Xueyan Wang,Qiang Zhou,Yici Cai,Gang Qu

DOI: https://doi.org/10.1109/ISCAS.2016.7538897

2016-01-01

Abstract:Circuit camouflaging techniques have been proposed to thwart reverse engineering (RE) attacks to integrated circuits (IC). In one of the most well-known camouflaging methods, selective XOR, NAND, and NOR gates are replaced by configurable logic units which have the same appearance to the RE attackers. It is argued that a successful attack has to brute force search all the camouflaged gates' possible {XOR, NAND, NOR} combinations, resulting in the attack complexity exponential to the number of camouflaged gates. In this paper, we have reported an attack to significantly reduce this complexity by partitioning the IC to many subcircuits to attack individually. We validate the power of the proposed circuit partition based attack on ISCAS benchmark suite and OpenSparc T1 microprocessor, and propose a potential countermeasure to re-secure IC camouflaging.

Xue-Yan Wang,Qiang Zhou,Yi-Ci Cai,Gang Qu

DOI: https://doi.org/10.1007/s11390-018-1807-6

2018-01-01

Abstract:Intellectual property (IP) protection is one of the hardcore problems in hardware security. Semiconductor industry still lacks effective and proactive defense to shield IPs from reverse engineering (RE) based attacks. Integrated circuit (IC) camouflaging technique fills this gap by replacing some conventional logic gates in the IPs with specially designed logic cells (called camouflaged gates) without changing the functions of the IPs. The camouflaged gates can perform different logic functions while maintaining an identical look to RE attackers, thus preventing them from obtaining the layout information of the IP directly from RE tools. Since it was first proposed in 2012, circuit camouflaging has become one of the hottest research topics in hardware security focusing on two fundamental problems. How to choose the types of camouflaged gates and decide where to insert them in order to simultaneously minimize the performance overhead and optimize the RE complexity? How can an attacker de-camouflage a camouflaged circuit and complete the RE attack? In this article, we review the evolution of circuit camouflaging through this spear and shield race. First, we introduce the design methods of four different kinds of camouflaged cells based on true/dummy contacts, static random access memory (SRAM), doping, and emerging devices, respectively. Then we elaborate four representative de-camouflaging attacks: brute force attack, IC testing based attack, satisfiability-based (SAT-based) attack, and the circuit partition based attack, and the corresponding countermeasures: clique-based camouflaging, CamoPerturb, AND-tree camouflaging, and equivalent class based camouflaging, respectively. We argue that the current research efforts should be on reducing overhead introduced by circuit camouflaging and defeating de-camouflaging attacks. We point out that exploring features of emerging devices could be a promising direction. Finally, as a complement to circuit camouflaging, we conclude with a brief review of other state-of-the-art IP protection techniques.

Meng Li,Kaveh Shamsi,Travis Meade,Zheng Zhao,Bei Yu,Yier Jin,David Z. Pan

DOI: https://doi.org/10.1145/2966986.2967065

IF: 2.9

2019-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:The advancing of reverse engineering techniques has complicated the efforts in intellectual property protection. Proactive methods have been developed recently, among which layout-level IC camouflaging is the leading example. However, existing camouflaging methods are rarely supported by provably secure criteria, which further leads to over-estimation of the security level when countering the latest de-camouflaging attacks, e.g., the SAT-based attack. In this paper, a quantitative security criterion is proposed for de-camouflaging complexity measurements and formally analyzed through the demonstration of the equivalence between the existing de-camouflaging strategy and the active learning scheme. Supported by the new security criterion, two novel camouflaging techniques are proposed, the low-overhead camouflaging cell library and the AND-tree structure, to help achieve exponentially increasing security levels at the cost of linearly increasing performance overhead on the circuit under protection. A provably secure camouflaging framework is then developed by combining these two techniques. Experimental results using the security criterion show that the camouflaged circuits with the proposed framework are of high resilience against the SAT-based attack with negligible performance overhead.

Shan Jiang,Ning Xu,Xue-Yan Wang,Qiang Zhou

DOI: https://doi.org/10.1007/s11390-018-1870-z

2018-01-01

Abstract:Integrated circuit (IC) camouflaging technique has been applied as a countermeasure against reverse engineering (RE). However, its effectiveness is threatened by a boolean satisfiability (SAT) based de-camouflaging attack, which is able to restore the camouflaged circuit within only minutes. As a defense to the SAT-based de-camouflaging attack, a brand new camouflaging strategy (called CamoPerturb) has been proposed recently, which perturbs one minterm by changing one gate’s functionality and then restores the perturbed circuit with a separated camouflaged block, achieving good resistance against the SAT-based attack. In this paper, we analyze the security vulnerabilities of CamoPerturb by illustrating the mechanism of minterm perturbation induced by gate replacement, then propose an attack to restore the changed gate’s functionality, and recover the camouflaged circuit. The attack algorithm is facilitated by sensitization and implication principles in automatic test pattern generation (ATPG) techniques. Experimental results demonstrate that our method is able to restore the camouflaged circuits with very little time consumption.

Xueyan Wang,Qiang Zhou,Yici Cai,Gang Qu

DOI: https://doi.org/10.1016/j.vlsi.2018.10.009

IF: 1.345

2018-01-01

Integration

Abstract:As one of the most effective proactive countermeasures against reverse engineering, circuit camouflaging has emerged to be a hot research topic and it is becoming a mature technology with the development of various de-camouflaging attacks. Among them, the SAT-based method is the most powerful one to defeat circuit camouflaging. However, SAT-based attacks have scalability problem due to the complexity of the underlying SAT solvers, and straightforward approach to parallelize SAT-based attacks will fail. In this article, we propose a novel parallelization framework for SAT-based attacks, which consists of a two-level partition method (independent module partitioning and k-medoids clustering), together with a novel conflict avoidance strategy. Specifically, we first break down the camouflaged netlist into multiple independent modules that can be solved in parallel. However, any good circuit camouflaging approach should produce one or multiple large modules. To solve this problem, we further apply the k -medoids algorithm to partition the large modules into multiple “high cohesion” and “low coupling” clusters. Utilizing the relative independence of these clusters, we propose a two-stage attack method to avoid conflicts among clusters. Experimental results on OpenSparc T1 microprocessor controller demonstrate that our approach can on average reduce the scales of the SAT formulas by more than 50%, reduce the attack iteration number by 45%, and achieves on average 3.6× and maximum 10× speed up over the best-known SAT-based de-camouflaging tool.

Shan Jiang,Ning Xu,Xueyan Wang,Qiang Zhou

DOI: https://doi.org/10.3969/j.issn.1001-0505.2017.S1.035

2017-01-01

Abstract:To further enhance the security of the minterm protection based integrated circuit(IC) camouflaging strategy,an efficient attack technique for its circuit structure defects was proposed,and its improvements were analyzed.Firstly, the implementation methods for the minterm protection based camouflaging strategy proposed by CamoPerturb were analyzed, and the mechanism of the minterm perturbation induced by the gate replacement was demonstrated by leveraging sensitization and implication principles.Then,the replaced gate and the perturbed minterm were calculated by u-sing FAN algorithm as a reference, thus recovering the original circuit structure.The experimental results in ISCAS'89 benchmark circuits and the controllers of OpenSPARC microprocessor,show that the CamoPerturb circuit can be decamouflaged in a few milliseconds by using the proposed method.

Gonglong Chen,Wei Dong

DOI: https://doi.org/10.1145/3418210

2020-01-01

ACM Transactions on Sensor Networks

Abstract:Recently, Cross-Technology Communication (CTC), allowing the direct communication among heterogeneous devices with incompatible physical layers, has attracted much research attention. Many efficient CTC protocols have been proposed to demonstrate its promise in IoT applications. However, the applications built upon CTC will be significantly impaired when CTC suffers from malicious attacks such as jamming or sniffing. In this article, we implement a reactive jamming system, JamCloak, that can attack most existing CTC protocols. To this end, we first propose a taxonomy of the existing CTC protocols. Then based on the taxonomy, we extract essential features to train a CTC detection model, and estimate the parameters that can efficiently jam CTC links. Experimental results show that JamCloak consistently achieves 94.7% of classification accuracy on average in both Line-of-Sight and Non-Line-of-Sight scenarios. We also apply JamCloak to attack three existing CTC protocols: WiZig, Esense and EMF. Results show that JamCloak can significantly reduce PDR (packet delivery ratio) by 80.8% on average in practical environments. In the meantime, JamCloak’s jamming gain is more than 1.78× higher than the existing reactive jammer. In addition, we propose a practical countermeasure against reactive jamming attacks over CTC links like JamCloak. Results show that our approach significantly improves the jamming detection accuracy by 91.2% on average than the existing approach, and effectively decreases the reduction in packet delivery ratio to 1.7%.

Xueyan Wang,Qiang Zhou,Yici Cai,Gang Qu

DOI: https://doi.org/10.1109/aspdac.2018.8297315

2018-01-01

Abstract:As one of the most effective proactive countermeasures against reverse engineering, circuit camouflaging has emerged to be a hot research topic and it is becoming a mature technology with the development of various de-camouflaging attacks. Among them, the SAT-based method is the most powerful one to defeat circuit camouflaging. However, SAT-based attacks have scalability problem due to the complexity of the underlying SAT solvers, and straightforward approach to parallelize SAT-based attacks will fail. In this paper, we propose a two-level partition method (independent module partitioning and k-medoids clustering), together with a novel conflict avoidance strategy to solve the problem. Experimental results on OpenSparc T1 microprocessor controller demonstrate that our approach can on average reduce the scales of the SAT formulas by more than 50% and achieve 3.6x speedup on the best-known SAT-based de-camouflaging tool.

Tingyuan Nie,Jie Sun,Aiguo Ji,Zhe-Ming Lu

DOI: https://doi.org/10.1587/elex.10.20130138

2013-01-01

IEICE Electronics Express

Abstract:The continuously widening design productivity gap in the past few decades gives high incentives to counterfeiting ICs. Existing intellectual property (IP) protection schemes demand high overheads, and some techniques like watermarking do not facilitate tracing of illegal users. In this letter, we propose a novel fingerprinting method based on post-processing on circuit partitions. We evaluate our method on the ISPD98 benchmark suite. The experimental results demonstrate the effectiveness of the proposal. The fingerprinting design is distinct because the Hamming distance between fingerprinted IP designs is large enough to resist a collusion attack.

Xueyan Wang,Qiang Zhou,Yici Cai,Gang Qu

DOI: https://doi.org/10.1109/tcad.2018.2864220

IF: 2.9

2019-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:Since the first circuit obfuscation technique was proposed to thwart reverse engineering (RE) attacks to integrated circuits (ICs), there have been active research in de-obfuscation attacks and new obfuscation countermeasures. Although it is crucial for an obfuscation method to be secure against known de-obfuscation attacks, it is equally important to keep the cost of circuit obfuscation low. Most importantly, obfuscation methods need to be formally analyzed for their effectiveness and efficiency. In this paper, we propose a set of quantitatively evaluable metrics for this purpose, particularly facilitated by a recently proposed circuit partition attack (CPA) and the powerful SAT-based attack (SATA). Moreover, we find that CPA can be applied prior to any de-obfuscation attacks to reduce RE efforts exponentially. We then propose a new equivalent class guided obfuscation scheme (ECG-Obfus) to defeat CPA which leverages specially designed camouflaged cells to replace judiciously selected logic gates. Specifically, we select candidate gates for obfuscation from one certain equivalent class, in which the underlying equivalent relation is defined based on IC topological structure information. We evaluate ECG-Obfus using the proposed metrics and conduct experiments on ISCAS 85/89 standard benchmark suites and OpenSparc T1 microprocessor. The results show that ECG-Obfus gains good resilience against known de-obfuscation attacks (including CPA and SATA), with low design complexity and performance overhead.

Mohamed El Massad,Siddharth Garg,Mahesh Tripunitara

DOI: https://doi.org/10.48550/arXiv.1710.10474

2017-10-28

Cryptography and Security

Abstract:Integrated circuit (IC) camouflaging is a promising technique to protect the design of a chip from reverse engineering. However, recent work has shown that even camouflaged ICs can be reverse engineered from the observed input/output behaviour of a chip using SAT solvers. However, these so-called SAT attacks have so far targeted only camouflaged combinational circuits. For camouflaged sequential circuits, the SAT attack requires that the internal state of the circuit is controllable and observable via the scan chain. It has been implicitly assumed that restricting scan chain access increases the security of camouflaged ICs from reverse engineering attacks. In this paper, we develop a new attack methodology to decamouflage sequential circuits without scan access. Our attack uses a model checker (a more powerful reasoning tool than a SAT solver) to find a discriminating set of input sequences, i.e., one that is sufficient to determine the functionality of camouflaged gates. We propose several refinements, including the use of a bounded model checker, and sufficient conditions for determining when a set of input sequences is discriminating to improve the run-time and scalabilty of our attack. Our attack is able to decamouflage a large sequential benchmark circuit that implements a subset of the VIPER processor.

Grace Li Zhang,Bing Li,Meng Li,Bei Yu,David Z. Pan,Michaela Brunner,Georg Sigl,Ulf Schlichtmann

DOI: https://doi.org/10.1109/TCAD.2020.2974338

2020-03-02

Abstract:With recent advances in reverse engineering, attackers can reconstruct a netlist to counterfeit chips by opening the die and scanning all layers of authentic chips. This relatively easy counterfeiting is made possible by the use of the standard simple clocking scheme, where all combinational blocks function within one clock period, so that a netlist of combinational logic gates and flip-flops is sufficient to duplicate a design. In this paper, we propose to invalidate the assumption that a netlist completely represents the function of a circuit with unconventional timing. With the introduced wave-pipelining paths, attackers have to capture gate and interconnect delays during reverse engineering, or to test a huge number of combinational paths to identify the wave-pipelining paths. To hinder the test-based attack, we construct false paths with wave-pipelining to increase the counterfeiting challenge. Experimental results confirm that wave-pipelining true paths and false paths can be constructed in benchmark circuits successfully with only a negligible cost, thus thwarting the potential attack techniques.

Cryptography and Security,Hardware Architecture

Meng Li,Kaveh Shamsi,Yier Jin,David Z. Pan

DOI: https://doi.org/10.1109/test.2018.8624671

2018-01-01

Abstract:In order to counter advanced reverse engineering techniques, various integrated circuit (IC) camouflaging methods are proposed to protect hardware intellectual property (IP) proactively. For example, a timing-based camouflaging strategy is developed recently representing a new class of parametric camouflaging strategies. Unlike traditional IC camouflaging techniques that directly hide the circuit functionality, the new parametric strategies obfuscate the circuit timing schemes, which in turn protects the circuit functionality and invalidates all the existing attacks. In this paper, we propose a SAT attack, named TimingSAT, to analyze the security of such timing-based camouflaging strategies. We demonstrate that with a proper transformation of the camouflaged netlist, traditional SAT attacks are still effective to decamouflage the new protection methods. The correctness of the resolved circuit functionality is formally proved. While a direct implementation of TimingSAT suffers from poor scalability, we propose a simplification procedure to significantly enhance the attack efficiency without sacrificing the correctness of the decamouflaged netlist. The efficiency and effectiveness of TimingSAT is validated with extensive experimental results.

Tingyuan Nie,Lijian Zhou,Zhe-Ming Lu

DOI: https://doi.org/10.1049/iet-cds.2015.0036

2016-01-01

Abstract:The intellectual property (IP) reuse-based design model is vulnerable to misappropriation and fraud. The situation requires new IP protection mechanisms to guarantee the rights for both IP producers and IP users. In this study, the authors study the constraints used in circuit partitioning and hereby introduce two fingerprinting methods by cell perturbations. They evaluate the proposed methods on ISPD98 benchmark suits by the state-of-the-art partitioner hMetis and cell manipulation. By tuning the fingerprinting strategies, the performance of fingerprinted designs is well maintained. Experimental result shows that the overhead of fingerprinting methods is trivial. The relative Hamming distance of cell fixing method is high, which indicates the method could yield distinct fingerprinting solutions. The relative Hamming distance of cell exchange method is low which is due to the low percentage of cell being fixed.

Han Gan,Hongxin Zhang,Muhammad Saad Khan,Xueli Wang,Fan Zhang,Pengfei He

DOI: https://doi.org/10.1109/cc.2017.8068768

2017-01-01

China Communications

Abstract:Correlation power analysis (CPA) has become a successful attack method about crypto-graphic hardware to recover the secret keys. However, the noise influence caused by the random process interrupts (RPIs) becomes an important factor of the power analysis attack efficiency, which will cost more traces or attack time. To address the issue, an improved method about empirical mode decomposition (EMD) was proposed. Instead of restructuring the decomposed signals of intrinsic mode functions (IMFs), we extract a certain intrinsic mode function (IMF) as new feature signal for CPA attack. Meantime, a new attack assessment is proposed to compare the attack effectiveness of different methods. The experiment shows that our method has more excellent performance on CPA than others. The first and the second IMF can be chosen as two optimal feature signals in CPA. In the new method, the signals of the first IMF increase peak visibility by 64% than those of the tradition EMD method in the situation of non-noise. On the condition of different noise interference, the orders of attack efficiencies are also same. With external noise interference, the attack effect of the first IMF based on noise with 15dB is the best.

Kaveh Shamsi,Meng Li,Kenneth Plaks,Saverio Fazzari,David Z. Pan,Yier Jin

DOI: https://doi.org/10.1145/3342099

IF: 1.447

2019-01-01

ACM Transactions on Design Automation of Electronic Systems

Abstract:The globalization of the semiconductor supply chain introduces ever-increasing security and privacy risks. Two major concerns are IP theft through reverse engineering and malicious modification of the design. The latter concern in part relies on successful reverse engineering of the design as well. IC camouflaging and logic locking are two of the techniques under research that can thwart reverse engineering by end-users or foundries. However, developing low overhead locking/camouflaging schemes that can resist the ever-evolving state-of-the-art attacks has been a challenge for several years. This article provides a comprehensive review of the state of the art with respect to locking/camouflaging techniques. We start by defining a systematic threat model for these techniques and discuss how various real-world scenarios relate to each threat model. We then discuss the evolution of generic algorithmic attacks under each threat model eventually leading to the strongest existing attacks. The article then systematizes defences and along the way discusses attacks that are more specific to certain kinds of locking/camouflaging. The article then concludes by discussing open problems and future directions.

Haocheng Ma,Jiaji He,Yanjiang Liu,Leibo Liu,Yiqiang Zhao,Yier Jin

DOI: https://doi.org/10.1109/tcad.2020.3024938

2019-01-01

Abstract:Side-Channel Analysis (SCA) attacks are major threats to hardware security. Upon this security threat, various countermeasures at different design layers have been proposed against SCA attacks. These approaches often introduce significant performance overheads and impose high requirements of side-channel security backgrounds to IC designers. In this paper, we propose an automatic computer-aided design (CAD) tool that can enhance the circuit resistance against electromagnetic (EM) SCA attacks. This new tool will guide a security-driven placement process and can be seamlessly integrated into the modern IC design flow. The protected IC design will be resilient to SCA attacks with negligible area and power overheads. In order to develop this tool, we first investigate the root-cause of EM leakage at layout level and mathematically demonstrate the feasibility of security-driven placement through the EM leakage modeling. We then identify that the correlation between the data under protection and the EM leakage can be significantly reduced through data-dependent registers reallocation. Simulation results on cryptographic circuits prove the effectiveness of both the constructed EM leakage model and the EM model based CAD tool for EM security.

Kaveh Shamsi,Meng Li,Kenneth Plaks,Saverio Fazzari,David Z. Pan,Yier Jin

DOI: https://doi.org/10.1145/3342099

IF: 1.447

2019-11-14

ACM Transactions on Design Automation of Electronic Systems

Abstract:The globalization of the semiconductor supply chain introduces ever-increasing security and privacy risks. Two major concerns are IP theft through reverse engineering and malicious modification of the design. The latter concern in part relies on successful reverse engineering of the design as well. IC camouflaging and logic locking are two of the techniques under research that can thwart reverse engineering by end-users or foundries. However, developing low overhead locking/camouflaging schemes that can resist the ever-evolving state-of-the-art attacks has been a challenge for several years. This article provides a comprehensive review of the state of the art with respect to locking/camouflaging techniques. We start by defining a systematic threat model for these techniques and discuss how various real-world scenarios relate to each threat model. We then discuss the evolution of generic algorithmic attacks under each threat model eventually leading to the strongest existing attacks. The article then systematizes defences and along the way discusses attacks that are more specific to certain kinds of locking/camouflaging. The article then concludes by discussing open problems and future directions.

computer science, software engineering, hardware & architecture

王晨旭,张凯峰,喻明艳,王进祥

DOI: https://doi.org/10.3778/j.issn.1002-8331.1207-0302

2013-01-01

Abstract:Differential Power Analysis(DPA), a technology of non-invasive side-channel attack, has posed a serious threat for the safety of cipher integrated circuits. In order to evaluate the effectiveness of power analysis attack countermeasure conveniently, following the gate-level power analysis method, a Correlation Power Analysis(CPA)research platform based on PrimeTime PX and MATLAB is built. The auxiliary platform has a strong universality, and only by reworking cipher-specific power model, the algorithm level countermeasures for different ciphers can be evaluated easily. As an application, standard AES algorithm and the improved AES algorithm with threshold countermeasure method is attacked, showing the platform effectiveness.

Jianfeng Wang,Zhonghao Chen,Jiahao Zhang,Yixin Xu,Tongguang Yu,Ziheng Zheng,Enze Ye,Sumitha George,Huazhong Yang,Yongpan Liu,Kai Ni,Vijaykrishnan Narayanan,Xueqing Li

DOI: https://doi.org/10.1145/3640462

IF: 1.447

2024-02-14

ACM Transactions on Design Automation of Electronic Systems

Abstract:Logic camouflage is a widely adopted technique that mitigates the threat of intellectual property (IP) piracy and overproduction in the integrated circuit (IC) supply chain. Camouflaged logic achieves functional obfuscation through physical-level ambiguity and post-manufacturing programmability. However, discussions on programmability are confined to the level of logic cells/gates, limiting the broader-scale application of logic camouflage. In this work, we propose a novel module-level configuration methodology for programmable camouflaged logic that can be implemented without additional hardware ports and with negligible resources. We prove theoretically that the configuration of the programmable camouflaged logic cells can be achieved through the inputs and netlist of the original module. Further, we propose a novel lightweight ferroelectric FET (FeFET)-based reconfigurable logic gate (rGate) family and apply it to the proposed methodology. With the flexible replacement and the proposed configuration-aware conversion algorithm, this work is characterized by the input-only programming scheme as well as the combination of high output error rate and point-function-like defense. Evaluations show an average of >95% of the alternative rGate location for camouflage, which is sufficient for the security-aware design. We illustrate the exponential complexity in function state traversal and the enhanced defense capability of locked blackbox against Boolean Satisfiability (SAT) attacks compared with key-based methods. We also preserve an evident output Hamming distance and introduce negligible hardware overheads in both gate-level and module-level evaluations under typical benchmarks.

computer science, software engineering, hardware & architecture