Stripped Functionality Logic Locking With Hamming Distance-Based Restore Unit (SFLL-hd) – Unlocked

Logic locking is a technique that has received significant attention. It protects a hardware design netlist from a variety of hardware security threats, such as tampering, reverse-engineering, and piracy, stemming from untrusted chip foundries and end users. This technique adds logic and inputs to a given design netlist to make sure that the locked design is functional only when a $\boldsymbol{key}$ is applied from the new inputs; an incorrect key makes the design produce incorrect outputs. The new inputs, referred to as the key inputs, are driven by a tamper-proof memory on the chip, which stores the secret key. Research in this field has shown that this technique, if not implemented properly, may be vulnerable to attacks that extract the $\boldsymbol{key}$ of logic locking. Recently, a logic locking technique called stripped functionality logic locking (SFLL) has been proposed and shown to withstand all known attacks in a provably secure manner. SFLL strips some functionality from the original design by corrupting its output corresponding to a number of "protected" input patterns. In one version of SFLL, referred to as SFLL-hd, these protected patterns are all of a certain Hamming distance $h$ to the $\boldsymbol{key}$. The modified design is accompanied by additional logic that fixes the output for each protected input pattern only when the $\boldsymbol{key}$ is in the tamper-proof memory. In this paper, we present an attack that breaks SFLL-hd within a minute.
Our attack exploits structural traces left behind in the locked design due to the functionality strip operation and is capable of identifying some of the protected patterns. We also present a theoretical framework that helps us develop two different techniques to complete our attack. In the first technique, we use the Gaussian elimination technique to solve a system of equations that we form based on $k$ identified protected patterns in $O(k^3)$ time in the best case, where $k$ is the number of key bits in $\boldsymbol{key}$. The second technique uses one identified protected pattern to query the oracle $k$ times. In both techniques, we successfully recover the $\boldsymbol{key}$ from the protected pattern(s). We show that our attacks work on the SFLL-locked microprocessor design (more than 50 K gates) that the authors of SFLL made available to the public; we extract the 256-bit key within a minute and reveal it in this paper. We also test our attacks on a few other SFLL-hd benchmarks provided by SFLL authors.
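The SFLL-hd construction described above, modelled behaviourally in Python as an added example (not code from the paper or from the SFLL authors). The 6-bit width, h = 2, the majority-function stand-in for the original design and the secret value are all constructed assumptions; the model counts how many input patterns a given key leaves corrupted.

```python
# Toy behavioural model of SFLL-hd (constructed example, not the paper's code).
N_BITS = 6          # assumed input/key width of the toy design
H = 2               # assumed Hamming distance h
SECRET = 0b101100   # constructed secret key, for illustration only


def hamming(a: int, b: int) -> int:
    """Hamming distance between two N_BITS-wide words."""
    return bin(a ^ b).count("1")


def original(x: int) -> int:
    """Constructed stand-in for the unlocked design: majority of the input bits."""
    return int(bin(x).count("1") > N_BITS // 2)


def stripped(x: int) -> int:
    """Functionality-stripped design: output flipped on every protected pattern.

    The protected patterns are fixed at design time from SECRET, so this part
    of the netlist is derived from the key even though it has no key inputs.
    """
    return original(x) ^ int(hamming(x, SECRET) == H)


def locked(x: int, key: int) -> int:
    """Stripped design plus restore unit driven by the key inputs.

    The restore unit flips the output whenever the input is at distance H
    from the key held in the tamper-proof memory.
    """
    return stripped(x) ^ int(hamming(x, key) == H)


def protected_patterns() -> list[int]:
    """All inputs at Hamming distance H from the secret key."""
    return [x for x in range(2 ** N_BITS) if hamming(x, SECRET) == H]


def corrupted_inputs(key: int) -> int:
    """Number of inputs on which the locked design disagrees with the original."""
    return sum(locked(x, key) != original(x) for x in range(2 ** N_BITS))


if __name__ == "__main__":
    print("protected patterns:", len(protected_patterns()))
    for key in (SECRET, SECRET ^ 0b000001, SECRET ^ 0b000011):
        print(f"key={key:06b} corrupted inputs={corrupted_inputs(key)}/64")
```

With the correct key the restore unit cancels every stripped output; a wrong key both fails to restore some protected patterns and corrupts additional inputs at distance h from itself.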
