KC2: Key-Condition Crunching for Fast Sequential Circuit Deobfuscation

Logic locking and IC camouflaging are two promising techniques for thwarting an array of supply chain threats. Logic locking can hide the design from the foundry as well as end-users and IC camouflaging can thwart IC reverse engineering by end-users. Oracle-guided SAT-based deobfuscation attacks against these schemes have made it more and more difficult to securely implement them with low overhead. Almost all of the literature on SAT attacks is focused on combinational circuits. A recent first implementation of oracle-guided attacks on sequential circuits showed a drastic increase in deobfuscation time versus combinational circuits. In this paper we show that integrating the sequential SAT-attack with incremental bounded-model-checking, and dynamic simplification of key-conditions (Key-Condition Crunching or KC2), we are able to reduce the runtime of sequential SAT-attacks by two orders of magnitude across benchmark circuits, significantly reducing the gap between sequential and combinational deobfuscation. These techniques are applicable to combinational deobfuscation as well and thus represent a generic improvement to deobfuscation procedures and help better understand the complexity of deobfuscation for designing secure locking/camouflaging schemes.

[1]  A. Kuehlmann Dynamic transition relation simplification for bounded property checking , 2004, ICCAD 2004.

[2]  N. Eén Cut Sweeping , 2009 .

[3]  Aaron R. Bradley,et al.  SAT-Based Model Checking without Unrolling , 2011, VMCAI.

[4]  Siddharth Garg,et al.  Integrated Circuit (IC) Decamouflaging: Reverse Engineering Camouflaged ICs within Minutes , 2015, NDSS.

[5]  Dick James,et al.  The State-of-the-Art in IC Reverse Engineering , 2009, CHES.

[6]  Sayak Ray,et al.  Evaluating the security of logic encryption algorithms , 2015, 2015 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[7]  Hai Zhou,et al.  CycSAT: SAT-based attack on cyclic logic encryptions , 2017, 2017 IEEE/ACM International Conference on Computer-Aided Design (ICCAD).

[8]  Meng Li,et al.  AppSAT: Approximately deobfuscating integrated circuits , 2017, 2017 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[9]  Siddharth Garg,et al.  Reverse Engineering Camouflaged Sequential Integrated Circuits Without Scan Access , 2017, ArXiv.

[10]  Robert K. Brayton,et al.  Efficient implementation of property directed reachability , 2011, 2011 Formal Methods in Computer-Aided Design (FMCAD).

[11]  Siddharth Garg,et al.  Logic Locking for Secure Outsourced Chip Fabrication: A New Attack and Provably Secure Defense Mechanism , 2017, ArXiv.

[12]  M. Tehranipoor,et al.  Hardware Trojans: Lessons Learned after One Decade of Research , 2016, TODE.

[13]  Yan Zhang,et al.  A Study of Sweeping Algorithms in the Context of Model Checking , 2011, DIFTS@FMCAD.

[14]  David Z. Pan,et al.  On the Approximation Resiliency of Logic Locking and IC Camouflaging Schemes , 2019, IEEE Transactions on Information Forensics and Security.

[15]  Kenneth L. McMillan,et al.  Interpolation and SAT-Based Model Checking , 2003, CAV.

[16]  David Z. Pan,et al.  Revisit sequential logic obfuscation: Attacks and defenses , 2017, 2017 IEEE International Symposium on Circuits and Systems (ISCAS).

[17]  Meng Li,et al.  Cross-Lock: Dense Layout-Level Interconnect Locking using Cross-bar Architectures , 2018, ACM Great Lakes Symposium on VLSI.

[18]  Lawrence T. Pileggi,et al.  Building trusted ICs using split fabrication , 2014, 2014 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST).