阅读说明：本技术 一种基于mux环形振荡器的硬件木马检测方法 (Hardware Trojan horse detection method based on MUX ring oscillator ) 是由 赵毅强 赵鑫宇 马浩诚 刘燕江 叶茂 于 2020-05-19 设计创作，主要内容包括：本发明公开了一种基于MUX环形振荡器的硬件木马检测方法,根据电路中少态节点的分布对电路进行划分,分别将MUX环形振荡器置入不同区域,通过采样程序对环形振荡器的输出结果进行采样,以计数值的方式显示振荡器的振荡频率。最后通过与可信模型的输出结果进行比较来达到检测硬件木马的目的。该方法在引入较小面积及功耗开销的条件下,实现了较高的检测精度。(The invention discloses a hardware Trojan horse detection method based on a MUX (multiplexer) ring oscillator, which is characterized in that a circuit is divided according to the distribution of few-state nodes in the circuit, the MUX ring oscillator is respectively arranged in different areas, the output result of the ring oscillator is sampled through a sampling program, and the oscillation frequency of the oscillator is displayed in a count value mode. And finally, the purpose of detecting the hardware Trojan horse is achieved by comparing the hardware Trojan horse with the output result of the credible model. The method realizes higher detection precision under the condition of introducing smaller area and power consumption overhead.)

1. A hardware Trojan horse detection method based on a MUX ring oscillator is characterized by comprising the following steps:

the method comprises the following steps: calculating the turnover probability of the node in the test circuit, and setting the threshold TP of the turnover probability of the circuit node_thPicking out the probability of turnover lower than TP_thDetermining the distribution of the nodes of the minority carrier waves;

step two: dividing a test circuit area according to the distribution of the few-state nodes, and determining the number of ring oscillators required;

step three: manufacturing a ring oscillator based on MUX into Hard Macro, and arranging the ring oscillator according to divided areas to complete regional configuration;

step four: enabling the MUX-RO, and sequentially sampling each inserted MUX-RO output result through a sampling program;

step five: and analyzing the output result of the count value of each ring oscillator, comparing the output result with the output result of the count value of the credible model to determine whether the test circuit contains the Trojan horse, and determining the insertion position of the hardware Trojan horse according to the deviation degree of the output results of different ring oscillators and the count values of the credible model.

2. The method of claim 1, wherein the MUX-based ring oscillator is configured as follows:

the ring oscillator comprises a first-level NAND and a fourth-level MUX, wherein a NAND output end is connected with a channel selection control signal end of the MUX, the output of each later-level MUX is connected with the channel selection control signal end of the next-level MUX, the output end of the last-level MUX is connected with an input end of the NAND, the output end of the last-level MUX is used as oscillation output, another port of the input end of the NAND level is an enable signal for controlling whether the oscillator is started, each level MUX has two input ends which are a VCC end and a GND end respectively, the VCC end is connected with a power supply network, the GND end is connected with the ground, when an enable end EN is 1, the ring oscillator starts oscillation, the round-trip switching between VCC and GND is carried out along with the change of the channel selection control signal of each level MUX, so that the high-low level of each level output is turned over, and the oscillation effect is achieved.

Technical Field

The invention belongs to the technical field of integrated circuit security detection, and particularly relates to a hardware Trojan horse detection method based on a MUX ring oscillator.

Background

Today's commercial globalization, the design and fabrication of integrated circuit chips is gradually becoming global. The marketing of integrated circuit chips is required to go through four stages of design, fabrication, packaging, and testing. Due to the advancement and complexity of integrated circuit products, and the more reasonable utilization of resources and capital allocation, the design and fabrication of monolithic integrated circuits is performed by a combination of entities, which is inexpensive to a co-venture or a foreign venture. The separation of the design and manufacturing processes of the integrated circuit brings great risks to the security of the integrated circuit, for example, a large number of third-party IP cores are multiplexed in the design stage, an untrusted mask exists in the manufacturing process, redundant packaging may exist in the packaging process, and the like, so that vulnerabilities for hardware security exist in each stage. These vulnerabilities give an attacker the opportunity to embed functionality not claimed in the device specification, which may reveal confidential information to the attacker, even disabling the device at some particular time in the future. Such malicious modification is defined as a hardware trojan.

The hardware trojan problem is threatening the safety of the integrated circuit seriously, once the chip inserted into the hardware trojan is applied to military equipment and the national economic core field, immeasurable loss is brought. Whether the hardware trojan exists in the integrated circuit is always a difficult problem and is gradually concerned by various countries, and researches on the detection and protection technology of the hardware trojan are gradually carried out. In recent years, with the development of hardware Trojan horse detection technology, a plurality of detection methods with obvious effects appear. At present, methods for hardware trojan detection mainly include: reverse engineering analysis, logic testing and side channel analysis. The three methods all belong to off-chip Trojan horse detection technologies and have certain limitations. Although reverse engineering analysis has high detection precision, the cost is high, the process is time-consuming, and irrecoverable damage can be caused to a circuit, and the reverse engineering analysis does not have certain universality. The logic test is a test method with the least noise influence and the highest stability, but the test mode generation is complex, and the Trojan horse which only changes the logic function of the internal circuit without changing the output result cannot be detected. The side channel analysis is a popular hardware Trojan horse detection technology at present due to high detection precision and few condition limitations. However, the side channel acquisition mode in the side channel analysis is easily affected by process variables and various noises, and may greatly affect the final test accuracy. In order to improve the detection accuracy, researchers have focused on the study of on-chip test methods. The on-chip test method realizes real-time monitoring of the test circuit by directly implanting the built-in self-test module into the FPGA, reduces the influence of noise on the test result and greatly improves the precision of the test result. In addition, the self-detection circuit is simple in structure and easy to design. The test process is convenient to operate, expensive test equipment is not needed, great convenience is brought to the safety test of the integrated circuit, and the test method has good universality.

Disclosure of Invention

The application provides a hardware Trojan detection method based on a MUX ring oscillator aiming at the problem that a smaller explicit Trojan detection effect is not obvious by the ring oscillator based on the inverter.

In order to achieve the purpose of the invention, the invention provides a hardware Trojan horse detection method based on a MUX ring oscillator, which comprises the following steps:

the method comprises the following steps: calculating the turnover probability of the node in the test circuit, and setting the threshold TP of the turnover probability of the circuit node_thPicking out the probability of turnover lower than TP_thDetermining the distribution of the nodes of the minority carrier waves;

step two: dividing a test circuit area according to the distribution of the few-state nodes, and determining the number of ring oscillators required;

step three: manufacturing a ring oscillator based on MUX into Hard Macro, and arranging the ring oscillator according to divided areas to complete regional configuration;

step four: enabling the MUX-RO, and sequentially sampling each inserted MUX-RO output result through a sampling program;

step five: and analyzing the output result of the count value of each ring oscillator, comparing the output result with the output result of the count value of the credible model to determine whether the test circuit contains the Trojan horse, and determining the insertion position of the hardware Trojan horse according to the deviation degree of the output results of different ring oscillators and the count values of the credible model.

The structure of the ring oscillator based on the MUX is as follows:

the ring oscillator comprises a first-level NAND and a fourth-level MUX, wherein a NAND output end is connected with a channel selection control signal end of the MUX, the output of each later-level MUX is connected with the channel selection control signal end of the next-level MUX, the output end of the last-level MUX is connected with an input end of the NAND, the output end of the last-level MUX is used as oscillation output, another port of the input end of the NAND level is an enable signal for controlling whether the oscillator is started, each level MUX has two input ends which are a VCC end and a GND end respectively, the VCC end is connected with a power supply network, the GND end is connected with the ground, when an enable end EN is 1, the ring oscillator starts oscillation, the round-trip switching between VCC and GND is carried out along with the change of the channel selection control signal of each level MUX, so that the high-low level of each level output is turned over, and the oscillation effect is achieved.

Compared with the prior art, the invention has the beneficial effects that the ring oscillator based on the multi-path selector is designed from the aspect of enhancing the voltage sensitivity of the ring oscillator, and the voltage sensitivity is greatly increased compared with the traditional ring oscillator based on the inverter because the VCC input end of the MUX stage can be directly connected with a power supply network. On the basis, in order to sense the voltage change of the circuit more accurately, an attacker stands for reverse thinking, divides the circuit according to the node distribution of the minority state, arranges the oscillators in different areas, and enables the oscillators to reflect the voltage change of the Trojan horse insertion position more accurately. And the structure is independent of the test circuit and does not influence the normal work of the test circuit. Compared with the circuit monitor directly inserted into the circuit less-state node, the area and power consumption overhead are greatly reduced due to the fact that the number of used gates is reduced, and the influence on a test circuit is small. In addition, the full-automatic sampling of the counting circuit can be realized by using a sampling program, and the Chipscope is used for sampling the counting result, so that the time investment is greatly reduced, the operation is simple, and certain practical significance and application value are realized.

Drawings

FIG. 1 is a flowchart illustrating a hardware Trojan horse detection method based on a MUX ring oscillator according to the present application;

fig. 2 is a schematic structural diagram of the MUX-based ring oscillator structure of the present application.

Detailed Description

It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.

The invention is described in further detail below with reference to the figures and specific examples. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.

The patent provides a hardware Trojan horse detection method based on a MUX ring oscillator, and designs a ring oscillator structure. The MUX ring oscillator is composed of an oscillating loop consisting of a first-stage NAND gate and a fourth-stage multiplexer. The circuit is divided according to the distribution of the few-state nodes in the circuit, the MUX ring oscillators are respectively placed in different areas, the output result of the ring oscillator is sampled through a sampling program, and the oscillation frequency of the oscillator is displayed in a counting value mode. And finally, the purpose of detecting the hardware Trojan horse is achieved by comparing the hardware Trojan horse with the output result of the credible model. The method realizes higher detection precision under the condition of introducing smaller area and power consumption overhead.

Fig. 1 is a flowchart of a hardware trojan detection method based on a MUX ring oscillator, and the method includes the following steps:

the method comprises the following steps: and calculating the turnover probability of the nodes in the test circuit. According to the turnover probability threshold TP of the set circuit node_thPicking out the probability of turnover lower than TP_thThe circuit node of (2) determines an off-state node distribution.

Step two: and dividing the test circuit area according to the less-state node distribution to determine the number of the required ring oscillators.

Step three: and manufacturing the ring oscillator based on the MUX into Hard Macro, and arranging the ring oscillator according to the divided areas to complete regional configuration.

Step four: the MUX-RO is enabled and each inserted MUX-RO output result is sampled (in count value fashion) in turn by a sampling routine.

Step five: the output of each ring oscillator count value is analyzed and compared to the trusted model (sample, circuit) count value output to determine if the test circuit contains a Trojan horse. And determining the insertion position of the hardware Trojan horse according to the deviation degree of the output result of the count values of different ring oscillators and the credible model.

Figure 2 is a MUX-based ring oscillator architecture consisting of one level NAND and four levels of MUX. The NAND output end is connected with the channel selection control signal end of the MUX, the output of each level of MUX is connected with the channel selection control signal end of the next level of MUX, the output end of the last level of MUX is connected with one input end of the NAND level, and the output end of the last level of MUX is used as oscillation output. The other port of the input end of the NAND stage is an enabling signal for controlling whether the oscillator is started or not. Each level of MUX has two input ends, namely a VCC end and a GND end, the VCC end is connected with a power supply network, and the GND end is connected with the ground. When the enable end EN is 1, the ring oscillator starts to oscillate, and switching between VCC and GND is performed along with the change of the channel selection control signal of each stage of MUX, so that the high and low levels output by each stage are inverted, and the oscillation effect is achieved. The oscillation frequency of the ring oscillator is determined by the total delay of the NAND and MUX, assuming that the delay of the NAND is t_daThe delay of MUX is t_dm. Assuming that the ring oscillator has n stages, the frequency of the n-stage ring oscillator is:

t can be ignored first_daInfluence of (1) primary analysis t_dmThe influence of (c). t is t_dmMainly determined by the circuit voltage drop, higher voltage drops have higher gate delays. The frequency obtained by equation (1) can also be expressed by equation (2) (for convenience of expression, t is assumed to be_da＝t_dm)：

Where α is an expression of velocity saturation exponent, V_DDRepresenting the voltage, V, at which the gate is connected_THRepresents the threshold voltage, μ_gCarrier transportRate, k_gIs the gate correlation constant. In the case of hardware trojan insertion, a voltage drop Δ V is introduced_TROJThereby changing the formula (2) to the formula (3):

from the above equation, it can be seen that if the test circuit voltage changes, the oscillation frequency of the ring oscillator is affected. Therefore, if the output oscillation frequency changes, a hardware trojan may be introduced into the circuit.

The turnover probability of a circuit node is an important parameter for measuring the activity of the circuit node, and the higher the turnover probability of a certain node in a circuit is, the more turnover times of the node are during testing, and the more easily the node is activated. Whether the method is a logic test method or a side channel analysis method, when the activated probability of the node is improved, the detection of the hardware trojan horse by the methods can be facilitated. If the signal probability of the input node of each logic gate in the circuit is known, the signal probability and the turnover probability of the output node of the logic gate can be obtained through calculation, and then the inversion probability of all nodes in the whole circuit can be calculated. Suppose that the probabilities of a certain circuit node being logic values 0 and 1 are p respectively₀And p₁Then the flip probability is defined as:

TP＝p₀×p₁ (4)

in order to make the hardware trojan not easy to be activated in the logic test process, an attacker usually accesses the input end of the hardware trojan to a node with low circuit turnover probability, which greatly increases the test time and the test cost of the logic test. It is based on this principle that we place the built-in self-detection structure at the node where the circuit flip probability is low, thereby more accurately detecting the voltage change at the potential insertion of the trojan. In addition, by making the built-in self-test structure into a Hard Macro, the influence of process variations can be reduced.

The application provides a ring oscillator structure based on MUX, and the ring oscillator is used for hardware Trojan horse detection as a built-in self-detection structure. The structure can be directly connected with a power supply network and is more sensitive to voltage change. Aiming at the condition that the ring oscillator network has larger area overhead, the circuit is divided according to the less-state node distribution in the circuit which is lower than a set threshold value, and a proper number of ring oscillators are selected to be arranged in the areas. The method can be used for more accurately detecting the voltage change at the potential hardware Trojan horse insertion position, optimizing the number of the ring oscillators and greatly reducing the area overhead. Can be flexibly matched with other hardware Trojan horse detection methods, and has certain practical significance and reference value

The technical means not described in detail in the present application are known techniques.

The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.