Towards Cognitive Obfuscation: Impeding Hardware Reverse Engineering
  Based on Psychological Insights by Wiesen, Carina et al.
Towards Cognitive Obfuscation
Impeding Hardware Reverse Engineering Based on Psychological Insights
Carina Wiesen∗
Ruhr-Universität Bochum
Bochum, Germany
carina.wiesen@rub.de
Nils Albartus†
Ruhr-Universität Bochum
Bochum, Germany
nils.albartus@rub.de
Max Hoffmann†
Ruhr-Universität Bochum
Bochum, Germany
max.hoffmann@rub.de
Steffen Becker†
Ruhr-Universität Bochum
Bochum, Germany
steffen.becker@rub.de
Sebastian Wallat
University of Massachusetts
Amherst, Massachusetts
swallat@umass.edu
Marc Fyrbiak†
Ruhr-Universität Bochum
Bochum, Germany
marc.fyrbiak@rub.de
Nikol Rummel∗†
Ruhr-Universität Bochum
Bochum, Germany
nikol.rummel@rub.de
Christof Paar†
Ruhr-Universität Bochum
Bochum, Germany
christof.paar@rub.de
ABSTRACT
In contrast to software reverse engineering, there are hardly
any tools available that support hardware reversing. There-
fore, the reversing process is conducted by human analysts
combining several complex semi-automated steps. However,
countermeasures against reversing are evaluated solely against
mathematical models. Our research goal is the establishment
of cognitive obfuscation based on the exploration of under-
lying psychological processes. We aim to identify problems
which are hard to solve for human analysts and derive novel
quantification metrics, thus enabling stronger obfuscation
techniques.
KEYWORDS
cognitive obfuscation, netlist-level reverse engineering, hard-
ware obfuscation
ACM Reference Format:
Carina Wiesen, Nils Albartus, Max Hoffmann, Steffen Becker,
Sebastian Wallat, Marc Fyrbiak, Nikol Rummel, and Christof Paar.
2019. Towards Cognitive Obfuscation: Impeding Hardware Reverse
Engineering Based on Psychological Insights. In Proceedings of
∗Educational Research Institute, Ruhr-Universität Bochum
†Horst Görtz Institute for IT Security, Ruhr-Universität Bochum
Permission to make digital or hard copies of all or part of this work
for personal or classroom use is granted without fee provided that
copies are not made or distributed for profit or commercial advantage
and that copies bear this notice and the full citation on the first
page. Copyrights for components of this work owned by others than
ACM must be honored. Abstracting with credit is permitted. To copy
otherwise, or republish, to post on servers or to redistribute to lists,
requires prior specific permission and/or a fee. Request permissions
from permissions@acm.org.
ASP-DAC 2019, Jan. 2019, Tokyo, Japan
© 2019 Association for Computing Machinery.
ACM ISBN 123-4567-24-567/08/06. . . $15.00
https://doi.org/10.475/123_4
ACM Asia South Pacific Design Automation Conference (ASP-
DAC 2019). ACM, New York, NY, USA, Article 4, 8 pages. https:
//doi.org/10.475/123_4
1 INTRODUCTION
Hardware components form the root of trust in virtually
any computing system. In order to detect fabrication faults,
copyright infringements, counterfeit products, or malicious
manipulations hardware reverse engineering is usually the
tool-of-choice [2, 10, 14]. While hardware reverse engineering
is a highly complex and universal tool for legitimate purposes,
it can also be employed with illegitimate intentions, under-
mining the integrity of ICs via piracy, subsequent weakening
of security functions, or insertion of hardware Trojans [10, 19].
In particular, Intellectual Property (IP) piracy has become a
major concern for the semiconductor industry which causes
losses in the range of several billion dollars [14]. Governments
and armed forces classify hardware reverse engineering as
a major security threat, since malicious manipulations of
hardware components in mission-critical systems can even
have lethal consequences [10].
Due to the serious threats posed by attacks based on
hardware reverse engineering, strong countermeasures are
indispensable. The security of most existing obfuscation tech-
niques is assessed exclusively based on technical measures.
However, the process of hardware reverse engineering cannot
be fully automated yet and the lack of holistic tools forces
human analysts to combine several semi-automated steps
[23]. Accordingly, cognitive processes and strategies applied
by humans in the context of hardware reverse engineering
must be taken into account for the development of sound
countermeasures. In this work, we describe a novel approach
of developing cognitive obfuscation methods considering both
technical and human factors during the hardware reverse
engineering processes.
ar
X
iv
:1
91
0.
00
32
3v
1 
 [c
s.C
R]
  1
 O
ct 
20
19
ASP-DAC 2019, Jan. 2019, Tokyo, Japan C. Wiesen et al.
Goal and Contribution. Our work is motivated by the lack
of metrics to precisely capture the strength of defenses against
hardware reverse engineering. Since technical and human
factors are inseparably connected in hardware reverse engi-
neering processes, the thorough understanding of the human
factor is essential to develop cognitive obfuscation methods.
To the best of our knowledge we are the first to define cog-
nitive obfuscation as the approach of impeding hardware
reverse engineering based on the analysis of psychological
processes. In summary our contributions are:
∙ Exploration of Human Factors. We define our psycho-
logical research design to analyze the underlying cogni-
tive processes of hardware reverse engineering in detail.
Additionally, we emphasize how reverse engineering can
be formulated as a psychological concept of problem
solving and identify which insights will perspectively
help to develop sound cognitive obfuscation methods.
∙ Improved Hardware Reverse Engineering Tool HAL.We
significantly advance the development of our hardware
reverse engineering software HAL [12] to adequately
capture human behavior as a foundation for this re-
search.
∙ Cognitive Obfuscation Methods. We derive the neces-
sity for novel obfuscation methods based on psychologi-
cal insights from the inseparable connection of technical
and human factors in hardware reverse engineering.
2 TECHNICAL BACKGROUND
In the following section we define the term hardware reverse
engineering and specify gate-level netlist reverse engineering
as our main research topic. Additionally, we provide a brief
overview on existing obfuscation methods impeding gate-level
netlist reverse engineering and emphasize the significance of
our novel approach leading to cognitive obfuscation methods.
2.1 Hardware Reverse Engineering
Reverse engineering is commonly described as the process
of retrieving knowledge or information from anything man-
made in order to understand its inner structure and workings
[20]. In the context of computer security, reverse engineering
is often associated with the analysis of binary programs [29]
or hardware designs [8].
Reverse engineering in the field of hardware security is con-
ducted for legitimate as well as illegitimate purposes [10]. On
the one hand, security engineers are often forced to conduct
reverse engineering to identify counterfeited hardware, secu-
rity vulnerabilities, or malicious manipulations like hardware
Trojans [25]. On the other hand, hardware reverse engineering
is also associated with illegitimate actions such as the analy-
sis of hardware designs on various levels to understand their
functionality in order to commit IP infringement, weaken
security functions, or to inject Trojans [10].
A valuable reference point and target of hardware reverse
engineers are Finite State Machines (FSMs). Building the
control logic, FSMs form an integral part of virtually any
hardware design. Due to its small circuitry and unique struc-
ture - consisting of a feedback path, which connects the state
transition logic and state memory (see Figure 1) - the FSM
can be easily identified in the sea of gates [11].
State Transition
Logic
Output Logic
State
MemoryInput
Figure 1: Schematic of an FSM circuit in hardware
Another valuable target for reverse engineers are imple-
mentations of cryptographic ciphers – like the Advanced
Encryption Standard (AES) – which are often implemented
in hardware to accelerate encryption and decryption pro-
cesses. Reverse engineering of such implementations can re-
veal weaknesses or even hard-coded keys in the worst-case.
Furthermore, the acquired knowledge can serve as a starting
point to insert a hardware Trojan into the given structure.
Gate-level Netlist Reverse Engineering. A gate-level netlist
is a representation of a set of logic gates of a particular gate
library together with their interconnections [27]. In this work
we will focus on Field Programmable Gate Array (FPGA)
gate-level netlist reverse engineering. In FPGA netlists com-
binational logic is usually implemented with Look-Up-Tables
(LUTs) and Multiplexers (MUX), while sequential logic is
realized with Flip-Flops (FFs).
During synthesis, which transforms a high-level description
of the circuit into the gate-level netlist, important human-
readable information is lost, namely (1) meaningful descrip-
tive labels, (2) boundaries of implemented modules, and (3)
module hierarchies. The absence of this information drasti-
cally complicates the reverse engineering process and forces
human analysts to conduct non-automatable sense-making
processes [10].
2.2 Obfuscation Methods
Obfuscation itself describes a transformation which obstructs
high-level information without changing functionality. The
goal of obfuscation is to impede the reverse engineering pro-
cesses.
Hardware designs can be separated in data path and con-
trol path. While there is a lack of data path obfuscation,
control path obfuscation has received manifold contributions
by the scientific community. Many works, e.g., [5], [7], [1],
and [6], introduced techniques which modify the behavior of
an FSM. Simplified, dummy states are added and the amount
of possible transitions is heavily increased, thus obfuscating
the original behavior of the FSM. The proposed security
analyses of these obfuscation methods almost solely consider
technical or mathematical attacks and often prove security
Towards Cognitive Obfuscation ASP-DAC 2019, Jan. 2019, Tokyo, Japan
in the respective models. However, Fyrbiak et al. presented a
variety of attacks against such techniques [11]. These attacks
were successful, because the obfuscated parts of the FSMs
could be semi-automatically distinguished from original parts.
For these distinguishers, human sense-making processes and
goal-oriented strategies were indispensable to differentiate
both parts and eventually led to practical attacks against
presumably secure techniques.
We emphasize, that security assessments and proofs of
the aforementioned techniques were solely based on techni-
cal models. Incorporating knowledge about the underlying
psychological processes faced by human analysts during the
reverse engineering of hardware designs might have directly
uncovered the anchor points used by Fyrbiak et al. in [11].
An holistic overview of recent metrics and obfuscation
methods for hardware can be found in [22].
2.3 Need for Cognitive Obfuscation Methods to
Impede Hardware Reverse Engineering
Naturally, the absence of high-level information in gate-level
netlists requires human analysts to employ sense-making pro-
cesses during reverse engineering. Hence, human strategies
and cognitive abilities influence the success of the reverse en-
gineering process. If we want to develop stronger obfuscation
methods it is essential to understand how human analysts
are reversing a hardware design. By acquiring a deeper un-
derstanding of used strategies or hard problems for a reverse
engineer we can derive new metrics to assess the strength of
an obfuscation scheme. Eventually, these metrics can lead
to stronger approaches for hardware obfuscation based on
cognitive insights.
3 PSYCHOLOGICAL BACKGROUND
Human factors have not been taken into account for the
development of obfuscation methods, yet. This is surprising,
since successful reverse engineering of netlists requires human
analysts to employ their cognitive abilities to design strategies
manually. Hence, human factors and underlying psychological
processes play a crucial role in hardware reverse engineering
and should be included in effective obfuscation methods. To
the best of our knowledge we are one of the first to explore rel-
evant human factors and underlying psychological processes
for the development of cognitive obfuscation methods. In this
section we provide the psychological background required to
describe and analyze human behavior in hardware reverse
engineering. Our research is based on the theory of reverse
engineering and its application to Boolean systems by Lee
et al. [16] which will be presented in the following.
3.1 Reverse Engineering - A Special Kind of
Problem Solving?
Lee and Johnson-Laird [16] explored underlying psychological
processes of reverse engineering and defined it as a special
kind of problem solving. Problem solving comprises psycho-
logical competencies which involve goal-directed thinking and
actions in situations, in which the problem solver does not
operate routinely [13]. Accordingly, a problem exists when a
person does not have the relevant knowledge to produce an
immediate solution.
In psychological research, two kinds of problem solving are
commonly distinguished [9], [17]. First in analytical problems
all relevant information to successfully solve the problem are
included. A common example of an analytical problem is the
Tower of Hanoi [15]. The challenge of analytical problems are
the analysis and sequential utilization of given information
[13]. The second type of problems are defined as complex prob-
lems which do not specify information to solve the problem.
In complex problem situation the problem solver is asked to
manipulate information to solve the problem. Complex prob-
lems combine different characteristics like non-transparency
of information, dependencies between components of the
problem, dynamics, or multiple goals [13].
Figure 2: Example of Reverse Engineering Task (Lee &
Johnson-Laird, 2013) [16]
Lee & Johnson-Laird [16] argue that reverse engineering
involves both attributes of analytical and complex problem
solving. Hence, problem solver in reverse engineering divide a
given system (like a netlist) in subsystems which is a common
strategy in analytical problem solving. Additionally, depen-
dencies between single components influence the problem
solving process in reverse engineering [16]. Dependencies and
their influence on the problem solving process are typically
allocated to complex problem solving processes [16]. By com-
bining characteristics of both analytical and complex problem
solving, reverse engineering can be defined as a special kind
of problem solving. In the context of the theory of reverse
engineering, Lee and Johnson-Laird [16] conducted five ex-
periments consisting of high-level reverse engineering tasks
(see Figure 2 and Figure 3).
Figure 3: Solution of Reverse Engineering Task in Figure 1
(Lee & Johnson-Laird, 2013) [16]
Participants were asked to draw the underlying circuit
which represents the light as on. Both congruent (AND, OR,
XOR) and incongruent (NAND, NOR, XNOR) were depicted in the
ASP-DAC 2019, Jan. 2019, Tokyo, Japan C. Wiesen et al.
single tasks. Incongruent tasks were harder to solve than con-
gruent tasks. Additionally, the difficulty of reverse engineering
was significantly influenced by the number of dependencies
between single components which influence the output of a
system. Summarized, these results can be seen as a starting
point for further research. Nevertheless, it is essential to trans-
fer the experimental setup in the field of hardware reverse
engineering to produce higher validity of the results. By the
exploration of human processes in realistic hardware reverse
engineering tasks, we aim to find more specific answers about
how human analysts are reversing a gate-level netlist and
which parameters influence the difficulty of solving hardware
reverse engineering tasks in realistic scenarios. Knowledge
about parameters which force engineers to make mistakes
while reversing a chip can be the foundation for the develop-
ment of cognitive obfuscation methods. In the following we
present our novel approach of the exploration of underlying
human processes in hardware reverse engineering and how
we plan to use insights about human factors to derive novel
cognitive obfuscation methods to impede hardware reverse
engineering.
3.2 A Novel Approach: Cognitive Obfuscation
To the best of our knowledge we are one of the first to de-
rive novel obfuscation methods impeding hardware reverse
engineering based on psychological insights. Therefore, we
aim to achieve a deeper understanding about underlying psy-
chological processes and how these processes are influenced
by human factors. For developing novel obfuscation methods,
we first have to explore human processes and to identify the
difficulties human analysts are facing during the process of
reversing a netlist. In the next step, we can identify and
explain common difficulties and recurring mistakes of human
analysts with different levels of expertise. We can use these
insights to develop cognitive obfuscation methods which force
engineers to make these kind of mistakes. Furthermore, we
are able to develop cognitive obfuscation methods based on
prior results about difficulties and learning processes to test
them with human analysts. This enables us to quantify differ-
ent approaches of cognitive obfuscation and to derive metrics
about the strength of each individual approach.
Due to the lack of prior research findings about human
processes in realistic hardware reverse engineering scenarios,
we formulated the following research questions. They seek to
answer if engineers are reversing hardware more efficiently
with growing experience, what sort of difficulties occur over
time, if these difficulties can be avoided over time, and what
other cognitive factors influence the problem solving processes
of hardware reverse engineering.
RQ1: Do participants get more efficient in solving hardware
reverse engineering tasks with growing experience?
RQ2: Which difficulties occur during the learning pro-
cesses?
RQ3: Do the same difficulties occur repeatedly during the
learning processes?
RQ4: How much time do participants need to solve diffi-
culties in the learning processes?
RQ5: Which cognitive factors play a role for learning hard-
ware reverse engineering?
4 METHOD
In this section we present our research methods, materials,
and designs. To answer the research questions above, we em-
ploy both longitudinal and cross-sectional research methods
for analyzing the behavior of human analysts on different
levels of expertise.
4.1 Psychological Research Methods
Longitudinal studies are common psychological research meth-
ods and often conducted to repeatedly observe behavioral
changes of individual participants over a period of time [21].
In comparison to cross-sectional studies, longitudinal studies
analyze behavioral changes within one person. The analysis
of longitudinal case studies will focus on individual strategies
in learning processes and in solving difficulties while working
on hardware reverse engineering tasks.
Cross-sectional studies are also commonly used in psy-
chological research and aim to compare behavior between
different study participants [4]. Cross-sectional studies will
focus on the comparison of used strategies, difficulties be-
tween different human analysts, and influences of cognitive
factors as well as different levels of expertise.
By combining these two research methods we intend to
receive a holistic understanding of underlying psychological
processes of humans conducting hardware reverse engineering.
Therefore, we analyze behavioral changes in individual human
analysts over a period of time on the one hand and compare
behavior between different analysts on the other hand. In the
first step, we conduct two longitudinal studies by analyzing
case studies of individual students. In the next section we
outline the study procedures and describe the participants
of the two longitudinal studies.
4.2 Longitudinal Studies: Participants &
Procedures
Both studies are integrated in a novel educational hardware
reverse engineering lab course held in winter term 2018/2019
at Ruhr-Universität Bochum (Germany) and at the University
of Massachusetts Amherst (USA) [28]. The participants were
novice IT security students with backgrounds in computer
security, electrical engineering, or computer science. This
lab course consists of two parts: the lecture phase and the
practical phase. During the lecture phase students acquire
relevant knowledge in Boolean algebra, general knowledge
about hardware - especially FPGAs and ASICs - Hardware
Description Languages (HDLs) like Verilog and VHDL, attack
strategies, and obfuscation techniques. In the second phase,
students can apply their newly acquired theoretical knowledge
by working individually on four realistic hardware reverse
Towards Cognitive Obfuscation ASP-DAC 2019, Jan. 2019, Tokyo, Japan
Figure 4: The completely revised GUI of HAL
engineering projects. The study is included in the practical
phase and the following research data will be generated.
Behavioral Data. Behavioral data of reverse engineering
processes will be analyzed based on log files. To enable par-
ticipants to work on hardware reverse engineering tasks, we
developed four hardware reverse engineering projects as ed-
ucational and study material. In all projects (Section 4.3)
practical hardware reverse engineering tasks are included
which students had to solve by working with our hardware re-
verse engineering software HAL (Section 4.3). While working
with HAL, every single action is recorded automatically and
will be saved as a text file including timestamps and actions,
e.g. python commands, selecting relevant components in the
netlist, or retrieving logic functions. Based on this data, we
aim to analyze if students get more efficient in solving hard-
ware reverse engineering tasks, what sort of difficulties or
mistakes occurred and how much time they needed to solve
them. Please note that the data collection phase has not been
finished yet and first results will be presented in more detail
at the conference.
Questionnaires. Additionally, participants are asked to
answer a number of questionnaires regarding information
about socio-demographics, intelligence [26], motivation [24],
prior experiences in hardware reverse engineering and related
topics, task difficulty [3], and mental effort [18]. Based on
this data we aim to analyze which cognitive and motivational
factors or levels of prior knowledge influence the success in
hardware reverse engineering.
In the following we provide deeper insights about our
hardware reverse engineering software HAL and the single
projects included in the study.
4.3 HAL
Fyrbiak et al. introduced HAL [12], a framework to enable
(semi-)automated hardware reverse engineering. The struc-
ture of HAL is shown in Figure 5. HAL provides a solid
foundation enabling reverse engineers to implement custom
plugins for netlist analysis that operate on a graph-based
abstraction. This abstraction allows for inspection of arbi-
trary netlists independent of specific gate-libraries or target
architectures.
At the time of publication, HAL was mainly a command-
line tool which enabled implementation of arbitrary algo-
rithms through its plugin system. In order to yield verifiable
results for psychological analysis we notably improved the
GUI of HAL. The design goals were (1) reproducibility, (2)
granularity, and (3) more user-friendly. Therefore, we ex-
tended the GUI with an event system, a submodule partition-
ing system, and connected the underlying graph model to a
GUI-integrated python context. Figure 4 shows the new GUI
of HAL. In multiple dockable widgets a variety of tools are
available to the analyst, e.g., a graphical representation of
the netlist, detailed information for selected elements, a rich
logging window, a python shell and a python code editor.
Event System. The new event system allows for exact trac-
ing of user actions. Regardless of the inducing source (user,
plugin, or python code executed live), the core fires detailed
events to notify both, GUI and logger, about changes on the
ASP-DAC 2019, Jan. 2019, Tokyo, Japan C. Wiesen et al.
Netlist Modified 
  Netlist
mod
User
HAL
HDL Parser HDL WriterGraph Core
GUI
Python Shell
Plugin Manager
Analysis 
  Report
Database Database  
  File
Input: Output:
Plugin 1
Plugin n
Plugin 2
...
Figure 5: Overview of the original HAL architecture from [12]
data model. While such an event system is generally used
in GUI and game design, we explicitly designed this system
to create information which can be used by a psychological
analyst to trace the user’s actions. The main functionality
of the former GUI was to allow for interactive netlist explo-
ration. However, it only displayed an immutable static netlist
and was not connected to the plugin system. This is only of
limited benefit to a reverse engineer who wants to use both,
visual inspection and code/plugins, especially when facing
large designs. With the new event system the GUI can react
to changes in the data model, as well as associated data,
regardless of the source, and display the new information
accordingly.
Submodule Partitioning System. While textual output is a
primary method of reporting analysis results, HAL allowed
a reverse engineer to apply a color to a net or gate in order
to create visual groups. However, these colors were isolated
GUI features and could not be created or accessed in plugins
or from python code.
We replaced the isolated coloring system with a new sys-
tem that allows the user to group identified gates or nets into
logical modules, e.g., an identified transceiver circuit. These
so called submodules are persistent and can be created and
accessed via code and interaction with the GUI. To preserve
the visual separation, each submodule is rendered in a sep-
arate color to allow for intuitive visually distinction. Since
a gate or net can belong to multiple submodules, colored
squares on each gate represent all submodules a gate is a
member of. In addition the hierarchy of submodules can be
changed to determine which submodule’s color has higher
priority during rendering. We plan to also include collapsing
of submodules into single abstract elements in the future.
Python Integration. The powerful plugin system of HAL
enables implementation of arbitrary algorithms in C++. How-
ever, a reverse engineer often has to manually explore the ad-
jacent area of identified modules. Going through the rewrite/-
compile/debug cycle of C++ development can make this
process tedious and slow. Therefore, the original version of
HAL featured a python console, i.e., the user could instead of
executing a plugin switch to a python console. The intuitive
and, more importantly, interpreted nature of python allows
for dynamic execution of HAL’s features, circumventing the
necessity to develop plugins for every small step.
The downside was a clear separation of HAL runs between
python console usage, GUI invocation, and plugin calls. We
have integrated the python console into the GUI together with
a python code editor, allowing for interactive development
and execution of scripts (cf. Figure 4, right side) without
the necessity to restart HAL for each use-case. To further
improve interoperability, the python context is connected to
the underlying graph model of the netlist and all operations
are directly executed on the data model. This allows for
interleaved usage of C++ plugins, python scripts, and user
actions in the GUI.
4.4 Educational & Research Material: Hardware
Reverse Engineering Projects
With our enhancements to HAL, we were able to accom-
pany our lectures with practical reverse engineering. At the
same time, we created a platform which enables reproducible
evaluation of human processes by means of several reverse
engineering projects. The purpose of these projects is twofold.
On the one hand the projects were developed to accomplish
educational goals teaching students how to practically apply
various reverse engineering techniques. On the other hand
they had to be implemented as research materials to analyze
human behavior in realistic hardware reverse engineering sce-
narios. To investigate if the twofold purpose of the projects
was successful, a pilot course has been conducted [28]. The
results of the educational evaluation showed the successful
implementation of the projects as educational and research
materials. Nevertheless the analysis revealed indications for
revising aspects of the single projects. In the following the
revised projects which will be used for our upcoming larger
studies are presented.
4.4.1 Project 1 - Introduction to HAL. An introductory project
helps students to understand the various features and the
functionality of HAL. It imparts knowledge about different
gate types and their functionalities, and how HAL can be
incorporated for the reverse engineering process. Dedicated
HAL features like automated generation Boolean functions
- or rather Binary Decision Diagrams (BDDs) - to analyze
the logic of gates are introduced. Moreover applying differ-
ent algorithms from graph theory, e.g., identifying strongly
connected components, are included in project 1, which will
support students in solving hardware reverse engineering
tasks. For that matter a simple cipher has been designed
consisting of a substitution-permutation-network.
4.4.2 Project 2 - FSM Reverse Engineering. In this task an
FSM circuit has to be identified in the sea of gates and the
transition logic has to be reversed. The challenge in this
task is to find the FSM in the netlist with several thousand
gates. The task makes heavy use of novel features of HAL,
like the submodules to group parts in the netlist that belong
together, as described in Section 4.3. The detection of the
FSM has become more realistic by finding false positive
results when it comes to identifying possible FSM circuits.
The challenge for the students is to analyze the candidates
Towards Cognitive Obfuscation ASP-DAC 2019, Jan. 2019, Tokyo, Japan
in more detail. Algorithms from graph theory, supporting
the search, can directly be executed via HAL plugins. Once
the component has been identified the Boolean functions
of the state transition logic has to be explored in order to
retrieve the states and transitions. Live exploration can be
done easily with the integrated Python interface to control
HAL (cf. Section 4.3).
What psychological insights will we gain?
∙ First reference point of how long students need to solve
the FSM reversing task in total.
∙ Analysis and description of students’ mistakes during
the FSM reversing task.
∙ Analysis of how much extra time effort students spent
on solving mistakes.
4.4.3 Project 3 - Obfuscated FSM. In Section 2.2 several
obfuscation techniques to protect the control path - and
thus the FSM - have been described. Therefore, Project 3
incorporates reversing of an FSM based obfuscation technique
named HARPOON [5], as shown in Figure 6. HARPOON
inserts a second FSM (red) to protect the original FSM (blue).
The inserted FSM part has to be traversed in a certain way,
using a specific input sequence, called the enabling key. Every
other input sequence than the enabling key will not lead to the
original FSM thus rendering the hardware design unusable
for unauthorized parties.
𝑠O0start
𝑠O1
𝑠O2
𝑠O3 𝑠
O
4
𝑠A0 𝑠
A
1 𝑠
A
2
𝑠0
𝑠1
𝑠2
𝑠3
𝑖0 𝑖1
𝑖2
Figure 6: Obfuscated FSM using HARPOON [5]
In this project the students need to apply the methods they
learned in Project 2 in order to detect the FSM components in
a gate-level netlist. In addition, the challenge is to circumvent
the implemented obfuscation HARPOON [5]. In summary,
two different attacks have to be performed: First, the states
and transitions of the FSM have to be reversed to disclose
the enabling key. Second, students will learn how to reverse
the obfuscation and manipulate gate-level netlists to patch
the initial state of the FSM [11].
What psychological insights will we gain?
∙ Analysis of how much time students required to solve
the second FSM reversing task in total.
∙ Comparison with reference point of total required time
in Project 2.
∙ Analysis if students have solved Project 3 more effi-
ciently (e.g., shorter solution time, less mistakes, recov-
ering from mistakes faster).
4.4.4 Project 4 - AES. Project 4 combines dynamic and static
netlist reverse engineering by asking the students to extract
a fixed key from an AES design. Therefore the following
steps have to be performed: First the AES S-Box has to
be identified in the netlist and manipulated using HAL in
order to weaken the AES (static part). Secondly, the now
manipulated netlist can be used for dynamic analysis. Due
to purposeful manipulation of the netlist, simulations of the
design allow for extraction of the fixed key [25].
What psychological insights will we gain?
∙ Analysis and description of used hardware reverse en-
gineering strategies in the most complex task of the
study.
∙ Analysis and comparison of total solution time, made
mistakes and time for solving mistakes.
∙ Descriptive analysis of how students recognized pat-
terns and structures in finding the relevant candidates
for extracting the AES key.
5 CONCLUSION
In this paper we highlighted serious security threats evolv-
ing from attacks based on hardware reverse engineering and
identified the need for novel obfuscation methods impeding
such attacks. Based on the inseparable connection of tech-
nical aspects and human factors for conducting hardware
reverse engineering we derived the necessity for obfuscation
methods considering both technical aspects and the behavior
of human analysts. To adequately capture human reverse
engineering strategies we significantly enhanced our hard-
ware reverse engineering tool HAL. In the next step of our
interdisciplinary research, we focused on the exploration of
human factors in hardware reverse engineering by analyzing
their learning processes and identifying common mistakes in
four realistic scenarios. Therefore, we methodically include
both longitudinal and cross-sectional analyses to understand
and characterize hardware reverse engineering processes of
individuals at different levels of expertise. Future studies will
generate deeper insights about underlying human processes,
which may allow for deduction of quantification metrics, even-
tually enabling better obfuscation methods.
ACKNOWLEDGMENT
The research was supported in part by ERC Advanced Grant
695022 and NSF award NS-1563829.
We also want to thank Sebastian Maassen and Adrian
Drees for supporting the development of HAL.
REFERENCES
[1] Yousra Alkabani and Farinaz Koushanfar. 2007. Active Hardware
Metering for Intellectual Property Protection and Security. In
USENIX Security Symposium.
[2] Swarup Bhunia, Michael S Hsiao, Mainak Banga, and Seetharam
Narasimhan. 2014. Hardware Trojan Attacks: Threat Analysis
and Countermeasures. Proceedings of the IEEE 102, 8 (2014),
1229–1247.
[3] Oswald Bratfisch, Gunnar Borg, and Stanislav Dornic. 1972.
Perceived item-difficulty in three tests of intellectual performance
ASP-DAC 2019, Jan. 2019, Tokyo, Japan C. Wiesen et al.
capacity.: (420862004-001). Technical Report. American Psycho-
logical Association. https://doi.org/10.1037/e420862004-001
type: dataset.
[4] Neil R. Carlson (Ed.). 2010. Psychology: the science of behavior
(7th ed ed.). Allyn & Bacon, Boston. OCLC: ocn268547522.
[5] Rajat Subhra Chakraborty and Swarup Bhunia. 2009. HARPOON:
An Obfuscation-Based SoC Design Methodology for Hardware
Protection. IEEE Trans. CAD of Integrated Circuits and Systems
28, 10 (2009), 1493–1502.
[6] Avinash R. Desai, Michael S. Hsiao, Chao Wang, Leyla Nazhandali,
and Simin Hall. 2013. Interlocking Obfuscation for Anti-tamper
Hardware. In Proceedings of the Eighth Annual Cyber Security
and Information Intelligence Research Workshop (CSIIRW ’13).
ACM, New York, NY, USA, Article 8, 4 pages. https://doi.org/
10.1145/2459976.2459985
[7] J. Dofe et al. 2018. Novel Dynamic State-Deflection Method
for Gate-Level Design Obfuscation. IEEE Trans. on CAD of
Integrated Circuits and Systems 37, 2 (2018), 273–285.
[8] Domenic Forte, Swarup Bhunia, and Mark M Tehra-
nipoor. 2017. Hardware Protection through Obfuscation.
https://apps.uqo.ca/LoginSigparb/LoginPourRessources.aspx?
url=http://dx.doi.org/10.1007/978-3-319-49019-9 OCLC:
990626854.
[9] Joachim Funke. 2003. Problemlösendes Denken (1. aufl ed.). Ver-
lag W. Kohlhammer, Stuttgart.
[10] M. Fyrbiak et al. 2017. Hardware Reverse Engineering: Overview
and Open Challenges. In IVSW.
[11] Marc Fyrbiak, Sebastian Wallat, Jonathan Déchelotte, Nils
Albartus, Sinan Böcker, Russell Tessier, and Christof Paar.
2018. On the Difficulty of FSM-based Hardware Obfuscation.
IACR Transactions on Cryptographic Hardware and Embedded
Systems, Volume 2018, Issue 3 (Aug. 2018). https://doi.org/10.
13154/tches.v2018.i3.293-330
[12] Marc Fyrbiak, Sebastian Wallat, Pawel Swierczynski, Max Hoff-
mann, Sebastian Hoppach, Matthias Wilhelm, Tobias Weidlich,
Russell Tessier, and Christof Paar. 2018. HAL-The Missing Piece
of the Puzzle for Hardware Reverse Engineering, Trojan Detec-
tion and Insertion. IEEE Transactions on Dependable and Secure
Computing (2018).
[13] Samuel Greiff, André Kretzschmar, and Detlev Leutner. 2014.
Problemlösen in der Pädagogischen Psychologie. Zeitschrift für
Pädagogische Psychologie 28, 4 (Oct. 2014), 161–166. https:
//doi.org/10.1024/1010-0652/a000140
[14] Ujjwal Guin, Ke Huang, Daniel DiMase, John M. Carulli, Mo-
hammad Tehranipoor, and Yiorgos Makris. 2014. Counterfeit
Integrated Circuits: A Rising Threat in the Global Semiconduc-
tor Supply Chain. Proc. IEEE 102, 8 (Aug. 2014), 1207–1228.
https://doi.org/10.1109/JPROC.2014.2332291
[15] K Kotovsky, J.R Hayes, and H.A Simon. 1985. Why are some
problems hard? Evidence from Tower of Hanoi. Cognitive
Psychology 17, 2 (April 1985), 248–294. https://doi.org/10.
1016/0010-0285(85)90009-X
[16] N. Y. Louis Lee and P. N. Johnson-Laird. 2013. A theory of reverse
engineering and its application to Boolean systems. Journal
of Cognitive Psychology 25, 4 (June 2013), 365–389. https:
//doi.org/10.1080/20445911.2013.782033
[17] Detlev Leutner, Jens Fleischer, Joachim Wirth, Samuel Greiff,
and Joachim Funke. 2012. Analytische und dynamische Prob-
lemlösekompetenz im Lichte internationaler Schulleistungsvergle-
ichsstudien: Untersuchungen zur Dimensionalität. Psychologische
Rundschau 63, 1 (Jan. 2012), 34–42. https://doi.org/10.1026/
0033-3042/a000108
[18] Fred G. W. C. Paas. 1992. Training Strategies for Attaining
Transfer of Problem-Solving Skill in Statistics: A Cognitive-Load
Approach. Journal of Educational Psychology 84, 4 (1992), 6.
[19] Shahed E Quadir, Junlin Chen, Domenic Forte, Navid Asadizan-
jani, Sina Shahbazmohamadi, Lei Wang, John Chandy, and Mark
Tehranipoor. 2016. A Survey on Chip to System Reverse Engi-
neering. JETC 13, 1 (2016), 1–34.
[20] M. G. Rekoff. 1985. On reverse engineering. IEEE Transactions
on Systems, Man, and Cybernetics SMC-15, 2 (March 1985), 244–
252. https://doi.org/10.1109/TSMC.1985.6313354
[21] William R. Shadish, Thomas D. Cook, and Donald T. Camp-
bell. 2001. Experimental and quasi-experimental designs for
generalized causal inference. Houghton Mifflin, Boston.
[22] Bicky Shakya et al. 2017. Introduction to Hardware Obfuscation:
Motivation, Methods and Evaluation. Springer, 3–32.
[23] R. Torrance. 2009. The State-of-the-Art in IC Reverse Engineering.
In CHES. Springer, 363–381.
[24] Regina Vollmeyer and Falko Rheinberg. 2006. Motivational Effects
on Self-Regulated Learning with Different Tasks. Educational
Psychology Review 18, 3 (Nov. 2006), 239–253. https://doi.org/
10.1007/s10648-006-9017-0
[25] Sebastian Wallat, Marc Fyrbiak, Moritz Schlögel, and Christof
Paar. 2017. A Look at the Dark Side of Hardware Reverse Engi-
neering – A Case Study. In IVSW.
[26] David Wechsler, Psychological Corporation, and Inc Pearson Edu-
cation. 2008. WAIS-IV: Wechsler adult intelligence scale. OCLC:
256072924.
[27] Neil H. E. Weste and David Money Harris. 2011. CMOS VLSI
design: a circuits and systems perspective (4th ed ed.). Addison
Wesley, Boston. OCLC: ocn473447233.
[28] Carina Wiesen, Steffen Becker, Marc Fyrbiak, Nils Albartus, Malte
Elson, Nikol Rummel, and Christof Paar. 2018. Teaching Hardware
Reverse Engineering: Educational Guidelines and Practical In-
sights. IEEE TALE 2018: Education and Technology Conference
(2018), 8.
[29] Carsten Willems and Felix C. Freiling. 2012. Reverse Code Engi-
neering — State of the Art and Countermeasures. it - Information
Technology 54, 2 (April 2012), 53–63. https://doi.org/10.1524/
itit.2012.0664
