Zimu Guo

Investigation of obfuscation-based anti-reverse engineering for printed circuit boards

Prior work has shown that printed circuit board (PCB) reverse engineering can be accomplished with inexpensive home solutions as well as state-of-the-art technologies. Once the information of how components on a PCB are connected is determined, an adversary can steal the IP, clone the design, determine points of attack on a system, etc. Existing chip-level obfuscation techniques are not applicable to board level due to the significant differences between chips and PCBs. In this paper, we propose a PCB obfuscation approach that relies on permutation blocks to hide the interconnects among the PCBs circuit components. A detailed framework is provided to implement the proposed approach and evaluate its performance. Potential attacks and countermeasures are also discussed. Results obtained from five industrial reference designs show that it is nearly impossible to break the proposed approach by brute force, even under pessimistic assumptions. Our investigation also reveals that PCBs containing a programmable component with 64 pins (or more) are well-protected by our approach, making it suitable for a large percentage of systems and applications.

Highly Reliable Key Generation From Electrocardiogram (ECG)

Traditional passwords are inadequate as cryptographic keys, as they are easy to forge and are vulnerable to guessing. Human biometrics have been proposed as a promising alternative due to their intrinsic nature. Electrocardiogram (ECG) is an emerging biometric that is extremely difficult to forge and circumvent, but has not yet been heavily investigated for cryptographic key generation. ECG has challenges with respect to immunity to noise, abnormalities, etc. In this paper, we propose a novel key generation approach that extracts keys from real-valued ECG features with high reliability and entropy in mind. Our technique, called interval optimized mapping bit allocation (IOMBA), is applied to normal and abnormal ECG signals under multiple session conditions. We also investigate IOMBA in the context of different feature extraction methods, such as wavelet, discrete cosine transform, etc., to find the best method for feature extraction. Experiments of IOMBA show that 217-, 38-, and 100-bit keys with 99.9%, 97.4%, and 95% average reliability and high entropy can be extracted from normal, abnormal, and multiple session ECG signals, respectively. By allowing more errors or lowering entropy, key lengths can be further increased by tunable parameters of IOMBA, which can be useful in other applications. While IOMBA is demonstrated on ECG, it should be useful for other biometrics as well.

Hardware security meets biometrics for the age of IoT

The Internet of Things (IoT) is a concept that involves connecting endpoint devices and physical objects to the Internet. While IoT is envisioned to dramatically increase convenience in our daily lives, it could also result in catastrophic economic and safety issues. Considering the applications envisioned for IoT (smart cities, homes, retail, etc.), security must be handled with great care and should start from the bottom up (i.e., from the hardware level). As a good deal of IoT devices require interaction between devices and humans, biometrics provide an interesting opportunity for improving both the convenience and security in IoT applications. In this paper, we consider the potential benefits and challenges associated with incorporating biometrics into IoT. We combine novel biometrics, such as ECG and PPG, and system-level obfuscation approaches to prevent reverse engineering, tampering and unauthorized access of IoT devices and other electronic systems. Our preliminary results are promising and motivate future work in this area.

Human recognition from photoplethysmography (PPG) based on non-fiducial features

Photoplethysmography (PPG) signals have unique identity properties for human recognition, and are becoming easier to capture by emerging IoT sensors. Existing research on PPG-based biometric systems rely on fiducial methods that extract landmarks from the PPG signal as features. This paper investigates non-fiducial methods that operating in a holistic manner that is less sensitive to noise in landmarks. We compare PPG-based human verification of 42 subjects with fiducial and non-fiducial methods (specifically, discrete wavelet transform) and classification using a neural network and support vector machine. The experimental results demonstrate higher test recognition rates for wavelet transform feature extraction. We further improve our results by selecting a subset of features via the genetic algorithm.

Noise assessment framework for optimizing ECG key generation

Bioelectrical signals such as electrocardiogram (ECG) have shown promise as biometrics, but their continuous nature and drastic acquisition variations make it difficult to deploy them for biometric-based key generation. In particular, it is nearly impossible to obtain raw ECG measurements from a large population under all possible test conditions. In this paper, we build upon our recent approach called IOMBA by combining it with a pre-assessment framework that uses synthetic ECGs to characterize the impact of different sources of noise on ECG-based keys. Our framework uses an auto-regressive (AR) model with three modulated sources of noise - baseline wander (BW), electromyography (EMG), and motion artifact (MA). The performance of the proposed framework is validated using normal ECG signals from popular ECG databases. Different feature extraction methods are applied for ECG key generation and the performance of each approach with each noise source is evaluated. The proposed framework can be used to optimize pre-processing approaches for low-cost applications.

FFD: A Framework for Fake Flash Detection

Counterfeit electronics have become a big concern in the globalized semiconductor industry where chips might be recycled, remarked, cloned or overproduced. In this work, we advance the state-of-the-art counterfeit detection of flash memory, which is widely used in electronic systems. Fake memories may be used in critical systems, such as missiles, military aircrafts and helicopters, thus diminishing their reliability. In addition, there are countless stories of fake flash drives in the general consumer market. We propose a comprehensive framework called FFD to detect fake flash memories (i.e., recycled, remarked and cloned parts). FFD is validated with 200,000 commercial flash memory pages. Experimental results show that our framework performs well in: 1) nearly 100% detection accuracy of flash with as little as 5% usage, 2) estimating the flash memory usage with high resolution (≤ 5% of its maximal endurance). Another contribution of this work is a chip ID generation technique that can generate unique flash fingerprints with greater than 99.3% reliability.

Systematic Correlation and Cell Neighborhood Analysis of SRAM PUF for Robust and Unique Key Generation

A physical unclonable function (PUF) is a structure that produces a unique response, with an issued challenge (input), which can be used as an identifier or a cryptographic key. SRAM PUFs create unique responses upon power up as certain SRAM cells output a “1” or “0” with high probability due to uncontrollable process variations. A current challenge in SRAM PUFs is their sensitivity to temperature and voltage variations as well as aging. It is always challenging to make SRAM PUFs reliable and unique with algorithms that isolate stable and uncorrelated bits quickly with minimal testing (enrollment). In this paper, we explore the selection of stable and uncorrelated bits through enrollment under different conditions (temperature and voltage) and also by exploiting previously undiscovered interactions between neighboring SRAM cells. We propose neighbor influenced cell selection algorithm (NICSA) with the help of metrics that analyze the impact of each neighboring cell and each enrollment condition. The proposed NICSA helps to identify the “best” cells and conditions for stable bit selection. Besides reliability, SRAM PUF can be less unique due to systematic correlation among chips. We study the systematic correlation between SRAMs power-up values to find the uncorrelated cells among chips for better uniqueness. We have analyzed data from 5 ISSI, 3 IDT, and 3 Cypress SRAMs and our metrics identify the best neighborhood size (16 stable neighbors) and best enrollment condition pair high temperature, high voltage, and low temperature for NICSA.

A zero-cost approach to detect recycled SoC chips using embedded SRAM

Considering the rapid growth of the global consumer electronics market, counterfeiting of integrated circuits (ICs), and in particular recycling, has become a serious issue in recent years. Recycled ICs are those harvested from old systems and re-inserted into the supply chain as new. Such ICs exhibit lower performance and shorter life time, and as a result, pose serious threats to the security and reliability of electronic systems used for critical applications. In this paper, we propose the first recycled IC detection technique based on aging of embedded SRAMs. In our approach, an enrollment phase is used to identify the SRAM cells that initially provide a stable output upon startup (like a PUF ID), but are highly unstable with aging. During verification, if the IC is recycled, the aging in SRAM cells due to usage in the field causes its ID to change, allowing it to be detected. We also develop a framework to determine the parameters (length of ID, thresholds, etc.) to achieve high confidence. Results from new and aged SRAM of Xillinx Spartan-3 FPGA development boards show that the detection accuracy is high with proper parameter selected (false accept rate and false reject rate are 0 and 0.03 respectively) and robust against supply voltage variations.

Permutation-Based Obfuscation

Hardware obfuscation techniques have been studied in preventing reverse engineering and piracy issues. One branch of these techniques is permutation-based obfuscation. In this chapter, permutation-based obfuscation is presented at both the chip level and board level. Prior to providing the implementation details, several implementation-related topics are discussed. These topics consist of the difference between the chip-level and board-level designs as well as the introduction of a general obfuscation implementation flow. Besides the flow, this chapter also provides methodologies for evaluating the obfuscation performance. Finally, potential attacks on permutation-based obfuscation are discussed along with their corresponding countermeasures.

Obfuscation-Based Protection Framework against Printed Circuit Boards Unauthorized Operation and Reverse Engineering

Printed circuit boards (PCBs) are a basic necessity for all modern electronic systems but are becoming increasingly vulnerable to cloning, overproduction, tampering, and unauthorized operation. Most efforts to prevent such attacks have only focused on the chip level, leaving a void for PCBs and higher levels of abstraction. In this article, we propose the first ever obfuscation-based framework for the protection of PCBs. Central to our approach is a permutation block that hides the inter-chip connections between chips on the PCB and is controlled by a key. If the correct key is applied, then the correct connections between chips are made. Otherwise, the connections are incorrectly permuted, and the PCB/system fails to operate. We propose a permutation network added to the PCB based on a Benes network that can easily be implemented in a complex programmable logic device or field-programmable gate arrays. Based on this implementation, we analyze the security of our approach with respect to (i) brute-force attempts to reverse engineer the PCB, (ii) brute-force attempts at guessing the correct key, and (iii) physical and logistic attacks by a range of adversaries. Performance evaluation results on 12 reference designs show that brute force generally requires prohibitive time to break the obfuscation. We also provide detailed requirements for countermeasures that prevent reverse engineering, unauthorized operation, and so on, for different classes of attackers.