Survey on Applications of Formal Methods in Reverse Engineering and Intellectual Property Protection

Keshavarz, Shahrzad; Yu, Cunxi; Ghandali, Samaneh; Xu, Xiaolin; Holcomb, Daniel

doi:10.1007/s41635-018-0044-3

Cited by 11 publications

(4 citation statements)

References 57 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…One big assumption of this threat model is that the scan chain structure is unknown to the adversary. However, many recent studies demonstrate and validate the possibility of successfully reverse-engineering an IC and a PCB via delayering, imaging, annotation, and netlist extraction [72], [73]. Thus, since the adversary has access to the successfully reverseengineered netlist, many of the previously discussed secure scan architectures would be invalid, particularly those architectures that manipulated the scan chain structure without the insertion of the key, such as flipped scan, feedback XORed scan, and state dependent scan.…”

Section: More Advanced Secure Scan Chain Architectures In the Presence Of Logic Obfuscationmentioning

confidence: 99%

From Cryptography to Logic Locking: A Survey on the Architecture Evolution of Secure Scan Chains

et al. 2021

View full text Add to dashboard Cite

The availability of access to Integrated Circuits' scan chain is an inevitable requirement of modern ICs for testability/debugging purposes. However, leaving access to the scan chain OPEN resulted in numerous security threats on ICs. It raises challenging concerns particularly when the secret asset, like secret information, is placed within the chip, such as the keys of cryptographic algorithms, or similarly logic obfuscation key. So, to combat these threats, numerous secure scan chain architectures have been proposed in the literature to prevent any unauthorized access to the scan chain. They also keep the availability of the scan chain for testability/debugging. In this paper, we first show why a secure scan chain architecture is required when security primitives, like logic obfuscation, are in place. Then, we provide a holistic overview of all secure scan chain architectures starting from preliminary methods introduced when cryptography is in place and the adversary threat model is very limited. It is then followed by newer and more advanced methods introduced when logic obfuscation is in place and the adversary threat model is much stronger. Hence, we have more concentration on the architecture proposed more recently on logic obfuscation. We evaluate all secure scan chain architectures in terms of security and resiliency, testability/debugging time and complexity, and area/power/delay overhead.

show abstract

Section: More Advanced Secure Scan Chain Architectures In the Presence Of Logic Obfuscationmentioning

confidence: 99%

From Cryptography to Logic Locking: A Survey on the Architecture Evolution of Secure Scan Chains

et al. 2021

View full text Add to dashboard Cite

show abstract

“…The outsourcing of fabrication in the semiconductor supply chain has exposed it to numerous security threats, including Integrated Circuit (IC) piracy, counterfeiting, overproduction, and hardware Trojans [1][2][3][4]. These threats have resulted in significant annual losses, estimated at $4 billion a decade ago [5].…”

Section: Introductionmentioning

confidence: 99%

Leveraging Layout-based Effects for Locking Analog ICs

Aljafar

Azaïs

Flottes

et al. 2022

Proceedings of the 2022 Workshop on Attacks and Solutions in Hardware Security

View full text Add to dashboard Cite

While numerous obfuscation techniques are available for securing digital assets in the digital domain, there has been a notable lack of focus on protecting Intellectual Property (IP) in the analog domain. This is primarily due to the relatively smaller footprint of analog components within an Integrated Circuit (IC), with the majority of the surface dedicated to digital elements. However, despite their smaller nature, analog components are highly valuable IP and warrant effective protection. In this paper, we present a groundbreaking method for safeguarding analog IP by harnessing layout-based effects that are typically considered undesirable in IC design. Specifically, we exploit the impact of Length of Oxide Diffusion and Well Proximity Effect on transistors to fine-tune critical parameters such as transconductance (gm) and threshold voltage (Vth). These parameters remain concealed behind key inputs, akin to the logic locking approach employed in digital ICs. Our research explores the application of layout-based effects in two commercial CMOS technologies, namely a 28nm and a 65nm node. To demonstrate the efficacy of our proposed technique, we implement it for locking an Operational Transconductance Amplifier. Extensive simulations are performed, evaluating the obfuscation strength by applying a large number of key sets (over 50,000 and 300,000). The results exhibit a significant degradation in performance metrics, such as open-loop gain (up to 130dB), phase margin (up to 50 degrees), 3dB bandwidth (approximately 2.5MHz), and power consumption (around 1mW) when incorrect keys are employed. Our findings highlight the advantages of our approach as well as the associated overhead.

show abstract

“…To prevent the adversaries from such attacks, researchers have proposed various obfuscation methods for hiding and/or locking the functionality of a netlist [3][4][5][6][7]. However, the validity and strength of logic obfuscation to defend an IP against adversaries in the manufacturing supply chain was seriously challenged as researchers demonstrated that the de-obfuscation attacks leveraging satisfiability (SAT) solvers [8][9][10] combined with Signal Probability Skew (SPS) attacks [11] could break the existing obfuscation schemes (both locking and camouflaging) in a relatively short time.…”

Section: Introductionmentioning

confidence: 99%

SAT-Hard Cyclic Logic Obfuscation for Protecting the IP in the Manufacturing Supply Chain

Roshanisefat

Kamali

Homayoun

et al. 2020

IEEE Trans. VLSI Syst.

View full text Add to dashboard Cite

State-of-the-art attacks against cyclic logic obfuscation use satisfiability solvers that are equipped with a set of cycle avoidance clauses. These cycle avoidance clauses are generated in a pre-processing step and define various key combinations that could open or close cycles without making the circuit oscillating or stateful. In this paper, we show that this preprocessing step has to generate cycle avoidance conditions on all cycles in a netlist, otherwise, a missing cycle could trap the solver in an infinite loop or make it exit with an incorrect key. Then, we propose several techniques by which the number of cycles is exponentially increased as a function of the number of inserted feedbacks. We further illustrate that when the number of feedbacks is increased, the pre-processing step of the attack faces an exponential increase in complexity and runtime, preventing the correct composition of cycle avoidance clauses in a reasonable time. On the other hand, if the pre-processing is not concluded, the attack formulated by the satisfiability solver will either get stuck or exit with an incorrect key. Hence, when the cyclic obfuscation under the conditions proposed in this paper is implemented, it would impose an exponentially difficult problem for the satisfiability solver based attacks.

show abstract

Survey on Applications of Formal Methods in Reverse Engineering and Intellectual Property Protection

Cited by 11 publications

References 57 publications

From Cryptography to Logic Locking: A Survey on the Architecture Evolution of Secure Scan Chains

From Cryptography to Logic Locking: A Survey on the Architecture Evolution of Secure Scan Chains

Leveraging Layout-based Effects for Locking Analog ICs

SAT-Hard Cyclic Logic Obfuscation for Protecting the IP in the Manufacturing Supply Chain

Contact Info

Product

Resources

About