NETA: Netlist Analysis Toolset

@inproceedings{10.1145/3287624.3288739,

title = {NETA: When IP Fails, Secrets Leak},

author = {Travis Meade and Jason Portillo and Shaojie Zhang and Yier Jin},

url = {http://cadforassurance.org/wp-content/uploads/travis2019neta.pdf},

doi = {10.1145/3287624.3288739},

isbn = {9781450360074},

year  = {2019},

date = {2019-01-01},

booktitle = {Proceedings of the 24th Asia and South Pacific Design Automation Conference},

pages = {90–95},

publisher = {Association for Computing Machinery},

address = {Tokyo, Japan},

series = {ASPDAC ’19},

abstract = {Assuring the quality and the trustworthiness of third party resources has been a hard problem to tackle. Researchers have shown that analyzing Integrated Circuits (IC), without the aid of golden models, is challenging. In this paper, we discuss a toolset, NETA, designed to aid IP users in assuring the confidentiality, integrity, and accessibility of their IC or third party IP core. The discussed toolset gives access to a slew of gate-level analysis tools, many of which are heuristic-based, for the purposes of extracting high-level circuit design information. NETA majorly comprises the following tools: RELIC, REBUS, REPCA, REFSM, and REPATH. The first step involved in netlist analysis falls to signal classification. RELIC uses a heuristic-based fan-in structure matcher to determine the uniqueness of each signal in the netlist. REBUS finds word-groups by leveraging the data bus in the netlist in conjunction with RELIC's signal comparison through heuristic verification of input structures. REPCA on the other hand tries to improve upon the standard brute force RELIC comparison by leveraging the data analysis technique of PCA and a sparse RELIC analysis on all signals. Given a netlist and a set of registers, REFSM reconstructs the logic which represents the behavior of a particular register set over the course of the operation of a given netlist. REFSM has been shown useful for examining register interaction at a higher level. REPATH, similar to REFSM, finds a series of input patterns that force a logical FSM to initialize with some reset state into a state specified by the user. Finally, REFSM 2 is introduced to utilizes linear time precomputation to improve the original REFSM.},

keywords = {},

pubstate = {published},

tppubtype = {inproceedings}

}

@inproceedings{Meade2017,

title = {Revisit Sequential Logic Obfuscation: Attacks and Defenses},

author = {Travis Meade and Zheng Zhao and Shaojie Zhang and David Z. Pan and Yier Jin},

url = {http://cadforassurance.org/wp-content/uploads/travis2017revisit.pdf},

doi = {10.1109/ISCAS.2017.8050606},

year  = {2017},

date = {2017-05-28},

booktitle = {2017 IEEE International Symposium on Circuits and Systems (ISCAS)},

pages = {1-4},

publisher = {IEEE},

address = {Baltimore, MD, USA },

abstract = {The urgent requests to protection integrated circuits (IC) and hardware intellectual properties (IP) have led to the development of various logic obfuscation methods. While most existing solutions focus on the combinational logic or sequential logic with full scan-chains, in this paper, we will revisit the security of sequential logic obfuscation within circuits where full scan-chains are not available or accessible. We will first introduce attack methods to compromise obfuscated sequential circuits leveraging newly developed netlist analysis tools. We will then propose systematic solutions and provide guidelines in developing resilient sequential logic obfuscation schemes.},

keywords = {},

pubstate = {published},

tppubtype = {inproceedings}

}

@inproceedings{Meade2016b,

title = {Gate-Level Netlist Reverse Engineering for Hardware Security: Control Logic Register Identification},

author = {Travis Meade and Yier Jin and Mark Tehranipoor and Shaojie Zhang},

url = {http://cadforassurance.org/wp-content/uploads/travis2016gate.pdf},

doi = {10.1109/ISCAS.2016.7527495},

year  = {2016},

date = {2016-05-22},

booktitle = {2016 IEEE International Symposium on Circuits and Systems (ISCAS)},

pages = {1334-1337},

publisher = {IEEE},

address = {Montreal, QC, Canada},

abstract = {The heavy reliance on third-party resources, including third-party IP cores and fabrication foundries, has triggered the security concerns that design backdoors and/or hardware Trojans may be inserted into fabricated chips. While existing reverse engineering tools can help recover netlist from fabricated chips, there is a lack of efficient tools to further analyze the netlist for malicious logic detection and full functionality recovery. While it is relatively easy to identify the functional modules from the netlist using pattern matching methods, the main obstacle is to isolate control logic registers and reverse engineering the control logic. Upon this request, we proposed a topology-based computational method for register categorization. Through this proposed algorithm, we can differentiate data registers from control logic registers such that the control logic can be separated from the datapath. Experimental results showed that the suggested method was capable of identifying control logic registers in circuits with various complexities ranging from the RS232 core to the 8051 microprocessor.},

keywords = {},

pubstate = {published},

tppubtype = {inproceedings}

}

@inproceedings{Meade2016,

title = {Netlist Reverse Engineering for High-Level Functionality Reconstruction},

author = {Travis Meade and Shaojie Zhang and Yier Jin},

url = {http://cadforassurance.org/wp-content/uploads/travis2016netlist.pdf},

doi = {10.1109/ASPDAC.2016.7428086},

year  = {2016},

date = {2016-01-25},

booktitle = {2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC)},

pages = {655-660},

publisher = {IEEE},

address = {Macau},

organization = {ASP-DAC },

series = {ASP-DAC 16},

abstract = {In a modern IC design flow, from specification development to chip fabrication, various security threats are emergent. Of particular concern are modifications made to third-party IP cores and commercial off-the-shelf (COTS) chips where no golden models are available for comparisons. Toward this direction, we develop a tool, named Reverse Engineering Finite State Machine (REFSM), that helps end-users reconstruct a high-level description of the control logic from a flattened netlist. We demonstrate that REFSM effectively recovers circuit control logic from netlists with varying degrees of complexity. Experimental results also showed that the developed tool can easily identify malicious logic from a flattened (or even obfuscated) netlist. If combined with chip-level reverse engineering techniques, the developed REFSM tool can help detect the insertion of hardware Trojans in fabricated circuits.},

note = {Best Paper Award},

keywords = {},

pubstate = {published},

tppubtype = {inproceedings}

}