Advancing Hardware Security Using Polymorphic and Stochastic Spin-Hall Effect Devices

Protecting intellectual property (IP) in electronic circuits has become a serious challenge in recent years. Logic locking/encryption and layout camouflaging are two prominent techniques for IP protection. Most existing approaches, however, particularly those focused on CMOS integration, incur excessive design overheads resulting from their need for additional circuit structures or device-level modifications. This work leverages the innate polymorphism of an emerging spin-based device, called the giant spin-Hall effect (GSHE) switch, to simultaneously enable locking and camouflaging within a single instance. Using the GSHE switch, we propose a powerful primitive that enables cloaking all the 16 Boolean functions possible for two inputs. We conduct a comprehensive study using state-of-the-art Boolean satisfiability (SAT) attacks to demonstrate the superior resilience of the proposed primitive in comparison to several others in the literature. While we tailor the primitive for deterministic computation, it can readily support stochastic computation; we argue that stochastic behavior can break most, if not all, existing SAT attacks. Finally, we discuss the resilience of the primitive against various side-channel attacks as well as invasive monitoring at runtime, which are arguably even more concerning threats than SAT attacks.Comment: Published in Proc. Design, Automation and Test in Europe (DATE) 201

Stealthy parametric hardware Trojans in VLSI Circuits

Over the last decade, hardware Trojans have gained increasing attention in academia, industry and by government agencies. In order to design reliable countermeasures, it is crucial to understand how hardware Trojans can be built in practice. This is an area that has received relatively scant treatment in the literature. In this thesis, we examine how particularly stealthy parametric Trojans can be introduced to VLSI circuits. Parametric Trojans do not require any additional logic and are purely based on subtle manipulations on the sub-transistor level to modify the parameters of few transistors which makes them very hard to detect. We introduce a design methodology to insert stealthy parametric hardware Trojans which are based on injecting extremely rare path delay faults into the netlist of the target circuit. As a case study, we apply our method to a 32-bit multiplier circuit resulting in a stealthy Trojan multiplier that computes faulty outputs for specific combinations of input pairs that are applied to the circuit. The multiplier can be used to realize bug attacks, introduced by Biham et al. in 2008. We also extend this concept and show how it can be used to attack ECDH key agreement protocols. Our method is a versatile tool for designing stealthy Trojans for a given circuit and is not restricted to multipliers and the bug attack. In this thesis we also examine how a stealthy side-channel hardware Trojan can be inserted in a provably-secure side-channel analysis protected implementation. Once the Trojan is triggered, the malicious design exhibits exploitable side-channel leakage leading to successful key recovery attacks. The underlying concept is based on a secure masked hardware implementation which does not exhibit any detectable leakage. However, by running the device at a particular clock frequency one of the requirements of the underlying masking scheme is not fulfilled anymore, and the device\u27s side-channel leakage can be exploited. We apply our technique to a Threshold Implementation of the PRESENT block cipher realized in both FPGA and ASIC. We show that triggering the Trojan makes both FPGA and ASIC prototypes vulnerable to certain SCA attacks. True random number generators (TRNGs) are an essential component of cryptographic designs, which are used to generate private keys for encryption and authentication, and are used in masking countermeasures. This thesis also presents a mechanism to design a stealthy parametric hardware Trojan for ring oscillator-based TRNGs. When the Trojan is triggered by operation at a specific high temperature the malicious TRNG generates predictable non-random outputs, yet under normal operating conditions it works correctly. Also we elaborate a stochastic model based on Markov Chains by which the attacker can use their knowledge of the Trojan to predict the TRNG outputs

Probability Based Logic Locking on Integrated Circuits

The demand of integrated circuits (IC)s are increasing and the industry has outsourced the fabrication process to untrusted environments. An adversary at these untrusted facilities can reverse engineer parts of the IC to reveal the original design. IC piracy and overproduction are serious issues that threaten the security and integrity of a system. These ICs can be copied illegally and altered to contain malicious hardware. The pirated ICs can be placed in consumer products which may harm the system or leak sensitive information. Hardware obfuscation is a technique used to protect the original design before it gets fabricated, tested, assembled, and packaged. Hardware obfuscation intends to hide or alter the original design of a circuit to prevent attackers from determining the true design. Logic locking is a type of hardware obfuscation technique where additional key gates are inserted into the circuit. Only the correct key can unlock the functionality of that circuit otherwise the system produces the wrong output. In an effort to hinder these threats on ICs, we have developed a probability-based logic locking technique to protect the design of a circuit. Our proposed technique called ProbLock can be applied to combinational and sequential circuits through a critical selection process. We used a filtering process to select the best location of key gates based on various constraints. The main constraint is based on gate probabilities in the circuit. Each step in the filtering process generates a subset of nodes for each constraint. We also integrated an anti-SAT technique into ProbLock to enhance the security against a specific boolean satisfiability (SAT) attack. We analyzed the correlation between each constraint and adjusted the strength of the constraints before inserting key gates. We adjusted an optimized ProbLock to have a small overhead but high security metric against SAT attacks. We have tested our algorithm on 40 benchmarks from the ISCAS ’85 and ISCAS ’89 suite. ProbLock is evaluated using a SAT attack on the benchmark and measuring how well the attack performs on the locked circuit. Finally, we compared ProbLock to other logic locking techniques and discussed future steps for this project

Advances in Logic Locking: Past, Present, and Prospects

Logic locking is a design concealment mechanism for protecting the IPs integrated into modern System-on-Chip (SoC) architectures from a wide range of hardware security threats at the IC manufacturing supply chain. Logic locking primarily helps the designer to protect the IPs against reverse engineering, IP piracy, overproduction, and unauthorized activation. For more than a decade, the research studies that carried out on this paradigm has been immense, in which the applicability, feasibility, and efficacy of the logic locking have been investigated, including metrics to assess the efficacy, impact of locking in different levels of abstraction, threat model definition, resiliency against physical attacks, tampering, and the application of machine learning. However, the security and strength of existing logic locking techniques have been constantly questioned by sophisticated logical and physical attacks that evolve in sophistication at the same rate as logic locking countermeasure approaches. By providing a comprehensive definition regarding the metrics, assumptions, and principles of logic locking, in this survey paper, we categorize the existing defenses and attacks to capture the most benefit from the logic locking techniques for IP protection, and illuminating the need for and giving direction to future research studies in this topic. This survey paper serves as a guide to quickly navigate and identify the state-of-the-art that should be considered and investigated for further studies on logic locking techniques, helping IP vendors, SoC designers, and researchers to be informed of the principles, fundamentals, and properties of logic locking

Hardware Intellectual Property Protection Through Obfuscation Methods

Security is a growing concern in the hardware design world. At all stages of the Integrated Circuit (IC) lifecycle there are attacks which threaten to compromise the integrity of the design through piracy, reverse engineering, hardware Trojan insertion, physical attacks, and other side channel attacks — among other threats. Some of the most notable challenges in this field deal specifically with Intellectual Property (IP) theft and reverse engineering attacks. The IP being attacked can be ICs themselves, circuit designs making up those larger ICs, or configuration information for the devices like Field Programmable Gate Arrays (FPGAs). Custom or proprietary cryptographic components may require specific protections, as successfully attacking those could compromise the security of other aspects of the system. One method by which these concerns can be addressed is by introducing hardware obfuscation to the design in various forms. These methods of obfuscation must be evaluated for effectiveness and continually improved upon in order to match the growing concerns in this area. Several different forms of netlist-level hardware obfuscation were analyzed, on standard benchmarking circuits as well as on two substitution boxes from block ciphers. These obfuscation methods were attacked using a satisfiability (SAT) attack, which is able to iteratively rule out classes of keys at once and has been shown to be very effective against many forms of hardware obfuscation. It was ultimately shown that substitution boxes were naturally harder to break than the standard benchmarks using this attack, but some obfuscation methods still have substantially more security than others. The method which increased the difficulty of the attack the most was one which introduced a modified SIMON block cipher as a One-way Random Function (ORF) to be used for key generation. For a substitution box obfuscated in this way, the attack was found to be completely unsuccessful within a five-day window with a severely round-reduced implementation of SIMON and only a 32-bit obfuscation key

Provably Trustworthy and Secure Hardware Design with Low Overhead

Due to the globalization of IC design in the semiconductor industry and outsourcing of chip manufacturing, 3PIPs become vulnerable to IP piracy, reverse engineering, counterfeit IC, and hardware Trojans. To thwart such attacks, ICs can be protected using logic encryption techniques. However, strong resilient techniques incur significant overheads. SCAs further complicate matters by introducing potential attacks post-fabrication. One of the most severe SCAs is PA attacks, in which an attacker can observe the power variations of the device and analyze them to extract the secret key. PA attacks can be mitigated via adding large extra hardware; however, the overheads of such solutions can render them impractical, especially when there are power and area constraints. In our first approach, we present two techniques to prevent normal attacks. The first one is based on inserting MUX equal to half/full of the output bit number. In the second technique, we first design PLGs using SiNW FETs and then replace some logic gates in the original design with their SiNW FETs-based PLGs counterparts. In our second approach, we use SiNW FETs to produce obfuscated ICs that are resistant to advanced reverse engineering attacks. Our method is based on designing a small block, whose output is untraceable, namely URSAT. Since URSAT may not offer very strong resilience against the combined AppSAT-removal attack, S-URSAT is achieved using only CMOS-logic gates, and this increases the security level of the design to robustly thwart all existing attacks. In our third topic, we present the usage of ASLD to produce secure and resilient circuits that withstand IC attacks (during the fabrication) and PA attacks (after fabrication). First, we show that ASLD has unique features that can be used to prevent PA and IC attacks. In our three topics, we evaluate each design based on performance overheads and security guarantees