Description
The rising costs of chip fabrication and increasing design complexity has led to the fabless manufacturing model, where a design house typically sources pre-designed and pre-verified hardware IPs from different vendors including third party IP’s (3PIP’s), integrates them into a system-on-chip (SoC), and outsource the final layout to an off-shore foundry (untrusted) for fabrication. Although this trend has been beneficial in reducing cost and time of production, it has resulted in a plethora of security issues. One of such issues is overproduction of IC’s by untrusted off-shore foundry. Any adversary at the foundry with access to the final GDSII file of the IC design can overproduce the design or sell it to a third party. To overcome this issue, several locking and camouflaging tools such as SURF, SWEEP, LEGO, SAIL, NEOS, NETA, and ObfusGEM have been developed.
Related Tools
- Functional Corruptibility-Guided SAT-Based Attack on Sequential Logic Encryption
- Faciometric Hardware Security Tool
- KHC-Stego Tool: Key-Triggered Hash-Chaining Driven Steganography Tool
- Crypto-Steganography Tool
- ObfusGEM
- SWEEP
- LeGO
- SURF: Structural Functional Attack on Logic Locking
- SAIL: Machine Learning Guided Structural Analysis Attack on Hardware Obfuscation
- NEOS: Netlist Encryption and Obfuscation Suite
- NETA: Netlist Analysis Toolset
Publications
Sengupta, Anirban
Cryptography driven IP steganography for DSP Hardware Accelerators Book Forthcoming
Forthcoming, ISBN: 978-1-83953-306-8.
@book{Sengupta2021Cryptography,
title = {Cryptography driven IP steganography for DSP Hardware Accelerators},
author = {Anirban Sengupta},
isbn = {978-1-83953-306-8},
year = {2021},
date = {2021-01-01},
keywords = {},
pubstate = {forthcoming},
tppubtype = {book}
}
Sengupta, Anirban
Key-triggered Hash-chaining based Encoded Hardware Steganography for Securing DSP Hardware Accelerators Book Forthcoming
Forthcoming, ISBN: 978-1-83953-306-8.
@book{Sengupta2021Key-triggered,
title = {Key-triggered Hash-chaining based Encoded Hardware Steganography for Securing DSP Hardware Accelerators},
author = {Anirban Sengupta},
isbn = {978-1-83953-306-8},
year = {2021},
date = {2021-01-01},
keywords = {},
pubstate = {forthcoming},
tppubtype = {book}
}
Rathor, Mahendra; Sengupta, Anirban
IP Core Steganography Using Switch Based Key-Driven Hash-Chaining and Encoding for Securing DSP Kernels Used in CE Systems Journal Article
In: IEEE Transactions on Consumer Electronics, vol. 66, no. 3, pp. 251-260, 2020, ISSN: 1558-4127.
@article{9129810,
title = {IP Core Steganography Using Switch Based Key-Driven Hash-Chaining and Encoding for Securing DSP Kernels Used in CE Systems},
author = {Mahendra Rathor and Anirban Sengupta},
doi = {10.1109/TCE.2020.3006050},
issn = {1558-4127},
year = {2020},
date = {2020-08-01},
journal = {IEEE Transactions on Consumer Electronics},
volume = {66},
number = {3},
pages = {251-260},
abstract = {Intellectual property (IP) core of digital signal processing (DSP) kernels act as hardware accelerators in consumer electronics (CE) systems. However due to rising threats of cloning and counterfeiting to an IP core, security remains an important subject of research for these hardware accelerators. This paper presents a novel key-driven hash-chaining based hardware steganography for securing such IP cores used in CE systems. The proposed approach is capable to implant secret invisible stego-marks in design using hash-chaining process that incorporates switches, strong large stego-keys, multiple encoding algorithms and hash blocks. The methodology proposed provides massive security against IP cloning and counterfeiting while incurring nominal design overhead (<; 0.3 %). The results of the proposed approach on comparison with state of the art indicated significantly stronger digital evidence (lower probability of co-incidence), stronger key size (in bits) and lower design cost using proposed stego-marks. Further, from an attacker's perspective, the proposed steganography increases an attacker's effort manifold during decoding the valid stego-key value (for generating/extracting original secret stego-mark), compared to existing approaches.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Intellectual property (IP) core of digital signal processing (DSP) kernels act as hardware accelerators in consumer electronics (CE) systems. However due to rising threats of cloning and counterfeiting to an IP core, security remains an important subject of research for these hardware accelerators. This paper presents a novel key-driven hash-chaining based hardware steganography for securing such IP cores used in CE systems. The proposed approach is capable to implant secret invisible stego-marks in design using hash-chaining process that incorporates switches, strong large stego-keys, multiple encoding algorithms and hash blocks. The methodology proposed provides massive security against IP cloning and counterfeiting while incurring nominal design overhead (<; 0.3 %). The results of the proposed approach on comparison with state of the art indicated significantly stronger digital evidence (lower probability of co-incidence), stronger key size (in bits) and lower design cost using proposed stego-marks. Further, from an attacker's perspective, the proposed steganography increases an attacker's effort manifold during decoding the valid stego-key value (for generating/extracting original secret stego-mark), compared to existing approaches.
Zuzak, Michael; Srivastava, Ankur
ObfusGEM: Enhancing Processor Design Obfuscation Through Security-Aware On-Chip Memory and Data Path Design Proceedings Article
In: International Symposium on Memory Systems (MEMSYS), 2020.
@inproceedings{Zuzak2020,
title = {ObfusGEM: Enhancing Processor Design Obfuscation Through Security-Aware On-Chip Memory and Data Path Design},
author = {Michael Zuzak and Ankur Srivastava},
year = {2020},
date = {2020-01-01},
booktitle = {International Symposium on Memory Systems (MEMSYS)},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Sengupta, Anirban; Rathor, Mahendra
Structural Obfuscation and Crypto-Steganography-Based Secured JPEG Compression Hardware for Medical Imaging Systems Journal Article
In: IEEE Access, vol. 8, pp. 6543-6565, 2020, ISSN: 2169-3536.
@article{Sengupta2020Structural,
title = {Structural Obfuscation and Crypto-Steganography-Based Secured JPEG Compression Hardware for Medical Imaging Systems},
author = {Anirban Sengupta and Mahendra Rathor},
doi = {10.1109/ACCESS.2019.2963711},
issn = {2169-3536},
year = {2020},
date = {2020-01-01},
journal = {IEEE Access},
volume = {8},
pages = {6543-6565},
abstract = {In modern healthcare technology involving diagnosis through medical imaging systems, compression and data transmission play a pivotal role. Medical imaging systems play an indispensable role in several medical applications where camera/scanners generate compressed images about a patient's internal organ and may further transmit it over the internet for remote diagnosis. However, tampered or corrupted compressed medical images may result in wrong diagnosis of diseases leading to fatal consequences. This paper aims to secure the underlying JPEG compression processor used in medical imaging systems that generates the compressed medical images for diagnosis. The proposed work targets to secure the JPEG compression processor against well-acknowledged threats such as counterfeiting/cloning and Trojan insertion using double line of defense through integration of robust structural obfuscation and hardware steganography. The second line of defense incorporates stego-key based hardware steganography that augments the following: non-linear bit manipulation using S-box (confusion property), diffusion property, alphabetic encryption, alphabet substitution, byte concatenation mode, bit-encoding (converting into stego-constraints) and embedding constraints. The results of the proposed approach achieve robust security in terms of significant strength of obfuscation, strong stego-key size (775 bits for JPEG compression processor and 610 bits for JPEG DCT core) and probability of coincidence of 9.89e-8, at nominal design cost.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
In modern healthcare technology involving diagnosis through medical imaging systems, compression and data transmission play a pivotal role. Medical imaging systems play an indispensable role in several medical applications where camera/scanners generate compressed images about a patient's internal organ and may further transmit it over the internet for remote diagnosis. However, tampered or corrupted compressed medical images may result in wrong diagnosis of diseases leading to fatal consequences. This paper aims to secure the underlying JPEG compression processor used in medical imaging systems that generates the compressed medical images for diagnosis. The proposed work targets to secure the JPEG compression processor against well-acknowledged threats such as counterfeiting/cloning and Trojan insertion using double line of defense through integration of robust structural obfuscation and hardware steganography. The second line of defense incorporates stego-key based hardware steganography that augments the following: non-linear bit manipulation using S-box (confusion property), diffusion property, alphabetic encryption, alphabet substitution, byte concatenation mode, bit-encoding (converting into stego-constraints) and embedding constraints. The results of the proposed approach achieve robust security in terms of significant strength of obfuscation, strong stego-key size (775 bits for JPEG compression processor and 610 bits for JPEG DCT core) and probability of coincidence of 9.89e-8, at nominal design cost.
Rathor, Mahendra; Sengupta, Anirban
Design Flow of Secured N-Point DFT Application Specific Processor Using Obfuscation and Steganography Journal Article
In: IEEE Letters of the Computer Society, vol. 3, no. 1, pp. 13-16, 2020, ISSN: 2573-9689.
@article{Rathor2020Design,
title = {Design Flow of Secured N-Point DFT Application Specific Processor Using Obfuscation and Steganography},
author = {Mahendra Rathor and Anirban Sengupta},
doi = {10.1109/LOCS.2020.2973586},
issn = {2573-9689},
year = {2020},
date = {2020-01-01},
journal = {IEEE Letters of the Computer Society},
volume = {3},
number = {1},
pages = {13-16},
abstract = {An N-point Discrete Fourier Transform (DFT) has wide application such as speech signal amplitude/phase/frequency spectrum analysis and solving complex numerical problems etc. However a N-point DFT Application Specific Processor (ASP) can be prone to several hardware threats such as reverse engineering, counterfeiting, cloning and fraudulent ownership. This letter proposes a novel design flow of secured N-point DFT application specific processor using high-level transformation based structural obfuscation and crypto-steganography. The proposed design methodology integrates both obfuscation and steganography to yield a robust secured N-point DFT application specific processor design that is capable of achieving 75.28 percent obfuscation at gate-level structure and 99.5 percent enhanced in security w.r.t key-size than recent hardware steganography approach.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
An N-point Discrete Fourier Transform (DFT) has wide application such as speech signal amplitude/phase/frequency spectrum analysis and solving complex numerical problems etc. However a N-point DFT Application Specific Processor (ASP) can be prone to several hardware threats such as reverse engineering, counterfeiting, cloning and fraudulent ownership. This letter proposes a novel design flow of secured N-point DFT application specific processor using high-level transformation based structural obfuscation and crypto-steganography. The proposed design methodology integrates both obfuscation and steganography to yield a robust secured N-point DFT application specific processor design that is capable of achieving 75.28 percent obfuscation at gate-level structure and 99.5 percent enhanced in security w.r.t key-size than recent hardware steganography approach.
Alaql, Abdulrahman; Forte, Domenic; Bhunia, Swarup
Sweep to the Secret: A Constant Propagation Attack on Logic Locking Proceedings Article
In: 2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), pp. 1-6, 2019.
@inproceedings{9006720,
title = {Sweep to the Secret: A Constant Propagation Attack on Logic Locking},
author = {Abdulrahman Alaql and Domenic Forte and Swarup Bhunia},
url = {https://ieeexplore.ieee.org/document/9006720},
doi = {10.1109/AsianHOST47458.2019.9006720},
year = {2019},
date = {2019-12-01},
booktitle = {2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)},
pages = {1-6},
abstract = {The development of hardware intellectual properties (IPs) has faced many challenges due to malicious modifications and piracy. One potential solution to protect IPs against these attacks is to perform a key-based logic locking process that disables the functionality and corrupts the output of the IP when the incorrect key value is applied. However, many attacks on logic locking have been introduced to break the locking mechanism and obtain the key. In this paper, we present SWEEP, a constant propagation attack that exploits the change in characteristics of the IP when a single key-bit value is hard-coded. The attack process starts with analyzing design features that are generated from the synthesis tool and establishes a correlation between these features and the correct key values. In order to perform the attack, the logic locking tool needs to be available. The level of accuracy of the extracted key mainly depends on the type of logic locking approach used to obfuscate the IP. Our attack was applied to ISCAS85, and MCNC benchmarks obfuscated using various logic locking techniques and has obtained an average accuracy of 92.09%.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
The development of hardware intellectual properties (IPs) has faced many challenges due to malicious modifications and piracy. One potential solution to protect IPs against these attacks is to perform a key-based logic locking process that disables the functionality and corrupts the output of the IP when the incorrect key value is applied. However, many attacks on logic locking have been introduced to break the locking mechanism and obtain the key. In this paper, we present SWEEP, a constant propagation attack that exploits the change in characteristics of the IP when a single key-bit value is hard-coded. The attack process starts with analyzing design features that are generated from the synthesis tool and establishes a correlation between these features and the correct key values. In order to perform the attack, the logic locking tool needs to be available. The level of accuracy of the extracted key mainly depends on the type of logic locking approach used to obfuscate the IP. Our attack was applied to ISCAS85, and MCNC benchmarks obfuscated using various logic locking techniques and has obtained an average accuracy of 92.09%.
Sengupta, Anirban; Rathor, Mahendra
Crypto-Based Dual-Phase Hardware Steganography for Securing IP cores Journal Article
In: IEEE Letters of the Computer Society, vol. 2, no. 4, pp. 32-35, 2019, ISSN: 2573-9689.
@article{Sengupta2019Crypto,
title = {Crypto-Based Dual-Phase Hardware Steganography for Securing IP cores},
author = {Anirban Sengupta and Mahendra Rathor},
doi = {10.1109/LOCS.2019.2942289},
issn = {2573-9689},
year = {2019},
date = {2019-12-01},
journal = {IEEE Letters of the Computer Society},
volume = {2},
number = {4},
pages = {32-35},
abstract = {In an untrustworthy foundry, an intellectual property (IP) core is susceptible to piracy. Moreover, an adversary can deceitfully claim the ownership of a pirated IP core. In such cases of ownership conflict, the true ownership of an IP core should be provable. This letter presents a novel approach of securing IP cores against piracy/ false claim of ownership using crypto-based dual phase hardware steganography. By detecting the embedded robust stego-mark in the design, the ownership can be awarded to the genuine IP owner. The paper presents a novel security algorithm that leverages crypto-modules and security properties to generate stego-constraints and embeds them into a hardware IP design during two distinct phases of behavioural synthesis. Because of using large size stego-keys and embedding steganography at two distinct phases, the proposed approach achieves robust security and high reliability than existing recent approaches.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
In an untrustworthy foundry, an intellectual property (IP) core is susceptible to piracy. Moreover, an adversary can deceitfully claim the ownership of a pirated IP core. In such cases of ownership conflict, the true ownership of an IP core should be provable. This letter presents a novel approach of securing IP cores against piracy/ false claim of ownership using crypto-based dual phase hardware steganography. By detecting the embedded robust stego-mark in the design, the ownership can be awarded to the genuine IP owner. The paper presents a novel security algorithm that leverages crypto-modules and security properties to generate stego-constraints and embeds them into a hardware IP design during two distinct phases of behavioural synthesis. Because of using large size stego-keys and embedding steganography at two distinct phases, the proposed approach achieves robust security and high reliability than existing recent approaches.
Shamsi, Kaveh; Pan, David Z.; Jin, Yier
IcySAT: Improved SAT-based Attacks on Cyclic Locked Circuits Proceedings Article
In: 2019 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), pp. 1-7, IEEE, 2019.
@inproceedings{Shamsi2019c,
title = {IcySAT: Improved SAT-based Attacks on Cyclic Locked Circuits},
author = {Kaveh Shamsi and David Z. Pan and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/IcySAT.pdf},
doi = {10.1109/ICCAD45719.2019.8942049},
year = {2019},
date = {2019-11-05},
booktitle = {2019 IEEE/ACM International Conference on Computer-Aided Design (ICCAD)},
pages = {1-7},
publisher = {IEEE},
abstract = {“Cyclic” circuit locking/camouflaging is a recently proposed direction in logic obfuscation for thwarting foundry and end-user reverse engineering. As opposed to traditional schemes, these techniques create cycles in the obfuscated circuit in a way that confuses the attacker but does not disrupt the combinational nature of the circuit. While these schemes can thwart the baseline SAT-based attack, the CycSAT attack was proposed recently to break these schemes through a preprocessing step that builds a Boolean condition to avoid cyclic solutions/keys during the attack. However, follow-up work has suggested that extracting these conditions requires enumerating all cycles in the circuit, or that instead of relying on these conditions preemptively, cyclic solutions must be banned individually on the fly. In this paper, we present new algorithms for performing SAT-based attacks on cyclic circuits. We first propose an algorithm that can produce non-cyclic conditions in polynomial time with respect to the size of the circuit, avoiding the potentially exponential runtime of explicit key-banning or cycle enumeration. We then take a deeper look at the problem, discussing some of the fundamental limitations of extracting precise non-cyclic conditions and propose a more complex but complete procedure for cyclic deobfuscation. We evaluate our attacks on densely cyclic obfuscated benchmark circuits.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
“Cyclic” circuit locking/camouflaging is a recently proposed direction in logic obfuscation for thwarting foundry and end-user reverse engineering. As opposed to traditional schemes, these techniques create cycles in the obfuscated circuit in a way that confuses the attacker but does not disrupt the combinational nature of the circuit. While these schemes can thwart the baseline SAT-based attack, the CycSAT attack was proposed recently to break these schemes through a preprocessing step that builds a Boolean condition to avoid cyclic solutions/keys during the attack. However, follow-up work has suggested that extracting these conditions requires enumerating all cycles in the circuit, or that instead of relying on these conditions preemptively, cyclic solutions must be banned individually on the fly. In this paper, we present new algorithms for performing SAT-based attacks on cyclic circuits. We first propose an algorithm that can produce non-cyclic conditions in polynomial time with respect to the size of the circuit, avoiding the potentially exponential runtime of explicit key-banning or cycle enumeration. We then take a deeper look at the problem, discussing some of the fundamental limitations of extracting precise non-cyclic conditions and propose a more complex but complete procedure for cyclic deobfuscation. We evaluate our attacks on densely cyclic obfuscated benchmark circuits.
Sengupta, Anirban; Rathor, Mahendra
IP Core Steganography for Protecting DSP Kernels Used in CE Systems Journal Article
In: IEEE Transactions on Consumer Electronics, vol. 65, no. 4, pp. 506-515, 2019, ISSN: 1558-4127.
@article{8854311,
title = {IP Core Steganography for Protecting DSP Kernels Used in CE Systems},
author = {Anirban Sengupta and Mahendra Rathor},
doi = {10.1109/TCE.2019.2944882},
issn = {1558-4127},
year = {2019},
date = {2019-11-01},
journal = {IEEE Transactions on Consumer Electronics},
volume = {65},
number = {4},
pages = {506-515},
abstract = {Intellectual Property (IP) core protection of Digital Signal Processing (DSP) kernels is an important subject of research for Consumer Electronics (CE) systems. An IP core may be prone to piracy, forgery and counterfeiting. The need of the hour is developing effective technique that is robust and incurs low overhead to detect IP core infringement. This paper presents a novel `IP core steganography' methodology for DSP kernels that is capable of detecting IP piracy. The proposed methodology is capable of implanting concealed information into the existing IP core design of DSP datapath without using any external signature, to reflect the IP core ownership. The presented `IP core steganography' methodology is non-intuitive in nature indicating that the intended secret information does not attract attention to itself from an adversary's perspective. The implanted information incurs almost no design overhead and yields lower design cost than signature-based IP core protection techniques. Further, in the presented approach the amount of concealed information embedded is fully designer controlled through a `thresholding' parameter, unlike signature-based techniques where signature pattern impacts the robustness and overhead. Results of proposed approach yielded lower cost and stronger proof of authorship compared to a signature-based approach.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Intellectual Property (IP) core protection of Digital Signal Processing (DSP) kernels is an important subject of research for Consumer Electronics (CE) systems. An IP core may be prone to piracy, forgery and counterfeiting. The need of the hour is developing effective technique that is robust and incurs low overhead to detect IP core infringement. This paper presents a novel `IP core steganography' methodology for DSP kernels that is capable of detecting IP piracy. The proposed methodology is capable of implanting concealed information into the existing IP core design of DSP datapath without using any external signature, to reflect the IP core ownership. The presented `IP core steganography' methodology is non-intuitive in nature indicating that the intended secret information does not attract attention to itself from an adversary's perspective. The implanted information incurs almost no design overhead and yields lower design cost than signature-based IP core protection techniques. Further, in the presented approach the amount of concealed information embedded is fully designer controlled through a `thresholding' parameter, unlike signature-based techniques where signature pattern impacts the robustness and overhead. Results of proposed approach yielded lower cost and stronger proof of authorship compared to a signature-based approach.
Shamsi, Kaveh; Li, Meng; Plaks, Kenneth; Fazzari, Saverio; Pan, David Z.; Jin, Yier
IP Protection and Supply Chain Security through Logic Obfuscation: A Systematic Overview Journal Article
In: ACM Transactions on Design Automation of Electronic Systems (TODAES), vol. 24, no. 6, pp. 1-36, 2019.
@article{Shamsi2019d,
title = {IP Protection and Supply Chain Security through Logic Obfuscation: A Systematic Overview},
author = {Kaveh Shamsi and Meng Li and Kenneth Plaks and Saverio Fazzari and David Z. Pan and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/kaveh2019ip.pdf},
doi = {10.1145/3342099},
year = {2019},
date = {2019-09-01},
journal = {ACM Transactions on Design Automation of Electronic Systems (TODAES)},
volume = {24},
number = {6},
pages = {1-36},
abstract = {The globalization of the semiconductor supply chain introduces ever-increasing security and privacy risks. Two major concerns are IP theft through reverse engineering and malicious modification of the design. The latter concern in part relies on successful reverse engineering of the design as well. IC camouflaging and logic locking are two of the techniques under research that can thwart reverse engineering by end-users or foundries. However, developing low overhead locking/camouflaging schemes that can resist the ever-evolving state-of-the-art attacks has been a challenge for several years. This article provides a comprehensive review of the state of the art with respect to locking/camouflaging techniques. We start by defining a systematic threat model for these techniques and discuss how various real-world scenarios relate to each threat model. We then discuss the evolution of generic algorithmic attacks under each threat model eventually leading to the strongest existing attacks. The article then systematizes defenses and along the way discusses attacks that are more specific to certain kinds of locking/camouflaging. The article then concludes by discussing open problems and future directions.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The globalization of the semiconductor supply chain introduces ever-increasing security and privacy risks. Two major concerns are IP theft through reverse engineering and malicious modification of the design. The latter concern in part relies on successful reverse engineering of the design as well. IC camouflaging and logic locking are two of the techniques under research that can thwart reverse engineering by end-users or foundries. However, developing low overhead locking/camouflaging schemes that can resist the ever-evolving state-of-the-art attacks has been a challenge for several years. This article provides a comprehensive review of the state of the art with respect to locking/camouflaging techniques. We start by defining a systematic threat model for these techniques and discuss how various real-world scenarios relate to each threat model. We then discuss the evolution of generic algorithmic attacks under each threat model eventually leading to the strongest existing attacks. The article then systematizes defenses and along the way discusses attacks that are more specific to certain kinds of locking/camouflaging. The article then concludes by discussing open problems and future directions.
Li, Meng; Shamsi, Kaveh; Meade, Travis; Zhao, Zheng; Yu, Bei; Jin, Yier; Pan, David Z.
Provably Secure Camouflaging Strategy for IC Protection Journal Article
In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 38, no. 8, pp. 1399-1412, 2019.
@article{Li2019,
title = {Provably Secure Camouflaging Strategy for IC Protection},
author = {Meng Li and Kaveh Shamsi and Travis Meade and Zheng Zhao and Bei Yu and Yier Jin and David Z. Pan },
url = {http://cadforassurance.org/wp-content/uploads/li2019provably.pdf},
doi = {10.1109/TCAD.2017.2750088},
year = {2019},
date = {2019-08-03},
booktitle = {Provably Secure Camouflaging Strategy for IC Protection},
journal = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
volume = {38},
number = {8},
pages = {1399-1412},
abstract = {The advancing of reverse engineering techniques has complicated the efforts in intellectual property protection. Proactive methods have been developed recently, among which layout-level integrated circuit camouflaging is the leading example. However, existing camouflaging methods are rarely supported by provably secure criteria, which further leads to an over-estimation of the security level when countering the latest de-camouflaging attacks, e.g., the SAT-based attack. In this paper, a quantitative security criterion is proposed for de-camouflaging complexity measurements and formally analyzed through the demonstration of the equivalence between the existing de-camouflaging strategy and the active learning scheme. Supported by the new security criterion, two camouflaging techniques are proposed, including the low-overhead camouflaging cell generation strategy and the AND-tree camouflaging strategy, to help achieve exponentially increasing security levels at the cost of linearly increasing performance overhead on the circuit under protection. A provably secure camouflaging framework is then developed combining these two techniques. The experimental results using the security criterion show that camouflaged circuits with the proposed framework are of high resilience against different attack schemes with an only negligible performance overhead.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The advancing of reverse engineering techniques has complicated the efforts in intellectual property protection. Proactive methods have been developed recently, among which layout-level integrated circuit camouflaging is the leading example. However, existing camouflaging methods are rarely supported by provably secure criteria, which further leads to an over-estimation of the security level when countering the latest de-camouflaging attacks, e.g., the SAT-based attack. In this paper, a quantitative security criterion is proposed for de-camouflaging complexity measurements and formally analyzed through the demonstration of the equivalence between the existing de-camouflaging strategy and the active learning scheme. Supported by the new security criterion, two camouflaging techniques are proposed, including the low-overhead camouflaging cell generation strategy and the AND-tree camouflaging strategy, to help achieve exponentially increasing security levels at the cost of linearly increasing performance overhead on the circuit under protection. A provably secure camouflaging framework is then developed combining these two techniques. The experimental results using the security criterion show that camouflaged circuits with the proposed framework are of high resilience against different attack schemes with an only negligible performance overhead.
Shamsi, Kaveh; Pan, David Z.; Jin, Yier
On the Impossibility of Approximation-Resilient Circuit Locking Proceedings Article
In: 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 161-170, 2019.
@inproceedings{Shamsi2019b,
title = {On the Impossibility of Approximation-Resilient Circuit Locking},
author = {Kaveh Shamsi and David Z. Pan and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/kaveh2019on.pdf},
doi = {10.1109/HST.2019.8741035},
year = {2019},
date = {2019-05-06},
booktitle = {2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)},
journal = {2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)},
pages = {161-170},
abstract = {Logic locking, and Integrated Circuit (IC) Camouflaging, are techniques that try to hide the design of an IC from a malicious foundry or end-user by introducing ambiguity into the netlist of the circuit. While over the past decade an array of such techniques have been proposed, their security has been constantly challenged by algorithmic attacks. This may in part be due to a lack of formally defined notions of security in the first place, and hence a lack of security guarantees based on long-standing hardness assumptions. In this paper, we take a formal approach. We define the problem of circuit locking (cL) as transforming an original circuit to a locked one which is “unintelligible” without a secret key (this can model camouflaging and split-manufacturing in addition to logic locking). We define several notions of security for cL under different adversary models. Using long-standing results from computational learning theory we show the impossibility of exponentially approximation-resilient locking in the presence of an oracle for large classes of Boolean circuits. We then show how exact-recovery-resiliency and a more relaxed notion of security that we coin “best-possible” approximation-resiliency can be provably guaranteed with polynomial overhead. Our theoretical analysis directly results in stronger attacks and defenses which we demonstrate through experimental results on benchmark circuits.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Logic locking, and Integrated Circuit (IC) Camouflaging, are techniques that try to hide the design of an IC from a malicious foundry or end-user by introducing ambiguity into the netlist of the circuit. While over the past decade an array of such techniques have been proposed, their security has been constantly challenged by algorithmic attacks. This may in part be due to a lack of formally defined notions of security in the first place, and hence a lack of security guarantees based on long-standing hardness assumptions. In this paper, we take a formal approach. We define the problem of circuit locking (cL) as transforming an original circuit to a locked one which is “unintelligible” without a secret key (this can model camouflaging and split-manufacturing in addition to logic locking). We define several notions of security for cL under different adversary models. Using long-standing results from computational learning theory we show the impossibility of exponentially approximation-resilient locking in the presence of an oracle for large classes of Boolean circuits. We then show how exact-recovery-resiliency and a more relaxed notion of security that we coin “best-possible” approximation-resiliency can be provably guaranteed with polynomial overhead. Our theoretical analysis directly results in stronger attacks and defenses which we demonstrate through experimental results on benchmark circuits.
Chakraborty, Prabuddha; Cruz, Jonathan; Bhunia, Swarup
SURF: Joint Structural Functional Attack on Logic Locking Proceedings Article
In: 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 181-190, 2019.
@inproceedings{8741028,
title = {SURF: Joint Structural Functional Attack on Logic Locking},
author = {Prabuddha Chakraborty and Jonathan Cruz and Swarup Bhunia},
doi = {10.1109/HST.2019.8741028},
year = {2019},
date = {2019-05-01},
booktitle = {2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)},
pages = {181-190},
abstract = {To help protect hardware Intellectual Property (IP) blocks against piracy and reverse engineering, researchers have proposed various obfuscation techniques that aim at hiding design intent and making black-box usage difficult. A dominant form of obfuscation, referred to as logic locking, relies on the insertion of key gates (e.g., XOR/XNOR) at strategic locations in a design followed by logic synthesis. Recently, it has been shown that such an approach leaves predictable structural signatures, which make them susceptible to machine learning (ML) based structural attacks. These attacks are shown to deobfuscate a design by learning the deterministic nature of transformations incorporated by commercial synthesis tools. They are attractive for unraveling the design intent. However, they may not be able to provide a working design. In this paper, we introduce a novel attack on obfuscation techniques, called Structural Functional (SURF) attack, which, for the first time to our knowledge, accomplishes key extraction through scalable functional analysis while leveraging the output of structural attacks. We have developed complete flow and an automatic tool for the attack, which shows promising results. We are able to retrieve, on average, ~90% keybits for obfuscated ISCAS-85 benchmarks (100% in several cases) with > 98% output accuracy. We observe that SURF attack, unlike any known attack, can enable both discovering design intent as well as black-box usage. It is effective for all major variants of logic locking, scalable to large designs, and unlike SAT based attacks, is effective for all design types (e.g., multipliers, where SAT based attacks typically fail).},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
To help protect hardware Intellectual Property (IP) blocks against piracy and reverse engineering, researchers have proposed various obfuscation techniques that aim at hiding design intent and making black-box usage difficult. A dominant form of obfuscation, referred to as logic locking, relies on the insertion of key gates (e.g., XOR/XNOR) at strategic locations in a design followed by logic synthesis. Recently, it has been shown that such an approach leaves predictable structural signatures, which make them susceptible to machine learning (ML) based structural attacks. These attacks are shown to deobfuscate a design by learning the deterministic nature of transformations incorporated by commercial synthesis tools. They are attractive for unraveling the design intent. However, they may not be able to provide a working design. In this paper, we introduce a novel attack on obfuscation techniques, called Structural Functional (SURF) attack, which, for the first time to our knowledge, accomplishes key extraction through scalable functional analysis while leveraging the output of structural attacks. We have developed complete flow and an automatic tool for the attack, which shows promising results. We are able to retrieve, on average, ~90% keybits for obfuscated ISCAS-85 benchmarks (100% in several cases) with > 98% output accuracy. We observe that SURF attack, unlike any known attack, can enable both discovering design intent as well as black-box usage. It is effective for all major variants of logic locking, scalable to large designs, and unlike SAT based attacks, is effective for all design types (e.g., multipliers, where SAT based attacks typically fail).
Shamsi, Kaveh; Meade, Travis; Li, Meng; Pan, David Z.; Jin, Yier
On the Approximation Resiliency of Logic Locking and IC Camouflaging Schemes Journal Article
In: IEEE Transactions on Information Forensics and Security (TIFS), vol. 14, no. 2, pp. 347-359, 2019.
@article{Shamsi2019cb,
title = {On the Approximation Resiliency of Logic Locking and IC Camouflaging Schemes},
author = {Kaveh Shamsi and Travis Meade and Meng Li and David Z. Pan and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/kaveh2019onappro.pdf},
doi = {10.1109/TIFS.2018.2850319},
year = {2019},
date = {2019-02-01},
journal = {IEEE Transactions on Information Forensics and Security (TIFS)},
volume = {14},
number = {2},
pages = {347-359},
abstract = {The SAT-based attacks are extremely successful in deobfuscating the traditional combinational logic locking and IC camouflaging schemes. While several SAT-resilient protection schemes that increase the minimum query count of the attack have been proposed recently, none of them satisfy the output corruptibility (error) criteria. Therefore, most of them were combined with high corruptibility schemes to achieve both corruptibility and high query count. These “compound” schemes are successful since existing SAT attacks are agnostic to the corruptibility of the protection scheme. In this paper, we propose an approximate SAT-based attack framework that focuses on the iterative convergence of an attack toward a better solution. This helps our attack reduce a compound scheme to a standalone SAT-resilient scheme. In addition, we relate the problem of minimum query count to a well-known graph problem, and we propose a novel technique to increase the corruptibility of SAT-resilient protection schemes in a controllable manner. This creates protection schemes that have both high query count and corruptibility. Furthermore, due to the approximation resiliency property of these schemes, approximate attacks provide no advantage over exact attacks when attacking them.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
The SAT-based attacks are extremely successful in deobfuscating the traditional combinational logic locking and IC camouflaging schemes. While several SAT-resilient protection schemes that increase the minimum query count of the attack have been proposed recently, none of them satisfy the output corruptibility (error) criteria. Therefore, most of them were combined with high corruptibility schemes to achieve both corruptibility and high query count. These “compound” schemes are successful since existing SAT attacks are agnostic to the corruptibility of the protection scheme. In this paper, we propose an approximate SAT-based attack framework that focuses on the iterative convergence of an attack toward a better solution. This helps our attack reduce a compound scheme to a standalone SAT-resilient scheme. In addition, we relate the problem of minimum query count to a well-known graph problem, and we propose a novel technique to increase the corruptibility of SAT-resilient protection schemes in a controllable manner. This creates protection schemes that have both high query count and corruptibility. Furthermore, due to the approximation resiliency property of these schemes, approximate attacks provide no advantage over exact attacks when attacking them.
Meade, Travis; Portillo, Jason; Zhang, Shaojie; Jin, Yier
NETA: When IP Fails, Secrets Leak Proceedings Article
In: Proceedings of the 24th Asia and South Pacific Design Automation Conference, pp. 90–95, Association for Computing Machinery, Tokyo, Japan, 2019, ISBN: 9781450360074.
@inproceedings{10.1145/3287624.3288739,
title = {NETA: When IP Fails, Secrets Leak},
author = {Travis Meade and Jason Portillo and Shaojie Zhang and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/travis2019neta.pdf},
doi = {10.1145/3287624.3288739},
isbn = {9781450360074},
year = {2019},
date = {2019-01-01},
booktitle = {Proceedings of the 24th Asia and South Pacific Design Automation Conference},
pages = {90–95},
publisher = {Association for Computing Machinery},
address = {Tokyo, Japan},
series = {ASPDAC ’19},
abstract = {Assuring the quality and the trustworthiness of third party resources has been a hard problem to tackle. Researchers have shown that analyzing Integrated Circuits (IC), without the aid of golden models, is challenging. In this paper, we discuss a toolset, NETA, designed to aid IP users in assuring the confidentiality, integrity, and accessibility of their IC or third party IP core. The discussed toolset gives access to a slew of gate-level analysis tools, many of which are heuristic-based, for the purposes of extracting high-level circuit design information. NETA majorly comprises the following tools: RELIC, REBUS, REPCA, REFSM, and REPATH. The first step involved in netlist analysis falls to signal classification. RELIC uses a heuristic-based fan-in structure matcher to determine the uniqueness of each signal in the netlist. REBUS finds word-groups by leveraging the data bus in the netlist in conjunction with RELIC's signal comparison through heuristic verification of input structures. REPCA on the other hand tries to improve upon the standard brute force RELIC comparison by leveraging the data analysis technique of PCA and a sparse RELIC analysis on all signals. Given a netlist and a set of registers, REFSM reconstructs the logic which represents the behavior of a particular register set over the course of the operation of a given netlist. REFSM has been shown useful for examining register interaction at a higher level. REPATH, similar to REFSM, finds a series of input patterns that force a logical FSM to initialize with some reset state into a state specified by the user. Finally, REFSM 2 is introduced to utilizes linear time precomputation to improve the original REFSM.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Assuring the quality and the trustworthiness of third party resources has been a hard problem to tackle. Researchers have shown that analyzing Integrated Circuits (IC), without the aid of golden models, is challenging. In this paper, we discuss a toolset, NETA, designed to aid IP users in assuring the confidentiality, integrity, and accessibility of their IC or third party IP core. The discussed toolset gives access to a slew of gate-level analysis tools, many of which are heuristic-based, for the purposes of extracting high-level circuit design information. NETA majorly comprises the following tools: RELIC, REBUS, REPCA, REFSM, and REPATH. The first step involved in netlist analysis falls to signal classification. RELIC uses a heuristic-based fan-in structure matcher to determine the uniqueness of each signal in the netlist. REBUS finds word-groups by leveraging the data bus in the netlist in conjunction with RELIC's signal comparison through heuristic verification of input structures. REPCA on the other hand tries to improve upon the standard brute force RELIC comparison by leveraging the data analysis technique of PCA and a sparse RELIC analysis on all signals. Given a netlist and a set of registers, REFSM reconstructs the logic which represents the behavior of a particular register set over the course of the operation of a given netlist. REFSM has been shown useful for examining register interaction at a higher level. REPATH, similar to REFSM, finds a series of input patterns that force a logical FSM to initialize with some reset state into a state specified by the user. Finally, REFSM 2 is introduced to utilizes linear time precomputation to improve the original REFSM.
Chakraborty, Prabuddha; Cruz, Jonathan; Bhunia, Swarup
SAIL: Machine Learning Guided Structural Analysis Attack on Hardware Obfuscation Proceedings Article
In: 2018 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), pp. 56-61, 2018.
@inproceedings{8607163,
title = {SAIL: Machine Learning Guided Structural Analysis Attack on Hardware Obfuscation},
author = {Prabuddha Chakraborty and Jonathan Cruz and Swarup Bhunia},
doi = {10.1109/AsianHOST.2018.8607163},
year = {2018},
date = {2018-12-01},
booktitle = {2018 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)},
pages = {56-61},
abstract = {Obfuscation is a technique for protecting hardware intellectual property (IP) blocks against reverse engineering, piracy, and malicious modifications. Current obfuscation efforts mainly focus on functional locking of a design to prevent black-box usage. They do not directly address hiding design intent through structural transformations, which is an important objective of obfuscation. We note that current obfuscation techniques incorporate only: (1) local, and (2) predictable changes in circuit topology. In this paper, we present SAIL, a structural attack on obfuscation using machine learning (ML) models that exposes a critical vulnerability of these methods. Through this attack, we demonstrate that the gate-level structure of an obfuscated design can be retrieved in most parts through a systematic set of steps. The proposed attack is applicable to all forms of logic obfuscation, and significantly more powerful than existing attacks, e.g., SAT-based attacks, since it does not require the availability of golden functional responses (e.g., an unlocked IC). Evaluation on benchmark circuits show that we can recover an average of about 84% (up to 95%) transformations introduced by obfuscation. We also show that this attack is scalable, flexible, and versatile.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Obfuscation is a technique for protecting hardware intellectual property (IP) blocks against reverse engineering, piracy, and malicious modifications. Current obfuscation efforts mainly focus on functional locking of a design to prevent black-box usage. They do not directly address hiding design intent through structural transformations, which is an important objective of obfuscation. We note that current obfuscation techniques incorporate only: (1) local, and (2) predictable changes in circuit topology. In this paper, we present SAIL, a structural attack on obfuscation using machine learning (ML) models that exposes a critical vulnerability of these methods. Through this attack, we demonstrate that the gate-level structure of an obfuscated design can be retrieved in most parts through a systematic set of steps. The proposed attack is applicable to all forms of logic obfuscation, and significantly more powerful than existing attacks, e.g., SAT-based attacks, since it does not require the availability of golden functional responses (e.g., an unlocked IC). Evaluation on benchmark circuits show that we can recover an average of about 84% (up to 95%) transformations introduced by obfuscation. We also show that this attack is scalable, flexible, and versatile.
Meade, Travis; Shamsi, Kaveh; Le, Thao; Di, Jia; Zhang, Shaojie; Jin, Yier
The Old Frontier of Reverse Engineering: Netlist Partitioning Journal Article
In: Journal of Hardware and Systems Security, vol. 2, no. 3, pp. 201-213, 2018.
@article{Meade2018,
title = {The Old Frontier of Reverse Engineering: Netlist Partitioning},
author = {Travis Meade and Kaveh Shamsi and Thao Le and Jia Di and Shaojie Zhang and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/travis2018the.pdf},
doi = {10.1007/s41635-018-0043-4},
year = {2018},
date = {2018-09-10},
journal = {Journal of Hardware and Systems Security},
volume = {2},
number = {3},
pages = {201-213},
abstract = {Without access to high-level details of commercialized integrated circuits (IC), it might be impossible to find potential design flaws or limiting use cases. To assist in high-level recovery, many IC reverse engineering solutions have been proposed. This paper focuses on a hard problem facing reverse engineering researchers, that of netlist partitioning. To assist in this endeavor, we propose our own methods that focus on signal matching by analyzing fan-in trees. This analysis extends to representing signal’s fan-ins numerically by their structural properties. These values go through certain common dimension reducing algorithms; clustering practices are also leveraged to assist in our proposed partitioning process. Adversely researchers have almost never agreed on the metric for evaluating such netlist partitioning methods. To keep our results unbiased, we leverage the Normalize Mutual Information (NMI) to evaluate our proposed partitioning method and compare its results with other techniques that aim to solve the same problem. Lastly, we show how our proposed methods are capable of effectively partition netlists of a larger scale than previously proposed schemes.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Without access to high-level details of commercialized integrated circuits (IC), it might be impossible to find potential design flaws or limiting use cases. To assist in high-level recovery, many IC reverse engineering solutions have been proposed. This paper focuses on a hard problem facing reverse engineering researchers, that of netlist partitioning. To assist in this endeavor, we propose our own methods that focus on signal matching by analyzing fan-in trees. This analysis extends to representing signal’s fan-ins numerically by their structural properties. These values go through certain common dimension reducing algorithms; clustering practices are also leveraged to assist in our proposed partitioning process. Adversely researchers have almost never agreed on the metric for evaluating such netlist partitioning methods. To keep our results unbiased, we leverage the Normalize Mutual Information (NMI) to evaluate our proposed partitioning method and compare its results with other techniques that aim to solve the same problem. Lastly, we show how our proposed methods are capable of effectively partition netlists of a larger scale than previously proposed schemes.
Meade, Travis; Zhao, Zheng; Zhang, Shaojie; Pan, David Z.; Jin, Yier
Revisit Sequential Logic Obfuscation: Attacks and Defenses Proceedings Article
In: 2017 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1-4, IEEE, Baltimore, MD, USA , 2017.
@inproceedings{Meade2017,
title = {Revisit Sequential Logic Obfuscation: Attacks and Defenses},
author = {Travis Meade and Zheng Zhao and Shaojie Zhang and David Z. Pan and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/travis2017revisit.pdf},
doi = {10.1109/ISCAS.2017.8050606},
year = {2017},
date = {2017-05-28},
booktitle = {2017 IEEE International Symposium on Circuits and Systems (ISCAS)},
pages = {1-4},
publisher = {IEEE},
address = {Baltimore, MD, USA },
abstract = {The urgent requests to protection integrated circuits (IC) and hardware intellectual properties (IP) have led to the development of various logic obfuscation methods. While most existing solutions focus on the combinational logic or sequential logic with full scan-chains, in this paper, we will revisit the security of sequential logic obfuscation within circuits where full scan-chains are not available or accessible. We will first introduce attack methods to compromise obfuscated sequential circuits leveraging newly developed netlist analysis tools. We will then propose systematic solutions and provide guidelines in developing resilient sequential logic obfuscation schemes.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
The urgent requests to protection integrated circuits (IC) and hardware intellectual properties (IP) have led to the development of various logic obfuscation methods. While most existing solutions focus on the combinational logic or sequential logic with full scan-chains, in this paper, we will revisit the security of sequential logic obfuscation within circuits where full scan-chains are not available or accessible. We will first introduce attack methods to compromise obfuscated sequential circuits leveraging newly developed netlist analysis tools. We will then propose systematic solutions and provide guidelines in developing resilient sequential logic obfuscation schemes.
Meade, Travis; Jin, Yier; Tehranipoor, Mark; Zhang, Shaojie
Gate-Level Netlist Reverse Engineering for Hardware Security: Control Logic Register Identification Proceedings Article
In: 2016 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1334-1337, IEEE, Montreal, QC, Canada, 2016.
@inproceedings{Meade2016b,
title = {Gate-Level Netlist Reverse Engineering for Hardware Security: Control Logic Register Identification},
author = {Travis Meade and Yier Jin and Mark Tehranipoor and Shaojie Zhang},
url = {http://cadforassurance.org/wp-content/uploads/travis2016gate.pdf},
doi = {10.1109/ISCAS.2016.7527495},
year = {2016},
date = {2016-05-22},
booktitle = {2016 IEEE International Symposium on Circuits and Systems (ISCAS)},
pages = {1334-1337},
publisher = {IEEE},
address = {Montreal, QC, Canada},
abstract = {The heavy reliance on third-party resources, including third-party IP cores and fabrication foundries, has triggered the security concerns that design backdoors and/or hardware Trojans may be inserted into fabricated chips. While existing reverse engineering tools can help recover netlist from fabricated chips, there is a lack of efficient tools to further analyze the netlist for malicious logic detection and full functionality recovery. While it is relatively easy to identify the functional modules from the netlist using pattern matching methods, the main obstacle is to isolate control logic registers and reverse engineering the control logic. Upon this request, we proposed a topology-based computational method for register categorization. Through this proposed algorithm, we can differentiate data registers from control logic registers such that the control logic can be separated from the datapath. Experimental results showed that the suggested method was capable of identifying control logic registers in circuits with various complexities ranging from the RS232 core to the 8051 microprocessor.},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
The heavy reliance on third-party resources, including third-party IP cores and fabrication foundries, has triggered the security concerns that design backdoors and/or hardware Trojans may be inserted into fabricated chips. While existing reverse engineering tools can help recover netlist from fabricated chips, there is a lack of efficient tools to further analyze the netlist for malicious logic detection and full functionality recovery. While it is relatively easy to identify the functional modules from the netlist using pattern matching methods, the main obstacle is to isolate control logic registers and reverse engineering the control logic. Upon this request, we proposed a topology-based computational method for register categorization. Through this proposed algorithm, we can differentiate data registers from control logic registers such that the control logic can be separated from the datapath. Experimental results showed that the suggested method was capable of identifying control logic registers in circuits with various complexities ranging from the RS232 core to the 8051 microprocessor.
Meade, Travis; Zhang, Shaojie; Jin, Yier
Netlist Reverse Engineering for High-Level Functionality Reconstruction Proceedings Article
In: 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC), pp. 655-660, ASP-DAC IEEE, Macau, 2016, (Best Paper Award).
@inproceedings{Meade2016,
title = {Netlist Reverse Engineering for High-Level Functionality Reconstruction},
author = {Travis Meade and Shaojie Zhang and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/travis2016netlist.pdf},
doi = {10.1109/ASPDAC.2016.7428086},
year = {2016},
date = {2016-01-25},
booktitle = {2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC)},
pages = {655-660},
publisher = {IEEE},
address = {Macau},
organization = {ASP-DAC },
series = {ASP-DAC 16},
abstract = {In a modern IC design flow, from specification development to chip fabrication, various security threats are emergent. Of particular concern are modifications made to third-party IP cores and commercial off-the-shelf (COTS) chips where no golden models are available for comparisons. Toward this direction, we develop a tool, named Reverse Engineering Finite State Machine (REFSM), that helps end-users reconstruct a high-level description of the control logic from a flattened netlist. We demonstrate that REFSM effectively recovers circuit control logic from netlists with varying degrees of complexity. Experimental results also showed that the developed tool can easily identify malicious logic from a flattened (or even obfuscated) netlist. If combined with chip-level reverse engineering techniques, the developed REFSM tool can help detect the insertion of hardware Trojans in fabricated circuits.},
note = {Best Paper Award},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
In a modern IC design flow, from specification development to chip fabrication, various security threats are emergent. Of particular concern are modifications made to third-party IP cores and commercial off-the-shelf (COTS) chips where no golden models are available for comparisons. Toward this direction, we develop a tool, named Reverse Engineering Finite State Machine (REFSM), that helps end-users reconstruct a high-level description of the control logic from a flattened netlist. We demonstrate that REFSM effectively recovers circuit control logic from netlists with varying degrees of complexity. Experimental results also showed that the developed tool can easily identify malicious logic from a flattened (or even obfuscated) netlist. If combined with chip-level reverse engineering techniques, the developed REFSM tool can help detect the insertion of hardware Trojans in fabricated circuits.