Meng Li,Kaveh Shamsi,Travis Meade,Zheng Zhao,Bei Yu,Yier Jin,David Z. Pan

DOI: https://doi.org/10.1145/2966986.2967065

IF: 2.9

2019-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:The advancing of reverse engineering techniques has complicated the efforts in intellectual property protection. Proactive methods have been developed recently, among which layout-level IC camouflaging is the leading example. However, existing camouflaging methods are rarely supported by provably secure criteria, which further leads to over-estimation of the security level when countering the latest de-camouflaging attacks, e.g., the SAT-based attack. In this paper, a quantitative security criterion is proposed for de-camouflaging complexity measurements and formally analyzed through the demonstration of the equivalence between the existing de-camouflaging strategy and the active learning scheme. Supported by the new security criterion, two novel camouflaging techniques are proposed, the low-overhead camouflaging cell library and the AND-tree structure, to help achieve exponentially increasing security levels at the cost of linearly increasing performance overhead on the circuit under protection. A provably secure camouflaging framework is then developed by combining these two techniques. Experimental results using the security criterion show that the camouflaged circuits with the proposed framework are of high resilience against the SAT-based attack with negligible performance overhead.

Satwik Patnaik,Mohammed Ashraf,Ozgur Sinanoglu,Johann Knechtel

DOI: https://doi.org/10.1109/tcad.2020.2981034

2020-12-01

Abstract:Layout camouflaging can protect the intellectual property of modern circuits. Most prior art, however, incurs excessive layout overheads and necessitates customization of active-device manufacturing processes, i.e., the front-end-of-line (FEOL). As a result, camouflaging has typically been applied selectively, which can ultimately undermine its resilience. Here, we propose a low-cost and generic scheme—full-chip camouflaging can be finally realized without reservations. Our scheme is based on obfuscating the interconnects, i.e., the back-end-of-line (BEOL), through design-time handling for real and dummy wires and vias. To that end, we implement custom, BEOL-centric obfuscation cells, and develop a CAD flow using industrial tools. Our scheme can be applied to any design and technology node without FEOL-level modifications. Considering its BEOL-centric nature, we advocate applying our scheme in conjunction with split manufacturing, to furthermore protect against untrusted fabs. We evaluate our scheme for various designs at the physical, DRC-clean layout level. Our scheme incurs a significantly lower cost than most of the prior art. Notably, for fully camouflaged layouts, we observe average power, performance, and area overheads of 24.96%, 19.06%, and 32.55%, respectively. We conduct a thorough security study addressing the threats (attacks) related to untrustworthy FEOL fabs (proximity attacks) and malicious end-users (SAT-based attacks). An empirical key finding is that only large-scale camouflaging schemes like ours are practically secure against powerful SAT-based attacks. Another key finding is that our scheme hinders both placement- and routing-centric proximity attacks; correct connections are reduced by $7.47times $ , and complexity is increased by $24.15times $ , respectively, for such attacks.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Xue-Yan Wang,Qiang Zhou,Yi-Ci Cai,Gang Qu

DOI: https://doi.org/10.1007/s11390-018-1807-6

2018-01-01

Abstract:Intellectual property (IP) protection is one of the hardcore problems in hardware security. Semiconductor industry still lacks effective and proactive defense to shield IPs from reverse engineering (RE) based attacks. Integrated circuit (IC) camouflaging technique fills this gap by replacing some conventional logic gates in the IPs with specially designed logic cells (called camouflaged gates) without changing the functions of the IPs. The camouflaged gates can perform different logic functions while maintaining an identical look to RE attackers, thus preventing them from obtaining the layout information of the IP directly from RE tools. Since it was first proposed in 2012, circuit camouflaging has become one of the hottest research topics in hardware security focusing on two fundamental problems. How to choose the types of camouflaged gates and decide where to insert them in order to simultaneously minimize the performance overhead and optimize the RE complexity? How can an attacker de-camouflage a camouflaged circuit and complete the RE attack? In this article, we review the evolution of circuit camouflaging through this spear and shield race. First, we introduce the design methods of four different kinds of camouflaged cells based on true/dummy contacts, static random access memory (SRAM), doping, and emerging devices, respectively. Then we elaborate four representative de-camouflaging attacks: brute force attack, IC testing based attack, satisfiability-based (SAT-based) attack, and the circuit partition based attack, and the corresponding countermeasures: clique-based camouflaging, CamoPerturb, AND-tree camouflaging, and equivalent class based camouflaging, respectively. We argue that the current research efforts should be on reducing overhead introduced by circuit camouflaging and defeating de-camouflaging attacks. We point out that exploring features of emerging devices could be a promising direction. Finally, as a complement to circuit camouflaging, we conclude with a brief review of other state-of-the-art IP protection techniques.

Nikhil Rangarajan,Satwik Patnaik,Johann Knechtel,Ramesh Karri,Ozgur Sinanoglu,Shaloo Rakheja

DOI: https://doi.org/10.1109/TETC.2020.2991134

2020-07-08

Abstract:The era of widespread globalization has led to the emergence of hardware-centric security threats throughout the IC supply chain. Prior defenses like logic locking, layout camouflaging, and split manufacturing have been researched extensively to protect against intellectual property (IP) piracy at different stages. In this work, we present dynamic camouflaging as a new technique to thwart IP reverse engineering at all stages in the supply chain, viz., the foundry, the test facility, and the end-user. Toward this end, we exploit the multi-functionality, post-fabrication reconfigurability, and run-time polymorphism of spin-based devices, specifically the magneto-electric spin-orbit (MESO) device. Leveraging these unique properties, dynamic camouflaging is shown to be resilient against state-of-the-art analytical SAT-based attacks and test-data mining attacks. Such dynamic reconfigurability is not afforded in CMOS owing to fundamental differences in operation. For such MESO-based camouflaging, we also anticipate massive savings in power, performance, and area over other spin-based camouflaging schemes, due to the energy-efficient electric-field driven reversal of the MESO device. Based on thorough experimentation, we outline the promises of dynamic camouflaging in securing the supply chain end-to-end along with a case study, demonstrating the efficacy of dynamic camouflaging in securing error-tolerant image processing IP.

Cryptography and Security,Mesoscale and Nanoscale Physics,Emerging Technologies

Jaya Dofe,Chen Yan,Scott Kontak,Emre Salman,Qiaoyan Yu

DOI: https://doi.org/10.1109/AsianHOST.2016.7835570

2016-01-01

Abstract:This work proposes a novel method for transistor-level logic locking to address intellectual property (IP) piracy and reverse engineering attacks in monolithic three-dimensional (M3D) ICs. The proposed method locks logic gates by independently inserting parallel or serial locking transistors and camouflaged contacts in multiple tiers in M3D ICs. Without the correct key bits and confidential information for camouflaged contacts, the locked logic gates will malfunction and significantly alter power profiles, which makes reverse engineering attacks more difficult. The performance overhead of the proposed method is evaluated with ISCAS'85 benchmark circuits synthesized and placed with a customized M3D IC library. Case study on c6288 benchmark circuit shows that the proposed locking method with the correct key increases the power by only 0.26%. On average, this method consumes 2.3% more transistors than the baseline ISCAS'85 benchmark circuits.

Chen Yan,Jaya Dofe,Scott Kontak,Qiaoyan Yu,Emre Salman

DOI: https://doi.org/10.1109/tcsii.2017.2749523

2018-01-01

IEEE Transactions on Circuits & Systems II Express Briefs

Abstract:Circuit camouflaging is a layout-level technique to thwart image analysis-based reverse engineering attacks. An efficient dummy contact-based camouflaging method for monolithic 3-D integrated circuits (ICs) is proposed. 3-D ICs achieve ultra-high density device integration enabled by fine-grained monolithic inter-tier vias. Standard cell libraries are developed to evaluate the effects of circuit camouflaging on large-scale 2-D and monolithic 3-D ICs. These libraries are used to design a camouflaged SIMON (lightweight block cipher) and several academic benchmarks. Simulation results demonstrate that the monolithic 3-D technology is highly effective to facilitate the utilization of the camouflaging technique against reverse engineering attacks. At the expense of a slight degradation in timing characteristics, monolithic 3-D technology eliminates not only the area but also the power overhead related to camouflaging.

Jianfeng Wang,Zhonghao Chen,Jiahao Zhang,Yixin Xu,Tongguang Yu,Enze Ye,Ziheng Zheng,Huazhong Yang,Sumitha George,Yongpan Liu,Vijaykrishnan Narayanan,Xueqing Li

DOI: https://doi.org/10.48550/arXiv.2206.08087

2022-01-01

Abstract:Intellectual property (IP) piracy has become a non-negligible problem as the integrated circuit (IC) production supply chain is becoming increasingly globalized and separated that enables attacks by potentially untrusted attackers. Logic locking is a widely adopted method to lock the circuit module with a key and prevent hackers from cracking it. The key is the critical aspect of logic locking, but the existing works have overlooked three possible challenges of the key: safety of key storage, easy key-attempt from interface and key-related overheads, bringing the further challenges of low error rate and small state space. In this work, the key is dynamically generated by utilizing the huge space of a CPU core, and the unlocking is performed implicitly through the interconnection inside the chip. A novel low-cost logic reconfigurable gate is together proposed with ferroelectric FET (FeFET) to mitigate the reverse engineering and removal attack. Compared to the common logic locking methods, our proposed approach is 19,945 times more time consuming to traverse all the possible combinations in only 9-bit-key condition. Furthermore, our technique let key length increases this complexity exponentially and ensure the logic obfuscation effect.

Jae-Won Jang,Swaroop Ghosh

DOI: https://doi.org/10.48550/arXiv.1705.02707

2017-05-08

Abstract:Semiconductor supply chain is increasingly getting exposed to variety of security attacks such as Trojan insertion, cloning, counterfeiting, reverse engineering (RE) and piracy of Intellectual Property (IP) due to involvement of untrusted parties. Camouflaging of gates has been proposed to hide the functionality of gates. However, gate camouflaging is associated with significant area, power and delay overhead. In this paper, we propose camouflaging of interconnects using multiplexers (muxes) to protect the IP. A transistor threshold voltage-defined pass transistor mux is proposed to prevent its reverse engineering since transistor threshold voltage is opaque to the adversary. The proposed mux with more than one input, hides the original connectivity of the net. The camouflaged design operates at nominal voltage and obeys conventional reliability limits. A small fraction of nets can be camouflaged to increase the RE effort extremely high while keeping the overhead low. We propose controllability, observability and random net selection strategy for camouflaging. Simulation results indicate 15-33% area, 25-44% delay and 14-29% power overhead when 5-15% nets are camouflaged using the proposed 2:1 mux. By increasing the mux size to 4:1, 8:1, and 16:1, the RE effort can be further improved with small area, delay, and power penalty.

Cryptography and Security

Kaveh Shamsi,Meng Li,Kenneth Plaks,Saverio Fazzari,David Z. Pan,Yier Jin

DOI: https://doi.org/10.1145/3342099

IF: 1.447

2019-11-14

ACM Transactions on Design Automation of Electronic Systems

Abstract:The globalization of the semiconductor supply chain introduces ever-increasing security and privacy risks. Two major concerns are IP theft through reverse engineering and malicious modification of the design. The latter concern in part relies on successful reverse engineering of the design as well. IC camouflaging and logic locking are two of the techniques under research that can thwart reverse engineering by end-users or foundries. However, developing low overhead locking/camouflaging schemes that can resist the ever-evolving state-of-the-art attacks has been a challenge for several years. This article provides a comprehensive review of the state of the art with respect to locking/camouflaging techniques. We start by defining a systematic threat model for these techniques and discuss how various real-world scenarios relate to each threat model. We then discuss the evolution of generic algorithmic attacks under each threat model eventually leading to the strongest existing attacks. The article then systematizes defences and along the way discusses attacks that are more specific to certain kinds of locking/camouflaging. The article then concludes by discussing open problems and future directions.

computer science, software engineering, hardware & architecture

Xueyan Wang,Qiang Zhou,Yici Cai,Gang Qu

DOI: https://doi.org/10.1109/ISCAS.2016.7538897

2016-01-01

Abstract:Circuit camouflaging techniques have been proposed to thwart reverse engineering (RE) attacks to integrated circuits (IC). In one of the most well-known camouflaging methods, selective XOR, NAND, and NOR gates are replaced by configurable logic units which have the same appearance to the RE attackers. It is argued that a successful attack has to brute force search all the camouflaged gates' possible {XOR, NAND, NOR} combinations, resulting in the attack complexity exponential to the number of camouflaged gates. In this paper, we have reported an attack to significantly reduce this complexity by partitioning the IC to many subcircuits to attack individually. We validate the power of the proposed circuit partition based attack on ISCAS benchmark suite and OpenSparc T1 microprocessor, and propose a potential countermeasure to re-secure IC camouflaging.

Meng Li,Kaveh Shamsi,Yier Jin,David Z. Pan

DOI: https://doi.org/10.1109/test.2018.8624671

2018-01-01

Abstract:In order to counter advanced reverse engineering techniques, various integrated circuit (IC) camouflaging methods are proposed to protect hardware intellectual property (IP) proactively. For example, a timing-based camouflaging strategy is developed recently representing a new class of parametric camouflaging strategies. Unlike traditional IC camouflaging techniques that directly hide the circuit functionality, the new parametric strategies obfuscate the circuit timing schemes, which in turn protects the circuit functionality and invalidates all the existing attacks. In this paper, we propose a SAT attack, named TimingSAT, to analyze the security of such timing-based camouflaging strategies. We demonstrate that with a proper transformation of the camouflaged netlist, traditional SAT attacks are still effective to decamouflage the new protection methods. The correctness of the resolved circuit functionality is formally proved. While a direct implementation of TimingSAT suffers from poor scalability, we propose a simplification procedure to significantly enhance the attack efficiency without sacrificing the correctness of the decamouflaged netlist. The efficiency and effectiveness of TimingSAT is validated with extensive experimental results.

Akshay Wali,Shamik Kundu,Andrew J Arnold,Guangwei Zhao,Kanad Basu,Saptarshi Das

DOI: https://doi.org/10.1021/acsnano.0c10651

IF: 17.1

2021-02-23

ACS Nano

Abstract:Reverse engineering (RE) is one of the major security threats to the semiconductor industry due to the involvement of untrustworthy parties in an increasingly globalized chip manufacturing supply chain. RE efforts have already been successful in extracting device level functionalities from an integrated circuit (IC) with very limited resources. Camouflaging is an obfuscation method that can thwart such RE. Existing work on IC camouflaging primarily involves transformable interconnects and/or covert gates where variation in doping and dummy contacts hide the circuit structure or build cells that look alike but have different functionalities. Emerging solutions, such as polymorphic gates based on a giant spin Hall effect and Si nanowire field effect transistors (FETs), are also promising but add significant area overhead and are successfully decamouflaged by the satisfiability solver (SAT)-based RE techniques. Here, we harness the properties of two-dimensional (2D) transition-metal dichalcogenides (TMDs) including MoS2, MoSe2, MoTe2, WS2, and WSe2 and their optically transparent transition-metal oxides (TMOs) to demonstrate area efficient camouflaging solutions that are resilient to SAT attack and automatic test pattern generation attacks. We show that resistors with resistance values differing by 5 orders of magnitude, diodes with variable turn-on voltages and reverse saturation currents, and FETs with adjustable conduction type, threshold voltages, and switching characteristics can be optically camouflaged to look exactly similar by engineering TMO/TMD heterostructures, allowing hardware obfuscation of both digital and analog circuits. Since this 2D heterostructure devices family is intrinsically camouflaged, NAND/NOR/AND/OR gates in the circuit can be obfuscated with significantly less area overhead, allowing 100% logic obfuscation compared to only 5% for complementary metal oxide semiconductor (CMOS)-based camouflaging. Finally, we demonstrate that the largest benchmarking circuit from ISCAS'85, comprised of more than 4000 logic gates when obfuscated with the CMOS-based technique, is successfully decamouflaged by SAT attack in <40 min; whereas, it renders to be invulnerable even in more than 10 h when camouflaged with 2D heterostructure devices, thereby corroborating our hypothesis of high resilience against RE. Our approach of connecting material properties to innovative devices to secure circuits can be considered as a one of a kind demonstration, highlighting the benefits of cross-layer optimization.

Kaveh Shamsi,Meng Li,Kenneth Plaks,Saverio Fazzari,David Z. Pan,Yier Jin

DOI: https://doi.org/10.1145/3342099

IF: 1.447

2019-01-01

ACM Transactions on Design Automation of Electronic Systems

Abstract:The globalization of the semiconductor supply chain introduces ever-increasing security and privacy risks. Two major concerns are IP theft through reverse engineering and malicious modification of the design. The latter concern in part relies on successful reverse engineering of the design as well. IC camouflaging and logic locking are two of the techniques under research that can thwart reverse engineering by end-users or foundries. However, developing low overhead locking/camouflaging schemes that can resist the ever-evolving state-of-the-art attacks has been a challenge for several years. This article provides a comprehensive review of the state of the art with respect to locking/camouflaging techniques. We start by defining a systematic threat model for these techniques and discuss how various real-world scenarios relate to each threat model. We then discuss the evolution of generic algorithmic attacks under each threat model eventually leading to the strongest existing attacks. The article then systematizes defences and along the way discusses attacks that are more specific to certain kinds of locking/camouflaging. The article then concludes by discussing open problems and future directions.

Tongguang Yu,Yixin Xu,Shan Deng,Zijian Zhao,Nicolas Jao,You Sung Kim,Stefan Duenkel,Sven Beyer,Kai Ni,Sumitha George,Vijaykrishnan Narayanan

DOI: https://doi.org/10.1038/s41467-022-29795-3

IF: 16.6

2022-04-25

Nature Communications

Abstract:Abstract Existing circuit camouflaging techniques to prevent reverse engineering increase circuit-complexity with significant area, energy, and delay penalty. In this paper, we propose an efficient hardware encryption technique with minimal complexity and overheads based on ferroelectric field-effect transistor (FeFET) active interconnects. By utilizing the threshold voltage programmability of the FeFETs, run-time reconfigurable inverter-buffer logic, utilizing two FeFETs and an inverter, is enabled. Judicious placement of the proposed logic makes it act as a hardware encryption key and enable encoding and decoding of the functional output without affecting the critical path timing delay. Additionally, a peripheral programming scheme for reconfigurable logic by reusing the existing scan chain logic is proposed, obviating the need for specialized programming logic and circuitry for keybit distribution. Our analysis shows an average encryption probability of 97.43% with an increase of 2.24%/ 3.67% delay for the most critical path/ sum of 100 critical paths delay for ISCAS85 benchmarks.

multidisciplinary sciences

Grace Li Zhang,Bing Li,Meng Li,Bei Yu,David Z. Pan,Michaela Brunner,Georg Sigl,Ulf Schlichtmann

DOI: https://doi.org/10.1109/TCAD.2020.2974338

2020-03-02

Abstract:With recent advances in reverse engineering, attackers can reconstruct a netlist to counterfeit chips by opening the die and scanning all layers of authentic chips. This relatively easy counterfeiting is made possible by the use of the standard simple clocking scheme, where all combinational blocks function within one clock period, so that a netlist of combinational logic gates and flip-flops is sufficient to duplicate a design. In this paper, we propose to invalidate the assumption that a netlist completely represents the function of a circuit with unconventional timing. With the introduced wave-pipelining paths, attackers have to capture gate and interconnect delays during reverse engineering, or to test a huge number of combinational paths to identify the wave-pipelining paths. To hinder the test-based attack, we construct false paths with wave-pipelining to increase the counterfeiting challenge. Experimental results confirm that wave-pipelining true paths and false paths can be constructed in benchmark circuits successfully with only a negligible cost, thus thwarting the potential attack techniques.

Cryptography and Security,Hardware Architecture

Fangzhou Wang,Qijing Wang,Bangqi Fu,Shui Jiang,Xiaopeng Zhang,Lilas Alrahis,Ozgur Sinanoglu,Johann Knechtel,Tsung-Yi Ho,Evangeline F. Y. Young

DOI: https://doi.org/10.48550/arXiv.2211.07997

2022-11-15

Abstract:Due to cost benefits, supply chains of integrated circuits (ICs) are largely outsourced nowadays. However, passing ICs through various third-party providers gives rise to many threats, like piracy of IC intellectual property or insertion of hardware Trojans, i.e., malicious circuit modifications. In this work, we proactively and systematically harden the physical layouts of ICs against post-design insertion of Trojans. Toward that end, we propose a multiplexer-based logic-locking scheme that is (i) devised for layout-level Trojan prevention, (ii) resilient against state-of-the-art, oracle-less machine learning attacks, and (iii) fully integrated into a tailored, yet generic, commercial-grade design flow. Our work provides in-depth security and layout analysis on a challenging benchmark suite. We show that ours can render layouts resilient, with reasonable overheads, against Trojan insertion in general and also against second-order attacks (i.e., adversaries seeking to bypass the locking defense in an oracle-less setting). We release our layout artifacts for independent verification [29] and we will release our methodology's source code.

Cryptography and Security,Hardware Architecture,Machine Learning

Jianlei Yang,Xueyan Wang,Qiang Zhou,Zhaohao Wang,Hai Li,Yiran Chen,Weisheng Zhao

DOI: https://doi.org/10.1109/tcad.2018.2802870

IF: 2.9

2019-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Circuit obfuscation is a frequently used approach to conceal logic functionalities in order to prevent reverse engineering attacks on fabricated chips. Efficient obfuscation implementations are expected with lower design complexity and overhead but higher attack difficulties. In this paper, an emerging obfuscation approach is proposed by leveraging spin-orbit torque (SOT) devices-based look-up-tables as reconfigurable logic to replace the carefully selected gates. It is essentially impossible to identify the obfuscated gate with SOTs inside according to the physical geometry characteristics because the configured functionalities are represented by magnetization states. Such an obfuscation approach makes the circuit security further improved with high exponential attack complexities. Experiments on MCNC and ISCAS 85/89 benchmark suits show that the proposed approach could reduce the area overheads due to obfuscation by 10% averagely.

Kaveh Shamsi,Meng Li,Travis Meade,Zheng Zhao,David Z. Pan,Yier Jin

DOI: https://doi.org/10.1145/3060403.3060458

2017-01-01

Abstract:Logic locking and IC camouflaging are proactive circuit obfuscation methods that if proven secure can thwart hardware attacks such as reverse engineering and IP theft. However, the security of both these schemes is called into question by recent SAT based attacks. While a number of methods have been proposed in literature that exponentially increase the running time of such attacks, they are vulnerable to \"findand-remove\" attacks, and only slightly hide the circuit functionality. In this paper, we present a novel approach towards creating SAT attack resiliency based on creating densely cyclic obfuscated circuit topologies by adding dummy paths to the circuit. Our methodology is applicable to both IC camouflaging and logic locking. We demonstrate that cyclic logic locking creates SAT resilient circuits with 40% less area and 20% less delay compared to an insecure XOR/XNOR-obfuscation with the same key length. Furthermore, we show that cyclic IC camouflaging can be implemented at the layout level with no substrate area overhead and little delay and power overhead with respect to the original circuit.

Satwik Patnaik,Mohammed Ashraf,Ozgur Sinanoglu,Johann Knechtel

DOI: https://doi.org/10.1145/3240765.3240784

2018-11-16

Abstract:With the globalization of manufacturing and supply chains, ensuring the security and trustworthiness of ICs has become an urgent challenge. Split manufacturing (SM) and layout camouflaging (LC) are promising techniques to protect the intellectual property (IP) of ICs from malicious entities during and after manufacturing (i.e., from untrusted foundries and reverse-engineering by end-users). In this paper, we strive for "the best of both worlds," that is of SM and LC. To do so, we extend both techniques towards 3D integration, an up-and-coming design and manufacturing paradigm based on stacking and interconnecting of multiple chips/dies/tiers. Initially, we review prior art and their limitations. We also put forward a novel, practical threat model of IP piracy which is in line with the business models of present-day design houses. Next, we discuss how 3D integration is a naturally strong match to combine SM and LC. We propose a security-driven CAD and manufacturing flow for face-to-face (F2F) 3D ICs, along with obfuscation of interconnects. Based on this CAD flow, we conduct comprehensive experiments on DRC-clean layouts. Strengthened by an extensive security analysis (also based on a novel attack to recover obfuscated F2F interconnects), we argue that entering the next, third dimension is eminent for effective and efficient IP protection.

Cryptography and Security,Emerging Technologies

Zhaokun Han,Mohammed Shayan,Aneesh Dixit,Mustafa Shihab,Yiorgos Makris,Jeyavijayan Rajendran

DOI: https://doi.org/10.48550/arXiv.2306.05532

2023-06-21

Abstract:Hardware intellectual property (IP) piracy is an emerging threat to the global supply chain. Correspondingly, various countermeasures aim to protect hardware IPs, such as logic locking, camouflaging, and split manufacturing. However, these countermeasures cannot always guarantee IP security. A malicious attacker can access the layout/netlist of the hardware IP protected by these countermeasures and further retrieve the design. To eliminate/bypass these vulnerabilities, a recent approach redacts the design's IP to an embedded field-programmable gate array (eFPGA), disabling the attacker's access to the layout/netlist. eFPGAs can be programmed with arbitrary functionality. Without the bitstream, the attacker cannot recover the functionality of the protected IP. Consequently, state-of-the-art attacks are inapplicable to pirate the redacted hardware IP. In this paper, we challenge the assumed security of eFPGA-based redaction. We present an attack to retrieve the hardware IP with only black-box access to a programmed eFPGA. We observe the effect of modern electronic design automation (EDA) tools on practical hardware circuits and leverage the observation to guide our attack. Thus, our proposed method FuncTeller selects minterms to query, recovering the circuit function within a reasonable time. We demonstrate the effectiveness and efficiency of FuncTeller on multiple circuits, including academic benchmark circuits, Stanford MIPS processor, IBEX processor, Common Evaluation Platform GPS, and Cybersecurity Awareness Worldwide competition circuits. Our results show that FuncTeller achieves an average accuracy greater than 85% over these tested circuits retrieving the design's functionality.

Cryptography and Security