Threats on Logic Locking: A Decade Later

Threats on Logic Locking: A Decade Later

Kimia Zamiri Azar Department of Electrical and Computer Engineering,
George Mason University, Fairfax, VA, USA.
11email: {kzamiria, hmardani, hhomayou, asasan}@gmu.edu
   Hadi Mardani Kamali Department of Electrical and Computer Engineering,
George Mason University, Fairfax, VA, USA.
11email: {kzamiria, hmardani, hhomayou, asasan}@gmu.edu
  
Houman Homayoun
Department of Electrical and Computer Engineering,
George Mason University, Fairfax, VA, USA.
11email: {kzamiria, hmardani, hhomayou, asasan}@gmu.edu
   Avesta Sasan Department of Electrical and Computer Engineering,
George Mason University, Fairfax, VA, USA.
11email: {kzamiria, hmardani, hhomayou, asasan}@gmu.edu
Abstract

To reduce the cost of ICs and to meet the market’s demand, a considerable portion of manufacturing supply chain, including silicon fabrication, packaging and testing may be pushed offshore. Utilizing a global IC manufacturing supply chain, and inclusion of non-trusted parties in the supply chain has raised concerns over security and trust related challenges including those of overproduction, counterfeiting, IP piracy, and Hardware Trojans to name a few. To reduce the risk of IC manufacturing in an untrusted and globally distributed supply chain, the researchers have proposed various locking and obfuscation mechanisms for hiding the functionality of the ICs during the manufacturing, that requires the activation of the IP after fabrication using the key value(s) that is only known to the IP/IC owner. At the same time, many such proposed obfuscation and locking mechanisms are broken with attacks that exploit the inherent vulnerabilities in such solutions. The past decade of research in this area, has resulted in many such defense and attack solutions. In this paper, we review a decade of research on hardware obfuscation from an attacker perspective, elaborate on attack and defense lessons learned, and discuss future directions that could be exploited for building stronger defenses.

Keywords:
Reverse Engineering, Logic Locking, SAT Attack, SMT Attack

1 Introduction

The increasing cost of IC manufacturing has pushed several stages of the semiconductor device’s manufacturing supply chain offshore [3]. However, many of these offshore facilities are identified as untrusted entities. Processing and fabrication of ICs in an untrusted supply chain poses a number of challenging security threats such as IP piracy and IC overproduction [16]. To counter these threats, various hardware design-for-trust techniques have been proposed. The term logic locking, a.k.a. hardware obfuscation, surfaced in 2008 by EPIC [10], in which a limited programmability was introduced into a netlist by means of inserting additional key programmable gates (KG)s at design time. After fabrication, the functionality of the IC is programmed by loading the correct key values. The key inputs could be stored in, and loaded from, an on-chip tamper-proof memory [23]. The purpose of inserting KGs is to hide the IC’s functionality from untrusted foundries. Since the functionality of a design is locked with a secret key, the attacker cannot learn the functionality of the locked netlist after reverse engineering. Insertion of KGs hides the ICs functionality between different circuit possibilities, each generated by a different key. The correct functionality will be recovered when the loaded -bit key is correct.

EPIC, however did not end the threat against IP piracy (or other related concerns), as this solution and many other obfuscation solutions that were proposed over the last decade were broken using various carefully crafted attacks. A decade of research in this area, has resulted in a wide range of defense [2], [6], [5], [9], [8], [13], [15], [20], [18], [17], [26], [27], [33], [32] and attack solutions [1], [7], [9], [12], [14], [19], [21], [22], [25], [28], [29], [31], [24], [30], [4]. In this paper, we review many of these obfuscation solutions, explain and reviewing most notable attack mechanisms, summarize and compare the effectiveness of obfuscation solutions against these attacks, and describe the strength and weaknesses of various obfuscation and attack solutions. As illustrated in Fig. 1, the defense and attack solutions related to hardware obfuscation, based on functionality, capability, effectiveness and time-line are categorized into four categories: (1) Test-Inspired Attacks that were mostly inspired from test concepts and attempted to discover the obfuscation key value based on the location of KGs, described in Section 2. (2) SAT Attack, formulation and revelation of which significantly affected the direction and presumed assumptions of the hardware obfuscation research community, explained in Section 3. (3) Post-SAT Attacks where the focus of hardware security researchers changed to the design of an attack against obfuscation solutions that resist the SAT attack, explained in 4. And (4) SMT Attack as a universal attack platform capable of instantiating many theory solvers to act as pre- post- or co- processors to the SAT solver, described in Section 5. We conclude the paper in Section 6 by summarizing the effectiveness of attacks discussed in this paper and provide a short discussion on new opportunities related to designing secure logic locking solutions.

Figure 1: Categorization of attacks against logic locking schemes.

2 Stage 1: Test-Based Attacks

2.1 Brute Force Attack

The brute force attack is the most intuitive attack against obfuscated circuits. This attack exhaustively search for the correct key by testing all key and input values. For instance, assuming that adversary has access to the reverse-engineered netlist, and considering that the circuit has four s ( ) and two s (), an exhaustive search may result in applying of test patterns (in the worst case) and checking the output against an activated (functionally correct) chip to verify correctness. Based on the number of primary inputs () and the number of key bits (), the number of possible test patterns is (). Hence, the search space for a brute force attack is extremely large, making the attack even for small circuits and small number of keys unfeasible in a reasonable amount of time. For example, a small circuit with 20 input pins, which is obfuscated with 80 key gates poses possible test pattern. An attacker can reduce the number of test patterns using functional test or random test, in which the exponential impact of s will be eliminated, and only is required for brute force attack. But even with this change, the attack time is exponential with respect to the number of key gates. EPIC [10] used a random KG insertion policy referred to as random logic locking (RLL). Using RLL, EPIC reasoned that by replacing a small percentage of gates (or insertion of KGs), the obfuscation can resist brute force attacks.

2.2 Sensitization Attack

After introducing EPIC [10], Rajendran et al. [9] proposed a sensitization attack, which determines individual key values, in a time linear to the —KI—, by applying patterns that sensitize key values to the output. As its name implies, sensitization of an internal wire (key bit) to an output means that the value of can be propagated to and thus any change on is observable on . After determining an input pattern that propagates the value of the key-bit to the output, the attacker applies the input pattern to a functional IC (An IC activated and programmed with the correct key that could be obtained from market). The correct key value will be propagated to an output by applying this pattern to the functional IC. The attacker observe and record this output as the value of the sensitized key-bit. The propagation of a key-bit to the output is heavily depending on the location of the KGs, hence, they classify KGs based on their location and discuss corresponding attack strategies for each case. The summary of strategies and techniques used in the sensitization attack is reflected in Table 1. To prevent sensitization attack they proposed SLL, in which the KGs are inserted in locations with maximum mutual interference. In SLL the attacker cannot sensitize the key-bit values to a primary output. Similar to SLL, several prior-art methods in the literature, including fault-analysis (FLL), LUT-based locking, etc. [2], [6], [9], [8], [27], , tried to maximize the complexity of obfuscation using different KGs replacement strategies.

Term Description Strategy used by attacker
Runs of KGs Back-to-Back KGs Replacing by a Single KG
Isolated KGs No Path between KGs Finding Unique Pattern per
KG (Golden Pattern (GP))
Dominating KGs is on Every Path Muting ,
between and s Sensitizing
Concurrently Mutable Convergent at a Third Gate Muting ,
Convergent KGs Both can be Propagated to s Sensitizing
Sequentially Mutable Convergent at a Third Gate Determining by GP,
Convergent KGs One can be Propagated to s Update the Netlist, Target
Non-Mutable Convergent at a Third Gate Brute Force Attack
Convergent KGs None can be Propagated to s
Table 1: Classification of KGs in Sensitization Attack.

2.3 Random-based Hill-Climbing Attack

Plaza et al. [24] developed a new algorithmic attack that uses test patterns and observe responses. Unlike sensitization attack [9], their proposed approach does not require netlist access. They propose a randomized local key-searching algorithm to search the key that can satisfy a subset of correct input/output patterns. The algorithm proposed in [24] is iterative in nature. At first, it selects random value for key bits and then at each iteration, the key bits, which are selected randomly, are toggled one by one. The target is to minimize the frequency of differences between the observed and expected responses. Hence, a random key candidate is gradually improved based on observed test responses. If no solution is found in one iteration, the algorithm resets the key to a new random key value. However, the complexity of this attack quickly increases with increasing number of KGs.

3 Stage 2: SAT Attack

In 2015, Subramanyan et al. [22] proposed a new and powerful attack using Boolean satisfiability (SAT) solver, called SAT attack, that effectively and quickly broke all previously proposed logic locking techniques. As an ”oracle-guided” attack, SAT attack requires a reverse-engineered but locked netlist (), and a functionally activated chip (). A circuit view of steps taken in a SAT attack is shown in Fig. 2. For this attack, the attacker first replicate the obfuscated circuit and builds a double circuit which is used for finding an input (X[i]) that for two different key values generates two different outputs. Such input is referred to as Discriminating Input Pattern(DIP). Each X[i] is used to create a DI validation circuit (DIVC). The validation circuit, as shown in Fig. 2 assures that for a previously found X[i], two different keys generate the same output value. Each iteration of the SAT attack finds a new (X[i]), and add a new DI validation circuit. The DIVCs are ANDed together to form a Set of Correct Key Validation Circuit (SCKVC). In each iteration, the SAT solver try to find a new X[i] and two key values that satisfy the double circuit (KDC) and the Validation Circuit (SCKVC). The key values and the X[i], as illustrated in Alg. 1 (line 5), is found by a SAT query. This means the new key generate two different values for the new X[i], but generate the same value for all previously found Xs for both key values. This process continues until the SAT solver cannot find a new X[i] (line 4). At this point any key that generates the correct output for the set of found Xs is the correct key (line 9).

Figure 2: SAT Attack Iterative Flow.
1:function SAT_Attack(Circuit C, Circuit C)
2:       i 0; F C(X, K, Y) C(X, K, Y);
3:       while SAT(F (Y Y)) do
4:             X[i] sat_assignment (F(YY)); Y[i] C(X[i]);
5:             F F C(X[i], K, Y[i]) C(X[i], K, Y[i]); i i+1;        
6:        sat_assignment(F);
Algorithm 1 SAT-based Attack Algorithm [22]

For all prior obfuscation schemes, even those resistant to sensitization attack, the SAT attack was able to rule out a significant number of key values at each iterations (by finding each DIP). Hence, In order to thwart SAT attack, the first attempted approach was to weaken the strength of the DIPs to reduce its pruning power. SARLock [20] and Anti-SAT [32] were the first prior-art methods that accomplished this. Both SARLock and Anti-SAT engaged one-point flipping function, demonstrated in Fig. 3. Using this obfuscation scheme, each DIP is able to rule out only one incorrect key. Hence, the SAT attack requires to apply all to retrieve the correct functionality. However, this method results in obfuscation circuits that for all but one output work as the original circuit, and the output corruption upon application of a wrong key is quite low.

IN k=0 k=1 k=2 k=3 k=4 k=5 k=6 k=7 0 1 2 3 4 5 6 7
Figure 3: Flipping Structure of SARLock and Anti-SAT.

4 Stage 3: Post-SAT Attacks

As discussed, the proposed SAT-resilient solutions suffered from low output corruption. This however could have been addressed by combining a SAT-hard solution with a traditional obfuscation solution, such as RLL or SLL, that exhibits high level of output corruption. Although SAT-resilient logic locking schemes provided a defense against SAT attack, researchers found new vulnerabilities associated with this class of obfuscation techniques resulting in the development of many new attacks on the presumed SAT-hard logic locking schemes described in this section.

4.1 Removal Attack

As shown in Fig 3, in bare implementation of one-point flipping circuit, the locking circuitry is completely decoupled from the original circuit. A removal attack identifies and removes/bypasses the locking circuitry to retrieve the original circuit and to remove dependence on key values [19]. The removal attack, presented in [19], was used to detect and remove SARLock [20]. In presence of removal attack, researchers investigated SAT-hard solutions that are hard to detect (preventing removal by pure structural analysis), an example of which was Anti-SAT [32].

4.2 Signal Probability Skew (SPS) Attack

The Signal Probability Skew (SPS) attack [21] leverages the structural traces in Anti-SAT block to identify and isolate the Anti-SAT block [32]. Signal probability skew (SPS) of a signal x is defined as , where indicates the probability that signal is . The range of is . If the SPS of signal is closer to zero, an attacker have lower chance of guessing the signal value by random. For a 2-input gate, the signal probability skew is the difference between the signal probability of its input wires. The flipping-circuit in the Anti-SAT is constructed using two complementary circuits, and , in which the number of input vectors that make the function equal to 1 () is either close to 1 or . These two complementary circuits converge at an AND gate . Considering this structure, the absolute difference of the signal probability skew (ADS) of the inputs of gate is quite large, noting that the SAT resilience is ensured by this skewed . Algorithm 2 shows the SPS attack, which identifies the Anti-SAT block’s output by computing signal probabilities and searching for the skew(s) of arriving signals to a gate in a given netlist.

1:function SPS_Attack(Circuit C)
2:       ADS ;
3:       for each gate C do
4:             ADS(gate) Compute_ADS(C, gate);        
5:        Find_Maximum(ADS);
6:        Find_value_from_skew(); Correct value of Anti_SAT output
7:       C remove_TFI(C, , ); Transitive FanIn of the gate
8:       return C C: C after removing Anti_SAT block
Algorithm 2 SPS Attack Algorithm [21]

4.3 Bypass Attack

Although SARLock and Anti-SAT break the SAT attack, their respective output corruptibility is very low if they are not mixed with traditional logic locking, such as SLL. Observing and relying on the very low level of output corruption in such SAT-hard solutions, the bypass attack [28] was introduced. The bypass attack instantiates two copies of the obfuscated netlist using two randomly selected keys, and build a miter circuit that evaluates to 1 only when the output of two circuits is different. The miter circuit is then fed to a SAT solver looking for such inputs. The SAT returns with minimum of two inputs for which the outputs are different. These input patterns are tested using an activated IC (golden IC) validating the correct output. Then a bypass circuit is constructed using a comparator that is stitched to the primary output of the netlist which is unlocked using the selected random key, to retrieve the correct functionality if that input pattern is applied. The Bypass attack works well when the SAT-hard solution is not mixed with traditional logic locking mechanism since its overhead increases very quickly as output corruption of logic locking increases. This observation motivated researchers to look at possibilities of approximate attacks to retrieve the key values associated to non SAT-hard obfuscation solutions that are mixed with SAT-hard solutions.

4.4 AppSAT Attack

So far, defences solution to mitigate the SAT attack, are based on the assumption that the attacker needs an exact attack on logic locking. However, Shamsi et al. [12] proposed a new attack (AppSAT), which relax this constraint. AppSAT shown in Algorithm 3, is an approximate attack on logic locking based on the SAT attack and random testing. The authors use probably-approximate-correct (PAC) model for formulating approximate learning problem. The exact SAT attack continues to find DIPs until no more DIPs can be found. However, the AppSAT will be terminated in any early step in which the error falls below the certain limit. If this condition happens, the key value will be considered as an approximate key with specified error rate; otherwise, the random sampling that resulted in a disagreement will be added to a SAT formula as a new constraint. In AppSAT, heuristic methods for estimating the error is used for large functions, to avoid any computation complexity.

4.5 Double-DIP Attack

Double-DIP [30] is another approximate attack, shown in Algorithm 4. Double-DIP is an extension of SAT attack in which during each iteration, the discriminating input should eliminate at least two wrong keys. To illustrate its effectiveness, researchers used double-DIP to target SARLockSSL, representing a compound of SAT-hard and high output corruption obfuscation. When the double-DIP attack terminates, the key of the traditional logic locking (SSL) is guaranteed to be correct. As a result, the compound logic locking will be reduced to a single SAT attack resilient technique, that could then be attacked using bypass attack.

1:function AppSAT_Attack(Circuit C, Circuit C)
2:       i 0; F C(X, K, Y) C(X, K, Y);
3:       while SAT(F (Y Y)) do
4:             X[i] sat_assignment (F(YY)); Y[i] C(X[i]);
5:             F F C(X[i], K, Y[i]) C(X[i], K, Y[i]); i i+1;
6:             every rounds do
7:             for each ( Random Patterns) do
8:                    if C(X, K, Y) C(X) then
9:                          FailedPatterns FailedPatterns + 1;
10:                          F F (C(X, K, Y) = C(X)); i i+1;                                  
11:             if error ¡ ErrorThreshold then
12:                    return K as an approximate key                     
13:        sat_assignment(F);
Algorithm 3 AppSAT Attack Algorithm [12]
1:function DoubleDIP_Attack(Circuit C, Circuit C)
2:       i 0; F C(X, K, Y) C(X, K, Y) C(X, K, Y) C(X, K, Y) ;
3:       while SAT(F (Y Y)) (K K)) (K K)) do
4:             X[i] sat_assignment (F(YY)) (K K)) (K K));
5:             Y[i] C(X[i]);
6:             F F C(X[i], K, Y[i]); i i+1;        
7:        sat_assignment(F);
Algorithm 4 Double-DIP Attack Algorithm [30]

4.6 Bit-Flipping Attack

The Bit-flipping attack [29] is yet another attack against compound logic locking schemes in which a SAT-hard solution such as SARLock is combined with a traditional logic locking to guarantee both high error rates and resilience to the SAT-based attack. In Bit-flipping attack, the keys are first separated into two groups ( and ) by counting DIPs for two keys with hamming distance equal to one. The attack is motivated from the observation that in traditional logic locking, wrong key causes substantial wrong input-output pattern. However, the error rate of bit-flipping function is usually very small. As shown in Algorithm 5, after separation of keys, this attack fixes SAT-resilient keys, , as a random number, and uses a SAT solver to find the correct key values for . After finding , the bypass attack is applied to retrieve the original circuit.

1:function BitFlipping_Attack(Circuit C, Circuit C)
2:       for each  ¡ Fixed-iteration do
3:             K a random key;
4:             for each bit b K do
5:                    K K while bit b flipped;
6:                    i 0; F C(X, K, Y) C(X, K, Y);
7:                    while SAT(F (Y Y)) do
8:                          X[i] sat_assignment (F(YY));
9:                          F F (X X[i]); i i+1;
10:                          if i ¿ Threshold then
11:                                 b is in K,
12:                                 break;                                                             + 1;        
13:       K all key bits K; Seperation is Done. Then, fix K as a random number.
14:       K SAT_ATTACK (C, C); Find Traditional Keys using SAT.
15:       C update_netlist(C — K)
16:       return (BYPASS_ATTACK(C);
Algorithm 5 Bit-flipping Attack Algorithm [29]

4.7 AppSAT Guided Removal Attack

AppSAT Guided Removal (AGR) attack targets compound logic locking, particularly Anti-SAT + traditional logic locking [19]. This attack integrates AppSAT with a simple structural analysis of the locked netlist (a post-processing steps). Unlike AppSAT, the AGR attack recovers the correct key. In this attack, first the AppSAT is used to find the key of the traditional obfuscation scheme (used as a part of compound lock). Then, AGR targets the remaining key bits belong to the SAT-resilient logic locking, such as Anti-SAT block, through a simple structural analysis. As shown in Algorithm 6, in the post-processing steps, AGR finds the gate () at which most of the Anti-SAT key bits converge. AGR finds by tracing the transitive fanout of the Anti-SAT key inputs, where all the Anti-SAT key bits converge. The ratio of key bits converging at each of the inputs of the gate , are close to , which is shown as the selected property in line 7 of Algorithm 6. AGR identifies the candidates for gate by checking this property for all gates in the circuit, and then sort these candidate based on the number of key inputs that converge at a gate and pick the gate from all candidates, which has the most number of key inputs converge to that gate. Then the attacker re-synthesize the design with the constant value for the output of gate and retrieving the correct functionality.

1:function AGR_Attack(Circuit C, Circuit C)
2:       Cand num_gates(C)
3:       while (Cand ¿ 1 and Timeoutdo
4:             AppSAT_Attack(); 4 times
5:             Candidates ;
6:             for each gate C do
7:                    if gate has the selected property then
8:                          Candidates Candidates + 1;                                         
9:        Find_Max_key_count(Candidates);
10:       C remove_TFI(C, ); remove Transitive FanIn of the gate
11:       return C; C: C after removing Anti_SAT block
Algorithm 6 AGR Attack Algorithm [19]

4.8 Sensitization Guided SAT Attack

While the one-point flipping circuit in Anti-SAT and SARLock are completely decoupled from the original netlist, Li et al. [15] proposed the AND-tree Insertion (ATI), as a SAT-resilient logic locking, which embeds AND trees inside the original netlist. It not only makes all aforementioned attack less effective, it also decreases the implementation overhead. Additionally, the input of AND-tree are camouflaged by inserting INV/BUF camouflaged gates, which can be replaced with the XOR/XNOR gates in order to lock the AND-tree. However, this defense was broken by a new attack that was coined as Sensitization Guided SAT (SGS) attack [19]. The SGS attack is carried out in two stages: (1) sensitization that exploits bias in input patterns which allows an attacker to apply only a subset of DIPs, i.e., those that bring unique values to the AND-tree inputs. (2) SAT attack using the patterns discovered in the first stage.

4.9 Functional Analysis Attack

Aiming to provide a defense that resists all previously formulated attacks led to the introduction of Stripped-Functionality Logic Locking (SFLL) [18]. In SFLL the original circuit is modified for at-least one input pattern (cube) using a cube stripping unit, demonstrated in Fig. 4. As shown, is the output of the stripped circuit, in which the output corresponding to at-least one input pattern is flipped. The restore unit not only generates the flip signal for one input pattern per each wrong key, it also restores the stripped output, (e.g. in Fig. 4) to recover the correct functionality on . Note that applying removal attack on restore unit recovers , which is not the correct functionality. In addition, SFLL-HD is able to protect input patterns that are of Hamming Distance (HD) from the -bit secret key, and accordingly uses Hamming Distance checker as a restore unit (e.g. in Fig. 4 is also called TTLock [17]).

Although SFLL was resilient against all previously formulated attacks, it was exploited using a newly formulated attack, called Functional Analysis on Logic Locking (FALL) attack [4]. In this attack model, the adversary is assumed to be a malicious foundry that knows the locking algorithm and its parameters, e.g. in SFLL-HD. A FALL attack is carried out in three main stages and relies on structural and functional analyses to determine potential key values of a locked circuit. First, FALL attack tries to find all nodes which are the results of comparing an input value with a key input. It is done by a comparator identification. Such nodes (), which contains these particular comparators, are very likely to be part of the functionality restoration unit. The set of all inputs that appear in these comparators, should be in the fan-in cone of the cube stripping unit. Then, it finds a set of all gates whose fan-in-cone is identical to the members of . This set of gates must contain the output of the cube stripping unit. Second, the attacker applies functional analysis on the candidate nodes suggested by and collected from the first stage to identify suspected key values. Broadly speaking, the attacker uses functional properties of the cube stripping function used in SFLL, to determines the values of the keys. Based on the author’s view, this function has three specific properties. So, they have proposed three attacks algorithms on SFLL, which exploit unateness and Hamming distance properties of the cube stripping functions. The input of these algorithm is circuit node , that computed from the first stage, and the algorithm checks if behaves as a Hamming distance calculator in the cube stripping unit of SFLL-HD. If the attack is successful, the return value is the protected cube. Third, they have proposed a SAT-based key confirmation algorithm using a list of suspected key values and I/O oracle access, that verifies whether one of the suspected key values computed from the second stage, is correct.

IN k=0 k=1 k=2 k=3 k=4 k=5 k=6 k=7 0 1 2 3 4 5 6 7
Figure 4: SFLL-HD while .

4.10 CycSAT Attack

Considering the strength of all previously formulated attacks, some of the researchers started seeking solutions that fundamentally violated the assumptions of these attacks with respect to the nature of locked circuits. One of such attempts was the introduction of cyclic logic locking [13][26], was first proposed in [13]. In this obfuscation technique, as shown in Algorithm 7, each deliberately established cycle is designed to have more than one way to open. The requirement for having more than one way to open each cycle assures that even if the original netlist has no cycle by itself, the cycles remains irreducible by means of structural analysis. The cyclic obfuscation resulted in an obfuscation with high level of output corruption, while it was able to break the SAT attack either by 1) trapping it in an infinite loop, or 2) forcing it to exit with a wrong key depending on weather the introduced cycles make the circuit stateful or oscillating.

The promise of secure cyclic obfuscation was shortly after broken by CycSAT attack [7]. In CycSAT, the key combinations that result in formation of cycles are found in a pre-processing step. These conditions are then translated into problem augmenting CNF formulas, denoted as cycle avoidance clauses, satisfaction of which guarantee no cycle in the netlist. The cycle avoidance clauses are then added to the original SAT circuit CNF and the SAT attack is executed. The validity of this attack, however, was challenged in [26], as researchers illustrated that the pre-processing time for CycSAT attack is linearly dependent on the number of cycles in the netlist. Hence, by building an exponential relation between the number of feedback, and the number of cycles in the design, the pre-processing step of CycSAT will face exponential runtime.

4.11 Behavioral SAT (BeSAT) Attack

Inability to analyze all cycles in the prepossessing step of CycSAT results in missing cycles in the pre-processing step of CycSAT, leading to building a statefull or oscillating circuit, trapping the SAT stage of the CycSAT attack. BeSAT [31] remedies this shortcoming by augmenting the CycSAT attack with a run-time behavioral analysis. As shown in Algorithm 8, by performing behavioral analysis at each SAT iteration, BeSAT detects repeated DIPs when the SAT is trapped in an infinite loop. Also, when SAT cannot find any new DIP, a ternary-based SAT is used to verify the returned key as a correct one, preventing the SAT from exiting with an invalid key.

1:function CycSAT_Attack(Circuit C, Circuit C)
2:        FindFeedback(C);
3:       for each  do
4:              no_ structural_ path();        
5:       i 0; (K)=
6:       C(X, K, Y) C(X, K, Y) (K); F C(X, K, Y) C(X, K, Y);
7:       while SAT(F (Y Y)) do
8:             X[i] sat_assignment (F(YY)); Y[i] C(X[i]);
9:             F F C(X[i], K, Y[i]) C(X[i], K, Y[i]); i i+1;        
10:        sat_assignment(F);
Algorithm 7 CycSAT Attack on Cyclic Locked Circuits [13]
1:function BeSAT_Attack(Circuit C, Circuit C)
2:        FindFeedback(C);
3:       for each  do
4:              no_ structural_ path();        
5:       i 0; (K)=
6:       C(X, K, Y) C(X, K, Y) (K); F C(X, K, Y) C(X, K, Y);
7:       while SAT(F (Y Y)) do
8:             X[i] sat_assignment (F(YY)); Y[i] C(X[i]);
9:             F F C(X[i], K, Y[i]) C(X[i], K, Y[i]);
10:             if (X[i] in DIP) and (C(X[i], K) Y[i])) then
11:                    F F (K K̂${}_{1}$) (K K̂${}_{1}$);
12:             else if (X[i] in DIP) and (C(X[i], K) Y[i]) then
13:                    F F (K K̂${}_{2}$) (K K̂${}_{2}$);              
14:             i i+1;        
15:       while SAT(Fdo Correct Key: K̂${}_{c}$
16:             if Ternary_SAT(F, Kthen
17:                    F F (K K̂${}_{c}$)
18:             else
19:                     K̂${}_{c}$; break;                     
Algorithm 8 BeSAT Attack on Cyclic Locked Circuits [31]

5 Stage 4: SMT Attack

As discussed previously, many of the attacks proposed at post-SAT attack stage were formulated by adding a pre-processing step to the original SAT attack, and/or extending the SAT attack to co-process and check additional features in each iteration. In other terms, to break many of the post-SAT era obfuscation techniques, attackers relied on compound attacks by combining SAT solvers by pre-processors (e.g. in CycSAT) and co-processors (e.g. in BeSAT) to extend its modeling reach. Motivated by this trend, the need for having pre- co- and post- processors along with a SAT solver in an attack was realized and addressed in [14] and a new and extremely powerful attack, coined as Satisfiability Module Theory (SMT) attack was introduced. The strength of SMT attack, as the superset of SAT attack, comes from its ability to combine SAT and Theory solvers. As shown in Fig. 5, The SMT attack could be invoked with any number and combination of theory solvers, and a SAT solver, which allow the attacker to express constraints that are difficult or even impossible to express using CNF, including timing, delay, power, arithmetic, graph and many other first-order theories in general. To showcase the modeling capability of SMT attack, the authors used the SMT attack 1) to break a new breed of obfuscation that relied on locking the delay information in netlist (by generating setup and hold violations), 2) to formulate an accelerated attack (to reduce the attack time) with means of approximate exit (if trapped with SAT hard solutions).

Figure 5: Overall Architecture of SMT Attack for Circuit Deobfuscation [14].

In pursuit of obfuscation schemes that could not be attacked by SAT motivated attackers, some researchers tried to extend the locking mechanism to aspects of a circuit’s function that cannot be translated to CNF. For example, Xie et al. proposed a timing obfuscation scheme, denoted as delay logic locking (DLL), in [33]. The Goal of DLL obfuscation scheme is introducing setup and hold violation if the correct key is not applied. In this case, the obfuscation attempts to change both logical and behavioral (timing) properties. A functionally-correct but timing-incorrect key will result in timing violations, leading to circuit malfunctions. Considering that timing is not translatable to CNF, the SAT solver remains oblivious to the keys used for timing obfuscation. Authors in [14], however, illustrated that the SMT attack could easily deploy a graph theory solver, provide timing constraints to the theory solver (in terms of required min and max delay to meet the hold and setup time), and use the theory solver in parallel with the internal SAT solver to break both logic and delay obfuscation. They additionally show that the theory solver could be initiated as a pre-processor (Eager SMT approach) or as a co-processor (Lazy SMT approach) to break the same problem, showcasing the strength of SMT attack. The lazy mode of this attack is illustrated in Algorithm 9. Although at about the same time Chakraborty proposed TimingSAT to attack the DLL [1], similar to many prior SAT-based attack, it was by deploying a pre-processor for analysis of graph timing, and generating helper clauses for the subsequent call to the SAT attack.

1:function SMTLazy_Attack(Circuit C, Circuit C)
2:       C toBOOLEAN(C); Replace TDK with Buffer
3:       i 0; F C(X, K, Y) C(X, K, Y);
4:       G toGRAPH(C); Wires = Edges, Gates = Vertices
5:       F GenTCE(G) Theory Learned Clauses
6:       F F F; SMT Clauses
7:       while SMT(Fdo X[i], K, K, CC
8:             Y[i] C(X[i]); F F C(X[i], K, Y[i]) C(X[i], K, Y[i]);
9:             F F CC; i i+1;        
10:        smt_assignment(F);
11:
1:       function GenTCE(Graph G)
2:             Inputs find_start_points(G); Outputs find_end_points(G); T [];
3:             for each ((Sp, Ep) (Inputs, outputsdo
4:                    Upper(Sp,Ep)(K) !(distance_leq(Sp, Ep, t)); Hold Violation
5:                    Lower(Sp,Ep)(K) distance_leq(Sp, Ep, t); Setup Violation
6:                    Range(Sp,Ep)(K) Lower(Sp,Ep)(K) Upper(Sp,Ep)(K);
7:                    T T Range(Sp,Ep)(K);              
8:             return T        
Algorithm 9 SMT Attack on DLL (Lazy Approach) [14]

The ability of SMT solver to instantiate and integrate different theory solver makes it a suitable attack platform for modeling and formulating very strong attacks. As an example of the strength of SMT attack, the authors in [14] formulated and presented an accelerated SMT attack with ability of detecting the presence of SAT-hard obfuscation and switching to an accelerated approximate attack. As shown in Algorithm 10, this was done by invoking a BitVector theory solver to constrain the SMT solver for finding keys that result in highest output corruption first. This could be done by constraining the required HD between the output of double circuit when two different keys for the same discriminating input is being tested. The required HD starts from a large value, and every time that the SMT solver return UNSAT, the constraint is relaxed until HD of 1 is reached. This leads to the guaranteed discovery of keys for traditional logic locking first. After tries ( in Algorithm 10) for HD of 1, the SMT attack exits, notes that there exist a SAT-hard obfuscation, which now could be addressed by the Bypass attack.

1:function AccSMT_Attack(Circuit C, Circuit C)
2:       i 0; HD sizeof(output); HD HD - 1;
3:       TimeOut 20; Rep 20; HD 1; R 0;
4:       C toBOOLEAN(C); Everything is Boolean.
5:       F C(X, K, Y) C(X, K, Y);
6:       BV toBITVECTOR(C); Define BITVECTOR on output.
7:       BVs(X, K, K) ONEs(BV(X, K) BV(X, K));
8:       F (BVs(X, K, K) HD) (BVs(X, K, K) HD);
9:       F F F; SMT Clauses
10:       while HD do
11:             while SMT(FTimeOutdo X[i], K, K, CC
12:                    Y[i] C(X[i]);
13:                    F F C(X[i], K, Y[i]) C(X[i], K, Y[i]); F F CC;
14:                    if HD HD then
15:                          if R == Rep then
16:                                 break;                           
17:                          R++;                                  HD–;        
18:        smt_assignment(F);
Algorithm 10 Accelerated SMT Attack on Compound Locking [14]

6 Discussion & Opportunities

Table 2 compares the effectiveness of the attacks discussed in this paper against most notable obfuscation schemes. As illustrated the combination of FALL, Bypass and SMT attack can break all existing solutions, pointing us to a need for a new direction for generating non-bypassable SMT hard obfuscation solutions. The dilemma is that SAT-hard solutions have extremely low output corruption, and are prone to Bypass, FALL, Removal and SPS attack. On the other hand, the traditional logic locking schemes have high output corruption, but could be easily broken with SAT/SMT attack. The compound logic locking solutions that combine the SAT-hard solutions for resistance against SAT and SMT attack, and traditional logic locking for resistance against Bypass, FALL, Removal and SPS attack are also prone to approximate SAT and SMT attacks. What is really desired, is a SMT-hard logic locking scheme with high degree of output corruption. As a step in this direction, few very recent research papers have focused on increasing the execution time of each SAT/SMT iteration rather than the total execution time [5], [11]. The Full-Lock in [5] is argued that the strength of SAT/SMT solvers come from their Conflict-Driven Clause Learning (CDCL) ability, which is resulted by recursively calling Davis-Putnam-Logemann-Loveland (DPLL) algorithm. Hence, the Full-Lock creates an obfuscation method that results in very deep recursive call trees. They argue that the SAT/SMT attack execution time can be expresses by formula 1, in which denotes the number of iterations (DIPs) of the SAT/SMT attack, is the execution time of recursive calls for DPLL algorithm on CNF , and is the execution time of the remaining book keeping code executed at each iteration.

(1)

Authors argue that in formula 1 denotes the number of recursive DPLL calls. Accordingly, the execution time of SAT attack could also become unfeasible by building an exponential relation between the percentage gate inserted (area overhead) and M. The strong aspect of this alternative solution is that (1) the problems posed at each iteration of SAT/SMT attack is a SAT-hard problem, (2) the output corruption of this methods is significantly higher than obfuscating solution relying on increasing the , (3) it is not susceptible to SPS, removal, bypass, approximate attack, to name a few. The hardness of SAT/SMT attack in the solution posed by Full-Lock cannot be assessed/formulated similar to that of SFLL. Moving towards this new direction for generating SAT-hard problems with high level of output corruption can be generalized more, where an obfuscation solution in this direction can engineer the number of recursive calls, pushing the number of recursive call to be an exponential function of added gates counts (area overhead).

 Attacks
Defenses
\@killglue
. . RLL FLL SLL Anti-SAT SARLock Compound SFLL Cyclic SRCLock DLL
[10] [8] [9] [32] [20] [20] [18] [13] [26] [33]
Brute Force
Sensitization [9]
Hill-Climbing [24]
SAT [22]
SPS+Removal [19][21]
Bypass [28]
AppSAT [12] P
Double-DIP [30] P
Bit-Flipping [29]
AGR [19]
FALL [4]
CycSAT [7]
BeSAT [31]
TimingSAT [1]
SMT [14] P
✓: Attack Success, ✗: Fail to Attack.
P: Only removes the key to the traditional locking in Compound Defense.
Table 2: Comparison of proposed attacks/defenses.

References

  • [1] A. Chakraborty, Y. Liu, and A. Srivastava. Timingsat: timing profile embedded sat attack. In International Conference on Computer-Aided Design (ICCAD), page 6, 2018.
  • [2] A. Baumgarten A. Tyagi and J. Zambreno. Preventing ic piracy using reconfigurable logic barriers. IEEE Design & Test of Computers, 27(1):66–75, 2010.
  • [3] A. yeh. Trends in the global ic design service market. DIGITIMES research, 2012.
  • [4] D. Sirone and P. Subramanyan. Functional analysis attacks on logic locking. arXiv preprint arXiv:1811.12088, 2018.
  • [5] H. M. Kamali, K. Z. Azar, H. Homayoun, and A. Sasan. Full-lock: Hard distributions of sat instances for obfuscating circuits using fully configurable logic and routing blocks. In Design Automation Conference (DAC), pages 1–6, 2019.
  • [6] H. M. Kamali, K. Z. Azar, K. Gaj, H. Homayoun, and A.sasan. Lut-lock: A novel lut-based logic obfuscation for fpga-bitstream and asic-hardware protection. In IEEE Computer Society Annual Symposium on VLSI (ISVLSI), pages 405–410, 2018.
  • [7] H. Zhou, R. Jiang, and S. Kong. Cycsat: Sat-based attack on cyclic logic encryptions. In International Conference on Computer-Aided Design (ICCAD), pages 49–56, 2017.
  • [8] J. Rajendran, H. Zhang, C. Zhang, G. Rose, Y. Pino, O. Sinanoglu, and R. Karri. Fault analysis-based logic encryption. IEEE Transactions on Computers, 64(2):410–424, 2015.
  • [9] J. Rajendran, Y. Pino, O. Sinanoglu, and R. Karri. Security analysis of logic obfuscation. In Design Automation Conference (DAC), pages 83–89, 2012.
  • [10] J. Roy, F. Koushanfar, and I. L. Markov. Ending piracy of integrated circuits. Computer, 43(10):30–38, 2010.
  • [11] K. Shamsi, M. Li, D. Z. Pan, and Y. Jin. Cross-lock: Dense layout-level interconnect locking using cross-bar architectures. In Great Lakes Symposium on VLSI (GLSVLSI), pages 147–152, 2018.
  • [12] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin. Appsat: Approximately deobfuscating integrated circuits. In IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pages 95–100, 2017.
  • [13] K. Shamsi, M. Li, T. Meade, Z. Zhao, D. Z. Pan, and Y. Jin. Cyclic obfuscation for creating sat-unresolvable circuits. In Great Lakes Symposium on VLSI (GLSVLSI), pages 173–178, 2017.
  • [14] K. Z. Azar, H. M. Kamali, H. Homayoun, and A. Sasan. Smt attack: Next generation attack on obfuscated circuits with capabilities and performance beyond the sat attacks. IACR Transactions on Cryptographic Hardware and Embedded Systems (CHES), pages 97–122, 2019.
  • [15] M. Li, K. Shamsi, T. Meade, Z. Zhao, B. Yu, Y. Jin, and D. Z. Pan. Provably secure camouflaging strategy for ic protection. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2017.
  • [16] M. Rostami, F. Koushanfar, and R. Karri. A primer on hardware security: Models, methods, and metrics. Proceedings of the IEEE, 102(8):1283–1295, 2014.
  • [17] M. Yasin, A. Sengupta, B. Carrion Schafer, Y. Makris, O. Sinanoglu, and J. Rajendran. What to lock?: Functional and parametric locking. In Great Lakes Symposium on VLSI (GLSVLSI), pages 351–356, 2017.
  • [18] M. Yasin, A. Sengupta, M. T. Nabeel, M. Ashraf, J. Rajendran, and O. Sinanoglu. Provably-secure logic locking: From theory to practice. In ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 1601–1618, 2017.
  • [19] M. Yasin, B. Mazumdar, O. Sinanoglu, and J. Rajendran. Removal attacks on logic locking and camouflaging techniques. IEEE Transactions on Emerging Topics in Computing, (1):1–1, 2017.
  • [20] M. Yasin, J. Rajendran B. Mazumdar, and O. Sinanoglu. Sarlock: Sat attack resistant logic locking. In IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pages 236–241, 2016.
  • [21] M. Yasin, O. Sinanoglu B. Mazumdar, and J. Rajendran. Security analysis of anti-sat. In Asia and South Pacific Design Automation Conference (ASP-DAC), pages 342–347, 2017.
  • [22] P. Subramanyan, S. Ray, and S. Malik. Evaluating the security of logic encryption algorithms. In IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pages 137–143, 2015.
  • [23] P. Tuyls, G.-J. Schrijen, B. Škorić, J. Van Geloven, N. Verhaegh, and R. Wolters. Read-proof hardware from protective coatings. In International Workshop on Cryptographic Hardware and Embedded Systems (CHES), pages 369–383, 2006.
  • [24] S. M. Plaza and I. L. Markov. Solving the third-shift problem in ic piracy with test-aware logic locking. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 34(6):961–971, 2015.
  • [25] S. Roshanisefat, H. K. Thirumala, K. Gaj, H. Homayoun, and A. Sasan. Benchmarking the capabilities and limitations of sat solvers in defeating obfuscation schemes. In International Symposium on On-Line Testing And Robust System Design (IOLTS), pages 275–280, 2018.
  • [26] S. Roshanisefat, H. M. Kamali, and A. Sasan. Srclock: Sat-resistant cyclic logic locking for protecting the hardware. In Great Lakes Symposium on VLSI (GLSVLSI), pages 153–158, 2018.
  • [27] T. Winograd, H. Salmani, H. Mahmoodi, K. Gaj, and H. Homayoun. Hybrid stt-cmos designs for reverse-engineering prevention. In Design Automation Conference (DAC), pages 1–6, 2016.
  • [28] X. Xu, B. Shakya, M. M. Tehranipoor, and D. Forte. Novel bypass attack and bdd-based tradeoff analysis against all known logic locking attacks. In International Conference on Cryptographic Hardware and Embedded Systems (CHES), pages 189–210, 2017.
  • [29] Y. Shen, A. Rezaei, and H. Zhou. Sat-based bit-flipping attack on logic encryptions. In Design, Automation & Test in Europe Conference & Exhibition (DATE), pages 629–632, 2018.
  • [30] Y. Shen and H. Zhou. Double dip: Re-evaluating security of logic encryption algorithms. In Great Lakes Symposium on VLSI (GLSVLSI), pages 179–184, 2017.
  • [31] Y. Shen, Y. Li, A. Rezaei, S. Kong, D. Dlott, and H. Zhou. Besat: behavioral sat-based attack on cyclic logic encryption. In Asia and South Pacific Design Automation Conference (ASP-DAC), pages 657–662. ACM, 2019.
  • [32] Y. Xie and A. Srivastava. Mitigating sat attack on logic locking. In International Conference on Cryptographic Hardware and Embedded Systems (CHES), pages 127–146, 2016.
  • [33] Y. Xie and A. Srivastava. Delay locking: Security enhancement of logic locking against ic counterfeiting and overproduction. In Design Automation Conference (DAC), page 9, 2017.
Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
""
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
   
Add comment
Cancel
Loading ...
366629
This is a comment super asjknd jkasnjk adsnkj
Upvote
Downvote
""
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters
Submit
Cancel

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test
Test description