Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

TroLLoc: Logic Locking and Layout Hardening for IC Security Closure against Hardware Trojans

Fangzhou Wang, Qijing Wang, Lilas Alrahis, Bangqi Fu, Shui Jiang, Xiaopeng Zhang, Ozgur Sinanoglu, Tsung-Yi Ho, Evangeline F. Y. Young, Johann Knechtel

TL;DR

The paper tackles the critical problem of hardware Trojans in outsourced IC supply chains by introducing TroLLoc, a proactive defense that combines logic locking with layout hardening. It develops a security-and-design-aware synthesis flow, including a two-stage locking approach, on-demand key lengths, and timing-aware cell selection to maximize security while controlling overhead. Through ISPD'22/23 benchmarks and a battery of second-order attacks (MuxLink, SCOPE, Resynthesis+SCOPE, OMLA), TroLLoc demonstrates robust resistance to Trojan insertion and ML-driven attacks, with measured overheads that remain practical for real-world design. The work also provides release-ready artifacts, underscoring its practical impact for secure IC manufacturing and verification in industry settings.

Abstract

Due to cost benefits, supply chains of integrated circuits (ICs) are largely outsourced nowadays. However, passing ICs through various third-party providers gives rise to many security threats, like piracy of IC intellectual property or insertion of hardware Trojans, i.e., malicious circuit modifications. In this work, we proactively and systematically protect the physical layouts of ICs against post-design insertion of Trojans. Toward that end, we propose TroLLoc, a novel scheme for IC security closure that employs, for the first time, logic locking and layout hardening in unison. TroLLoc is fully integrated into a commercial-grade design flow, and TroLLoc is shown to be effective, efficient, and robust. Our work provides in-depth layout and security analysis considering the challenging benchmarks of the ISPD'22/23 contests for security closure. We show that TroLLoc successfully renders layouts resilient, with reasonable overheads, against (i) general prospects for Trojan insertion as in the ISPD'22 contest, (ii) actual Trojan insertion as in the ISPD'23 contest, and (iii) potential second-order attacks where adversaries would first (i.e., before Trojan insertion) try to bypass the locking defense, e.g., using advanced machine learning attacks. Finally, we release all our artifacts for independent verification [2].

TroLLoc: Logic Locking and Layout Hardening for IC Security Closure against Hardware Trojans

TL;DR

The paper tackles the critical problem of hardware Trojans in outsourced IC supply chains by introducing TroLLoc, a proactive defense that combines logic locking with layout hardening. It develops a security-and-design-aware synthesis flow, including a two-stage locking approach, on-demand key lengths, and timing-aware cell selection to maximize security while controlling overhead. Through ISPD'22/23 benchmarks and a battery of second-order attacks (MuxLink, SCOPE, Resynthesis+SCOPE, OMLA), TroLLoc demonstrates robust resistance to Trojan insertion and ML-driven attacks, with measured overheads that remain practical for real-world design. The work also provides release-ready artifacts, underscoring its practical impact for secure IC manufacturing and verification in industry settings.

Abstract

Due to cost benefits, supply chains of integrated circuits (ICs) are largely outsourced nowadays. However, passing ICs through various third-party providers gives rise to many security threats, like piracy of IC intellectual property or insertion of hardware Trojans, i.e., malicious circuit modifications. In this work, we proactively and systematically protect the physical layouts of ICs against post-design insertion of Trojans. Toward that end, we propose TroLLoc, a novel scheme for IC security closure that employs, for the first time, logic locking and layout hardening in unison. TroLLoc is fully integrated into a commercial-grade design flow, and TroLLoc is shown to be effective, efficient, and robust. Our work provides in-depth layout and security analysis considering the challenging benchmarks of the ISPD'22/23 contests for security closure. We show that TroLLoc successfully renders layouts resilient, with reasonable overheads, against (i) general prospects for Trojan insertion as in the ISPD'22 contest, (ii) actual Trojan insertion as in the ISPD'23 contest, and (iii) potential second-order attacks where adversaries would first (i.e., before Trojan insertion) try to bypass the locking defense, e.g., using advanced machine learning attacks. Finally, we release all our artifacts for independent verification [2].
Paper Structure (37 sections, 2 equations, 5 figures, 8 tables, 1 algorithm)

This paper contains 37 sections, 2 equations, 5 figures, 8 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background and Motivation
  3. Trojans
  4. Real-World Relevance
  5. Working Principles
  6. Threat Modeling
  7. Countermeasures and Their Challenges
  8. Security Closure
  9. Logic Locking
  10. Working Principles
  11. Threat Modeling
  12. Advanced Oracle-Less Attacks
  13. Prior Art and Their Limitations
  14. Locking-Based Trojan Prevention
  15. Layout-Based Trojan Prevention
  16. ...and 22 more sections

Figures (5)

  • Figure 1: High-level overview of work. The two main contributions are the locking scheme, TroLLoc, and the IC security-closure flow. Both are carefully orchestrated together to achieve pre-silicon Trojan prevention.
  • Figure 2: Design of TroLLoc instances. For TroLLoc-MUX or TroLLoc-XOR, respectively, the key-bit is connected to the MUX select line or an XOR/XNOR input. (a) Locking of simple AND/NAND gates. Note that other simple gates are locked similarly, which is not illustrated here. When $K=0$, all TroLLoc instances operate as AND gate; when $K=1$, they function as NAND gate. Therefore, given any such TroLLoc instance, its functionality will remain unknown without the correct key-bit. (b, c) Locking of different types of FFs. For (b), the key-bit dictates which output signal holds Q and which QN; for (c), the key-bit dictates whether Q or QN is put out. For TroLLoc-XOR, we randomly pick only one of the FF's outputs and randomly pick XOR or XNOR as key-gates.
  • Figure 3: Our physical-synthesis flow. (1) Initial synthesis of baseline layouts. (2) Locking of security assets, followed by synthesis. (3) Locking of further components, considering timing and controllability, followed by synthesis.
  • Figure 4: Layout illustrations for the benchmark Camellia under TroLLoc-MUX: (left) baseline layout, i.e., after initial resynthesis; (middle) after first-stage locking of security assets, (right) final protected layout, i.e., after second-stage locking of other cells considering timing and controllability. Cells introduced by TroLLoc-MUX instances are marked in blue, whereas others are marked in grey. The utilization increases from 49.5% (left) to 59.2% (middle), and eventually to 98.9% (right); also recall Footnote \ref{['fn:util']}. Note that layouts heights are reduced here; the original aspect ratio is 1.0.
  • Figure 5: Layout illustrations for the benchmark Camellia, after the Trojan leak targeted is inserted using the ISPD'23 'reg' mode. (Top) Trojan inserted into the baseline layout. (Bottom) Trojan inserted into the final layout as protected by TroLLoc-MUX. All benign cells, including TroLLoc-MUX instances, are marked in grey, whereas Trojan cells are marked in red. Note that layouts heights are reduced here; the original aspect ratio is 1.0.