Hardware Trojans from Invisible Inversions: On the Trojanizability of Standard Cell Libraries

TL;DR

This paper investigates the inherent susceptibility of standard cell libraries to hardware Trojans, revealing that visually indistinguishable cells can be exploited to create stealthy Trojans, emphasizing the need for evaluation and defenses.

Contribution

It introduces new metrics for assessing cell library Trojanizability and demonstrates the feasibility of stealthy Trojans exploiting cell indistinguishability.

Findings

Clear differences between libraries in susceptibility.

Cells with identical visuals can implement different logic functions.

Constructed a stealthy privilege-escalation Trojan in a RISC-V core.

Abstract

At S&P 2023, Puschner et al. made a valuable dataset for hardware Trojan detection research publicly available. It contains a complete set of Scanning Electron Microscope (SEM) images of four different digital Integrated Circuits (ICs) fabricated at progressively smaller semiconductor technology nodes. Puschner et al. reported preliminary evidence that feature sizes affect Trojan detection performance, but they were unable to disentangle effects caused by insertion strategies or by degrading image quality from those intrinsic to the underlying standard cell libraries. Distinguishing those causes, however, is crucial to understand whether improved tooling (e.g., higher resolution imaging equipment) can remove the observed technology bias, or whether susceptibility to stealthy hardware Trojans is indeed an inherent property of a cell library. In this work, we dive deep into the S&P 2023 dataset to answer these questions. We first show that, using Puschner et al.'s metrics, such a separation is indeed difficult to establish. We then devise alternative metrics to more meaningfully assess and compare the potential susceptibility of standard cell libraries. We find clear differences between the evaluated libraries. However, in all cases we identify cells that implement distinct logic functions yet are visually indistinguishable in SEM images. We exploit this property to construct stealthy, standard-cell-based hardware Trojans and present a concrete case study: a privilege-escalation backdoor in an Ibex RISC-V core. Our results demonstrate that cell libraries can - and should - be evaluated for their potential "Trojanizability", and we recommend practical defenses.