SMT Attack – CAD for Assurance

By: Kimia Zamiri Azar (GMU), Hadi Mardani Kamali (GMU), Houman Homayoun (UC Davis), Avesta Sasan (GMU)

Stage: RTL

Summary

SMT Attack on Boolean and Non-Boolean Obfuscation Methods

Contact

Kimia Zamiri Azar

Input/Output Interface

Input: obfuscated netlist, original netlist
Output: extracted key, de-obfuscation time

Dependencies

MonoSAT

Licensing Info

The MIT License (MIT)

Tool Link

References

Azar, Kimia Zamiri; Kamali, Hadi Mardani; Homayoun, Houman; Sasan, Avesta

SMT Attack: Next Generation Attack on Obfuscated Circuits with Capabilities and Performance Beyond the SAT Attacks Journal Article

In: IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2019, no. 1, pp. 97-122, 2018.

Abstract | Links | BibTeX

@article{Azar_Kamali_Homayoun_Sasan_2018,

title = {SMT Attack: Next Generation Attack on Obfuscated Circuits with Capabilities and Performance Beyond the SAT Attacks},

author = {Kimia Zamiri Azar and Hadi Mardani Kamali and Houman Homayoun and Avesta Sasan},

url = {https://tches.iacr.org/index.php/TCHES/article/view/7335},

doi = {10.13154/tches.v2019.i1.97-122},

year  = {2018},

date = {2018-11-01},

journal = {IACR Transactions on Cryptographic Hardware and Embedded Systems},

volume = {2019},

number = {1},

pages = {97-122},

abstract = {In this paper, we introduce the Satisfiability Modulo Theory (SMT) attack on obfuscated circuits. The proposed attack is the superset of Satisfiability (SAT) attack, with many additional features. It uses one or more theory solvers in addition to its internal SAT solver. For this reason, it is capable of modeling far more complex behaviors and could formulate much stronger attacks. In this paper, we illustrate that the use of theory solvers enables the SMT to carry attacks that are not possible by SAT formulated attacks. As an example of its capabilities, we use the SMT attack to break a recent obfuscation scheme that uses key values to alter delay properties (setup and hold time) of a circuit to remain SAT hard. Considering that the logic delay is not a Boolean logical property, the targeted obfuscation mechanism is not breakable by a SAT attack. However, in this paper, we illustrate that the proposed SMT attack, by deploying a simple graph theory solver, can model and break this obfuscation scheme in few minutes. We describe how the SMT attack could be used in one of four different attack modes: (1) We explain how SMT attack could be reduced to a SAT attack, (2) how the SMT attack could be carried out in Eager, and (3) Lazy approach, and finally (4) we introduce the Accelerated SMT (AccSMT) attack that offers significant speed-up to SAT attack. Additionally, we explain how AccSMT attack could be used as an approximate attack when facing SMT-Hard obfuscation schemes.},

keywords = {},

pubstate = {published},

tppubtype = {article}

}