Reverse engineering camouflaged sequential circuits without scan access

Mohamed El Massad, Siddharth Garg, Mahesh Tripunitara

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Integrated circuit (IC) camouflaging is a promising technique to protect the design of a chip from reverse engineering. However, recent work has shown that even camouflaged ICs can be reverse engineered from the observed input/output behaviour of a chip using SAT solvers. However, these so-called SAT attacks have so far targeted only camouflaged combinational circuits. For camouflaged sequential circuits, the SAT attack requires that the internal state of the circuit is controllable and observable via the scan chain. It has been implicitly assumed that restricting scan chain access increases the security of camouflaged ICs from reverse engineering attacks. In this paper, we develop a new attack methodology to decamouflage sequential circuits without scan access. Our attack uses a model checker (a more powerful reasoning tool than a SAT solver) to find a discriminating set of input sequences, i.e., one that is sufficient to determine the functionality of camouflaged gates. We propose several refinements, including the use of a bounded model checker, and sufficient conditions for determining when a set of input sequences is discriminating to improve the run-time and scalability of our attack. Our attack is able to decamouflage a large sequential benchmark circuit that implements a subset of the VIPER processor.

Original language: English (US)
Title of host publication: 2017 IEEE/ACM International Conference on Computer-Aided Design, ICCAD 2017
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 33-40
Number of pages: 8
Volume: 2017-November
ISBN (Electronic): 9781538630938
DOI: https://doi.org/10.1109/ICCAD.2017.8203757
State: Published - Dec 13 2017
Event: 36th IEEE/ACM International Conference on Computer-Aided Design, ICCAD 2017 - Irvine, United States
Duration: Nov 13 2017 to Nov 16 2017

Other

Other: 36th IEEE/ACM International Conference on Computer-Aided Design, ICCAD 2017
Country: United States
City: Irvine
Period: 11/13/17 to 11/16/17

Fingerprint

Sequential circuits
Reverse engineering
Combinatorial circuits
Integrated circuits
Networks (circuits)

ASJC Scopus subject areas

  • Software
  • Computer Science Applications
  • Computer Graphics and Computer-Aided Design

Cite this

Massad, M. E., Garg, S., & Tripunitara, M. (2017). Reverse engineering camouflaged sequential circuits without scan access. In 2017 IEEE/ACM International Conference on Computer-Aided Design, ICCAD 2017 (Vol. 2017-November, pp. 33-40). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/ICCAD.2017.8203757
