Hardware Trojans from Invisible Inversions: On the Trojanizability of Standard Cell Libraries

📅 2026-03-22
🤖 AI Summary
This work addresses a critical security vulnerability in advanced process nodes, where standard cells with distinct logic functions can become visually indistinguishable in scanning electron microscopy (SEM) images, enabling highly stealthy hardware Trojans. The paper introduces, for the first time, the concept of “Trojanizability” along with a quantitative evaluation methodology. Leveraging the publicly available SEM dataset from S&P 2023, the authors propose novel metrics to decouple the effects of image quality, Trojan insertion strategies, and inherent cell library characteristics on Trojan detectability. Through reverse engineering of standard cells and functional comparison, they successfully implement an invisible inverter-based privilege escalation backdoor in the Ibex RISC-V processor, empirically validating the threat. Based on these findings, the study concludes with targeted mitigation recommendations.

📝 Abstract
At S&P 2023, Puschner et al. made a valuable dataset for hardware Trojan detection research publicly available. It contains a complete set of Scanning Electron Microscope (SEM) images of four different digital Integrated Circuits (ICs) fabricated at progressively smaller semiconductor technology nodes. Puschner et al. reported preliminary evidence that feature sizes affect Trojan detection performance, but they were unable to disentangle effects caused by insertion strategies or by degrading image quality from those intrinsic to the underlying standard cell libraries. Distinguishing those causes, however, is crucial to understand whether improved tooling (e.g., higher resolution imaging equipment) can remove the observed technology bias, or whether susceptibility to stealthy hardware Trojans is indeed an inherent property of a cell library. In this work, we dive deep into the S&P 2023 dataset to answer these questions. We first show that, using Puschner et al.'s metrics, such a separation is indeed difficult to establish. We then devise alternative metrics to more meaningfully assess and compare the potential susceptibility of standard cell libraries. We find clear differences between the evaluated libraries. However, in all cases we identify cells that implement distinct logic functions yet are visually indistinguishable in SEM images. We exploit this property to construct stealthy, standard-cell-based hardware Trojans and present a concrete case study: a privilege-escalation backdoor in an Ibex RISC-V core. Our results demonstrate that cell libraries can - and should - be evaluated for their potential "Trojanizability", and we recommend practical defenses.

Problem

Research questions and friction points this paper is trying to address.

Hardware Trojans
Standard Cell Libraries
Trojanizability
SEM Imaging
Integrated Circuits

Innovation

Methods, ideas, or system contributions that make the work stand out.

Hardware Trojans
Standard Cell Libraries
Trojanizability
SEM Imaging
RISC-V