Table of Contents
Fetching ...

Library-Attack: Reverse Engineering Approach for Evaluating Hardware IP Protection

Aritra Dasgupta, Sudipta Paria, Christopher Sozio, Andrew Lukefahr, Swarup Bhunia

TL;DR

Library-Attack targets hardware IP protection by leveraging privileged access to supply-chain design information and knowledge of countermeasures to reverse-engineer the original IP. The method constructs a transformed-design library $\mathcal{TD}$ from a candidate set $\mathcal{OD}$ of size $m$ with $n$ variants per candidate, and uses cut-point matching to score similarity with the protected design $TD_0$. The authors demonstrate successful recovery of the original design $OD_0$ across two countermeasures (128-bit XOR Locking and 128-bit LUT Obfuscation) applied to ISCAS89 benchmarks, highlighting vulnerabilities even for small benchmarks and standard cells. An updated threat model is proposed to account for highly skilled adversaries with privileged supply-chain access and familiarity with EDA tools. These results motivate stronger protections and integrated assessment of SPoF-type threats in hardware IP protection.

Abstract

Existing countermeasures for hardware IP protection, such as obfuscation, camouflaging, and redaction, aim to defend against confidentiality and integrity attacks. However, within the current threat model, these techniques overlook the potential risks posed by a highly skilled adversary with privileged access to the IC supply chain, who may be familiar with critical IP blocks and the countermeasures implemented in the design. To address this scenario, we introduce Library-Attack, a novel reverse engineering technique that leverages privileged design information and prior knowledge of security countermeasures to recover sensitive hardware IP. During Library-Attack, a privileged attacker uses known design features to curate a design library of candidate IPs and employs structural comparison metrics from commercial EDA tools to identify the closest match. We evaluate Library-Attack on transformed ISCAS89 benchmarks to demonstrate potential vulnerabilities in existing IP-level countermeasures and propose an updated threat model to incorporate them.

Library-Attack: Reverse Engineering Approach for Evaluating Hardware IP Protection

TL;DR

Library-Attack targets hardware IP protection by leveraging privileged access to supply-chain design information and knowledge of countermeasures to reverse-engineer the original IP. The method constructs a transformed-design library from a candidate set of size with variants per candidate, and uses cut-point matching to score similarity with the protected design . The authors demonstrate successful recovery of the original design across two countermeasures (128-bit XOR Locking and 128-bit LUT Obfuscation) applied to ISCAS89 benchmarks, highlighting vulnerabilities even for small benchmarks and standard cells. An updated threat model is proposed to account for highly skilled adversaries with privileged supply-chain access and familiarity with EDA tools. These results motivate stronger protections and integrated assessment of SPoF-type threats in hardware IP protection.

Abstract

Existing countermeasures for hardware IP protection, such as obfuscation, camouflaging, and redaction, aim to defend against confidentiality and integrity attacks. However, within the current threat model, these techniques overlook the potential risks posed by a highly skilled adversary with privileged access to the IC supply chain, who may be familiar with critical IP blocks and the countermeasures implemented in the design. To address this scenario, we introduce Library-Attack, a novel reverse engineering technique that leverages privileged design information and prior knowledge of security countermeasures to recover sensitive hardware IP. During Library-Attack, a privileged attacker uses known design features to curate a design library of candidate IPs and employs structural comparison metrics from commercial EDA tools to identify the closest match. We evaluate Library-Attack on transformed ISCAS89 benchmarks to demonstrate potential vulnerabilities in existing IP-level countermeasures and propose an updated threat model to incorporate them.
Paper Structure (7 sections, 7 figures, 1 table)

This paper contains 7 sections, 7 figures, 1 table.

Figures (7)

  • Figure 1: Various threats encountered in the IC design flow.
  • Figure 2: Taxonomies: (a) Existing IP-level countermeasures, and (b) various oracle-guided and oracle-less attack vectors in literature.
  • Figure 3: Library-Attack steps.
  • Figure 4: Overview of the original and transformed design library generation in Library-Attack. The attacker creates a library of $m$ candidate $OD_i$ after analyzing the functional and scan I/O ports. Next, they use the logic locking tool to generate $n$ variants for every candidate $OD_i$, resulting in a $TD_{ij}$ library of size $m \times n$.
  • Figure 5: Overview IP-level countermeasures: (a) Original gate-level netlist; (b) XOR locking using a key-gate, the true logic at $n_0$ is only restored when the keyinput $k_0$ is set to 0; and (c) LUT obfuscation where a NAND2 gate is replaced with a LUT 2x1, the true functionality at $n_2$ is restored only when the bitstream $\{b_3,b_2,b_1,b_0\}$ is configured to 4'b0111.
  • ...and 2 more figures