**ORIGINAL RESEARCH**



# **Comprehensive Analysis on Hardware Trojans in 3D ICs: Characterization and Experimental Impact Assessment**

**Zhiming Zhang1 · Jaya Dofe<sup>2</sup> · Pruthvy Yellu1 · Qiaoyan Yu[1](http://orcid.org/0000-0002-7232-8529)**

Received: 4 April 2020 / Accepted: 8 June 2020 / Published online: 16 July 2020 © Springer Nature Singapore Pte Ltd 2020

#### **Abstract**

Three-dimensional (3D) integration facilitates to integrate an increasing number of transistors into a single package. Despite improved performance and power efficiency, the integration of multiple dies in the same package potentially leads to new security threats, such as 3D hardware Trojans. This work conducts a thorough survey on hardware Trojans reported in 3D integrated circuits (ICs) and systems, and proposes a comprehensive characterization of 3D hardware Trojans. Several case studies are performed to validate the feasibility of 3D hardware Trojan implementation. Our experimental results indicate that 3D ICs indeed provide a better environment for inserting stealthy thermal-based Trojans than 2D ICs. Multiple FPGA boards are utilized to conceptually emulate the stacked 3D ICs that experience multi-tier hardware Trojans. The stealthiness and efectiveness of the proposed multi-tier Trojans are validated in our case studies. The emulation results further show that the existing current-based self-referencing Trojan detection method designed for 2D Trojans will result in a lower detection rate in 3D scenarios.

**Keywords** Three-dimensional integration · Hardware Trojan · Trojan model · Side-channel analysis attack · Interconnect · Power distribution network (PDN) · Network-on-chip (NoC)

# **Introduction**

Three-dimensional (3D) integration is an emerging technology to ensure further growth in transistor density and performance of future integrated circuits  $(ICs)$   $[1, 2]$  $[1, 2]$  $[1, 2]$  $[1, 2]$ . It has been demonstrated that 3D techniques can be leveraged to reduce package size and power consumption while signifcantly improving bandwidth [\[3](#page-11-2)[–5](#page-11-3)]. Unfortunately, 3D techniques also bring in unique and unexplored security threats to 3D ICs [\[6](#page-11-4)]. Due to higher integration density and wider process/ voltage/temperature (PVT) variation [[7,](#page-11-5) [8\]](#page-11-6), it may be more challenging to address the security threats in 3D ICs than in 2D planar chips [\[9\]](#page-11-7).

This article is part of the topical collection "Hardware-Assisted Security Solutions for Electronic Systems" guest edited by Himanshu Thapliyal, Saraju P. Mohanty, Wujie Wen and Yiran Chen.

 $\boxtimes$  Oiaoyan Yu qiaoyan.yu@unh.edu

<sup>1</sup> University of New Hampshire, Durham, NH, USA

<sup>2</sup> California State University, Fullerton, CA, USA

Since 2007, hardware Trojans inserted in 2D ICs have been well studied in the literature [[10–](#page-11-8)[14](#page-11-9)]. To facilitate Trojan detection, researchers categorize hardware Trojans based on their distribution, structure, size, and logic type. Depending on the activation mechanism, a hardware Trojan can be classifed as internally or externally triggered. Based on how often hardware Trojans are triggered, the work [[15\]](#page-11-10) presents three types of Trojans: always-on, combinational condition triggered, and sequential condition triggered. Once the Trojan trigger condition arrives, the Trojan payload will execute the defned malicious operations, such as transmitting confdential information, modifying function, degrading performance, and consuming extra power.

Thanks to the mature models for 2D Trojans, various functional testing and side-channel analysis approaches have been proposed to detect diferent kinds of hardware Trojans in 2D ICs [\[11,](#page-11-11) [16–](#page-11-12)[18](#page-11-13)]. However, Trojan detection methods for 3D Trojans have not been widely explored yet. One important reason for that is the lack of a well-established 3D Trojan model. Due to the vertical integration of multiple tiers, 3D Trojans appear with diferent characteristics than 2D Trojans [\[19](#page-11-14)]. Thus, the commonly used Trojan detection

methods for 2D Trojans may not be efective to protect chips from 3D Trojans.

The preliminary version of this work introduces four 3D hardware Trojan models. In this work, we highlight the difference between 2D and 3D Trojans using architectural comparison and quantitative assessment with practical implementations. More specifcally, the main contributions of this work are summarized as follows.

- 1. Together with the preliminary version [\[19\]](#page-11-14), our work does the frst thorough survey on hardware Trojans in 3D ICs. Security threats and hardware Trojan models reported in the existing literature are compared in this work.
- 2. Four representable high-level 3D hardware Trojan cases are characterized. Practical examples for each Trojan model are provided for quantitative analysis. The diference between 2D and 3D Trojans are highlighted in our study.
- 3. As the thermal issue is prominent in 3D ICs, we designed a thermal-induced 3D hardware Trojan and examined its triggering speed and resilience against Trojan detection in a 3D environment for a pass-code authentication.
- 4. Multiple FPGA boards were utilized to emulate the multi-tier collaborative hardware Trojans, through which attackers can manipulate the function of the target tier without direct tampering on the victim circuit.
- 5. We examined the success rate of an existing 2D hardware Trojan detection method in the context of 3D ICs. Our simulation results show that the 2D approach operated in 3D chips is not as efective as it works in the 2D scenario.
- 6. Comparing to our preliminary work [\[19](#page-11-14)], this work provides new simulation and FPGA emulation examples for case 2 and case 3 Trojan models and also examines the Trojan detection rate of an existing 2D-level Trojan detection in the 3D scenario.

The rest of this paper is organized as follows: Sect. ["Our](#page-1-0) [Survey on Existing Hardware Trojans in 3D Integrated Cir](#page-1-0)[cuits and Systemss](#page-1-0)" summarizes the security threats and hardware Trojan models for 3D ICs discussed in the existing literature. Section ["Proposed Comprehensive Charac](#page-2-0)[terization of3D Hardware Trojans"](#page-2-0) proposes comprehensive characterization models for 3D Trojans and their practical implementations. Simulation and emulation results for the 3D Trojans are presented in Sect. ["Proposed Comprehensive](#page-2-0) [Characterization of3D Hardware Trojans"](#page-2-0), too. The efectiveness of a 2D hardware Trojan detection method applied in the scenario of 3D IC is examined in Sect. "[Examination](#page-9-0) [of A 2D Trojan DetectionApproach in 3D IC"](#page-9-0). This paper is concluded in Sect. ["Conclusion](#page-10-0)".

# <span id="page-1-0"></span>**Our Survey on Existing Hardware Trojans in 3D Integrated Circuits and Systems**

The increased number of dies in 3D ICs and vertical-dimension integration potentially leaves more attack surfaces open for adversaries to implement hardware Trojans. As multiple dies are vertically integrated into 3D systems, additional manufacturing steps are needed in 3D IC fabrication fow than in their 2D counterparts. Multiple foundries for dies and vertical interconnects will be involved in the 3D integration. In the current semiconductor business model, more and more chip designs are outsourced for fabrication. As a result, neither all single die fabrication foundries nor vertical interconnect manufacturers are trusted [\[6](#page-11-4), [20](#page-11-15)[–23,](#page-12-0) [26](#page-12-1)]. The die-to-die bonding may be performed in an untrusted foundry, too. In Fig. [1](#page-2-1), we label the possible attack surfaces for 3D Trojan insertion. Trojans can be placed by the singledie manufacturing foundries, independently or cooperatively. Since the bonding foundries have access to all the single dies, they have a more likely-hood to implement a Trojan involving multiple dies.

Based on the existing literature, we categorize the 3D Trojans in Table [1](#page-2-2), where we highlight the threat model with special emphasis on threat source and attack target. In addition to Trojan trigger and payload mechanisms, we also identify Trojan locations in 3D ICs. From Table [1](#page-2-2), we can see the nature of the 3D IC structure creates new opportunities for hardware Trojan design, for instance, thermal-based Trojans and cross-tier Trojans. In the next three subsections, we discuss the existing literature listed in Table [1](#page-2-2) according to their special trigger mechanisms and Trojan locations.

# **Thermal‑Triggered 3D Trojans**

The fact of poor heat dissipation in a stacked 3D IC can be exploited to develop Trojan triggers. Although the techniques such as heat sink, liquid cooling, thermal-driven floorplanning and routing, and thermal TSV insertion [[27](#page-12-2)] could address the thermal issue in 3D ICs at certain degree, the heat dissipation along a path could harm the tiers and degrade the chip performance [\[28](#page-12-3)]. The heat generated and accumulated in the chip will change the electrical parameters of transistors and the switching speed of logic gates. Thus, the system may have new (and unspecifed) transition states. The unexpected transition glitches can be employed to design Trojan triggers. As indicated in [\[20,](#page-11-15) [21](#page-11-16)], thermaltriggered Trojans can be inserted by any malicious foundries with access to the layout of designs. Those Trojans likely congregate near the middle tier, where heat dissipation is harder than in other tiers [\[21\]](#page-11-16). The work [[6](#page-11-4)] demonstrates that a thermal triggered Trojan may be hidden in 3D interposers. Thermal Trojans can speed up circuit component

#### <span id="page-2-2"></span>**Table 1** Existing work on hardware Trojan in 3D ICs





<span id="page-2-1"></span>**Fig. 1** 3D hardware Trojan insertion in untrusted foundries

aging and consequently lead to a Denial-of-Service (DoS) attack [[6\]](#page-11-4).

#### **Cross‑Tier 3D Trojans**

The multiple-die structure of 3D ICs allows attackers to spread the circuit for a Trojan to multiple tiers. This type of Trojans could be inserted by untrusted die manufacturers, interconnect foundries, and unifed foundries. The cross-tier concept means that either the trigger and payload circuits of cross-tier Trojans are separated into diferent tiers, or the trigger circuit split in multiple tiers is activated jointly to enable the payload [[22\]](#page-12-4). The cross-tier Trojans may not be detected by functional testing performed on each individual die since the Trojan trigger condition is extremely rare. The work [[23\]](#page-12-0) demonstrates a Trojan located in a diferent tier than the encryption unit facilitates to leak the secret key. Even if the untrusted foundry only has partial knowledge of the 3D chip, they can launch cross-tier Trojan attacks.

## **Trojans Exploiting Other 3D Features**

The work [[24](#page-12-5)] envisions a new hardware Trojan in stacked 3D ICs: a malicious die is placed between other tiers in the 3D stack. That malicious die, carrying Trojan circuits, may interrupt normal operations in other 3D tiers or store secret information passing through the Trojan tier. Due to the prominent process variation in 3D chips, it is not easy to diferentiate the extra delay induced by the 3D hardware Trojan. This type of Trojan can be inserted by untrusted die assemblers. For instance, the work [[25](#page-12-6)] describes that attackers from the bonding foundry could leverage outsourced dies to implement 3D Trojans. In [\[26\]](#page-12-1), the adversary is an untrusted die manufacturing foundry with access to GDSII fles.

# <span id="page-2-0"></span>**Proposed Comprehensive Characterization of 3D Hardware Trojans**

The existing literature mentioned in Table [1](#page-2-2) showcases diverse 3D Trojans, but they neither have a thorough discussion on the exact Trojan models nor provide quantitative impact assessment. This work flls the gap by characterizing four representable 3D hardware Trojan cases and quantitatively analyzing their practical examples in the following sections.

The major diference between 2D and 3D hardware Trojans is whether or not the Trojan trigger and payload circuits are located in the same tier where the target circuit resides. In 2D chips, the Trojan circuit co-exists with the victim in the same tier. One could perform testing or side-channel analysis to detect the presence of 2D Trojans. In contrast,

conventional testing on 3D chips is typically done in a separate fashion. The die for each tier is tested individually before 3D integration. Once the good dies are stacked vertically, limited testing will be performed to detect the defects between die-to-die connections, rather than extensively examining the correctness of the 3D system's behavior [\[29](#page-12-7)].

Based on our survey in Sect. ["Our Survey on Existing](#page-1-0) [Hardware Trojans in 3D Integrated Circuits and Systemss](#page-1-0)", we characterize the 3D hardware Trojan with four cases shown in Fig. [2](#page-3-0). To the best of our knowledge, our prior pub-lication [[19\]](#page-11-14) and this work are the first efforts that introduce comprehensive characterization for 3D hardware Trojans. The following subsections present four 3D Trojan cases in detail.

#### **Case 1: Cross‑tier Trojan Trigger**

#### **Characteristics**

In case 1, the trigger circuit of the 3D Trojan is placed in tier 1 while the payload circuit is located near the Trojan target. This type of 3D Trojan is similar to the 2D Trojans that are triggered by an external signal  $[30]$  $[30]$  $[30]$ , but it is more difficult to mitigate compared to the 2D Trojan. In 2D chips, the passive attack from the external trigger signals can be alleviated by adding shielding material or using unit isolation. In contrast, in 3D ICs, the external attack may be originated from the adjacent tiers, which are not removable after the 3D chip fabrication is completed. As heterogeneous 3D integration emerges, varieties of external trigger mechanisms could be implemented in the other 3D tiers, thus challenging the prevention of 3D Trojans. Moreover, since the payload circuit may never or rarely



<span id="page-3-0"></span>**Fig. 2** Proposed characterization of 3D hardware Trojans **Fig. 3** Thermal-triggered cross-tier Trojan

be enabled without the valid cross-tier trigger signal, the symptom of Trojan attacks will not be observed in typical functional testing. Thus, this type of Trojan is stealthy.

We illustrate the case 1 Trojan with an example shown in Fig. [3](#page-3-1). The trigger circuit is a heat generator in the top tier. The payload circuit is a temperature-sensitive resistor, which is built in the authentication unit in the middle tier. When the heat from the top tier propagates to the middle tier, the temperature-sensitive resistor could alter the delay of the critical path or cause timing violations, thus resulting in a malfunction of the authentication unit. As reported in [[21\]](#page-11-16), the heat from the middle tier of a 3D vertical stacking structure is accumulated easily due to the relatively long dissipation path to the heat sink. Hence, the thermal triggered Trojans will be more likely deployed in 3D integrated circuits and systems than its 2D counterpart.

We performed a transistor-level simulation in Cadence Virtuoso to demonstrate the impact of middle-tier heat dissipation on neighboring tiers. We collected the transient current of the nodes for load connection in the middle tier of our 3D power distribution network (PDN) model [[9\]](#page-11-7) to evaluate the thermal efect. Our target module for the thermal efect investigation is an 8-bit S-box module of AES. In the middle tier, we had 30 load nodes arranged as 5 rows by 6 columns and then captured the current of each node for 10 ns. The current collected in the 8th ns is shown in the contour graphs in Fig. [4](#page-4-0). Generally, the 3D PDN carries greater currents than the 2D PDN. Although the highest current for both 2D and 3D cases appears in the bottom left area where the S-box is located, the current distribution near the S-box is diferent in the 3D PDN compared to the 2D PDN. We highlight the diference with red dashed rectangles in Fig. [4](#page-4-0)a, b. Those observations make sense because any single tier in the 3D chip is not isolated but impacted by its neighboring tiers. Since the thermal dissipation of a circuit is proportional to its current, it is reasonable to believe that the temperature surrounding our target is infuenced by its neighboring tiers.



<span id="page-3-1"></span>

SN Computer Science A SPRINGER NATURE journal



<span id="page-4-0"></span>**Fig. 4** Current contour maps of **a** 2D and **b** 3D PDNs

#### **Example Analysis**

To perform quantitative analysis for the cross-tier 3D hardware Trojan, we conducted a case study on a platform composed of Xilinx Nexys3 Spartan-6 FPGA, TI MSP430FR6989 LaunchPad board, IRF540 MOSFET transistor, and an NTC thermistor. The purpose of this case study is to verify the implementation feasibility of the thermal Trojan (similar to the one shown in Fig. [3\)](#page-3-1) and compare its activation efficiency between the scenarios of 2D and 3D ICs. The overview of our experimental setup is depicted in Fig. [5.](#page-4-1) The main component of the heat generator circuit is a MOSFET driven by the FPGA board. The MOSFET could burn when its gate voltage exceeds a voltage threshold and the MOSFET temperature can be as high as 175 ◦C. The sensor circuit composed of an NTC thermistor and multiple resistors in series is powered by the TI microcontroller. When the thermistor senses an increase in the temperature in the surrounding air, its resistance starts to drop. This leads to a reduction in the voltage across the thermistor. To emulate the 2D scenario for comparison, we added a heat sink for the heat generator circuit, to provide a better heat dissipation which is commonly available in 2D ICs.



<span id="page-4-1"></span>**Fig. 5** Experimental setup for the emulation of thermal-triggered hardware Trojan in 3D ICs

An authentication system is programmed in the microcontroller to examine the password provided externally. The microcontroller also detects the voltage level of the thermistor. A Trojan trigger logic is programmed in the FPGA to monitor the two input signals controlled by the two switches on the FPGA board. The triggered Trojan turns on the MOS-FET (thus it starts to burn) to heat the temperature in the surrounding area. Once the thermistor senses the increased temperature, the microcontroller detects the change on voltage and then drives the authentication system to jump to the password reset status, which is usually only available to legal users. We successfully mimicked a 3D thermal-triggered hardware Trojan and overwrote the authentication password in our hardware demo [\[31](#page-12-9)].

Next, we compared the activation speed of the thermaltriggered Trojans for 2D and 3D scenarios. We used the microcontroller to implement a threshold comparator to examine the voltage level of the thermistor. If the voltage of a thermistor exceeds the threshold, the Trojan payload will reset the authentication password. We warmed the air surrounding the thermistor with and without the heat sink to mimic 2D and 3D scenarios, respectively. A timer is used to measure the time that the thermistor takes to drop the voltage below the threshold for each case. The results shown in Table [2](#page-5-0) indicate that the Trojan activation time in the 2D scenario is almost twice compared to the 3D case. This means it is easier to implement thermal-triggered Trojans in 3D ICs than in 2D chips. We also measured the speed of temperature changing, which is refected in the resistance of the thermistor. The dropping trend of the resistance in Fig. [6](#page-5-1)

<span id="page-5-0"></span>**Table 2** Trojan activation efficiency





<span id="page-5-1"></span>**Fig. 6** Resistance dropping of the thermistor used in Fig. [5](#page-4-1)

implies that the NTC thermistor's resistance for the 3D case drops faster than the 2D. This fact further confrms that heat can be better accumulated in 3D than 2D. Thus, 3D ICs will provide a better environment to facilitate the implementation of thermal-based Trojans than 2D ICs.

#### **Case 2: Cross‑tier Trojan Payload**

#### **Characteristics**

In the Trojan described in case 2, the payload is located in the top tier (tier 1), from where it is relatively easy to probe and measure side-channel signals than from the middle tier. The motivation of this type of 3D Trojan is to steal confdential information from the victim unit. Essentially, the stacked structure of 3D ICs provides a reliable medium for attackers to collect information from the middle and bottom tiers. In addition, as the payload resides in another tier, the efect of this kind of Trojans will not be observable while testing on the individual tiers. Here, we assume that the trigger circuit is small enough to hide its area, delay, and power overhead. This assumption is as reasonable as what we usually have in 2D ICs.

The cross-tier Trojan can facilitate the development of a covert channel to leak information. The victim unit could be an encryption engine, such as the one shown in Fig. [7](#page-5-2). The crypto key is loaded from the volatile memory in the top tier. To prevent the leaked key from being visible during the middle tier testing, the pilfered key is frst transformed into another format (i.e., obfuscated key), and then the Trojan passes the obfuscated key to the rarely used main memory



<span id="page-5-2"></span>**Fig. 7** An example of key leaking via the covert channel formed by a hardware Trojan in a stacked 3D IC

<span id="page-5-3"></span>**Table 3** Parameters for TSV and wire model

| TSV Model (per TSV) [32]                           |  |                                     |                                                |                 |  |  |  |  |
|----------------------------------------------------|--|-------------------------------------|------------------------------------------------|-----------------|--|--|--|--|
| Diameter                                           |  |                                     | Height Pitch Resistance Inductance Capacitance |                 |  |  |  |  |
| $10 \mu m$                                         |  | $60 \mu m$ 20 $\mu$ m 20 m $\Omega$ |                                                | 34.94 pH 283 fF |  |  |  |  |
| RC Model for Local Wire Interconnect (per mm) [33] |  |                                     |                                                |                 |  |  |  |  |
| Resistance                                         |  | Capacitance                         |                                                |                 |  |  |  |  |
| $3.31 \text{ k}\Omega$                             |  | 170.59 fF                           |                                                |                 |  |  |  |  |

in the top tier. When we test the top tier, the main memory functions normally. The separated testing on the middle tier will not reveal the presence of the 3D Trojan because the key is obfuscated. However, the key will be leaked by the covert channel built by the cross-tier 3D Trojan since the attacker knows how to de-obfuscate the key.

#### <span id="page-5-4"></span>**Example Analysis**

In this subsection, we use a combination of transistor-level simulation and FPGA emulation to demonstrate the feasibility of leaking the AES secret key via cross-tier Trojans. We implemented the cross-tier hardware Trojan and the 3D system shown in Fig. [8](#page-6-0) in Cadence Virtuoso with a 45 nm NCSU FreePDK technology [[32\]](#page-12-10). The PDN in each tier of the stacked 3D structure is mainly composed of a global power grid and a virtual grid. TSVs connect the global power grids in nearby tiers. The parameters for the TSV and wire model are listed in Table [3](#page-5-3). The parameters are verifed by [[32,](#page-12-10) [33\]](#page-12-11). Our transistor-level 3D circuit nearly matches the practical 3D IC. The crypto unit adopted here is a transistor-level AES S-box. To ensure the unipolarity of the channel between key and TSV, a bufer is located in the middle of the channel (not shown in the diagram) so that we can prevent the power data from being transmitted



<span id="page-6-0"></span>

back to the S-box to hinder normal operation. The hardware Trojan shown in Fig. [8](#page-6-0) stealthily passes the secret key to a nearby 3D tier. The main component of the Trojan is a capacitor connected with the PDN. Each key is assigned to one Trojan capacitor. The Trojan capacitors are charged or discharged based on the key bits transmitted through TSVs. The charges stored in the Trojan capacitor  $C_T$  will facilitate the side-channel analysis for the crypto key retrieval. The capacitor  $C_T$  acts like a decoupling capacitor, which can keep the supply power stable. In this way, the normal function of the nearby tier will not be afected so that the stealthiness of the inserted Trojan can be achieved.

In our experiment, we set the key bits to "11111111", and varied  $C_T$  from 10fF, 1132fF, to 11320fF. The power consumption of the S-box without Trojan or with diferent Trojan loads was measured and compared. As shown in Fig. [9](#page-6-1)a, a smaller Trojan capacitor leads to a smaller power change, but the power diference induced by the Trojan is still less than 2.5% even though we increase  $C_T$  to 11320fF. However, the power profles for diferent Trojan capacitors are consistent. The slight but consistent variation on the power profle is an important quality to ensure the stealthiness of the cross-tier Trojan. We kept the capacitance of the Trojan as 11320fF but changed the key bits from "11111111", "00000000", "01010101", to "01001011". The power consumption for these four cases is shown in Fig. [9](#page-6-1)b. It can be observed that the power consumption for each key is unique. Thus, we can correlate the new power profle with the key used in the crypto unit.

Next, we used a SAKURA-G FPGA assessment kit to conduct a side-channel analysis on an AES affected by the cross-tier Trojan. The Trojan model AES-T1000 published on Trust-hub was modifed to mimic the 3D Trojan described in Fig. [8.](#page-6-0) The main diference is, we used FPGA pins to mimic the Trojan capacitors. Each key bit additionally drives eight FPGA pins. Due to the capacitor induced by the Trojan, the total power consumption of the AES module is slightly changed. However, the power diference due to the Trojan accelerates the correlation power analysis (CPA)



<span id="page-6-1"></span>**Fig. 9** Impact of cross-tier Trojans on the power consumption of an AES S-box. **a** Power diferences caused by the Trojans implemented with diferent Trojan capacitors, and **b** unique power profles induced by the same Trojan that snoops the AES S-box with diferent keys

attack. The key retrieval processes for cases of without Trojan and with Trojan are shown in Fig. [10.](#page-7-0) The red lines represent the 16 key bytes of AES. As the number of analyzed traces increases, the red lines are getting out of the green zone, which means the key bytes are being retrieved. As a result, the CPA attack on the AES with Trojan is able to retrieve all the key bytes within the use of 6000 power traces. Given the same amount of power traces, the CPA attack without Trojan retrieves only 14 key bytes out of 16 since two lines are still buried in the green zone. This indicates that the Trojan implemented in this example could ease the CPA attack.

#### **Case 3: Multi‑tier Collaborative Trojan**

## **Characteristics**

There may emerge another kind of 3D Trojan, multi-tier collaborative Trojan, which is more sophisticated than the cross-tier Trojan trigger and payload. The multi-tier Trojan



<span id="page-7-0"></span>**Fig. 10** Correlation power analysis for the AES **a** without Trojan and **b** with Trojan

in case 3 shown in Fig. [2](#page-3-0) is activated by the two trigger circuits from tiers 1 and 2, respectively. Compared to hardware Trojans in 2D ICs, the multi-tier Trojan trigger has signifcantly lower Trojan triggering probability due to a larger pool of trigger signals. Moreover, the collaborative Trojan trigger could be a combination of diferent trigger mechanisms (e.g., temperature, voltage level, and electromagnetic fux). Multi-tier collaborative Trojans represent the scenario that attackers exploit the security weaknesses of other tiers in the 3D system to breach the target tier with strong security mechanisms, instead of compromising the target tier directly. In terms of cost and efectiveness, multitier Trojans are more likely to appear in 3D chips than a single-tier Trojan.

We implemented an example of a multi-tier collaborative Trojan in a 3D system with four tiers. Two FPGA boards, each including two FPGA chips, were utilized to emulate the 3D system. The schematic diagram and FPGA setup are shown in Fig. [11a](#page-7-1), b, respectively. Tiers 1 and 2 are weak in the sense of resistance against hardware Trojan insertion. Thus, two hardware Trojan triggers were placed in those two tiers. The 3D Trojan manipulates the signals passing images from tiers 1 and 2 to tier 3. Due to their low trigger probability, sequential hardware Trojan (SHT) triggers were applied in this example. When the SHT trigger is active, the vertical data communication is compromised such that the valid indication signals  $vd_a$  and  $vd_b$  will allow improper operands *a* and *b* to propagate to tier 3. Consequently, the

SN Computer Science A SPRINGER NATURE journal



<span id="page-7-1"></span>**Fig. 11** Multi-tier collaborative hardware Trojan. **a** Conceptual diagram, **b** multi-FPGAs experimental setup, **c** normal output, and **d** Trojan afected output

compromised inputs  $\widetilde{vd}_a$  and  $\widetilde{vd}_b$  lead the Trojan target circuit to behave differently  $(\widetilde{g})$  than the normal specification  $(g)$ . Once the valid signals are compromised by the 3D Trojans, the integrity of the images received by tier 3 will be sabotaged. As a result, image-based authentication will fail.

#### **Example Analysis**

In the FPGA platform, we connected those FPGA chips with external wires so that the tier-to-tier communication can be manipulated and observed via the oscilloscope. Figure [11c](#page-7-1) illustrates that the square-wave signal from tier 1 (the yellow line on the top) is not passed to tier 3 (as the blue signal on the bottom is fat). When the Trojan is triggered, a portion of the yellow line is copied to the blue signal as shown in Fig. [11d](#page-7-1). This indicates that the multi-tier collaborative Trojan manipulates the signal flter, which is controlled by the valid signal, and transfers invalid or even malicious data to the target tier. Assume tier 3 in the 3D system examines

whether the images from the top two tiers are highly correlated and then enables the critical mission programmed in tier 3. If the valid signals  $vd_a$  and  $vd_b$  are tampered by the multi-tier collaborative Trojan, dummy image rows will be dumped to tier 3. Five images shown in Fig. [12](#page-8-0) are adopted for correlation analysis in the 3D system mentioned above. Clearly, Fig. [12](#page-8-0)b–e are diferent than Fig. [12](#page-8-0)a, thus the image correlation cannot get close to 0.9. However, when the valid signals for enabling image transfer between tiers are compromised, the image correlation could approach to 0.9 if the hardware Trojan is able to manipulate  $vd_a$  and  $vd_b$  for a time period long enough to dump 100 dummy image rows.

#### **Case 4: Multi‑tier Synergic Trojan Payload**

#### **Characteristics**

When an IC is expended from planar to vertical dimension, the corresponding Trojan payload will be distributed to multiple tiers as well. In case 4 shown in Fig. [2,](#page-3-0) the Trojan circuit snoops the data (or even the side-channel signal) available in tier 2. As a result, the confdential information is leaked from tier 2 to other tiers. Often time, both the Trojan trigger and payload are located in the diferent tiers than the target one. Alternatively, a thin Trojan tier can be integrated into the 3D stack structure to provide fexible and precise control on the snooped information without incurring

<span id="page-8-0"></span>**Fig. 12** Impact of multi-tier collaborative hardware Trojans in an image authentication application. **a** Image generated in tier 1, **b**–**e** images for comparison provided by tier 2, and **f** correlation analysis results obtained from tier 3

noticeable delay overhead [\[24\]](#page-12-5). We further envision that a 3D Trojan payload could achieve a synergic attack efect in multiple tiers, rather than infuencing each tier independently. In summary, a multi-tier synergic Trojan has the potential to impact a bigger area than a 2D Trojan. It will be challenging for module-level testing for a subsystem to identify the underlying security threat in the 3D system. The symptom of a synergic Trojan may seem benign from the viewpoint of a small local area. More importantly, the increased impact area of the synergic Trojan payload will make the technique of isolating malicious hardware inefective or unrealistic since multiple tiers are involved.

#### **Example Analysis**

3D network-on-chip (NoC) [\[34](#page-12-12), [35\]](#page-12-13) has been demonstrated as a promising infrastructure to integrate increasing transistors in multiple tiers. 3D NoC eliminates the need for long global interconnects and reduces the voltage droop and power consumption on long wires. A rogue 2D NoC leads to information leaking and bandwidth depletion [\[36](#page-12-14)]. If NoC-based 3D ICs have a synergic Trojan placed in some IP cores or 3D switches, that Trojan leads to a similar consequence, as shown in Fig. [13](#page-9-1). The rogue IP core sends an NoC instruction packet to the rogue switch. Next, the rogue switch passes that malicious packet to the victim IP core in the bottom tier. As a result, the multi-tier synergic Trojan



SN Computer Science A SPRINGER NATURE journal

<span id="page-9-1"></span>



eventually causes the victim IP core to have malfunctions. Or, the rogue switch in the middle tier could trigger a livelock between the middle and bottom tiers. The proposed multi-tier synergic Trojan is stealthy because the hardware of the rogue IP core and switch has high similarity with the normal ones and the 'rogue' feature is only visible at the arrival time of special NoC packets. Figure [13](#page-9-1) illustrates another practical example of the case 4 Trojan model. The rogue switch and IP core tampered by a hardware Trojan monitor the special packet transferring through the middle tier and the packet of interest in the rogue IP core is stored for future use and analysis. In the case of passing malicious packets in NoCs, the rogue IP core is the Trojan trigger to initialize the attack by issuing the malicious instructions. The rogue 3D switch is the payload, which causes malfunction by delivering malicious instructions to the victim IP cores. The trigger and payload are from diferent tiers but none of them is in the same tier where the victim locates. In the case of information leaking, the payload formed by a rogue 3D switch is responsible for leaking NoC packets. Although the trigger and payload for this case are in the same tier, they remotely control the victims in other tiers. The Trojan type proposed in this subsection is non-invasive. Moreover, the snooping attack is hidden in the normal data transmission of the middle tier. Side-channel analysis of the entire system may not be able to detect the presence of such hardware Trojans.

# <span id="page-9-0"></span>**Examination of a 2D Trojan Detection Approach in 3D IC**

The existing Trojan detection methods are mainly designed for the Trojans in 2D ICs. Due to the unique characteristics of 3D Trojans, as analyzed in Sect. "[Proposed Comprehen](#page-2-0)[sive Characterization of3D Hardware Trojans"](#page-2-0), they may not work well in 3D scenarios. Split manufacturing may impact the hardware Trojan insertion in 3D ICs at some

SN Computer Science A SPRINGER NATURE journal

level. However, the adversaries in untrusted foundries with partial design details might be able to reverse engineer the whole design. Once the design is recovered, attackers can continue to insert Trojans. On the other hand, split manufacturing is not for securing the stacked 3D ICs in which every single tier is complete. This type of 3D IC is addressed in this work. New countermeasures specifcally for 3D Trojans are needed.

In this section, we applied an existing approach  $[11]$  $[11]$  $[11]$ , originally designed for 2D Trojans, to a 3D system and compared the efectiveness of Trojan detection in 2D and 3D ICs. As 3D chips have severe internal noise, we suspect that Trojan detection using side-channel signals will lose its detection accuracy. Thus, we chose a current based Trojan detection method.

## **Description of Trojan Detection Method for 2D ICs**

The Trojan detection method we examined is Temporal Self-Referencing (TeSR) [[11\]](#page-11-11). In TeSR, a special test vector generator offers the input sequence to ensure the system go through the identical state transitions in a period of time. A Trojan-free system should obtain identical current signatures in two consecutive time windows when it goes through the same state transitions. Any mismatch between the two current signatures will indicate the presence of a hardware Trojan. This method may not work well in 3D scenarios because of the greater internal noise in 3D ICs.

#### **Targeted Hardware Trojan**

In the following experiment, we inserted the same MOLES Trojan mentioned in [\[37\]](#page-12-15) to the 2D and 3D circuits. The MOLES Trojan is composed of a set of registers as a ring generator to generate a series of random numbers, which will be XORed with the key information. The XOR outputs will drive a set of capacitors. Attackers who know the implementation details of the ring generator can decode the

obfuscated key information via power analysis. However, the power consumed in the load capacitors seems like noise if the random sequence is unknown. In the 2D case, MOLES was implemented as an external circuit on the same tier of the target circuit. In the 3D scenario, MOLES and the victim circuit were placed in two diferent tiers.

# **Efficiency of TeSR Trojan Detection Method in 2D and 3D ICs**

We adopt the metric *point-wise Euclidean distance (PWED)* between the two current signatures to assess Trojan detection efficiency, following the similar process used in the work [\[11\]](#page-11-11). The PWED for the Trojan-free case (i.e. TrojanFree) is considered as the noise threshold. If the PWED measured from the Trojan injected case (i.e., *PWED<sub>TroimIn</sub>*) is higher than that measured from the Trojan-free case (i.e., *PWED<sub>rojan</sub>*, the hardware Trojan is detected.

We implemented the TeSR Trojan detection method in the transistor-level 3D IC model built with a 45nm NCSU FreePDK technology [[32\]](#page-12-10). The detailed setting is as same as what described in Sect. ["Example Analysis"](#page-5-4)). One, two, four, six, and eight S-boxes were applied for the purpose of sweeping the size of the victim circuit. The number of registers in the MOLES ring generator was varied to observe the impact of Trojan size on Trojan detection efficiency.

Our simulation results shown in Fig. [14](#page-10-1) confrm that the TeSR Trojan detection method is generally less efective in the 3D scenarios than in the 2D cases. The inserted MOLES Trojan can be successfully detected in the 2D environment for all victim sizes tested in the experiment. In contrast, the Trojan in the 3D scenario is not detected in most of the cases because the 3D  $PWED$ <sub>Troian</sub><sup>1</sup><sub>Inian</sub><sup>1</sup> is lower than  $PWED$ <sub>TroianFree</sub>. We further zoom in the PWEDs for diferent test cases and define the confidence level of Trojan detection *Confidence*<sub>HTD</sub> as the expression shown in Eq.  $(1)$  $(1)$ .

$$
Confidence_{HTD} = \frac{PWED_{TrojanIn} - PWED_{TrojanFree}}{PWED_{TrojanFree}}
$$
\n(1)

Table [4](#page-10-3) shows *Confidence<sub>HTD</sub>* for all the test cases reported in Fig. [14](#page-10-1). A positive percentage means that the Trojan is detected. A higher percentage stands for better confdence in the detection result. If the positive percentage is too small, our detection conclusion may be changed by the interruption from some internal noise or process variations. Although TeSR achieves a positive confdence value in the 3D TrojanIn with 2 S-boxes case, the percentage of 12.61% is not as high as that in most of the 2D cases. A negative percentage in Table [4](#page-10-3) indicates that the TeSR fails to capture the Trojan. To conclude, the MOLES Trojans in most of the 3D scenarios are not recognized by the TeSR approach.



<span id="page-10-1"></span>**Fig. 14** Trojan detection results achieved by the TeSR approach applied in **a** 2D and **b** 3D ICs with diferent sizes of victim circuits

<span id="page-10-3"></span>**Table 4** Trojan detection confdence for diferent victim sizes

|            |            | +80.06%                                     | $+48.00\%$<br>$-28.74\%$ |
|------------|------------|---------------------------------------------|--------------------------|
| $-21.99\%$ | $+12.61\%$ | $+31.07\%$ $+11.84\%$ $+12.80\%$<br>-61.30% | $-24.32\%$               |

<span id="page-10-2"></span>Next, we swept the size of the MOLES Trojans from 20 to 80 registers and obtained the corresponding PWED shown in Fig. [15](#page-11-17). As can be seen, the PWED for all 3D TrojanIn cases is less than the TrojanFree case. This indicates that the TeSR approach fails to detect the MOLES Trojans inserted in the 3D circuits even if the Trojan size increases. Another observation we had from our case study is, the PWED does not monotonically increase or decrease with the Trojan size. This is summarized in Table [5](#page-11-18).

# <span id="page-10-0"></span>**Conclusion**

Three-dimensional integration techniques for integrated circuits leverage vertical-dimension space to increase the chip density and provide better performance than two-dimensional



<span id="page-11-17"></span>**Fig. 15** Trojan detection efficiency of TeSR against 3D MOLES Trojans with diferent sizes

<span id="page-11-18"></span>**Table 5** Trojan detection confdence for diferent Trojan sizes

| 3D TrojanIn | 3D TrojanIn | 3D TrojanIn | 3D TrojanIn |
|-------------|-------------|-------------|-------------|
| 20 regs     | 30 regs     | 40 regs     | 80 regs     |
| $-21.99\%$  | $-46.34\%$  | $-16.94\%$  | $-33.15%$   |

chips. However, the increased number of transistors in a small footprint leaves more exploration space for attackers to insert stealthy hardware Trojans. Trojans in planar integrated circuits are well modeled and understood, but there is limited work available to investigate hardware Trojans specifcally in 3D ICs. This work summarizes the existing effort on 3D hardware Trojans. To improve the awareness of potential attacks that could succeed in 3D ICs, this work characterizes four representable 3D hardware Trojan cases and provides practical simulation/emulation examples for each model. To the best of our knowledge, this is the frst comprehensive work that analyzes the 3D Trojan models, especially for cross-tier and multi-tier Trojans, and demonstrates their impact with the quantitative assessment. Our experimental results show that 3D Trojans are feasible to be implemented in 3D integrated circuits and systems. We advocate the research community to investigate unique Trojan detection methods for 3D hardware Trojans.

**Acknowledgements** This work was supported in part by Semiconductor Research Corporation (SRC) and National Science Foundation award no. 1717130.

## **Compliance with Ethical Standards**

**Conflict of interest** The authors declare that they have no confict of interest.

# **References**

<span id="page-11-0"></span>1. Labrak L, O'Connor I. Heterogeneous system design platform and perspectives for 3D integration. In Proceeding of IEEE International Conference on Microelectronics, 2009; pp. 161–164.

- <span id="page-11-1"></span>2. Xue L, Liu CC, Kim H-S, Kim SK, Tiwari S. Three-dimensional integration: technology, use, and issues for mixed-signal applications. IEEE Trans Electron Devices. 2003;50(3):601–9.
- <span id="page-11-2"></span>3. Tummala RR. 3d system package architecture as alternative to 3d stacking of ics with tsv at system level. In: *2017 IEEE International Electron Devices Meeting (IEDM)*, 2017; pp. 3.4.1–3.4.3.
- 4. Tanaka T, 3d-ic technology and reliability challenges. In: *2017 17th International Workshop on Junction Technology (IWJT)*, 2017; pp. 51–53.
- <span id="page-11-3"></span>5. Li L, Su P, Xue J, Brillhart M, Lau J, Tzeng PJ, Lee CK, Zhan CJ, Dai MJ, Chien HC, Wu ST. Addressing bandwidth challenges in next generation high performance network systems with 3d ic integration. In: 2012 IEEE 62nd electronic components and technology conference, 2012; pp. 1040–1046.
- <span id="page-11-4"></span>6. Dofe J, Yu Q, Wang H, Salman E. Hardware security threats and potential countermeasures in emerging 3D ICs. In: Proceedings of GLSVLSI'16. ACM, 2016; pp. 69–74.
- <span id="page-11-5"></span>Juan D, Garg S, Marculescu D. Statistical thermal evaluation and mitigation techniques for 3D Chip-Multiprocessors in the presence of process variations. In: Proceedings of DATE'11, 2011; pp. 1–6.
- <span id="page-11-6"></span>8. Garg S, Marculescu D. System-level process variability analysis and mitigation for 3D MPSoCs. In: *Proceedings of DATE'09*, 2009; pp. 604–609.
- <span id="page-11-7"></span>9. Dofe J, Yu Q. Exploiting PDN Noise to Thwart Correlation Power Analysis Attacks in 3D ICs. In: 2018 ACM/IEEE International Workshop on System Level Interconnect Prediction (SLIP), 2018; pp. 1–6.
- <span id="page-11-8"></span>10. Tehranipoor M, Koushanfar F. A survey of hardware trojan taxonomy and detection. IEEE Des Test Comput. 2010;27(1):10–25.
- <span id="page-11-11"></span>11. Narasimhan S, Wang X, Du D, Chakraborty RS, Bhunia S, TeSR: A robust Temporal Self-Referencing approach for Hardware Trojan detection. In: 2011 IEEE International Symposium on Hardware-Oriented Security and Trust, 2011, pp. 71–74.
- 12. Bhasin S, Regazzoni F. A survey on hardware trojan detection techniques. In: IEEE International Symposium on Circuits and Systems (ISCAS). 2015;2015:2021–4.
- 13. Li H, Liu Q, Zhang J. A survey of hardware trojan threat and defense. Integration. 2016;55:426–37.
- <span id="page-11-9"></span>14. Francq J, Frick F, Introduction to hardware trojan detection methods. In: Design, Automation Test in Europe Conference Exhibition (DATE). 2015;2015:770–5.
- <span id="page-11-10"></span>15. Inoue T, Hasegawa K, Yanagisawa M, Togawa N, Designing hardware trojans and their detection based on a svm-based approach. In: Proceedings of ASICON'17, 2017; pp. 811–814.
- <span id="page-11-12"></span>16. Zarrinchian G, Zamani MS. Latch-based structure: a high resolution and self-reference technique for hardware trojan detection. IEEE Trans Comput. 2017;66(1):100–13.
- 17. Salmani H, Tehranipoor M, Plusquellic J. A novel technique for improving hardware trojan detection and reducing trojan activation time. IEEE Trans Very Large Scale Integr VLSI Syst. 2012;20(1):112–25.
- <span id="page-11-13"></span>18. Banga M, Hsiao MS. Odette: A non-scan design-for-test methodology for trojan detection in ics. In: IEEE international symposium on hardware-oriented security and trust. 2011;2011:18–23.
- <span id="page-11-14"></span>19. Zhang Z, Yu Q, Modeling Hardware Trojans in 3D ICs. In: Proceedings of 2019 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), 2019; pp. 483–488.
- <span id="page-11-15"></span>20. Mossa SF, Hasan SR, Elkeelany O. Hardware trojans in 3-D ICs due to NBTI effects and countermeasure. Integration. 2017;59:64–74.
- <span id="page-11-16"></span>21. Hasan SR, Mossa SF, Elkeelany OSA, Awwad F. Tenacious hardware trojans due to high temperature in middle tiers of 3-d ics. In:

2015 IEEE 58th International Midwest Symposium on Circuits and Systems (MWSCAS), 2015; pp. 1–4.

- <span id="page-12-4"></span>22. Dofe J, Gu P, Stow D, Yu Q, Kursun E, Xie Y. Security threats and countermeasures in three-dimensional integrated circuits. In: Proceedings of the on Great Lakes Symposium on VLSI 2017. ACM, 2017; pp. 321–326.
- <span id="page-12-0"></span>23. Madani S, Bayoumi M. A Security-Aware Pre-partitioning Technique for 3D Integrated Circuits. In: Proceedings of MTV'17, 2017; pp. 57–61.
- <span id="page-12-5"></span>24. Alhelaly S, Dworak J, Manikas T, Gui P, Nepal K, Crouch AL. Detecting a trojan die in 3D stacked integrated circuits. In: 2017 IEEE North Atlantic Test Workshop (NATW), May 2017; pp. 1–6.
- <span id="page-12-6"></span>25. Madani S, Madani MR, Dutta IK, Joshi Y, Bayoumi M. A hardware obfuscation technique for manufacturing a secure 3D IC. In: Proceedings of MWSCAS'18, 2018; pp. 318–323.
- <span id="page-12-1"></span>26. Yang P, Marek-Sadowska M. Making split-fabrication more secure. In: 2016 IEEE/ACM international conference on computer-aided design (ICCAD), 2016; pp. 1–8.
- <span id="page-12-2"></span>27. Salah K, Survey on 3d-ics thermal modeling, analysis, and management techniques. In: 2017 IEEE 19th electronics packaging technology conference (EPTC), 2017; pp. 1–4.
- <span id="page-12-3"></span>28. King Jr CR, Thermal management of three-dimensional integrated circuits using inter-layer liquid cooling. Ph.D. dissertation, Georgia Institute of Technology (2012).
- <span id="page-12-7"></span>29. Marinissen EJ, Challenges and emerging solutions in testing TSVbased 2 1 over 2D- and 3D-stacked ICs. In: Proceedings of DATE '12, 2012; pp. 1277–1282.
- <span id="page-12-8"></span>30. Ngo XT, Najm Z, Bhasin S, Roy DB, Danger J-L, Guilley S. Integrated sensor: a backdoor for hardware trojan insertions? In: Proceedings of 2015 Euromicro conference on digital system design, 2015; pp. 415–422.
- <span id="page-12-9"></span>31. Zhang Z, Yu Q. 3D Thermal Triggered Hardware Trojan. Hardware Demo. In: IEEE International Symposium on Hardware Oriented Security and Trust (HOST), 2019. [https://easychair.org/](https://easychair.org/smart-program/HOST2019/2019-05-08.html#talk:90210) [smart-program/HOST2019/2019-05-08.html#talk:90210.](https://easychair.org/smart-program/HOST2019/2019-05-08.html#talk:90210)
- <span id="page-12-10"></span>32. Satheesh SM, Salman E. Power distribution in TSV-based 3-D processor-memory stacks. IEEE J Emerg Select Top Circ Syst. 2012;2(4):692–703.
- <span id="page-12-11"></span>33. Nguyen VH, Christie P, Heringa A, Kumar A, Ng R. An analysis of the efect of wire resistance on circuit level performance at the 45-nm technology node. In: Proceedings of IITC'05, 2005; pp. 191–193.
- <span id="page-12-12"></span>34. Jabbar MH, Houzet D, Hammami O. 3D multiprocessor with 3D NoC architecture based on Tezzaron technology. In: *Proceedings of 3DIC '11*, 2012; pp. 1–5.
- <span id="page-12-13"></span>35. Jiang L, Xu Q, Fault-Tolerant 3D-NoC architecture and design: recent advances and challenges. In Proceedings of NOCS '15, 2015; pp. 7:1–7:8. [https://doi.org/10.1145/2786572.2788709.](https://doi.org/10.1145/2786572.2788709)
- <span id="page-12-14"></span>36. Frey J, Yu Q, A hardened network-on-chip design using runtime hardware Trojan mitigation methods. Integration, the VLSI Journal, 2017; 56, 15–31. Available: [http://www.sciencedirect.com/](http://www.sciencedirect.com/science/article/pii/S0167926016300311) [science/article/pii/S0167926016300311.](http://www.sciencedirect.com/science/article/pii/S0167926016300311)
- <span id="page-12-15"></span>37. Lin L, Burleson W, Paar C. MOLES: Malicious off-chip leakage enabled by side-channels. *2009 IEEE/ACM International Conference on Computer-Aided Design - Digest of Technical Papers*, 2009; pp. 117–122.

**Publisher's Note** Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional afliations.