Reverse engineering camouflaged sequential circuits without scan access

Massad, Mohamed El; Garg, Siddharth; Tripunitara, Mahesh

doi:10.1109/iccad.2017.8203757

Cited by 74 publications

(41 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Bias PUF based scan [38] ScanSAT-resilient large circuits such as s38584 and b19 (even with a key-size of 128). For s38584, the only benchmark common to our and their work, the NSAA tool reportedly crashed [24]. As acknowledged in [24], NSAA is effective only if the ratio of the primary IOs to the SFFs is reasonably large.…”

Section: Comparison Against Nsaa [24]mentioning

confidence: 74%

“…3 Most of the logic locking attacks, including the powerful SAT attack, assume full scan access to a working oracle. We note that there are a few exceptions, such as [24], that launch the attack without scan access; however, as explained further later, the effectiveness of such techniques is quite limited 2. A chip need not be functional to be tested for structural defects.…”

Section: The Sat Attackmentioning

confidence: 97%

“…An orthogonal line of research is an attack that assumes no scan access [24], herein referred to as NSAA (no scan access attack). NSAA exercises only the primary inputs (and not the SFFs) and observes only the primary outputs (and not the SFFs) of the working chip.…”

Section: Comparison Against Nsaa [24]mentioning

confidence: 99%

“…NSAA exercises only the primary inputs (and not the SFFs) and observes only the primary outputs (and not the SFFs) of the working chip. In [24], NSAA is reported to be successful for 80% of the time for a key-size of 32 bits. Often, the attack can correctly retrieve only a subset of keybits.…”

Section: Comparison Against Nsaa [24]mentioning

confidence: 99%

See 3 more Smart Citations

ScanSAT: Unlocking Static and Dynamic Scan Obfuscation

Alrahis

Yasin

Limaye

et al. 2021

IEEE Trans. Emerg. Topics Comput.

View full text Add to dashboard Cite

While financially advantageous, outsourcing key steps, such as testing, to potentially untrusted Outsourced Assembly and Test (OSAT) companies may pose a risk of compromising on-chip assets. Obfuscation of scan chains is a technique that hides the actual scan data from the untrusted testers; logic inserted between the scan cells, driven by a secret key, hides the transformation functions that map the scan-in stimulus (scan-out response) and the delivered scan pattern (captured response). While static scan obfuscation utilizes the same secret key, and thus, the same secret transformation functions throughout the lifetime of the chip, dynamic scan obfuscation updates the key periodically. In this paper, we propose ScanSAT: an attack that transforms a scan obfuscated circuit to its logic-locked version and applies the Boolean satisfiability (SAT) based attack, thereby extracting the secret key. We implement our attack, apply on representative scan obfuscation techniques, and show that ScanSAT can break both static and dynamic scan obfuscation schemes with 100% success rate. Moreover, ScanSAT is effective even for large key sizes and in the presence of scan compression.

show abstract

Section: Comparison Against Nsaa [24]mentioning

confidence: 74%

Section: The Sat Attackmentioning

confidence: 97%

Section: Comparison Against Nsaa [24]mentioning

confidence: 99%

Section: Comparison Against Nsaa [24]mentioning

confidence: 99%

See 2 more Smart Citations

ScanSAT: Unlocking Static and Dynamic Scan Obfuscation

Alrahis

Yasin

Limaye

et al. 2021

IEEE Trans. Emerg. Topics Comput.

View full text Add to dashboard Cite

show abstract

“…Comparison with prior attacks. Previously, there has been an attack launched on camouflaged sequential circuits with restricted scan access [32]. To circumvent the blocked scan access, El Massad et al rely on model checker tools to find discriminating input sequences that can be applied through multiple capture cycles to observe the primary output.…”

Section: A Attack Resultsmentioning

confidence: 99%

Is Robust Design-for-Security Robust Enough? Attack on Locked Circuits with Restricted Scan Chain Access

Limaye

Sengupta

Nabeel

et al. 2019

2019 IEEE/ACM International Conference on Computer-Aided Design (ICCAD)

View full text Add to dashboard Cite

The security of logic locking has been called into question by various attacks, especially a Boolean satisfiability (SAT) based attack, that exploits scan access in a working chip. Among other techniques, a robust design-for-security (DFS) architecture was presented to restrict any unauthorized scan access, thereby, thwarting the SAT attack (or any other attack that relies on scan access). Nevertheless, in this work, we successfully break this technique by recovering the secret key despite the lack of scan access. Our security analysis on a few benchmark circuits protected by the robust DFS architecture demonstrates the effectiveness of our attack; on average ∼95% of the key bits are correctly recovered, and almost 100% in most cases. To overcome this and other prevailing attacks, we propose a defense by making fundamental changes to the robust DFS technique; the new defense can withstand all logic locking attacks. We observe, on average, lower area overhead (∼1.65%) than the robust DFS design (∼5.15%), and similar test coverage (∼99.88%).

show abstract

Trust in IoT Devices: A Logic Encryption Perspective

Kasarabada

Luria

Vemuri

2020

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

Tremendous technological advancement has led to the development of an ecosystem of highly connected ubiquitous computing devices called the Internet of Things (IoT). Considering the sensitive nature of the data collected by the IoT devices, it is essential to ensure the security of these devices. Logic encryption is a popular design-fortrust technique used for protection against hardware IP piracy, design counterfeiting, and hardware Trojan insertion. The introduction of various attack methods that leverage vulnerabilities in known logic encryption techniques has prompted the development of new techniques able to thwart the proposed attacks. Major research effort in the field of logic encryption focuses on increasing resilience to known and potential attacks while often ignoring considerations of cost overhead, especially die area and power consumed. Since area and power optimization are key aspects in the design and development of most IoT devices, it is important to evaluate the cost incurred by logic encryption schemes, especially in the context of these two metrics. In this paper, we survey some of the most popular logic encryption and decryption techniques proposed in the past decade. An analysis of the area and power overhead of these logic encryption techniques using several standard benchmark circuits is presented to assess their suitability for resource constrained systems.

show abstract

Reverse engineering camouflaged sequential circuits without scan access

Cited by 74 publications

References 12 publications

ScanSAT: Unlocking Static and Dynamic Scan Obfuscation

ScanSAT: Unlocking Static and Dynamic Scan Obfuscation

Is Robust Design-for-Security Robust Enough? Attack on Locked Circuits with Restricted Scan Chain Access

Trust in IoT Devices: A Logic Encryption Perspective

Contact Info

Product

Resources

About