CN112487503A - Detection system and method based on hardware Trojan horse data information statistics - Google Patents
- Publication number
- CN112487503A (CN202011447625.4A)
- Authority
- CN
- China
- Prior art keywords
- trojan
- detection
- integrated circuit
- hardware
- horse
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/76—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in application-specific integrated circuits [ASIC] or field-programmable devices, e.g. field-programmable gate arrays [FPGA] or programmable logic devices [PLD]
Abstract
The invention discloses a detection system and a detection method based on hardware Trojan data information statistics, comprising host equipment, a database system and a detection system. The host equipment compiles statistics on the common information and the type-specific information of hardware Trojans and enters them into the database system; in addition, while judging hardware trustworthiness from the data in the database system, it can feed part of the relevant information back to the verification and test equipment of the integrated circuit. The database system stores the hardware Trojans detected historically and feeds the hardware Trojan data back to the host device, so that the host device can evaluate the credibility of the Trojans. The detection system covers hardware Trojan detection equipment for different insertion stages and different Trojan types; the Trojan data this equipment uploads to the host follows a relatively uniform standard, and Trojan detection time can be reduced to some extent as the Trojan database grows richer.
Description
Technical Field
The invention relates to the technical field of hardware security, in particular to a detection system and a detection method for resisting various hardware Trojans, built on Agent modeling theory and using a Trojan database to carry out statistical analysis of Trojan information.
Background
With advances in integrated circuit design, simulation, verification, manufacturing and packaging-and-test technology, and with the continuing reduction of transistor dimensions, every stage of the integrated circuit production cycle has become expensive. As a result, the design, manufacturing and packaging-and-test of a modern integrated circuit may not take place within the same organization; instead, design and manufacturing organizations outsource downstream stages of the production cycle to other organizations. For a variety of complex reasons, these outsourcing partners may sabotage the intended integrated circuit. The most important means of sabotage is to insert malicious circuits, collectively called hardware Trojans, at the production stage that the saboteur has taken on.
In this situation a hardware Trojan can appear at any stage of the integrated circuit production cycle, and the integrated circuit takes different forms at different production stages: before manufacturing it is a series of binary files, including the behavioral-level description, RTL description, gate-level netlist description and GDSII layout file of the circuit; after manufacturing or packaging it is a physical entity whose description obeys the physical laws of nature. Moreover, even hardware Trojans in the same form differ greatly in their characteristics; for example, some hardware Trojans with a large area and a low trigger rate are difficult to detect with time-based methods but can be detected quickly by reverse engineering or other layout detection methods. These different forms and behavior modes make a unified detection standard for hardware Trojans very difficult to establish, so neither academia nor industry has yet proposed a detection standard or detection method that can deal with all hardware Trojans.
Hardware Trojans are also highly concealed, which makes them very difficult to detect. Once a batch of integrated circuits has been obtained, time-domain detection relies mainly on two methods, side-channel analysis and logic testing, while spatial-domain detection mainly uses reverse engineering to disassemble the integrated circuit and obtain its layout information with a scanning electron microscope. Time-based Trojan detection methods mostly require the Trojan to be activated, while space-based methods require a slight change to be found in the complex layout of the integrated circuit. The main evasion measures adopted by Trojan designers target exactly these detection methods: on the one hand, the trigger probability of the Trojan can be greatly reduced by exploiting the characteristics of the integrated circuit's intermediate signals; on the other hand, the area and position of the Trojan can be skillfully arranged according to the layout characteristics of the integrated circuit, so that it is difficult to detect by reverse engineering. Hardware Trojan detection is therefore very time-consuming, which in turn poses a great threat to hardware security.
To address the lack of a unified standard for Trojan detection and the time it consumes, hardware Trojans in different forms are, from a system perspective, abstracted into a unified data standard; data in this standard are compiled into a hardware Trojan database; the hardware Trojans are statistically analyzed according to the characteristics and behaviors recorded in the database; and a computer is used to obtain the likelihood that a hardware Trojan is present. The current system model, however, is not yet complete.
Disclosure of Invention
To address the shortcomings of the prior art, the invention provides a detection system and a detection method based on hardware Trojan data information statistics.
To achieve this purpose, the technical scheme adopted by the invention is as follows:
A detection system based on hardware Trojan data information statistics comprises a host device, a database system and a detection system.
Tasks of the host device: first, to store Trojan information in the Trojan database; second, to analyze the database in order to conclude which type of hardware Trojan is most likely to appear in a circuit and which manufacturer an integrated circuit containing a hardware Trojan most likely came from. Trojan types and untrusted manufacturers are then evaluated together to obtain credibility ratings for the manufacturers, providing a basis for overall decisions about the integrated circuit supply chain.
The database system holds information on the tested integrated circuits and on hardware Trojans; it serves as one of the inputs to the Trojan host system, providing the data the host system requires.
The detection system comprises the several detection systems required by the hardware Trojan detection methods. It is composed of subsystems formed by the integrated circuit verification and test equipment of all trusted manufacturers connected to the Trojan detection network. This equipment includes both devices that can detect a Trojan in a design file and devices that can detect a physically implemented Trojan. The former is mainly a computer running trusted integrated circuit function verification software, while the latter includes a logic function tester, an oscilloscope, a vector network analyzer, a microwave and antenna measurement system and a process-based detection system. The process-based detection system comprises a mass spectrometer, an electron microscope, an energy spectrometer and a series of polishing devices for reverse engineering detection.
Each subsystem of the detection system is connected to a computer that generates Trojan detection reports; these report-generating computers are connected to the host device through a network bus, and the host device is connected to the Trojan database. The detection subsystems first verify or test the integrated circuit to obtain direct data, and then obtain a detection result by applying the transformation specific to the Trojan detection method. The Trojan inspector enters the detection results and the corresponding integrated circuit information into the report-generating computer according to a uniform data standard. These computers upload the detection results to the host system through the network bus. The host system performs logic judgment on the detection results and enters the Trojan information and the integrated circuit information into the Trojan database.
Further, the host device includes a Trojan evaluation system, a Trojan learning system, a Trojan decision system and a Trojan prediction system.
The Trojan evaluation system is used to obtain the detection rate, identification rate and false alarm rate of the whole system from the results of the whole detection system, forming the evaluation result of the whole Trojan detection system, so that the system can adjust the Trojan detection range in time.
The Trojan learning system is used to learn the types of Trojans with a corresponding algorithm, based on the Trojan data uploaded by the detection system and the results generated by the evaluation system.
The Trojan decision system is used to generate feedback reports for the Trojan detection system from the results of the Trojan learning system and the Trojan prediction system. From the Trojan types reflected in these feedback reports, it is known which detection process should be emphasized once a batch of third-party production output has been received.
The Trojan prediction system is used to analyze the possible direction of evolution of future Trojans from a sufficient number of existing Trojan types, and to give a possible result.
Further, the database system includes a Trojan database and an integrated circuit database.
The Trojan database is used to store the acquired Trojan data information. The hardware Trojan data information comprises: the hardware Trojan type, the trigger system composition, the payload system composition, and a behavioral, RTL, netlist or layout description.
The integrated circuit database is used to store the acquired integrated circuit data information. The integrated circuit data information comprises: the upstream production stage of the integrated circuit that is not connected to the network, the type of integrated circuit, and the module in which a Trojan appears or which has been modified.
Further, the detection system comprises the integrated circuit verification and test equipment of all trusted manufacturers connected to the Trojan detection network.
The verification equipment consists of a computer with trusted simulation and verification software installed, located at the design manufacturer of the integrated circuit. It is used to check for Trojans that may exist in behavioral, RTL, netlist and layout files. These Trojans come mainly from untrusted third-party IP cores and are implanted at the design stage of the integrated circuit. These computers can also generate Trojan detection reports directly. The forms of Trojan this equipment can deal with are hardware Trojans formed by malicious modification of HDL code, behavioral-level files, RTL files, netlist files and layout files.
The test equipment is of two types: process-based detection equipment and input/output-based detection equipment.
The process-based detection equipment consists of a microscope, an energy spectrometer, a mass spectrometer, grinding equipment and a computer for generating detection reports. The detection equipment of a trusted manufacturer at the manufacturing stage does not include the grinding equipment, while that of a trusted manufacturer at the packaging-and-test stage does. The reason is that the integrated circuits tested by the latter are often already packaged or fabricated on a wafer, so a process-based test method has to use reverse engineering to find Trojans. The forms of Trojan this equipment can deal with are: integrated circuits with a spliced-in Trojan layout, Trojan modules added after packaging, Trojans added to the original layout, Trojans that modify the placement and routing of the original layout, and Trojans that modify the doping of the original integrated circuit. This method, however, takes a very long time. The computer generates the test report and, where necessary, transforms the direct Trojan detection results into indirect results that are more convenient for Trojan detection.
The input/output-based detection equipment comprises a logic function tester, an oscilloscope, a vector network analyzer, a microwave and antenna measurement system and a computer that generates Trojan detection reports. The logic function tester implements hardware Trojan detection based on logic function testing, and the other equipment, which measures physical quantities, implements Trojan detection based on side-channel analysis. These methods have the advantage of being much faster than reverse engineering, but the types of Trojan they can handle are extremely limited. Detection based on logic function testing can only deal with Trojans that modify function and requires a high activation probability, while detection based on side-channel analysis requires that the Trojan make a large modification to the integrated circuit and that process variation can be distinguished from the Trojan circuit. This test equipment is mainly found at trusted manufacturers of integrated circuits, and the computer not only generates test reports but also has to transform the direct measurement results.
The invention also discloses a detection method based on hardware Trojan data information statistics, which comprises the following steps:
Step one: The Trojan detection equipment obtains the forms the integrated circuit takes at different stages of the production cycle: IP cores from third parties, GDSII documents, and silicon wafers carrying packaged or unpackaged integrated circuits.
Step two: For the design stage, design-for-testability measures for Trojans are added, and Trojan detection is added to the verification stage. For the manufacturing stage, hardware Trojan layout detection is added before manufacturing. For the packaging-and-test stage, some samples from the same production batch of integrated circuits undergo destructive Trojan detection and others undergo non-destructive Trojan detection. The detection method is selected mainly according to the current feedback from the host equipment.
Step three: The three stages enter all Trojan detection results and the sources of the integrated circuit intermediate products into the interface software of the Trojan defense system through local computer equipment, and upload them to the host equipment of the Trojan detection center through the network bus.
The information that needs to be put on the bus is: the Trojan verification or test report, the verification software manufacturer, the name and manufacturer of the test equipment, the number of integrated circuits tested, the presence and frequency of Trojans, the detected data results, and the upstream production stage of the integrated circuits that is not connected to the network.
Step four: The host device obtains hardware Trojan data from the system bus; the data come from the trusted integrated circuit manufacturers connected to the network.
Step five: For an integrated circuit with a Trojan, the Trojan information is entered into the Trojan database and the information on the integrated circuit is entered into the integrated circuit database, and the Trojan data and the corresponding integrated circuit data form a mapping relation between the two databases. For an integrated circuit without a Trojan, the information on the integrated circuit is entered into the integrated circuit database.
Step six: Statistics are compiled for each type of information on the hardware Trojans and the integrated circuits, and the relationship among hardware Trojans, integrated circuits and third-party production stages is obtained using correlation and independence tests from statistical analysis.
A data analysis algorithm is introduced to relate manufacturers to the frequency of Trojan occurrence; the results of the data analysis show which manufacturers are more likely, and which less likely, to introduce Trojans over the whole production cycle of the integrated circuit. This information can form a comprehensive index for hardware Trojan detection.
From these indices the following conclusions can be drawn:
1. The hardware Trojan types that integrated circuits may exhibit.
2. The integrated circuit production stage in which a certain class of hardware Trojans may be present.
3. The integrated circuit locations where a certain class of hardware Trojans may be present.
4. Which manufacturers are more likely to have hardware Trojans.
5. Among the manufacturers where hardware Trojans appear, the hardware Trojan type that is more likely to appear for a specific manufacturer.
Step seven: The statistical analysis results are evaluated to obtain the stage, integrated circuit location and production node where a given kind of Trojan is most likely to appear, and these are fed back to the trusted integrated circuit manufacturers.
Step eight: A credibility measurement parameter is introduced and, according to the statistical analysis result of step four, substituted into the credibility measurement expression to give a credibility rating for the source of the third-party integrated circuit intermediate product.
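Steps five and six, worked through as an added example (not code from the patent): constructed detection reports are stored in two linked tables, then a Pearson chi-square independence test relates upstream source to Trojan presence and the per-source residuals show which source deviates. The table layout, field names, vendor names and Trojan type labels are assumptions made for this illustration; the patent's credibility expression of step eight is not given on the page and is not modelled.

```python
import math
import sqlite3

# Constructed sample reports (all names and counts are illustrative assumptions):
# (upstream_source, ic_type, circuits_tested, trojan_type or None, circuits_with_trojan)
REPORTS = [
    ("vendor_A", "crypto_core", 200, "key_leak", 18),
    ("vendor_A", "uart",        150, "denial_of_service", 9),
    ("vendor_B", "crypto_core", 220, "key_leak", 2),
    ("vendor_B", "uart",        180, None, 0),
    ("vendor_C", "crypto_core", 210, None, 0),
    ("vendor_C", "uart",        190, "denial_of_service", 3),
]


def load(reports):
    """Step five: every tested batch goes into the IC table; each finding goes into
    the trojan table and points back at its batch (the mapping relation)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ic (id INTEGER PRIMARY KEY, source TEXT, ic_type TEXT,
                         tested INTEGER, infected INTEGER);
        CREATE TABLE trojan (id INTEGER PRIMARY KEY,
                             ic_id INTEGER REFERENCES ic(id), trojan_type TEXT);
    """)
    for source, ic_type, tested, trojan_type, infected in reports:
        cur = db.execute(
            "INSERT INTO ic (source, ic_type, tested, infected) VALUES (?, ?, ?, ?)",
            (source, ic_type, tested, infected))
        if trojan_type is not None:
            db.execute("INSERT INTO trojan (ic_id, trojan_type) VALUES (?, ?)",
                       (cur.lastrowid, trojan_type))
    return db


def contingency(db):
    """Per upstream source: (circuits with a Trojan, circuits without)."""
    rows = db.execute(
        "SELECT source, SUM(infected), SUM(tested) - SUM(infected) FROM ic "
        "GROUP BY source HAVING SUM(tested) > 0 ORDER BY source").fetchall()
    return {src: (bad, clean) for src, bad, clean in rows}


def chi2_sf(stat, df):
    """Upper tail of the chi-square distribution, built from the recurrence
    Q(a+1, x) = Q(a, x) + x^a e^-x / Gamma(a+1), starting at a = 1/2 or a = 1."""
    x = stat / 2.0
    a = 0.5 if df % 2 else 1.0
    q = math.erfc(math.sqrt(x)) if df % 2 else math.exp(-x)
    while a < df / 2.0:
        q += x ** a * math.exp(-x) / math.gamma(a + 1.0)
        a += 1.0
    return q


def independence_test(table):
    """Step six: test the hypothesis 'Trojan presence is independent of source'.
    Returns (statistic, p-value, Pearson residual of the Trojan count per source).
    The approximation is unreliable when an expected count falls below about 5."""
    total_bad = sum(bad for bad, _ in table.values())
    total_clean = sum(clean for _, clean in table.values())
    n = total_bad + total_clean
    if len(table) < 2 or total_bad == 0 or total_clean == 0:
        return 0.0, 1.0, {src: 0.0 for src in table}  # nothing to test
    stat, residuals = 0.0, {}
    for src, (bad, clean) in table.items():
        row = bad + clean
        e_bad, e_clean = row * total_bad / n, row * total_clean / n
        stat += (bad - e_bad) ** 2 / e_bad + (clean - e_clean) ** 2 / e_clean
        residuals[src] = (bad - e_bad) / math.sqrt(e_bad)
    return stat, chi2_sf(stat, len(table) - 1), residuals


def dominant_type(db):
    """Per source, the Trojan type found in the most circuits."""
    rows = db.execute(
        "SELECT ic.source, trojan.trojan_type, SUM(ic.infected) AS n "
        "FROM trojan JOIN ic ON ic.id = trojan.ic_id "
        "GROUP BY ic.source, trojan.trojan_type ORDER BY n").fetchall()
    return {src: ttype for src, ttype, _ in rows}  # larger counts overwrite smaller


def analyse(reports):
    db = load(reports)
    table = contingency(db)
    stat, p_value, residuals = independence_test(table)
    return {
        "table": table,
        "chi2": stat,
        "p_value": p_value,
        "most_suspect": max(residuals, key=residuals.get),
        "dominant_type": dominant_type(db),
    }


if __name__ == "__main__":
    for key, value in analyse(REPORTS).items():
        print(key, value)
```

A small p-value only says that Trojan frequency differs between sources; the residuals and per-source dominant type are what point the feedback of step seven at a particular source and detection method.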
Compared with the prior art, the invention has the advantages that:
1. The adaptability of hardware Trojans is evaluated from data, and existing Trojan detection methods can be integrated to some extent, so that hardware Trojans in different forms can be detected.
2. Learning and judgment are carried out on the Trojan detection data, and the results are fed back to each Trojan detection manufacturer. The Trojan detection process can be simplified to some extent according to the statistical results. Once manufacturer credibility ratings have been generated, the detection methods to emphasize can be selected according to the manufacturer.
Drawings
FIG. 1 is a block diagram of the system based on Trojan detection types in an embodiment of the present invention;
FIG. 2 is a block diagram of the Trojan detection system based on the integrated circuit production cycle in an embodiment of the present invention;
FIG. 3 shows the general operation flow of the Trojan detection system in an embodiment of the present invention;
FIG. 4 is a model of the Agent-based Trojan detection system in an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail below with reference to the accompanying drawings by way of examples.
Although hardware Trojans take different forms, they are closely related to the type, behavior characteristics and production cycle of the integrated circuit. First, every hardware Trojan, whatever its kind, has common characteristic data; second, common characteristic data can be abstracted from hardware Trojans of the same type. If, during the design, manufacturing and packaging-and-test of the integrated circuit, the verification and test systems of trusted manufacturers that can detect hardware Trojans are connected to the hardware Trojan detection network, the presence of hardware Trojans can be monitored in real time. When a hardware Trojan is detected at any verification or test stage, its common characteristics, type and type-specific characteristics, together with the upstream production stage of the integrated circuit under test, are sent to the detection center host through a communication bus, as shown in FIG. 1. The host stores the Trojan information in the Trojan database and analyzes the database to conclude which type of hardware Trojan is most likely to appear in a circuit and which manufacturer an integrated circuit containing a hardware Trojan most likely came from. Trojan types and untrusted manufacturers are then evaluated together to obtain credibility ratings for the manufacturers, providing a basis for overall decisions about the integrated circuit supply chain. In addition, as the Trojan database is gradually enriched, the host system can make more accurate judgments, the Trojan hit rate improves, and the time complexity of hardware Trojan detection, and hence the time Trojan detection takes, can be reduced.
As shown in FIG. 2, when a trusted manufacturer receives a third party's IP core, design document or manufactured silicon chip for an integrated circuit, detection methods for hardware Trojans are added at the design, verification and test stages. The verification and final test results, together with the acquired hardware Trojan information and the third-party source of the integrated circuit, are automatically entered into the interface software of the integrated circuit detection network and uploaded to the host device of the hardware Trojan detection center through the network bus. From these detection reports the host device obtains whether a Trojan is present and the data for each common and type-specific characteristic, and then stores this data in the integrated circuit database system. The integrated circuit database system has two parts: the first is the Trojan database of hardware Trojans, and the second is the database of tested integrated circuits. Trojan data is stored in the Trojan database, and integrated circuits both with and without Trojans are stored in the tested integrated circuit database. From the two databases the host system can judge the likelihood that a hardware Trojan has been introduced, and feed back to the trusted integrated circuit production stages the frequency of Trojan occurrence, the types and frequencies of Trojans inserted at each stage, and their relationship to third-party sources. The host can also rate the credibility of third-party manufacturers, so that the integrated circuits of certain untrusted manufacturers receive focused inspection during the production cycle. The operation flow is shown in FIG. 3.
The whole defense system is modeled with an Agent-based method, as shown in FIG. 4. Each trusted integrated circuit production stage can be modeled as part of the Agent's sensors, inputting Trojan data to the host.
The host system comprises the Agent's learning element, performance element, problem generator and evaluation element. The Trojan evaluation system acts as the evaluation element: it statistically processes the hardware Trojan data from the Trojan database to obtain the common and type-specific characteristics of hardware Trojans, and it can give feedback on the behavior of the learning element and the performance element. Its evaluation criteria come partly from the Trojan database and partly from the knowledge of other Trojan detection systems. The Trojan learning system acts as the learning element: it makes a logic judgment from the statistical results and the feedback of the evaluation element, and passes the result to the Trojan decision system, which acts as the performance element. The Trojan decision system reaches the overall conclusion of Trojan detection and, through feedback to the detection system acting as the actuator, provides relevant information for Trojan detection. The Trojan detection system contains the sensor and actuator parts of the Agent. The sensor is the software interface between the Trojan detection system and the network bus; the detection results obtained by the Trojan detection system and the related integrated circuit information are the sensor input of the Agent. The actuator is the Trojan detection system operated by a trusted integrated circuit manufacturer, comprising a verification system and a test system.
The Agent is characterized by its ability to learn: using the input from trusted Trojan detection manufacturers and the knowledge already held in the hardware Trojan database and the integrated circuit database, it evaluates hardware Trojans comprehensively from data characteristics of several kinds. As the number of Trojan cases grows, the host system's judgments in Trojan detection become faster and more accurate. For the detection system, the Trojan information fed back by the host system allows the hardware Trojan detection method to be used at any given time to be chosen more accurately, which reduces the time spent guessing.
Trojan detection equipment process:
Step one: Obtain the representations of the integrated circuit at the different production stages of its production cycle: IP cores from third parties, GDSII documents, and silicon wafers with or without the integrated circuits packaged.
Step two: For the design link, add Trojan design-for-testability means, and add Trojan detection means in the verification link. For the manufacturing link, add hardware Trojan layout detection means before manufacturing. For the packaging and testing link, take some samples from the same production batch of integrated circuits for destructive Trojan detection and some samples for nondestructive Trojan detection. The detection method is selected mainly according to the current feedback from the host equipment.
Step three: The three links input all Trojan detection results and the sources of the integrated circuit intermediate products into the interface software of the Trojan defense system through local computer equipment, and upload them to the host equipment of the Trojan detection center through the network bus.
The information that needs to be input to the bus includes the following: the Trojan verification or test report, the verification software manufacturer, the name and manufacturer of the test equipment, the number of integrated circuits detected, whether Trojans are present and how frequently they occur, the detected data results, and the upstream production links of the integrated circuit that are not connected to the network.
The host device process:
Step one: Hardware Trojan data is obtained from the system bus; the data comes from the trusted integrated circuit manufacturers connected to the network.
Step two: for the integrated circuit with Trojan, the relevant information of Trojan is input into the hardware Trojan database, the relevant information of the integrated circuit with Trojan is input into the integrated circuit database, and the Trojan data and the corresponding integrated circuit data form a mapping relation in the two databases. For an integrated circuit without Trojan, relevant information of the integrated circuit is input into an integrated circuit database.
The data information of a hardware Trojan includes: the hardware Trojan type, the composition of the trigger system, the composition of the payload system, and a behavior description, RTL description, netlist description or layout description.
The data information of an integrated circuit includes: the upstream production links of the integrated circuit that are not connected to the network, the kind of integrated circuit, and the modules in which the Trojan appears or which were modified (if any).
Step three: Count each type of information about the hardware Trojans and the integrated circuits, and obtain the relationship among the hardware Trojans, the integrated circuits and the third-party production links using the correlation operations and independence tests of statistical analysis.
The host therefore needs strong data analysis capability. A data analysis algorithm is introduced to establish the relationship between manufacturers and the frequency of Trojan occurrence, and the result of that analysis shows which manufacturers, across the whole production cycle of the integrated circuit, are more likely and which are less likely to be associated with Trojans. This information can form a comprehensive index for hardware Trojan detection.
From these indices the following conclusions can be drawn:
3.1 The hardware Trojan types that may be present in integrated circuits.
3.2 The integrated circuit production link in which a certain class of hardware Trojan may be present.
3.3 The location in the integrated circuit where a certain class of hardware Trojan may be present.
3.4 Which manufacturers are more prone to hardware Trojans.
3.5 Among the manufacturers where hardware Trojans appear, the hardware Trojan types more likely to appear at a particular manufacturer.
Step four: Evaluate the statistical analysis results to obtain the stage, the integrated circuit position and the production node at which a specific type of Trojan is most likely to appear, and feed these back to the trusted integrated circuit manufacturers.
The names and the credibility measurement results of the manufacturers are fed back to the verification and test equipment. If the production process of the integrated circuit passes through more credible manufacturers, the whole hardware Trojan detection link can be simplified accordingly and the detection time reduced. If the production process passes through more untrusted manufacturers, the most accurate method, reverse engineering, is used for a thorough inspection.
Step five: Introduce a credibility measurement parameter, substitute the statistical analysis result of step four into the credibility measurement parameter expression, and give a credibility rating for the source of each third-party integrated circuit intermediate product.
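The independence test named in step three of the host device process, and the feedback it supports in step four, can be illustrated as follows. This is an added example, not code from the patent: the record fields, vendor names, Trojan type labels and the thresholds (`alpha`, `cutoff`, `min_expected`) are assumptions, and the sample reports are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample detection reports (illustrative, not real data). Field and
# vendor names are assumptions; each record mirrors items the page lists for
# upload: upstream production link, ICs inspected, ICs with a Trojan, Trojan type.
REPORTS = [
    {"upstream": "VendorA", "inspected": 400, "trojan": 2, "type": "information-leak"},
    {"upstream": "VendorB", "inspected": 350, "trojan": 21, "type": "denial-of-service"},
    {"upstream": "VendorC", "inspected": 500, "trojan": 4, "type": "information-leak"},
    {"upstream": "VendorB", "inspected": 150, "trojan": 9, "type": "information-leak"},
    {"upstream": "VendorA", "inspected": 100, "trojan": 1, "type": "denial-of-service"},
]


def contingency(reports):
    """Aggregate reports into {upstream_link: [with_trojan, without_trojan]}."""
    table = defaultdict(lambda: [0, 0])
    for r in reports:
        if not 0 <= r["trojan"] <= r["inspected"]:
            raise ValueError(f"inconsistent counts in report: {r}")
        table[r["upstream"]][0] += r["trojan"]
        table[r["upstream"]][1] += r["inspected"] - r["trojan"]
    return dict(table)


def chi2_sf(x, df):
    """P(X >= x) for a chi-square variable, via the incomplete-gamma series."""
    a, z = df / 2.0, x / 2.0
    if z <= 0:
        return 1.0
    term = total = 1.0 / a
    n = 1
    while term > total * 1e-15:
        term *= z / (a + n)
        total += term
        n += 1
    lower = total * math.exp(a * math.log(z) - z - math.lgamma(a))
    return max(0.0, 1.0 - lower)


def independence_test(table, min_expected=5.0):
    """Pearson chi-square test of H0: Trojan occurrence is independent of the
    upstream link. Returns (statistic, p_value, adjusted residual per link)."""
    n = sum(sum(row) for row in table.values())
    col = [sum(row[j] for row in table.values()) for j in (0, 1)]
    if len(table) < 2 or 0 in col:
        raise ValueError("need at least two links and both outcomes observed")
    stat, resid = 0.0, {}
    for link, row in table.items():
        row_n = sum(row)
        for j in (0, 1):
            expected = row_n * col[j] / n
            if expected < min_expected:  # too few samples for the approximation
                raise ValueError(f"expected count {expected:.1f} too small for {link}")
            stat += (row[j] - expected) ** 2 / expected
        e0 = row_n * col[0] / n
        resid[link] = (row[0] - e0) / math.sqrt(e0 * (1 - row_n / n) * (1 - col[0] / n))
    return stat, chi2_sf(stat, len(table) - 1), resid


def analyse(reports, alpha=0.01, cutoff=2.0):
    """Flag links with significantly more Trojans than independence predicts,
    and name the Trojan type seen most often from each flagged link."""
    stat, p, resid = independence_test(contingency(reports))
    flagged = sorted(l for l, r in resid.items() if p < alpha and r > cutoff)
    by_type = defaultdict(Counter)
    for r in reports:
        by_type[r["upstream"]][r["type"]] += r["trojan"]
    dominant = {l: by_type[l].most_common(1)[0][0] for l in flagged}
    return {"chi2": stat, "p": p, "residuals": resid,
            "flagged": flagged, "dominant_type": dominant}


if __name__ == "__main__":
    result = analyse(REPORTS)
    print(f"chi2={result['chi2']:.2f} p={result['p']:.2e}")
    print("flagged:", result["flagged"], result["dominant_type"])
```

The test refuses to give a verdict when any expected cell count falls below `min_expected`, which keeps a link with only a handful of inspected parts from being rated on noise.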
It will be appreciated by those of ordinary skill in the art that the examples described herein are intended to assist the reader in understanding the manner in which the invention is practiced, and it is to be understood that the scope of the invention is not limited to such specifically recited statements and examples. Those skilled in the art can make various other specific changes and combinations based on the teachings of the present invention without departing from the spirit of the invention, and these changes and combinations are within the scope of the invention.
Claims (5)
1. A detection system based on hardware trojan data information statistics is characterized by comprising: the system comprises a host device, a database system and a detection system;
tasks of the host device: firstly, storing the Trojan information in a Trojan database; secondly, analyzing the database to obtain the most probable type of hardware Trojan contained in the circuit and a conclusion as to which manufacturer an integrated circuit containing a hardware Trojan is more likely to come from; and comprehensively evaluating the Trojan types and the untrusted manufacturers to obtain credibility ratings of the manufacturers and to provide a basis for comprehensive decisions on the integrated circuit supply chain;
the database system comprises information related to the measured integrated circuits and the hardware Trojans, and is used for providing the data required by the host device;
the detection system is composed of the integrated circuit verification and test equipment of all trusted manufacturers connected to the Trojan detection network, each acting as a detection subsystem; it covers Trojan detection in design files and Trojan detection in physical implementations; the former uses a computer running trusted integrated circuit function verification software, and the latter comprises a logic function tester, an oscilloscope, a vector network analyzer, a microwave and antenna measurement system and a process-based detection system; wherein the process-based detection system comprises a mass spectrometer, an electron microscope, an energy spectrometer and a series of polishing devices for reverse engineering detection;
each subsystem of the detection system is connected to a computer that generates Trojan detection reports, the computer is connected to the host equipment through a network bus, and the host equipment is connected to the Trojan database; the detection subsystems first verify or test the integrated circuit to obtain direct data, and then obtain a detection result by transforming that data with a method specific to Trojan detection; the Trojan detection operator inputs the detection results and the corresponding information of the integrated circuit into the detection report computer according to a uniform data standard; the computers upload the detection results to the host system through the network bus; the host system performs logical judgment on the detection results and inputs the Trojan information and the integrated circuit information into the Trojan database.
2. The detection system based on hardware trojan horse data information statistics as claimed in claim 1, wherein: the host device includes: the system comprises a Trojan evaluation system, a Trojan learning system, a Trojan decision system and a Trojan prediction system;
the Trojan evaluation system is used for: obtaining the detection rate, the identification rate and the false alarm rate of the whole system from the results of the whole detection system, forming the evaluation result of the whole Trojan detection system, so that the system can adjust the Trojan detection range in time;
the Trojan learning system is used for: learning the Trojan types from the Trojan data uploaded by the detection system, using a corresponding algorithm, according to the results generated by the evaluation system;
the Trojan decision system is used for: generating feedback reports for the Trojan detection system from the results of the Trojan learning system and the Trojan prediction system, so that, from the Trojan types reflected in the feedback reports, it is known which detection process should be emphasized once the production results of several third parties are input;
the Trojan prediction system is used for: analyzing the possible evolution of future Trojans from a sufficient number of existing Trojan types, and giving a possible result.
3. The detection system based on hardware trojan horse data information statistics as claimed in claim 1, wherein: the database system includes: a Trojan database and an integrated circuit database;
the Trojan database is used for: storing the acquired Trojan data information, wherein the hardware Trojan data information comprises: the type of the hardware Trojan, the composition of the trigger system, the composition of the payload system, and a behavior description, RTL description, netlist description or layout description;
the integrated circuit database is used for: storing the acquired data information of the integrated circuit, wherein the data information of the integrated circuit comprises: the upstream production links of the integrated circuit that are not connected to the network, the type of integrated circuit, and the modules in which a Trojan appears or which were modified.
4. The detection system based on hardware trojan horse data information statistics as claimed in claim 1, wherein: the detection system comprises integrated circuit verification equipment and test equipment of all trusted manufacturers accessing the Trojan horse detection network;
the verification equipment is composed of a computer provided with trusted simulation verification software and is located at the design manufacturer of the integrated circuit; the verification equipment is used for checking for Trojans that may exist in behavior, RTL, netlist and layout files; the verification equipment can directly generate a Trojan detection report; the forms of Trojan that the equipment can handle include: hardware Trojans formed by malicious modification of HDL code, behavior-level files, RTL files, netlist files and layout files;
the test equipment comprises two types, one type is detection equipment based on a process, and the other type is detection equipment based on input and output;
the process-based detection equipment consists of a microscope, an energy spectrometer, a mass spectrometer, polishing equipment and a computer for generating a detection report; wherein the detection equipment at a trusted manufacturer in the manufacturing link does not include polishing equipment, and that at a trusted manufacturer in the packaging and testing link does; the forms of Trojan that the process-based detection equipment can handle include: integrated circuits with a spliced-in Trojan layout, Trojan modules added after packaging, Trojans added to the original layout, Trojans that modify the placement and routing of the original layout, and Trojans that modify the doping of the original integrated circuit; the computer for generating the detection report not only generates the test report, but also applies whatever transformation is needed to the direct result of Trojan detection to obtain an indirect result that makes the Trojan easier to detect;
the input-output based detection equipment comprises a logic function tester, an oscilloscope, a vector network analyzer, a microwave and antenna measurement system and a computer capable of generating a Trojan detection report; the logic function tester implements hardware Trojan detection based on logic function testing, and the other equipment, which measures physical quantities, implements Trojan detection based on side channel analysis; the input-output based detection equipment is located at a trusted integrated circuit packaging and testing manufacturer, and the computer not only generates the test report but also transforms the direct measurement results.
5. The detection method of the hardware Trojan horse data information statistics-based detection system according to one of the claims 1 to 4, characterized by comprising the following steps:
step one: the detection system obtains the representations of the integrated circuit at the different production stages of its production cycle: an IP core from a third party, a GDSII document, a silicon wafer with or without the integrated circuit packaged;
step two: for the design link, adding Trojan design-for-testability means, and adding Trojan detection means in the verification link; for the manufacturing link, adding hardware Trojan layout detection means before manufacturing; for the packaging and testing link, taking some samples from the same production batch of integrated circuits for destructive Trojan detection and some samples for nondestructive Trojan detection; the detection method is selected mainly according to the current feedback from the host equipment;
step three: inputting all Trojan detection results and the sources of the integrated circuit intermediate products into the interface software of the Trojan defense system through local computer equipment, and uploading them to the host equipment of the Trojan detection center through a network bus;
the information that needs to be input to the bus includes the following: the Trojan verification or test report, the verification software manufacturer, the name and manufacturer of the test equipment, the number of integrated circuits detected, whether Trojans are present and how frequently they occur, the detected data results, and the upstream production links of the integrated circuit that are not connected to the network;
step four: the host equipment acquires hardware Trojan data from the system bus, the data coming from the trusted integrated circuit manufacturers connected to the network;
step five: for an integrated circuit with a Trojan, inputting the relevant information of the Trojan into the Trojan database and the relevant information of the integrated circuit into the integrated circuit database, the Trojan data and the corresponding integrated circuit data forming a mapping relation between the two databases; for an integrated circuit without a Trojan, inputting the relevant information of the integrated circuit into the integrated circuit database;
step six: counting each type of information about the hardware Trojans and the integrated circuits, and obtaining the relationship among the hardware Trojans, the integrated circuits and the third-party production links using the correlation operations and independence tests of statistical analysis;
introducing a data analysis algorithm to establish the relationship between manufacturers and the frequency of Trojan occurrence, and then determining from the data analysis results which manufacturers, across the whole production cycle of the integrated circuit, are more likely and which are less likely to be associated with Trojans; this information can form a comprehensive index for hardware Trojan detection;
from these indices the following conclusions can be drawn:
(1) the hardware Trojan types that may appear in integrated circuits;
(2) the integrated circuit production link in which a certain class of hardware Trojan may appear;
(3) the location in the integrated circuit where a certain class of hardware Trojan may appear;
(4) which manufacturers are more likely to have hardware Trojans;
(5) among the manufacturers where hardware Trojans appear, the hardware Trojan types more likely to appear at a specific manufacturer;
step seven: evaluating the statistical analysis results to obtain the stage, the integrated circuit position and the production node at which a certain kind of Trojan is most likely to appear, and feeding these back to the trusted integrated circuit manufacturers;
step eight: introducing a credibility measurement parameter, substituting the statistical analysis result of step four into the credibility measurement parameter expression, and giving a credibility rating for the source of each third-party integrated circuit intermediate product.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011447625.4A CN112487503A (en) | 2020-12-09 | 2020-12-09 | Detection system and method based on hardware Trojan horse data information statistics |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112487503A (en) | 2021-03-12 |
Family
ID=74941533
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011447625.4A Pending CN112487503A (en) | 2020-12-09 | 2020-12-09 | Detection system and method based on hardware Trojan horse data information statistics |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112487503A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
AD01 | Patent right deemed abandoned | Effective date of abandoning: 20231229 |