CN111460529A - Hardware Trojan horse detection and positioning method and system - Google Patents

Publication number: CN111460529A
Authority: CN (China)
Prior art keywords: chip, electromagnetic radiation, signal, electromagnetic, hardware trojan
Legal status: Granted
Application number: CN202010184947.8A
Other languages: Chinese (zh)
Other versions: CN111460529B (en)
Inventors: 侯波, 王力纬, 恩云飞, 雷登云, 黄云
Current Assignee: China Electronic Product Reliability and Environmental Testing Research Institute
Original Assignee: China Electronic Product Reliability and Environmental Testing Research Institute
Application filed by China Electronic Product Reliability and Environmental Testing Research Institute
Priority to CN202010184947.8A
Publication of CN111460529A
Application granted
Publication of CN111460529B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/76 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in application-specific integrated circuits [ASIC] or field-programmable devices, e.g. field-programmable gate arrays [FPGA] or programmable logic devices [PLD]
    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01R MEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
    • G01R31/00 Arrangements for testing electric properties; Arrangements for locating electric faults; Arrangements for electrical testing characterised by what is being tested not provided for elsewhere
    • G01R31/28 Testing of electronic circuits, e.g. by signal tracer
    • G01R31/2851 Testing of integrated circuits [IC]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines

Abstract

The invention relates to a hardware Trojan horse detection and positioning method and system. The method comprises the following steps: applying an excitation signal, which comprises inputting a square wave signal at the clock input terminal of the chip to be detected and applying a working voltage $V_{DD}$ between the power input terminal and the ground wire; detecting an electromagnetic radiation signal of each area of the chip to be detected under the excitation signal; acquiring electromagnetic data of each area of a normal chip and comparing the electromagnetic radiation signal of each area with the electromagnetic data; if the electromagnetic radiation signal of every area stays within the upper limit and the lower limit of the electromagnetic data, judging that the chip to be detected has no hardware Trojan; if there are areas whose electromagnetic radiation signal falls outside the upper and lower limits, judging that a hardware Trojan exists in those areas; wherein the electromagnetic data is obtained by testing the electromagnetic radiation of a normal chip under the excitation signal. The invention can effectively improve the detection rate of hardware Trojans.

Description

Hardware Trojan horse detection and positioning method and system
Technical Field
The invention relates to circuit testing, in particular to a hardware Trojan horse detection and positioning method and a hardware Trojan horse detection and positioning system.
Background
The global development of the integrated circuit (IC) industry and the foundry model have spread the integrated circuit industry chain, previously located in one country, around the world. In addition, to shorten the design cycle of an integrated circuit, third-party IP (3PIP) and EDA (electronic design automation) tools are widely used in integrated circuit design. As a result, the integrated circuit industry chain is not fully controllable, and malicious attackers may implant malicious circuits, called "hardware trojans," into an integrated circuit/chip. A hardware trojan is a malicious circuit implanted into an integrated circuit to realize a specific function; FIG. 1 shows the integrated circuit industry chain and the links where a hardware trojan may be implanted.
A hardware trojan is a circuit structure that is implanted during the design and manufacture of an integrated circuit and is activated when the circuit is in operation. Compared with software trojans, which can be removed by antivirus software, a hardware trojan cannot be changed after the IC is manufactured and can be removed only by replacing the IC. Harmfulness and concealment are the fundamental characteristics of hardware trojans. The harm caused by hardware trojans mainly includes information leakage, denial of service, function change, performance degradation and the like.
Disclosure of Invention
Accordingly, there is a need for a hardware Trojan horse detection and positioning method and system.
A hardware Trojan horse detection and positioning method comprises the following steps: applying an excitation signal, which comprises inputting a square wave signal at the clock input terminal of the chip to be detected and applying a working voltage $V_{DD}$ between the power input terminal and the ground wire; detecting an electromagnetic radiation signal of each area of the chip to be detected under the excitation signal; acquiring electromagnetic data of each area of a normal chip and comparing the electromagnetic radiation signal of each area with the electromagnetic data; if the electromagnetic radiation signal of every area stays within the upper limit and the lower limit of the electromagnetic data, judging that the chip to be detected has no hardware trojan; if there are areas whose electromagnetic radiation signal falls outside the upper and lower limits, judging that a hardware trojan exists in those areas; wherein the electromagnetic data is obtained by testing the electromagnetic radiation of a normal chip under the excitation signal.
In one embodiment, the square wave signal is a square wave voltage digital signal with a constant period and constant duty cycle.
In one embodiment, the step of detecting the electromagnetic radiation signal of each region of the chip to be detected under the excitation signal comprises: converting the electromagnetic signal into a voltage signal with an electromagnetic probe; amplifying the voltage signal with an amplifying circuit; and obtaining voltage data over time with an oscilloscope.
In one embodiment, the step of testing the electromagnetic radiation of the normal chip under the excitation signal is to test the electromagnetic radiation of a plurality of same normal chips under the excitation signal.
In one embodiment, testing the electromagnetic radiation of the normal chip under the excitation signal includes: calculating a characteristic value of the data of each area of all tested normal chips, classifying the characteristic values of each area with a one-class support vector machine, and determining a boundary line. The step of comparing the electromagnetic radiation signal of each region with the electromagnetic data comprises: calculating characteristic values of the electromagnetic radiation signals; if the characteristic values of the electromagnetic radiation signals of all the areas are within the boundary line, judging that the chip to be detected has no hardware Trojan; and if there are areas whose characteristic values are outside the boundary line, judging that those areas contain a hardware Trojan.
In one embodiment, testing the electromagnetic radiation of the normal chip under the excitation signal includes: obtaining a plurality of identical normal chips and numbering them $IC_k$ ($k = 1, 2, \ldots, p$), where $p$ is the number of chips; dividing each normal chip into an m × n grid, denoted $Net_{ij}$ ($i = 1, 2, \ldots, m$; $j = 1, 2, \ldots, n$); applying the excitation signal to chip $IC_k$ and testing the electromagnetic radiation signal of each grid to obtain the voltage curve $V_{ij}$ corresponding to the electromagnetic radiation of each grid; obtaining a voltage curve matrix $V_{k,ij}$ after all normal chips are tested; and calculating characteristic values from the voltage curve matrix $V_{k,ij}$, classifying them with a one-class support vector machine, and determining the boundary line $bd_{ij}$.
In one embodiment, the step of detecting the electromagnetic radiation signal of each region of the chip to be detected under the excitation signal comprises detecting the electromagnetic radiation signals of the chip to be detected, divided into m × n grids, to obtain the voltage curve $V_{dut,ij}$ corresponding to the electromagnetic radiation of each grid, and calculating a characteristic value $E_{ij}$ from the voltage curve $V_{dut,ij}$. The step of comparing the electromagnetic radiation signal of each region with the electromagnetic data is to compare the characteristic value $E_{ij}$ with the boundary line $bd_{ij}$.
The present application further provides another hardware Trojan horse detection and positioning method, wherein in the step of applying the excitation signal in any one of the foregoing embodiments, the voltage applied between the power input terminal and the ground wire is replaced by a second square wave signal, whose high voltage is the working voltage $V_{DD}$ and whose low voltage is 0 volts.
A hardware trojan detection and location system, comprising: the excitation module is used for inputting a square wave signal at the clock input end of the chip to be detected and applying working voltage between the power supply input end and the ground wire; the electromagnetic field detection module is used for detecting an electromagnetic radiation signal of each area of the chip to be detected under the excitation signal; the Trojan horse determination module is used for acquiring electromagnetic data of each area of a normal chip, comparing the electromagnetic radiation signal of each area with the electromagnetic data, and if the electromagnetic radiation signal of each area does not exceed the upper limit and the lower limit of the electromagnetic data, determining that the chip to be detected has no hardware Trojan horse; if the areas with the electromagnetic radiation signals exceeding the upper limit and the lower limit exist, judging that hardware trojans exist in the areas; wherein the electromagnetic data is obtained by testing electromagnetic radiation of a normal chip under the excitation signal.
A hardware trojan detection and location system, comprising: the excitation module is used for inputting a first square wave signal at the clock input terminal of the chip to be detected and applying a second square wave signal between the power input terminal and the ground wire, the high voltage of the second square wave signal being the working voltage $V_{DD}$ and the low voltage being 0 volts; the electromagnetic field detection module is used for detecting an electromagnetic radiation signal of each area of the chip to be detected under the excitation signal; the Trojan horse determination module is used for acquiring electromagnetic data of each area of a normal chip, comparing the electromagnetic radiation signal of each area with the electromagnetic data, and if the electromagnetic radiation signal of every area stays within the upper limit and the lower limit of the electromagnetic data, determining that the chip to be detected has no hardware Trojan horse; if there are areas whose electromagnetic radiation signal falls outside the upper and lower limits, judging that a hardware trojan exists in those areas; wherein the electromagnetic data is obtained by testing electromagnetic radiation of a normal chip under the excitation signal.
The hardware Trojan horse detection and positioning method and system rely on the principle that a hardware Trojan must be connected to the chip clock network: a square wave signal is input at the clock input terminal of the chip to be detected, and the electromagnetic radiation signal of each area of the chip under this excitation is acquired and compared with the electromagnetic data of the corresponding area of a normal chip. Because the chip to be detected and the normal chip use the same excitation signal, and the logic gates and metal interconnection lines that connect the hardware trojan to the chip clock network inevitably change the electromagnetic field, the comparison reveals whether each area of the chip to be detected contains a hardware trojan. The method and system effectively improve the detection rate of hardware Trojans without damaging the chip to be detected, and can detect a chip containing a hardware Trojan circuit before the chip is used in a system, ensuring the safety of the system.
Drawings
For a better understanding of the description and/or illustration of embodiments and/or examples of those inventions disclosed herein, reference may be made to one or more of the drawings. The additional details or examples used to describe the figures should not be considered as limiting the scope of any of the disclosed inventions, the presently described embodiments and/or examples, and the presently understood best modes of these inventions.
FIG. 1 is a schematic diagram of an integrated circuit industry chain and a hardware Trojan horse that may be implanted;
FIG. 2 is a schematic view of the current and magnetic field distribution of a metal interconnect line;
FIG. 3 is a schematic diagram of an on-chip clock network;
FIG. 4 is a schematic diagram of an on-chip clock network after implantation of a hardware Trojan;
FIG. 5 is a schematic diagram of the detection principle of the present application;
FIG. 6 is a flow diagram of a hardware Trojan horse detection and location method in one embodiment;
FIG. 7 is a diagram illustrating hardware Trojan detection in one embodiment;
FIG. 8 is a flow diagram illustrating the sub-steps of step S120 in one embodiment.
Detailed Description
To facilitate an understanding of the invention, the invention will now be described more fully with reference to the accompanying drawings. Preferred embodiments of the present invention are shown in the drawings. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
It will be understood that when an element or layer is referred to as being "on," "adjacent to," "connected to," or "coupled to" other elements or layers, it can be directly on, adjacent to, connected or coupled to the other elements or layers or intervening elements or layers may be present. In contrast, when an element is referred to as being "directly on," "directly adjacent to," "directly connected to" or "directly coupled to" other elements or layers, there are no intervening elements or layers present. It will be understood that, although the terms first, second, third, etc. may be used to describe various elements, components, regions, layers and/or sections, these elements, components, regions, layers and/or sections should not be limited by these terms. These terms are only used to distinguish one element, component, region, layer or section from another element, component, region, layer or section. Thus, a first element, component, region, layer or section discussed below could be termed a second element, component, region, layer or section without departing from the teachings of the present invention.
Spatial relational terms such as "under," "below," "beneath," "above," "over," and the like may be used herein for convenience in describing the relationship of one element or feature to another element or feature as illustrated in the figures. It will be understood that the spatially relative terms are intended to encompass different orientations of the device in use or operation in addition to the orientation depicted in the figures. For example, if the device in the figures is turned over, then elements or features described as "below" or "beneath" other elements or features would then be oriented "above" the other elements or features. Thus, the exemplary terms "below" and "under" can encompass both an orientation of above and below. The device may be otherwise oriented (rotated 90 degrees or at other orientations) and the spatial descriptors used herein interpreted accordingly.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term "and/or" includes any and all combinations of the associated listed items.
It should be understood that the steps in the embodiments of the present application are not necessarily performed in the order indicated by the step numbers. Unless explicitly stated otherwise, the steps are not restricted to the exact order shown and described, and may be performed in other orders. Moreover, at least some of the steps in various embodiments may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the order of performing the sub-steps or stages is not necessarily sequential, but may be performed in turn or alternately with other steps or at least some of the sub-steps or stages of other steps.
An exemplary method for detecting a hardware trojan is to apply a test vector to a chip to enable the chip to enter a working state, simultaneously test an electromagnetic field on the surface of the chip, and perform hardware trojan detection by comparing the magnetic fields of an original chip and the chip to be detected. The method needs to apply a test vector to a chip, the test vector needs to activate the hardware Trojan horse, and the hardware Trojan horse is extremely difficult to activate due to the characteristic of high concealment of the hardware Trojan horse, so that the method is not strong in practicability and cannot detect the hardware Trojan horse which is difficult to activate.
Another exemplary method for detecting hardware trojan horse is to use the quiescent current of multiple power pads in the chip to detect. The method utilizes a power supply network distributed all over a chip and measures static current (IDDQ) on a plurality of power supply pads connected with the power supply network simultaneously to detect the hardware Trojan horse. Specifically, four power supply pads (PP00, PP01, PP11, PP10) on the chip are connected to the global current source and the local current source through physical switches. The Trojan horse simulation source meter provides power signals for the Trojan horse. The physical switch switches between the global current source table and the local current source table. One of the four power supply pads is sequentially connected with the local current source table, the other three power supply pads are connected with the global current source table, and the current is measured to detect the hardware trojan horse. If a hardware Trojan is implanted near one power supply pad, a larger static current appears on the power supply pad, the hardware Trojan can be detected by adopting the method, and the detection sensitivity of the hardware Trojan is improved by combining a power supply signal calibration technology and a test vector noise reduction technology. The method detects the hardware trojan by simultaneously testing the quiescent current on the power pad connected with the power network. However, after the chip is packaged, the plurality of power supplies are connected together, so that the test cannot be performed on the plurality of power supply pads respectively, the static current value is often very small, the requirement on the precision of the current detection equipment is high, and the test cost is high. In addition, the method cannot realize positioning of the hardware trojan.
The inventive principle of the present application is described as follows:
The integrated circuit is composed of MOS transistors and metal interconnection lines, wherein the metal interconnection lines are used for interconnection among the MOS transistors. When a varying current passes through a metal interconnection line, a magnetic field is generated, as shown in FIG. 2. The magnitude and direction of the magnetic field are related to the magnitude and direction of the current on the metal interconnection line.
The clock (clk) network in an integrated circuit is formed by driving logic gates and metal interconnection lines distributed throughout the chip, as shown in FIG. 3. The triangles in FIG. 3 represent the driving logic gates.
When a malicious attacker implants a hardware trojan in a chip, the hardware trojan needs to be connected to the clock network, as shown in FIG. 4. This changes the clock network: the added driving logic and metal interconnection lines change the layout and the current, which inevitably changes the magnetic field at that position.
Based on the principle that the change of a clock network caused by a hardware trojan further causes the change of a magnetic field of a chip, a schematic diagram of the principle provided by the application is shown in fig. 5. The method comprises the steps of applying a square wave signal to a clock end of a chip, detecting the size of a magnetic field of each point on the surface of the chip through an electromagnetic probe, obtaining a voltage curve through oscilloscope testing, and respectively obtaining the voltage curve of each point on the surface of an original chip (namely the chip without the hardware Trojan horse) and the voltage curve of each point on the surface of a hardware Trojan horse chip.
FIG. 6 is a flowchart of a hardware Trojan horse detection and location method in an embodiment, including the following steps:
S110, applying an excitation signal.
A square wave signal is input at the clock input terminal of the chip to be detected, and a working voltage $V_{DD}$ is applied between the power input terminal and the ground wire. In one embodiment, the square wave signal is a square wave voltage digital signal with a constant period and constant duty cycle. Inputting the square wave signal at the clock input terminal keeps the working state of the chip stable, which makes changes in the electromagnetic radiation signal easier to distinguish.
In this embodiment, apart from applying the working voltage $V_{DD}$ between the power input terminal and the ground wire, the excitation only requires a square wave signal at the clock input terminal. No signals need to be input at the other input terminals of the chip; that is, there is no need to drive all the input terminals in order to specifically activate the hardware trojan.
S120, detecting an electromagnetic radiation signal of each area of the chip to be detected under the excitation signal.
In one embodiment, the chip to be inspected is divided into m × n grids, electromagnetic radiation signals of the grids are detected, and the electromagnetic radiation signals of each grid are recorded separately.
S130, acquiring electromagnetic data of each area of the normal chip, comparing the electromagnetic data with an electromagnetic radiation signal of the chip to be detected, and judging whether Trojan horse exists or not.
The electromagnetic data of the normal chip (namely the original chip) is obtained by testing the electromagnetic radiation of the normal chip under the excitation signal. In one embodiment, the normal chip is also divided into m × n grids, the electromagnetic radiation of each grid is tested and recorded as the electromagnetic data, and the upper limit and the lower limit of the electromagnetic data of each grid are defined according to a conventional method.
The hardware Trojan horse detection and positioning method relies on the principle that a hardware Trojan must be connected to the chip clock network: a square wave signal is input at the clock input terminal of the chip to be detected, and the electromagnetic radiation signal of each area of the chip under this excitation is acquired and compared with the electromagnetic data of the corresponding area of a normal chip. Because the chip to be detected and the normal chip use the same excitation signal, and the logic gates and metal interconnection lines that connect the hardware trojan to the chip clock network inevitably change the electromagnetic field, the comparison reveals whether each area of the chip to be detected contains a hardware trojan. After the excitation signal is applied, the corresponding electromagnetic radiation signal is generated whether or not the hardware Trojan is activated. The method therefore effectively improves the detection rate of hardware Trojans, does not damage the chip to be detected, and can detect a chip containing a hardware Trojan circuit before the chip is used in a system, ensuring the safety of the system.
FIG. 7 is a diagram illustrating hardware Trojan detection in an embodiment. In this embodiment, the step S120 includes the following steps (refer to fig. 8) in detecting each region:
S122, converting the electromagnetic signal into a voltage signal through the electromagnetic probe.
The electromagnetic probe is placed above the chip grid currently being detected to acquire the electromagnetic radiation signal of that region. The electromagnetic probe converts the magnetic field into a voltage signal.
S124, amplifying the voltage signal through an amplifying circuit.
Because the electromagnetic radiation signal collected by the electromagnetic probe is weak, the voltage signal converted from it is amplified by the amplifying circuit so that it can be observed conveniently on the oscilloscope.
S126, obtaining voltage data changing along with time through an oscilloscope.
The voltage data may be sent to a data analysis module for analysis, and a mean value thereof calculated, etc.
In one embodiment, the normal chip data obtained in step S130 is obtained by testing electromagnetic radiation of a plurality of identical normal chips under the aforementioned excitation signal. It will be appreciated that these normal chips should be of the same type as the chip to be tested.
In one embodiment, step S130 classifies the electromagnetic data using a Support Vector Machine (SVM) and uses the resulting boundary lines as the upper and lower limits. Specifically, the step of acquiring electromagnetic data of each area of the normal chip in step S130 includes: calculating a characteristic value of the data of each area of all tested normal chips, and classifying the characteristic values of each area with a one-class support vector machine (one-class SVM) to determine a boundary line. The step of comparing the electromagnetic radiation signal of each region with the electromagnetic data in step S130 includes: calculating characteristic values of the electromagnetic radiation signals; if the characteristic values of the electromagnetic radiation signals of every area are within the boundary line, judging that the chip to be detected has no hardware Trojan; and if there are areas whose characteristic values are outside the boundary line, judging that those areas contain a hardware Trojan. In this embodiment, because a one-class support vector machine is used, the electromagnetic data is obtained by training on normal chips rather than on chips containing a Trojan, so different types of hardware Trojans can be detected.
How to acquire the electromagnetic data of each region of the normal chip in step S130 is described below by a specific example:
S231, obtaining a plurality of identical normal chips and numbering them IC_k (k = 1, 2, ..., p), where p is the number of chips.
S232, dividing each normal chip into m × n grids, recorded as Net_ij (i = 1, 2, ..., m; j = 1, 2, ..., n).
S233, applying an excitation signal to chip IC_k and testing the electromagnetic radiation signal of each grid to obtain the voltage curve V_ij corresponding to the electromagnetic radiation of each grid. The excitation signal consists of a square wave signal input at the clock input end of chip IC_k and the working voltage V_DD applied between the power input terminal and the ground line of chip IC_k.
S234, repeating steps S231-S233 until all normal chips are tested, obtaining a voltage curve matrix V_k,ij.
S235, calculating characteristic values from the voltage curve matrix V_k,ij (the characteristic value can be the mean, the variance, etc.) and classifying them with a one-class support vector machine to determine the boundary line bd_ij of each grid; over all grids, the boundary-line matrix is BD = {bd_ij} (i = 1, 2, ..., m; j = 1, 2, ..., n).
Correspondingly, step S120 includes detecting the electromagnetic radiation signals of the chip to be detected, which is divided into m × n grids, obtaining a voltage curve V_dut,ij corresponding to the electromagnetic radiation of each grid, and then calculating a characteristic value E_ij from the voltage curve V_dut,ij. The items and methods used to calculate the characteristic value E_ij are the same as those of step S235.
Accordingly, the step of comparing the electromagnetic radiation signal of each region with the electromagnetic data in step S130 compares the characteristic value E_ij of each grid Net_ij with the boundary line bd_ij. If the characteristic value E_ij of every grid Net_ij is within the boundary line bd_ij, the chip to be detected is judged to have no hardware Trojan; if there are grids whose characteristic value E_ij lies outside the boundary line bd_ij, those grids are judged to contain hardware Trojans.
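The per-grid baseline and comparison of steps S231 to S235, as an added example that is not code from the patent: the voltage curves are constructed synthetically, grid indices are 0-based, and a mean ± k·standard-deviation envelope per characteristic value stands in for the one-class SVM boundary bd_ij. The grid size, chip count, amplitudes, noise levels and k are all assumptions chosen for illustration.

```python
import random
import statistics

M, N = 4, 4      # grid is m x n (constructed size)
P = 20           # number of known-good reference chips p (constructed)
SAMPLES = 200    # oscilloscope samples per grid trace (constructed)
PERIOD = 20      # samples per clock period, 50% duty cycle

def build_chip(rng, trojan_at=None):
    """Constructed stand-in for a probe scan: chip[i][j] is the voltage curve of Net_ij."""
    chip = []
    for i in range(M):
        row = []
        for j in range(N):
            amp = 0.10 + 0.01 * (i * N + j) + rng.gauss(0, 0.003)  # process variation
            if trojan_at == (i, j):
                amp += 0.05  # assumed extra clock-coupled emission from added logic
            row.append([(amp if t % PERIOD < PERIOD // 2 else -amp) + rng.gauss(0, 0.02)
                        for t in range(SAMPLES)])
        chip.append(row)
    return chip

def features(trace):
    """Characteristic values of one voltage curve: mean and variance."""
    return (statistics.fmean(trace), statistics.pvariance(trace))

def fit_boundaries(reference, k=6.0):
    """Build BD = {bd_ij}: per grid, a (lower, upper) limit for each feature.
    Swapped-in technique: mean +/- k*stdev over the p chips, not a one-class SVM."""
    bd = []
    for i in range(M):
        row = []
        for j in range(N):
            per_chip = [features(chip[i][j]) for chip in reference]
            limits = []
            for values in zip(*per_chip):  # one feature across all p chips
                mu, sd = statistics.fmean(values), statistics.stdev(values)
                limits.append((mu - k * sd, mu + k * sd))
            row.append(limits)
        bd.append(row)
    return bd

def locate(dut, bd):
    """Return the (i, j) grids whose E_ij lies outside bd_ij; empty means no Trojan found."""
    flagged = []
    for i in range(M):
        for j in range(N):
            e_ij = features(dut[i][j])
            if any(not lo <= v <= hi for v, (lo, hi) in zip(e_ij, bd[i][j])):
                flagged.append((i, j))
    return flagged

def demo(seed=7):
    """Fit on P clean chips, then scan one clean DUT and one DUT altered at grid (2, 1)."""
    rng = random.Random(seed)
    bd = fit_boundaries([build_chip(rng) for _ in range(P)])
    clean = locate(build_chip(rng), bd)
    infected = locate(build_chip(rng, trojan_at=(2, 1)), bd)
    return clean, infected

if __name__ == "__main__":
    print(demo())
```

In this constructed data the mean of a 50% duty-cycle trace is insensitive to the added amplitude, so it is the variance feature that moves outside its limits; which characteristic values separate well on real probe data has to be established on the reference chips.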
Based on the hardware Trojan detection and positioning method of any one of the above embodiments, the present application correspondingly provides a hardware Trojan detection and positioning system, including:
the excitation module is used for inputting a square wave signal at the clock input end of the chip to be detected and applying working voltage between the power supply input end and the ground wire;
the electromagnetic field detection module is used for detecting an electromagnetic radiation signal of each area of the chip to be detected under the excitation signal;
the Trojan horse determination module is used for acquiring electromagnetic data of each area of a normal chip, comparing the electromagnetic radiation signal of each area with the electromagnetic data, and if the electromagnetic radiation signal of each area does not exceed the upper limit and the lower limit of the electromagnetic data, determining that the chip to be detected has no hardware Trojan horse; if the areas with the electromagnetic radiation signals exceeding the upper limit and the lower limit exist, judging that hardware trojans exist in the areas; wherein the electromagnetic data is obtained by testing electromagnetic radiation of a normal chip under the excitation signal.
The present application further provides another hardware Trojan horse detection and positioning method, which differs from any of the foregoing embodiments in that, in step S110, the signal input between the power input terminal of the chip to be tested and the ground line is changed from the stable DC working voltage V_DD to a second square wave signal whose high voltage is the working voltage V_DD and whose low voltage is 0. Similarly, the electromagnetic data of each area of the normal chip obtained in step S130 is also obtained with the signal input between the power input terminal and the ground line of the normal chip replaced by the second square wave signal.
Based on the hardware Trojan horse detection and positioning method, the application also provides another hardware Trojan horse detection and positioning system, which comprises:
the excitation module is used for inputting a first square wave signal at the clock input end of the chip to be detected and applying a second square wave signal between the power input end and the ground wire, wherein the high voltage of the second square wave signal is the working voltage V_DD and the low voltage is 0 volts;
the electromagnetic field detection module is used for detecting an electromagnetic radiation signal of each area of the chip to be detected under the excitation signal;
the Trojan horse determination module is used for acquiring electromagnetic data of each area of a normal chip, comparing the electromagnetic radiation signal of each area with the electromagnetic data, and if the electromagnetic radiation signal of each area does not exceed the upper limit and the lower limit of the electromagnetic data, determining that the chip to be detected has no hardware Trojan horse; if the areas with the electromagnetic radiation signals exceeding the upper limit and the lower limit exist, judging that hardware trojans exist in the areas; wherein the electromagnetic data is obtained by testing electromagnetic radiation of a normal chip under the excitation signal.
The hardware Trojan horse detection and positioning method and system rely on the principle that a hardware Trojan must be connected to the chip clock network: a square wave signal is input at the clock input end of the chip to be detected, the electromagnetic radiation signal of each area of the chip under excitation is acquired, and it is compared with the electromagnetic data of each area of a normal chip. Because the chip to be detected and the normal chip use the same excitation signal, the logic gates and metal interconnection lines of a hardware Trojan connected to the chip clock network inevitably change the electromagnetic field, so comparison can determine whether each area of the chip to be detected contains a hardware Trojan. The method and system can effectively improve the detection rate of hardware Trojans without damaging the chip to be detected, can detect a chip containing a hardware Trojan circuit before the chip is used in a system, and thereby ensure the safety of the system.
Those skilled in the art will appreciate that all or a portion of the processes in the methods of the embodiments described above may be implemented by a computer program, which may be stored in a non-volatile computer-readable storage medium and which, when executed, may include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. RAM is available in a variety of forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), Rambus dynamic RAM (RDRAM), and the like.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments express only several embodiments of the present invention, and although their description is relatively specific and detailed, they are not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the inventive concept, and these fall within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A hardware Trojan horse detection and positioning method is characterized by comprising the following steps:
applying an excitation signal, comprising inputting a square wave signal at the clock input end of the chip to be detected and applying a working voltage V_DD between the power input end and the ground wire;
detecting an electromagnetic radiation signal of each area of the chip to be detected under the excitation signal;
acquiring electromagnetic data of each area of a normal chip, comparing the electromagnetic radiation signal of each area with the electromagnetic data, and if the electromagnetic radiation signal of each area does not exceed the upper limit and the lower limit of the electromagnetic data, judging that the chip to be detected has no hardware Trojan; if the areas with the electromagnetic radiation signals exceeding the upper limit and the lower limit exist, judging that hardware trojans exist in the areas; wherein the electromagnetic data is obtained by testing electromagnetic radiation of a normal chip under the excitation signal.
2. The hardware Trojan horse detection and location method according to claim 1, wherein said square wave signal is a square wave voltage digital signal with a constant period and constant duty cycle.
3. The hardware Trojan horse detection and localization method according to claim 1, wherein the step of detecting the electromagnetic radiation signal of each region of the chip to be detected under the excitation signal comprises:
converting the electromagnetic signal into a voltage signal by an electromagnetic probe;
amplifying the voltage signal by an amplifying circuit;
obtaining voltage data over time by an oscilloscope.
4. The hardware Trojan horse detection and localization method according to any one of claims 1 to 3, wherein the testing of the electromagnetic radiation of a normal chip under the excitation signal is testing of the electromagnetic radiation of a plurality of identical normal chips under the excitation signal.
5. The hardware Trojan horse detection and location method according to claim 4, wherein the testing electromagnetic radiation of a normal chip under the excitation signal comprises: calculating a characteristic value of the data of each area of all normal chips to be tested, classifying the characteristic value of each area through a classification support vector machine, and determining a boundary line;
said step of comparing said electromagnetic radiation signal of each said region with said electromagnetic data comprises: and calculating characteristic values of the electromagnetic radiation signals, if the characteristic values of the electromagnetic radiation signals of all the areas are in the boundary line, judging that the chip to be detected has no hardware Trojan, and if the areas with the characteristic values of the electromagnetic radiation signals outside the boundary line exist, judging that the areas have the hardware Trojan.
6. The hardware Trojan horse detection and location method according to claim 5, wherein the testing electromagnetic radiation of a normal chip under the excitation signal comprises:
obtaining a plurality of identical normal chips and numbering them IC_k (k = 1, 2, ..., p), where p is the number of chips;
dividing each normal chip into m × n grids, recorded as Net_ij (i = 1, 2, ..., m; j = 1, 2, ..., n);
applying the excitation signal to chip IC_k, and testing the electromagnetic radiation signal of each grid to obtain a voltage curve V_ij corresponding to the electromagnetic radiation of each grid;
obtaining a voltage curve matrix V_k,ij after all normal chips are tested;
calculating characteristic values from the voltage curve matrix V_k,ij, classifying them by a classification support vector machine, and determining the boundary line bd_ij.
7. The hardware Trojan horse detection and positioning method as claimed in claim 6, wherein the step of detecting the electromagnetic radiation signal of each region of the chip to be detected under the excitation signal comprises detecting the electromagnetic radiation signal of the chip to be detected divided into m × n grids to obtain a voltage curve V_dut,ij corresponding to the electromagnetic radiation of each grid, and calculating a characteristic value E_ij according to said voltage curve V_dut,ij;
said step of comparing said electromagnetic radiation signal of each said region with said electromagnetic data is to compare said characteristic value E_ij with the boundary line bd_ij.
8. A hardware trojan detection and location system, comprising:
the excitation module is used for inputting a square wave signal at the clock input end of the chip to be detected and applying working voltage between the power supply input end and the ground wire;
the electromagnetic field detection module is used for detecting an electromagnetic radiation signal of each area of the chip to be detected under the excitation signal;
the Trojan horse determination module is used for acquiring electromagnetic data of each area of a normal chip, comparing the electromagnetic radiation signal of each area with the electromagnetic data, and if the electromagnetic radiation signal of each area does not exceed the upper limit and the lower limit of the electromagnetic data, determining that the chip to be detected has no hardware Trojan horse; if the areas with the electromagnetic radiation signals exceeding the upper limit and the lower limit exist, judging that hardware trojans exist in the areas; wherein the electromagnetic data is obtained by testing electromagnetic radiation of a normal chip under the excitation signal.
9. A hardware Trojan horse detection and positioning method, characterized in that in the step of applying the excitation signal according to any one of claims 1 to 7, the voltage applied between the power supply input end and the ground wire is replaced by a second square wave signal, wherein the high voltage of the second square wave signal is the working voltage V_DD and the low voltage is 0 volts.
10. A hardware trojan detection and location system, comprising:
the excitation module is used for inputting a first square wave signal at the clock input end of the chip to be detected and applying a second square wave signal between the power input end and the ground wire, wherein the high voltage of the second square wave signal is the working voltage V_DD and the low voltage is 0 volts;
the electromagnetic field detection module is used for detecting an electromagnetic radiation signal of each area of the chip to be detected under the excitation signal;
the Trojan horse determination module is used for acquiring electromagnetic data of each area of a normal chip, comparing the electromagnetic radiation signal of each area with the electromagnetic data, and if the electromagnetic radiation signal of each area does not exceed the upper limit and the lower limit of the electromagnetic data, determining that the chip to be detected has no hardware Trojan horse; if the areas with the electromagnetic radiation signals exceeding the upper limit and the lower limit exist, judging that hardware trojans exist in the areas; wherein the electromagnetic data is obtained by testing electromagnetic radiation of a normal chip under the excitation signal.
CN202010184947.8A 2020-03-17 2020-03-17 Hardware Trojan detection and positioning method and system Active CN111460529B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010184947.8A CN111460529B (en) 2020-03-17 2020-03-17 Hardware Trojan detection and positioning method and system

Publications (2)

Publication Number Publication Date
CN111460529A true CN111460529A (en) 2020-07-28
CN111460529B CN111460529B (en) 2023-07-14

Family

ID=71683180

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010184947.8A Active CN111460529B (en) 2020-03-17 2020-03-17 Hardware Trojan detection and positioning method and system

Country Status (1)

Country Link
CN (1) CN111460529B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant