CN109557449B - Integrated circuit detection method and system based on selection of difficult-to-test path - Google Patents

Integrated circuit detection method and system based on selection of difficult-to-test path Download PDF

Info

Publication number
CN109557449B
CN109557449B CN201811235172.1A CN201811235172A CN109557449B CN 109557449 B CN109557449 B CN 109557449B CN 201811235172 A CN201811235172 A CN 201811235172A CN 109557449 B CN109557449 B CN 109557449B
Authority
CN
China
Prior art keywords
integrated circuit
probability
path
tested
logic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811235172.1A
Other languages
Chinese (zh)
Other versions
CN109557449A (en
Inventor
叶靖
井鹏飞
李晓维
李华伟
胡瑜
赵鑫
王莉菲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Institute of Computing Technology of CAS
Original Assignee
Institute of Computing Technology of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Institute of Computing Technology of CAS filed Critical Institute of Computing Technology of CAS
Priority to CN201811235172.1A priority Critical patent/CN109557449B/en
Publication of CN109557449A publication Critical patent/CN109557449A/en
Application granted granted Critical
Publication of CN109557449B publication Critical patent/CN109557449B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G01MEASURING; TESTING
    • G01RMEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
    • G01R31/00Arrangements for testing electric properties; Arrangements for locating electric faults; Arrangements for electrical testing characterised by what is being tested not provided for elsewhere
    • G01R31/28Testing of electronic circuits, e.g. by signal tracer
    • G01R31/2851Testing of integrated circuits [IC]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Tests Of Electronic Circuits (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method for selecting a path difficult to test of an integrated circuit. The invention comprises the following steps: calculating and calibrating the probability of a logic value of 0 or 1 by utilizing dynamic and static state cooperative analysis; according to the calculated probability, searching a path with small transmission probability along the jump from the output direction to the input direction; and generating a test vector for the selected path and judging the path validity. According to the invention, the probability calculation precision is improved by a dynamic and static cooperative analysis method, so that a path which is difficult to test in the integrated circuit is effectively found, and an important support is provided for ensuring the test coverage rate of the integrated circuit.

Description

Integrated circuit detection method and system based on selection of difficult-to-test path
Technical Field
The invention relates to the field of information security and integrated circuits, belongs to a selection method of a difficult-to-test path of an integrated circuit, and particularly relates to a detection method and a detection system of the integrated circuit based on the selection of the difficult-to-test path.
Background
The new trend of outsourcing design and manufacturing services, reliance on third party Intellectual Property (IP) cores, and electronic design automation tools make integrated circuits increasingly vulnerable to hardware trojans at different stages of their lifecycle. When untrusted components or people are involved in the IC lifecycle, malicious design modifications may exist at various stages therein, which present a new set of trust verification challenges for the malicious modifications. In particular, this also entails the need for reliable detection of malicious design modifications generated by untrusted manufacturers during post-manufacturing testing. At the same time, a need for trust verification of an IP core obtained from an untrusted third party vendor is also presented.
For the detection of hardware trojans, there are two main methods: one is hardware trojan detection before silicon, which mainly aims at codes in the design process of an integrated circuit, including RTL level, net list level, layout level and the like, and finds malicious codes hidden in the codes; the other is hardware Trojan horse detection after silicon, which mainly aims at manufactured integrated circuits, such as an FPGA (field programmable gate array) and a three-dimensional integrated circuit, and finds malicious circuits hidden in the integrated circuits.
The post-silicon hardware Trojan horse detection method comprises destructive and non-destructive methods, wherein the non-destructive post-silicon detection method is divided into online detection and offline detection. The off-line detection method is generally implemented by comparing a chip to be detected with a reference chip, and if certain characteristics of the chip to be detected, such as power consumption, output response and the like, are far from the reference chip, the chip to be detected is considered to have a hardware Trojan after silicon. The ideal reference chip characteristics, also called golden model, should be the characteristics of the chip to be tested when the hardware is trojan horse after no silicon. The method for detecting the hardware trojan after the silicon is tested mainly comprises two methods: an activation detection method and a side channel detection method.
The activation detection method focuses on test vector generation and activation of the trojan horse circuit and observes its malicious impact on the load at the raw output. This approach is similar in methodology to the traditional stuck-at-fault test, however, the Trojan horse model differs significantly from the fault model. Manufacturing defects are typically modeled as stuck-at faults, with their internal nodes stuck at a particular logical value. The difficulty in testing these faults is to stimulate all internal nodes to all possible logic values and observe the effects at some raw output. Nodes that are difficult to excite or observe are referred to as low controllability nodes and low observability nodes. As the number of gates increases, the number of nodes that are difficult to test also increases, making testing all nodes to achieve full fault coverage an exponentially difficult task. On the other hand, trojan is modeled as a cleverly inserted gate (or set of gates) that is triggered only under rare conditions, exhibiting some malicious functionality. The number of trojan circuits of a particular type and size is an exponential function of the number of circuit nodes, and for a sequential trojan that requires multiple activation of rare events, malicious functions caused by the trojan may not be observed during testing. Finally, because the number of possible trojans is enormous, conventional techniques for estimating fault detection coverage are not well suited for trojan detection. Jha et al propose a randomization-based probabilistic approach to detecting trojans. Wolff et al analyzed rare net combinations in the design, treated these rarely activated nets as Trojan triggers, and low observability nets as payloads, generated a set of test vectors that activated these nets, and combined the test vectors with the traditional ATPG test vectors to activate Trojan.
On the other hand, the side channel analysis method is based on the fact that: any malicious insertion in the IC should be reflected in certain side channel parameters such as leakage current or quiescent supply current (IDDQ), dynamic power trajectory (IDDT), path delay characteristics, electromagnetic radiation (EM) due to switching activity, or a combination of these parameters. For example, if the original circuit has NorigDoor, consumption IorigQuiescent current, N inserted in the circuit for implementing trojan horseorigAn additional gate will increase the current by IorigI can be observed by measuring the power supply current under normal conditionsorig. It is generally considered that the main drawback of these methods is the susceptibility to process and environmental noise, and even noise introduced by the measurement setup can interfere with the analysis, leading to erroneous inferences about the presence of trojans in the circuit. Thus, the Trojan detection problem is considered a statistical event, with the goal of maximizing detection probability while minimizing false alarm rate. Since the trojan circuit is inserted in a factory by modifying the layout of the original design, the size of the trojan circuit is generally considered to be smaller than that of the original design, and an attacker is considered to insert a small amount of extra gates by using the blank space in the layout and rewire the circuit to achieve the malicious purpose. However, the side channel approach has the major advantage over the logical test approach that it can be detected without activating the trojan. Therefore, they are very effective for detecting passive load trojans that do not cause malicious functions but leak secret information through side channels. If the process noise can be calibrated, the loopEnvironmental and measurement noise can be eliminated and the presence of the trojan circuit must be reflected in the measurement parameters.
The hardware trojan based on path delay is a new hardware trojan implantation method which is recently appeared. The method makes the output result of the circuit go wrong under the condition of specific input jumping by modifying the time delay of the logic gate on a complete path in the circuit, thereby achieving the specific purpose of an attacker.
The existing hardware trojan detection method mainly aims at the hardware trojan based on logic, namely the activation condition of the hardware trojan is that a specific signal line meets a specific logic value. However, in the hardware trojan based on the path delay, the triggering condition is that a certain jump can propagate through a specific path, and each logic gate on the path has a certain slight delay variation, so that finally the accumulated delay variation of the circuit is enough to constitute the malicious behavior of the hardware trojan. Because the behavior mechanisms of the hardware trojans are completely different, the existing detection method is difficult to detect the hardware trojans, namely the hardware trojans with paths with smaller transmission probability, and the paths with smaller transmission probability are not searched in the prior art. Therefore, a method for selecting a hard path of an integrated circuit is needed, and such a hardware trojan based on path delay is discovered through testing the hard path.
Disclosure of Invention
In order to solve the above technical problems, the present invention aims to detect a hardware trojan hidden in a "path with a low transmission probability", i.e., a difficult circuit.
Specifically, the invention discloses an integrated circuit detection method based on untenable path selection, which comprises the following steps:
step 1, acquiring an integrated circuit to be tested, and determining the output probability of each logic gate in the integrated circuit to be tested for outputting a specific logic value according to the logic and connection sequence of the logic gates in the integrated circuit to be tested;
step 2, obtaining logic value jump propagation probability of each propagation path of the integrated circuit to be tested according to the output probability, and searching a propagation path corresponding to the logic value jump propagation probability lower than a preset value as a path to be selected;
and 3, generating a test vector, and judging whether the test vector can transmit a logic value jump from the input end to the output end of the path to be selected, if so, taking the path to be selected as a path difficult to test for detecting the hardware Trojan, otherwise, deleting the path to be selected.
The integrated circuit detection method based on the difficult path selection is characterized in that the specific logic value is 0 or 1.
The integrated circuit detection method based on the selection of the difficult path, wherein the step 1 further comprises the following steps:
step 11, inputting the random vector to the input end of the integrated circuit to be tested, and carrying out logic calculation on the output end of the integrated circuit to be tested to obtain a logic value of each connecting line in the integrated circuit to be tested;
step 12, calculating the dynamic probability of each connection line in the integrated circuit to be tested outputting the specific logic value according to the following formula;
Figure BDA0001838031010000041
wherein, Pd(i) Is the dynamic probability of the ith line, n is the total number of the random vectors, n1(i) Under the input of n random vectors, the logical value of a connecting line i is the number of the vectors of the specific logical value;
step 13, setting the static probability of the specific logic value input to the input end of the integrated circuit to be tested to be 0.5, so as to calculate the logic probability to the output end of the integrated circuit to be tested, obtaining the static probability of each connection line in the integrated circuit to be tested outputting the specific logic value,
and step 14, calibrating the static probability according to the dynamic probability and the calibration function to obtain the calibration probability of each connecting line in the integrated circuit to be tested for outputting the specific logic value, and taking the calibration probability as the output probability.
The integrated circuit detection method based on the selection of the difficult-to-detect path, wherein the process of searching the path to be selected in the step 2 specifically comprises the following steps: and searching towards the input end by taking the output logic gate of the integrated circuit to be detected as a starting point, selecting the input connecting line with the smallest logic value jump propagation probability as a jump edge transmission end, and continuously searching towards the input end by taking the logic gate outputting the input connecting line as a new starting point until the input end of the integrated circuit to be detected is reached, and finishing the searching of a path to be selected.
The integrated circuit detection method based on the selection of the difficult-to-test path, wherein the calibration function in step 14 comprises: arithmetic mean function, geometric mean function, harmonic mean function.
The invention also discloses an integrated circuit detection system based on the selection of the unmanaged path, which comprises the following steps:
the output probability calculation module is used for acquiring an integrated circuit to be tested and determining the output probability of each logic gate in the integrated circuit to be tested for outputting a specific logic value according to the logic and connection sequence of the logic gates in the integrated circuit to be tested;
the path searching module is used for obtaining the logic value jump propagation probability of each propagation path of the integrated circuit to be tested according to the output probability and searching a propagation path corresponding to the logic value jump propagation probability lower than a preset value as a path to be selected;
and the Trojan horse detection module is used for generating a test vector and judging whether the test vector can transmit a logic value jump from the input end to the output end of the to-be-selected path, if so, the to-be-selected path is taken as a difficult-to-test path and is used for detecting the hardware Trojan horse, and if not, the to-be-selected path is deleted.
The integrated circuit detection system based on the routing difficulty is characterized in that the specific logic value is 0 or 1.
The integrated circuit detection system based on the difficult path selection, wherein the output probability calculation module further comprises:
inputting the random vector to the input end of the integrated circuit to be tested, and carrying out logic calculation on the output end of the integrated circuit to be tested to obtain the logic value of each connecting line in the integrated circuit to be tested;
calculating the dynamic summary of each connection line in the IC to be tested outputting the specific logic value according to the following formulaRate;
Figure BDA0001838031010000051
wherein, Pd(i) Is the dynamic probability of the ith line, n is the total number of the random vectors, n1(i) Under the input of n random vectors, the logical value of a connecting line i is the number of the vectors of the specific logical value;
setting the static probability of the specific logic value input to the input end of the integrated circuit to be tested to be 0.5, so as to calculate the logic probability to the output end of the integrated circuit to be tested to obtain the static probability of each connection line in the integrated circuit to be tested outputting the specific logic value,
and calibrating the static probability according to the dynamic probability and the calibration function to obtain the calibration probability of each connecting line in the integrated circuit to be tested for outputting the specific logic value, and taking the calibration probability as the output probability.
The integrated circuit detection system based on the selection of the difficult-to-test path specifically comprises the following steps of: and searching towards the input end by taking the output logic gate of the integrated circuit to be detected as a starting point, selecting the input connecting line with the smallest logic value jump propagation probability as a jump edge transmission end, and continuously searching towards the input end by taking the logic gate outputting the input connecting line as a new starting point until the input end of the integrated circuit to be detected is reached, and finishing the searching of a path to be selected.
The integrated circuit detection system based on the difficult path selection, wherein the calibration function comprises: arithmetic mean function, geometric mean function, harmonic mean function.
Therefore, the invention can check whether the circuit has the hardware trojan existing in the path with the smaller transmission probability by determining the difficult path in the circuit.
Drawings
FIG. 1 is a structural design framework of the present invention;
FIG. 2 is a schematic diagram of an example dynamic analysis process of the present invention;
FIG. 3 is a diagram illustrating an example of dynamic analysis results according to the present invention;
FIG. 4 is a diagram illustrating an example of static analysis results according to the present invention;
FIG. 5 is a diagram illustrating an example of dynamic and static analysis results according to the present invention;
FIG. 6 is a schematic diagram of valid test vector generation.
Detailed Description
When the inventor conducts research on the hardware trojan based on the path delay, the principle of the trojan is deeply analyzed, and two important factors which cause the hardware trojan to be difficult to detect are found out:
(1) the hardware trojan with error circuit output after input jump caused by increasing path delay has wider potential activation conditions and is more difficult to detect in actual work or random vector test.
(2) The hardware trojan based on the path delay can add certain small time delay to each logic gate on the path, the small time delay can only cause final output errors after being accumulated, and if only a part of logic gates are selected, the accumulated small time delay can not cause circuit output errors, so that the detection difficulty is also increased.
The inventor provides a brand new circuit detection method for overcoming the two factors through intensive research on the two reasons. Firstly, a method for the output connection line of a dynamic and static cooperative calibration logic gate to be 1 (or 0) probability is provided, and higher probability calculation precision is realized. And secondly, by finding out a plurality of paths with lower transmission probability of the hop edges to cover more logic gates, the probability of detecting the hardware trojan giving path delay is improved. It should be noted that finding a path with a lower transmission probability and covering more logic gates are two objectives, that is, by finding a path with a lower transmission probability and covering more logic gates as much as possible, the probability of detecting a hardware trojan is improved. The present invention is directed to such hardware trojans based on paths with a lower transmission probability. It is not known which path the actual hardware trojan is using at the time of actual testing, so finding a path with a lower transmission probability and covering more logic gates will increase the probability of detecting the actual hardware trojan.
The invention discloses an integrated circuit detection method based on untested path selection, which comprises the following steps:
step 1, acquiring an integrated circuit to be tested, and determining the output probability of each logic gate in the integrated circuit to be tested for outputting a specific logic value according to the logic and connection sequence of the logic gates in the integrated circuit to be tested;
step 2, obtaining logic value jump propagation probability of each propagation path of the integrated circuit to be tested according to the output probability, and searching a propagation path corresponding to the logic value jump propagation probability lower than a preset value as a path to be selected;
and 3, generating a test vector, and judging whether the test vector can transmit a logic value jump from the input end to the output end of the path to be selected, if so, taking the path to be selected as a path difficult to test for detecting the hardware Trojan, otherwise, deleting the path to be selected.
The integrated circuit detection method based on the difficult path selection is characterized in that the specific logic value is 0 or 1.
The integrated circuit detection method based on the selection of the difficult path, wherein the step 1 further comprises the following steps:
step 11, inputting the random vector to the input end of the integrated circuit to be tested, and carrying out logic calculation on the output end of the integrated circuit to be tested to obtain a logic value of each connecting line in the integrated circuit to be tested;
step 12, calculating the dynamic probability of each connection line in the integrated circuit to be tested outputting the specific logic value according to the following formula;
Figure BDA0001838031010000071
wherein, Pd(i) Is the dynamic probability of the ith line, n is the total number of the random vectors, n1(i) Under the input of n random vectors, the logical value of a connecting line i is the number of the vectors of the specific logical value;
step 13, setting the static probability of the specific logic value input to the input end of the integrated circuit to be tested to be 0.5, so as to calculate the logic probability to the output end of the integrated circuit to be tested, obtaining the static probability of each connection line in the integrated circuit to be tested outputting the specific logic value,
and step 14, calibrating the static probability according to the dynamic probability and the calibration function to obtain the calibration probability of each connecting line in the integrated circuit to be tested for outputting the specific logic value, and taking the calibration probability as the output probability.
The integrated circuit detection method based on the selection of the difficult-to-detect path, wherein the process of searching the path to be selected in the step 2 specifically comprises the following steps: and searching towards the input end by taking the output logic gate of the integrated circuit to be detected as a starting point, selecting the input connecting line with the smallest logic value jump propagation probability as a jump edge transmission end, and continuously searching towards the input end by taking the logic gate outputting the input connecting line as a new starting point until the input end of the integrated circuit to be detected is reached, and finishing the searching of a path to be selected.
In order to make the aforementioned features and effects of the present invention more comprehensible, embodiments accompanied with figures are described in detail below.
Therefore, the invention provides a detection method aiming at a hardware Trojan horse possibly existing based on path delay, and the steps are as follows:
A. for the integrated circuit to be tested, the probability that all the connecting lines output logic values of 1 or 0 is calculated by adopting a dynamic and static cooperative analysis method, and 1 is taken as an example for introduction in the following, wherein:
a11, step A, the dynamic analysis method means that the circuit to be tested is simulated by using the random vector, so as to obtain the dynamic probability P that all the connection logic values are 1dIn an integrated circuit, an input vector is composed of 0 and 1 bits, for example, in fig. 2, the circuit has 8 inputs, and when viewed from the vertical, the first column 00011001 is an input vector, and the second column 11000000 is an input vector, where:
each random vector described in step a111 and step a11 refers to input data containing logic values with equal probability of 0 and 1, and the number of random vectors is determined by the tester, for example, in fig. 2, the circuit has 8 inputs, so the bit number of each input vector is 8, and in fig. 2, a total of 5 input vectors (5 columns are illustrated), and the number of input vectors is 5. The larger the number, the more accurate the probability is, but the longer the time is, conversely, the smaller the number, the shorter the time is, but the accuracy of the probability is lost;
a112, the simulation in the step A11 means that the random vector in the step A111 is input into the circuit to be tested, then the logic calculation is carried out from the input end to the output end of the circuit, and the logic value of the output connecting line of each logic gate with known input logic value is calculated until all the connecting lines of the circuit to be tested calculate the logic value;
a113, step A11, wherein the probability that the connection logical value is 1 is as follows:
Figure BDA0001838031010000081
wherein, Pd(i) The dynamic probability is obtained by simulation of the ith connecting line, n is the total number of the random vectors A11, and n is1(i) The number of vectors with the logic value of 1 of a connecting line i under the input of n random vectors is referred to.
A12, the static analysis method of step A, means that the static probability Ps of the input logic value 1 (or 0) of the circuit to be tested is set to be 0.5, the logic probability calculation is performed from the input end to the output end, for a logic gate, according to the logic, under the condition that the static probabilities of all the inputs of the logic gate are known, the static probability of the output connection line of the logic gate is calculated, until the static probability is calculated for all the connection lines of the circuit to be tested. Wherein, Ps(i) The static probability of the wire is output for the ith logic gate.
A13 the dynamic and static cooperative analysis method of step A, which is a result P of dynamic analysis methoddResult P of the calibration of the static analysis methodsFinally, obtaining a calibration probability P (i) with a calibrated connection logic value of 1, comprising the following steps:
a131, setting the calibration probability of all inputs of a circuit to be tested to be 0.5;
a132, carrying out logic probability calculation from the input end to the output end of the circuit, and calculating the output static probability of a logic gate according to the logic of the logic gate under the condition that the input calibration probability of the logic gate is known;
a133, if Pd(i) Is equal to Ps(i) Then P (i) ═ Pd(i)=Ps(i) Otherwise, P (i) ═ Func { Pd(i),Ps(i) The Func function is a calibration function, defined by the tester according to the actual situation, and 3 calibration functions are listed below, but not limited to the 3 calibration functions:
a1331, arithmetic mean function, | Pd(i)-Ps(i)|<Δ1Then, then
Figure BDA0001838031010000082
Otherwise, P (i) ═ Pd(i);
A1332, geometric mean function, | Pd(i)-Ps(i)|<Δ2Then, then
Figure BDA0001838031010000083
Otherwise, P (i) ═ Ps(i);
A1333, harmonic mean function, when | Pd(i)-Ps(i)|<Δ3Then, then
Figure BDA0001838031010000091
Otherwise, ". Wherein, Delta1、Δ2、Δ3Can be determined by the tester from the actual circuit.
And A134, if all the connecting lines of the circuit to be tested calculate the calibration probability, finishing the calculation, and otherwise, returning to A12 to continue the calculation.
B. And searching a path with low logic value jump propagation probability from the circuit to be tested according to the calibration probability, wherein the path with low logic value jump propagation probability is input with a jump to the path, and the output of the path also has low probability of jumping. For example, if the input of a path is originally 0, the 0 is changed into 1, a transition from 0 to 1 is generated, and then the output of the path is originally 1, because the propagation probability of the path is small, the output is likely to be 1 after the input is transitioned, and no change occurs. The method comprises the following steps:
b1, selecting the output connection L which is selected least and has the smallest calibration probability from the circuit to be testedj,LjIs a logic gate GjThe output connection of (1);
b2 as GjAs a starting point, to GjThe input direction of (2) selects a logic gate, and the logic gate G is arrangedjRespectively is Lj1,Lj2,Lj3…..LjnP (j1), P (j2), P (j3) …. P (jn) are Lj1,Lj2,Lj3…..LjnAccording to the logic of the logic gate, the probability of the logic value jump of all input connecting lines of the logic gate to the output connecting line of the logic gate is calculated, and 3 cases are searched forward, namely for the logic gate GjIn other words, a logic gate G is providedjZ-th input line Ljz(1<z is less than or equal to n) the probability of propagating the logic value jump to the output line of the logic gate is PPz(j):
B21, if logic gate GjZ-th input connection line Ljz(1<z ≦ n) has not been selected and PPz(j)=Min{PP1(j),PP2(j)…..PPn(j) Selecting the z-th input connection line as a logic value edge-jumping transmission line, and continuously selecting a logic gate in the input direction by taking the logic gate outputting the connection line as a new starting point until the input end of the circuit to be tested is found, and finishing the path searching;
b22, if logic gate GjIf several input lines have been selected, the slave logic gate GjSelecting a minimum connection line L of PPp (j) from all unselected connection linesjp(1<p is less than or equal to n), the p-th input connection line is used as a logic value edge-skipping transmission line, the logic gate outputting the connection line is used as a new starting point, the logic gate is continuously selected towards the input direction until the input end of the circuit to be detected is found, and one path is found to be finished;
b23, if logic gate GjHas been selected, the slave logic gate GjAn input connecting line with the least selected times is selected from all the connecting lines to be used as a logic value edge-skipping transmission line,and taking the logic gate outputting the connection line as a new starting point, and continuously selecting the logic gate towards the input direction until the input end of the circuit to be tested is found, and one path finding is finished.
And B3, finishing searching one path, judging whether the number of searched paths exceeds m, finishing the searching if the number of searched paths exceeds m, and returning to the step B to continue searching if the number of searched paths exceeds m, wherein m is defined by a tester.
C. And generating effective test vectors for the searched path, wherein the effective test vectors meet the requirement that a logic value jump can be transmitted from the input end to the output end of the searched path, if the effective test vectors exist, the effective test vectors are reserved, and if the effective test vectors do not exist, the path is deleted. Where generating a valid test vector for a path refers to generating a vector that is capable of propagating transitions from the input of the path to the output of the path. For example, in FIG. 6, there are three inputs a, b, and c, and a valid test vector is generated for path a- > d- > e, i.e. it is expected that when a changes from 0 to 1, e can also change from 0 to 1 (or from 1 to 0, i.e. a transition occurs). Then in this circuit the valid test vector is abc to 010, when a changes from 0 to 1, d changes from 0 to 1 because b is 1, and e also changes from 0 to 1 because c is 0.
In order to make the aforementioned features and effects of the present invention more comprehensible, embodiments accompanied with figures are described in detail below.
Fig. 1 is a structural design framework diagram of the present invention, and the Trojan horse detection method includes the following four main modules:
module 1: and the dynamic analysis module inputs 0 and 1 logic values of equal probability to the circuit to be tested, and respectively calculates the probability that the output logic value is 1 (or 0), namely the dynamic probability, through simulating the output connecting line of each logic gate of the circuit. The calculation accuracy of the dynamic analysis depends on the number of input logic values, and the more the input logic values are, the more accurate the calculation is, and the closer the calculation is to the real value.
Further, for the sake of understanding, the following description will be given by taking fig. 2 as an example. In fig. 2, 5 input vectors are illustrated. For logic gate G1In other words, the output line L14 of the analog logic values of (1),10, then logic gate G1Dynamic probability of
Figure BDA0001838031010000101
For logic gate G10In other words, the output line L10Has 21 s and 3 0 s, then the logic gate G10Dynamic probability of
Figure BDA0001838031010000102
Figure BDA0001838031010000103
The dynamic probability of the output connection of other logic gates can be obtained in the same way. We further modeled more input vectors and the resulting dynamic probabilities are shown in fig. 3.
And (3) module 2: and the static analysis module is used for setting the probability that the input logic value of the circuit to be tested is 1 (or 0) to be 0.5 and calculating the output connection from the input end to the output end through the logic characteristics of different logic gates.
Further, for ease of understanding, the static analysis of fig. 4 will be described as an example. The probability of inputting the logic values of 0 and 1 of the circuit to be tested is set to be 0.5, and calculation is carried out from the input end to the output end. Wherein: logic OR gate G1The probability of inputting logic value 1 at two input ends is 0.5, only when G is1When at least one of the inputs is 1, the output logic value is 1, so that the output connection L is1Static probability P ofs(1) 1-0.5 × 0.5-0.75. Logic AND gate G9The probabilities of an input logic value of 1 are 0.25 and 0.75, respectively, only if G is present9When the input of (1) is all 1, the output logic value is 1, so the output connection line L is9Static probability P ofs(9) 0.25 × 0.75-0.1875. Logic exclusive-or gate G10The probabilities of inputting a logic value of 1 are 0.203125 and 0.1875, respectively, only if G is10When the input of (1) is 0 and the output is 1, the output is connected to the line L10Static probability P ofs(10) 1- (0.203125 × 0.1875) - (1-0.203125) × (1-0.1875) ═ 0.314453. The same way can get the static probability of the output connection of other logic gates.
And a module 3: and the dynamic and static analysis module combines dynamic analysis and static analysis and obtains the calibration probability of the circuit to be tested through a calibration function. During the calibration process, the calibration is performed while calculating, and the output connecting line can be used as the input of the next logic gate only after the calibration is performed.
Further, for the convenience of understanding, the following description will be given by taking the dynamic and static analysis of fig. 5 as an example. For logic gate G in the circuit to be tested1~G8Is connected to the output line L1~L8Since the dynamic probability and the static probability are equal, the calibration probability P (i) ═ Pd(i)=Ps(i) (1. ltoreq. i.ltoreq.8, for logic gate G9Is connected to the output line L9Dynamic probability P ofd(9) 0, static probability Ps(9) 0.1875, calibrated using an arithmetic mean function, i.e. when | Pd(9)-Ps(9)|<Δ110.2), the probability is calibrated
Figure BDA0001838031010000111
Figure BDA0001838031010000112
At this time, the calibrated output line L9As logic gate G10The input of (2) is calculated next.
And (4) module: the path testing module comprises two steps of searching and testing a path. Wherein: the path searching means that a path with smaller transmission probability of a multi-hop edge is searched from the calibrated circuit to be tested; path testing refers to generating valid test vectors for the found paths.
Further, for the convenience of understanding, the following description will be given by taking the dynamic and static analysis of fig. 5 as an example. Starting from the output of the calibrated circuit, i.e. logic gate G11As a starting point, looking for in the direction of the input, logic gate G11Respectively is L7And L10To output a connection line L7Is a logic gate G11First input connection, output connection L10Is a logic gate G11The second input connection line of the first circuit can obtain PP2(11)=Min{PP1(11),PP2(11) 0.258790, so as to output L10Logic gate G10For the starting point to continue looking for the input, logic gate G10Respectively is L8And L9To output a connection line L8Is a logic gate G10First input connection, output connection L9Is a logic gate G10The second input connection line of the first circuit can obtain PP2(10)=Min{PP1(10),PP2(10) 0.09375, so as to output L9Logic gate G9For the starting point to continue looking for the input, logic gate G9Respectively is L3And L6To output a connection line L3Is a logic gate G9First input connection, output connection L6Is a logic gate G9The second input connection line of the first circuit can obtain PP1(9)=Min{PP1(9),PP2(9) 0.25, so as to output L3Logic gate G3For the starting point to continue looking for the input, logic gate G3The input connection of (a) is the input end of the circuit, and a path search is finished.
Starting again from the output, i.e. logic gate G11As a starting point, looking for in the direction of the input, logic gate G11Respectively is L7And L10To output a connection line L7Is a logic gate G11First input connection, output connection L10Is a logic gate G11The second input connection line of the first circuit can obtain PP2(11)=Min{PP1(11),PP2(11) 0.258790, so as to output L10Logic gate G10For the starting point to continue looking for the input, logic gate G10Respectively is L8And L9But in the previous path L9Is selected, so that the output L is selected8Logic gate G8For the starting point to continue looking for the input, logic gate G8Respectively is L3And L5To output a connection line L3Is a logic gate G8First input connection, output connection L5Is a logic gate G8Second strip of (2)Inputting the connection line to obtain PP1(8)=Min{PP1(8),PP2(8) 0.25 so as to output L3Logic gate G3For the starting point to continue looking for the input, logic gate G3The input connection of (a) is the input end of the circuit, and a path search is finished. Similarly, a transmission path with smaller transmission at m hop edges can be found.
After the transmission path is found, a test vector is generated and an invalid path is eliminated, taking the two found paths as an example: in the first path, when the test vector is transmitted to the logic gate G9When the transmission is interrupted, the edge-hopping cannot continue, and the first path is G3->G9->G10->G11 in fig. 5, it can be seen that if a transition occurs at one input of G3, then the output of G3 will transition as long as the other input of G3 is 1, so that the transition can propagate from the input of this path to the output of G3. However, if the output of G3 changes from 0 to 1, then one input of G9 changes from 0 to 1, and the other input, i.e., the output of G6, changes from 1 to 0, so the output of G9 remains 0 and does not change from 0 to 1, i.e., the transition at the output of G3 cannot propagate to the output of G9. Logic gate G9The output of (1) is always 0, so this path cannot generate test vectors and is an invalid path. In the second path, the jump edge of the test vector can be effectively transmitted to the output end, so the path can smoothly generate the test vector, and the test vector can be used for detecting the hardware trojan, for example, after a path which is difficult to be detected is selected, only the corresponding test vector needs to be input to the circuit, whether the output of the circuit is correct is observed, and the process of observing the output by the input vector is completely the same as the general test process.
Because the invention needs to test the hardware trojans based on the path with smaller transmission probability, and the path has smaller transmission probability, and the existing test method does not consider the hardware trojans, the used test vector rarely propagates a jump from the input to the output of the path. The method comprises the steps of searching a plurality of paths with lower transmission probability, generating a vector for each path, and enabling jump to propagate from the input to the output of the paths, wherein the more the searched paths are, the higher the probability of successfully detecting the actual hardware Trojan is.
The following are system examples corresponding to the above method examples, and this embodiment can be implemented in cooperation with the above embodiments. The related technical details mentioned in the above embodiments are still valid in this embodiment, and are not described herein again in order to reduce repetition. Accordingly, the related-art details mentioned in the present embodiment can also be applied to the above-described embodiments.
The invention also discloses an integrated circuit detection system based on the selection of the unmanaged path, which comprises the following steps:
the output probability calculation module is used for acquiring an integrated circuit to be tested and determining the output probability of each logic gate in the integrated circuit to be tested for outputting a specific logic value according to the logic and connection sequence of the logic gates in the integrated circuit to be tested;
the path searching module is used for obtaining the logic value jump propagation probability of each propagation path of the integrated circuit to be tested according to the output probability and searching a propagation path corresponding to the logic value jump propagation probability lower than a preset value as a path to be selected;
and the Trojan horse detection module is used for generating a test vector and judging whether the test vector can transmit a logic value jump from the input end to the output end of the to-be-selected path, if so, the to-be-selected path is taken as a difficult-to-test path and is used for detecting the hardware Trojan horse, and if not, the to-be-selected path is deleted.
The integrated circuit detection system based on the routing difficulty is characterized in that the specific logic value is 0 or 1.
The integrated circuit detection system based on the difficult path selection, wherein the output probability calculation module further comprises:
inputting the random vector to the input end of the integrated circuit to be tested, and carrying out logic calculation on the output end of the integrated circuit to be tested to obtain the logic value of each connecting line in the integrated circuit to be tested;
calculating the dynamic probability of each connecting line in the integrated circuit to be tested outputting the specific logic value according to the following formula;
Figure BDA0001838031010000131
wherein, Pd(i) Is the dynamic probability of the ith line, n is the total number of the random vectors, n1(i) Under the input of n random vectors, the logical value of a connecting line i is the number of the vectors of the specific logical value;
setting the static probability of the specific logic value input to the input end of the integrated circuit to be tested to be 0.5, so as to calculate the logic probability to the output end of the integrated circuit to be tested to obtain the static probability of each connection line in the integrated circuit to be tested outputting the specific logic value,
and calibrating the static probability according to the dynamic probability and the calibration function to obtain the calibration probability of each connecting line in the integrated circuit to be tested for outputting the specific logic value, and taking the calibration probability as the output probability.
The integrated circuit detection system based on the selection of the difficult-to-test path specifically comprises the following steps of: and searching towards the input end by taking the output logic gate of the integrated circuit to be detected as a starting point, selecting the input connecting line with the smallest logic value jump propagation probability as a jump edge transmission end, and continuously searching towards the input end by taking the logic gate outputting the input connecting line as a new starting point until the input end of the integrated circuit to be detected is reached, and finishing the searching of a path to be selected.
The integrated circuit detection system based on the difficult path selection, wherein the calibration function comprises: arithmetic mean function, geometric mean function, harmonic mean function.

Claims (8)

1. An integrated circuit detection method based on a difficult path selection is characterized by comprising the following steps:
step 1, acquiring an integrated circuit to be tested, and determining the output probability of each logic gate in the integrated circuit to be tested for outputting a specific logic value according to the logic and connection sequence of the logic gates in the integrated circuit to be tested;
step 2, obtaining logic value jump propagation probability of each propagation path of the integrated circuit to be tested according to the output probability, and searching a propagation path corresponding to the logic value jump propagation probability lower than a preset value as a path to be selected;
step 3, generating a test vector, and judging whether the test vector can transmit a logic value jump from the input end to the output end of the path to be selected, if so, taking the path to be selected as a path difficult to test for detecting the hardware Trojan, otherwise, deleting the path to be selected;
the process of searching the candidate path in step 2 specifically includes: and searching towards the input end by taking the output logic gate of the integrated circuit to be detected as a starting point, selecting the input connecting line with the smallest logic value jump propagation probability as a jump edge transmission end, and continuously searching towards the input end by taking the logic gate outputting the input connecting line as a new starting point until the input end of the integrated circuit to be detected is reached, and finishing the searching of a path to be selected.
2. The method of claim 1, wherein the specific logic value is 0 or 1.
3. The integrated circuit detection method based on the selection of the difficult path as claimed in claim 2, wherein the step 1 further comprises:
step 11, inputting the random vector to the input end of the integrated circuit to be tested, and carrying out logic calculation on the output end of the integrated circuit to be tested to obtain a logic value of each connecting line in the integrated circuit to be tested;
step 12, calculating the dynamic probability of each connection line in the integrated circuit to be tested outputting the specific logic value according to the following formula;
Figure FDA0002300992690000011
wherein, Pd(i) Is the dynamic probability of the ith line, n is the total number of the random vectors, n1(i) Refers to n random vectorsUnder the input, the logic value of the connecting line i is the vector number of the specific logic value;
step 13, setting the static probability of the specific logic value input to the input end of the integrated circuit to be tested to be 0.5, and calculating the logic probability to the output end of the integrated circuit to be tested to obtain the static probability of each connecting line in the integrated circuit to be tested outputting the specific logic value;
and step 14, calibrating the static probability according to the dynamic probability and the calibration function to obtain the calibration probability of each connecting line in the integrated circuit to be tested for outputting the specific logic value, and taking the calibration probability as the output probability.
4. The method of claim 3, wherein the calibration function in step 14 comprises: arithmetic mean function, geometric mean function, harmonic mean function.
5. An integrated circuit detection system based on untestable path selection, comprising:
the output probability calculation module is used for acquiring an integrated circuit to be tested and determining the output probability of each logic gate in the integrated circuit to be tested for outputting a specific logic value according to the logic and connection sequence of the logic gates in the integrated circuit to be tested;
the path searching module is used for obtaining the logic value jump propagation probability of each propagation path of the integrated circuit to be tested according to the output probability and searching a propagation path corresponding to the logic value jump propagation probability lower than a preset value as a path to be selected;
the Trojan horse detection module is used for generating a test vector and judging whether the test vector can transmit a logic value jump from the input end to the output end of the path to be selected, if so, the path to be selected is taken as a path which is difficult to test and is used for detecting the hardware Trojan horse, and if not, the path to be selected is deleted;
the process of searching the candidate path in the path searching module specifically includes: and searching towards the input end by taking the output logic gate of the integrated circuit to be detected as a starting point, selecting the input connecting line with the smallest logic value jump propagation probability as a jump edge transmission end, and continuously searching towards the input end by taking the logic gate outputting the input connecting line as a new starting point until the input end of the integrated circuit to be detected is reached, and finishing the searching of a path to be selected.
6. The integrated circuit detection system based on untestable path selection as claimed in claim 5, wherein the specific logic value is 0 or 1.
7. The integrated circuit detection system based on untestable path selection of claim 5, wherein the output probability calculation module further comprises:
inputting the random vector to the input end of the integrated circuit to be tested, and carrying out logic calculation on the output end of the integrated circuit to be tested to obtain the logic value of each connecting line in the integrated circuit to be tested;
calculating the dynamic probability of each connecting line in the integrated circuit to be tested outputting the specific logic value according to the following formula;
Figure FDA0002300992690000021
wherein, Pd(i) Is the dynamic probability of the ith line, n is the total number of the random vectors, n1(i) Under the input of n random vectors, the logical value of a connecting line i is the number of the vectors of the specific logical value;
setting the static probability of the specific logic value input to the input end of the integrated circuit to be tested to be 0.5 so as to calculate the logic probability of the output end of the integrated circuit to be tested and obtain the static probability of each connecting line in the integrated circuit to be tested outputting the specific logic value;
and calibrating the static probability according to the dynamic probability and the calibration function to obtain the calibration probability of each connecting line in the integrated circuit to be tested for outputting the specific logic value, and taking the calibration probability as the output probability.
8. The integrated circuit detection system based on untestable path selection of claim 7, wherein the calibration function comprises: arithmetic mean function, geometric mean function, harmonic mean function.
CN201811235172.1A 2018-10-23 2018-10-23 Integrated circuit detection method and system based on selection of difficult-to-test path Active CN109557449B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811235172.1A CN109557449B (en) 2018-10-23 2018-10-23 Integrated circuit detection method and system based on selection of difficult-to-test path

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811235172.1A CN109557449B (en) 2018-10-23 2018-10-23 Integrated circuit detection method and system based on selection of difficult-to-test path

Publications (2)

Publication Number Publication Date
CN109557449A CN109557449A (en) 2019-04-02
CN109557449B true CN109557449B (en) 2020-04-03

Family

ID=65865015

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811235172.1A Active CN109557449B (en) 2018-10-23 2018-10-23 Integrated circuit detection method and system based on selection of difficult-to-test path

Country Status (1)

Country Link
CN (1) CN109557449B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104215895A (en) * 2014-09-02 2014-12-17 工业和信息化部电子第五研究所 Hardware Trojan horse detection method and hardware Trojan horse detection system based on test vectors
CN104239616A (en) * 2014-09-02 2014-12-24 工业和信息化部电子第五研究所 Design method of integrated circuit and hardware trojan detection method
CN104715121A (en) * 2015-04-01 2015-06-17 中国电子科技集团公司第五十八研究所 Circuit safety design method for defending against threat of hardware Trojan horse based on triple modular redundancy
CN107239620A (en) * 2017-06-06 2017-10-10 西南交通大学 A kind of anti-hardware Trojan horse method of designing integrated circuit and system
CN107478978A (en) * 2017-07-27 2017-12-15 天津大学 Hardware Trojan horse optimal inspection vector generation method based on population

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100031353A1 (en) * 2008-02-04 2010-02-04 Microsoft Corporation Malware Detection Using Code Analysis and Behavior Monitoring
CN106918773B (en) * 2017-03-01 2019-07-05 中国电子产品可靠性与环境试验研究所 Craft type hardware Trojan horse monitoring method and device
CN108062477A (en) * 2017-12-12 2018-05-22 北京电子科技学院 Hardware Trojan horse detection method based on side Multiple Channel Analysis
CN108446555A (en) * 2018-02-11 2018-08-24 复旦大学 The method that hardware Trojan horse is monitored in real time and is detected
CN108647533B (en) * 2018-02-14 2021-10-08 清华大学 Automatic generation method of safety assertion for detecting hardware trojan
CN108667822B (en) * 2018-04-23 2020-09-01 电子科技大学 Method for checking network-on-chip hardware security
CN108681669A (en) * 2018-04-23 2018-10-19 东南大学 A kind of hardware Trojan horse detection system and method based on multi-parameter side Multiple Channel Analysis

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104215895A (en) * 2014-09-02 2014-12-17 工业和信息化部电子第五研究所 Hardware Trojan horse detection method and hardware Trojan horse detection system based on test vectors
CN104239616A (en) * 2014-09-02 2014-12-24 工业和信息化部电子第五研究所 Design method of integrated circuit and hardware trojan detection method
CN104715121A (en) * 2015-04-01 2015-06-17 中国电子科技集团公司第五十八研究所 Circuit safety design method for defending against threat of hardware Trojan horse based on triple modular redundancy
CN107239620A (en) * 2017-06-06 2017-10-10 西南交通大学 A kind of anti-hardware Trojan horse method of designing integrated circuit and system
CN107478978A (en) * 2017-07-27 2017-12-15 天津大学 Hardware Trojan horse optimal inspection vector generation method based on population

Also Published As

Publication number Publication date
CN109557449A (en) 2019-04-02

Similar Documents

Publication Publication Date Title
Huang et al. MERS: statistical test generation for side-channel analysis based Trojan detection
Huang et al. Scalable test generation for Trojan detection using side channel analysis
US20180045780A1 (en) Timing-aware test generation and fault simulation
CN106291324B (en) A kind of on piece differential delay measuring system and recycling integrated circuit recognition methods
EP3246717A1 (en) On-chip monitor circuit and semiconductor chip
US10657207B1 (en) Inter-cell bridge defect diagnosis
US10592625B1 (en) Cell-aware root cause deconvolution for defect diagnosis and yield analysis
US7836366B2 (en) Defect localization based on defective cell diagnosis
Exurville et al. Resilient hardware Trojans detection based on path delay measurements
Cha et al. Efficient Trojan detection via calibration of process variations
US11416662B1 (en) Estimating diagnostic coverage in IC design based on static COI analysis of gate-level netlist and RTL fault simulation
Liou et al. Path selection for delay testing of deep sub-micron devices using statistical performance sensitivity analysis
Kutzner et al. Hardware trojan design and detection: a practical evaluation
Saha et al. Testability based metric for hardware trojan vulnerability assessment
Cha et al. A resizing method to minimize effects of hardware trojans
Wang et al. Test generation for combinational hardware Trojans
Kochte et al. Accurate X-propagation for test applications by SAT-based reasoning
Becker et al. Massive statistical process variations: A grand challenge for testing nanoelectronic circuits
CN109557449B (en) Integrated circuit detection method and system based on selection of difficult-to-test path
Chowdhury et al. Two-pattern∆ IDDQ test for recycled IC detection
Yao et al. Verification of power-based side-channel leakage through simulation
Gomez et al. Pinhole latent defect modeling and simulation for defect-oriented analog/mixed-signal testing
Jacob et al. Detection of malicious circuitry using transition probability based node reduction technique
CN109583240B (en) Integrated circuit testing method and system
Giridharan et al. A MUX based Latch Technique for the detection of HardwareTrojan using Path Delay Analysis

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20190402

Assignee: Zhongke Jianxin (Beijing) Technology Co.,Ltd.

Assignor: Institute of Computing Technology, Chinese Academy of Sciences

Contract record no.: X2022990000752

Denomination of invention: Integrated circuit detection method and system based on difficult path selection

Granted publication date: 20200403

License type: Exclusive License

Record date: 20221009