Fun-SAT: Functional Corruptibility-Guided SAT-Based Attack on Sequential Logic Encryption

“…In this step, for complex cases that are hard to distinguish between original and extra states, some random stimuli can be matched with the oracle. More recent studies on FSM obfuscation show how even implicit external secrecy (keyless) can be modeled using I/O query-based attacks [29,41]. In RANE [41], the secret(s) of HARPOON, which are S N init , I en , and I auth (Fig.…”

“…Structural analysis-based attacks [12][13][14] on point function techniques [15][16][17][18], attacks relying on machine learning [19,20] on routing-based techniques [21][22][23], and theory-based SAT attacks [24,25] on non-Boolean logic locking [26,27] are some of the evident examples showing the concerning state of the logic locking. [28], Fun-SAT [29], [30] states prior the original FSM connected to the original part of FSM Structural [31] Interlocking [32] Augments orignial FSM with obfuscation mode and code-word Code-word doesn't impact output function Fun-SAT [29], Structural [31] State [33] Verifies enabling key at each state and Obfuscated states are loosely connected Structural [31] Deflection deflects to black holes to the orignial part of FSM…”

“…Active [5] Adds extra obfuscation states Obfuscated states are loosely Fun-SAT [29], Metering and black holes for correct order connected to the original FSM Structural [31] JANUS [34,35] Concealment state register role using a configurable FF Leaves scan chain open (leak of FF type) BMC not tested ( §II-D)…”

“…Over time, many keyless locking methods have been challenged by different techniques [29,31,41]. The {structural+functional} attack focuses on the topological flaws of these methods that allow the adversary to distinguish the original part of the STG from the obfuscated part, leading to recovering the correct FSM [31,38].…”

“…The {structural+functional} attack focuses on the topological flaws of these methods that allow the adversary to distinguish the original part of the STG from the obfuscated part, leading to recovering the correct FSM [31,38]. More recent approaches show how these keyless locking, even while they are utilizing implicit representation of the secret [30,[32][33][34][35]37], can be remodeled and evaluated using I/O query-based attacks like the BMC attack [29,41]. Table 1 shows a comparative summary of the notable FSM obfuscation methods, their vulnerabilities, and the attacks they are susceptible to (discussed in Sec.…”

ReTrustFSM: Toward RTL Hardware Obfuscation-A Hybrid FSM Approach

“…In this step, for complex cases that are hard to distinguish between original and extra states, some random stimuli can be matched with the oracle. More recent studies on FSM obfuscation show how even implicit external secrecy (keyless) can be modeled using I/O query-based attacks [29,41]. In RANE [41], the secret(s) of HARPOON, which are S N init , I en , and I auth (Fig.…”

“…Structural analysis-based attacks [12][13][14] on point function techniques [15][16][17][18], attacks relying on machine learning [19,20] on routing-based techniques [21][22][23], and theory-based SAT attacks [24,25] on non-Boolean logic locking [26,27] are some of the evident examples showing the concerning state of the logic locking. [28], Fun-SAT [29], [30] states prior the original FSM connected to the original part of FSM Structural [31] Interlocking [32] Augments orignial FSM with obfuscation mode and code-word Code-word doesn't impact output function Fun-SAT [29], Structural [31] State [33] Verifies enabling key at each state and Obfuscated states are loosely connected Structural [31] Deflection deflects to black holes to the orignial part of FSM…”

“…Active [5] Adds extra obfuscation states Obfuscated states are loosely Fun-SAT [29], Metering and black holes for correct order connected to the original FSM Structural [31] JANUS [34,35] Concealment state register role using a configurable FF Leaves scan chain open (leak of FF type) BMC not tested ( §II-D)…”

“…Over time, many keyless locking methods have been challenged by different techniques [29,31,41]. The {structural+functional} attack focuses on the topological flaws of these methods that allow the adversary to distinguish the original part of the STG from the obfuscated part, leading to recovering the correct FSM [31,38].…”

“…The {structural+functional} attack focuses on the topological flaws of these methods that allow the adversary to distinguish the original part of the STG from the obfuscated part, leading to recovering the correct FSM [31,38]. More recent approaches show how these keyless locking, even while they are utilizing implicit representation of the secret [30,[32][33][34][35]37], can be remodeled and evaluated using I/O query-based attacks like the BMC attack [29,41]. Table 1 shows a comparative summary of the notable FSM obfuscation methods, their vulnerabilities, and the attacks they are susceptible to (discussed in Sec.…”

ReTrustFSM: Toward RTL Hardware Obfuscation-A Hybrid FSM Approach

Post-satisfiability Era: Countermeasures and Threats

Advances in Logic Locking