Programmable EM Sensor Array for Golden-Model Free Run-time Trojan Detection and Localization

Programmable EM Sensor Array for Golden-Model Free Run-time T rojan Detection and Localization Hanqiu W ang ECE Department, Univ ersity of Florida Gainesville, FL 32611 USA wanghanqiu@ufl.edu Max Panof f ECE Department, Univ ersity of Florida Gainesville, FL 32611 USA m.panoff@ufl.edu Zihao Zhan ECE Department, Univ ersity of Florida Gainesville, FL 32611 USA zhan.zihao@ufl.edu Shuo W ang ECE Department, Univ ersity of Florida Gainesville, FL 32611 USA shuo.wang@ece.ufl.edu Christophe Bobda ECE Department, Univ ersity of Florida Gainesville, FL 32611 USA cbobda@ece.ufl.edu Domenic Forte ECE Department, Univ ersity of Florida Gainesville, FL 32611 USA dforte@ece.ufl.edu Abstract —Side-channel analysis has been pr oven effective at detecting hardware T rojans in integrated circuits (ICs). Howev er , most detection techniques rely on large exter nal probes and antennas for data collection and require a long measur ement time to detect T r ojans. Such limitations make these techniques impractical for run-time deployment and ineffecti ve in detecting small T rojans with subtle side-channel signatures. T o overcome these challenges, we propose a Programmable Sensor Array (PSA) for run-time hardware T rojan detection, localization, and identification. PSA is a tampering-resilient integrated on-chip magnetic field sensor array that can be re-programmed to change the sensors’ shape, size, and location. Using PSA, EM side- channel measur ement results collected from sensors at different locations on an IC can be analyzed to localize and identify the T rojan. The PSA has better performance than con ventional external magnetic pr obes and state-of-the-art on-chip single-coil magnetic field sensors. W e fabricated an AES-128 test chip with four AES Hard ware T rojans. They wer e successfully detected, located, and identified with the proposed on-chip PSA within 10 milliseconds using our proposed cross-domain analysis. Index T erms —EM sensor , side-channel, Hardwar e T rojan I . I N T R O D U C T I O N Hardware T rojans (HTs) are malicious modifications in- serted into ICs by adversaries during the fabrication or design process. These alterations can disrupt system functionality , causing security and priv acy issues such as priv acy leakage, denial-of-service and privile ge escalation, etc. As the reliance on third-party designs and manufacturing continues to grow , the threat posed by HTs becomes more alarming. Over the years, researchers ha ve discov ered that HTs often produce de- tectable anomalies through side-channels like po wer consump- tion and electromagnetic (EM) emanations. The anomalies in side-channels can be detected after the chip is f abricated, either during the test phase or in run time, but often require costly external sensing setups and a golden model, a Trojan-free circuit used as a reference. This makes deploying some of these approaches in run time not applicable. Moreov er , many side-channel oriented techniques suffer from low resolution of the collected traces. As a result, on-chip sensors hav e gained attraction as a preferred solution. These sensors can intrinsically collect traces from EM side-channels through magnetic field coupling at run time with higher resolutions, thus ruling out the need for external measurement equipment (e.g., external probes, moving stages, etc.). Previous research by Jiaji et al. [1] used a single coil cov ering the entire chip area, which has low signal-to-noise ratio (SNR) issues. Consequently , this ap- proach couldn’t detect small HTs with few gates and required ov er 10,000 measurements to detect larger HTs. Its long mean time to detect (MTTD) limits its practical effecti veness. In this paper , we propose a Programmable Sensor Array (PSA) to address the limitations of Jiaji’ s work. Our im- prov ed design, sho wn in Figure 1a, consists of a crossbar-like structure. The PSA can be programmed to dif ferent sizes and shapes, allowing it to cover or uncover specific parts of the chip for better SNR and HT localization. At each crossing point in the wire grid, a transmission gate (T -gate) controls the node’ s connectivity . This allows the sensor array to hav e different shapes, locations, and sizes. The size of a single sensor within the PSA can also be programmed to approx- imately match the size of a HT , ensuring the highest magnetic field emanations from HTs are captured. The improved SNR of PSA enables almost instant runtime detection, reducing MTTD significantly . The contributions of this paper can be summarized as follows: • A no vel on-chip PSA for EM side-channel measurement with big advantages over e xisting techniques was pro- posed, dev eloped and validated. • A silicon demonstration of the proposed PSA to detect and localize active HTs on an AES design implemented with TSMC 65nm technology . • Significant SNR improvements with the proposed PSA compared to prior work. • Experimental validation of the PSA ’ s capability to detect, locate, and identify digital HTs within 10 ms with the proposed nov el cross-domain analysis technique. M e t a l 8 Via P o l y s i l i c o n ( G a t e o f M O S F ET ) T r a n s mi s s i o n G a t e S u b s tr a t e M e t a l 7 (a) Cross section Metal7 Metal8 Metal8 Metal7 Substrate Cross section M1 - M6 la yers and Insulator V ia T ransmission Gate V o+ V o - (b) A c tiv e r e g i o n P o l y si l i c o n M e t al 1 V i a V i a M e t al 2 Co n t r o l Co n t r o l _ b ar Co n t r o l 4 u m 3 . 2 u m (c) Fig. 1: (a)3D structure of on-chip PSA where top-level metals form the coils and transmission gate switches in the active layer control the size and shape at each intersection. (Only one MOSFET is shown for simplicity) (b)An example of PSA topology forming a 2-turn coil. The red dots denote the locations where switches are on. (c)T -gate layout. I I . T H R E AT M O D E L A N D P R I O R W O R K A. Run-time V erification V ersus T est-phase V erification The distinction between run-time and test-phase verifica- tions hinges primarily on the approach to HT detection. During the test phase, efforts are concentrated on the detection of HTs that can be intentionally triggered. The ef fectiv eness of HT detection is ev aluated based on the accuracy of feature and trace categorizations as well as the number of attempts needed to activ ate the T rojan. Most research focuses on developing algorithms to successfully trigger HTs within the minimum amount of time [2] [3]. Con versely , during run time, potential adversaries must first acti v ate an HT before it can be detected if the whole batch of ICs is infected with HT , which is also the assumption of this paper . The primary metric is the duration between the Trojan’ s acti vation and its detection. This encompasses recognizing the system’ s acti vation and discerning the triggering conditions, often referred to as the Mean T ime to Detect (MTTD) [4]. T o reduce the hardware overhead during the ev aluations, lightweight measurement and data processing components should be used. Bai et al. de veloped RASCv2 board, a compact 2cm x 2cm board that can replace an oscilloscope for side- channel analysis to detect malware [5] [6]. The board consists of two analog-to-digital conv erters (ADCs) for sampling EM and power side-channel traces, an EM antenna for signal capture, and an FPGA for data processing. The data processed by the FPGA are monitored by a security house via an onboard Bluetooth module, making run-time side-channel verification feasible. In this paper , we will integrate the concept of employing the RASC board (manufactured at a trusted facility) for data processing with the PSA ’ s on-chip measurement capabilities to detect HTs in a real-time and trusted manner . B. EM Side-channel Data Collection Methods There are sev eral existing techniques to detect and an- alyze EM side-channel leakage. T raditionally , external EM probes and oscilloscopes are used to collect EM side-channel emanation traces over IC packages. The captured signals will be analyzed in either the time or frequency domains to identify HTs [7]–[9]. T o improv e the quality of the collected traces and reduce overhead, He et al. introduced a single- winding on-chip EM sensor covering the whole chip to replace external probes [1]. In [9], Nguyen et al. introduced an EM backscattering-based T rojan detection approach. A transmitter antenna injects carrier signals into the IC, and the reflection signals that hav e been modulated with the acti vities of HTs are subsequently captured with a receiv er antenna to identify HTs. This technique can detect impedance variations resulting from HT acti vities, even if these HTs have very small current consumption. Compared with our proposed PSA detailed in Section III, existing measurement techniques hav e problems of low SNR, limited spatial resolution, complex implementations, etc. These issues result in the limitations of HT detection rates, HT localization, and runtime deplo yment. A comprehensi ve comparison will be presented in Section III-B. I I I . P R O G R A M M A B L E S E N S O R A R R AY ( P S A ) One of the main challenges of on-chip EM sensors is the balance among sensing area, accuracy , and cost. A single large sensing coil covering the entire chip is relativ ely easy to design and implement; howe ver , it could be inaccurate due to magnetic flux self-cancellation 1 . Multiple smaller coils on the same layer may improve the overall resolution but would have smaller signal magnitudes and coverage. Using coils across multiplemetal layers can a void these issues, b ut with e xtra cost. T o mitigate these problems, we propose the PSA technique that enables the customization of sensor size and position on the chip at run time. A. PSA T opology and Structur e PSA utilizes a wire grid that spans two metal layers, with a switch positioned at ev ery intersection. Each switch is essentially a transmission gate (T -gate), depicted in Figure 1c, comprising a single PMOS and NMOS gate connected in 1 Magnetic flux forming a small loop within a large sensor induces no voltage on it. parallel. The shape, size, and location of a sensing array can be programmed at run time by controlling specific switches, as shown in Figure 1b. The size and location of PSA can be programmed via T -gates by connecting or disconnecting different cross-points on the wire grid or lattice. The lattice, comprising sev eral rectangular sensing regions, can be used as part of the sensing array within the PSA. Adjusting the shape and size of the PSA enables the PSA to circumvent the self-cancellation issue highlighted in [1], with many advantages. For instance, it facilitates the localization of any detected HTs by reshaping the sensing array . It also elim- inates sensing boundary limitations or the need for significant ov erlap when employing multiple coils. Implementing such side-channel sensors on chip will raise concerns on PSA ’ s ability to execute side-channel attacks (SCA). Indeed, PSA itself does not protect from SCAs. But if adversaries can physically access the chip and conduct SCAs, it may be vulnerable to SCA regardless of the presence of PSA. Additionally , raw EM traces are not transmitted ov er any communication channels. Only processed data should be sent, and this can help prev ent SCAs. B. PSA Comparison with Prior W ork T o highlight the improv ement of the PSA-based HT de- tection technique over prior works, we made a comprehensive comparison in T able I. This comparison considers five criteria: HT detection accuracy , spatial resolution of the measurement, required number of traces, SNR, and feasibility for run-time deployment. The approaches relying on traces collected from con ven- tional external probes [7], [8] and on-chip single coils [1] fail to detect small HT with few gates (implemented as T3 in our chip in T able II). While Nguyen et al. [9] reports a 100% detection rate, their approach shares a common limitation with others: the inability to pinpoint the exact location of the HT on the chip. On the other hand, our PSA approach not only ensures a 100% detection rate b ut also stands out with the enhanced spatial resolution, pro viding the distinct capability of precisely identifying the HTs’ physical location. Due to low SNR, prior works often rely on statistical analysis, requiring numerous measurements to detect T ro- jans. For instance, Xiaolong et al. [7] and Jiaji et al. [1] compare the Euclidean distance between traces or explore the Euclidean distance distributions. Nguyen et al. [9] use Principal Component Analysis and K-means algorithm to categorize the collected spectra. These approaches require 100 to more than 10,000 measurements. In contrast, the EM side- channel traces from PSA exhibit sufficiently high SNR with an apparent difference between HT -inactiv e and HT -acti ve traces. Therefore, fewer than ten measurements are needed, leading to a significantly shorter MTTD and faster T rojan detection. For implementation complexity , unlike prior works necessi- tating cumbersome measurement devices [7]–[9], the PSA ap- proach does not need external probes so it has high feasibility for run-time deployment. Fujimoto et al. also exploited the on- chip power noise measurement(OCM) to execute Correlational T A B L E I : C O M P A R I S ON O F E M S I D E - C H A NN E L DAT A C O L LE C - T I O N M E T H OD S . Featur es External Probe [7], [8] Nguyen [9] On-chip Single Coil [1] PSA (pro- posed) HT Detection rate Low High Low High HT Localization No No No Y es Measurement# > 10,000 100 > 10,000 < 10 SNR 14.3dB N/A 30.5dB 41.0dB Run-time analysis No No Y es Y es Power Analysis with high SNR [10], [11], it is also possible to use such OCM to detect HT , but that requires further in vestigation. I V . P S A ’ S T A M P E R - R E S I L I E N C E Hardware T rojan risk primarily originates from Third Party Intellectual Property (3PIP) vendors and malicious foundries. Our PSA approach is tampering-resilient and can ef fectiv ely reduce the risks under both attacking scenarios. The effec- tiv eness of PSA in detecting and locating HTs will be prov ed with the experimental results of Subsection VI-D. This section introduces a fe w case studies demonstrating PSA ’ s resistance to tampering from either source. A. Case 1: Malicious 3PIP For malicious 3PIP attacks, as PSA is implemented on the two topmost metal layers after synthesizing the Register T ransfer Level (R TL) code and is isolated from the main circuit, it would not interact with any 3PIP . Therefore, any pre-silicon modifications, including all potential 3PIP attacks, made prior to the layout phase will not compromise the PSA. B. Case 2: Malicious F oundries When dealing with malicious foundries, the PSA itself may be modified. Howe ver , tampering with such a mixed digital and analog structure is challenging. The adversary must modify additional circuitry , increasing the attack’ s complexity , thus lowering the attack’ s success rate. Additionally , any modifications that disable the PSA will trigger alarms during the test phase, as the PSA will return testing values. Even if the attacker successfully completes the modifica- tions, designers can easily detect them by re verse-engineering the two topmost metal layers. They are typically the thickest metal layers and are relativ ely easy to be rev erse-engineered. Alternativ ely , designers can outsource the fabrication of the two topmost metal layers to other trusted foundries, a split- manufacturing method similar to those discussed in [12]. This provides an additional layer of security , making the PSA a robust defense against HT attacks. V . P S A I M P L E M E N TA T I O N O N A T E S T C H I P A. Inte grating PSA on AES-128 T est Chip T o assess the performance of PSA in both test and run- time phases we implemented and fabricated the PSA on the two top metal layers of an Advanced Encryption Standard (AES128) encryption design using TSMC65nm technology . 1 4 3 2 0 5 PS A _ c o n tr o l 6 7 8 9 10 11 12 13 14 15 T1 T3 T4 T2 A E S _ c o r e U A R T_ FI F O S e n so r 4+ S e n so r 4- S e n so r 3+ S e n so r 3- S e n so r 2+ S e n so r 2- S e n so r 1+ S e n so r 1- VD D V S S U A R T_ i n U A R T_ o u t PS A _ sel [3:0] VD D e n _ T2 i n v _ o u t l o ad _ o u t e n _ T3 d y _ o u t e n _ T4 V S S e n _ T1 am _ o u t CLK r s t _ n e n _ U A R T e n _ LF S R D r d y 1 sen so r E M Pr o b e 1mm 1mm Zoom-in View of Each Small Square in the left figure Fig. 2: Sensor deployment, IO pin assignment, and Amoeba module view on the AES128 test chip. The proposed PSA was situated on layers Metal 7 and Metal 8 of the chip, covering the entire chip. It is a lattice including 36 horizontal wires, 36 vertical wires, and 1296 switches. The lattice wire measures 16 µ m in length and 1 µ m in width. Frequency sweeping is used to determine the optimal length and width that maximize the signal magnitude in the desired frequency range of 10MHz-100MHz. For this test chip, the entire area was uniformly divided into 16 square sensing areas or sensors. Each sensor shares 33% of its area with adjacent sensors to ensure adequate circuitry sampling near the borders between any two sensors. Main Circuit The underlying main circuit is an AES-128- LUT core, integrated with an RS232 U AR T communication module [13]. The clock frequency was set to 33MHz. The layout of the routing wires of the test chip, along with the indices of the PSA sensors, is illustrated in Figure 2. HT Design The design incorporates four distinct HTs, mod- ified from Trust-Hub [14] [15]. T1 is an amplitude modulation radio carrier T rojan capable of emitting an electromagnetic (EM) wa ve at a frequency of 750KHz. T2 is a chain of in verters connected to a key wire to amplify its leakage current. If T2 is implanted, attackers could recover the key via po wer analysis. T3 is a Code Division Multiple Access (CDMA) channel Trojan designed to leak the key , and T4 is a simple denial-of-service Trojan that elev ates po wer consump- tion, potentially causing the IC to overheat. The four Trojans employ digital standard cells and each has unique triggering conditions. The 4 HT’ s locations are sho wn in the Amoeba view in Figure 2. IO Pin Assignment The test chip uses a QFN 6mm x 6mm package and has 8 IO pins on each side. The IO pins’ names are shown in Figure 2. The PSA uses the 8 IO pins on the right side. 2 IO pins are needed to measure the induced differential output voltage of one sensor , so we ha ve 4 output channels, from sensor1+/- to sensor4+/-. The 4 sensors on each row use the channel on the same row . For example, sensor 0,1,5,6 in the figure uses sensor1 channel. The PSA control signals use 4 of 8 IO pins on the bottom side. They were decoded into T A B L E I I : T R OJA N G A T E S C O U N T A N D P E R C E N T AG E Circuit Overall T1 T2 T3 T4 Standard Cell Number 28806 1881 2132 329 2181 Percentage 100 6.52 7.40 1.14 7.57 gate signals for T -gates with the fully combinational decoder in the figure. HT T riggering Condition T1 is acti vated periodically when a counter reaches 21’h1F FFFF under the 33MHz clock. T2 is triggered when the first four bytes of the plaintext are 16’hAAAA. T3 and T4 are the always-on HTs, and we added external enable signals as triggers in e xperiments. The gate number counts and area ratios of these four HTs are shown in T able II. W e assess the performance of the PSA in detecting and locating HTs by activ ating and deactiv ating sensors during the ex ecution of AES encryption. As depicted in Figure 2, the green box represents the area of a 6-turn-coil sensor , where most HT circuits are implemented. The orange arcs represent the size of a circle-shape external EM probe. The main circuit primarily falls under sensors 2, 3, 4, 7, 8, 9, 10, 11, and 14. Of these sensors, sensor 10 offers the most coverage of both T rojan payloads and triggers. B. T -gate Design and PSA Implementation Cost Due to the absence of the T -gates that fulfill our require- ments in the standard cell library , we designed our own customized T -gates, which are illustrated within a 3.2µm x 4µm customized cell layout in Figure 1c. A single finger of the NMOS and PMOS devices in the design exhibit an aspect ratio of 500nm/60nm and 610nm/60nm respectiv ely to hav e a similar current conducting capability . For enhanced performance, each of these MOSFETs incorporates 10 fingers. T o ensure a lo w turn-on resistance, the layout features two PMOS and two NMOS de vices, effecti vely creating a pair of T -gates connected in parallel. As a result, this T -gate configuration achiev es a resistance of approximately 34 Ohms. For po wer overhead, the dynamic power consumption of PSA sensors is negligible and lar gely contributed by the leakage power from the transistors. Therefore, PSA ’ s impact on the ov erall power profile is minimal. For area and resource allocation, the T -gates used in PSA account for an additional 5% of the total chip area, with the PSA located on metal layers M7 and M8. Despite this, the design effecti vely preserves routing capacity by aligning PSA wires parallel to main circuit wires, reducing top-layer routing capacity by just 6.25%. In contrast to Jiaji’ s single-coil structure [1], which utilizes 100% of the top layer’ s routing capacity , PSA proves to be more efficient. V I . E V A L UAT I O N O N T E S T C H I P A. T est and Data Collection Platform Setup The test chip was mounted on a PCB board with voltage- lev el shifters and open-loop OP-AMPs. The output of each output channel of the PSA is amplified by a THS4504D Fig. 3: Spectrum magnitude comparison between those from the PSA and an external EM probe. OP-AMP with 50dB DC gain and 200MHz UGB, aligning well with our target frequenc y range from DC to 120MHz. A 33MHz crystal oscillator is used to generate the clock signal. The e v aluation is conducted while the test chip e xecutes AES-128 encryption. It recei ves plaintext from and sends ciphertext to a laptop through serial communications. During this operation, an oscilloscope or a spectrum analyzer triggered by the rising edge of the clock signal captures the amplified PSA output and generates the related frequency spectrum for further analysis. Additionally , we use the zero-span mode of the spectrum analyzer to measure the time-domain signal of the PSA ’ s output at a desired single frequency . For run-time deployment, a system integrated on the PCB board can replace the oscilloscopes, spectrum analyzers, and computers to measure and analyze side-channel data. B. Signal-to-Noise Ratio (SNR) Measur ement T o demonstrate the improv ed measurement quality offered by the PSA sensor array , we conducted SNR measurements and compared the results with those from an external Langer- EMV LF1 probe. W e employ He’ s SNR measurement ap- proach as detailed in [1]. Noise traces are first collected from the powered-up chip without an y encryption acti vity . Signal traces are then gathered while the chip performs AES encryp- tion. The SNR is calculated based on the root mean square (RMS) voltage ratio of these two data sets, as demonstrated in Equation (1). S N R = 20 log  V r ms sig nal V r ms noise  (1) The SNR of the PSA is 41.0 dB, surpassing both the e xternal probe’ s 14.3 dB and the single-coil on-chip sensor’ s 30.5 dB as reported in [1]. In Figure 3, the green spectrum represents the difference in dB between the spectra from the sensor array and the external probe, demonstrating that the spectrum from the PSA can be up to 55 dB higher than that from an external EM probe. Overall, the proposed PSA structure offers significantly superior SNR results in comparison to either external probes or single-coil on-chip sensors. The best state-of-the-art external probe is the ICR HH100-6 set with a diameter of 100 µ m manufactured by the Langer EMV -T echnik. Based on the manufacturers documents, the SNR of ICR probe is approximately 34dB below 120 MHz, so the best probe is still worse than our proposed PSA. C. PSA P erformance under Differ ent Supply V olta ges and Differ ent Ambient T emperatur es W e hav e conducted comprehensi ve e valuations of PSA ’ s performance under v arying operational conditions to confirm its suitability for runtime deployment across a wide range of applications. W e performed simulations and experiments at different supply voltages, spanning from 0.8V to 1.2V , which cov ers the voltage supply voltage range for TSMC 65nm chips. Additionally , we carried out simulations under different ambient temperatures, ranging from − 40 ◦ C to 125 ◦ C . 1) V olta ge: Theoretically , a supply v oltage increase results in a reduction of the turn-on resistance of T -gates. In the V ir- tuoso simulation, there was only a 4dB drop in the impedance of a single PSA sensor when the v oltage supply was raised from 0.8V to 1.2V . W e also made an experiment to measure the current response of the PSA by adding a 70mV frequency sweeping chirp signal to one sensor of the PSA and varying the supply voltage from 0.8V to 1.25V . The current does not change significantly , which agrees with the simulation results. 2) T emperatur e: Theoretically , an ambient temperature change only slightly affects the impedance of the PSA. Our simulations demonstrate that the impedance remains relatively stable, fluctuating within a range of 4dB. D. Runtime Cr oss-Domain Analysis For each of the 16 sensors, EM traces are recorded under fiv e scenarios: when HTs T1, T2, T3, and T4 are indi vidually activ ated and in the absence of any acti ve HT . F or always-on HTs, we use external enable signals to activ ate them. Each trace spans a frequency band from DC to 120MHz, populated with 2000 sample points. W e a veraged five collected traces to deriv e the spectrum shown in Figure 4. Notably , when examining the output from Sensor 10, as shown in Figure 4a, 4b, 4c, and 4d, two prominent frequency components at 48MHz and 84MHz, the sideband frequency components of the 1st and 3rd order clock harmonics, sho w up in the spectrum when HTs are activ e. W e also record the traces from Sensor 0 as sho wn in Figure 4e, where no HTs are implemented beneath the sensor . There is hardly any spectrum difference that can distinguish HT’ s activities. This result further prov es that our proposed PSA has the high spatial resolution needed to locate HTs. In the experiments, we only need fewer than ten traces collected to detect a HT , resulting in less than 10 ms MTTD, a significant improv ement over one single on-chip coil. After identifying prominent frequency components related to HT’ s activities, we further switch back to the time domain by employing the zero-span mode of the spectrum analyzer to examine the time-domain waveforms of the two frequency components. Zero-span mode allo ws us to analyze the pattern of a time-domain signal at a desired fixed frequency . The time- domain wav eforms at 48MHz when T1, T2, T3 and T4 are activ e are sho wn in Figure 5a, 5b, 5c, and 5d. It is sho wn that e ven if different Trojans leaked their information at the same frequency , the difference in their time-domain signals at 48MHz can still clearly differentiate dif ferent T rojans. This T1 Spectrum Orange Circles indicate HT activation 1e8 (a) T1 activ e, Sensor 10 T2 Spectrum 1e8 (b) T2 activ e, Sensor 10 T3 Spectrum 1e8 (c) T3 activ e, Sensor 10 1e8 T4 Spectrum (d) T4 activ e, Sensor 10 T1 Spectrum (Sensor 0) 1e8 (e) T1 activ e, Sensor 0 Fig. 4: Frequency response captured by sensors 10 and 0 for different HTs: red and blue colors represent the Trojan activ e and inactive cases, respectiv ely . is because dif ferent HTs result in dif ferent modulation pat- terns for clock frequency , and the information on modulation patterns is included in the time-domain wa veforms of the side band frequency components. Therefore, by identifying the unique patterns in the time-domain signals, we can suc- cessfully classify all 4 HTs without full supervision. (a) T1 activ e (b) T2 activ e (c) T3 activ e (d) T4 activ e Fig. 5: Time-domain signals of the identified prominent frequency components collected from the PSA sensor 10 were reco vered with zero-span mode to dif ferentiate different HTs successfully . V I I . C O N C L U S I O N In this paper , we proposed an integrated on-chip EM sensor array , PSA, that can be programmed to change its shape, size, and location. The PSA was implemented and tested in a 65nm technology node. The proposed PSA has a lower overhead than existing state-of-the-art on-chip coil sensor designs with much higher SNR and the capability of locating HTs. Furthermore, the MTTD during the runtime verification has been significantly reduced to less than 10 ms. The proposed cross-domain analysis can identify prominent frequency components that include the acti vity information of different T rojans in the frequency domain and differentiate different T rojans by examining the time-domain signals of these prominent frequency components by switching to the time domain. V I I I . A C K N O L E D G E M E N T This work was supported by the Office of Na val Research under A ward Number N00014-19-1-2405. R E F E R E N C E S [1] J. He, X. Guo, H. Ma, Y . Liu, Y . Zhao, and Y . Jin, “Runtime trust ev aluation and hardware trojan detection using on-chip em sensors, ” in 2020 57th ACM/IEEE Design Automation Conference (DA C) , 2020, pp. 1–6. [2] R. S. Chakraborty , F . W olff, S. Paul, C. Papachristou, and S. Bhunia, “Mero: A statistical approach for hardware trojan detection, ” in Interna- tional W orkshop on Cryptogr aphic Har dwar e and Embedded Systems . Springer , 2009, pp. 396–410. [3] Y . Huang, S. Bhunia, and P . Mishra, “Mers: statistical test generation for side-channel analysis based trojan detection, ” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security , 2016, pp. 130–141. [4] D. Forte, C. Bao, and A. Srivasta va, “T emperature tracking: An in- nov ative run-time approach for hardware trojan detection, ” in 2013 IEEE/ACM International Confer ence on Computer-Aided Design (IC- CAD) , 2013, pp. 532–539. [5] Y . Bai, A. Stern, J. Park, M. T ehranipoor, and D. Forte, “Rascv2: Enabling remote access to side-channels for mission critical and iot sys- tems, ” A CM T ransactions on Design Automation of Electr onic Systems (TOD AES) , vol. 27, no. 6, pp. 1–25, 2022. [6] Y . Bai, J. Park, M. T ehranipoor , and D. Forte, “Real-time instruction- lev el verification of remote iot/cps devices via side channels, ” Discover Internet of Things , vol. 2, no. 1, p. 1, 2022. [7] J. He, Y . Zhao, X. Guo, and Y . Jin, “Hardware trojan detection through chip-free electromagnetic side-channel statistical analysis, ” IEEE T rans- actions on V ery Larg e Scale Inte gration (VLSI) Systems , vol. 25, no. 10, pp. 2939–2948, 2017. [8] S. Faezi, R. Y asaei, and M. A. Al Faruque, “Htnet: Transfer learning for golden chip-free hardware trojan detection, ” in 2021 Design, Automation & T est in Eur ope Confer ence & Exhibition (D A TE) , 2021, pp. 1484– 1489. [9] L. N. Nguyen, B. B. Y ilmaz, M. Prvulovic, and A. Zajic, “ A novel golden-chip-free clustering technique using backscattering side channel for hardware trojan detection, ” in 2020 IEEE International Symposium on Har dware Oriented Security and T rust (HOST) , 2020, pp. 1–12. [10] D. Fujimoto, M. Nagata, S. Bhasin, and J.-L. Danger , “ A novel methodology for testing hardware security and trust exploiting on-chip power noise measurement, ” in The 20th Asia and South P acific Design Automation Conference , 2015, pp. 749–754. [11] D. Fujimoto, N. Miura, M. Nagata, Y . Hayashi, N. Homma, Y . Hori, T . Katashita, K. Sakiyama, T .-H. Le, J. Bringer, P . Bazargan-Sabet, and J.-L. Danger, “On-chip power noise measurements of cryptographic vlsi circuits and interpretation for side-channel analysis, ” in 2013 Interna- tional Symposium on Electr omagnetic Compatibility , 2013, pp. 405–410. [12] J. Rajendran, O. Sinanoglu, and R. Karri, “Is split manufacturing secure?” in 2013 Design, Automation & T est in Eur ope Conference & Exhibition (D ATE) , 2013, pp. 1259–1264. [13] S. Morioka and A. Satoh, “ An optimized s-box circuit architecture for low power aes design, ” in International W orkshop on Cryptogr aphic Har dware and Embedded Systems . Springer , 2002, pp. 172–186. [14] B. Shakya, T . He, H. Salmani, D. Forte, S. Bhunia, and M. T ehranipoor , “Benchmarking of hardware trojans and maliciously affected circuits, ” Journal of Har dwar e and Systems Security , v ol. 1, no. 1, pp. 85–102, 2017. [15] H. Salmani, M. T ehranipoor , and R. Karri, “On design vulnerability analysis and trust benchmarks development, ” in 2013 IEEE 31st Inter- national Confer ence on Computer Design (ICCD) , 2013, pp. 471–474.