research-article

Security Assessment of Dynamically Obfuscated Scan Chain Against Oracle-guided Attacks

Authors:

M Sazadur Rahman,

Saverio Fazzari,

Farimah Farahmandi,

Mark TehranipoorAuthors Info & Claims

ACM Transactions on Design Automation of Electronic Systems (TODAES), Volume 26, Issue 4

Article No.: 29, Pages 1 - 27

https://doi.org/10.1145/3444960

Published: 13 March 2021 Publication History

Abstract

Logic locking has emerged as a promising solution to protect integrated circuits against piracy and tampering. However, the security provided by existing logic locking techniques is often thwarted by Boolean satisfiability (SAT)-based oracle-guided attacks. Criteria for successful SAT attacks on locked circuits include: (i) the circuit under attack is fully combinational, or (ii) the attacker has scan chain access. To address the threat posed by SAT-based attacks, we adopt the dynamically obfuscated scan chain (DOSC) architecture and illustrate its resiliency against the SAT attacks when inserted into the scan chain of an obfuscated design. We demonstrate, both mathematically and experimentally, that DOSC exponentially increases the resiliency against key extraction by SAT attack and its variants. Our results show that the mathematical estimation of attack complexity correlates to the experimental results with an accuracy of 95% or better. Along with the formal proof, we model DOSC architecture to its equivalent combinational circuit and perform SAT attack to evaluate its resiliency empirically. Our experiments demonstrate that SAT attack on DOSC-inserted benchmark circuits timeout at minimal test time overhead, and while DOSC requires less than 1% area and power overhead.

References

[1]

B. Shakya et al. 2017. Introduction to hardware obfuscation: Motivation, methods and evaluation. In Hardware Protection through Obfuscation. Springer, 3--32.

[2]

A. B. Kahng et al. 1998. Watermarking techniques for intellectual property protection. In Proceedings of the 35th Annual Annual Design Automation Conference (DAC’98). ACM, 776--781.

[3]

IEEE. 2014. IEEE recommended practice for encryption and management of electronic design intellectual property. Retrieved from https://standards.ieee.org/findstds/standard/1735-2014.html.

[4]

J. A. Roy et al. 2008. Epic: Ending piracy of integrated circuits. In Proceedings of the Conference on Design, Automation and Test in Europe. ACM, 1069--1074.

[5]

R. S. Chakraborty and S. Bhunia. 2008. Hardware protection and authentication through netlist level obfuscation. In Proceedings of the IEEE/ACM International Conference on Computer-Aided Design (ICCAD’08). IEEE Press, 674--677.

[6]

R. S. Chakraborty and S. Bhunia. 2009. Harpoon: An obfuscation-based SoC design methodology for hardware protection. IEEE TCAD Circ. Syst. 28, 10 (2009), 1493--1502.

Digital Library

[7]

J. Rajendran et al. 2013. Security analysis of integrated circuit camouflaging. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. ACM, 709--720.

[8]

R. W. Jarvis and M. G. Mcintyre. 2007. Split manufacturing method for advanced semiconductor circuits. U.S. Patent 7,195,931.

[9]

M. T. Rahman et al. 2014. CSST: Preventing distribution of unlicensed and rejected ICs by untrusted foundry and assembly. In Proceedings of the IEEE International Symposium on Defect and Fault Tolerance (DFT’14). IEEE, 46--51.

[10]

A. Chhotaray et al. 2017. Standardizing bad cryptographic practice. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’17). ACM, 1533--1546.

[11]

J. J. Rajendran et al. 2013. Is split manufacturing secure? In Proceedings of the Conference on Design, Automation and Test in Europe. EDA Consortium, 1259--1264.

[12]

J. Rajendran et al. 2013. Fault analysis-based logic encryption. IEEE Trans. Comput. 64, 2 (2013), 410--424.

[13]

J. Rajendran et al. 2012. Security analysis of logic obfuscation. In Proceedings of the 49th Annual Design Automation Conference. ACM, 83--89.

[14]

J. Robertson and M. Riley. 2018. The big hack: How china used a tiny chip to infiltrate U.S. companies. Bloomberg.

[15]

DARPA. 2019. Automatic implementation of secure silicon. Retrieved from https://www.darpa.mil/news-events/2019-03-25.

[16]

DARPA. 2017. Darpa electronics resurgence initiative. https://www.darpa.mil/work-with-us/electronics-resurgence-initiative.

[17]

P. Subramanyan et al. 2015. Evaluating the security of logic encryption algorithms. In Proceedings of the IEEE International Symposium on Hardware-Oriented Security and Trust (HOST’15). IEEE, 137--143.

[18]

M. Yasin et al. 2016. Sarlock: Sat attack resistant logic locking. In Proceedings of the IEEE International Symposium on Hardware-Oriented Security and Trust (HOST’16). IEEE, 236--241.

[19]

Y. Xie and A. Srivastava. 2019. Anti-sat: Mitigating sat attack on logic locking. IEEE Trans. Integr. Circ. Syst. 38, 2 (2019), 199--207.

Digital Library

[20]

M. Yasin et al. 2017. Provably secure logic locking: From theory to practice. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’17). ACM, 1601--1618.

[21]

X. Xu et al. 2017. Novel bypass attack and BDD-based tradeoff analysis against all known logic locking attacks. In Proceedings of the International Conference on Cryptographic Hardware and Embedded Systems. Springer, 189--210.

[22]

M. Yasin et al. 2017. Security analysis of anti-sat. In Proceedings of the 22nd Asia and South Pacific Design Automation Conference (ASP-DAC’17). IEEE, 342--347.

[23]

M. Yasin et al. 2017. Removal attacks on logic locking and camouflaging techniques. IEEE Trans. Emerg. Top. Comput. 8, 2 (2017), 517--532.

[24]

K. Shamsi et al. 2017. Appsat: Approximately deobfuscating integrated circuits. In Proceedings of the IEEE International Symposium on Hardware Oriented Security and Trust (HOST’17). IEEE, 95--100.

[25]

D. Sirone and P. Subramanyan. 2019. Functional analysis attacks on logic locking. In Proceedings of the Design, Automation, and Test in Europe Conference (DATE’19). IEEE, 936--939.

[26]

L. Alrahis et al. 2019. ScanSAT: Unlocking static and dynamic scan obfuscation. In IEEE Trans. Emerg. Top. Comput. (2019). https://doi.org/10.1109/TETC.2019.2940750

[27]

X. Wang et al. 2017. Secure scan and test using obfuscation throughout supply chain. IEEE Trans. Integr. Circ. Syst. 37, 9 (2017), 1867--1880.

[28]

A. Cui et al. 2016. Static and dynamic obfuscations of scan data against scan-based side-channel attacks. IEEE TIFS 12, 2 (2016), 363--376.

[29]

S. M. Plaza and I. L. Markov. 2014. Protecting integrated circuits from piracy with test-aware logic locking. In Proceedings of the IEEE/ACM International Conference on Computer-Aided Design (ICCAD’14). IEEE Press, 262--269.

[30]

M. El Massad et al. 2015. Integrated circuit (ic) decamouflaging: Reverse engineering camouflaged ICs within minutes. In Proceedings of the Network and Distributed System Security Symposium (NDSS’15). 1--14.

[31]

R. Karmakar et al. 2018. Encrypt flip-flop: A novel logic encryption technique for sequential circuits. Retrieved from https://arXiv:1801.04961.

[32]

K. Kursawe et al. 2009. Reconfigurable physical unclonable functions-enabling technology for tamper-resistant storage. In Proceedings of the IEEE International Symposium on Hardware Oriented Security and Trust (HOST’09). IEEE, 22--29.

[33]

G. Sengar et al. 2007. Secured flipped scan-chain model for crypto-architecture. IEEE Trans. Integr. Circ. Syst. 26, 11 (2007), 2080--2084.

Digital Library

[34]

F. Brglez et al. 1989. Combinational profiles of sequential benchmark circuits. In Proceedings of the IEEE International Symposium on Circuits and Systems. 1929--1934.

[35]

F. Corno et al. 2000. Rt-level itc’99 benchmarks and first atpg results. IEEE DTC 17, 3 (2000), 44--53.

[36]

C. McDonald et al. 2008. An algebraic analysis of trivium ciphers based on the boolean satisfiability problem. In Proceedings of the 4th International Workshop on Boolean Functions: Cryptography and Applications. 173--184.

[37]

G. V. Bard et al. 2007. Efficient methods for conversion and solution of sparse systems of low-degree multivariate polynomials over gf (2) via sat-solvers. https://eprint.iacr.org/2007/024.

[38]

A. Klein. 2013. Linear feedback shift registers. In Stream Ciphers. Springer, 17--58.

[39]

C. Coarfa et al. 2000. Random 3-sat: The plot thickens. In Proceedings of the International Conference on Principles and Practice of Constraint Programming. Springer, 143--159.

[40]

G. S. Tseitin. 1983. On the complexity of derivation in propositional calculus. In Automation of Reasoning. Springer, 466--483.

[41]

J. C.-M. Li and M. S. Hsiao. 2009. Fault simulation and test generation. In Electronic Design Automation. Elsevier, 851--917.

[42]

M. Cygan et al. 2016. On problems as hard as cnf-sat. ACM Trans. Algor. 12, 3 (2016), 41.

[43]

T. E. Marchok et al. 1995. Complexity of sequential ATPG. In Proceedings of the European Design and Test Conference (ED&TC’95). IEEE, 252--261.

[44]

P. Chakraborty et al. 2018. Sail: Machine learning guided structural analysis attack on hardware obfuscation. In Proceedings of the IEEE Asian Hardware-Oriented Security and Trust Conference (AsianHOST’18). IEEE, 56--61.

[45]

E. Biham and A. Shamir. 1997. Differential fault analysis of secret key cryptosystems. In Proceedings of the Annual International Cryptology Conference. Springer, 513--525.

[46]

J. D. Rolt et al. 2013. A novel differential scan attack on advanced dft structures. ACM Trans. Design Autom. Electr. Syst. 18, 4 (2013), 58.

[47]

L. Azriel et al. 2016. Exploiting the scan side channel for reverse engineering of a vlsi device. Technical Report, Technion, Israel Institute of Technology. CCIT Report 897.

[48]

El Massad et al. 2017. Reverse engineering camouflaged sequential circuits without scan access. In Proceedings of the IEEE/ACM International Conference on Computer-Aided Design (ICCAD’17). 33--40.

[49]

Armin Biere. 2013. Lingeling, plingeling and treengeling entering the SAT competition 2013. In Proceedings of the SAT Competition.

[50]

Mate Soos. 2016. The CryptoMiniSat 5 set of solvers at SAT competition 2016. In Proceedings of the SAT Competition.

[51]

Niklas Sorensson and Niklas Een. 2005. Minisat v1. 13-a sat solver with conflict-clause minimization. In Proceedings of the International Conference on Theory and Applications of Satisfiability Testing (SAT’05). 1--2.

[52]

A. Cimatti, E. Clarke, F. Giunchiglia, and M. Roveri. 1999. NuSMV: A new symbolic model verifier. In Proceedings of the International Conference on Computer Aided Verification. 495--499.

[53]

Y. Atobe et al. 2012. Dynamically changeable secure scan architecture against scan-based side channel attack. In Proceedings of the IEEE International SoC Design Conference (ISOCC’12). 155--158.

[54]

N. Limaye et al. 2020. DynUnlock: Unlocking scan chains obfuscated using dynamic keys. Retrieved from https://arXiv:2001.06724.

[55]

A. Sengupta et al. 2018. ATPG-based cost-effective, secure logic locking. In Proceedings of the IEEE 36th Very Large-scale Integration Test Symposium (VTS’18). 1--6.

[56]

A. Jain et al. 2020. Atpg-guided fault injection attacks on logic locking. Retrieved from https://arXiv:2007.10512.

[57]

R. Karmakar et al. 2019. Efficient key-gate placement and dynamic scan obfuscation towards robust logic encryption. IEEE Trans. Emerg. Topics Comput. (2019). https://doi.org/10.1109/TETC.2019.2963094

[58]

Q. Nguyen et al. 2020. A secure scan controller for protecting logic locking. In Proceedings of the IEEE 26th International Symposium on On-Line Testing and Robust System Design (IOLTS’20). IEEE.

[59]

Y. Xie et al. 2017. Delay locking: Security enhancement of logic locking against ic counterfeiting and overproduction. In Proceedings of the 54th Annual Design Automation Conference.

[60]

A. Chakraborty et al. 2020. Evaluating the security of delay-locked circuits. IEEE Trans. Comput.-Aided Design Integr. Circ. Syst. (2020). https://doi.org/10.1109/TCAD.2020.3008843

[61]

Muhammad Yasin et al. 2017. What to lock? Functional and parametric locking. In Proceedings of the on Great Lakes Symposium on Very Large-scale Integration (VLSI’17).

[62]

Muhammad Yasin et al. 2016. Activation of logic encrypted chips: Pre-test or post-test? In Proceedings of the Design, Automation and Test in Europe Conference and Exhibition (DATE’16). IEEE.

[63]

Ujjwal Guin et al. 2016. FORTIS: A comprehensive solution for establishing forward trust for protecting IPs and ICs. ACM Trans. Design Autom. Electr. Syst. 21, 4 (2016), 1--20.

Digital Library

[64]

Tolga Acar et al. 2015. Key management using trusted platform modules. U.S. Patent No. 9,026,805.

[65]

Nicolas T. Courtois and Willi Meier. 2003. Algebraic attacks on stream ciphers with linear feedback. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques. Springer, Berlin.

Cited By

Talukdar JPaik WOrtega EChakrabarty K(2024)ALT-Lock: Logic and Timing Ambiguity-Based IP Obfuscation Against Reverse EngineeringIEEE Transactions on Very Large Scale Integration (VLSI) Systems10.1109/TVLSI.2024.341103332:8(1535-1548)Online publication date: 1-Aug-2024
https://dl.acm.org/doi/10.1109/TVLSI.2024.3411033
Azar KKamali HFarahmandi FTehranipoor M(2024)Improving Bounded Model Checkers Scalability for Circuit De-Obfuscation: An ExplorationIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.335728619(2771-2785)Online publication date: 1-Jan-2024
https://dl.acm.org/doi/10.1109/TIFS.2024.3357286
Kamali H(2024)From Full-Custom to Gate-Array ASIC for Hardware IP Protection2024 IEEE 17th Dallas Circuits and Systems Conference (DCAS)10.1109/DCAS61159.2024.10539912(1-5)Online publication date: 19-Apr-2024
https://doi.org/10.1109/DCAS61159.2024.10539912
Show More Cited By

Recommendations

Distributed Logic Encryption: Essential Security Requirements and Low-Overhead Implementation
GLSVLSI '22: Proceedings of the Great Lakes Symposium on VLSI 2022

Due to outsource manufacturing, the semiconductor industry must deal with various hardware threats such as piracy and overproduction. To prevent illegal electronic products from functioning, the circuit can be encrypted using a protected key only known ...
Boolean Domain Attack on Corrupt and Correct Based Logic Locking Techniques
GLSVLSI '24: Proceedings of the Great Lakes Symposium on VLSI 2024

Logic locking is a potential solution to prevent reverse engineering and integrated circuit (IC) counterfeiting from untrusted third parties within the IC supply chain. Among various techniques, corrupt and correct (CAC) based techniques offer strong ...
Robust and Attack Resilient Logic Locking with a High Application-Level Impact
Logic locking is a hardware security technique aimed at protecting intellectual property against security threats in the IC supply chain, especially those posed by untrusted fabrication facilities. Such techniques incorporate additional locking circuitry ...

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Design Automation of Electronic Systems

ACM Transactions on Design Automation of Electronic Systems Volume 26, Issue 4

Survey Paper

July 2021

209 pages

ISSN:1084-4309

EISSN:1557-7309

DOI:10.1145/3447538

Editor:
X. Sharon Hu
University of Notre Dame, USA

Issue’s Table of Contents

Copyright © 2021 ACM.

© 2021 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery

New York, NY, United States

Journal Family

ACM Journals for the Design of Smart and Connected Systems

Publication History

Published: 13 March 2021

Accepted: 01 December 2020

Revised: 01 October 2020

Received: 01 June 2020

Published in TODAES Volume 26, Issue 4

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

Defense Advanced Research Projects Agency (DARPA)

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

33
Total Citations
View Citations
440
Total Downloads

Downloads (Last 12 months)73
Downloads (Last 6 weeks)11

Reflects downloads up to 09 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Talukdar JPaik WOrtega EChakrabarty K(2024)ALT-Lock: Logic and Timing Ambiguity-Based IP Obfuscation Against Reverse EngineeringIEEE Transactions on Very Large Scale Integration (VLSI) Systems10.1109/TVLSI.2024.341103332:8(1535-1548)Online publication date: 1-Aug-2024
https://dl.acm.org/doi/10.1109/TVLSI.2024.3411033
Azar KKamali HFarahmandi FTehranipoor M(2024)Improving Bounded Model Checkers Scalability for Circuit De-Obfuscation: An ExplorationIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.335728619(2771-2785)Online publication date: 1-Jan-2024
https://dl.acm.org/doi/10.1109/TIFS.2024.3357286
Kamali H(2024)From Full-Custom to Gate-Array ASIC for Hardware IP Protection2024 IEEE 17th Dallas Circuits and Systems Conference (DCAS)10.1109/DCAS61159.2024.10539912(1-5)Online publication date: 19-Apr-2024
https://doi.org/10.1109/DCAS61159.2024.10539912
Subbiah KChinnathevar S(2024)A Survey on Logic-Locking Characteristics and AttacksJournal of The Institution of Engineers (India): Series B10.1007/s40031-024-01017-y105:4(1073-1087)Online publication date: 7-Mar-2024
https://doi.org/10.1007/s40031-024-01017-y
Tehranipoor MZamiri Azar KAsadizanjani NRahman FMardani Kamali HFarahmandi FTehranipoor MZamiri Azar KAsadizanjani NRahman FMardani Kamali HFarahmandi F(2024)Digital Twin for Secure Semiconductor Lifecycle ManagementHardware Security10.1007/978-3-031-58687-3_8(345-399)Online publication date: 3-Apr-2024
https://doi.org/10.1007/978-3-031-58687-3_8
Tehranipoor MZamiri Azar KAsadizanjani NRahman FMardani Kamali HFarahmandi FTehranipoor MZamiri Azar KAsadizanjani NRahman FMardani Kamali HFarahmandi F(2024)Advances in Logic LockingHardware Security10.1007/978-3-031-58687-3_2(53-142)Online publication date: 3-Apr-2024
https://doi.org/10.1007/978-3-031-58687-3_2
Tehranipoor MZamiri Azar KAsadizanjani NRahman FMardani Kamali HFarahmandi FTehranipoor MZamiri Azar KAsadizanjani NRahman FMardani Kamali HFarahmandi F(2024)Quantifiable Assurance in HardwareHardware Security10.1007/978-3-031-58687-3_1(1-52)Online publication date: 3-Apr-2024
https://doi.org/10.1007/978-3-031-58687-3_1
Muttaki MSaha SKamali HRahman FTehranipoor MFarahmandi F(2023)RTLock: IP Protection using Scan-Aware Logic Locking at RTL2023 Design, Automation & Test in Europe Conference & Exhibition (DATE)10.23919/DATE56975.2023.10137136(1-6)Online publication date: Apr-2023
https://doi.org/10.23919/DATE56975.2023.10137136
Rahman MZamiri Azar KFarahmandi FMardani Kamali HThapliyal HDeMara RPartin-Vaisband IKatkoori S(2023)Metrics-to-Methods: Decisive Reverse Engineering Metrics for Resilient Logic LockingProceedings of the Great Lakes Symposium on VLSI 202310.1145/3583781.3590273(685-690)Online publication date: 5-Jun-2023
https://dl.acm.org/doi/10.1145/3583781.3590273
Ray DSao YBiswas SAli S(2023)On Securing Cryptographic ICs against Scan-based Attacks: A Hamming Weight Distribution PerspectiveACM Journal on Emerging Technologies in Computing Systems10.1145/357721519:2(1-20)Online publication date: 25-Mar-2023
https://dl.acm.org/doi/10.1145/3577215
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Issue’s Table of Contents