2019
Shamsi, Kaveh; Pan, David Z.; Jin, Yier
IcySAT: Improved SAT-based Attacks on Cyclic Locked Circuits Proceedings Article
In: 2019 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), pp. 1-7, IEEE, 2019.
Tags: Evaluation of Obfuscation, Logic Locking
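% Attack paper (ICCAD 2019): SAT-based deobfuscation of cyclic logic locking.
% The abstract positions it as a follow-up to the CycSAT attack.
@inproceedings{Shamsi2019c,
  author     = {Shamsi, Kaveh and Pan, David Z. and Jin, Yier},
  title      = {{IcySAT}: Improved {SAT}-based Attacks on Cyclic Locked Circuits},
  booktitle  = {2019 IEEE/ACM International Conference on Computer-Aided Design (ICCAD)},
  pages      = {1--7},
  publisher  = {IEEE},
  year       = {2019},
  date       = {2019-11-05},
  doi        = {10.1109/ICCAD45719.2019.8942049},
  url        = {http://cadforassurance.org/wp-content/uploads/IcySAT.pdf},
  abstract   = {“Cyclic” circuit locking/camouflaging is a recently proposed direction in logic obfuscation for thwarting foundry and end-user reverse engineering. As opposed to traditional schemes, these techniques create cycles in the obfuscated circuit in a way that confuses the attacker but does not disrupt the combinational nature of the circuit. While these schemes can thwart the baseline SAT-based attack, the CycSAT attack was proposed recently to break these schemes through a preprocessing step that builds a Boolean condition to avoid cyclic solutions/keys during the attack. However, follow-up work has suggested that extracting these conditions requires enumerating all cycles in the circuit, or that instead of relying on these conditions preemptively, cyclic solutions must be banned individually on the fly. In this paper, we present new algorithms for performing SAT-based attacks on cyclic circuits. We first propose an algorithm that can produce non-cyclic conditions in polynomial time with respect to the size of the circuit, avoiding the potentially exponential runtime of explicit key-banning or cycle enumeration. We then take a deeper look at the problem, discussing some of the fundamental limitations of extracting precise non-cyclic conditions and propose a more complex but complete procedure for cyclic deobfuscation. We evaluate our attacks on densely cyclic obfuscated benchmark circuits.},
  keywords   = {Evaluation of Obfuscation, Logic Locking},
  pubstate   = {published},
  tppubtype  = {inproceedings},
}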
Shamsi, Kaveh; Pan, David Z.; Jin, Yier
On the Impossibility of Approximation-Resilient Circuit Locking Proceedings Article
In: 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 161-170, 2019.
Tags: Evaluation of Obfuscation, Logic Locking
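% Theory paper (HOST 2019): formal security notions for circuit locking, with an
% impossibility result for approximation-resilient locking when an oracle is available.
@inproceedings{Shamsi2019b,
  author     = {Shamsi, Kaveh and Pan, David Z. and Jin, Yier},
  title      = {On the Impossibility of Approximation-Resilient Circuit Locking},
  booktitle  = {2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)},
  pages      = {161--170},
  year       = {2019},
  date       = {2019-05-06},
  doi        = {10.1109/HST.2019.8741035},
  url        = {http://cadforassurance.org/wp-content/uploads/kaveh2019on.pdf},
  abstract   = {Logic locking, and Integrated Circuit (IC) Camouflaging, are techniques that try to hide the design of an IC from a malicious foundry or end-user by introducing ambiguity into the netlist of the circuit. While over the past decade an array of such techniques have been proposed, their security has been constantly challenged by algorithmic attacks. This may in part be due to a lack of formally defined notions of security in the first place, and hence a lack of security guarantees based on long-standing hardness assumptions. In this paper, we take a formal approach. We define the problem of circuit locking (cL) as transforming an original circuit to a locked one which is “unintelligible” without a secret key (this can model camouflaging and split-manufacturing in addition to logic locking). We define several notions of security for cL under different adversary models. Using long-standing results from computational learning theory we show the impossibility of exponentially approximation-resilient locking in the presence of an oracle for large classes of Boolean circuits. We then show how exact-recovery-resiliency and a more relaxed notion of security that we coin “best-possible” approximation-resiliency can be provably guaranteed with polynomial overhead. Our theoretical analysis directly results in stronger attacks and defenses which we demonstrate through experimental results on benchmark circuits.},
  keywords   = {Evaluation of Obfuscation, Logic Locking},
  pubstate   = {published},
  tppubtype  = {inproceedings},
}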
2017
Shamsi, Kaveh; Li, Meng; Meade, Travis; Zhao, Zheng; Pan, David Z.; Jin, Yier
AppSAT: Approximately deobfuscating integrated circuits Proceedings Article
In: 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 95–100, IEEE 2017.
Tags: Logic Locking, Obfuscation
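% Attack paper (HOST 2017): AppSAT, approximate deobfuscation that combines the
% SAT attack with random testing.
% NOTE(review): the accuracy expression after "with an accuracy of" is missing from
% this copy of the abstract; confirm it against the published version (see doi).
@inproceedings{shamsi2017appsat,
  author       = {Shamsi, Kaveh and Li, Meng and Meade, Travis and Zhao, Zheng and Pan, David Z. and Jin, Yier},
  title        = {{AppSAT}: Approximately deobfuscating integrated circuits},
  booktitle    = {2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)},
  pages        = {95--100},
  organization = {IEEE},
  year         = {2017},
  date         = {2017-05-01},
  doi          = {10.1109/HST.2017.7951805},
  abstract     = {In today's diversified semiconductor supply-chain, protecting intellectual property (IP) and maintaining manufacturing integrity are important concerns. Circuit obfuscation techniques such as logic encryption and IC camouflaging can potentially defend against a majority of supply-chain threats such as stealthy malicious design modification, IP theft, overproduction, and cloning. Recently, a Boolean Satisfiability (SAT) based attack, namely the SAT attack has been able to deobfuscate almost all traditional circuit obfuscation schemes, and as a result, a number of defense solutions have been proposed in literature. All these defenses are based on the implicit assumption that the attacker needs a perfect deobfuscation accuracy which may not be true in many practical cases. Therefore, in this paper by relaxing the exactness constraint on deobfuscation, we propose the AppSAT attack, an approximate deobfuscation algorithm based on the SAT attack and random testing. We show how the AppSAT attack can deobfuscate 68 out of the 71 benchmark circuits that were obfuscated with state-of-the-art SAT attack defenses with an accuracy of, n being the number of inputs. AppSAT shows that with current SAT attack defenses there will be a trade-off between exact-attack resiliency and approximation resiliency.},
  keywords     = {Logic Locking, Obfuscation},
  pubstate     = {published},
  tppubtype    = {inproceedings},
}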
Yasin, Muhammad; Sengupta, Abhrajit; Nabeel, Mohammed Thari; Ashraf, Mohammed; Rajendran, Jeyavijayan; Sinanoglu, Ozgur
Provably-secure logic locking: From theory to practice Proceedings Article
In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1601–1618, Dallas, Texas, USA, 2017.
Tags: Design For Trust, Hardware Trojan, Logic Locking, Obfuscation
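% Defense paper (CCS 2017): stripped-functionality logic locking (SFLL), including
% a silicon implementation on an ARM Cortex-M0.
@inproceedings{yasin2017provably,
  author     = {Yasin, Muhammad and Sengupta, Abhrajit and Nabeel, Mohammed Thari and Ashraf, Mohammed and Rajendran, Jeyavijayan and Sinanoglu, Ozgur},
  title      = {Provably-secure logic locking: From theory to practice},
  booktitle  = {Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security},
  series     = {CCS '17},
  pages      = {1601--1618},
  address    = {Dallas, Texas, USA},
  year       = {2017},
  date       = {2017-01-01},
  doi        = {10.1145/3133956.3133985},
  abstract   = {Logic locking has been conceived as a promising proactive defense strategy against intellectual property (IP) piracy, counterfeiting, hardware Trojans, reverse engineering, and overbuilding attacks. Yet, various attacks that use a working chip as an oracle have been launched on logic locking to successfully retrieve its secret key, undermining the defense of all existing locking techniques. In this paper, we propose stripped-functionality logic locking (SFLL), which strips some of the functionality of the design and hides it in the form of a secret key(s), thereby rendering on-chip implementation functionally different from the original one. When loaded onto an on-chip memory, the secret keys restore the original functionality of the design. Through security-aware synthesis that creates a controllable mismatch between the reverse-engineered netlist and original design, SFLL provides a quantifiable and provable resilience trade-off between all known and anticipated attacks. We demonstrate the application of SFLL to large designs (>100K gates) using a computer-aided design (CAD) framework that ensures attaining the desired security level at minimal implementation cost, 8\%, 5\%, and 0.5\% for area, power, and delay, respectively. In addition to theoretical proofs and simulation confirmation of SFLL's security, we also report results from the silicon implementation of SFLL on an ARM Cortex-M0 microprocessor in 65nm technology.},
  keywords   = {Design For Trust, Hardware Trojan, Logic Locking, Obfuscation},
  pubstate   = {published},
  tppubtype  = {inproceedings},
}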
2015
Plaza, Stephen M; Markov, Igor L
Solving the Third-Shift Problem in IC Piracy With Test-Aware Logic Locking Journal Article
In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 34, no. 6, pp. 961–971, 2015, ISSN: 1937-4151.
Tags: Logic Locking, Obfuscation
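% Defense paper (TCAD 2015): multiplexor-based, test-aware locking. The abstract
% also describes an attack on locked circuits that do not preserve test response.
@article{plaza2015solving,
  author     = {Plaza, Stephen M and Markov, Igor L},
  title      = {Solving the Third-Shift Problem in {IC} Piracy With Test-Aware Logic Locking},
  journal    = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
  volume     = {34},
  number     = {6},
  pages      = {961--971},
  publisher  = {IEEE},
  year       = {2015},
  date       = {2015-06-01},
  doi        = {10.1109/TCAD.2015.2404876},
  issn       = {1937-4151},
  abstract   = {The increasing IC manufacturing cost encourages a business model where design houses outsource IC fabrication to remote foundries. Despite cost savings, this model exposes design houses to IC piracy as remote foundries can manufacture in excess to sell on the black market. Recent efforts in digital hardware security aim to thwart piracy by using XOR-based chip locking, cryptography, and active metering. To counter direct attacks and lower the exposure of unlocked circuits to the foundry, we introduce a multiplexor-based locking strategy that preserves test response allowing IC testing by an untrusted party before activation. We demonstrate a simple yet effective attack against a locked circuit that does not preserve test response, and validate the effectiveness of our locking strategy on IWLS 2005 benchmarks.},
  keywords   = {Logic Locking, Obfuscation},
  pubstate   = {published},
  tppubtype  = {article},
}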
Subramanyan, Pramod; Ray, Sayak; Malik, Sharad
Evaluating the security of logic encryption algorithms Proceedings Article
In: Hardware Oriented Security and Trust (HOST), 2015 IEEE International Symposium on, pp. 137–143, IEEE 2015.
Tags: Logic Locking, Obfuscation
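% Attack paper (HOST 2015): SAT-based evaluation of logic encryption. The abstract
% reports 418 of 441 encrypted circuits decrypted across six schemes.
@inproceedings{subramanyan2015evaluating,
  author       = {Subramanyan, Pramod and Ray, Sayak and Malik, Sharad},
  title        = {Evaluating the security of logic encryption algorithms},
  booktitle    = {Hardware Oriented Security and Trust (HOST), 2015 IEEE International Symposium on},
  pages        = {137--143},
  organization = {IEEE},
  year         = {2015},
  date         = {2015-05-01},
  doi          = {10.1109/HST.2015.7140252},
  abstract     = {Contemporary integrated circuits are designed and manufactured in a globalized environment leading to concerns of piracy, overproduction and counterfeiting. One class of techniques to combat these threats is logic encryption. Logic encryption modifies an IC design such that it operates correctly only when a set of newly introduced inputs, called key inputs, are set to the correct values. In this paper, we use algorithms based on satisfiability checking (SAT) to investigate the security of logic encryption. We present a SAT-based algorithm which allows an attacker to “decrypt” an encrypted netlist using a small number of carefully-selected input patterns and their corresponding output observations. We also present a “partial-break” algorithm that can reveal some of the key inputs even when the attack is not fully successful. We conduct a thorough evaluation of our attack by examining six proposals for logic encryption from the literature. We find that all of these are vulnerable to our attack. Among the 441 encrypted circuits we examined, we were able to decrypt 418 (95\%). We discuss the strengths and limitations of our attack and suggest directions that may lead to improved logic encryption algorithms.},
  keywords     = {Logic Locking, Obfuscation},
  pubstate     = {published},
  tppubtype    = {inproceedings},
}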
2012
Rajendran, Jeyavijayan; Pino, Youngok; Sinanoglu, Ozgur; Karri, Ramesh
Security analysis of logic obfuscation Proceedings Article
In: Proceedings of the 49th Annual Design Automation Conference, pp. 83–89, ACM 2012, ISSN: 0738-100X.
Tags: Logic Locking, Obfuscation
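% Attack and countermeasure paper (Design Automation Conference 2012): key recovery
% against EPIC-style obfuscation by sensitizing key values to the outputs, plus fixes.
@inproceedings{rajendran2012security,
  author       = {Rajendran, Jeyavijayan and Pino, Youngok and Sinanoglu, Ozgur and Karri, Ramesh},
  title        = {Security analysis of logic obfuscation},
  booktitle    = {Proceedings of the 49th Annual Design Automation Conference},
  pages        = {83--89},
  organization = {ACM},
  year         = {2012},
  date         = {2012-06-01},
  doi          = {10.1145/2228360.2228377},
  issn         = {0738-100X},
  abstract     = {Due to globalization of Integrated Circuit (IC) design flow, rogue elements in the supply chain can pirate ICs, overbuild ICs, and insert hardware trojans. EPIC [1] obfuscates the design by randomly inserting additional gates; only a correct key makes the design to produce correct outputs. We demonstrate that an attacker can decipher the obfuscated netlist, in a time linear to the number of keys, by sensitizing the key values to the output. We then develop techniques to fix this vulnerability and make obfuscation truly exponential in the number of inserted keys.},
  keywords     = {Logic Locking, Obfuscation},
  pubstate     = {published},
  tppubtype    = {inproceedings},
}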
2009
Chakraborty, Rajat Subhra; Bhunia, Swarup
HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection Journal Article
In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 28, no. 10, pp. 1493-1502, 2009, ISSN: 1937-4151.
Tags: Evaluation of Obfuscation, Logic Locking, Obfuscation
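% Defense paper (TCAD 2009): HARPOON, netlist-level obfuscation that, per the
% abstract, both obfuscates and authenticates the design.
@article{5247148,
  author     = {Chakraborty, Rajat Subhra and Bhunia, Swarup},
  title      = {{HARPOON}: An Obfuscation-Based {SoC} Design Methodology for Hardware Protection},
  journal    = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
  volume     = {28},
  number     = {10},
  pages      = {1493--1502},
  year       = {2009},
  date       = {2009-10-01},
  doi        = {10.1109/TCAD.2009.2028166},
  issn       = {1937-4151},
  abstract   = {Hardware intellectual-property (IP) cores have emerged as an integral part of modern system-on-chip (SoC) designs. However, IP vendors are facing major challenges to protect hardware IPs from IP piracy. This paper proposes a novel design methodology for hardware IP protection using netlist-level obfuscation. The proposed methodology can be integrated in the SoC design and manufacturing flow to simultaneously obfuscate and authenticate the design. Simulation results for a set of ISCAS-89 benchmark circuits and the advanced-encryption-standard IP core show that high levels of security can be achieved at less than 5\% area and power overhead under delay constraint.},
  keywords   = {Evaluation of Obfuscation, Logic Locking, Obfuscation},
  pubstate   = {published},
  tppubtype  = {article},
}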
2008
Roy, Jarrod A; Koushanfar, Farinaz; Markov, Igor L
EPIC: Ending piracy of integrated circuits Proceedings Article
In: Proceedings of the conference on Design, automation and test in Europe, pp. 1069–1074, 2008, ISSN: 1558-1101.
Tags: Logic Locking, Obfuscation
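% Defense paper (Design, Automation and Test in Europe 2008): EPIC, chip activation
% with an external key, built on chip IDs, combinational locking and public-key cryptography.
@inproceedings{roy2008epic,
  author     = {Roy, Jarrod A and Koushanfar, Farinaz and Markov, Igor L},
  title      = {{EPIC}: Ending piracy of integrated circuits},
  booktitle  = {Proceedings of the conference on Design, automation and test in Europe},
  pages      = {1069--1074},
  year       = {2008},
  date       = {2008-03-01},
  doi        = {10.1109/DATE.2008.4484823},
  issn       = {1558-1101},
  abstract   = {As semiconductor manufacturing requires greater capital investments, the use of contract foundries has grown dramatically, increasing exposure to mask theft and unauthorized excess production. While only recently studied, IC piracy has now become a major challenge for the electronics and defense industries. We propose a novel comprehensive technique to end piracy of integrated circuits (EPIC). It requires that every chip be activated with an external key, which can only be generated by the holder of IP rights, and cannot be duplicated. EPIC is based on (i) automatically-generated chip IDs, (ii) a novel combinational locking algorithm, and (iii) innovative use of public-key cryptography. Our evaluation suggests that the overhead of EPIC on circuit delay and power is negligible, and the standard flows for verification and test do not require change. In fact, major required components have already been integrated into several chips in production. We also use formal methods to evaluate combinational locking and computational attacks. A comprehensive protocol analysis concludes that EPIC is surprisingly resistant to various piracy attempts.},
  keywords   = {Logic Locking, Obfuscation},
  pubstate   = {published},
  tppubtype  = {inproceedings},
}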