Hardware Trojan Threats
- Hardware Trojan threats are deliberate, unauthorized modifications to integrated circuits that embed stealth triggers and concealed payloads.
- They utilize advanced insertion methods such as ML-guided synthesis and LLM-driven design to evade conventional verification techniques.
- Detection strategies employ AI-driven side-channel analytics, structural graph learning, and formal verification to mitigate security risks.
Hardware Trojans constitute a broad class of malicious modifications deliberately introduced into IC designs. They represent a primary threat vector in both digital and mixed-signal systems, especially under the contemporary IC supply chain paradigm that leverages untrusted third-party IP, external EDA tools, and offshore fabrication. Hardware Trojans remain dormant under normal operational and test conditions, activating only on rare or engineered events, and can deliver payloads ranging from information leakage and denial-of-service to software subversion and cryptographic key extraction. The expanding space of Trojan threats is driven by advances in automated insertion techniques, hardware obfuscation, and adversarial ML, while the detection and prevention landscape reflects a combination of side-channel analytics, structural graph learning, formal verification, and system-level redundancy.
1. Taxonomy and Threat Models
Hardware Trojans are defined as any unauthorized modification to a trusted hardware design that adds unwanted or malicious functionality. The canonical decomposition is trigger and payload: the trigger monitors for specific conditions or event sequences—typically engineered to evade conventional verification, ATPG, and side-channel screening—while the payload performs the malicious action once activated (e.g., exfiltration, fault injection, privilege escalation) (Cruz et al., 2022).
Key adversarial models include:
- Design-time insertion: The adversary leverages access at RTL or netlist granularity, often via malicious third-party IP (3P-IP), a tool vendor, or an untrusted contractor.
- Fabrication-stage insertion: A foundry insider modifies the GDSII/layout, exploiting filler cells, unused routing, or analog effects to add minimal-footprint Trojans (Trippel et al., 2019; Moschos et al., 2024).
- Field-time/in-field modification: Particularly relevant for FPGAs, where the bitstream can be overwritten or manipulated post-deployment (Ender et al., 2019).
Specialized threat classes include side-channel–resilient Trojans that conceal their activation in power, EM, or timing signatures (Luft et al., 2020, Omidi et al., 2024), and software-interfaced threats (HeisenTrojans) that weaponize bugs in EDA tools to hijack the tool host itself rather than modifying the design (Mavurapu et al., 2023).
2. Techniques for Trojan Insertion and Evasion
The insertion landscape spans manual netlist-level attacks and fully automated ML- or LLM-guided methods.
- Machine Learning–Guided Insertion (MIMIC): The MIMIC framework models known Trojan features as a multi-dimensional space—including signal probability, toggle rate, controllability/observability, structural locality—and then learns a generative model (Bayesian GMM) to synthesize and bind new “virtual Trojans” optimized for stealth (e.g., low activation probability, high structural concealment) (Cruz et al., 2022). Validation leverages randomized forests for trigger/payload identification, ATPG/formal pruning for trigger feasibility, and feature-matching for optimality.
- LLM-Driven Insertion (SENTAUR): SENTAUR leverages a pre-trained LLM (GPT-4) to produce synthesizable Verilog/VHDL implementing trigger and payload modules, guided by natural-language specifications of the intended trigger and payload behaviors (Bhandari et al., 2024). The flow integrates LLM prompt engineering, iterative synthesis sanitization, and formal simulation to ensure practical synthesizability, correctness, and stealth parity with hand-crafted Trojans.
- Analog, Frequency-Modulated, and Side-Channel Evasive Trojans: Frequency-modulated Trojans utilize free-running shift registers to encode trigger and payload bits as periodic toggling at distinct frequencies, ensuring every net is always toggling at normal activity rates. Dynamic and leakage power are concealed by dual-rail and replicated logic, masking all data-dependent power signatures and making unused-circuit-identification and side-channel detection ineffective (Luft et al., 2020). Adversarial power-trace Trojans inject noise synchronized with activation windows to thwart ML-based side-channel detectors, using minimal hardware (single transistor or small bank of oscillators/DSPs) (Omidi et al., 2024).
- Interrupt-Resilient Trojans in CPUs: Interrupt-resilient Trojans (IRTs) embed multi-bit, context-switch–aware triggers in datapaths that remain primed or latched across arbitrary operating-system or hardware interrupts. This ensures payload delivery (e.g., MMU exception suppression) even under heavy OS-induced context switching. The physical overhead is measured at 20 ps of delay, and the Trojans are undetectable by rare-net, side-channel, or functional scan (Moschos et al., 2024).
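The signal-probability feature and the rare-net screening mentioned in the items above can be made concrete from the reviewer's side. The following is an added example, not code from any of the cited frameworks: the netlist, net names, and the 0.01 threshold are constructed for illustration, and gate inputs are assumed independent (reconvergent fanout is ignored).

```python
import math

# Constructed gate-level netlist (not from the page): net -> (gate, input nets),
# listed in topological order. Primary inputs are assumed independent with P(1)=0.5.
PRIMARY_INPUTS = [f"a{i}" for i in range(8)] + ["en", "d"]
NETLIST = {
    "n1": ("AND", ["a0", "a1", "a2", "a3"]),
    "n2": ("AND", ["a4", "a5", "a6", "a7"]),
    "n3": ("AND", ["n1", "n2"]),   # 8-input compare: rarely 1
    "n4": ("OR",  ["en", "d"]),
    "n5": ("XOR", ["d", "n3"]),    # data path conditioned on the rare net
    "n6": ("NOT", ["n4"]),
}

def signal_probabilities(netlist, inputs, p_in=0.5):
    """Propagate P(net = 1) through the netlist under the independence assumption."""
    p = {name: p_in for name in inputs}
    for net, (gate, ins) in netlist.items():
        vals = [p[i] for i in ins]
        if gate == "AND":
            p[net] = math.prod(vals)
        elif gate == "OR":
            p[net] = 1 - math.prod(1 - v for v in vals)
        elif gate == "NOT":
            p[net] = 1 - vals[0]
        elif gate == "XOR":
            a, b = vals
            p[net] = a * (1 - b) + b * (1 - a)
        else:
            raise ValueError(f"unsupported gate type: {gate}")
    return p

def rare_nets(probs, threshold=0.01):
    """Nets whose rarer logic value occurs with probability below the threshold."""
    return {n: min(pr, 1 - pr) for n, pr in probs.items()
            if min(pr, 1 - pr) < threshold}

def random_vectors_needed(p, confidence=0.99):
    """Random patterns needed to exercise a probability-p condition at least once."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - p))

if __name__ == "__main__":
    probs = signal_probabilities(NETLIST, PRIMARY_INPUTS)
    for net, p_rare in rare_nets(probs).items():
        print(f"{net}: P(rare value)={p_rare:.6f}, "
              f"~{random_vectors_needed(p_rare)} random vectors for 99% coverage")
```

An empty result is not evidence of a clean design: as described above for frequency-modulated Trojans, a circuit whose nets all toggle at normal activity rates produces no rare nets for this screen to flag.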
3. Detection and Prevention Methodologies
Recent approaches range from non-invasive, golden-free, and explainable structural analytics to in-depth failure analysis and formal verification.
- AI-Driven Side-Channel Methods: Machine-learning classifiers using dual-domain power-trace features (e.g., mean, RMS, entropy, spectral centroid, bandwidth, contrast, THD) achieve high detection performance for high-signal Trojans (AUC >99%), but only moderate accuracy for stealthy Trojans (AUC 70–80%) (Puspa et al., 2024). Adaptive attackers can defeat such classifiers with adversarial