ScanSAT: Unlocking Static and Dynamic Scan Obfuscation

While financially advantageous, outsourcing key steps, such as testing, to potentially untrusted Outsourced Assembly and Test (OSAT) companies may pose a risk of compromising on-chip assets. Obfuscation of scan chains is a technique that hides the actual scan data from untrusted testers: logic inserted between the scan cells, driven by a secret key, hides the transformation functions that map the scan-in stimulus to the delivered scan pattern and the captured response to the scan-out response. While static scan obfuscation uses the same secret key, and thus the same secret transformation functions, throughout the lifetime of the chip, dynamic scan obfuscation updates the key periodically. In this paper, we propose ScanSAT: an attack that transforms a scan-obfuscated circuit into its logic-locked equivalent and applies the Boolean satisfiability (SAT) based attack, thereby extracting the secret key. We implement our attack, apply it to representative scan obfuscation techniques, and show that ScanSAT can break both static and dynamic scan obfuscation schemes with a 100% success rate. Moreover, ScanSAT is effective even for large key sizes and in the presence of scan compression.
