ScanSAT: Unlocking Static and Dynamic Scan Obfuscation

Alrahis, Lilas; Yasin, Muhammad; Limaye, Nimisha; Saleh, Hani; Mohammad, Baker; Al‐Qutayri, Mahmoud; Sinanoglu, Ozgur

doi:10.1109/tetc.2019.2940750

Cited by 31 publications

(14 citation statements)

References 43 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Attackers who own the reverse-engineered netlist can resort to ScanSAT attack [22]. Based on a SAT solver, it targets scan protection methods that corrupt scan data in the absence of a secret key.…”

Section: Discussionmentioning

confidence: 99%

“…However, as is the case with logic locking, the obfuscated scan output reflects the inversion effect of key-gates and it can be used to trace back to the secret key. ScanSAT attack is indeed capable of modelling the locked scan chains as a combination [22] Shift & Leak [33] Encrypt Flip-Flop [26] × Dynamic Scan Obfuscation [32] × Secure Cell [25] × Proposed denotes resilience against the attack × denotes susceptibility to the attack of key-gates inserted at PPIs and PPOs. Using the same attack model as SAT attack, the secret key is deduced by the SAT solver.…”

Section: Comparison With Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A Secure Scan Controller for Protecting Logic Locking

Nguyen

Valea

Flottes

et al. 2020

2020 IEEE 26th International Symposium on on-Line Testing and Robust System Design (IOLTS)

View full text Add to dashboard Cite

The globalized supply chain in the Integrated Circuit (IC) industry raises several security concerns such as overproduction, IP piracy and Hardware Trojan insertion. Logic locking has emerged as a potential countermeasure to address these issues. However, its efficiency is challenged by various attacks, especially oracle-guided attacks based on Boolean Satisfiability (SAT) solvers. These attacks rely on the possibility for an attacker to control and observe in the field the internal state of a functional IC, which acts as an oracle. This ability to control/observe the IC states is offered by scan chains, typically used for IC production testing. In this paper, we propose a method, complementary to logic locking, to prevent such attacks. This method introduces a scan chain controller with a key-based authentication mechanism, in order to prevent unauthorized access to the scan chains once the IC is deployed in the field. The solution can be coupled with any logic locking technique at the cost of negligible area overhead. Furthermore, it is secure against state-of-the-art attacks and supports full testing.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Comparison With Related Workmentioning

confidence: 99%

A Secure Scan Controller for Protecting Logic Locking

Nguyen

Valea

Flottes

et al. 2020

2020 IEEE 26th International Symposium on on-Line Testing and Robust System Design (IOLTS)

View full text Add to dashboard Cite

show abstract

“…We modify the code-base to dump a conjunctive normal form (CNF) after each iteration, which may reveal some of the seed bits. Unlike [16], we can carry out our attack for just one capture cycle. To recover more bits, we restart the LFSR circuit and obtain a new DIP and its corresponding output pattern from the SAT tool, and recover more seed bits.…”

Section: A Attack Methodologymentioning

confidence: 99%

“…The defense in [13] can be viewed as the most rigorous, and thus, the most secure, dynamic scan locking defense. Indeed, the defense in [12] was broken recently even for its most rigorous version where the key is updated for every pattern (p=1) [16]. Yet, the defense in [13] remains unbroken.…”

Section: Introductionmentioning

confidence: 99%

DynUnlock: Unlocking Scan Chains Obfuscated using Dynamic Keys

Limaye

Sinanoglu

2020

2020 Design, Automation &Amp; Test in Europe Conference &Amp; Exhibition (DATE)

Self Cite

View full text Add to dashboard Cite

Outsourcing in semiconductor industry opened up venues for faster and cost-effective chip manufacturing. However, this also introduced untrusted entities with malicious intent, to steal intellectual property (IP), overproduce the circuits, insert hardware Trojans, or counterfeit the chips. Recently, a defense is proposed to obfuscate the scan access based on a dynamic key that is initially generated from a secret key but changes in every clock cycle. This defense can be considered as the most rigorous defense among all the scan locking techniques. In this paper, we propose an attack that remodels this defense into one that can be broken by the SAT attack, while we also note that our attack can be adjusted to break other less rigorous (key that is updated less frequently) scan locking techniques as well.

show abstract

“…While DisORC demonstrates resilience against oracle-guided attacks, it is only applied at the gate-level for a locked netlist. Scan locking techniques [18], [19], [20] which insert key-driven logic on scan paths are also shown to be vulnerable to modeling-based attacks [21], [22].…”

Section: B Functional Mode Isolationmentioning

confidence: 99%