2021
Sisejkovic, Dominik; Merchant, Farhad; Reimann, Lennart M; Srivastava, Harshit; Hallawa, Ahmed; Leupers, Rainer
Challenging the Security of Logic Locking Schemes in the Era of Deep Learning: A Neuroevolutionary Approach Journal Article
In: J. Emerg. Technol. Comput. Syst., vol. 17, no. 3, 2021, ISSN: 1550-4832.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation
@article{10.1145/3431389,
title = {Challenging the Security of Logic Locking Schemes in the Era of Deep Learning: A Neuroevolutionary Approach},
author = {Dominik Sisejkovic and Farhad Merchant and Lennart M Reimann and Harshit Srivastava and Ahmed Hallawa and Rainer Leupers},
url = {https://doi.org/10.1145/3431389},
doi = {10.1145/3431389},
issn = {1550-4832},
year = {2021},
date = {2021-01-01},
journal = {J. Emerg. Technol. Comput. Syst.},
volume = {17},
number = {3},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
abstract = {Logic locking is a prominent technique to protect the integrity of hardware designs throughout the integrated circuit design and fabrication flow. However, in recent years, the security of locking schemes has been thoroughly challenged by the introduction of various deobfuscation attacks. As in most research branches, deep learning is being introduced in the domain of logic locking as well. Therefore, in this article we present SnapShot, a novel attack on logic locking that is the first of its kind to utilize artificial neural networks to directly predict a key bit value from a locked synthesized gate-level netlist without using a golden reference. Hereby, the attack uses a simpler yet more flexible learning model compared to existing work. Two different approaches are evaluated. The first approach is based on a simple feedforward fully connected neural network. The second approach utilizes genetic algorithms to evolve more complex convolutional neural network architectures specialized for the given task. The attack flow offers a generic and customizable framework for attacking locking schemes using machine learning techniques. We perform an extensive evaluation of SnapShot for two realistic attack scenarios, comprising both reference combinational and sequential benchmark circuits as well as silicon-proven RISC-V core modules. The evaluation results show that SnapShot achieves an average key prediction accuracy of 82.60% for the selected attack scenario, with a significant performance increase of 10.49 percentage points compared to the state of the art. Moreover, SnapShot outperforms the existing technique on all evaluated benchmarks. The results indicate that the security foundation of common logic locking schemes is built on questionable assumptions. Based on the lessons learned, we discuss the vulnerabilities and potentials of logic locking uncovered by SnapShot. The conclusions offer insights into the challenges of designing future logic locking schemes that are resilient to machine learning attacks.},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {article}
}
Logic locking is a prominent technique to protect the integrity of hardware designs throughout the integrated circuit design and fabrication flow. However, in recent years, the security of locking schemes has been thoroughly challenged by the introduction of various deobfuscation attacks. As in most research branches, deep learning is being introduced in the domain of logic locking as well. Therefore, in this article we present SnapShot, a novel attack on logic locking that is the first of its kind to utilize artificial neural networks to directly predict a key bit value from a locked synthesized gate-level netlist without using a golden reference. Hereby, the attack uses a simpler yet more flexible learning model compared to existing work. Two different approaches are evaluated. The first approach is based on a simple feedforward fully connected neural network. The second approach utilizes genetic algorithms to evolve more complex convolutional neural network architectures specialized for the given task. The attack flow offers a generic and customizable framework for attacking locking schemes using machine learning techniques. We perform an extensive evaluation of SnapShot for two realistic attack scenarios, comprising both reference combinational and sequential benchmark circuits as well as silicon-proven RISC-V core modules. The evaluation results show that SnapShot achieves an average key prediction accuracy of 82.60% for the selected attack scenario, with a significant performance increase of 10.49 percentage points compared to the state of the art. Moreover, SnapShot outperforms the existing technique on all evaluated benchmarks. The results indicate that the security foundation of common logic locking schemes is built on questionable assumptions. Based on the lessons learned, we discuss the vulnerabilities and potentials of logic locking uncovered by SnapShot. The conclusions offer insights into the challenges of designing future logic locking schemes that are resilient to machine learning attacks.
2020
Karfa, Chandan; Chouksey, Ramanuj; Pilato, Christian; Garg, Siddharth; Karri, Ramesh
Is Register Transfer Level Locking Secure? Proceedings Article
In: 2020 Design, Automation Test in Europe Conference Exhibition (DATE), pp. 550-555, 2020, ISSN: 1558-1101.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation
@inproceedings{Karfa2020rtl,
title = {Is Register Transfer Level Locking Secure?},
author = {Chandan Karfa and Ramanuj Chouksey and Christian Pilato and Siddharth Garg and Ramesh Karri},
doi = {10.23919/DATE48585.2020.9116261},
issn = {1558-1101},
year = {2020},
date = {2020-03-01},
booktitle = {2020 Design, Automation Test in Europe Conference Exhibition (DATE)},
pages = {550-555},
abstract = {Register Transfer Level (RTL) locking seeks to prevent intellectual property (IP) theft of a design by locking the RTL description that functions correctly on the application of a key. This paper evaluates the security of a state-of-the-art RTL locking scheme using a satisfiability modulo theories (SMT) based algorithm to retrieve the secret key. The attack first obtains the high-level behavior of the locked RTL, and then use an SMT based formulation to find so-called distinguishing input patterns (DIP)1 The attack methodology has two main advantages over the gate-level attacks. First, since the attack handles the design at the RTL, the method scales to large designs. Second, the attack does not apply separate unlocking strategies for the combinational and sequential parts of a design; it handles both styles via a unifying abstraction. We demonstrate the attack on locked RTL generated by TAO [1], a state-of-the-art RTL locking solution. Empirical results show that we can partially or completely break designs locked by TAO.},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
Register Transfer Level (RTL) locking seeks to prevent intellectual property (IP) theft of a design by locking the RTL description that functions correctly on the application of a key. This paper evaluates the security of a state-of-the-art RTL locking scheme using a satisfiability modulo theories (SMT) based algorithm to retrieve the secret key. The attack first obtains the high-level behavior of the locked RTL, and then use an SMT based formulation to find so-called distinguishing input patterns (DIP)1 The attack methodology has two main advantages over the gate-level attacks. First, since the attack handles the design at the RTL, the method scales to large designs. Second, the attack does not apply separate unlocking strategies for the combinational and sequential parts of a design; it handles both styles via a unifying abstraction. We demonstrate the attack on locked RTL generated by TAO [1], a state-of-the-art RTL locking solution. Empirical results show that we can partially or completely break designs locked by TAO.
Zuzak, Michael; Srivastava, Ankur
ObfusGEM: Enhancing Processor Design Obfuscation Through Security-Aware On-Chip Memory and Data Path Design Proceedings Article
In: International Symposium on Memory Systems (MEMSYS), 2020.
BibTeX | Tags: Evaluation of Obfuscation
@inproceedings{Zuzak2020,
title = {ObfusGEM: Enhancing Processor Design Obfuscation Through Security-Aware On-Chip Memory and Data Path Design},
author = {Michael Zuzak and Ankur Srivastava},
year = {2020},
date = {2020-01-01},
booktitle = {International Symposium on Memory Systems (MEMSYS)},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
Hoque, Tamzidul; Chakraborty, Rajat Subhra; Bhunia, Swarup
Hardware Obfuscation and Logic Locking: A Tutorial Introduction Journal Article
In: IEEE Design Test, pp. 1-1, 2020, ISSN: 2168-2364.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation
@article{9050810,
title = {Hardware Obfuscation and Logic Locking: A Tutorial Introduction},
author = {Tamzidul Hoque and Rajat Subhra Chakraborty and Swarup Bhunia},
doi = {10.1109/MDAT.2020.2984224},
issn = {2168-2364},
year = {2020},
date = {2020-01-01},
journal = {IEEE Design Test},
pages = {1-1},
abstract = {Hardware obfuscation relates to the transformation of design to protect it against reverse engineering, piracy, and malicious alteration. It typically aims at both locking a design based on a secret key as well as hiding the design intent through structural transformation. In this article, we provide a tutorial introduction to hardware obfuscation highlighting the motivation, key concepts, the emerging landscape of obfuscation methods, and their merits as well as shortcomings.},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {article}
}
Hardware obfuscation relates to the transformation of design to protect it against reverse engineering, piracy, and malicious alteration. It typically aims at both locking a design based on a secret key as well as hiding the design intent through structural transformation. In this article, we provide a tutorial introduction to hardware obfuscation highlighting the motivation, key concepts, the emerging landscape of obfuscation methods, and their merits as well as shortcomings.
2019
Alaql, Abdulrahman; Forte, Domenic; Bhunia, Swarup
Sweep to the Secret: A Constant Propagation Attack on Logic Locking Proceedings Article
In: 2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), pp. 1-6, 2019.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation
@inproceedings{9006720,
title = {Sweep to the Secret: A Constant Propagation Attack on Logic Locking},
author = {Abdulrahman Alaql and Domenic Forte and Swarup Bhunia},
url = {https://ieeexplore.ieee.org/document/9006720},
doi = {10.1109/AsianHOST47458.2019.9006720},
year = {2019},
date = {2019-12-01},
booktitle = {2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)},
pages = {1-6},
abstract = {The development of hardware intellectual properties (IPs) has faced many challenges due to malicious modifications and piracy. One potential solution to protect IPs against these attacks is to perform a key-based logic locking process that disables the functionality and corrupts the output of the IP when the incorrect key value is applied. However, many attacks on logic locking have been introduced to break the locking mechanism and obtain the key. In this paper, we present SWEEP, a constant propagation attack that exploits the change in characteristics of the IP when a single key-bit value is hard-coded. The attack process starts with analyzing design features that are generated from the synthesis tool and establishes a correlation between these features and the correct key values. In order to perform the attack, the logic locking tool needs to be available. The level of accuracy of the extracted key mainly depends on the type of logic locking approach used to obfuscate the IP. Our attack was applied to ISCAS85, and MCNC benchmarks obfuscated using various logic locking techniques and has obtained an average accuracy of 92.09%.},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
The development of hardware intellectual properties (IPs) has faced many challenges due to malicious modifications and piracy. One potential solution to protect IPs against these attacks is to perform a key-based logic locking process that disables the functionality and corrupts the output of the IP when the incorrect key value is applied. However, many attacks on logic locking have been introduced to break the locking mechanism and obtain the key. In this paper, we present SWEEP, a constant propagation attack that exploits the change in characteristics of the IP when a single key-bit value is hard-coded. The attack process starts with analyzing design features that are generated from the synthesis tool and establishes a correlation between these features and the correct key values. In order to perform the attack, the logic locking tool needs to be available. The level of accuracy of the extracted key mainly depends on the type of logic locking approach used to obfuscate the IP. Our attack was applied to ISCAS85, and MCNC benchmarks obfuscated using various logic locking techniques and has obtained an average accuracy of 92.09%.
Shamsi, Kaveh; Pan, David Z.; Jin, Yier
IcySAT: Improved SAT-based Attacks on Cyclic Locked Circuits Proceedings Article
In: 2019 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), pp. 1-7, IEEE, 2019.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation, Logic Locking
@inproceedings{Shamsi2019c,
title = {IcySAT: Improved SAT-based Attacks on Cyclic Locked Circuits},
author = {Kaveh Shamsi and David Z. Pan and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/IcySAT.pdf},
doi = {10.1109/ICCAD45719.2019.8942049},
year = {2019},
date = {2019-11-05},
booktitle = {2019 IEEE/ACM International Conference on Computer-Aided Design (ICCAD)},
pages = {1-7},
publisher = {IEEE},
abstract = {“Cyclic” circuit locking/camouflaging is a recently proposed direction in logic obfuscation for thwarting foundry and end-user reverse engineering. As opposed to traditional schemes, these techniques create cycles in the obfuscated circuit in a way that confuses the attacker but does not disrupt the combinational nature of the circuit. While these schemes can thwart the baseline SAT-based attack, the CycSAT attack was proposed recently to break these schemes through a preprocessing step that builds a Boolean condition to avoid cyclic solutions/keys during the attack. However, follow-up work has suggested that extracting these conditions requires enumerating all cycles in the circuit, or that instead of relying on these conditions preemptively, cyclic solutions must be banned individually on the fly. In this paper, we present new algorithms for performing SAT-based attacks on cyclic circuits. We first propose an algorithm that can produce non-cyclic conditions in polynomial time with respect to the size of the circuit, avoiding the potentially exponential runtime of explicit key-banning or cycle enumeration. We then take a deeper look at the problem, discussing some of the fundamental limitations of extracting precise non-cyclic conditions and propose a more complex but complete procedure for cyclic deobfuscation. We evaluate our attacks on densely cyclic obfuscated benchmark circuits.},
keywords = {Evaluation of Obfuscation, Logic Locking},
pubstate = {published},
tppubtype = {inproceedings}
}
“Cyclic” circuit locking/camouflaging is a recently proposed direction in logic obfuscation for thwarting foundry and end-user reverse engineering. As opposed to traditional schemes, these techniques create cycles in the obfuscated circuit in a way that confuses the attacker but does not disrupt the combinational nature of the circuit. While these schemes can thwart the baseline SAT-based attack, the CycSAT attack was proposed recently to break these schemes through a preprocessing step that builds a Boolean condition to avoid cyclic solutions/keys during the attack. However, follow-up work has suggested that extracting these conditions requires enumerating all cycles in the circuit, or that instead of relying on these conditions preemptively, cyclic solutions must be banned individually on the fly. In this paper, we present new algorithms for performing SAT-based attacks on cyclic circuits. We first propose an algorithm that can produce non-cyclic conditions in polynomial time with respect to the size of the circuit, avoiding the potentially exponential runtime of explicit key-banning or cycle enumeration. We then take a deeper look at the problem, discussing some of the fundamental limitations of extracting precise non-cyclic conditions and propose a more complex but complete procedure for cyclic deobfuscation. We evaluate our attacks on densely cyclic obfuscated benchmark circuits.
Shamsi, Kaveh; Li, Meng; Plaks, Kenneth; Fazzari, Saverio; Pan, David Z.; Jin, Yier
IP Protection and Supply Chain Security through Logic Obfuscation: A Systematic Overview Journal Article
In: ACM Transactions on Design Automation of Electronic Systems (TODAES), vol. 24, no. 6, pp. 1-36, 2019.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation
@article{Shamsi2019d,
title = {IP Protection and Supply Chain Security through Logic Obfuscation: A Systematic Overview},
author = {Kaveh Shamsi and Meng Li and Kenneth Plaks and Saverio Fazzari and David Z. Pan and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/kaveh2019ip.pdf},
doi = {10.1145/3342099},
year = {2019},
date = {2019-09-01},
journal = {ACM Transactions on Design Automation of Electronic Systems (TODAES)},
volume = {24},
number = {6},
pages = {1-36},
abstract = {The globalization of the semiconductor supply chain introduces ever-increasing security and privacy risks. Two major concerns are IP theft through reverse engineering and malicious modification of the design. The latter concern in part relies on successful reverse engineering of the design as well. IC camouflaging and logic locking are two of the techniques under research that can thwart reverse engineering by end-users or foundries. However, developing low overhead locking/camouflaging schemes that can resist the ever-evolving state-of-the-art attacks has been a challenge for several years. This article provides a comprehensive review of the state of the art with respect to locking/camouflaging techniques. We start by defining a systematic threat model for these techniques and discuss how various real-world scenarios relate to each threat model. We then discuss the evolution of generic algorithmic attacks under each threat model eventually leading to the strongest existing attacks. The article then systematizes defenses and along the way discusses attacks that are more specific to certain kinds of locking/camouflaging. The article then concludes by discussing open problems and future directions.},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {article}
}
The globalization of the semiconductor supply chain introduces ever-increasing security and privacy risks. Two major concerns are IP theft through reverse engineering and malicious modification of the design. The latter concern in part relies on successful reverse engineering of the design as well. IC camouflaging and logic locking are two of the techniques under research that can thwart reverse engineering by end-users or foundries. However, developing low overhead locking/camouflaging schemes that can resist the ever-evolving state-of-the-art attacks has been a challenge for several years. This article provides a comprehensive review of the state of the art with respect to locking/camouflaging techniques. We start by defining a systematic threat model for these techniques and discuss how various real-world scenarios relate to each threat model. We then discuss the evolution of generic algorithmic attacks under each threat model eventually leading to the strongest existing attacks. The article then systematizes defenses and along the way discusses attacks that are more specific to certain kinds of locking/camouflaging. The article then concludes by discussing open problems and future directions.
Shamsi, Kaveh; Pan, David Z.; Jin, Yier
On the Impossibility of Approximation-Resilient Circuit Locking Proceedings Article
In: 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 161-170, 2019.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation, Logic Locking
@inproceedings{Shamsi2019b,
title = {On the Impossibility of Approximation-Resilient Circuit Locking},
author = {Kaveh Shamsi and David Z. Pan and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/kaveh2019on.pdf},
doi = {10.1109/HST.2019.8741035},
year = {2019},
date = {2019-05-06},
booktitle = {2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)},
journal = {2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)},
pages = {161-170},
abstract = {Logic locking, and Integrated Circuit (IC) Camouflaging, are techniques that try to hide the design of an IC from a malicious foundry or end-user by introducing ambiguity into the netlist of the circuit. While over the past decade an array of such techniques have been proposed, their security has been constantly challenged by algorithmic attacks. This may in part be due to a lack of formally defined notions of security in the first place, and hence a lack of security guarantees based on long-standing hardness assumptions. In this paper, we take a formal approach. We define the problem of circuit locking (cL) as transforming an original circuit to a locked one which is “unintelligible” without a secret key (this can model camouflaging and split-manufacturing in addition to logic locking). We define several notions of security for cL under different adversary models. Using long-standing results from computational learning theory we show the impossibility of exponentially approximation-resilient locking in the presence of an oracle for large classes of Boolean circuits. We then show how exact-recovery-resiliency and a more relaxed notion of security that we coin “best-possible” approximation-resiliency can be provably guaranteed with polynomial overhead. Our theoretical analysis directly results in stronger attacks and defenses which we demonstrate through experimental results on benchmark circuits.},
keywords = {Evaluation of Obfuscation, Logic Locking},
pubstate = {published},
tppubtype = {inproceedings}
}
Logic locking, and Integrated Circuit (IC) Camouflaging, are techniques that try to hide the design of an IC from a malicious foundry or end-user by introducing ambiguity into the netlist of the circuit. While over the past decade an array of such techniques have been proposed, their security has been constantly challenged by algorithmic attacks. This may in part be due to a lack of formally defined notions of security in the first place, and hence a lack of security guarantees based on long-standing hardness assumptions. In this paper, we take a formal approach. We define the problem of circuit locking (cL) as transforming an original circuit to a locked one which is “unintelligible” without a secret key (this can model camouflaging and split-manufacturing in addition to logic locking). We define several notions of security for cL under different adversary models. Using long-standing results from computational learning theory we show the impossibility of exponentially approximation-resilient locking in the presence of an oracle for large classes of Boolean circuits. We then show how exact-recovery-resiliency and a more relaxed notion of security that we coin “best-possible” approximation-resiliency can be provably guaranteed with polynomial overhead. Our theoretical analysis directly results in stronger attacks and defenses which we demonstrate through experimental results on benchmark circuits.
Chakraborty, Prabuddha; Cruz, Jonathan; Bhunia, Swarup
SURF: Joint Structural Functional Attack on Logic Locking Proceedings Article
In: 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 181-190, 2019.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation
@inproceedings{8741028,
title = {SURF: Joint Structural Functional Attack on Logic Locking},
author = {Prabuddha Chakraborty and Jonathan Cruz and Swarup Bhunia},
doi = {10.1109/HST.2019.8741028},
year = {2019},
date = {2019-05-01},
booktitle = {2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)},
pages = {181-190},
abstract = {To help protect hardware Intellectual Property (IP) blocks against piracy and reverse engineering, researchers have proposed various obfuscation techniques that aim at hiding design intent and making black-box usage difficult. A dominant form of obfuscation, referred to as logic locking, relies on the insertion of key gates (e.g., XOR/XNOR) at strategic locations in a design followed by logic synthesis. Recently, it has been shown that such an approach leaves predictable structural signatures, which make them susceptible to machine learning (ML) based structural attacks. These attacks are shown to deobfuscate a design by learning the deterministic nature of transformations incorporated by commercial synthesis tools. They are attractive for unraveling the design intent. However, they may not be able to provide a working design. In this paper, we introduce a novel attack on obfuscation techniques, called Structural Functional (SURF) attack, which, for the first time to our knowledge, accomplishes key extraction through scalable functional analysis while leveraging the output of structural attacks. We have developed complete flow and an automatic tool for the attack, which shows promising results. We are able to retrieve, on average, ~90% keybits for obfuscated ISCAS-85 benchmarks (100% in several cases) with > 98% output accuracy. We observe that SURF attack, unlike any known attack, can enable both discovering design intent as well as black-box usage. It is effective for all major variants of logic locking, scalable to large designs, and unlike SAT based attacks, is effective for all design types (e.g., multipliers, where SAT based attacks typically fail).},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
To help protect hardware Intellectual Property (IP) blocks against piracy and reverse engineering, researchers have proposed various obfuscation techniques that aim at hiding design intent and making black-box usage difficult. A dominant form of obfuscation, referred to as logic locking, relies on the insertion of key gates (e.g., XOR/XNOR) at strategic locations in a design followed by logic synthesis. Recently, it has been shown that such an approach leaves predictable structural signatures, which make them susceptible to machine learning (ML) based structural attacks. These attacks are shown to deobfuscate a design by learning the deterministic nature of transformations incorporated by commercial synthesis tools. They are attractive for unraveling the design intent. However, they may not be able to provide a working design. In this paper, we introduce a novel attack on obfuscation techniques, called Structural Functional (SURF) attack, which, for the first time to our knowledge, accomplishes key extraction through scalable functional analysis while leveraging the output of structural attacks. We have developed complete flow and an automatic tool for the attack, which shows promising results. We are able to retrieve, on average, ~90% keybits for obfuscated ISCAS-85 benchmarks (100% in several cases) with > 98% output accuracy. We observe that SURF attack, unlike any known attack, can enable both discovering design intent as well as black-box usage. It is effective for all major variants of logic locking, scalable to large designs, and unlike SAT based attacks, is effective for all design types (e.g., multipliers, where SAT based attacks typically fail).
Shamsi, Kaveh; Meade, Travis; Li, Meng; Pan, David Z.; Jin, Yier
On the Approximation Resiliency of Logic Locking and IC Camouflaging Schemes Journal Article
In: IEEE Transactions on Information Forensics and Security (TIFS), vol. 14, no. 2, pp. 347-359, 2019.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation
@article{Shamsi2019cb,
title = {On the Approximation Resiliency of Logic Locking and IC Camouflaging Schemes},
author = {Kaveh Shamsi and Travis Meade and Meng Li and David Z. Pan and Yier Jin},
url = {http://cadforassurance.org/wp-content/uploads/kaveh2019onappro.pdf},
doi = {10.1109/TIFS.2018.2850319},
year = {2019},
date = {2019-02-01},
journal = {IEEE Transactions on Information Forensics and Security (TIFS)},
volume = {14},
number = {2},
pages = {347-359},
abstract = {The SAT-based attacks are extremely successful in deobfuscating the traditional combinational logic locking and IC camouflaging schemes. While several SAT-resilient protection schemes that increase the minimum query count of the attack have been proposed recently, none of them satisfy the output corruptibility (error) criteria. Therefore, most of them were combined with high corruptibility schemes to achieve both corruptibility and high query count. These “compound” schemes are successful since existing SAT attacks are agnostic to the corruptibility of the protection scheme. In this paper, we propose an approximate SAT-based attack framework that focuses on the iterative convergence of an attack toward a better solution. This helps our attack reduce a compound scheme to a standalone SAT-resilient scheme. In addition, we relate the problem of minimum query count to a well-known graph problem, and we propose a novel technique to increase the corruptibility of SAT-resilient protection schemes in a controllable manner. This creates protection schemes that have both high query count and corruptibility. Furthermore, due to the approximation resiliency property of these schemes, approximate attacks provide no advantage over exact attacks when attacking them.},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {article}
}
The SAT-based attacks are extremely successful in deobfuscating the traditional combinational logic locking and IC camouflaging schemes. While several SAT-resilient protection schemes that increase the minimum query count of the attack have been proposed recently, none of them satisfy the output corruptibility (error) criteria. Therefore, most of them were combined with high corruptibility schemes to achieve both corruptibility and high query count. These “compound” schemes are successful since existing SAT attacks are agnostic to the corruptibility of the protection scheme. In this paper, we propose an approximate SAT-based attack framework that focuses on the iterative convergence of an attack toward a better solution. This helps our attack reduce a compound scheme to a standalone SAT-resilient scheme. In addition, we relate the problem of minimum query count to a well-known graph problem, and we propose a novel technique to increase the corruptibility of SAT-resilient protection schemes in a controllable manner. This creates protection schemes that have both high query count and corruptibility. Furthermore, due to the approximation resiliency property of these schemes, approximate attacks provide no advantage over exact attacks when attacking them.
Hoque, Tamzidul; Yang, Kai; Karam, Robert; Tajik, Shahin; Forte, Domenic; Tehranipoor, Mark; Bhunia, Swarup
Hidden in Plaintext: An Obfuscation-Based Countermeasure against FPGA Bitstream Tampering Attacks Journal Article
In: ACM Trans. Des. Autom. Electron. Syst., vol. 25, no. 1, 2019, ISSN: 1084-4309.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation
@article{10.1145/3361147,
title = {Hidden in Plaintext: An Obfuscation-Based Countermeasure against FPGA Bitstream Tampering Attacks},
author = {Tamzidul Hoque and Kai Yang and Robert Karam and Shahin Tajik and Domenic Forte and Mark Tehranipoor and Swarup Bhunia},
url = {https://doi.org/10.1145/3361147},
doi = {10.1145/3361147},
issn = {1084-4309},
year = {2019},
date = {2019-01-01},
journal = {ACM Trans. Des. Autom. Electron. Syst.},
volume = {25},
number = {1},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
abstract = {Field Programmable Gate Arrays (FPGAs) have become an attractive choice for diverse applications due to their reconfigurability and unique security features. However, designs mapped to FPGAs are prone to malicious modifications or tampering of critical functions. Besides, targeted modifications have demonstrably compromised FPGA implementations of various cryptographic primitives. Existing security measures based on encryption and authentication can be bypassed using their side-channel vulnerabilities to execute bitstream tampering attacks. Furthermore, numerous resource-constrained applications are now equipped with low-end FPGAs, which may not support power-hungry cryptographic solutions. In this article, we propose a novel obfuscation-based approach to achieve strong resistance against both random and targeted pre-configuration tampering of critical functions in an FPGA design. Our solution first identifies the unique structural and functional features that separate the critical function from the rest of the design using a machine learning guided framework. The selected features are eliminated by applying appropriate obfuscation techniques, many of which take advantage of “FPGA dark silicon”—unused lookup table resources—to mask the critical functions. Furthermore, following the same obfuscation principle, a redundancy-based technique is proposed to thwart targeted, rule-based, and random tampering. We have developed a complete methodology and custom software toolflow that integrates with commercial tools. By applying the masking technique on a design containing AES, we show the effectiveness of the proposed framework in hiding the critical S-Box function. We implement the redundancy integrated solution in various cryptographic designs to analyze the overhead. To protect 16.2% critical component of a design, the proposed approach incurs an average area overhead of only 2.4% over similar redundancy-based approaches, while achieving strong security.},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {article}
}
Field Programmable Gate Arrays (FPGAs) have become an attractive choice for diverse applications due to their reconfigurability and unique security features. However, designs mapped to FPGAs are prone to malicious modifications or tampering of critical functions. Besides, targeted modifications have demonstrably compromised FPGA implementations of various cryptographic primitives. Existing security measures based on encryption and authentication can be bypassed using their side-channel vulnerabilities to execute bitstream tampering attacks. Furthermore, numerous resource-constrained applications are now equipped with low-end FPGAs, which may not support power-hungry cryptographic solutions. In this article, we propose a novel obfuscation-based approach to achieve strong resistance against both random and targeted pre-configuration tampering of critical functions in an FPGA design. Our solution first identifies the unique structural and functional features that separate the critical function from the rest of the design using a machine learning guided framework. The selected features are eliminated by applying appropriate obfuscation techniques, many of which take advantage of “FPGA dark silicon”—unused lookup table resources—to mask the critical functions. Furthermore, following the same obfuscation principle, a redundancy-based technique is proposed to thwart targeted, rule-based, and random tampering. We have developed a complete methodology and custom software toolflow that integrates with commercial tools. By applying the masking technique on a design containing AES, we show the effectiveness of the proposed framework in hiding the critical S-Box function. We implement the redundancy integrated solution in various cryptographic designs to analyze the overhead. To protect 16.2% critical component of a design, the proposed approach incurs an average area overhead of only 2.4% over similar redundancy-based approaches, while achieving strong security.
2018
Chakraborty, Prabuddha; Cruz, Jonathan; Bhunia, Swarup
SAIL: Machine Learning Guided Structural Analysis Attack on Hardware Obfuscation Proceedings Article
In: 2018 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), pp. 56-61, 2018.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation
@inproceedings{8607163,
title = {SAIL: Machine Learning Guided Structural Analysis Attack on Hardware Obfuscation},
author = {Prabuddha Chakraborty and Jonathan Cruz and Swarup Bhunia},
doi = {10.1109/AsianHOST.2018.8607163},
year = {2018},
date = {2018-12-01},
booktitle = {2018 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)},
pages = {56-61},
abstract = {Obfuscation is a technique for protecting hardware intellectual property (IP) blocks against reverse engineering, piracy, and malicious modifications. Current obfuscation efforts mainly focus on functional locking of a design to prevent black-box usage. They do not directly address hiding design intent through structural transformations, which is an important objective of obfuscation. We note that current obfuscation techniques incorporate only: (1) local, and (2) predictable changes in circuit topology. In this paper, we present SAIL, a structural attack on obfuscation using machine learning (ML) models that exposes a critical vulnerability of these methods. Through this attack, we demonstrate that the gate-level structure of an obfuscated design can be retrieved in most parts through a systematic set of steps. The proposed attack is applicable to all forms of logic obfuscation, and significantly more powerful than existing attacks, e.g., SAT-based attacks, since it does not require the availability of golden functional responses (e.g., an unlocked IC). Evaluation on benchmark circuits show that we can recover an average of about 84% (up to 95%) transformations introduced by obfuscation. We also show that this attack is scalable, flexible, and versatile.},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
Obfuscation is a technique for protecting hardware intellectual property (IP) blocks against reverse engineering, piracy, and malicious modifications. Current obfuscation efforts mainly focus on functional locking of a design to prevent black-box usage. They do not directly address hiding design intent through structural transformations, which is an important objective of obfuscation. We note that current obfuscation techniques incorporate only: (1) local, and (2) predictable changes in circuit topology. In this paper, we present SAIL, a structural attack on obfuscation using machine learning (ML) models that exposes a critical vulnerability of these methods. Through this attack, we demonstrate that the gate-level structure of an obfuscated design can be retrieved in most parts through a systematic set of steps. The proposed attack is applicable to all forms of logic obfuscation, and significantly more powerful than existing attacks, e.g., SAT-based attacks, since it does not require the availability of golden functional responses (e.g., an unlocked IC). Evaluation on benchmark circuits show that we can recover an average of about 84% (up to 95%) transformations introduced by obfuscation. We also show that this attack is scalable, flexible, and versatile.
Azar, Kimia Zamiri; Kamali, Hadi Mardani; Homayoun, Houman; Sasan, Avesta
SMT Attack: Next Generation Attack on Obfuscated Circuits with Capabilities and Performance Beyond the SAT Attacks Journal Article
In: IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2019, no. 1, pp. 97-122, 2018.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation
@article{Azar_Kamali_Homayoun_Sasan_2018,
title = {SMT Attack: Next Generation Attack on Obfuscated Circuits with Capabilities and Performance Beyond the SAT Attacks},
author = {Kimia Zamiri Azar and Hadi Mardani Kamali and Houman Homayoun and Avesta Sasan},
url = {https://tches.iacr.org/index.php/TCHES/article/view/7335},
doi = {10.13154/tches.v2019.i1.97-122},
year = {2018},
date = {2018-11-01},
journal = {IACR Transactions on Cryptographic Hardware and Embedded Systems},
volume = {2019},
number = {1},
pages = {97-122},
abstract = {In this paper, we introduce the Satisfiability Modulo Theory (SMT) attack on obfuscated circuits. The proposed attack is the superset of Satisfiability (SAT) attack, with many additional features. It uses one or more theory solvers in addition to its internal SAT solver. For this reason, it is capable of modeling far more complex behaviors and could formulate much stronger attacks. In this paper, we illustrate that the use of theory solvers enables the SMT to carry attacks that are not possible by SAT formulated attacks. As an example of its capabilities, we use the SMT attack to break a recent obfuscation scheme that uses key values to alter delay properties (setup and hold time) of a circuit to remain SAT hard. Considering that the logic delay is not a Boolean logical property, the targeted obfuscation mechanism is not breakable by a SAT attack. However, in this paper, we illustrate that the proposed SMT attack, by deploying a simple graph theory solver, can model and break this obfuscation scheme in few minutes. We describe how the SMT attack could be used in one of four different attack modes: (1) We explain how SMT attack could be reduced to a SAT attack, (2) how the SMT attack could be carried out in Eager, and (3) Lazy approach, and finally (4) we introduce the Accelerated SMT (AccSMT) attack that offers significant speed-up to SAT attack. Additionally, we explain how AccSMT attack could be used as an approximate attack when facing SMT-Hard obfuscation schemes.},
keywords = {Evaluation of Obfuscation},
pubstate = {published},
tppubtype = {article}
}
In this paper, we introduce the Satisfiability Modulo Theory (SMT) attack on obfuscated circuits. The proposed attack is the superset of Satisfiability (SAT) attack, with many additional features. It uses one or more theory solvers in addition to its internal SAT solver. For this reason, it is capable of modeling far more complex behaviors and could formulate much stronger attacks. In this paper, we illustrate that the use of theory solvers enables the SMT to carry attacks that are not possible by SAT formulated attacks. As an example of its capabilities, we use the SMT attack to break a recent obfuscation scheme that uses key values to alter delay properties (setup and hold time) of a circuit to remain SAT hard. Considering that the logic delay is not a Boolean logical property, the targeted obfuscation mechanism is not breakable by a SAT attack. However, in this paper, we illustrate that the proposed SMT attack, by deploying a simple graph theory solver, can model and break this obfuscation scheme in few minutes. We describe how the SMT attack could be used in one of four different attack modes: (1) We explain how SMT attack could be reduced to a SAT attack, (2) how the SMT attack could be carried out in Eager, and (3) Lazy approach, and finally (4) we introduce the Accelerated SMT (AccSMT) attack that offers significant speed-up to SAT attack. Additionally, we explain how AccSMT attack could be used as an approximate attack when facing SMT-Hard obfuscation schemes.
2009
Chakraborty, Rajat Subhra; Bhunia, Swarup
HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection Journal Article
In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 28, no. 10, pp. 1493-1502, 2009, ISSN: 1937-4151.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation, Logic Locking, Obfuscation
@article{5247148,
title = {HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection},
author = {Rajat Subhra Chakraborty and Swarup Bhunia},
doi = {10.1109/TCAD.2009.2028166},
issn = {1937-4151},
year = {2009},
date = {2009-10-01},
journal = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
volume = {28},
number = {10},
pages = {1493-1502},
abstract = {Hardware intellectual-property (IP) cores have emerged as an integral part of modern system-on-chip (SoC) designs. However, IP vendors are facing major challenges to protect hardware IPs from IP piracy. This paper proposes a novel design methodology for hardware IP protection using netlist-level obfuscation. The proposed methodology can be integrated in the SoC design and manufacturing flow to simultaneously obfuscate and authenticate the design. Simulation results for a set of ISCAS-89 benchmark circuits and the advanced-encryption-standard IP core show that high levels of security can be achieved at less than 5% area and power overhead under delay constraint.},
keywords = {Evaluation of Obfuscation, Logic Locking, Obfuscation},
pubstate = {published},
tppubtype = {article}
}
Hardware intellectual-property (IP) cores have emerged as an integral part of modern system-on-chip (SoC) designs. However, IP vendors are facing major challenges to protect hardware IPs from IP piracy. This paper proposes a novel design methodology for hardware IP protection using netlist-level obfuscation. The proposed methodology can be integrated in the SoC design and manufacturing flow to simultaneously obfuscate and authenticate the design. Simulation results for a set of ISCAS-89 benchmark circuits and the advanced-encryption-standard IP core show that high levels of security can be achieved at less than 5% area and power overhead under delay constraint.