Reverse engineering camouflaged sequential circuits without scan access

Integrated circuit (IC) camouflaging is a promising technique to protect the design of a chip from reverse engineering. However, recent work has shown that even camouflaged ICs can be reverse engineered from the observed input/output behaviour of a chip using SAT solvers. However, these so-called SAT attacks have so far targeted only camouflaged combinational circuits. For camouflaged sequential circuits, the SAT attack requires that the internal state of the circuit is controllable and observable via the scan chain. It has been implicitly assumed that restricting scan chain access increases the security of camouflaged ICs from reverse engineering attacks. In this paper, we develop a new attack methodology to decamouflage sequential circuits without scan access. Our attack uses a model checker (a more powerful reasoning tool than a SAT solver) to find a discriminating set of input sequences, i.e., one that is sufficient to determine the functionality of camouflaged gates. We propose several refinements, including the use of a bounded model checker, and sufficient conditions for determining when a set of input sequences is discriminating to improve the run-time and scalabilty of our attack. Our attack is able to decamouflage a large sequential benchmark circuit that implements a subset of the VIPER processor.

[1]  Mark Mohammad Tehranipoor,et al.  A low-cost solution for protecting IPs against scan-based side-channel attacks , 2006, 24th IEEE VLSI Test Symposium.

[2]  Siddharth Garg,et al.  Integrated Circuit (IC) Decamouflaging: Reverse Engineering Camouflaged ICs within Minutes , 2015, NDSS.

[3]  Meng Li,et al.  Provably Secure Camouflaging Strategy for IC Protection , 2019, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[4]  Jeyavijayan Rajendran,et al.  Security analysis of logic obfuscation , 2012, DAC Design Automation Conference 2012.

[5]  Fausto Giunchiglia,et al.  NUSMV: a new symbolic model checker , 2000, International Journal on Software Tools for Technology Transfer.

[6]  Jeyavijayan Rajendran,et al.  Security analysis of integrated circuit camouflaging , 2013, CCS.

[7]  Dick James,et al.  The State-of-the-Art in IC Reverse Engineering , 2009, CHES.

[8]  Sayak Ray,et al.  Evaluating the security of logic encryption algorithms , 2015, 2015 IEEE International Symposium on Hardware Oriented Security and Trust (HOST).

[9]  Xiangyu Zhang,et al.  Oracle-guided incremental SAT solving to reverse engineer camouflaged logic circuits , 2016, 2016 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[10]  Jeyavijayan Rajendran,et al.  CamoPerturb: Secure IC camouflaging for minterm protection , 2016, 2016 IEEE/ACM International Conference on Computer-Aided Design (ICCAD).

[11]  Siddharth Garg,et al.  Threshold-Dependent Camouflaged Cells to Secure Circuits Against Reverse Engineering Attacks , 2016, 2016 IEEE Computer Society Annual Symposium on VLSI (ISVLSI).

[12]  David Bryan,et al.  Combinational profiles of sequential benchmark circuits , 1989, IEEE International Symposium on Circuits and Systems,.

[13]  Giovanni Squillero,et al.  RT-Level ITC'99 Benchmarks and First ATPG Results , 2000, IEEE Des. Test Comput..