Experiment 14
Hardware Obfuscation

We describe an experiment to implement different Hardware Obfuscation techniques for securing hardware intellectual properties (IPs) against piracy and tampering attacks.
Case Study

The goal of this experiment is to learn the implementation and strength of two major types of hardware obfuscation.

In the semiconductor industry, the system-on-chip designers used to have fabrication facility inside their company. But as the feature size of transistor is shrinking, the establishment and maintenance cost of such facility are so high that it is no longer feasible to have them inside each company. Rather, large fabrication facilities like TSMC fabricates chip from many fabless design houses.

In present day, with the adoption of horizontal business model, the chip integrator acquires third party intellectual property (IP) from around the world. This IP refers to a reusable unit of logic, cell, or chip layout design that is either licensed to another party or owned and used solely by a single party. Then the integrated design is sent to offshore DFT (design for test) insertion facility. The complete and verified design is sent to offshore fabrication facilities to production. The foundry also performs post silicon manufacturing test before slicing off the die. Then the tested chips are sent to another offshore facility for assembly. After assembly and testing, the final production reached the distribution network. The design houses have no authority over the facilities than the contract agreement.

Along this flow, the chip designs, both from the third-party vendor and from the system-on-chip designer, are vulnerable for piracy. IP can be sold in unauthorized manner, used in more instances than paid for, modified to contain malicious circuitry like hardware Trojans. The attacker, who can be a rogue employee in the facilities, can use reverse engineering to retrieve higher level design, and use that design in their chip claiming the design their own. For these reasons, the need for hiding the design or locking the functionality of chip is necessary. If the attackers are unable to extract the correct functionality of the chip, or cannot unlock the chip to function properly, they cannot perform the mentioned attacks.

![Figure 1: Threats in semiconductor supply chain](image)
# Theory Background

Hardware obfuscation is the method of hiding or locking the correct functionality of a chip, to protect the IP from various threats in supply chain.

## 1. Hardware Obfuscation

Hardware obfuscation is a method to hide the logic in a circuit design. By definition, obfuscation is the technique of obscuring or hiding the true meaning of a message or the functionality of a product, in order to protect the intellectual property inherent in the product.

The objective of hardware obfuscation is to have a functionally equivalent but structurally different design. The design is modified in a way that it implements different logic functions and it is not possible to retrieve the correct logic equation by reverse engineering. A locking mechanism must be incorporated which ensures the design becomes functionally equivalent upon correct unlocking process.

### 1.1 Combinational Obfuscation

The obfuscation that modifies only the combinational logic of a design is defined as combinational obfuscation. The most common method to do this type of obfuscation is inserting additional XOR/XNOR gates in the circuit. One input to these gates are connected to primary inputs, commonly termed as key inputs. From the truth table of XOR gate, we can see, when the key input is ‘0’, \(Y = X\) and when key input is ‘1’, \(Y = \neg X\). The opposite happens in XNOR gate. This can work as a lock, where the ‘key’ is the correct combination in key input.

Other techniques of combinational obfuscation include inserting 2X1 MUX gates or look-up-tables as locks, using reprogrammable logic to hide portion of logic, scrambling the data-paths etc.

### 1.2 Sequential Obfuscation

Practical ICs contain memory components like flip-flops, registers, latches. These memory elements constitute sequential circuit, in which logic at some certain point depends on the previous logic states. Memory elements along with combinational logic forms finite

---

<table>
<thead>
<tr>
<th>Table 1: Truth table of XOR/XNOR Gate</th>
</tr>
</thead>
<tbody>
<tr>
<td>Key Input</td>
</tr>
<tr>
<td>0</td>
</tr>
<tr>
<td>0</td>
</tr>
<tr>
<td>1</td>
</tr>
<tr>
<td>1</td>
</tr>
</tbody>
</table>

---

![Figure 2: Combinational Obfuscation](image-url)
state machines (FSM). In a state machine, the next state is determined by present state and inputs to the state machine.

The state machine of an IC can be obfuscated to lock the design. In regular state machine design, usually not all possible state is in operation. There are often states that are never occurs, or not reachable. These states can be used to introduce additional locking mechanism into the design. Another way to obfuscate state machine is hiding the startup state. One can add an extra state machine before the actual state machine which will make the access to the initial state of the original state reachable for only a specific input sequence.

For example, in Figure 3, The original FSM (blue) has startup state $S_0^N$. Without obfuscation, this the state the FSM starts with. The obfuscation FSM (green) is an additional FSM on the left which modified the startup state for the entire design to be $S_0^O$. Only if someone provide input in pattern $P_1^O \rightarrow P_2^O \rightarrow P_3^O$, he or she can reach the original startup state $S_0^N$. Once this state is reached, the FSM works as desired, or can be said ‘unlocked’. Any other input sequence will render the FSM unusable as the original startup state cannot be reach.

An interesting modification of the obfuscation FSM is inserting blackhole state. A blackhole state is a state from which there is no exit path. Once a circuit reaches this state, it is stuck at that state forever until restarted. An example of this can be found in Figure 4. Blackhole states are effective for thwarting retries.
Experiment Set-up: Configuration

The hardware and software needed for this experiment include:

1. The HaHa Board and Altera USB blaster.
2. A computer.

Knowledge Requirement:

1. Verilog HDL
   a. Netlist
   b. Testbench

For your convenience, example of simple Verilog netlist and testbench is attached in the appendix section.
Instructions and Questions

In this experiment, you will perform obfuscation on circuits and observe how brute force attack can break obfuscation.

PART I Combinational Obfuscation
You are given a small benchmark file c499. You need to perform 16-bit combinational obfuscation on it and then verify the obfuscation with testbench.

1. All gates should be XOR/XNOR gates. The unlocking key should be the one assigned to your group in Table 2. The key input should be named as keyinput0, keyinput1, ..., keyinput15. Do NOT make a vector of the key inputs. Submit the Verilog file with report.
2. Write a testbench to test 10 random keys (each 16-bit) and the expected key. Choose 10 input patterns for each of the keys in the testbench (Use loops and $random). Submit the testbench with report.
3. Run simulation with testbench and take screenshots for one wrong key and the right key. Submit the screenshots in report.

For Input I, Output \( O_w = f(I, \text{Key}_\text{wrong}) \) and \( O_r = f(I, \text{Key}_\text{right}) \), then \( O_w \neq O_r \)
The screenshot(s) should reflect this. You get to choose this arbitrary input.

PART II Sequential Obfuscation
You are given a small FSM design. The original state machine of this design is shown in Figure 4. You need to modify the FSM to have obfuscation FSM in the startup as presented in Figure 5. The input sequence for unlocking the FSM is unique for each group. Please follow Table 2 for your designated unlocking key.

1. Design an obfuscation FSM with four states. Refer to Table 2 for the unlocking key \( P_1^0\rightarrow P_2^0\rightarrow P_3^0\rightarrow P_4^0\rightarrow P_5^0 \) specific for your group. Submit the modified Verilog file with report.
2. Write a testbench with
   a. wrong key \( \sim P_1^0 \rightarrow \sim P_2^0 \rightarrow \sim P_3^0 \rightarrow \sim P_4^0 \rightarrow \sim P_5^0 \)
   b. wrong key \( P_1^0 \rightarrow \sim P_2^0 \rightarrow \sim P_3^0 \rightarrow \sim P_4^0 \rightarrow \sim P_5^0 \)
   c. wrong key \( P_1^0 \rightarrow P_2^0 \rightarrow P_3^0 \rightarrow P_4^0 \rightarrow \sim P_5^0 \)
   d. and right key \( P_1^0 \rightarrow P_2^0 \rightarrow P_3^0 \rightarrow P_4^0 \rightarrow P_5^0 \).

Submit the testbench with report.
3. Run simulation. Display state registers so that blackhole state for wrong key can be viewed. At one run, you might want to comment out three other patterns and go with one unlocking state transition pattern. Because once you enter Blackhole state, there is no coming back to start-up state. So, for four patterns (three wrong, one right), you should have 4 screenshots. Submit the screenshots of simulation window in report.

![Diagram of Original and Obfuscation FSM for Part III](image.png)

**Figure 5: Original and obfuscation FSM for Part III**

**Table 2: Required unlocking keys for each group**

<table>
<thead>
<tr>
<th>Group No.</th>
<th>PART II Key</th>
<th>PART III Key</th>
</tr>
</thead>
<tbody>
<tr>
<td>1</td>
<td>16'b011101110100100101</td>
<td>5'b10001</td>
</tr>
<tr>
<td>2</td>
<td>16'b011110101111110</td>
<td>5'b11110</td>
</tr>
<tr>
<td>3</td>
<td>16'b1111111101011110</td>
<td>5'b01101</td>
</tr>
<tr>
<td>4</td>
<td>16'b000110111010101</td>
<td>5'b11110</td>
</tr>
<tr>
<td>5</td>
<td>16'b1011111110100100</td>
<td>5'b01110</td>
</tr>
<tr>
<td>6</td>
<td>16'b11111011100100110</td>
<td>5'b01011</td>
</tr>
<tr>
<td>7</td>
<td>16'b0100001011010101</td>
<td>5'b10011</td>
</tr>
<tr>
<td>8</td>
<td>16'b1110000010100111</td>
<td>5'b01001</td>
</tr>
<tr>
<td>9</td>
<td>16'b0000011001111010</td>
<td>5'b00011</td>
</tr>
<tr>
<td>10</td>
<td>16'b101001100010100</td>
<td>5'b11010</td>
</tr>
<tr>
<td>11</td>
<td>16'b0010001010010010</td>
<td>5'b00110</td>
</tr>
<tr>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>---</td>
<td>---</td>
<td>---</td>
</tr>
<tr>
<td>12</td>
<td>16'b0010100001101110</td>
<td>5'b11001</td>
</tr>
<tr>
<td>13</td>
<td>16'b1100100001000101</td>
<td>5'b10110</td>
</tr>
<tr>
<td>14</td>
<td>16'b1000100010010100</td>
<td>5'b00101</td>
</tr>
<tr>
<td>15</td>
<td>16'b1000100110101100</td>
<td>5'b10100</td>
</tr>
</tbody>
</table>
Lab Report Guidelines

Deliverables:

1. For part I:
   a. Obfuscated Verilog file
   b. Testbench
   c. Screenshot(s) showing simulation displaying $I, O_w, Key_{wrong}$ and $I, O_r, Key_{right}$ for same input pattern $I$.

2. For part II:
   a. Obfuscated Verilog file
   b. Testbench containing three wrong key and the right key
   c. Screenshots of simulation.
References and Further Reading

Appendix

A. Verilog Netlist Example:

```verilog
module c17 (N1, N2, N3, N6, N7, N22, N23);

    input N1, N2, N3, N6, N7;
    output N22, N23;

    wire N10, N11, N16, N19;

    nand NAND2_1 (N10, N1, N3);
    nand NAND2_2 (N11, N3, N6);
    nand NAND2_3 (N16, N2, N11);
    nand NAND2_4 (N19, N11, N7);
    nand NAND2_5 (N22, N10, N16);
    nand NAND2_6 (N23, N16, N19);

endmodule
```

B. Verilog Testbench Example:

```verilog
module tb_c432;

    integer i;

    reg [0:35] in ; // Inputs
    wire [0:6] out ; // Outputs

    c432 uut ( //

initial
    begin
        $fopen("tb_c432_comp_random.txt", "w+b");
        $fwrite(f, /* Result of testbench */ "\n");
        #50
        repeat(10) begin
            in = $random;
            #50
            $fwrite(f, $time, " : input = %d, output = %d \n ", in, out);
        end
    end

$fclose(f);
endmodule
```