Trojan Awakener: Detecting Dormant Malicious Hardware Using Laser Logic State Imaging (Extended Version). (arXiv:2107.10147v5 [cs.CR] UPDATED)

The threat of hardware Trojans (HTs) and their detection is a widely studied
field. While the effort for inserting a Trojan into an application-specific
integrated circuit (ASIC) can be considered relatively high, especially when
trusting the chip manufacturer, programmable hardware is vulnerable to Trojan
insertion even after the product has been shipped or during usage. At the same
time, detecting dormant HTs with small or zero-overhead triggers and payloads
on these platforms is still a challenging task, as the Trojan might not get
activated during the chip verification using logical testing or physical
measurements. In this work, we present a novel Trojan detection approach based
on a technique known from integrated circuit (IC) failure analysis, capable of
detecting virtually all classes of dormant Trojans. Using laser logic state
imaging (LLSI), we show how supply voltage modulations can awaken inactive
Trojans, making them detectable using laser voltage imaging techniques.
Our technique therefore does not require triggering the Trojan. To support our
claims, we present three case studies on 28 nm and 20 nm SRAM- and flash-based
field-programmable gate arrays (FPGAs). We demonstrate how to detect, with high
confidence and in a non-invasive manner, small changes in sequential and
combinatorial logic as well as in the routing configuration of FPGAs. Finally,
we discuss the practical applicability of our approach to dormant analog
Trojans in ASICs.