
RESAA: A Removal and Structural Analysis Attack Against Compound Logic Locking

Felipe Almeida, Levent Aksoy, Samuel Pagliarini

TL;DR

RESAA presents a practical framework for removing and structurally analyzing compound logic locking (CLL) by identifying critical gates and partitioning locked nets into RLL and PSLL components. It classifies techniques, then applies both oracle-guided (OG) and oracle-less (OL) attacks, including QBF, SAT, and SCOPE, to recover secret keys across CLL configurations. The approach demonstrates high key-recovery success, notably achieving up to 92.6% OL accuracy on ITC'99 b22 and superior performance over standalone attacks in OL scenarios, while integrating with industry-grade synthesis flows and releasing open-source resources. These findings underscore security vulnerabilities in CLL and stress the need for thorough evaluation and careful selection of LL techniques in practice, with RESAA offering a realistic, end-to-end analysis tool for designers and researchers.

Abstract

The semiconductor industry's paradigm shift towards fabless integrated circuit (IC) manufacturing has introduced security threats, including piracy, counterfeiting, hardware Trojans, and overproduction. In response to these challenges, various countermeasures, including logic locking (LL), have been proposed to protect designs and mitigate security risks. LL is likely the most researched form of intellectual property (IP) protection for ICs. A significant advance has been made with the introduction of compound logic locking (CLL), where two LL techniques are concurrently utilized for improved resiliency against attacks. However, the vulnerabilities of LL techniques, particularly CLL, need to be explored further. This paper presents a novel framework, RESAA, designed to classify CLL-locked designs, identify critical gates, and execute various attacks to uncover secret keys. RESAA is agnostic to specific LL techniques, offering comprehensive insights into CLL's security under different threat scenarios. Experimental results demonstrate RESAA's efficacy in identifying critical gates, distinguishing segments corresponding to different LL techniques, and determining associated keys under different threat models. In particular, for the oracle-less threat model, RESAA can achieve up to 92.6% accuracy on a relatively complex ITC'99 benchmark circuit. The results reported in this paper emphasize the significance of evaluation and thoughtful selection of LL techniques, as all studied CLL variants demonstrated vulnerability to our framework. RESAA is also open-sourced for the community at large.

Paper Structure (16 sections, 9 figures, 5 tables)

Figures (9)

  • Figure 1: (a) Original circuit; (b) Locked circuit where the secret key is $k_0k_1 = 10$.
  • Figure 2: High-level architecture of (a) SFLT (b) RLL + SFLT (c) DFLT, and (d) RLL + DFLT in a CLL scheme. The critical signals are indicated by "X" in red.
  • Figure 3: Conventional logic locking in the IC design flow (adapted from yasin2017_2).
  • Figure 4: Overview of the RESAA framework: The left portion shows the pre-processing step to lock and translate the CLL benchmark into mapped Verilog. The CLL netlist is then partitioned and subjected to attacks, revealing the CLL secret key.
  • Figure 5: Classification of techniques employed in a locked netlist.