Analytical Estimation and Localization of Hardware Trojan Vulnerability in RTL Designs

Offshoring the proprietary Intellectual property (IP) has recently increased the threat of malicious logic insertion in the form of Hardware Trojan (HT). A potential and stealthy HT is triggered with nets that switch rarely during regular circuit operation. Detection of HT in the host design requires exhaustive simulation to activate the HT during pre- and postsilicon. Although the nets with variable switching probability less than a threshold are primarily chosen as a good candidate for Trojan triggering, there is no systematic fine-grained approach for earlier detection of rare nets from word-level measures of input signals. In this paper, we propose a high-level technique to estimate the nets with the rare activity of arithmetic modules from word-level information. Specifically, for a given module, we use the knowledge of internal construction of the architecture to detect "low activity" and "local regions" without resorting to expensive RTL and other low-level simulations. The presented heuristic method abstracts away from the low-level details of design and describes the rare activity of bits (modules) in a word (architecture) as a function of signal statistics. The resulting quick estimates of nets in rare regions allows a designer to develop a compact test generation algorithm without the knowledge of the bit-level activity. We determine the effect of different positions of the breakpoint in the input signal to calculate the accuracy of the approach. We conduct a set of experiments on six adder architectures and four multiplier architectures. The average error to calculate the rare nets between RTL simulation and estimated values are below 2% in all architectures.