Effective Iterative Techniques for Fingerprinting Design IP

Fingerprinting is an approach that assigns a unique and invisible ID to each sold instance of the intellectual property (IP). One of the key advantages fingerprinting-based intellectual property protection (IPP) has over watermarking-based IPP is the enabling of tracing stolen hardware or software. Fingerprinting schemes have been widely and effectively used to achieve this goal; however, their application domain has been restricted only to static artifacts, such as image and audio, where distinct copies can be obtained easily. In this paper, we propose the first generic fingerprinting technique that can be applied to an arbitrary synthesis (optimization or decision) or compilation problem and, therefore to hardware and software IPs. The key problem with design IP fingerprinting is that there is a need to generate a large number of structurally unique but functionally and timing identical designs. To reduce the cost of generating such distinct copies, we apply iterative optimization in an incremental fashion to solve a fingerprinted instance. Therefore, we leverage on the optimization effort already spent in obtaining previous solutions, yet we generate a uniquely fingerprinted new solution. This generic approach is the basis for developing specific fingerprinting techniques for four important problems in VLSI CAD: partitioning, graph coloring, satisfiability, and standard-cell placement. We demonstrate the effectiveness of the new fingerprinting-based IPP techniques on a number of standard benchmarks

A Chaotic IP Watermarking in Physical Layout Level Based on FPGA

A new chaotic map based IP (Intellectual Property) watermarking scheme at physical design level is presented. An encrypted watermark is embedded into the physical layout of a circuit by configuring LUT (Lookup Table) as specific functions when it is placed and routed onto the FPGA (Field-Programmable Gate Array). The main contribution is the use of multiple chaotic maps in the processes of watermark design and embedding, which efficiently improves the security of watermark. A hashed chaotic sequence is used to scramble the watermark. Secondly, two pseudo-random sequences are generated by using chaotic maps. One is used to determine unused LUT locations, and the other divides the watermark into groups. The watermark identifies original owner and is difficult to detect. This scheme was tested on a Xilinx Virtex XCV600-6bg432 FPGA. The experimental results show that our method has low impact on functionality, short path delay and high robustness in comparison with other methods

A Survey on IP Watermarking Techniques

Intellectual property (IP) block reuse is essential for facilitating the design process of system-on-a-chip. Sharing IP designs poses significant high security risks. Recently, digital watermarking emerged as a candidate solution for copyright protection of IP blocks. In this paper, we survey and classify different techniques used for watermarking IP designs. To this end, we defined several evaluation criteria, which can also be used as a benchmark for new IP watermarking developments. Furthermore, we established a comprehensive set of requirements for future IP watermarking techniques

Privacy-Preserving IP Verification

The rapid growth of the globalized integrated circuit (IC) supply chain has drawn the attention of numerous malicious actors that try to exploit it for profit. One of the most prominent targets of such parties is the third-party intellectual property (3PIP) vendors and their circuit designs. With the increasing number of transactions between vendors and system integrators, the threat of IP reuse and piracy has become a significant consideration for the IC industry. What is more, the correctness of 3PIP designs should be verified before integration, imposing another challenge for 3PIP vendors since they have to prove the functionality of their designs to system integrators while protecting the privacy of the circuit implementations. To eliminate this deadlock, we utilize the cryptographic technique of \u27zero-knowledge proofs\u27 to enable 3PIP vendors to convince system integrators about various functional properties of a circuit (e.g., area, power, frequency) without disclosing its netlist (i.e., in zero-knowledge). Our approach comprises a circuit compiler that transforms arbitrary netlists into a zero knowledge-friendly format and a library of modules that provide cryptographic guarantees for various properties of the netlist while hiding the actual gates. We evaluate our method using combinational and sequential circuits from the ISCAS and ITC benchmark suites

Preventing integrated circuit piracy using reconfigurable logic barriers

With each new feature size, integrated circuit (IC) manufacturing costs increase. Rising expenses cause the once vertical IC supply chain to flatten out. Companies are increasing their reliance on contractors, often foreign, to supplement their supply chain deficiencies as they no longer can provide all of the services themselves. This shift has brought with it several security concerns classified under three categories: (1) Metering - controlling the number of ICs created and for whom. (2) Theft - controlling the dissemination of intellectual property (IP). (3) Trust - controlling the confidence in the IC post-fabrication. Our research focuses on providing a solution to the metering problem by restricting an attacker\u27s access to the IC design. Our solution modifies the CAD tool flow in order to identify locations in the circuit which can be protected with reconfigurable logic barriers. These barriers require the correct key to be present for information to flow through. Incorrect key values render the IC useless as the flow of information is blocked. Our selection heuristics utilize observability and controllability don\u27t care sets along with a node\u27s location in the network to maximize an attacker\u27s burden while keeping in mind the associated overhead. We implement our approach in an open-source logic synthesis tool, compare it against previous solutions and evaluate its effectiveness against a knowledgeable attacker

Novel Computational Methods for Integrated Circuit Reverse Engineering

Production of Integrated Circuits (ICs) has been largely strengthened by globalization. System-on-chip providers are capable of utilizing many different providers which can be responsible for a single task. This horizontal structure drastically improves to time-to-market and reduces manufacturing cost. However, untrust of oversea foundries threatens to dismantle the complex economic model currently in place. Many Intellectual Property (IP) consumers become concerned over what potentially malicious or unspecified logic might reside within their application. This logic which is inserted with the intention of causing harm to a consumer has been referred to as a Hardware Trojan (HT). To help IP consumers, researchers have looked into methods for finding HTs. Such methods tend to rely on high-level information relating to the circuit, which might not be accessible. There is a high possibility that IP is delivered in the gate or layout level. Some services and image processing methods can be leveraged to convert layout level information to gate-level, but such formats are incompatible with detection schemes that require hardware description language. By leveraging standard graph and dynamic programming algorithms a set of tools is developed that can help bridge the gap between gate-level netlist access and HT detection. To help in this endeavor this dissertation focuses on several problems associated with reverse engineering ICs. Logic signal identification is used to find malicious signals, and logic desynthesis is used to extract high level details. Each of the proposed method have their results analyzed for accuracy and runtime. It is found that method for finding logic tends to be the most difficult task, in part due to the degree of heuristic\u27s inaccuracy. With minor improvements moderate sized ICs could have their high-level function recovered within minutes, which would allow for a trained eye or automated methods to more easily detect discrepancies within a circuit\u27s design

CYBERSECURITY FOR INTELLECTUAL PROPERTY: DEVELOPING PRACTICAL FINGERPRINTING TECHNIQUES FOR INTEGRATED CIRCUITRY

The system on a chip (SoC) paradigm for computing has become more prevalent in modern society. Because of this, reuse of different functional integrated circuits (ICs), with standardized inputs and outputs, make designing SoC systems easier. As a result, the theft of intellectual property for different ICs has become a highly profitable business. One method of theft-prevention is to add a signature, or fingerprint, to ICs so that they may be tracked after they are sold. The contribution of this dissertation is the creation and simulation of three new fingerprinting methods that can be implemented automatically during the design process. In addition, because manufacturing and design costs are significant, three of the fingerprinting methods presented, attempt to alleviate costs by determining the fingerprint in the post-silicon stage of the VLSI design cycle. Our first two approaches to fingerprint ICs, are to use Observability Don’t Cares (ODCs) and Satisfiability Don’t Cares (SDCs), which are almost always present in ICs, to hide our fingerprint. ODCs cause an IC to ignore certain internal signals, which we can utilize to create fingerprints that have a minimal performance overhead. Using a heuristic approach, we are also able to choose the overhead the gate will have by removing some fingerprint locations. The experiments show that this work is effective and can provide a large number of fingerprints for more substantial circuits, with a minimal overhead. SDCs are similar to ODCs except that they focus on input patterns, to gates, that cannot exist. For this work, we found a way to quickly locate most of the SDCs in a circuit and depending on the input patterns that we know will not occur, replace the gates to create a fingerprint with a minimal overhead. We also created two methods to implement this SDC fingerprinting method, each with their own advantages and disadvantages. Both the ODC and SDC fingerprinting methods can be implemented in the circuit design or physical design of the IC, and finalized in the post-silicon phase, thus reducing the cost of manufacturing several different circuits. The third method developed for this dissertation was based on our previous work on finite state machine (FSM) protection to generate a fingerprint. We show that we can edit ICs with incomplete FSMs by adding additional transitions from the set of don’t care transitions. Although the best candidates for this method are those with unused states and transitions, additional states can be added to the circuit to generate additional don’t care transitions and states, useful for generating more fingerprints. This method has the potential for an astronomical number of fingerprints, but the generated fingerprints need to be filtered for designs that have an acceptable design overhead in comparison to the original circuit. Our fourth and final method for IC fingerprinting utilizes scan-chains which help to monitor the internal state of a sequential circuit. By modifying the interconnects between flip flops in a scan chain we can create unique fingerprints that are easy to detect by the user. These modifications are done after the design for test and during the fabrication stage, which helps reduce redesign overhead. These changes can also be finalized in the post-silicon stage, similar to the work for the ODC and SDC fingerprinting, to minimize manufacturing costs. The hope with this dissertation is to demonstrate that these methods for generating fingerprints, for ICs, will improve upon the current state of the art. First, these methods will create a significant number of unique fingerprints. Second, they will create fingerprints that have an acceptable overhead and are easy to detect by the developer and are harder to detect or remove by the adversary. Finally, we show that three of the methods will reduce the cost of manufacturing by being able to be implemented in the later stages of their design cycle

SCAN CHAIN BASED HARDWARE SECURITY

Hardware has become a popular target for attackers to hack into any computing and communication system. Starting from the legendary power analysis attacks discovered 20 years ago to the recent Intel Spectre and Meltdown attacks, security vulnerabilities in hardware design have been exploited for malicious purposes. With the emerging Internet of Things (IoT) applications, where the IoT devices are extremely resource constrained, many proven secure but computational expensive cryptography protocols cannot be applied on such devices. Thus there is an urgent need to understand the hardware vulnerabilities and develop cost effective mitigation methods. One established field in the semiconductor and integrated circuit (IC) industry, known as IC test, has the goal of ensuring that fabricated ICs are free of manufacturing defects and perform the required functionalities. Testing is essential to isolate faulty chips from good ones. The concept of design for test (DFT) has been integrated in the commercial IC design and fabrication process for several decades. Scan chain, which provides test engineer access to all the flip flops in the chip through the scan in (SI) and scan out (SO) ports, is the backbone of industrial testing methods and can be found in almost all the modern designs. In addition to IC testing, scan chain has found applications in intellectual property (IP) protection and IC identification. However, attackers can also leverage the controllability and observability of scan chain as a side channel to break systems such as cryptographic chips. This dissertation addresses these two important security problems by proposing (1) a practical scan chain based security primitive for IP protection and (2) a partial scan chain framework that can mitigate all the existing scan based attacks. First, we observe the fact that each D-flip-flop has two output ports, Q and Q’, designed to simplify the logic and has been used to reduce the power consumption for IC test. The availability of both Q and Q’ ports provide the opportunity for IP protection. More specifically, we can generate a digital fingerprint by selecting different connection styles between adjacent scan cells during the design of scan chain. This method has two major advantages: fingerprints are created as a post-silicon procedure and therefore there will be little fabrication overhead; altering the connection style requires the modification of test vectors for each fingerprinted IP and thus enables a non-intrusive fingerprint verification method. This addresses the overhead and detectability problems, two of the most challenging problems of designing practical IP fingerprinting techniques in the past two decades. Combined with the recently developed reconfigurable scan networks (RSNs) that are popular for embedded and IoT devices, we design an IC identification (ID) scheme utilizing the different connection styles. We perform experiments on standard benchmarks to demonstrate that our approach has low design overhead. We also conduct security analysis to show that such fingerprints and IC IDs are robust against various attacks. In the second part of this dissertation, we consider the scan chain side channel attack, which has been reported as one of the most severe side channel attacks to modern secure systems. We argue that the current countermeasures are restricted to the requirement of providing direct SI and SO for testing and thus suffers the vulnerability of leaving this side channel open to the attackers as well. Therefore, we propose a novel public-private partial scan chain based approach with the basic idea of removing the flip flops that store sensitive information from the scan chain. This will eliminate the scan chain side channel, but it also limits IC test. The key contribution in our proposed public-private partial scan chain design is that it can keep the full test coverage while providing security to the scan chain. This is achieved by chaining the removed flip flops into one or more private partial scan chains and adding protections to the SI and SO ports of such chains. Unlike the traditional partial scan design which not only fails to provide full fault coverage, but also incur huge overhead in test time and test vector generation time, we propose a set of techniques to ensure that the desired test vectors can be entered into the system efficiently. These techniques include test vector reordering, test vector reusing, and test vector generation based on a novel finite state machine (FSM) structure we have invented. On the other hand, to enable the test engineers the ability to observe the test output to diagnose the chip while not leaking information to the attackers, we propose two lightweight mechanisms, one based on linear feedback shift register (LFSR) and the other one based on configurable physical unclonable function (PUF). Finally, we discuss a protocol on how in-field test can be realized using our public-private partial scan chain. We conduct experiments with industrial scan design tools to demonstrate that the required hardware in our approach has negligible area overhead and gives full test coverage with reduced test time and does not need to re-generate test vectors. In sum, this dissertation focuses on the role of scan chain, a conventional design for test facility, in hardware security. We show that scan chain features can be leveraged to create practical IP protection techniques including IP watermarking and fingerprinting as well as IC identification and authentication. We also propose a novel public-private partial scan design principle to close the scan chain side channel to the attackers. Through this dissertation work, we demonstrate that it is possible to develop highly practical scan chain based techniques that can benefit both the community of IC test and hardware security

Effective Iterative Techniques for Fingerprinting Design IP

While previous watermarking-based approaches to intellectual property protection (IPP) have asymmetrically emphasized the IP provider's rights, the true goal of IPP is to ensure the rights of both the IP provider and the IP buyer. Symmetric fingerprinting schemes have been widely and effectively used to achieve this goal; however, their application domain has been restricted only to static artifacts, such as image and audio. In this paper, we propose the first generic symmetric fingerprinting technique which can be applied to an arbitrary optimization/synthesis problem and, therefore, to hardware and software intellectual property. The key idea is to apply iterative optimization in an incremental fashion to solve a fingerprinted instance; this leverages the optimization effort already spent in obtaining a previous solution, yet generates a uniquely fingerprinted new solution. We use this approach as the basis for developing specific fingerprinting techniques for four important problems in VLSI CAD: partitioning, graph coloring, satisfiability, and standard-cell placement. We demonstrate the effectiveness of our fingerprinting techniques on a number of standard benchmarks for these tasks. Our approach provides an effective tradeoff between runtime and resilience against collusion