2021
Zeng, Wei; Davoodi, Azadeh; Topaloglu, Rasit Onur
ObfusX: Routing Obfuscation with Explanatory Analysis of A Machine Learning Attack Proceedings Article
In: IEEE/ACM Asia and South Pacific Design Automation Conference, 2021.
Abstract | Links | BibTeX | Tags: Obfuscation
@inproceedings{zeng2021obfusx,
title = {ObfusX: Routing Obfuscation with Explanatory Analysis of A Machine Learning Attack},
author = {Wei Zeng and Azadeh Davoodi and Rasit Onur Topaloglu},
url = {https://dl.acm.org/doi/10.1145/3394885.3431600},
doi = {10.1145/3394885.3431600},
year = {2021},
date = {2021-01-01},
urldate = {2021-01-01},
booktitle = {IEEE/ACM Asia and South Pacific Design Automation Conference},
abstract = {This is the first work that incorporates recent advancements in "explainability" of machine learning (ML) to build a routing obfuscator called ObfusX. We adopt a recent metric---the SHAP value---which explains to what extent each layout feature can reveal each unknown connection for a recent ML-based split manufacturing attack model. The unique benefits of SHAP-based analysis include the ability to identify the best candidates for obfuscation, together with the dominant layout features which make them vulnerable. As a result, ObfusX can achieve better hit rate (97% lower) while perturbing significantly fewer nets when obfuscating using a via perturbation scheme, compared to prior work. When imposing the same wirelength limit using a wire lifting scheme, ObfusX performs significantly better in performance metrics (e.g., 2.4 times more reduction on average in percentage of netlist recovery).},
keywords = {Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
This is the first work that incorporates recent advancements in "explainability" of machine learning (ML) to build a routing obfuscator called ObfusX. We adopt a recent metric---the SHAP value---which explains to what extent each layout feature can reveal each unknown connection for a recent ML-based split manufacturing attack model. The unique benefits of SHAP-based analysis include the ability to identify the best candidates for obfuscation, together with the dominant layout features which make them vulnerable. As a result, ObfusX can achieve better hit rate (97% lower) while perturbing significantly fewer nets when obfuscating using a via perturbation scheme, compared to prior work. When imposing the same wirelength limit using a wire lifting scheme, ObfusX performs significantly better in performance metrics (e.g., 2.4 times more reduction on average in percentage of netlist recovery).
2017
Shamsi, Kaveh; Li, Meng; Meade, Travis; Zhao, Zheng; Pan, David Z.; Jin, Yier
AppSAT: Approximately deobfuscating integrated circuits Proceedings Article
In: 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp. 95–100, IEEE 2017.
Abstract | Links | BibTeX | Tags: Logic Locking, Obfuscation
@inproceedings{shamsi2017appsat,
title = {AppSAT: Approximately deobfuscating integrated circuits},
author = {Kaveh Shamsi and Meng Li and Travis Meade and Zheng Zhao and David Z. Pan and Yier Jin},
doi = {10.1109/HST.2017.7951805},
year = {2017},
date = {2017-05-01},
booktitle = {2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)},
pages = {95--100},
organization = {IEEE},
abstract = {In today's diversified semiconductor supply-chain, protecting intellectual property (IP) and maintaining manufacturing integrity are important concerns. Circuit obfuscation techniques such as logic encryption and IC camouflaging can potentially defend against a majority of supply-chain threats such as stealthy malicious design modification, IP theft, overproduction, and cloning. Recently, a Boolean Satisfiability (SAT) based attack, namely the SAT attack has been able to deobfuscate almost all traditional circuit obfuscation schemes, and as a result, a number of defense solutions have been proposed in literature. All these defenses are based on the implicit assumption that the attacker needs a perfect deobfuscation accuracy which may not be true in many practical cases. Therefore, in this paper by relaxing the exactness constraint on deobfuscation, we propose the AppSAT attack, an approximate deobfuscation algorithm based on the SAT attack and random testing. We show how the AppSAT attack can deobfuscate 68 out of the 71 benchmark circuits that were obfuscated with state-of-the-art SAT attack defenses with an accuracy of, n being the number of inputs. AppSAT shows that with current SAT attack defenses there will be a trade-off between exact-attack resiliency and approximation resiliency.},
keywords = {Logic Locking, Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
In today's diversified semiconductor supply-chain, protecting intellectual property (IP) and maintaining manufacturing integrity are important concerns. Circuit obfuscation techniques such as logic encryption and IC camouflaging can potentially defend against a majority of supply-chain threats such as stealthy malicious design modification, IP theft, overproduction, and cloning. Recently, a Boolean Satisfiability (SAT) based attack, namely the SAT attack has been able to deobfuscate almost all traditional circuit obfuscation schemes, and as a result, a number of defense solutions have been proposed in literature. All these defenses are based on the implicit assumption that the attacker needs a perfect deobfuscation accuracy which may not be true in many practical cases. Therefore, in this paper by relaxing the exactness constraint on deobfuscation, we propose the AppSAT attack, an approximate deobfuscation algorithm based on the SAT attack and random testing. We show how the AppSAT attack can deobfuscate 68 out of the 71 benchmark circuits that were obfuscated with state-of-the-art SAT attack defenses with an accuracy of, n being the number of inputs. AppSAT shows that with current SAT attack defenses there will be a trade-off between exact-attack resiliency and approximation resiliency.
Yasin, Muhammad; Sengupta, Abhrajit; Nabeel, Mohammed Thari; Ashraf, Mohammed; Rajendran, Jeyavijayan; Sinanoglu, Ozgur
Provably-secure logic locking: From theory to practice Proceedings Article
In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 1601–1618, Dallas, Texas, USA, 2017.
Abstract | Links | BibTeX | Tags: Design For Trust, Hardware Trojan, Logic Locking, Obfuscation
@inproceedings{yasin2017provably,
title = {Provably-secure logic locking: From theory to practice},
author = {Muhammad Yasin and Abhrajit Sengupta and Mohammed Thari Nabeel and Mohammed Ashraf and Jeyavijayan Rajendran and Ozgur Sinanoglu},
doi = {10.1145/3133956.3133985},
year = {2017},
date = {2017-01-01},
booktitle = {Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security},
pages = {1601–1618},
address = {Dallas, Texas, USA},
series = {CCS '17},
abstract = {Logic locking has been conceived as a promising proactive defense strategy against intellectual property (IP) piracy, counterfeiting, hardware Trojans, reverse engineering, and overbuilding attacks. Yet, various attacks that use a working chip as an oracle have been launched on logic locking to successfully retrieve its secret key, undermining the defense of all existing locking techniques. In this paper, we propose stripped-functionality logic locking (SFLL), which strips some of the functionality of the design and hides it in the form of a secret key(s), thereby rendering on-chip implementation functionally different from the original one. When loaded onto an on-chip memory, the secret keys restore the original functionality of the design. Through security-aware synthesis that creates a controllable mismatch between the reverse-engineered netlist and original design, SFLL provides a quantifiable and provable resilience trade-off between all known and anticipated attacks. We demonstrate the application of SFLL to large designs (>100K gates) using a computer-aided design (CAD) framework that ensures attaining the desired security level at minimal implementation cost, 8%, 5%, and 0.5% for area, power, and delay, respectively. In addition to theoretical proofs and simulation confirmation of SFLL's security, we also report results from the silicon implementation of SFLL on an ARM Cortex-M0 microprocessor in 65nm technology.},
keywords = {Design For Trust, Hardware Trojan, Logic Locking, Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
Logic locking has been conceived as a promising proactive defense strategy against intellectual property (IP) piracy, counterfeiting, hardware Trojans, reverse engineering, and overbuilding attacks. Yet, various attacks that use a working chip as an oracle have been launched on logic locking to successfully retrieve its secret key, undermining the defense of all existing locking techniques. In this paper, we propose stripped-functionality logic locking (SFLL), which strips some of the functionality of the design and hides it in the form of a secret key(s), thereby rendering on-chip implementation functionally different from the original one. When loaded onto an on-chip memory, the secret keys restore the original functionality of the design. Through security-aware synthesis that creates a controllable mismatch between the reverse-engineered netlist and original design, SFLL provides a quantifiable and provable resilience trade-off between all known and anticipated attacks. We demonstrate the application of SFLL to large designs (>100K gates) using a computer-aided design (CAD) framework that ensures attaining the desired security level at minimal implementation cost, 8%, 5%, and 0.5% for area, power, and delay, respectively. In addition to theoretical proofs and simulation confirmation of SFLL's security, we also report results from the silicon implementation of SFLL on an ARM Cortex-M0 microprocessor in 65nm technology.
2015
Plaza, Stephen M; Markov, Igor L
Solving the Third-Shift Problem in IC Piracy With Test-Aware Logic Locking Journal Article
In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 34, no. 6, pp. 961–971, 2015, ISSN: 1937-4151.
Abstract | Links | BibTeX | Tags: Logic Locking, Obfuscation
@article{plaza2015solving,
title = {Solving the Third-Shift Problem in IC Piracy With Test-Aware Logic Locking},
author = {Stephen M Plaza and Igor L Markov},
doi = {10.1109/TCAD.2015.2404876},
issn = {1937-4151},
year = {2015},
date = {2015-06-01},
journal = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
volume = {34},
number = {6},
pages = {961--971},
publisher = {IEEE},
abstract = {The increasing IC manufacturing cost encourages a business model where design houses outsource IC fabrication to remote foundries. Despite cost savings, this model exposes design houses to IC piracy as remote foundries can manufacture in excess to sell on the black market. Recent efforts in digital hardware security aim to thwart piracy by using XOR-based chip locking, cryptography, and active metering. To counter direct attacks and lower the exposure of unlocked circuits to the foundry, we introduce a multiplexor-based locking strategy that preserves test response allowing IC testing by an untrusted party before activation. We demonstrate a simple yet effective attack against a locked circuit that does not preserve test response, and validate the effectiveness of our locking strategy on IWLS 2005 benchmarks.},
keywords = {Logic Locking, Obfuscation},
pubstate = {published},
tppubtype = {article}
}
The increasing IC manufacturing cost encourages a business model where design houses outsource IC fabrication to remote foundries. Despite cost savings, this model exposes design houses to IC piracy as remote foundries can manufacture in excess to sell on the black market. Recent efforts in digital hardware security aim to thwart piracy by using XOR-based chip locking, cryptography, and active metering. To counter direct attacks and lower the exposure of unlocked circuits to the foundry, we introduce a multiplexor-based locking strategy that preserves test response allowing IC testing by an untrusted party before activation. We demonstrate a simple yet effective attack against a locked circuit that does not preserve test response, and validate the effectiveness of our locking strategy on IWLS 2005 benchmarks.
Subramanyan, Pramod; Ray, Sayak; Malik, Sharad
Evaluating the security of logic encryption algorithms Proceedings Article
In: Hardware Oriented Security and Trust (HOST), 2015 IEEE International Symposium on, pp. 137–143, IEEE 2015.
Abstract | Links | BibTeX | Tags: Logic Locking, Obfuscation
@inproceedings{subramanyan2015evaluating,
title = {Evaluating the security of logic encryption algorithms},
author = {Pramod Subramanyan and Sayak Ray and Sharad Malik},
doi = {10.1109/HST.2015.7140252},
year = {2015},
date = {2015-05-01},
booktitle = {Hardware Oriented Security and Trust (HOST), 2015 IEEE International Symposium on},
pages = {137--143},
organization = {IEEE},
abstract = {Contemporary integrated circuits are designed and manufactured in a globalized environment leading to concerns of piracy, overproduction and counterfeiting. One class of techniques to combat these threats is logic encryption. Logic encryption modifies an IC design such that it operates correctly only when a set of newly introduced inputs, called key inputs, are set to the correct values. In this paper, we use algorithms based on satisfiability checking (SAT) to investigate the security of logic encryption. We present a SAT-based algorithm which allows an attacker to “decrypt” an encrypted netlist using a small number of carefully-selected input patterns and their corresponding output observations. We also present a “partial-break” algorithm that can reveal some of the key inputs even when the attack is not fully successful. We conduct a thorough evaluation of our attack by examining six proposals for logic encryption from the literature. We find that all of these are vulnerable to our attack. Among the 441 encrypted circuits we examined, we were able to decrypt 418 (95%). We discuss the strengths and limitations of our attack and suggest directions that may lead to improved logic encryption algorithms.},
keywords = {Logic Locking, Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
Contemporary integrated circuits are designed and manufactured in a globalized environment leading to concerns of piracy, overproduction and counterfeiting. One class of techniques to combat these threats is logic encryption. Logic encryption modifies an IC design such that it operates correctly only when a set of newly introduced inputs, called key inputs, are set to the correct values. In this paper, we use algorithms based on satisfiability checking (SAT) to investigate the security of logic encryption. We present a SAT-based algorithm which allows an attacker to “decrypt” an encrypted netlist using a small number of carefully-selected input patterns and their corresponding output observations. We also present a “partial-break” algorithm that can reveal some of the key inputs even when the attack is not fully successful. We conduct a thorough evaluation of our attack by examining six proposals for logic encryption from the literature. We find that all of these are vulnerable to our attack. Among the 441 encrypted circuits we examined, we were able to decrypt 418 (95%). We discuss the strengths and limitations of our attack and suggest directions that may lead to improved logic encryption algorithms.
2012
Rajendran, Jeyavijayan; Pino, Youngok; Sinanoglu, Ozgur; Karri, Ramesh
Security analysis of logic obfuscation Proceedings Article
In: Proceedings of the 49th Annual Design Automation Conference, pp. 83–89, ACM 2012, ISSN: 0738-100X.
Abstract | Links | BibTeX | Tags: Logic Locking, Obfuscation
@inproceedings{rajendran2012security,
title = {Security analysis of logic obfuscation},
author = {Jeyavijayan Rajendran and Youngok Pino and Ozgur Sinanoglu and Ramesh Karri},
doi = {10.1145/2228360.2228377},
issn = {0738-100X},
year = {2012},
date = {2012-06-01},
booktitle = {Proceedings of the 49th Annual Design Automation Conference},
pages = {83--89},
organization = {ACM},
abstract = {Due to globalization of Integrated Circuit (IC) design flow, rogue elements in the supply chain can pirate ICs, overbuild ICs, and insert hardware trojans. EPIC [1] obfuscates the design by randomly inserting additional gates; only a correct key makes the design to produce correct outputs. We demonstrate that an attacker can decipher the obfuscated nctlist, in a time linear to the number of keys, by sensitizing the key values to the output. We then develop techniques to fix this vulnerability and make obfuscation truly exponential in the number of inserted keys.},
keywords = {Logic Locking, Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
Due to globalization of Integrated Circuit (IC) design flow, rogue elements in the supply chain can pirate ICs, overbuild ICs, and insert hardware trojans. EPIC [1] obfuscates the design by randomly inserting additional gates; only a correct key makes the design to produce correct outputs. We demonstrate that an attacker can decipher the obfuscated nctlist, in a time linear to the number of keys, by sensitizing the key values to the output. We then develop techniques to fix this vulnerability and make obfuscation truly exponential in the number of inserted keys.
2009
Chakraborty, Rajat Subhra; Bhunia, Swarup
HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection Journal Article
In: IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 28, no. 10, pp. 1493-1502, 2009, ISSN: 1937-4151.
Abstract | Links | BibTeX | Tags: Evaluation of Obfuscation, Logic Locking, Obfuscation
@article{5247148,
title = {HARPOON: An Obfuscation-Based SoC Design Methodology for Hardware Protection},
author = {Rajat Subhra Chakraborty and Swarup Bhunia},
doi = {10.1109/TCAD.2009.2028166},
issn = {1937-4151},
year = {2009},
date = {2009-10-01},
journal = {IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems},
volume = {28},
number = {10},
pages = {1493-1502},
abstract = {Hardware intellectual-property (IP) cores have emerged as an integral part of modern system-on-chip (SoC) designs. However, IP vendors are facing major challenges to protect hardware IPs from IP piracy. This paper proposes a novel design methodology for hardware IP protection using netlist-level obfuscation. The proposed methodology can be integrated in the SoC design and manufacturing flow to simultaneously obfuscate and authenticate the design. Simulation results for a set of ISCAS-89 benchmark circuits and the advanced-encryption-standard IP core show that high levels of security can be achieved at less than 5% area and power overhead under delay constraint.},
keywords = {Evaluation of Obfuscation, Logic Locking, Obfuscation},
pubstate = {published},
tppubtype = {article}
}
Hardware intellectual-property (IP) cores have emerged as an integral part of modern system-on-chip (SoC) designs. However, IP vendors are facing major challenges to protect hardware IPs from IP piracy. This paper proposes a novel design methodology for hardware IP protection using netlist-level obfuscation. The proposed methodology can be integrated in the SoC design and manufacturing flow to simultaneously obfuscate and authenticate the design. Simulation results for a set of ISCAS-89 benchmark circuits and the advanced-encryption-standard IP core show that high levels of security can be achieved at less than 5% area and power overhead under delay constraint.
2008
Roy, Jarrod A; Koushanfar, Farinaz; Markov, Igor L
EPIC: Ending piracy of integrated circuits Proceedings Article
In: Proceedings of the conference on Design, automation and test in Europe, pp. 1069–1074, 2008, ISSN: 1558-1101.
Abstract | Links | BibTeX | Tags: Logic Locking, Obfuscation
@inproceedings{roy2008epic,
title = {EPIC: Ending piracy of integrated circuits},
author = {Jarrod A Roy and Farinaz Koushanfar and Igor L Markov},
doi = {10.1109/DATE.2008.4484823},
issn = {1558-1101},
year = {2008},
date = {2008-03-01},
booktitle = {Proceedings of the conference on Design, automation and test in Europe},
pages = {1069--1074},
abstract = {As semiconductor manufacturing requires greater capital investments, the use of contract foundries has grown dramatically, increasing exposure to mask theft and unauthorized excess production. While only recently studied, IC piracy has now become a major challenge for the electronics and defense industries. We propose a novel comprehensive technique to end piracy of integrated circuits (EPIC). It requires that every chip be activated with an external key, which can only be generated by the holder of IP rights, and cannot be duplicated. EPIC is based on (i) automatically-generated chip IDs, (ii) a novel combinational locking algorithm, and (Hi) innovative use of public-key cryptography. Our evaluation suggests that the overhead of EPIC on circuit delay and power is negligible, and the standard flows for verification and test do not require change. In fact, major required components have already been integrated into several chips in production. We also use formal methods to evaluate combinational locking and computational attacks. A comprehensive protocol analysis concludes that EPIC is surprisingly resistant to various piracy attempts.},
keywords = {Logic Locking, Obfuscation},
pubstate = {published},
tppubtype = {inproceedings}
}
As semiconductor manufacturing requires greater capital investments, the use of contract foundries has grown dramatically, increasing exposure to mask theft and unauthorized excess production. While only recently studied, IC piracy has now become a major challenge for the electronics and defense industries. We propose a novel comprehensive technique to end piracy of integrated circuits (EPIC). It requires that every chip be activated with an external key, which can only be generated by the holder of IP rights, and cannot be duplicated. EPIC is based on (i) automatically-generated chip IDs, (ii) a novel combinational locking algorithm, and (Hi) innovative use of public-key cryptography. Our evaluation suggests that the overhead of EPIC on circuit delay and power is negligible, and the standard flows for verification and test do not require change. In fact, major required components have already been integrated into several chips in production. We also use formal methods to evaluate combinational locking and computational attacks. A comprehensive protocol analysis concludes that EPIC is surprisingly resistant to various piracy attempts.