2019
Portillo, Jason; Meade, Travis; Hacker, John; Zhang, Shaojie; Jin, Yier
RERTL: Finite State Transducer Logic Recovery at Register Transfer Level Proceedings Article
In: 2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), pp. 1–6, ASIAN-HOST, IEEE, Xi'an, P.R. China, 2019.
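@inproceedings{Portillo2019,
  title        = {{RERTL}: Finite State Transducer Logic Recovery at Register Transfer Level},
  author       = {Portillo, Jason and Meade, Travis and Hacker, John and Zhang, Shaojie and Jin, Yier},
  url          = {https://ieeexplore.ieee.org/document/9006699},
  doi          = {10.1109/AsianHOST47458.2019.9006699},
  year         = {2019},
  date         = {2019-12-16},
  booktitle    = {2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)},
  pages        = {1--6},
  publisher    = {IEEE},
  address      = {Xi'an, P.R. China},
  organization = {ASIAN-HOST},
  series       = {ASIAN-HOST 19},
  abstract     = {Increasingly complex Intellectual Property (IP) design, coupled with shorter Time-To-Market (TTM), breeds flaws at various levels of the Integrated Circuit (IC) production. With access to IPs at all stages of production, design defects can easily be found and corrected, i.e., knowledge of the Register Transfer Level (RTL) code allows for the option of easy defect detection. However, third-party IPs are typically delivered as hard IPs or gate-level netlists, which complicates the defect detection process. The inaccessibility of source RTL code and the lack of RTL recovery tools make the task of finding high-level security flaws in logic intractable. Upon this request, in this paper, we present an RTL recovery tool suite named RERTL that leverages advanced graph algorithms including Lengauer-Tarjan's dominator tree and Euler tour tree technique to assist in netlist analysis. Supported by RERTL, logical states and their interactions are recovered from the initial design in the format of gate-level netlists. After the recovery of state interaction, RERTL further converts the full design into human-readable RTL. A series of netlist case studies were examined using RERTL covering benign logic structures, designs with accidental defects, and designs with deliberate backdoors. The experimental results show that all of our designs at various complexities were recoverable within seconds.},
  keywords     = {Reverse Engineering},
  pubstate     = {published},
  tppubtype    = {inproceedings}
}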
Meade, Travis; Portillo, Jason; Zhang, Shaojie; Jin, Yier
NETA: When IP Fails, Secrets Leak Proceedings Article
In: Proceedings of the 24th Asia and South Pacific Design Automation Conference, pp. 90–95, Association for Computing Machinery, Tokyo, Japan, 2019, ISBN: 9781450360074.
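@comment{NOTE(review): the url fields pointing at cadforassurance.org in this file are plain http, so the linked PDFs are fetched without transport integrity. Each such entry also carries a doi field; confirm the host serves https before switching the links. The key below is a DOI rather than the LastnameYYYY scheme used elsewhere in the file; it is kept unchanged so existing \cite calls keep working.}
@inproceedings{10.1145/3287624.3288739,
  title     = {{NETA}: When {IP} Fails, Secrets Leak},
  author    = {Meade, Travis and Portillo, Jason and Zhang, Shaojie and Jin, Yier},
  url       = {http://cadforassurance.org/wp-content/uploads/travis2019neta.pdf},
  doi       = {10.1145/3287624.3288739},
  isbn      = {9781450360074},
  year      = {2019},
  date      = {2019-01-01},
  booktitle = {Proceedings of the 24th Asia and South Pacific Design Automation Conference},
  pages     = {90--95},
  publisher = {Association for Computing Machinery},
  address   = {Tokyo, Japan},
  series    = {ASPDAC '19},
  abstract  = {Assuring the quality and the trustworthiness of third party resources has been a hard problem to tackle. Researchers have shown that analyzing Integrated Circuits (IC), without the aid of golden models, is challenging. In this paper, we discuss a toolset, NETA, designed to aid IP users in assuring the confidentiality, integrity, and accessibility of their IC or third party IP core. The discussed toolset gives access to a slew of gate-level analysis tools, many of which are heuristic-based, for the purposes of extracting high-level circuit design information. NETA majorly comprises the following tools: RELIC, REBUS, REPCA, REFSM, and REPATH. The first step involved in netlist analysis falls to signal classification. RELIC uses a heuristic-based fan-in structure matcher to determine the uniqueness of each signal in the netlist. REBUS finds word-groups by leveraging the data bus in the netlist in conjunction with RELIC's signal comparison through heuristic verification of input structures. REPCA on the other hand tries to improve upon the standard brute force RELIC comparison by leveraging the data analysis technique of PCA and a sparse RELIC analysis on all signals. Given a netlist and a set of registers, REFSM reconstructs the logic which represents the behavior of a particular register set over the course of the operation of a given netlist. REFSM has been shown useful for examining register interaction at a higher level. REPATH, similar to REFSM, finds a series of input patterns that force a logical FSM to initialize with some reset state into a state specified by the user. Finally, REFSM 2 is introduced to utilizes linear time precomputation to improve the original REFSM.},
  keywords  = {Reverse Engineering},
  pubstate  = {published},
  tppubtype = {inproceedings}
}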
2018
Meade, Travis; Shamsi, Kaveh; Le, Thao; Di, Jia; Zhang, Shaojie; Jin, Yier
The Old Frontier of Reverse Engineering: Netlist Partitioning Journal Article
In: Journal of Hardware and Systems Security, vol. 2, no. 3, pp. 201-213, 2018.
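@article{Meade2018,
  title     = {The Old Frontier of Reverse Engineering: Netlist Partitioning},
  author    = {Meade, Travis and Shamsi, Kaveh and Le, Thao and Di, Jia and Zhang, Shaojie and Jin, Yier},
  url       = {http://cadforassurance.org/wp-content/uploads/travis2018the.pdf},
  doi       = {10.1007/s41635-018-0043-4},
  year      = {2018},
  date      = {2018-09-10},
  journal   = {Journal of Hardware and Systems Security},
  volume    = {2},
  number    = {3},
  pages     = {201--213},
  abstract  = {Without access to high-level details of commercialized integrated circuits (IC), it might be impossible to find potential design flaws or limiting use cases. To assist in high-level recovery, many IC reverse engineering solutions have been proposed. This paper focuses on a hard problem facing reverse engineering researchers, that of netlist partitioning. To assist in this endeavor, we propose our own methods that focus on signal matching by analyzing fan-in trees. This analysis extends to representing signal's fan-ins numerically by their structural properties. These values go through certain common dimension reducing algorithms; clustering practices are also leveraged to assist in our proposed partitioning process. Adversely researchers have almost never agreed on the metric for evaluating such netlist partitioning methods. To keep our results unbiased, we leverage the Normalize Mutual Information (NMI) to evaluate our proposed partitioning method and compare its results with other techniques that aim to solve the same problem. Lastly, we show how our proposed methods are capable of effectively partition netlists of a larger scale than previously proposed schemes.},
  keywords  = {Reverse Engineering},
  pubstate  = {published},
  tppubtype = {article}
}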
2017
Magaña, Jonathon Crandall; Shi, Daohang; Melchert, Jackson; Davoodi, Azadeh
Are Proximity Attacks a Threat to the Security of Split Manufacturing of Integrated Circuits? Journal Article
In: IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 25, no. 12, pp. 3406-3419, 2017, ISSN: 1557-9999.
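@comment{NOTE(review): the citation key below contains a non-ASCII character. It is kept unchanged so existing \cite calls keep working, but classic BibTeX toolchains may reject it; if renamed (e.g. Magana2017Are), update every reference to it at the same time.}
@article{Magaña2017Are,
  title     = {Are Proximity Attacks a Threat to the Security of Split Manufacturing of Integrated Circuits?},
  author    = {Maga{\~n}a, Jonathon Crandall and Shi, Daohang and Melchert, Jackson and Davoodi, Azadeh},
  doi       = {10.1109/TVLSI.2017.2748018},
  issn      = {1557-9999},
  year      = {2017},
  date      = {2017-12-01},
  journal   = {IEEE Transactions on Very Large Scale Integration (VLSI) Systems},
  volume    = {25},
  number    = {12},
  pages     = {3406--3419},
  abstract  = {Split manufacturing is a technique that allows manufacturing the transistor-level and lower metal layers of an integrated circuit (IC) at a high-end, untrusted foundry, while manufacturing only the higher metal layers at a smaller, trusted foundry. Using split manufacturing is only viable if the untrusted foundry cannot reverse engineer the higher metal layer connections (and thus the overall IC design) from the lower layers. This paper studies the effectiveness of proximity attack as a key step to reverse engineer a design at the untrusted foundry. We propose and study different proximity attacks based on how a set of candidates are defined for each broken connection. The attacks use both placement and routing information along with factors which capture the router's behavior such as per-layer routing congestion. Our studies are based on designs having millions of nets routed across nine metal layers and significant layer-by-layer wire size variation. Our results show that a common, Hamming distance-based proximity attack seldom achieves a match rate over 5%. But our proposed attack yields a relatively small list of candidates which often contains the correct match. Finally, we propose a procedure to artificially insert routing blockages in a design at a desired split level, without causing any area overhead, in order to trick the router to make proximity-based reverse engineering significantly more challenging.},
  keywords  = {Reverse Engineering},
  pubstate  = {published},
  tppubtype = {article}
}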
Meade, Travis; Zhao, Zheng; Zhang, Shaojie; Pan, David Z.; Jin, Yier
Revisit Sequential Logic Obfuscation: Attacks and Defenses Proceedings Article
In: 2017 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1–4, IEEE, Baltimore, MD, USA, 2017.
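@inproceedings{Meade2017,
  title     = {Revisit Sequential Logic Obfuscation: Attacks and Defenses},
  author    = {Meade, Travis and Zhao, Zheng and Zhang, Shaojie and Pan, David Z. and Jin, Yier},
  url       = {http://cadforassurance.org/wp-content/uploads/travis2017revisit.pdf},
  doi       = {10.1109/ISCAS.2017.8050606},
  year      = {2017},
  date      = {2017-05-28},
  booktitle = {2017 IEEE International Symposium on Circuits and Systems (ISCAS)},
  pages     = {1--4},
  publisher = {IEEE},
  address   = {Baltimore, MD, USA},
  abstract  = {The urgent requests to protection integrated circuits (IC) and hardware intellectual properties (IP) have led to the development of various logic obfuscation methods. While most existing solutions focus on the combinational logic or sequential logic with full scan-chains, in this paper, we will revisit the security of sequential logic obfuscation within circuits where full scan-chains are not available or accessible. We will first introduce attack methods to compromise obfuscated sequential circuits leveraging newly developed netlist analysis tools. We will then propose systematic solutions and provide guidelines in developing resilient sequential logic obfuscation schemes.},
  keywords  = {Reverse Engineering},
  pubstate  = {published},
  tppubtype = {inproceedings}
}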
2016
Meade, Travis; Jin, Yier; Tehranipoor, Mark; Zhang, Shaojie
Gate-Level Netlist Reverse Engineering for Hardware Security: Control Logic Register Identification Proceedings Article
In: 2016 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1334-1337, IEEE, Montreal, QC, Canada, 2016.
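@inproceedings{Meade2016b,
  title     = {Gate-Level Netlist Reverse Engineering for Hardware Security: Control Logic Register Identification},
  author    = {Meade, Travis and Jin, Yier and Tehranipoor, Mark and Zhang, Shaojie},
  url       = {http://cadforassurance.org/wp-content/uploads/travis2016gate.pdf},
  doi       = {10.1109/ISCAS.2016.7527495},
  year      = {2016},
  date      = {2016-05-22},
  booktitle = {2016 IEEE International Symposium on Circuits and Systems (ISCAS)},
  pages     = {1334--1337},
  publisher = {IEEE},
  address   = {Montreal, QC, Canada},
  abstract  = {The heavy reliance on third-party resources, including third-party IP cores and fabrication foundries, has triggered the security concerns that design backdoors and/or hardware Trojans may be inserted into fabricated chips. While existing reverse engineering tools can help recover netlist from fabricated chips, there is a lack of efficient tools to further analyze the netlist for malicious logic detection and full functionality recovery. While it is relatively easy to identify the functional modules from the netlist using pattern matching methods, the main obstacle is to isolate control logic registers and reverse engineering the control logic. Upon this request, we proposed a topology-based computational method for register categorization. Through this proposed algorithm, we can differentiate data registers from control logic registers such that the control logic can be separated from the datapath. Experimental results showed that the suggested method was capable of identifying control logic registers in circuits with various complexities ranging from the RS232 core to the 8051 microprocessor.},
  keywords  = {Reverse Engineering},
  pubstate  = {published},
  tppubtype = {inproceedings}
}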
Meade, Travis; Zhang, Shaojie; Jin, Yier
Netlist Reverse Engineering for High-Level Functionality Reconstruction Proceedings Article
In: 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC), pp. 655–660, ASP-DAC, IEEE, Macau, 2016, (Best Paper Award).
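@inproceedings{Meade2016,
  title        = {Netlist Reverse Engineering for High-Level Functionality Reconstruction},
  author       = {Meade, Travis and Zhang, Shaojie and Jin, Yier},
  url          = {http://cadforassurance.org/wp-content/uploads/travis2016netlist.pdf},
  doi          = {10.1109/ASPDAC.2016.7428086},
  year         = {2016},
  date         = {2016-01-25},
  booktitle    = {2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC)},
  pages        = {655--660},
  publisher    = {IEEE},
  address      = {Macau},
  organization = {ASP-DAC},
  series       = {ASP-DAC 16},
  abstract     = {In a modern IC design flow, from specification development to chip fabrication, various security threats are emergent. Of particular concern are modifications made to third-party IP cores and commercial off-the-shelf (COTS) chips where no golden models are available for comparisons. Toward this direction, we develop a tool, named Reverse Engineering Finite State Machine (REFSM), that helps end-users reconstruct a high-level description of the control logic from a flattened netlist. We demonstrate that REFSM effectively recovers circuit control logic from netlists with varying degrees of complexity. Experimental results also showed that the developed tool can easily identify malicious logic from a flattened (or even obfuscated) netlist. If combined with chip-level reverse engineering techniques, the developed REFSM tool can help detect the insertion of hardware Trojans in fabricated circuits.},
  note         = {Best Paper Award},
  keywords     = {Reverse Engineering},
  pubstate     = {published},
  tppubtype    = {inproceedings}
}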