to traditional digital hardware Trojans, the analog trigger
maintains a high level of stealth and controllability, while
dramatically reducing the impact on area, power, and timing due to the attack. An added benefit of a fabrication-time
attack compared to a design-time attack (when digital-only
triggers tend to get added) is that it has to pass through fewer
3.1. Single stage trigger circuit
Based on our threat model, the high-level design objectives
of our analog trigger circuit are as follows:
1. Functionality: The trigger circuit must be able to detect toggling events of a target victim wire, similar to a digital counter, and the trigger circuit should be able to reset itself if the trigger sequence is not completed in a
2. Small area: The trigger circuit should be small enough to be inserted into the empty space of an arbitrary finished chip layout. A small area overhead also implies a better chance to escape detection.
3. Low power: The trigger circuit is constantly monitoring the victim signals, therefore its power consumption must be minimized to hide within the normal fluctuations of the entire chip’s power consumption.
4. Negligible timing perturbation: The added trigger circuit must not affect the timing constraints for normal operation, and its timing perturbations should not be easily separable from the noise common to path delays.
5. Standard cell compatibility: Since all digital designs are based on standard cells with fixed cell height, the analog trigger circuit must fit into the height and only use the lowest metal layer for routing.[a] These requirements are important for insertion into an existing chip layout and make the trojan more difficult to detect in
To achieve these design objectives, we propose an attack
based on charge accumulation inside capacitors. A capacitor performs analog integration of charge from a victim wire
while at the same time being able to reset itself through
leakage current. A behavior model of capacitor-based trigger circuits comprises charge accumulation and leakage as
shown in Figure 2.
Every time the victim wire that feeds the trigger circuit’s
capacitor toggles, the capacitor increases in voltage by some
ΔV. After a number of toggles, the capacitor’s voltage exceeds
a predefined threshold voltage and enables the trigger’s
output—deploying the attack payload. The time it takes to
activate the trigger is defined as the trigger time (Figure 2).
On the other hand, leakage current exists all the time
and it dumps charge from the trigger circuit’s capacitor.
The attacker can design the capacitor’s leakage to be weaker
than its accumulation when the trigger input is active. On
the other hand, when the trigger input is inactive, leakage
gradually reduces the capacitor’s voltage, eventually disabling
an already activated trigger. This mechanism ensures
that the attack is not expressed when no intentional attack
happens. The time it takes to reset the trigger output after the
trigger input stops is defined as the retention time.
Because of leakage, a minimum toggling frequency must
be reached to successfully trigger the attack. At the minimum frequency, charge added in each cycle equals charge
leaked away. Trigger time and retention time are the two main
design metrics in the analog trigger circuits that we can
make use of to create flexible trigger conditions and more
complicated trigger patterns as discussed in Section 3.2.
A stricter triggering condition (i.e., faster toggling rate and
more toggling cycles) reduces the probability of a false trigger during normal operation or testing, but non-idealities
in circuits and process, temperature and voltage variations
can cause the attack to fail—impossible to trigger or trivial
to accidentally trigger—for some chips. As a result, a trade-off should be made between a reliable attack that can be
expressed in every chip and a more stealthy attack that can
only be triggered for certain chips under certain conditions.
The conventional current-based charge pump is not suitable for the attack due to area and power constraints. A new
charge pump circuit based on charge sharing is specifically
designed for the attack purpose as shown in Figure 3. During
the negative phase of Clk, Cunit is charged to VDD. Then, during the positive phase of Clk, the two capacitors are shorted
together, causing the two capacitors to share charge. After
charge sharing, the final voltage of the two capacitors is the
same and the ΔV on Cmain is

$$\Delta V = \frac{C_{unit} \times (V_{DD} - V_0)}{C_{unit} + C_{main}}$$

where V0 is the initial voltage on Cmain before the transition
happens. We can achieve different trigger times by sizing the
two capacitors. The capacitor keeps leaking over time and
finally ΔV equals the voltage drop due to leakage, which sets
the maximum capacitor voltage.
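The behavior model (charge accumulation per toggle, leakage between toggles, trigger time, retention time, minimum toggling frequency) and the charge-sharing ΔV formula above can be made concrete with a small simulation. The following Python script is an added example, not code from the paper; the capacitor ratio, threshold, supply voltage and the exponential leakage model with time constant TAU_LEAK are constructed assumptions chosen only to illustrate the two design metrics.

```python
import math

# Constructed example parameters (assumptions for illustration, not values from the paper).
VDD = 1.0        # supply voltage [V]
C_UNIT = 1.0     # charge-sharing unit capacitor, relative units
C_MAIN = 20.0    # main accumulation capacitor, relative units
V_TH = 0.5       # trigger threshold voltage [V]
TAU_LEAK = 1e-6  # leakage modelled as RC decay with this time constant [s] (assumption)

def delta_v(v0, vdd=VDD, c_unit=C_UNIT, c_main=C_MAIN):
    """Voltage step on Cmain from one charge-sharing event: Cunit*(VDD-V0)/(Cunit+Cmain)."""
    return c_unit * (vdd - v0) / (c_unit + c_main)

def leak(v, dt, tau=TAU_LEAK):
    """Voltage left on Cmain after dt seconds of leakage (exponential decay)."""
    return v * math.exp(-dt / tau)

def simulate(period, n_toggles, v_th=V_TH, tau=TAU_LEAK):
    """Toggle the victim wire every `period` seconds, n_toggles times, starting at t=0.
    Returns the trigger time (first instant V >= v_th, else None), the toggle count at that
    instant, the final voltage, and the retention time: how long after the last toggle the
    output stays asserted (0 if it never asserted)."""
    v, t, trigger_time, trigger_toggles = 0.0, 0.0, None, None
    for k in range(n_toggles):
        if k:                                  # leak during the cycle before this edge
            v, t = leak(v, period, tau), t + period
        v += delta_v(v)                        # charge sharing on the toggle edge
        if trigger_time is None and v >= v_th:
            trigger_time, trigger_toggles = t, k + 1
    retention_time = tau * math.log(v / v_th) if v > v_th else 0.0
    return {"trigger_time": trigger_time, "trigger_toggles": trigger_toggles,
            "v_final": v, "retention_time": retention_time}

def min_toggle_frequency(v_th=V_TH, tau=TAU_LEAK, vdd=VDD, c_unit=C_UNIT, c_main=C_MAIN):
    """Lowest toggle rate whose steady-state peak voltage reaches v_th. At that rate the
    charge one toggle adds (delta_v evaluated after the leak, at e*v_th) equals the charge
    leaked in one period, v_th*(1-e), with e = exp(-period/tau). Solving for e:
    e = (v_th - s*vdd) / (v_th*(1-s)), s = Cunit/(Cunit+Cmain)."""
    s = c_unit / (c_unit + c_main)
    e = (v_th - s * vdd) / (v_th * (1.0 - s))
    if e <= 0.0:
        return 0.0                             # a single toggle already exceeds v_th
    return 1.0 / (-tau * math.log(e))

if __name__ == "__main__":
    r = simulate(10e-9, 16)
    print(f"100 MHz: asserted after {r['trigger_toggles']} toggles at {r['trigger_time']*1e9:.0f} ns")
    print(f"retention {r['retention_time']*1e9:.1f} ns, f_min {min_toggle_frequency()/1e6:.2f} MHz")
    print("10 MHz toggling ever asserts:", simulate(100e-9, 1000)["trigger_time"] is not None)
```

With these assumed values, toggling below the minimum frequency never asserts the output no matter how many toggles arrive, which is the leakage-driven reset the text describes.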
A transistor-level schematic of the proposed analog trigger is shown in Figure 4. Cunit and Cmain are implemented

[a] Several layers of metal wires are used in modern CMOS technologies to
connect cells together; lower-level metal wires are closer to the transistors at the
bottom for short interconnections, while higher metal layers are used for

Figure 2. Behavior model of proposed analog trigger circuit.