HaTCh: A Formal Framework of Hardware Trojan Design and Detection, by Syed Kamran Haider and Chenglu Jin and Masab Ahmad and Devu Manikantan Shila and Omer Khan and Marten van Dijk

Use of third party 'closed source' IP cores has become a common practice in Electronic Design Automation (EDA) industry. However, these closed source IP cores can potentially contain hardware trojans. Since a closed source IP core is usually provided as a generic gate level netlist which is then instantiated in millions of chips, the adversary can exploit this scalability to infect millions of chips. Therefore, the first observation is that the trojans must be detected in pre-silicon phase; typically done through logic testing. Moreover, existing tools for hardware trojan detection claim to have a certain level of security by guaranteeing a certain (small) false negative rate for publicly available benchmarks. This implies that only this small constant set of benchmarks can be detected with zero (or small) false negative rate. Since an adversary can always create a new trojan which bypasses the detection tool tested on the small constant set of trojan benchmarks, a rigorous security framework of hardware trojans should characterize the potentially exponentially large class of hardware trojans that a tool can detect with negligible false negative rate. We present HaTCh, a first rigorous framework of hardware trojan design and detection within the paradigm of pre-silicon logic testing based tools. We first notice that for the group of non-deterministic hardware trojans/IP cores, no (logic testing based) tool exists that, given a security parameter \lambda, can detect all trojans in this group with overwhelming probability 1 − negl(\lambda). Then we propose, for the other (exponentially large) group of deterministic trojans/IP cores, a detection algorithm which detects any hardware trojan from that group with overwhelming probability 1 − negl(\lambda). If certain global characteristics regarding the stealthiness of such a hardware trojan are known, then detection becomes polynomial in the number of wires of the IP core. We implemented this algorithm and tested it on existing trojan benchmarks and also on a newly designed advanced trojan.