Using Scan Side Channel to Detect IP Theft

In the growing heterogeneous Internet of Things market, which embraces a plurality of vendors and service providers, IP protection plays a central role. This paper proposes a process for the detection of IP theft in VLSI devices that exploits the internal test scan chains, designed for production test automation. The scan chains supply direct access to the internal registers in the device, enabling combinational analysis of the device logic. By using Boolean function learning methods, the learner creates a partial dependence graph of the internal flip-flops. The graph is further partitioned using the shared nearest neighbors graph clustering method, and individual blocks of combinational logic are isolated. These blocks can be matched with known building blocks that compose the original function. This enables reconstruction of the function implementation to the level of pipeline structure. The IP owner can compare the resulting structure with his own implementation to confirm whether an IP violation has occurred. We demonstrate the power of the presented approach with a test case of an open source Bitcoin SHA-256 accelerator, containing more than 80 000 registers. With the presented method, we discover the microarchitecture of the module, locate all the main components of the SHA-256 algorithm, and learn the module’s flow control. In addition to the direct recognition of the IP content, we also demonstrate a combination of reverse engineering and watermark methods. We define a new watermark structure—pipeline-associated watermark (PAW), combined with pipeline stages that can be detected with the scan-based reverse engineering method.
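The learn-then-partition idea in the abstract, as an added example that is not code from the paper: a toy 8-register circuit is probed through a modelled scan chain (load state, clock once, read state) to learn a flip-flop dependence graph, which is then partitioned with a simplified shared-nearest-neighbours rule. The circuit, the function names, the bit-flip learner and the threshold `k` are all assumptions made for illustration; the abstract does not specify the paper's learning algorithm or clustering parameters.

```python
import random

N = 8  # scan-accessible flip-flops in the constructed toy design

def step(s):
    """One functional clock of a constructed toy circuit: regs 0-3 are a counter,
    regs 4-7 a second counter whose LSB is XORed with reg 3 (one weak cross link)."""
    a = sum(bit << i for i, bit in enumerate(s[:4]))
    b = sum(bit << i for i, bit in enumerate(s[4:]))
    a2, b2 = (a + 1) & 15, ((b + 1) & 15) ^ s[3]
    return [(a2 >> i) & 1 for i in range(4)] + [(b2 >> i) & 1 for i in range(4)]

def learn_dependencies(step_fn, n, trials=200, seed=1):
    """Scan in a random state, clock once, scan out; if flipping bit j changes bit i, i depends on j."""
    rng = random.Random(seed)
    deps = {i: set() for i in range(n)}
    for _ in range(trials):
        base = [rng.randint(0, 1) for _ in range(n)]
        ref = step_fn(base)
        for j in range(n):
            out = step_fn(base[:j] + [base[j] ^ 1] + base[j + 1:])
            for i in range(n):
                if out[i] != ref[i]:
                    deps[i].add(j)
    return deps

def snn_clusters(deps, n, k):
    """Simplified shared-nearest-neighbours step: keep an edge only if its endpoints
    share at least k neighbours (self included), then return connected components."""
    nbrs = {i: {i} for i in range(n)}
    for i, srcs in deps.items():
        for j in srcs:
            nbrs[i].add(j)
            nbrs[j].add(i)
    parent = list(range(n))
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for u in range(n):
        for v in nbrs[u]:
            if u < v and len(nbrs[u] & nbrs[v]) >= k:
                parent[find(u)] = find(v)
    groups = {}
    for i in range(n):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())

if __name__ == "__main__":
    print(snn_clusters(learn_dependencies(step, N), N, k=3))
```

With `k=3` the single control link from register 3 to register 4 is pruned and the two counters come out as separate blocks; with `k=2` the link survives and the whole design collapses into one cluster.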
