FuncTeller: How Well Does eFPGA Hide Functionality?
Hardware intellectual property (IP) piracy is an emerging threat to the
global supply chain. Correspondingly, various countermeasures aim to protect
hardware IPs, such as logic locking, camouflaging, and split manufacturing.
However, these countermeasures cannot always guarantee IP security. A malicious
attacker can access the layout/netlist of the hardware IP protected by these
countermeasures and further retrieve the design. To eliminate/bypass these
vulnerabilities, a recent approach redacts the design's IP to an embedded
field-programmable gate array (eFPGA), disabling the attacker's access to the
layout/netlist. eFPGAs can be programmed with arbitrary functionality. Without
the bitstream, the attacker cannot recover the functionality of the protected
IP. Consequently, state-of-the-art attacks cannot be applied to pirate the
redacted hardware IP. In this paper, we challenge the assumed security of
eFPGA-based redaction. We present an attack to retrieve the hardware IP with
only black-box access to a programmed eFPGA. We observe the effect of modern
electronic design automation (EDA) tools on practical hardware circuits and
leverage the observation to guide our attack. Thus, our proposed method
FuncTeller selects minterms to query, recovering the circuit function within a
reasonable time. We demonstrate the effectiveness and efficiency of FuncTeller
on multiple circuits, including academic benchmark circuits, Stanford MIPS
processor, IBEX processor, Common Evaluation Platform GPS, and Cybersecurity
Awareness Worldwide competition circuits. Our results show that FuncTeller
achieves an average accuracy greater than 85% over these tested circuits in
retrieving the design's functionality.

Comment: To be published in the proceedings of the 32nd USENIX Security
Symposium, 202