More Like this

1. TAAL: Tampering Attack on Any Key-based Logic Locked Circuits

   https://doi.org/10.1145/3442379  

   Jain, Ayush ; Zhou, Ziqi ; Guin, Ujjwal ( March 2021 , ACM Transactions on Design Automation of Electronic Systems)

   null (Ed.)

   Due to the globalization of semiconductor manufacturing and test processes, the system-on-a-chip (SoC) designers no longer design the complete SoC and manufacture chips on their own. This outsourcing of the design and manufacturing of Integrated Circuits (ICs) has resulted in several threats, such as overproduction of ICs, sale of out-of-specification/rejected ICs, and piracy of Intellectual Properties (IPs). Logic locking has emerged as a promising defense strategy against these threats. However, various attacks about the extraction of secret keys have undermined the security of logic locking techniques. Over the years, researchers have proposed different techniques to prevent existing attacks. In this article, we propose a novel attack that can break any logic locking techniques that rely on the stored secret key. This proposed TAAL attack is based on implanting a hardware Trojan in the netlist, which leaks the secret key to an adversary once activated. As an untrusted foundry can extract the netlist of a design from the layout/mask information, it is feasible to implement such a hardware Trojan. All three proposed types of TAAL attacks can be used for extracting secret keys. We have introduced the models for both the combinational and sequential hardware Trojans that evade manufacturing tests. An adversary only needs to choose one hardware Trojan out of a large set of all possible Trojans to launch the TAAL attack. 

   more » « less
2. Distributed Logic Encryption: Essential Security Requirements and Low-Overhead Implementation

   https://doi.org/10.1145/3526241.3530372  

   Afsharmazayejani, Raheel ; Sayadi, Hossein ; Rezaei, Amin ( June 2022 , In Proceedings of Great Lakes Symposium on VLSI (GLSVLSI))

   Due to outsource manufacturing, the semiconductor industry must deal with various hardware threats such as piracy and overproduction. To prevent illegal electronic products from functioning, the circuit can be encrypted using a protected key only known to the designer. However, an attacker can still decipher the secret key utilizing a functioning circuit bought from the market, and the encrypted layout leaked from an untrusted foundry. In this paper, after introducing essential conformity and mutuality features for secure logic encryption, we propose DLE, a novel Distributed Logic Encryption design that resists against all known oracle guided and structural attacks including the newly proposed fault-aided SAT-based attack that iteratively injects a single stuck-at fault to thwart the locking effect. DLE forces the attacker to insert multiple stuck-at faults simultaneously in critical points to achieve a smaller but meaningful encrypted circuit; thus, exponentially reducing the chance to hit all the critical points with properly located stuck-at fault injections. Our experiments confirm that DLE maintains an exponentially high degree of security under diverse attacks with the polynomial area and linear performance overheads. 

   more » « less
3. Does logic locking work with EDA Tools

   Han, Zhaokun ; Yasin, Muhammad ; Rajendran, Jeyavijayan ( April 2021 , USENIX Security Conference 2021)

   Logic locking is a promising solution against emerging hardware security threats, which entails protecting a Boolean circuit using a “keying” mechanism. The latest and hitherto unbroken logic-locking techniques are based on the “corrupt-and-correct (CAC)” principle, offering provable security against input-output query attacks. However, it remains unclear whether these techniques are susceptible to structural attacks. This paper exploits the properties of integrated circuit (IC) design tools, also termed electronic design automation (EDA) tools, to undermine the security of the CAC techniques. Our proposed attack can break all the CAC techniques, including the unbroken CACrem technique that 40+ hackers taking part in a competition for more than three months could not break. Our attack can break circuits processed with any EDA tools, which is alarming because, until now, none of the EDA tools can render a secure locking solution: logic locking cannot make use of the existing EDA tools. We also provide a security property to ensure resilience against structural attacks. The commonly-used circuits can satisfy this property but only in a few cases where they cannot even defeat brute-force; thus, questions arise on the use of these circuits as benchmarks to evaluate logic locking and other security techniques. 

   more » « less
4. Exploiting Logic Locking for a Neural Trojan Attack on Machine Learning Accelerators

   https://doi.org/10.1145/3583781.3590242  

   Xu, Hongye ; Liu, Dongfang ; Merkel, Cory ; Zuzak, Michael ( June 2023 , GLSVLSI '23: Proceedings of the Great Lakes Symposium on VLSI 2023)

   Logic locking has been proposed to safeguard intellectual property (IP) during chip fabrication. Logic locking techniques protect hardware IP by making a subset of combinational modules in a design dependent on a secret key that is withheld from untrusted parties. If an incorrect secret key is used, a set of deterministic errors is produced in locked modules, restricting unauthorized use. A common target for logic locking is neural accelerators, especially as machine-learning-as-a-service becomes more prevalent. In this work, we explore how logic locking can be used to compromise the security of a neural accelerator it protects. Specifically, we show how the deterministic errors caused by incorrect keys can be harnessed to produce neural-trojan-style backdoors. To do so, we first outline a motivational attack scenario where a carefully chosen incorrect key, which we call a trojan key, produces misclassifications for an attacker-specified input class in a locked accelerator. We then develop a theoretically-robust attack methodology to automatically identify trojan keys. To evaluate this attack, we launch it on several locked accelerators. In our largest benchmark accelerator, our attack identified a trojan key that caused a 74% decrease in classification accuracy for attacker-specified trigger inputs, while degrading accuracy by only 1.7% for other inputs on average. 

   more » « less
5. Breaking Analog Locking Techniques

   https://doi.org/10.1109/TVLSI.2020.3007159  

   Jayasankaran, Nithyashankari Gummidipoondi ; Sanabria-Borbon, Adriana ; Abuellil, Amr ; Sanchez-Sinencio, Edgar ; Hu, Jiang ; Rajendran, Jeyavijayan ( July 2020 , IEEE Transactions on Very Large Scale Integration (VLSI) Systems)

   Similar to digital circuits, analog circuits are also susceptible to supply-chain attacks. There are several analog locking techniques proposed to combat these supply-chain attacks. However, there exists no elaborate evaluation procedure to estimate the resilience offered by these techniques. Evaluating analog defenses requires the usage of non-Boolean variables, such as bias current and gain. Hence, in this work, we evaluate the resilience of the analog-only locks and analog and mixed-signal (AMS) locks using satisfiability modulo theories (SMTs). We demonstrate our attack on five analog locking techniques and three AMS locking techniques. The attack is demonstrated on commonly used circuits, such as bandpass filter (BPF), low-noise amplifier (LNA), and low-dropout (LDO) voltage regulator. Attack results on analog-only locks show that the attacker, knowing the required bias current or voltage range, can determine the key. Likewise, knowing the protected input patterns (PIPs), the attacker can determine the key to unlock the AMS locks. We then extend our attack to break the existing analog camouflaging technique. 

   more » « less