implementation,” in Proc.
Design, Automation, & Test in Europe Conference and Exposition (DATE’04), vol. 1. Paris, France, Feb. 2004, pp. 246–251.
[8] B. Zhou, W. Zhang, S. Thambipillai, J. T. K. Jin, V. Chaturvedi, and T. Luo, “Cost-Efficient Acceleration of Hardware Trojan Detection
Through Fan-Out Cone Analysis and Weighted Random Pattern Technique,” IEEE Transactions on Computer-Aided Design of Integrated
Circuits and Systems, vol. 35, no. 5, pp. 792–805, May 2016.
[9] M. Hicks, M. Finnicum, S. T. King, M. M. Martin, and J. M. Smith, “Overcoming an Untrusted Computing Base: Detecting and Removing
Malicious Hardware Automatically,” in Proc. 2010 IEEE Symposium on Security and Privacy (SP 2010), Oakland, California, May 2010,
pp. 159–172.
[10] L. Lin, M. Kasper, T. Güneysu, C. Paar, and W. Burleson, “Trojan Side-Channels: Lightweight Hardware Trojans through Side-Channel
Engineering,” in Proc. International Workshop on Cryptographic Hardware and Embedded Systems (CHES 2009), ser. Lecture Notes in
Computer Science (LNCS), vol. 5747. Springer, Sep. 2009, pp. 382–395.
[11] R. Rad, J. Plusquellic, and M. Tehranipoor, “A Survey Analysis of Power Signal Methods for Detecting Hardware Trojans under Real
Process and Environmental Conditions,” IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 18, no. 12, pp. 1735–1744,
Dec. 2010.
[12] X. Zhang and M. Tehranipoor, “RON: An On-Chip Ring Oscillator Network for Hardware Trojan Detection,” in Proc. 2011 Design,
Automation & Test in Europe (DATE 2011), Grenoble, France, Mar. 2011.
[13] J. Rilling, D. Graziano, J. Hitchcock, T. Meyer, X. Wang, P. Jones, and J. Zambreno, “Circumventing a Ring Oscillator Approach
to FPGA-Based Hardware Trojan Detection,” in Proc. 29th International Conference on Computer Design (ICCD 2011), Amherst,
Massachusetts, Oct. 2011, pp. 289–292.
[14] Y. Jin, N. Kupp, and Y. Makris, “Experiences in Hardware Trojan Design and Implementation,” in Proc. 2009 IEEE International Symposium
on Hardware-Oriented Security and Trust (HOST 2009), San Francisco, California, Jul. 2009, pp. 50–57.
[15] G. T. Becker, A. Lakshminarasimhan, L. Lin, S. Srivathsa, V. B. Suresh, and W. Burelson, “Implementing Hardware Trojans: Experiences
from a Hardware Trojan Challenge,” in Proc. 29th International Conference on Computer Design (ICCD 2011), Amherst, Massachusetts,
Oct. 2011, pp. 301–304.
[16] R. Karri, J. Rajendran, and M. Tehranipoor, “Trustworthy Hardware: Identifying and Classifying Hardware Trojans,” Computer, vol. 43,
no. 10, pp. 39–46, Oct. 2010.
[17] J. M. Simkins and B. D. Philofsky, “Structures and Methods for Implementing Ternary Adders / Subtractors in Programmable Logic
Devices,” U.S. Patent 7,274,211 B1, Sep. 2007, Xilinx Incorporated.
[18] Xilinx, Inc., “7 Series FPGAs Memory Resources: User Guide,” San Jose, California, User Guide UG473, v1.13, Feb. 2019.
[19] ——, “Vivado Design Suite 7 Series FPGA and Zynq-7000 SoC Libraries Guide,” San Jose, California, User Guide UG953, v2018.3,
Dec. 2018.
[20] X. Wang, M. Tehranipoor, and J. Plusquellic, “Detecting Malicious Inclusions in Secure Hardware: Challenges and Solutions,” in Proc.
2008 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST 2008), Anaheim, California, Jun. 2008, pp. 15–19.
[21] A. Waksman, M. Souzzo, and S. Sethumadhavan, “FANCI: Identification of Stealthy Malicious Logic Using Boolean Functional Analysis,”
in Proc. 2013 ACM/SIGSAC Conference on Computer and Communications Security (CCS ’13), Berlin, Germany, Nov. 2013, pp. 697–708.
[22] J. Zhang, F. Yuan, L. Wei, Y. Liu, and Q. Xu, “VeriTrust: Verification for Hardware Trust,” IEEE Transactions on Computer-Aided Design
of Integrated Circuits and Systems, vol. 34, no. 7, pp. 1148–1161, Jul. 2015.
[23] C. Sturton, M. Hicks, D. Wagner, and S. T. King, “Defeating UCI: Building Stealthy and Malicious Hardware,” in Proc. 2011 IEEE
Symposium on Security and Privacy (SP 2011), Berkeley, California, May 2011, pp. 64–77.
April 6, 2020 DRAFT
[24] J. Zhang and Q. Xu, “On Hardware Trojan Design and Implementation at Register-Transfer Level,” in Proc. IEEE International Workshop
on Hardware-Oriented Security and Trust (HOST 2013), Austin, Texas, Aug. 2013, pp. 107–112.
[25] J. Zhang, F. Yuan, and Q. Xu, “DeTrust: Defeating Hardware Trust Verification with Stealthy Implicitly-Triggered Hardware Trojans,” in
Proc. 2014 ACM/SIGSAC Conference on Computer and Communications Security (CCS ’14), Scottsdale, Arizona, Nov. 2014, pp. 153–166.
[26] C. Krieg, C. Wolf, and A. Jantsch, “Malicious LUT: A Stealthy FPGA Trojan Injected and Triggered by the Design Flow,” in Proc. 2016
IEEE/ACM International Conference on Computer-Aided Design (ICCAD 2016), Austin, Texas, Nov. 2016, pp. 1–8.
[27] P. Kocher, J. Jaffe, and B. Jun, “Differential Power Analysis,” in Proc. 19th Annual International Cryptology Conference (CRYPTO ’99),
ser. Lecture Notes in Computer Science (LNCS), vol. 1666. Springer, Dec. 1999, pp. 388-397.
[28] E. Brier, C. Clavier, and F. Olivier, “Correlation Power Analysis with a Leakage Model,” in Proc. 6th International Workshop on
Cryptographic Hardware and Embedded Systems (CHES 2004), ser. Lecture Notes in Computer Science (LNCS), vol. 3156, Springer,
Aug. 2004, pp. 16–29.
[29] S. Mangard, E. Oswald, and T. Popp, Power Analysis Attacks: Revealing the Secrets of Smart Cards. Springer Science+Business Media,
2010.
[30] S. T. King, J. Tucek, A. Cozzie, C. Grier, W. Jiang, and Y. Zhou, “Designing and Implementing Malicious Hardware,” in First USENIX
Workshop on Large-Scale Exploits and Emergent Threats (LEET ’08), San Francisco, California, Apr. 2008.
[31] D. Agrawal, S. Baktir, D. Karakoyunlu, P. Rohatgi, and B. Sunar, “Trojan Detection using IC Fingerprinting,” in Proc. 2010 IEEE
Symposium on Security and Privacy (SP 2007), Berkeley, California, May 2007, pp. 296–310.
[32] M. Potkonjak, A. Nahapetian, M. Nelson, and T. Massey, “Hardware Trojan Horse Detection Using Gate-Level Characterization,” in Proc.
46th ACM/IEEE Design Automation Conference (DAC 2009), San Francisco, California, Jul. 2009, pp. 688–693.
[33] S. B. Örs, E. Oswald, and B. Preneel, “Power-Analysis Attacks on an FPGA – First Experimental Results,” in Proc. 5th International
Workshop on Cryptographic Hardware and Embedded Systems (CHES 2003), Cologne, Germany, Sep. 2003, pp. 35–50.
[34] F.-X. Standaert, S. B. Örs, J.-J. Quisquater, and B. Preneel, “Power Analysis Attacks Against FPGA Implementations of the DES,” in
Proc. 14th International Conference on Field Programmable Logic and Applications (FPL 2004), ser. Lecture Notes in Computer Science
(LNCS), vol. 3203, Springer-Verlag, Aug.-Sep. 2004, pp. 84–94.
April 6, 2020 DRAFT
