Testing the Trustworthiness of IC Testing: An Oracle-less Attack on IC Camouflaging
Test of integrated circuits (ICs) is essential to ensure their quality; the test is meant to prevent defective and out-of-spec ICs from entering into the supply chain. The test is conducted by comparing the observed IC output with the expected test responses for a set of test patterns; the test patterns are generated using automatic test pattern generation algorithms. Existing test-pattern generation algorithms aim to achieve higher fault coverage at lower test costs. In an attempt to reduce the size of test data, these algorithms reveal the maximum information about the internal circuit structure. This is realized through sensitizing the internal nets to the outputs as much as possible, unintentionally leaking the secrets embedded in the circuit as well.
In this paper, we present HackTest, an attack that extracts secret information generated in the test data, even if the test data does not explicitly contain the secret. HackTest can break the existing intellectual property (IP) protection techniques, such as camouflaging, within two minutes for our benchmarks using only the camouflaged layout and the test data. HackTest applies to all existing camouflaged gate-selection techniques and is successful even in the presence of state-of-the-art test infrastructure, i.e. test data compression circuits. Our attack necessitates that the IC test data generation algorithms be reinforced with security. We also discuss potential countermeasures to prevent HackTest.
FuncTeller: How Well Does eFPGA Hide Functionality?
Hardware intellectual property (IP) piracy is an emerging threat to the global supply chain. Correspondingly, various countermeasures aim to protect hardware IPs, such as logic locking, camouflaging, and split manufacturing. However, these countermeasures cannot always guarantee IP security. A malicious attacker can access the layout/netlist of the hardware IP protected by these countermeasures and further retrieve the design. To eliminate/bypass these vulnerabilities, a recent approach redacts the design's IP to an embedded field-programmable gate array (eFPGA), disabling the attacker's access to the layout/netlist. eFPGAs can be programmed with arbitrary functionality. Without the bitstream, the attacker cannot recover the functionality of the protected IP. Consequently, state-of-the-art attacks are inapplicable to pirate the redacted hardware IP. In this paper, we challenge the assumed security of eFPGA-based redaction. We present an attack to retrieve the hardware IP with only black-box access to a programmed eFPGA. We observe the effect of modern electronic design automation (EDA) tools on practical hardware circuits and leverage the observation to guide our attack. Thus, our proposed method FuncTeller selects minterms to query, recovering the circuit function within a reasonable time. We demonstrate the effectiveness and efficiency of FuncTeller on multiple circuits, including academic benchmark circuits, Stanford MIPS processor, IBEX processor, Common Evaluation Platform GPS, and Cybersecurity Awareness Worldwide competition circuits. Our results show that FuncTeller achieves an average accuracy greater than 85% over these tested circuits retrieving the design's functionality.
Comment: To be published in the proceedings of the 32nd USENIX Security Symposium, 202
PSOFuzz: Fuzzing Processors with Particle Swarm Optimization
Hardware security vulnerabilities in computing systems compromise the security defenses of not only the hardware but also the software running on it. Recent research has shown that hardware fuzzing is a promising technique to efficiently detect such vulnerabilities in large-scale designs such as modern processors. However, the current fuzzing techniques do not adjust their strategies dynamically toward faster and higher design space exploration, resulting in slow vulnerability detection, evident through their low design coverage. To address this problem, we propose PSOFuzz, which uses particle swarm optimization (PSO) to schedule the mutation operators and to generate initial input programs dynamically with the objective of detecting vulnerabilities quickly. Unlike traditional PSO, which finds a single optimal solution, we use a modified PSO that dynamically computes the optimal solution for selecting mutation operators required to explore new design regions in hardware. We also address the challenge of inefficient initial seed generation by employing PSO-based seed generation. Including these optimizations, our final formulation outperforms fuzzers without PSO. Experiments show that PSOFuzz achieves up to 15.25× speedup for vulnerability detection and up to 2.22× speedup for coverage compared to the state-of-the-art simulation-based hardware fuzzer.
Comment: To be published in the proceedings of the ICCAD, 202
Security Analysis of Anti-SAT
Logic encryption protects integrated circuits (ICs) against intellectual property (IP) piracy and over-building attacks by encrypting the IC with a key. A Boolean satisfiability (SAT) based attack breaks all existing logic encryption techniques within a few hours. Recently, a defense mechanism known as Anti-SAT was presented that protects against the SAT attack by rendering the SAT-attack effort exponential in terms of the number of key gates. In this paper, we highlight the vulnerabilities of Anti-SAT and propose the signal probability skew (SPS) attack against the Anti-SAT block. The SPS attack leverages the structural traces in the Anti-SAT block to identify and isolate the Anti-SAT block. The attack is 100% successful on all variants of the Anti-SAT block. The SPS attack is scalable to large circuits, as it breaks circuits with up to 22K gates within two minutes.
Is Split Manufacturing Secure?
Split manufacturing of integrated circuits (IC) is being investigated as a way to simultaneously alleviate the cost of owning a trusted foundry and eliminate the security risks associated with outsourcing IC fabrication. In split manufacturing, a design house (with a low-end, in-house, trusted foundry) fabricates the Front End Of Line (FEOL) layers (transistors and lower metal layers) in advanced technology nodes at an untrusted high-end foundry. The Back End Of Line (BEOL) layers (higher metal layers) are then fabricated at the design house's trusted low-end foundry. Split manufacturing is considered secure (prevents reverse engineering and IC piracy) as it hides the BEOL connections from an attacker in the FEOL foundry. We show that an attacker in the FEOL foundry can exploit the heuristics used in typical floorplanning, placement, and routing tools to bypass the security afforded by straightforward split manufacturing. We developed an attack where an attacker in the FEOL foundry can connect 96% of the missing BEOL connections correctly. To overcome this security vulnerability in split manufacturing, we developed a fault analysis-based defense. This defense improves the security of split manufacturing by deceiving the FEOL attacker into making wrong connections.
A Red Team/Blue Team Assessment of Functional Analysis Methods for Malicious Circuit Identification
Recent advances in hardware security have led to the development of FANCI (Functional Analysis for Nearly-Unused Circuit Identification), an analysis tool that identifies stealthy, malicious circuits within hardware designs that can perform malicious backdoor behavior. Evaluations of such tools against benchmarks and academic attacks are not always equivalent to the dynamic attack scenarios that can arise in the real world. For this reason, we apply a red team/blue team approach to stress-test FANCI's abilities to efficiently detect malicious backdoor circuits within hardware designs. In the Embedded Systems Challenge (ESC) 2013, teams from research groups from multiple continents created designs with malicious backdoors hidden in them as part of a red team effort to circumvent FANCI. Notably, these backdoors were not placed into a priori known designs. The red team was allowed to create arbitrary, unspecified designs. Two interesting results came out of this effort. The first was that FANCI was surprisingly resilient to this wide variety of attacks and was not circumvented by any of the stealthy backdoors created by the red teams. The second result is that frequent-action backdoors, which are backdoors that are not made stealthy, were often successful. These results emphasize the importance of combining FANCI with a reasonable degree of validation testing. The blue team efforts also exposed some aspects of the FANCI prototype that make analysis time-consuming in some cases, which motivates further development of the prototype in the future.
Vulnerability Assessment of Ciphers To Fault Attacks Using Reinforcement Learning
A fault attack (FA) is one of the most potent threats to cryptographic applications. Implementing a FA-protected block cipher requires knowledge of the exploitable fault space of the underlying crypto algorithm. The discovery of exploitable faults is a challenging problem that demands human expertise and time. Current practice is to rely on certain predefined fault models. However, the applicability of such fault models varies among ciphers. Prior work discovers such exploitable fault models individually for each cipher at the expense of a large amount of human effort. Our work completely replaces human effort by using reinforcement learning (RL) over the huge fault space of a block cipher to discover the effective fault models automatically. Validation on an AES block cipher demonstrates that our approach can automatically discover the effective fault models within a few hours, outperforming prior work, which requires days of manual analysis. The proposed approach also reveals vulnerabilities in the existing FA-protected block ciphers and initiates an end-to-end vulnerability assessment flow.
Towards Provably-Secure Analog and Mixed-Signal Locking Against Overproduction
Similar to digital circuits, analog and mixed-signal (AMS) circuits are also susceptible to supply-chain attacks such as piracy, overproduction, and Trojan insertion. However, unlike digital circuits, supply-chain security of AMS circuits is less explored. In this work, we propose to perform “logic locking” on the digital section of the AMS circuits. The idea is to make the analog design intentionally suffer from the effects of process variations, which impede the operation of the circuit. Only on applying the correct key is the effect of process variations mitigated, and the analog circuit performs as desired. We provide the theoretical guarantees of the security of the circuit, and along with simulation results for the band-pass filter, low-noise amplifier, and low-dropout regulator, we also show experimental results of our technique on a band-pass filter.
When a Patch is Not Enough - HardFails: Software-Exploitable Hardware Bugs
In this paper, we take a deep dive into microarchitectural security from a hardware designer's perspective by reviewing the existing approaches to detect hardware vulnerabilities during the design phase. We show that a protection gap currently exists in practice that leaves chip designs vulnerable to software-based attacks. In particular, existing verification approaches fail to detect specific classes of vulnerabilities, which we call HardFails: these bugs evade detection by current verification techniques while being exploitable from software. We demonstrate such vulnerabilities in real-world SoCs using RISC-V to showcase and analyze concrete instantiations of HardFails. Patching these hardware bugs may not always be possible and can potentially result in a product recall. We base our findings on two extensive case studies: the recent Hack@DAC 2018 hardware security competition, where 54 independent teams of researchers competed world-wide over a period of 12 weeks to catch inserted security bugs in SoC RTL designs, and an in-depth systematic evaluation of state-of-the-art verification approaches. Our findings indicate that even combinations of techniques will miss high-impact bugs due to the large number of modules with complex interdependencies and fundamental limitations of current detection approaches. We also craft a real-world software attack that exploits one of the RTL bugs from Hack@DAC that evaded detection and discuss novel approaches to mitigate the growing problem of cross-layer bugs at design time.