{"title":"Trusted RTL: Trojan detection methodology in pre-silicon designs","authors":"Mainak Banga, M. Hsiao","doi":"10.1109/HST.2010.5513114","journal":{"name":"2010 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST)","volume":"2 1","pages":"56-59"},"publicationDate":"2010-06-13","publicationTypes":"Journal Article","isOpenAccess":false,"citationCount":"117","platform":"Semanticscholar","ListUrlMain":"https://doi.org/10.1109/HST.2010.5513114"}
Trusted RTL: Trojan detection methodology in pre-silicon designs
In this paper, we propose a four-step approach to filter and locate malicious insertion(s) implanted in a third-party Intellectual Property (3PIP). In our approach, we first remove those easy-to-detect signals whose activation and propagation are easy using functional vectors. The remaining signals are subjected to an N-detect full-scan ATPG tool to identify those which are functionally hard to excite and/or propagate. But unlike recognizing hard-to-detect signal(s), the behavioral change brought about by these insertion(s) needs to be taken into account to narrow down their implantation locations. So in our third step, the detection conditions of suspect signals are cross-checked against the spec by a suspect-signal-guided equivalence checking set-up. Finally, a region isolation approach is applied on the filtered signals to determine clusters of untestable gates in the circuit. Experimental results on ISCAS'89 benchmarks show that we are able to return a very small set of candidate locations where the stealthy malicious insertion could reside.