🤖 AI Summary
Existing hardware Trojan detection methods struggle to identify stealthy Trojans embedded within standard cell libraries provided by untrusted vendors, creating a critical blind spot in security verification. This work proposes the first automated framework capable of generating cell-level hardware Trojans by identifying standard cell instances activated under rare input conditions in post-mapping circuits and injecting malicious payloads that trigger only under those specific conditions. By integrating circuit mapping analysis, rare-input pattern detection, and trigger-payload template injection, the approach supports diverse cell types in both combinational and sequential circuits. High-stealth Trojans generated on open-source benchmark circuits demonstrate the practical feasibility of such attacks, exposing a fundamental gap in current zero-trust IC design flows: the absence of cell-level verification mechanisms.
📝 Abstract
Hardware Trojans (HTs) pose significant threats across the Integrated Circuit (IC) design lifecycle because they can be inserted by untrusted entities at different stages under the zero-trust model. When triggered under rare conditions, HTs can compromise the functionality, reliability, or security of the fabricated chip. HT assessment is typically performed by modeling realistic Trojan insertion scenarios in RTL implementation or gate-level netlists. While this model is useful for evaluating detection methods, it does not capture attacks where malicious behavior is hidden inside standard-cell implementations from a compromised library supplied by an untrusted vendor. This paper presents a novel framework for automatically generating cell-embedded hardware Trojans using compromised standard-cell implementations. Our proposed framework analyzes a mapped design, identifies candidate cell instances with rare input conditions, and applies payload templates that corrupt the selected cell output only when the trigger condition is satisfied. Experiments on open-source combinational and sequential benchmark designs show that our proposed framework can generate valid and stealthy Trojan instances across different cell types and design sizes. The results highlight a critical gap in current Trojan detection assumptions and show the need for cell-aware validation of standard-cell implementations in zero-trust IC design flows.