Travis Meade

Provably secure camouflaging strategy for IC protection

The advancing of reverse engineering techniques has complicated the efforts in intellectual property protection. Proactive methods have been developed recently, among which layout-level IC camouflaging is the leading example. However, existing camouflaging methods are rarely supported by provably secure criteria, which further leads to over-estimation of the security level when countering the latest de-camouflaging attacks, e.g., the SAT-based attack. In this paper, a quantitative security criterion is proposed for de-camouflaging complexity measurements and formally analyzed through the demonstration of the equivalence between the existing de-camouflaging strategy and the active learning scheme. Supported by the new security criterion, two novel camouflaging techniques are proposed, the low-overhead camouflaging cell library and the AND-tree structure, to help achieve exponentially increasing security levels at the cost of linearly increasing performance overhead on the circuit under protection. A provably secure camouflaging framework is then developed by combining these two techniques. Experimental results using the security criterion show that the camouflaged circuits with the proposed framework are of high resilience against the SAT-based attack with negligible performance overhead.

AppSAT: Approximately deobfuscating integrated circuits

In todays diversified semiconductor supply-chain, protecting intellectual property (IP) and maintaining manufacturing integrity are important concerns. Circuit obfuscation techniques such as logic encryption and IC camouflaging can potentially defend against a majority of supply-chain threats such as stealthy malicious design modification, IP theft, overproduction, and cloning. Recently, a Boolean Satisfiability (SAT) based attack, namely the SAT attack has been able to deobfuscate almost all traditional circuit obfuscation schemes, and as a result, a number of defense solutions have been proposed in literature. All these defenses are based on the implicit assumption that the attacker needs a perfect deobfuscation accuracy which may not be true in many practical cases. Therefore, in this paper by relaxing the exactness constraint on deobfuscation, we propose the AppSAT attack, an approximate deobfuscation algorithm based on the SAT attack and random testing. We show how the AppSAT attack can deobfuscate 68 out of the 71 benchmark circuits that were obfuscated with state-of-the-art SAT attack defenses with an accuracy of, n being the number of inputs. AppSAT shows that with current SAT attack defenses there will be a trade-off between exact-attack resiliency and approximation resiliency.

Netlist reverse engineering for high-level functionality reconstruction

In a modern IC design flow, from specification development to chip fabrication, various security threats are emergent. Of particular concern are modifications made to third-party IP cores and commercial off-the-shelf (COTS) chips where no golden models are available for comparisons. Toward this direction, we develop a tool, named Reverse Engineering Finite State Machine (REFSM), that helps end-users reconstruct a high-level description of the control logic from a flattened netlist. We demonstrate that REFSM effectively recovers circuit control logic from netlists with varying degrees of complexity. Experimental results also showed that the developed tool can easily identify malicious logic from a flattened (or even obfuscated) netlist. If combined with chip level reverse engineering techniques, the developed REFSM tool can help detect the insertion of hardware Trojans in fabricated circuits.

Gate-level netlist reverse engineering for hardware security: Control logic register identification

The heavy reliance on third-party resources, including third-party IP cores and fabrication foundries, has triggered the security concerns that design backdoors and/or hardware Trojans may be inserted into fabricated chips. While existing reverse engineering tools can help recover netlist from fabricated chips, there is a lack of efficient tools to further analyze the netlist for malicious logic detection and full functionality recovery. While it is relatively easy to identify the functional modules from the netlist using pattern matching methods, the main obstacle is to isolate control logic registers and reverseengineering the control logic. Upon this request, we proposed a topology-based computational method for register categorization. Through this proposed algorithm, we can differentiate data registers from control logic registers such that the control logic can be separated from the datapath. Experimental results showed that the suggested method was capable of identifying control logic registers in circuits with various complexities ranging from the RS232 core to the 8051 microprocessor.

IP protection through gate-level netlist security enhancement

Abstract In modern Integrated Circuits (IC) design flow, from specification to chip fabrication, various security threats are emergent. These range from malicious modifications in the design, to the Electronic Design Automation (EDA) tools, during layout or fabrication, or to the packaging. Of particular concern are modifications made to third-party IP cores and commercial off-the-shelf (COTS) chips where no Register Transfer Level (RTL) code or golden models are available. While chip level reverse engineering techniques can help rebuild circuit gate-level netlist from fabricated chips, there still lacks a netlist reverse engineering tool which can recover the full functionality of the rebuilt netlist. Toward this direction, we develop a tool, named Reverse Engineering Finite State Machine (REFSM), that helps end-users reconstruct a high-level description of the control logic from a flattened netlist. We demonstrate that REFSM effectively recovers circuit control logic from netlists with varying degrees of complexity. Experimental results also show that the REFSM can easily identify malicious logic from a flattened (or even obfuscated) netlist. Supported by REFSM, another tool, called Reverse Engineering Hardware Obfuscation for Protection (REHOP), is developed to enhance gate-level netlist security without learning the RTL code.

Provably Secure Camouflaging Strategy for IC Protection

The advancing of reverse engineering techniques has complicated the efforts in intellectual property protection. Proactive methods have been developed recently, among which layout-level integrated circuit camouflaging is the leading example. However, existing camouflaging methods are rarely supported by provably secure criteria, which further leads to an over-estimation of the security level when countering latest de-camouflaging attacks, e.g., the SAT-based attack. In this paper, a quantitative security criterion is proposed for de-camouflaging complexity measurements and formally analyzed through the demonstration of the equivalence between the existing de-camouflaging strategy and the active learning scheme. Supported by the new security criterion, two camouflaging techniques are proposed, including the low-overhead camouflaging cell generation strategy and the AND-tree camouflaging strategy, to help achieve exponentially increasing security levels at the cost of linearly increasing performance overhead on the circuit under protection. A provably secure camouflaging framework is then developed combining these two techniques. The experimental results using the security criterion show that camouflaged circuits with the proposed framework are of high resilience against different attack schemes with only negligible performance overhead.

The Old Frontier of Reverse Engineering: Netlist Partitioning

Without access to high-level details of commercialized integrated circuits (IC), it might be impossible to find potential design flaws or limiting use cases. To assist in high-level recovery, many IC reverse engineering solutions have been proposed. This paper focuses on a hard problem facing reverse engineering researchers, that of netlist partitioning. To assist in this endeavor, we propose our own methods that focus on signal matching by analyzing fan-in trees. This analysis extends to representing signal’s fan-ins numerically by their structural properties. These values go through certain common dimension reducing algorithms; clustering practices are also leveraged to assist in our proposed partitioning process. Adversely researchers have almost never agreed on the metric for evaluating such netlist partitioning methods. To keep our results unbiased, we leverage the Normalize Mutual Information (NMI) to evaluate our proposed partitioning method and compare its results with other techniques that aim to solve the same problem. Lastly, we show how our proposed methods are capable of effectively partition netlists of larger scale than previously proposed schemes.

SoC interconnection protection through formal verification

Abstract The wide adoption of third-party hardware Intellectual Property (IP) cores including those from untrusted vendors have raised security concerns for system designers and end-users. Existing approaches to ensure the trustworthiness of individual IPs rarely consider the entire SoC design, especially the IP interactions through SoC bus. These methods can hardly identify malicious logic (or design flaws) distributed in multiple IPs whereas individual IPs fulfill security properties and can pass the security testing/verification. One possible solution is to treat the SoC as one IP core and try to verify security properties of the entire design. This method, however, suffers from scalability issues due to the large size of SoC designs with multiple IP cores integrated. In this paper, we present a scalable SoC bus verification framework trying to verify the security properties of SoC bus implementation where the bus protocol plays the role of the golden reference. More specifically, finite state machine (FSM) models will be constructed from the bus implementation and the trustworthiness will be verified based on the property set derived from the bus protocol and potential security threats. Along with IP level formal verification solutions, the proposed framework can help ensure the security of large-scale SoCs. Experimental results on ARM AMBA Bus demonstrate that our approach is applicable and scalable to prevent information leakage and denial-of-service (DoS) attack by verifying security properties.

Revisit sequential logic obfuscation: Attacks and defenses

The urgent requests to protection integrated circuits (IC) and hardware intellectual properties (IP) have led to the development of various logic obfuscation methods. While most existing solutions focus on the combinational logic or sequential logic with full scan-chains, in this paper, we will revisit the security of sequential logic obfuscation within circuits where full scan-chains are not available or accessible. We will first introduce attack methods to compromise obfuscated sequential circuits leveraging newly developed netlist analysis tools. We will then propose systematic solutions and provide guidelines in developing resilient sequential logic obfuscation schemes.

Circuit Obfuscation and Oracle-guided Attacks: Who can Prevail?

This paper provides a systematization of knowledge in the domain of integrated circuit protection through obfuscation with a focus on the recent Boolean satisfiability (SAT) attacks. The study systematically combines real-world IC reverse engineering reports, experimental results using the most recent oracle-guided attacks, and concepts in machine-learning and cryptography to draw a map of the state-of-the-art of IC obfuscation and future challenges and opportunities.