Exploiting the Lock: Leveraging MiG-V's Logic Locking for Secret-Data Extraction
Lennart M. Reimann, Yadu Madhukumar Variyar, Lennet Huelser, Chiara Ghinami, Dominik Germek, Rainer Leupers
TL;DR
This work investigates the confidentiality implications of logic locking (LL), focusing on the MiG-V, the first commercially available logic-locked RISC-V processor. By systematically flipping bits in a $1024$-bit Inter-Lock key and introducing a runtime key-switching Trojan, the authors demonstrate that a single-bit alteration of the key can leak cryptographic keys while OpenSSL ciphers such as ChaCha are running, a runtime confidentiality risk that traditional LL analyses do not address. The study combines board-level bit-flip experiments with an FPGA-based Trojan that switches the key after activation with minimal hardware overhead, underscoring the need for security evaluations of LL that go beyond key-recovery attacks. The findings have practical implications for secure hardware supply chains and motivate the development of information-flow auditing and runtime monitoring to prevent data leakage in logic-locked designs, particularly for cryptographic workloads and secure kernels.
Abstract
The MiG-V was designed for high-security applications and is the first commercially available logic-locked RISC-V processor on the market. In this context, logic locking was used to protect the RISC-V processor design during the untrusted manufacturing process by using key-driven logic gates to obfuscate the original design. Although this method defends against malicious modifications, such as hardware Trojans, logic locking's impact on the RISC-V processor's data confidentiality at runtime has not been thoroughly examined. In this study, we evaluate the impact of logic locking on data confidentiality. By altering the logic locking key of the MiG-V while running SSL cryptographic algorithms, we identify data leakages that result from exploiting the logic locking hardware. We show that changing a single bit of the logic locking key can expose 100% of the cryptographic encryption key. This research reveals a critical security flaw in logic locking, highlighting the need for comprehensive security assessments beyond logic locking key-recovery attacks.
