Description
Massive outsourcing of the integrated circuit (IC) design and manufacturing processes (fabless model), as well as increased demand for commercial and custom ICs in the government and the commercial sectors, have raised reliability and security issues. Compounding the problem are the increasing complexity of IC designs and shorter Time-To-Market (TTM), which have led to the insertion of intentional (hardware Trojans, backdoors) and unintentional flaws at various levels of the IC production process. Techniques for the detection of such flaws require reverse engineering (RE) of ICs, which involves identifying the device technology used in the IC, extracting its gate-level netlist, and/or inferring its functionality. The same tools and techniques that have been developed for RE of ICs can be misused by an attacker to steal the design, identify the device technology for competitive advantage, or illegally fabricate the target IC. To achieve these objectives, an attacker will attempt to RE the design to a target level of abstraction, which varies with the attacker's objective. If the objective is to steal the design, then the target abstraction level can be the physical design level, the gate level, or the RT level, whereas if the goal is to insert malicious logic, then the target abstraction level can be either the gate level or the RT level. In the semiconductor supply chain, an RE attacker can be located in the design integration house or the foundry, or can be the end user. To help prevent such attacks, tools such as Network Flow Attack For Split Manufacturing, ObfusGEM, NETA, and Deep Learning Based Model Building Attacks on Arbiter PUF Compositions have been developed; the attack tools among them let designers measure how well a protection scheme holds up before relying on it.
Related Tools
- Functional Corruptibility-Guided SAT-Based Attack on Sequential Logic Encryption
- SATConda
- SeqL: Scan-Chain Locking and a Broad Security Evaluation
- SnapShot
- A Computationally Efficient Tensor Regression Network based Modeling Attack on XOR Arbiter PUF and its Variants
- RTL Logic Attacks
- DANA: Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering
- HAL
- DHIT: Defense of High-Speed Transceivers
- Deep Learning Based Model Building Attacks on Arbiter PUF Compositions
- Network Flow Attack For Split Manufacturing
- ObfusGEM
- NETA: Netlist Analysis Toolset
Publications
Zuzak, Michael; Srivastava, Ankur
ObfusGEM: Enhancing Processor Design Obfuscation Through Security-Aware On-Chip Memory and Data Path Design Proceedings Article
In: International Symposium on Memory Systems (MEMSYS), 2020.
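@inproceedings{Zuzak2020,
  title     = {{ObfusGEM}: Enhancing Processor Design Obfuscation Through Security-Aware On-Chip Memory and Data Path Design},
  author    = {Zuzak, Michael and Srivastava, Ankur},
  year      = {2020},
  date      = {2020-01-01},
  booktitle = {International Symposium on Memory Systems (MEMSYS)},
  keywords  = {},
  pubstate  = {published},
  tppubtype = {inproceedings}
}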
Portillo, Jason; Meade, Travis; Hacker, John; Zhang, Shaojie; Jin, Yier
RERTL: Finite State Transducer Logic Recovery at Register Transfer Level Proceedings Article
In: 2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), pp. 1-6, ASIAN-HOST IEEE, Xi'an, P.R. China, 2019.
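@inproceedings{Portillo2019,
  title        = {{RERTL}: Finite State Transducer Logic Recovery at Register Transfer Level},
  author       = {Portillo, Jason and Meade, Travis and Hacker, John and Zhang, Shaojie and Jin, Yier},
  url          = {https://ieeexplore.ieee.org/document/9006699},
  doi          = {10.1109/AsianHOST47458.2019.9006699},
  year         = {2019},
  date         = {2019-12-16},
  booktitle    = {2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)},
  pages        = {1--6},
  publisher    = {IEEE},
  address      = {Xi'an, P.R. China},
  organization = {ASIAN-HOST},
  series       = {ASIAN-HOST 19},
  abstract     = {Increasingly complex Intellectual Property (IP) design, coupled with shorter Time-To-Market (TTM), breeds flaws at various levels of the Integrated Circuit (IC) production. With access to IPs at all stages of production, design defects can easily be found and corrected, i.e., knowledge of the Register Transfer Level (RTL) code allows for the option of easy defect detection. However, third-party IPs are typically delivered as hard IPs or gate-level netlists, which complicates the defect detection process. The inaccessibility of source RTL code and the lack of RTL recovery tools make the task of finding high-level security flaws in logic intractable. Upon this request, in this paper, we present an RTL recovery tool suite named RERTL that leverages advanced graph algorithms including Lengauer-Tarjan's dominator tree and Euler tour tree technique to assist in netlist analysis. Supported by RERTL, logical states and their interactions are recovered from the initial design in the format of gate-level netlists. After the recovery of state interaction, RERTL further converts the full design into human-readable RTL. A series of netlist case studies were examined using RERTL covering benign logic structures, designs with accidental defects, and designs with deliberate backdoors. The experimental results show that all of our designs at various complexities were recoverable within seconds.},
  keywords     = {},
  pubstate     = {published},
  tppubtype    = {inproceedings}
}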
Meade, Travis; Portillo, Jason; Zhang, Shaojie; Jin, Yier
NETA: When IP Fails, Secrets Leak Proceedings Article
In: Proceedings of the 24th Asia and South Pacific Design Automation Conference, pp. 90–95, Association for Computing Machinery, Tokyo, Japan, 2019, ISBN: 9781450360074.
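@inproceedings{10.1145/3287624.3288739,
  title     = {{NETA}: When {IP} Fails, Secrets Leak},
  author    = {Meade, Travis and Portillo, Jason and Zhang, Shaojie and Jin, Yier},
  url       = {http://cadforassurance.org/wp-content/uploads/travis2019neta.pdf},
  doi       = {10.1145/3287624.3288739},
  isbn      = {9781450360074},
  year      = {2019},
  date      = {2019-01-01},
  booktitle = {Proceedings of the 24th Asia and South Pacific Design Automation Conference},
  pages     = {90--95},
  publisher = {Association for Computing Machinery},
  address   = {Tokyo, Japan},
  series    = {ASPDAC '19},
  abstract  = {Assuring the quality and the trustworthiness of third party resources has been a hard problem to tackle. Researchers have shown that analyzing Integrated Circuits (IC), without the aid of golden models, is challenging. In this paper, we discuss a toolset, NETA, designed to aid IP users in assuring the confidentiality, integrity, and accessibility of their IC or third party IP core. The discussed toolset gives access to a slew of gate-level analysis tools, many of which are heuristic-based, for the purposes of extracting high-level circuit design information. NETA majorly comprises the following tools: RELIC, REBUS, REPCA, REFSM, and REPATH. The first step involved in netlist analysis falls to signal classification. RELIC uses a heuristic-based fan-in structure matcher to determine the uniqueness of each signal in the netlist. REBUS finds word-groups by leveraging the data bus in the netlist in conjunction with RELIC's signal comparison through heuristic verification of input structures. REPCA on the other hand tries to improve upon the standard brute force RELIC comparison by leveraging the data analysis technique of PCA and a sparse RELIC analysis on all signals. Given a netlist and a set of registers, REFSM reconstructs the logic which represents the behavior of a particular register set over the course of the operation of a given netlist. REFSM has been shown useful for examining register interaction at a higher level. REPATH, similar to REFSM, finds a series of input patterns that force a logical FSM to initialize with some reset state into a state specified by the user. Finally, REFSM 2 is introduced to utilizes linear time precomputation to improve the original REFSM.},
  keywords  = {},
  pubstate  = {published},
  tppubtype = {inproceedings}
}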
Facon, Adrien; Guilley, Sylvain; Lec'hvien, Matthieu; Marion, Damien; Perianin, Thomas
Binary Data Analysis for Source Code Leakage Assessment Proceedings Article
In: Innovative Security Solutions for Information Technology and Communications, pp. 391–409, Springer International Publishing, Cham, 2019, ISBN: 978-3-030-12942-2.
@inproceedings{10.1007/978-3-030-12942-2_30,
  author    = {Facon, Adrien and Guilley, Sylvain and Lec'hvien, Matthieu and Marion, Damien and Perianin, Thomas},
  title     = {Binary Data Analysis for Source Code Leakage Assessment},
  booktitle = {Innovative Security Solutions for Information Technology and Communications},
  pages     = {391--409},
  publisher = {Springer International Publishing},
  address   = {Cham},
  year      = {2019},
  date      = {2019-01-01},
  doi       = {10.1007/978-3-030-12942-2_30},
  isbn      = {978-3-030-12942-2},
  abstract  = {Side Channel Analysis (SCA) is known to be a serious threat for cryptographic algorithms since twenty years. Recently, the explosion of the Internet of Things (IoT) has increased the number of devices that can be targeted by these attacks, making this threat more relevant than ever. Furthermore, the evaluations of cryptographic algorithms regarding SCA are usually performed at the very end of a product design cycle, impacting considerably the time-to-market in case of security flaws. Hence, early simulations of embedded software and methodologies have been developed to assess vulnerabilities with respect to SCA for specific hardware architectures. Aiming to provide an agnostic evaluation method, we propose in this paper a new methodology of data collection and analysis to reveal leakage of sensitive information from any software implementation. As an illustration our solution is used interestingly to break a White Box Cryptography (WBC) implementation, challenging existing simulation-based attacks.},
  keywords  = {},
  pubstate  = {published},
  tppubtype = {inproceedings}
}
Souissi, Youssef; Facon, Adrien; Guilley, Sylvain
Virtual Security Evaluation Proceedings Article
In: Carlet, Claude; Guilley, Sylvain; Nitaj, Abderrahmane; Souidi, El Mamoun (Ed.): Codes, Cryptology and Information Security, pp. 3–12, Springer International Publishing, Cham, 2019, ISBN: 978-3-030-16458-4.
@inproceedings{Souissi2019Virtual,
  author    = {Souissi, Youssef and Facon, Adrien and Guilley, Sylvain},
  title     = {Virtual Security Evaluation},
  editor    = {Carlet, Claude and Guilley, Sylvain and Nitaj, Abderrahmane and Souidi, El Mamoun},
  booktitle = {Codes, Cryptology and Information Security},
  pages     = {3--12},
  publisher = {Springer International Publishing},
  address   = {Cham},
  year      = {2019},
  date      = {2019-01-01},
  doi       = {10.1007/978-3-030-16458-4_1},
  isbn      = {978-3-030-16458-4},
  abstract  = {``An ounce of prevention is worth a pound of cure''. This paper presents a methodology to detect side-channel leakage at source-code level. It leverages simple tests performed on noise-less traces of execution, and returns to the developer accurate information about the security issues. The feedback is in terms of location (where in code, when in time), in terms of security severity (amount and duration of leakage), and most importantly, in terms of possible reason for the leakage. After the source code (and subsequently the compiled code) has been sanitized, attack attempts complement the methodology to test the implementation against realistic exploitations. This last steps allows to validate whether the tolerated leakages during the sanitizing stage are indeed benign.},
  keywords  = {},
  pubstate  = {published},
  tppubtype = {inproceedings}
}
Meade, Travis; Shamsi, Kaveh; Le, Thao; Di, Jia; Zhang, Shaojie; Jin, Yier
The Old Frontier of Reverse Engineering: Netlist Partitioning Journal Article
In: Journal of Hardware and Systems Security, vol. 2, no. 3, pp. 201-213, 2018.
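@article{Meade2018,
  title     = {The Old Frontier of Reverse Engineering: Netlist Partitioning},
  author    = {Meade, Travis and Shamsi, Kaveh and Le, Thao and Di, Jia and Zhang, Shaojie and Jin, Yier},
  url       = {http://cadforassurance.org/wp-content/uploads/travis2018the.pdf},
  doi       = {10.1007/s41635-018-0043-4},
  year      = {2018},
  date      = {2018-09-10},
  journal   = {Journal of Hardware and Systems Security},
  volume    = {2},
  number    = {3},
  pages     = {201--213},
  abstract  = {Without access to high-level details of commercialized integrated circuits (IC), it might be impossible to find potential design flaws or limiting use cases. To assist in high-level recovery, many IC reverse engineering solutions have been proposed. This paper focuses on a hard problem facing reverse engineering researchers, that of netlist partitioning. To assist in this endeavor, we propose our own methods that focus on signal matching by analyzing fan-in trees. This analysis extends to representing signal's fan-ins numerically by their structural properties. These values go through certain common dimension reducing algorithms; clustering practices are also leveraged to assist in our proposed partitioning process. Adversely researchers have almost never agreed on the metric for evaluating such netlist partitioning methods. To keep our results unbiased, we leverage the Normalize Mutual Information (NMI) to evaluate our proposed partitioning method and compare its results with other techniques that aim to solve the same problem. Lastly, we show how our proposed methods are capable of effectively partition netlists of a larger scale than previously proposed schemes.},
  keywords  = {},
  pubstate  = {published},
  tppubtype = {article}
}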
Mathieu, Brandon L.; McCue, Jamin J.; Duncan, Lucas; Dupaix, Brian; Lavasani, Hossein Miri; Khalil, Waleed
A Capacitively Coupled, Pseudo Return-to-Zero Input, Latched-Bias Data Receiver Journal Article
In: IEEE Journal of Solid-State Circuits, vol. 53, no. 9, pp. 2500-2511, 2018, ISSN: 1558-173X.
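@article{mathieu2018cap,
  title     = {A Capacitively Coupled, Pseudo Return-to-Zero Input, Latched-Bias Data Receiver},
  author    = {Mathieu, Brandon L. and McCue, Jamin J. and Duncan, Lucas and Dupaix, Brian and Lavasani, Hossein Miri and Khalil, Waleed},
  doi       = {10.1109/JSSC.2018.2859390},
  issn      = {1558-173X},
  year      = {2018},
  date      = {2018-09-01},
  journal   = {IEEE Journal of Solid-State Circuits},
  volume    = {53},
  number    = {9},
  pages     = {2500--2511},
  abstract  = {A power and area efficient, capacitively coupled receiver for short links is presented. The proposed architecture enables a wide input common-mode range by utilizing on-chip ac-coupling capacitors, which avoids the use of large, off-chip capacitors or slow, rail-to-rail input stages. The small coupling capacitance and bias switches generate a pseudo return-to-zero pulse that is latched into the receiver via digital feedback. This input latching reduces the effects of baseline wander caused by unbalanced data streams without the need for encoding or scrambling. In addition, the full-scale digital feedback is used as the receiver output, enabling direct interface with standard digital cells. The architecture is implemented in a 130-nm SiGe BiCMOS and 45-nm CMOS silicon-on-insulator (SOI) technology. The 130-nm SiGe BiCMOS design achieves a peak data rate of 10 Gb/s at 5.1 mW, while a peak efficiency of 0.46 mW/Gb/s is recorded at 8 Gb/s. The 45-nm CMOS SOI design achieves a peak data rate of 30 Gb/s at 12.02 mW, with a peak efficiency of 0.24 mW/Gb/s at 25 Gb/s. Both the SiGe BiCMOS and CMOS SOI designs exhibit BERs of $<10^{-12}$ with PRBS15 data as small as 100 mV and occupy 0.012 and 0.007 mm$^2$, respectively, including the on-chip coupling capacitance.},
  keywords  = {},
  pubstate  = {published},
  tppubtype = {article}
}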
Takarabt, Sofiane; Chibani, Kais; Facon, Adrien; Guilley, Sylvain; Mathieu, Yves; Sauvage, Laurent; Souissi, Youssef
Pre-silicon Embedded System Evaluation as New EDA Tool for Security Verification Proceedings Article
In: 2018 IEEE 3rd International Verification and Security Workshop (IVSW), pp. 74-79, 2018.
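@inproceedings{8494881,
  title     = {Pre-silicon Embedded System Evaluation as New {EDA} Tool for Security Verification},
  author    = {Takarabt, Sofiane and Chibani, Kais and Facon, Adrien and Guilley, Sylvain and Mathieu, Yves and Sauvage, Laurent and Souissi, Youssef},
  doi       = {10.1109/IVSW.2018.8494881},
  year      = {2018},
  date      = {2018-07-01},
  booktitle = {2018 IEEE 3rd International Verification and Security Workshop (IVSW)},
  pages     = {74--79},
  abstract  = {The security evaluation of embedded systems becomes clear and mandatory. Up today, the evaluation process is limited to certification labs that conduct the analysis on real target devices. This requires appropriate measurement platforms and equipment in addition to real chip analysis skills. In this paper, we put forward a pre-silicon evaluation methodology and tools that allow the security verification at an early stage (virtual target) and running it hands in hands with the functional verification. As of today, such approach can be used as new Electronic Design Automation (EDA) tool to properly satisfy the basics of Design for Security (DFS) concept. From a practical viewpoint, we show a study case to illustrate and provide a better understanding of that approach. Moreover, we propose new evaluation metrics based on Signal to Noise Ratio (SNR) computation, and verified on virtual and real targets respectively based on a comparative study. Likewise, the tool identifies vulnerabilites (thereby anticipating complete families of otherwise numerous, complex and many undiscovered attacks), and returns accurate feedack to the user on the precise line of code (LoC) where the vulnerability lays along with its characterization, including an identification of its severity. This allows the design to input source code to the tool, and to get back in return annotated source code with a collection of LoCs which deserve careful analysis and/or subsequent modification aiming at patching vulnerabilities.},
  keywords  = {},
  pubstate  = {published},
  tppubtype = {inproceedings}
}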
Wang, Yujie; Chen, Pu; Hu, Jiang; Li, Guofeng; Rajendran, Jeyavijayan
The Cat and Mouse in Split Manufacturing Journal Article
In: IEEE Transactions on Very Large Scale Integration (VLSI) Systems, vol. 26, no. 5, pp. 805-817, 2018, ISSN: 1557-9999.
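@article{8259507,
  title     = {The Cat and Mouse in Split Manufacturing},
  author    = {Wang, Yujie and Chen, Pu and Hu, Jiang and Li, Guofeng and Rajendran, Jeyavijayan},
  url       = {https://ieeexplore.ieee.org/document/8259507},
  doi       = {10.1109/TVLSI.2017.2787754},
  issn      = {1557-9999},
  year      = {2018},
  date      = {2018-05-01},
  journal   = {IEEE Transactions on Very Large Scale Integration (VLSI) Systems},
  volume    = {26},
  number    = {5},
  pages     = {805--817},
  abstract  = {Split manufacturing of integrated circuits eliminates vulnerabilities introduced by an untrusted foundry by manufacturing only a part of the target design at an untrusted high-end foundry and the remaining part at a trusted low-end foundry. Most researchers have focused on attack and defenses for hierarchical designs and/or use a relatively high-end trusted foundry, leading to high cost. We propose an attack and defense for split manufacturing for flattened designs. Our attack uses a network-flow model and outperforms previous attacks. We also develop two defense techniques using placement perturbation-one using physical design information and the other using logical information-while considering overhead. The effectiveness of our techniques is demonstrated on benchmark circuits.},
  keywords  = {},
  pubstate  = {published},
  tppubtype = {article}
}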
Meade, Travis; Zhao, Zheng; Zhang, Shaojie; Pan, David Z.; Jin, Yier
Revisit Sequential Logic Obfuscation: Attacks and Defenses Proceedings Article
In: 2017 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1-4, IEEE, Baltimore, MD, USA, 2017.
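@inproceedings{Meade2017,
  title     = {Revisit Sequential Logic Obfuscation: Attacks and Defenses},
  author    = {Meade, Travis and Zhao, Zheng and Zhang, Shaojie and Pan, David Z. and Jin, Yier},
  url       = {http://cadforassurance.org/wp-content/uploads/travis2017revisit.pdf},
  doi       = {10.1109/ISCAS.2017.8050606},
  year      = {2017},
  date      = {2017-05-28},
  booktitle = {2017 IEEE International Symposium on Circuits and Systems (ISCAS)},
  pages     = {1--4},
  publisher = {IEEE},
  address   = {Baltimore, MD, USA},
  abstract  = {The urgent requests to protection integrated circuits (IC) and hardware intellectual properties (IP) have led to the development of various logic obfuscation methods. While most existing solutions focus on the combinational logic or sequential logic with full scan-chains, in this paper, we will revisit the security of sequential logic obfuscation within circuits where full scan-chains are not available or accessible. We will first introduce attack methods to compromise obfuscated sequential circuits leveraging newly developed netlist analysis tools. We will then propose systematic solutions and provide guidelines in developing resilient sequential logic obfuscation schemes.},
  keywords  = {},
  pubstate  = {published},
  tppubtype = {inproceedings}
}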
Meade, Travis; Jin, Yier; Tehranipoor, Mark; Zhang, Shaojie
Gate-Level Netlist Reverse Engineering for Hardware Security: Control Logic Register Identification Proceedings Article
In: 2016 IEEE International Symposium on Circuits and Systems (ISCAS), pp. 1334-1337, IEEE, Montreal, QC, Canada, 2016.
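@inproceedings{Meade2016b,
  title     = {Gate-Level Netlist Reverse Engineering for Hardware Security: Control Logic Register Identification},
  author    = {Meade, Travis and Jin, Yier and Tehranipoor, Mark and Zhang, Shaojie},
  url       = {http://cadforassurance.org/wp-content/uploads/travis2016gate.pdf},
  doi       = {10.1109/ISCAS.2016.7527495},
  year      = {2016},
  date      = {2016-05-22},
  booktitle = {2016 IEEE International Symposium on Circuits and Systems (ISCAS)},
  pages     = {1334--1337},
  publisher = {IEEE},
  address   = {Montreal, QC, Canada},
  abstract  = {The heavy reliance on third-party resources, including third-party IP cores and fabrication foundries, has triggered the security concerns that design backdoors and/or hardware Trojans may be inserted into fabricated chips. While existing reverse engineering tools can help recover netlist from fabricated chips, there is a lack of efficient tools to further analyze the netlist for malicious logic detection and full functionality recovery. While it is relatively easy to identify the functional modules from the netlist using pattern matching methods, the main obstacle is to isolate control logic registers and reverse engineering the control logic. Upon this request, we proposed a topology-based computational method for register categorization. Through this proposed algorithm, we can differentiate data registers from control logic registers such that the control logic can be separated from the datapath. Experimental results showed that the suggested method was capable of identifying control logic registers in circuits with various complexities ranging from the RS232 core to the 8051 microprocessor.},
  keywords  = {},
  pubstate  = {published},
  tppubtype = {inproceedings}
}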
Meade, Travis; Zhang, Shaojie; Jin, Yier
Netlist Reverse Engineering for High-Level Functionality Reconstruction Proceedings Article
In: 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC), pp. 655-660, ASP-DAC IEEE, Macau, 2016, (Best Paper Award).
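@inproceedings{Meade2016,
  title        = {Netlist Reverse Engineering for High-Level Functionality Reconstruction},
  author       = {Meade, Travis and Zhang, Shaojie and Jin, Yier},
  url          = {http://cadforassurance.org/wp-content/uploads/travis2016netlist.pdf},
  doi          = {10.1109/ASPDAC.2016.7428086},
  year         = {2016},
  date         = {2016-01-25},
  booktitle    = {2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC)},
  pages        = {655--660},
  publisher    = {IEEE},
  address      = {Macau},
  organization = {ASP-DAC},
  series       = {ASP-DAC 16},
  abstract     = {In a modern IC design flow, from specification development to chip fabrication, various security threats are emergent. Of particular concern are modifications made to third-party IP cores and commercial off-the-shelf (COTS) chips where no golden models are available for comparisons. Toward this direction, we develop a tool, named Reverse Engineering Finite State Machine (REFSM), that helps end-users reconstruct a high-level description of the control logic from a flattened netlist. We demonstrate that REFSM effectively recovers circuit control logic from netlists with varying degrees of complexity. Experimental results also showed that the developed tool can easily identify malicious logic from a flattened (or even obfuscated) netlist. If combined with chip-level reverse engineering techniques, the developed REFSM tool can help detect the insertion of hardware Trojans in fabricated circuits.},
  note         = {Best Paper Award},
  keywords     = {},
  pubstate     = {published},
  tppubtype    = {inproceedings}
}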