6 research outputs found
Is Robust Design-for-Security Robust Enough? Attack on Locked Circuits with Restricted Scan Chain Access
The security of logic locking has been called into question by various
attacks, especially a Boolean satisfiability (SAT) based attack, that exploits
scan access in a working chip. Among other techniques, a robust
design-for-security (DFS) architecture was presented to restrict any
unauthorized scan access, thereby, thwarting the SAT attack (or any other
attack that relies on scan access). Nevertheless, in this work, we successfully
break this technique by recovering the secret key despite the lack of scan
access. Our security analysis on a few benchmark circuits protected by the
robust DFS architecture demonstrates the effectiveness of our attack; on
average ~95% of the key bits are correctly recovered, and almost 100% in most
cases. To overcome this and other prevailing attacks, we propose a defense by
making fundamental changes to the robust DFS technique; the new defense can
withstand all logic locking attacks. We observe, on average, lower area
overhead (~1.65%) than the robust DFS design (~5.15%), and similar test
coverage (~99.88%).
Comment: To be published in IEEE/ACM International Conference on
Computer-Aided Design (ICCAD) 201
DynUnlock: Unlocking Scan Chains Obfuscated using Dynamic Keys
Outsourcing in the semiconductor industry opened up venues for faster and
cost-effective chip manufacturing. However, this also introduced untrusted
entities with malicious intent, to steal intellectual property (IP),
overproduce the circuits, insert hardware Trojans, or counterfeit the chips.
Recently, a defense was proposed to obfuscate the scan access based on a dynamic
key that is initially generated from a secret key but changes in every clock
cycle. This defense can be considered as the most rigorous defense among all
the scan locking techniques. In this paper, we propose an attack that remodels
this defense into one that can be broken by the SAT attack, while we also note
that our attack can be adjusted to break other less rigorous (key that is
updated less frequently) scan locking techniques as well.
Comment: Accepted at Design, Automation and Test in Europe Conference (DATE)
202
On Designing Secure and Robust Scan Chain for Protecting Obfuscated Logic
In this paper, we assess the security and testability of the state-of-the-art
design-for-security (DFS) architectures in the presence of scan-chain
locking/obfuscation, a group of solutions that has previously been proposed to
restrict unauthorized access to the scan chain. We discuss the key leakage
vulnerability in the recently published prior-art DFS architectures. This
leakage relies on the potential glitches in the DFS architecture that could
lead the adversary to make a leakage condition in the circuit. Also, we
demonstrate that the state-of-the-art DFS architectures impose some substantial
architectural drawbacks that moderately affect both test flow and design
constraints. We propose a new DFS architecture for building a secure scan chain
architecture while addressing the potential of key leakage. The proposed
architecture allows the designer to perform the structural test with no
limitation, enabling an untrusted foundry to utilize the scan chain for
manufacturing fault testing without needing to access the scan chain. Our
proposed solution poses negligible limitation/overhead on the test flow, as
well as the design criteria.
SeqL: Secure Scan-Locking for IP Protection
Existing logic-locking attacks are known to successfully decrypt the functionally
correct key of a locked combinational circuit. It is possible to extend these
attacks to real-world Silicon-based Intellectual Properties (IPs, which are
sequential circuits) through scan-chains by selectively initializing the
combinational logic and analyzing the responses. In this paper, we propose
SeqL, which achieves functional isolation and locks selective flip-flop
functional-input/scan-output pairs, thus rendering the decrypted key
functionally incorrect. We conduct a formal study of the scan-locking problem
and demonstrate automating our proposed defense on any given IP. We show that
SeqL hides functionally correct keys from the attacker, thereby increasing the
likelihood of the decrypted key being functionally incorrect. When tested on
pipelined combinational benchmarks (ISCAS, MCNC), sequential benchmarks (ITC)
and a fully-fledged RISC-V CPU, SeqL gave 100% resilience to a broad range of
state-of-the-art attacks including SAT[1], Double-DIP[2], HackTest[3], SMT[4],
FALL[5], Shift-and-Leak[6] and Multi-cycle attacks[7].
DFSSD: Deep Faults and Shallow State Duality, A Provably Strong Obfuscation Solution for Circuits with Restricted Access to Scan Chain
In this paper, we introduce DFSSD, a novel logic locking solution for
sequential and FSM circuits with a restricted (locked) access to the scan
chain. DFSSD combines two techniques for obfuscation: (1) Deep Faults, and (2)
Shallow State Duality. Both techniques are specifically designed to resist
against sequential SAT attacks based on bounded model checking. The shallow
state duality prevents a sequential SAT attack from taking a shortcut for early
termination without running an exhaustive unbounded model checker to assess if
the attack could be terminated. The deep fault, on the other hand, provides a
designer with a technique for building deep, yet key recoverable faults that
could not be discovered by sequential SAT (and bounded model checker based)
attacks in a reasonable time.
NNgSAT: Neural Network guided SAT Attack on Logic Locked Complex Structures
The globalization of the IC supply chain has raised many security threats,
especially when untrusted parties are involved. This has created a demand for a
dependable logic obfuscation solution to combat these threats. Amongst a wide
range of threats and countermeasures on logic obfuscation in the 2010s decade,
the Boolean satisfiability (SAT) attack, or one of its derivatives, could break
almost all state-of-the-art logic obfuscation countermeasures. However, in some
cases, particularly when the logic locked circuits contain complex structures,
such as big multipliers, large routing networks, or big tree structures, the
logic locked circuit is hard for the SAT attack to solve. Usage of these
structures for obfuscation may lead to a strong defense, as many SAT solvers fail
to handle such complexity. However, in this paper, we propose a
neural-network-guided SAT attack (NNgSAT), in which we examine the capability
and effectiveness of a message-passing neural network (MPNN) for solving these
complex structures (SAT-hard instances). In NNgSAT, after being trained as a
classifier to predict SAT/UNSAT on a SAT problem (NN serves as a SAT solver),
the neural network is used to guide/help the actual SAT solver for finding the
SAT assignment(s). By training NN on conjunctive normal forms (CNFs)
corresponding to a dataset of logic locked circuits, as well as fine-tuning the
confidence rate of the NN prediction, our experiments show that NNgSAT could
solve 93.5% of the logic locked circuits containing complex structures within a
reasonable time, while the existing SAT attack cannot proceed with the attack flow
in them.