KRATT: QBF-Assisted Removal and Structural Analysis Attack Against Logic Locking
This paper introduces KRATT, a removal and structural analysis attack against
state-of-the-art logic locking techniques, such as single and double flip
locking techniques (SFLTs and DFLTs). KRATT utilizes powerful quantified
Boolean formulas (QBFs), which have not found widespread use in hardware
security, to find the secret key of SFLTs for the first time. It can handle
locked circuits under both oracle-less (OL) and oracle-guided (OG) threat
models. It modifies the locked circuit and uses a prominent OL attack to make a
strong guess under the OL threat model. It uses a structural analysis technique
to identify promising protected input patterns and explores them using the
oracle under the OG model. Experimental results on ISCAS'85, ITC'99, and HeLLO:
CTF'22 benchmarks show that KRATT can break SFLTs using a QBF formulation in
less than a minute, can decipher a large number of key inputs of SFLTs and
DFLTs with high accuracy under the OL threat model, and can easily find the
secret key of DFLTs under the OG threat model. It is shown that KRATT
outperforms publicly available OL and OG attacks in terms of solution quality
and run-time.
SALSy: Security-Aware Layout Synthesis
Integrated Circuits (ICs) are the target of diverse attacks during their
lifetime. Fabrication-time attacks, such as the insertion of Hardware Trojans,
can give an adversary access to privileged data and/or the means to corrupt the
IC's internal computation. Post-fabrication attacks, where the end-user takes a
malicious role, also attempt to obtain privileged information through means
such as fault injection and probing. Taking these threats into account and at
the same time, this paper proposes a methodology for Security-Aware Layout
Synthesis (SALSy), such that ICs can be designed with security in mind in the
same manner as power-performance-area (PPA) metrics are considered today, a
concept known as security closure. Furthermore, the trade-offs between PPA and
security are considered and a chip is fabricated in a 65nm CMOS commercial
technology for validation purposes - a feature not seen in previous research on
security closure. Measurements on the fabricated ICs indicate that SALSy
promotes a modest increase in power in order to achieve significantly improved
security metrics.
A Security-aware and LUT-based CAD Flow for the Physical Synthesis of eASICs
Numerous threats are associated with the globalized integrated circuit (IC)
supply chain, such as piracy, reverse engineering, overproduction, and
malicious logic insertion. Many obfuscation approaches have been proposed to
mitigate these threats by preventing an adversary from fully understanding the
IC (or parts of it). The use of reconfigurable elements inside an IC is a known
obfuscation technique, either as a coarse grain reconfigurable block (i.e.,
eFPGA) or as a fine grain element (i.e., FPGA-like look-up tables). This paper
presents a security-aware CAD flow that is LUT-based yet still compatible with
the standard cell based physical synthesis flow. More precisely, our CAD flow
explores the FPGA-ASIC design space and produces heavily obfuscated designs
where only small portions of the logic resemble an ASIC. Therefore, we term
this specialized solution an "embedded ASIC" (eASIC). Nevertheless, even for
heavily LUT-dominated designs, our proposed decomposition and pin swapping
algorithms allow for performance gains that enable performance levels that only
ASICs would otherwise achieve. On the security side, we have developed novel
template-based attacks and also applied existing attacks, both oracle-free and
oracle-based. Our security analysis revealed that the obfuscation rate for an
SHA-256 study case should be at least 45% for withstanding traditional attacks
and at least 80% for withstanding template-based attacks. When the 80%
obfuscated SHA-256 design is physically implemented, it achieves a remarkable
frequency of 368MHz in a 65nm commercial technology, whereas its FPGA
implementation (in a superior technology) achieves only 77MHz.
Evaluating Architectural, Redundancy, and Implementation Strategies for Radiation Hardening of FinFET Integrated Circuits
In this article, the authors explore radiation hardening techniques through the design of a test chip implemented in 16-nm FinFET technology, along with architectural and redundancy design space exploration of its modules. Nine variants of matrix multiplication were taped out and irradiated with neutrons. The results obtained from the neutron campaign revealed that the radiation-hardened variants present superior resiliency when either local or global triple modular redundancy (TMR) schemes are employed. Furthermore, simulation-based fault injection was utilized to validate the measurements and to explore the effects of different implementation strategies on failure rates. We further show that the interplay between these different implementation strategies is not trivial to capture and that synthesis optimizations can effectively break assumptions about the effectiveness of redundancy schemes.
Impact of Orientation on the Bias of SRAM-Based PUFs
This paper investigates the impact of memory orientation on the bias pattern
of SRAM-based PUFs. We designed and fabricated a 65nm CMOS chip that contains
eleven SRAM macros that exercise different memory- and chip-level parameters.
At the memory level, several parameters passed to the SRAM compiler are
considered, including the number of addresses, the number of words, the aspect
ratio, and the chosen bitcell. Chip-level decisions are considered during the
floorplan, including the location and rotation of each SRAM macro in the
testchip. In this study, we conduct a comprehensive analysis of different
memory orientations and their effect on the biasing direction. Physical
measurements performed on 50 fabricated chips revealed that specific memory
orientations, namely R270 and MY90, exhibit a distinct negative biasing
direction compared to other orientations. Importantly, this biasing direction
remains consistent regardless of memory type, column mux ratio, memory size, or
the utilization of SRAMs with different bitcells. Overall, this study
highlights the significance of careful physical implementation and memory
orientation selection in designing SRAM-based PUFs. Our findings can guide
designers in the selection of SRAM memories with properties that make for
better PUFs that potentially require less error correction effort to compensate
for instability.