SMT Attack: Next Generation Attack on Obfuscated Circuits with Capabilities and Performance Beyond the SAT Attacks

Azar, Kimia Zamiri; Kamali, Hadi Mardani; Homayoun, Houman; Sasan, Avesta

doi:10.46586/tches.v2019.i1.97-122

Cited by 59 publications

(28 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although there have been advancements in logic locking techniques [9], researchers have been able to ind the vulnerabilities in many of the most prominent obfuscation schemes. Attacks such as CycSAT, SMT-Solver [4,6,8,32] show that by considering just a few conditions and pre-processing steps, designs obfuscated with cyclic obfuscation can be reverse-engineered. The state-of-the-art attack SFLL-HD [54] has also been successfully defeated using FALL-attack [41] which does not require an oracle IC to ind the correct key making the attack even more feasible.…”

Section: Post-sat Obfuscation and Challengesmentioning

confidence: 99%

“…The total number of cores ranging from 16 to 24, with RAM varying from 64GB to 512GB. For the experimental evaluation, we use benchmarks from ISCAS-85 2 , ISCAS-89 3 and Common Evaluation Platform (CEP) 4 . The benchmarks are listed as part of Table 2.…”

Section: Experimental Evaluation 51 Experimental Setupmentioning

confidence: 99%

“…The goal of the adversary is to retrieve the key to unobfuscated the IP using SAT-attack. We use SMT-attack [4], which is not only the super-set of SAT-attack but also the newly developed state-of-the-art attack. The newly developed SMT attack uses a primary SAT-solver with extra theory solvers.…”

Section: Experimental Evaluation 51 Experimental Setupmentioning

confidence: 99%

See 2 more Smart Citations

Breaking the Design and Security Trade-off of Look-up-table–based Obfuscation

Kolhe

Sheaves

et al. 2022

ACM Trans. Des. Autom. Electron. Syst.

Self Cite

View full text Add to dashboard Cite

Logic locking and Integrated Circuit (IC) camouflaging are the most prevalent protection schemes that can thwart most hardware security threats. However, the state-of-the-art attacks, including Boolean Satisfiability (SAT) and approximation-based attacks, question the efficacy of the existing defense schemes. Recent obfuscation schemes have employed reconfigurable logic to secure designs against various hardware security threats. However, they have focused on specific design elements such as SAT hardness. Despite meeting the focused criterion such as security, obfuscation incurs additional overheads, which are not evaluated in the present works. This work provides an extensive analysis of Look-Up-Table (LUT)-based obfuscation by exploring several factors such as LUT technology, size, number of LUTs, and replacement strategy as they have a substantial influence on Power-Performance-Area (PPA) and Security (PPA/S) of the design. We show that using large LUT makes LUT-based obfuscation resilient to hardware security threats. However, it also results in enormous design overheads beyond practical limits. To make the reconfigurable logic obfuscation efficient in terms of design overheads, this work proposes a novel LUT architecture where the security provided by the proposed primitive is superior to that of the traditional LUT-based obfuscation. Moreover, we leverage the security-driven design flow, which uses off-the-shelf industrial EDA tools to mitigate the design overheads further while being non-disruptive to the current industrial physical design flow. We empirically evaluate the security of the LUTs against state-of-the-art obfuscation techniques in terms of design overheads and SAT-attack resiliency. Our findings show that the proposed primitive significantly reduces both area and power by a factor of 8 × and 2 ×, respectively, without compromising security.

show abstract

Section: Post-sat Obfuscation and Challengesmentioning

confidence: 99%

Section: Experimental Evaluation 51 Experimental Setupmentioning

confidence: 99%

See 1 more Smart Citation

Breaking the Design and Security Trade-off of Look-up-table–based Obfuscation

Kolhe

Sheaves

et al. 2022

ACM Trans. Des. Autom. Electron. Syst.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Mathematically, solving the IC deobfuscation problem is often considered equivalent to solving the Boolean SAT of a CNF (Yasin et al, 2016a ; Shamsi et al, 2017 ; Zhou et al, 2017 ; Roshanisefat et al, 2018 ; Xie and Srivastava, 2018 ; Zamiri Azar et al, 2018 ). Specifically, the obfuscated IC, where several gates have been encrypted by replacing old gates with new gates and adding key inputs, can be equivalent to the original IC only when the key inputs are correctly inferred.…”

Section: Problem Setupmentioning

confidence: 99%

Deep Graph Learning for Circuit Deobfuscation

et al. 2021

Self Cite

View full text Add to dashboard Cite

Circuit obfuscation is a recently proposed defense mechanism to protect the intellectual property (IP) of digital integrated circuits (ICs) from reverse engineering. There have been effective schemes, such as satisfiability (SAT)-checking based attacks that can potentially decrypt obfuscated circuits, which is called deobfuscation. Deobfuscation runtime could be days or years, depending on the layouts of the obfuscated ICs. Hence, accurately pre-estimating the deobfuscation runtime within a reasonable amount of time is crucial for IC designers to optimize their defense. However, it is challenging due to (1) the complexity of graph-structured circuit; (2) the varying-size topology of obfuscated circuits; (3) requirement on efficiency for deobfuscation method. This study proposes a framework that predicts the deobfuscation runtime based on graph deep learning techniques to address the challenges mentioned above. A conjunctive normal form (CNF) bipartite graph is utilized to characterize the complexity of this SAT problem by analyzing the SAT attack method. Multi-order information of the graph matrix is designed to identify the essential features and reduce the computational cost. To overcome the difficulty in capturing the dynamic size of the CNF graph, an energy-based kernel is proposed to aggregate dynamic features into an identical vector space. Then, we designed a framework, Deep Survival Analysis with Graph (DSAG), which integrates energy-based layers and predicts runtime inspired by censored regression in survival analysis. Integrating uncensored data with censored data, the proposed model improves the standard regression significantly. DSAG is an end-to-end framework that can automatically extract the determinant features for deobfuscation runtime. Extensive experiments on benchmarks demonstrate its effectiveness and efficiency.

show abstract

“…In some other techniques, the key-programmable cycles are added into the design, which traps the SAT solver in an infinite loop [26]- [28], [37], [38]. Although these solutions defeat the SAT attack, further investigation shows that this breed of obfuscation techniques is already broken using SMT attack [14], [45], timingSAT [46], and SAT-based attacks on cyclic obfuscation [12], [13], [47].…”

Section: ) Cyclic and Behavioral Obfuscationmentioning

confidence: 99%

From Cryptography to Logic Locking: A Survey on the Architecture Evolution of Secure Scan Chains

et al. 2021

Self Cite

View full text Add to dashboard Cite

The availability of access to Integrated Circuits' scan chain is an inevitable requirement of modern ICs for testability/debugging purposes. However, leaving access to the scan chain OPEN resulted in numerous security threats on ICs. It raises challenging concerns particularly when the secret asset, like secret information, is placed within the chip, such as the keys of cryptographic algorithms, or similarly logic obfuscation key. So, to combat these threats, numerous secure scan chain architectures have been proposed in the literature to prevent any unauthorized access to the scan chain. They also keep the availability of the scan chain for testability/debugging. In this paper, we first show why a secure scan chain architecture is required when security primitives, like logic obfuscation, are in place. Then, we provide a holistic overview of all secure scan chain architectures starting from preliminary methods introduced when cryptography is in place and the adversary threat model is very limited. It is then followed by newer and more advanced methods introduced when logic obfuscation is in place and the adversary threat model is much stronger. Hence, we have more concentration on the architecture proposed more recently on logic obfuscation. We evaluate all secure scan chain architectures in terms of security and resiliency, testability/debugging time and complexity, and area/power/delay overhead.

show abstract

SMT Attack: Next Generation Attack on Obfuscated Circuits with Capabilities and Performance Beyond the SAT Attacks

Cited by 59 publications

References 15 publications

Breaking the Design and Security Trade-off of Look-up-table–based Obfuscation

Breaking the Design and Security Trade-off of Look-up-table–based Obfuscation

Deep Graph Learning for Circuit Deobfuscation

From Cryptography to Logic Locking: A Survey on the Architecture Evolution of Secure Scan Chains

Contact Info

Product

Resources

About