Programmable EM Sensor Array for Golden-Model Free Run-time Trojan Detection and Localization

Hanqiu Wang, Max Panoff, Zihao Zhan, Shuo Wang, Christophe Bobda, Domenic Forte

TL;DR

This work introduces a programmable on-chip EM sensor array (PSA) to enable run-time hardware Trojan detection, localization, and identification without relying on external measurement setups. The PSA uses a reconfigurable crossbar-like wire grid with transmission-gate switches to adapt sensor shape, size, and position, achieving significantly higher SNR and precise HT localization. Experimental validation on a 65 nm AES-128 test chip demonstrates HT detection and identification in under 10 ms with a 100% detection rate and strong resilience to voltage and temperature variations. The approach offers a practical, low-overhead path to real-time HT monitoring, improving security for trusted production flows and post-fabrication diagnostics.

Abstract

Side-channel analysis has been proven effective at detecting hardware Trojans in integrated circuits (ICs). However, most detection techniques rely on large external probes and antennas for data collection and require a long measurement time to detect Trojans. Such limitations make these techniques impractical for run-time deployment and ineffective in detecting small Trojans with subtle side-channel signatures. To overcome these challenges, we propose a Programmable Sensor Array (PSA) for run-time hardware Trojan detection, localization, and identification. PSA is a tampering-resilient integrated on-chip magnetic field sensor array that can be re-programmed to change the sensors' shape, size, and location. Using PSA, EM side-channel measurement results collected from sensors at different locations on an IC can be analyzed to localize and identify the Trojan. The PSA has better performance than conventional external magnetic probes and state-of-the-art on-chip single-coil magnetic field sensors. We fabricated an AES-128 test chip with four AES Hardware Trojans. They were successfully detected, located, and identified with the proposed on-chip PSA within 10 milliseconds using our proposed cross-domain analysis.

Paper Structure

This paper contains 22 sections, 1 equation, 5 figures, 2 tables.

Figures (5)

  • Figure 1: (a) 3D structure of on-chip PSA where top-level metals form the coils and transmission gate switches in the active layer control the size and shape at each intersection. (Only one MOSFET is shown for simplicity.) (b) An example of PSA topology forming a 2-turn coil. The red dots denote the locations where switches are on. (c) T-gate layout.
  • Figure 2: Sensor deployment, IO pin assignment, and Amoeba module view on the AES128 test chip.
  • Figure 3: Spectrum magnitude comparison between those from the PSA and an external EM probe.
  • Figure 4: Frequency response captured by sensors 10 and 0 for different HTs: red and blue colors represent the Trojan active and inactive cases, respectively.
  • Figure 5: Time-domain signals of the identified prominent frequency components collected from the PSA sensor 10 were recovered with zero-span mode to differentiate different HTs successfully.