Xue-Yan Wang,Qiang Zhou,Yi-Ci Cai,Gang Qu

DOI: https://doi.org/10.1007/s11390-018-1807-6

2018-01-01

Abstract:Intellectual property (IP) protection is one of the hardcore problems in hardware security. Semiconductor industry still lacks effective and proactive defense to shield IPs from reverse engineering (RE) based attacks. Integrated circuit (IC) camouflaging technique fills this gap by replacing some conventional logic gates in the IPs with specially designed logic cells (called camouflaged gates) without changing the functions of the IPs. The camouflaged gates can perform different logic functions while maintaining an identical look to RE attackers, thus preventing them from obtaining the layout information of the IP directly from RE tools. Since it was first proposed in 2012, circuit camouflaging has become one of the hottest research topics in hardware security focusing on two fundamental problems. How to choose the types of camouflaged gates and decide where to insert them in order to simultaneously minimize the performance overhead and optimize the RE complexity? How can an attacker de-camouflage a camouflaged circuit and complete the RE attack? In this article, we review the evolution of circuit camouflaging through this spear and shield race. First, we introduce the design methods of four different kinds of camouflaged cells based on true/dummy contacts, static random access memory (SRAM), doping, and emerging devices, respectively. Then we elaborate four representative de-camouflaging attacks: brute force attack, IC testing based attack, satisfiability-based (SAT-based) attack, and the circuit partition based attack, and the corresponding countermeasures: clique-based camouflaging, CamoPerturb, AND-tree camouflaging, and equivalent class based camouflaging, respectively. We argue that the current research efforts should be on reducing overhead introduced by circuit camouflaging and defeating de-camouflaging attacks. We point out that exploring features of emerging devices could be a promising direction. Finally, as a complement to circuit camouflaging, we conclude with a brief review of other state-of-the-art IP protection techniques.

Meng Li,Kaveh Shamsi,Travis Meade,Zheng Zhao,Bei Yu,Yier Jin,David Z. Pan

DOI: https://doi.org/10.1145/2966986.2967065

IF: 2.9

2019-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:The advancing of reverse engineering techniques has complicated the efforts in intellectual property protection. Proactive methods have been developed recently, among which layout-level IC camouflaging is the leading example. However, existing camouflaging methods are rarely supported by provably secure criteria, which further leads to over-estimation of the security level when countering the latest de-camouflaging attacks, e.g., the SAT-based attack. In this paper, a quantitative security criterion is proposed for de-camouflaging complexity measurements and formally analyzed through the demonstration of the equivalence between the existing de-camouflaging strategy and the active learning scheme. Supported by the new security criterion, two novel camouflaging techniques are proposed, the low-overhead camouflaging cell library and the AND-tree structure, to help achieve exponentially increasing security levels at the cost of linearly increasing performance overhead on the circuit under protection. A provably secure camouflaging framework is then developed by combining these two techniques. Experimental results using the security criterion show that the camouflaged circuits with the proposed framework are of high resilience against the SAT-based attack with negligible performance overhead.

Shan Jiang,Ning Xu,Xue-Yan Wang,Qiang Zhou

DOI: https://doi.org/10.1007/s11390-018-1870-z

2018-01-01

Abstract:Integrated circuit (IC) camouflaging technique has been applied as a countermeasure against reverse engineering (RE). However, its effectiveness is threatened by a boolean satisfiability (SAT) based de-camouflaging attack, which is able to restore the camouflaged circuit within only minutes. As a defense to the SAT-based de-camouflaging attack, a brand new camouflaging strategy (called CamoPerturb) has been proposed recently, which perturbs one minterm by changing one gate’s functionality and then restores the perturbed circuit with a separated camouflaged block, achieving good resistance against the SAT-based attack. In this paper, we analyze the security vulnerabilities of CamoPerturb by illustrating the mechanism of minterm perturbation induced by gate replacement, then propose an attack to restore the changed gate’s functionality, and recover the camouflaged circuit. The attack algorithm is facilitated by sensitization and implication principles in automatic test pattern generation (ATPG) techniques. Experimental results demonstrate that our method is able to restore the camouflaged circuits with very little time consumption.

Huafeng CHEN,Haibin SHEN,Xiaolang YAN

2008-01-01

Abstract:The design-for-testability structure based on scan-chain often compromises the security of crypto chips.A method to attack certain hardware implementation of elliptic curve cryptography was presented.And an easy but effective secure scan method against the attack was proposed,which would not compromise the security of the chip,while maintaining high fault coverage.By controlling operational mode of the chip,the disability mechanism of scan enable signal was applied.The scan function was disabled when there existed security information in the chip.It solved the problem of secure information disclosure caused by scan chain design.

Mohamed El Massad,Siddharth Garg,Mahesh Tripunitara

DOI: https://doi.org/10.48550/arXiv.1710.10474

2017-10-28

Cryptography and Security

Abstract:Integrated circuit (IC) camouflaging is a promising technique to protect the design of a chip from reverse engineering. However, recent work has shown that even camouflaged ICs can be reverse engineered from the observed input/output behaviour of a chip using SAT solvers. However, these so-called SAT attacks have so far targeted only camouflaged combinational circuits. For camouflaged sequential circuits, the SAT attack requires that the internal state of the circuit is controllable and observable via the scan chain. It has been implicitly assumed that restricting scan chain access increases the security of camouflaged ICs from reverse engineering attacks. In this paper, we develop a new attack methodology to decamouflage sequential circuits without scan access. Our attack uses a model checker (a more powerful reasoning tool than a SAT solver) to find a discriminating set of input sequences, i.e., one that is sufficient to determine the functionality of camouflaged gates. We propose several refinements, including the use of a bounded model checker, and sufficient conditions for determining when a set of input sequences is discriminating to improve the run-time and scalabilty of our attack. Our attack is able to decamouflage a large sequential benchmark circuit that implements a subset of the VIPER processor.

Shan Jiang,Ning Xu,Xueyan Wang,Qiang Zhou

DOI: https://doi.org/10.3969/j.issn.1001-0505.2017.S1.035

2017-01-01

Abstract:To further enhance the security of the minterm protection based integrated circuit(IC) camouflaging strategy,an efficient attack technique for its circuit structure defects was proposed,and its improvements were analyzed.Firstly, the implementation methods for the minterm protection based camouflaging strategy proposed by CamoPerturb were analyzed, and the mechanism of the minterm perturbation induced by the gate replacement was demonstrated by leveraging sensitization and implication principles.Then,the replaced gate and the perturbed minterm were calculated by u-sing FAN algorithm as a reference, thus recovering the original circuit structure.The experimental results in ISCAS'89 benchmark circuits and the controllers of OpenSPARC microprocessor,show that the CamoPerturb circuit can be decamouflaged in a few milliseconds by using the proposed method.

Xueyan Wang,Qiang Zhou,Yici Cai,Gang Qu

DOI: https://doi.org/10.1145/3060403.3060493

2017-01-01

Abstract:Gate camouflaging has emerged as a leading proactive countermeasure for reverse engineering (RE) attacks. However, a recently proposed circuit partition attack (CPA) can significantly reduce the complexity of revealing the original design from a camouflaged circuit. In this paper, we first conduct an empirical study on how CPA can facilitate the state-of-the-art de-camouflaging methods to perform more efficient attacks. We then study how an equivalent class guided camouflaging approach may thwart these de-camouflaging attempts and re-establish the defense against RE. Experimental results demonstrate that (1) CPA is an effective pre-processing technique to boost de-camouflaging methods, and (2) Equivalent class guided camouflaging technique is resilient against the union of CPA and existing de-camouflaging methods.

Jae-Won Jang,Swaroop Ghosh

DOI: https://doi.org/10.48550/arXiv.1705.02707

2017-05-08

Abstract:Semiconductor supply chain is increasingly getting exposed to variety of security attacks such as Trojan insertion, cloning, counterfeiting, reverse engineering (RE) and piracy of Intellectual Property (IP) due to involvement of untrusted parties. Camouflaging of gates has been proposed to hide the functionality of gates. However, gate camouflaging is associated with significant area, power and delay overhead. In this paper, we propose camouflaging of interconnects using multiplexers (muxes) to protect the IP. A transistor threshold voltage-defined pass transistor mux is proposed to prevent its reverse engineering since transistor threshold voltage is opaque to the adversary. The proposed mux with more than one input, hides the original connectivity of the net. The camouflaged design operates at nominal voltage and obeys conventional reliability limits. A small fraction of nets can be camouflaged to increase the RE effort extremely high while keeping the overhead low. We propose controllability, observability and random net selection strategy for camouflaging. Simulation results indicate 15-33% area, 25-44% delay and 14-29% power overhead when 5-15% nets are camouflaged using the proposed 2:1 mux. By increasing the mux size to 4:1, 8:1, and 16:1, the RE effort can be further improved with small area, delay, and power penalty.

Cryptography and Security

Chen Yan,Jaya Dofe,Scott Kontak,Qiaoyan Yu,Emre Salman

DOI: https://doi.org/10.1109/tcsii.2017.2749523

2018-01-01

IEEE Transactions on Circuits & Systems II Express Briefs

Abstract:Circuit camouflaging is a layout-level technique to thwart image analysis-based reverse engineering attacks. An efficient dummy contact-based camouflaging method for monolithic 3-D integrated circuits (ICs) is proposed. 3-D ICs achieve ultra-high density device integration enabled by fine-grained monolithic inter-tier vias. Standard cell libraries are developed to evaluate the effects of circuit camouflaging on large-scale 2-D and monolithic 3-D ICs. These libraries are used to design a camouflaged SIMON (lightweight block cipher) and several academic benchmarks. Simulation results demonstrate that the monolithic 3-D technology is highly effective to facilitate the utilization of the camouflaging technique against reverse engineering attacks. At the expense of a slight degradation in timing characteristics, monolithic 3-D technology eliminates not only the area but also the power overhead related to camouflaging.

Meng Li,Kaveh Shamsi,Yier Jin,David Z. Pan

DOI: https://doi.org/10.1109/test.2018.8624671

2018-01-01

Abstract:In order to counter advanced reverse engineering techniques, various integrated circuit (IC) camouflaging methods are proposed to protect hardware intellectual property (IP) proactively. For example, a timing-based camouflaging strategy is developed recently representing a new class of parametric camouflaging strategies. Unlike traditional IC camouflaging techniques that directly hide the circuit functionality, the new parametric strategies obfuscate the circuit timing schemes, which in turn protects the circuit functionality and invalidates all the existing attacks. In this paper, we propose a SAT attack, named TimingSAT, to analyze the security of such timing-based camouflaging strategies. We demonstrate that with a proper transformation of the camouflaged netlist, traditional SAT attacks are still effective to decamouflage the new protection methods. The correctness of the resolved circuit functionality is formally proved. While a direct implementation of TimingSAT suffers from poor scalability, we propose a simplification procedure to significantly enhance the attack efficiency without sacrificing the correctness of the decamouflaged netlist. The efficiency and effectiveness of TimingSAT is validated with extensive experimental results.

Kaveh Shamsi,Meng Li,Travis Meade,Zheng Zhao,David Z. Pan,Yier Jin

DOI: https://doi.org/10.1145/3060403.3060458

2017-01-01

Abstract:Logic locking and IC camouflaging are proactive circuit obfuscation methods that if proven secure can thwart hardware attacks such as reverse engineering and IP theft. However, the security of both these schemes is called into question by recent SAT based attacks. While a number of methods have been proposed in literature that exponentially increase the running time of such attacks, they are vulnerable to \"findand-remove\" attacks, and only slightly hide the circuit functionality. In this paper, we present a novel approach towards creating SAT attack resiliency based on creating densely cyclic obfuscated circuit topologies by adding dummy paths to the circuit. Our methodology is applicable to both IC camouflaging and logic locking. We demonstrate that cyclic logic locking creates SAT resilient circuits with 40% less area and 20% less delay compared to an insecure XOR/XNOR-obfuscation with the same key length. Furthermore, we show that cyclic IC camouflaging can be implemented at the layout level with no substrate area overhead and little delay and power overhead with respect to the original circuit.

Jaya Dofe,Chen Yan,Scott Kontak,Emre Salman,Qiaoyan Yu

DOI: https://doi.org/10.1109/AsianHOST.2016.7835570

2016-01-01

Abstract:This work proposes a novel method for transistor-level logic locking to address intellectual property (IP) piracy and reverse engineering attacks in monolithic three-dimensional (M3D) ICs. The proposed method locks logic gates by independently inserting parallel or serial locking transistors and camouflaged contacts in multiple tiers in M3D ICs. Without the correct key bits and confidential information for camouflaged contacts, the locked logic gates will malfunction and significantly alter power profiles, which makes reverse engineering attacks more difficult. The performance overhead of the proposed method is evaluated with ISCAS'85 benchmark circuits synthesized and placed with a customized M3D IC library. Case study on c6288 benchmark circuit shows that the proposed locking method with the correct key increases the power by only 0.26%. On average, this method consumes 2.3% more transistors than the baseline ISCAS'85 benchmark circuits.

Grace Li Zhang,Bing Li,Meng Li,Bei Yu,David Z. Pan,Michaela Brunner,Georg Sigl,Ulf Schlichtmann

DOI: https://doi.org/10.1109/TCAD.2020.2974338

2020-03-02

Abstract:With recent advances in reverse engineering, attackers can reconstruct a netlist to counterfeit chips by opening the die and scanning all layers of authentic chips. This relatively easy counterfeiting is made possible by the use of the standard simple clocking scheme, where all combinational blocks function within one clock period, so that a netlist of combinational logic gates and flip-flops is sufficient to duplicate a design. In this paper, we propose to invalidate the assumption that a netlist completely represents the function of a circuit with unconventional timing. With the introduced wave-pipelining paths, attackers have to capture gate and interconnect delays during reverse engineering, or to test a huge number of combinational paths to identify the wave-pipelining paths. To hinder the test-based attack, we construct false paths with wave-pipelining to increase the counterfeiting challenge. Experimental results confirm that wave-pipelining true paths and false paths can be constructed in benchmark circuits successfully with only a negligible cost, thus thwarting the potential attack techniques.

Cryptography and Security,Hardware Architecture

Xueyan Wang,Qiang Zhou,Yici Cai,Gang Qu

DOI: https://doi.org/10.1016/j.vlsi.2018.10.009

IF: 1.345

2018-01-01

Integration

Abstract:As one of the most effective proactive countermeasures against reverse engineering, circuit camouflaging has emerged to be a hot research topic and it is becoming a mature technology with the development of various de-camouflaging attacks. Among them, the SAT-based method is the most powerful one to defeat circuit camouflaging. However, SAT-based attacks have scalability problem due to the complexity of the underlying SAT solvers, and straightforward approach to parallelize SAT-based attacks will fail. In this article, we propose a novel parallelization framework for SAT-based attacks, which consists of a two-level partition method (independent module partitioning and k-medoids clustering), together with a novel conflict avoidance strategy. Specifically, we first break down the camouflaged netlist into multiple independent modules that can be solved in parallel. However, any good circuit camouflaging approach should produce one or multiple large modules. To solve this problem, we further apply the k -medoids algorithm to partition the large modules into multiple “high cohesion” and “low coupling” clusters. Utilizing the relative independence of these clusters, we propose a two-stage attack method to avoid conflicts among clusters. Experimental results on OpenSparc T1 microprocessor controller demonstrate that our approach can on average reduce the scales of the SAT formulas by more than 50%, reduce the attack iteration number by 45%, and achieves on average 3.6× and maximum 10× speed up over the best-known SAT-based de-camouflaging tool.

Kaveh Shamsi,Meng Li,Kenneth Plaks,Saverio Fazzari,David Z. Pan,Yier Jin

DOI: https://doi.org/10.1145/3342099

IF: 1.447

2019-01-01

ACM Transactions on Design Automation of Electronic Systems

Abstract:The globalization of the semiconductor supply chain introduces ever-increasing security and privacy risks. Two major concerns are IP theft through reverse engineering and malicious modification of the design. The latter concern in part relies on successful reverse engineering of the design as well. IC camouflaging and logic locking are two of the techniques under research that can thwart reverse engineering by end-users or foundries. However, developing low overhead locking/camouflaging schemes that can resist the ever-evolving state-of-the-art attacks has been a challenge for several years. This article provides a comprehensive review of the state of the art with respect to locking/camouflaging techniques. We start by defining a systematic threat model for these techniques and discuss how various real-world scenarios relate to each threat model. We then discuss the evolution of generic algorithmic attacks under each threat model eventually leading to the strongest existing attacks. The article then systematizes defences and along the way discusses attacks that are more specific to certain kinds of locking/camouflaging. The article then concludes by discussing open problems and future directions.

Kaveh Shamsi,Meng Li,Kenneth Plaks,Saverio Fazzari,David Z. Pan,Yier Jin

DOI: https://doi.org/10.1145/3342099

IF: 1.447

2019-11-14

ACM Transactions on Design Automation of Electronic Systems

Abstract:The globalization of the semiconductor supply chain introduces ever-increasing security and privacy risks. Two major concerns are IP theft through reverse engineering and malicious modification of the design. The latter concern in part relies on successful reverse engineering of the design as well. IC camouflaging and logic locking are two of the techniques under research that can thwart reverse engineering by end-users or foundries. However, developing low overhead locking/camouflaging schemes that can resist the ever-evolving state-of-the-art attacks has been a challenge for several years. This article provides a comprehensive review of the state of the art with respect to locking/camouflaging techniques. We start by defining a systematic threat model for these techniques and discuss how various real-world scenarios relate to each threat model. We then discuss the evolution of generic algorithmic attacks under each threat model eventually leading to the strongest existing attacks. The article then systematizes defences and along the way discusses attacks that are more specific to certain kinds of locking/camouflaging. The article then concludes by discussing open problems and future directions.

computer science, software engineering, hardware & architecture

Akshay Wali,Shamik Kundu,Andrew J Arnold,Guangwei Zhao,Kanad Basu,Saptarshi Das

DOI: https://doi.org/10.1021/acsnano.0c10651

IF: 17.1

2021-02-23

ACS Nano

Abstract:Reverse engineering (RE) is one of the major security threats to the semiconductor industry due to the involvement of untrustworthy parties in an increasingly globalized chip manufacturing supply chain. RE efforts have already been successful in extracting device level functionalities from an integrated circuit (IC) with very limited resources. Camouflaging is an obfuscation method that can thwart such RE. Existing work on IC camouflaging primarily involves transformable interconnects and/or covert gates where variation in doping and dummy contacts hide the circuit structure or build cells that look alike but have different functionalities. Emerging solutions, such as polymorphic gates based on a giant spin Hall effect and Si nanowire field effect transistors (FETs), are also promising but add significant area overhead and are successfully decamouflaged by the satisfiability solver (SAT)-based RE techniques. Here, we harness the properties of two-dimensional (2D) transition-metal dichalcogenides (TMDs) including MoS2, MoSe2, MoTe2, WS2, and WSe2 and their optically transparent transition-metal oxides (TMOs) to demonstrate area efficient camouflaging solutions that are resilient to SAT attack and automatic test pattern generation attacks. We show that resistors with resistance values differing by 5 orders of magnitude, diodes with variable turn-on voltages and reverse saturation currents, and FETs with adjustable conduction type, threshold voltages, and switching characteristics can be optically camouflaged to look exactly similar by engineering TMO/TMD heterostructures, allowing hardware obfuscation of both digital and analog circuits. Since this 2D heterostructure devices family is intrinsically camouflaged, NAND/NOR/AND/OR gates in the circuit can be obfuscated with significantly less area overhead, allowing 100% logic obfuscation compared to only 5% for complementary metal oxide semiconductor (CMOS)-based camouflaging. Finally, we demonstrate that the largest benchmarking circuit from ISCAS'85, comprised of more than 4000 logic gates when obfuscated with the CMOS-based technique, is successfully decamouflaged by SAT attack in <40 min; whereas, it renders to be invulnerable even in more than 10 h when camouflaged with 2D heterostructure devices, thereby corroborating our hypothesis of high resilience against RE. Our approach of connecting material properties to innovative devices to secure circuits can be considered as a one of a kind demonstration, highlighting the benefits of cross-layer optimization.

Qinhan Tan,Seetal Potluri,Aydin Aysu

DOI: https://doi.org/10.48550/arXiv.2005.13048

2021-02-17

Abstract:Intellectual Property (IP) theft is a serious concern for the integrated circuit (IC) industry. To address this concern, logic locking countermeasure transforms a logic circuit to a different one to obfuscate its inner details. The transformation caused by obfuscation is reversed only upon application of the programmed secret key, thus preserving the circuit's original function. This technique is known to be vulnerable to Satisfiability (SAT)-based attacks. But in order to succeed, SAT-based attacks implicitly assume a perfectly reverse-engineered circuit, which is difficult to achieve in practice due to reverse engineering (RE) errors caused by automated circuit extraction. In this paper, we analyze the effects of random circuit RE-errors on the success of SAT-based attacks. Empirical evaluation on ISCAS, MCNC benchmarks as well as a fully-fledged RISC-V CPU reveals that the attack success degrades exponentially with increase in the number of random RE-errors. Therefore, the adversaries either have to equip RE-tools with near perfection or propose better SAT-based attacks that can work with RE-imperfections.

Cryptography and Security

Xueyan Wang,Xiaotao Jia,Qiang Zhou,Yici Cai,Jianlei Yang,Mingze Gao,Gang Qu

DOI: https://doi.org/10.1145/2902961.2903000

2016-01-01

Abstract:Circuit obfuscation techniques have been proposed to conceal circuit's functionality in order to thwart reverse engineering (RE) attacks to integrated circuits (IC). We believe that a good obfuscation method should have low design complexity and low performance overhead, yet, causing high RE attack complexity. However, existing obfuscation techniques do not meet all these requirements. In this paper, we propose a polynomial obfuscation scheme which leverages special designed multiplexers (MUXs) to replace judiciously selected logic gates. Candidate to-be-obfuscated logic gates are selected based on a novel gate classification method which utilizes IC topological structure information. We show that this scheme is resilient to all the known attacks, hence it is secure. Experiments are conducted on ISCAS 85/89 and MCNC benchmark suites to evaluate the performance overhead due to obfuscation.

Jianfeng Wang,Zhonghao Chen,Jiahao Zhang,Yixin Xu,Tongguang Yu,Ziheng Zheng,Enze Ye,Sumitha George,Huazhong Yang,Yongpan Liu,Kai Ni,Vijaykrishnan Narayanan,Xueqing Li

DOI: https://doi.org/10.1145/3640462

IF: 1.447

2024-02-14

ACM Transactions on Design Automation of Electronic Systems

Abstract:Logic camouflage is a widely adopted technique that mitigates the threat of intellectual property (IP) piracy and overproduction in the integrated circuit (IC) supply chain. Camouflaged logic achieves functional obfuscation through physical-level ambiguity and post-manufacturing programmability. However, discussions on programmability are confined to the level of logic cells/gates, limiting the broader-scale application of logic camouflage. In this work, we propose a novel module-level configuration methodology for programmable camouflaged logic that can be implemented without additional hardware ports and with negligible resources. We prove theoretically that the configuration of the programmable camouflaged logic cells can be achieved through the inputs and netlist of the original module. Further, we propose a novel lightweight ferroelectric FET (FeFET)-based reconfigurable logic gate (rGate) family and apply it to the proposed methodology. With the flexible replacement and the proposed configuration-aware conversion algorithm, this work is characterized by the input-only programming scheme as well as the combination of high output error rate and point-function-like defense. Evaluations show an average of >95% of the alternative rGate location for camouflage, which is sufficient for the security-aware design. We illustrate the exponential complexity in function state traversal and the enhanced defense capability of locked blackbox against Boolean Satisfiability (SAT) attacks compared with key-based methods. We also preserve an evident output Hamming distance and introduce negligible hardware overheads in both gate-level and module-level evaluations under typical benchmarks.

computer science, software engineering, hardware & architecture