Trusted RTL: Trojan detection methodology in pre-silicon designs

In this paper, we propose a four-step approach to filter and locate malicious insertion(s) implanted in a third party Intellectual Property (3PIP). In our approach, we first remove those easy-to-detect signals whose activation and propagation are easy using functional vectors. The remaining signals are subjected to a N-detect full-scan ATPG tool to identify those which are functionally hard-to-excite and/or propagate. But unlike recognizing hard-to-detect signal(s), behavioral change brought about by these insertion(s) needs to be taken into account to narrow down their implantation locations. So in our third step, detection condition of suspect signals are cross checked against the spec by a suspect-signal-guided equivalence checking set-up. Finally, a region isolation approach is applied on the filtered signals to determine clusters of untestable gates in the circuit. Experimental results on ISCAS'89 benchmarks show that we are able to return a very small set of candidate locations where the stealthy malicious insertion could reside.