基于正交混淆的多硬件IP核安全防护设计

为了解决集成电路设计中多方合作的成员信息泄漏问题,该文提出一种基于正交混淆的多硬件IP核安全防护方案。该方案首先利用正交混淆矩阵产生正交密钥数据,结合硬件特征的物理不可克隆函数(PUF)电路,产生多硬件IP核的混淆密钥;然后,在正交混淆状态机的基础上,实现多硬件IP核的正交混淆安全防护算法;最后,利用ISCAS-85基准电路和密码算法,验证正交混淆方法的有效性。在台湾积体电路制造股份有限公司(TSMC) 65 nm工艺下测试正交混淆的多硬件IP核方案,正确密钥和错误密钥下的Toggle翻转率小于5%,在较大规模的测试电路中面积和功耗开销占比小于2%。实验结果表明,采用正交混淆的方式能够提高多硬件IP核的安全性,可以有效防御成员信息泄漏、状态翻转率分析等攻击。     

A cellular automata guided two level obfuscation of Finite-State-Machine for IP protection

A popular countermeasure against IP piracy is to obfuscate the Finite State Machine (FSM) which is assumed to be the heart of a digital system. Most of the existing FSM obfuscation strategies rely on additionally introduced set of obfuscation mode state-transitions to protect the original state-transitions of the FSM. Although these methods assume that it is difficult to extract the FSM behavior from the flattened gate-level netlist, some recent reverse engineering attacks could successfully break the defense of these schemes. The capability of differentiating obfuscation mode state-transitions from normal mode state-transitions makes these attacks powerful. As a countermeasure against these attacks, we propose a new strategy that offers a key-based obfuscation to each state-transition of the FSM. We use a special class of non-group additive cellular automata (CA), called D1 1 CA, and it's counterpart D11CA_dual to obfuscate each state-transition of the FSM. Each state-transition has its own customized key, which must be configured correctly in order to get correct state-transition behavior from the synthesized FSM. A second layer of protection to the state-transition logic enhances the security of the proposed scheme. An in-depth security analysis of the proposed easily testable key-controlled FSM synthesis scheme demonstrates its ability to thwart the majority of the state-of-the-art attacks, such as FSM reverse engineering, SAT, and circuit unrolling attacks. Thus, the proposed scheme can be used for IP protection of the digital designs. Experimentations on various IWLS′93 benchmark FSM designs show that the average area, power, and delay overheads our proposed multi-bit key-based obfuscated FSM design are 56.43%, 6.87%, and 23.41% while considering the FSMs as standalone circuits. However, experimentation on the Amber23 processor core shows these overheads drastically reduce (reported area, power, and delay overheads values are 0.0025%, 0.44%, and 0%, respectively) while compared with respect to the entire design.     

Defense-in-depth: A recipe for logic locking to prevail

Logic locking/obfuscation has emerged as an auspicious solution for protecting the semiconductor intellectual property (IP) from the untrusted entities in the design and fabrication process. Logic locking disguises the implementation and functionality of the IP by implanting additional key-gates in the circuit. The right output of the locked chip is produced, once the correct key value is available at the input of the key-gates. The confidentiality of the key is imperative for the security of the locked IP as it stands as the lone barrier against IP infringement. Therefore, the logic locking is considered as a broken scheme once the key value is exposed. The logic locking techniques have shown vulnerability to different classes of attacks, such as Oracle-guided and physical attacks. Although the research community has proposed a number of countermeasures against such attacks, none of them is simultaneously unbreakable against Oracle-guided, Oracle-less, and physical attacks. Under such circumstances, a defense-in-depth mechanism can be considered as a feasible approach in addressing the vulnerabilities of logic locking. Defense-in-depth is a multilayer defense strategy where several independent countermeasures are implemented in the device to provide aggregated protection against different attack vectors.Introducing such a multilayer shielding model in logic locking is the major contribution of this paper. With regard to this, we first identify the core components of logic locking schemes, which need to be protected. Afterwards, we categorize the vulnerabilities of core components according to potential threats for the locking key in logic locking schemes. Furthermore, we propose several defense layers and countermeasures to protect the device from those vulnerabilities. In conclusion, we believe that a logic locking technique with a layered defense mechanism can be a possible solution against IP piracy.     

Golden-Free Hardware Trojan Detection with High Sensitivity Under Process Noise

Malicious modification of integrated circuits in untrusted design house or foundry has emerged as a major security threat. Such modifications, popularly referred to as Hardware Trojans, are difficult to detect during manufacturing test. Sequential hardware Trojans, usually triggered by a sequence of rare events, represent a common and deadly form of Trojans that can be extremely hard to detect using logic testing approaches. Side-channel analysis has emerged as an effective approach for detection of hardware Trojans. However, existing side-channel approaches suffer from increasing process variations, which largely reduce the detection sensitivity and sets a lower limit of the sizes of Trojans detectable. In this paper, we present TeSR, a Temporal Self-Referencing approach that compares the current signature of a chip at two different time windows to isolate the Trojan effect. Since it uses a chip as a reference to itself, the method completely eliminates the effect of process noise and other design marginalities (e.g. capacitive coupling), thus providing high detection sensitivity for Trojans of varying size. Furthermore, unlike most of the existing approaches, TeSR does not require a golden reference chip instance, which may impose a major limitation. Associated test generation, test application, and signature comparison approaches aimed at maximizing Trojan detection sensitivity are also presented. Simulation results for three complex sequential designs and three representative sequential Trojan circuits demonstrate the effectiveness of the approach under large inter- and intra-die process variations. The approach is also validated with current measurement results from several Xilinx Virtex-II FPGA chips.     

基于控制流混淆的软件保护方法研究

软件盗版、篡改和逆向工程是软件安全的主要威胁。逆向工程师利用逆向分析技术可以理解软件的行为,并从中提取核心算法和重要数据结构。针对目前大部分的混淆方法难以抵御动态攻击的缺点,文中提出一种基于控制流图多样化的代码混淆方法。实验结果表明,该方法不仅能够有效降低静态反汇编分析准度,同时能够在一个合理的性能开销之内增加动态逆向分析的难度,从而使混淆后的程序具有更高的安全性。     

硬件木马检测与防护

第三方技术服务的普及使得在集成电路（IC）设计制造过程中,芯片可能被恶意植入“硬件木马”,给芯片的安全性带来了极大挑战,由此,如何检测“安全芯片”中是否存在硬件木马,确保芯片的安全性开始受到人们的广泛关注.在简要介绍硬件木马概念及其危害的基础上,分析硬件木马的特点和结构,介绍了当前现有的几种硬件木马检测技术,给出了硬件木马检测技术的科学分类,重点分析了这些检测方法所面临的问题和挑战并提出了相应的改进措施,总结了未来硬件木马防测技术的发展趋势.     

New lightweight Anti-SAT block design and obfuscation technique to thwart removal attack

Logic locking has emerged as a prominent technique to protect an integrated circuit from piracy, overbuilding, and hardware Trojans. Most of the well-known logic locking techniques are vulnerable to satisfiability (SAT) based attack. Though several SAT-resistant logic locking techniques such as Anti-SAT block (ASB) are reported that increase the time to decipher the secret key, the existing techniques are either vulnerable to signal probability skew (SPS) based removal attack or require significant design overhead. Therefore, a new lightweight ASB design and obfuscation technique is proposed that effectively integrate and obfuscates the ASB in the design to thwart removal attack. We first propose a new ASB design/integration approach that effectively thwarts the structural/functional analysis based removal attack with minimum overhead. Further, we also propose an ASB obfuscation approach that shifts the inverter deep in the circuit using De Morgan's law and replaces an ASB gate with a key-gate to thwart SPS based removal attack. Moreover, a new algorithm is proposed that inserts the ASB in the locked design to achieve desired output corruptibility. Finally, a new INV/BUFF key-gate is proposed that constructs the ASB with reduced overhead over the XOR/XNOR. Experimental evaluation on ISCAS-85 benchmarks shows that our ASB design and obfuscation approaches, on an average, reduce area overhead by 25.5% and 22% respectively, and effectively prevent removal attack without reducing any security.     

基于局部逻辑伪装的IC保护方法

集成电路(IC)设计面临逆向工程的攻击,核心专利(IP)和算法被盗用,硬件安全受到威胁。该文提出一种电路伪装方法LPerturb,通过对其局部电路逻辑的扰动,实现IC电路的保护。对电路进行最大独立锥划分(MFFCs),选取被伪装的最大子电路,确保输出逻辑扰动的局部性。针对要扰动锥结点逻辑,从锥中选择被替换的逻辑单元,以最小化代价对进行局部电路逻辑扰动。用多值伪装电路对扰动的逻辑值进行混淆保护,恢复相应的电路逻辑。实验结果表明,该方法能够稳定生成保护电路,具有较好的输出扰动性,能有效抵御SAT去伪装攻击,面积额外开销较小,时延影响可以忽略。     

硬件木马技术研究进展

通常存在于应用软件、操作系统中的信息安全问题正在向硬件蔓延。硬件木马是集成电路芯片从研发设计、生产制造到封装测试的整个生命周期内被植入的恶意电路,一经诱发,将带来各种非预期的行为,造成重大危害。当前,SoC芯片大量复用IP核,意味着将有更多环节招致攻击;日益增长的芯片规模又使得硬件木马的检测变得更难、成本更高。因此,硬件木马的相关技术研究成为硬件安全领域的热点。介绍了硬件木马的概念、结构、植入途径和分类,对硬件木马的设计、检测和防御技术进行了分析、总结和发展趋势预测,着重分析了检测技术。     

基于多维结构特征的硬件木马检测技术

硬件木马是第三方知识产权(IP)核的主要安全威胁,现有的安全性分析方法提取的特征过于单一,导致特征分布不够均衡,极易出现较高的误识别率。该文提出了基于有向图的门级网表抽象化建模算法,建立了门级网表的有向图模型,简化了电路分析流程;分析了硬件木马共性特征,基于有向图建立了涵盖扇入单元数、扇入触发器数、扇出触发器数、输入拓扑深度、输出拓扑深度、多路选择器和反相器数量等多维度硬件木马结构特征;提出了基于最近邻不平衡数据分类(SMOTEENN)算法的硬件木马特征扩展算法,有效解决了样本特征集较少的问题,利用支持向量机建立硬件木马检测模型并识别出硬件木马的特征。该文基于Trust_Hub硬件木马库开展方法验证实验,准确率高达97.02%,与现有文献相比真正类率(TPR)提高了13.80%,真负类率(TNR)和分类准确率(ACC)分别提高了0.92%和2.48%,在保证低假阳性率的基础上有效识别硬件木马。     

Reliability based hardware Trojan design using physics-based electromigration models

In recent years the concern over Hardware Trojans has come to the forefront of hardware security research as these types of attacks pose a real and dangerous threat to both commercial and mission-critical systems. One interesting threat model utilizes semiconductor physics, specifically aging effects such as Electromigration (EM). However, existing methods for EM-based Trojans rely on empirical Black's models can easily lead to performance degradation and less accuracy in Trojan activation time prediction. In this article, we study the EM-based Trojan attacks based on recently developed physics-based EM models. We propose novel EM attack techniques in which the EM-induced hydrostatic stress increase in a wire is caused by wire structure or layer changes without changing the current density of the wires. The proposed techniques consist of sink/reservoir insertion or sizing and layer switching techniques based on the early and late failure modes of EM wear-out effects. As a result, the proposed techniques can have minimal impact on circuit performance, which is in contrast with existing current-density-based EM attacks. The proposed techniques can serve as a trigger for the EM attack on power/ground networks and signal and clock networks. Furthermore, we also present two potential EM attack mitigation techniques, namely, the split fabrication and burn-in testing.     

On malicious implants in PCBs throughout the supply chain

The PCB supply chain has become globally distributed such that PCBs are vulnerable to hardware Trojan attacks. Moreover, attacks on PCBs are possible even after a system is deployed. Various countermeasures have been proposed and efforts to develop board-level Trojan benchmarks are underway, but IC Trojan taxonomies do not capture important characteristics of PCB implants. This work surveys existing PCB countermeasures and examples of board-level Trojans to inform a new taxonomy suited for PCB Trojans. Our taxonomy reflects practically significant characteristics of board-level Trojans to guide development of board-level countermeasures and fair, comprehensive benchmark suites.     

基于多级协同混淆的硬件IP核安全防护设计

传统硬件混淆从物理级、逻辑级、行为级等进行单层次混淆,没有发挥多级协同优势,存在安全隐患。该文通过对物理版图、电路逻辑和状态跳变行为的关系研究,提出多级协同混淆的硬件IP核防护方法。该方案首先在自下而上协同混淆中,采用虚拟孔设计版图级伪装门的方式进行物理-逻辑级混淆,采用过孔型物理不可克隆函数(PUF)控制状态跳变的方式实现物理-行为级混淆;然后,在自上而下协同混淆中,利用密钥控制密钥门进行行为-逻辑级混淆,利用并行-支路混淆线的方法完成行为-物理级混淆;最后提出混淆电路在网表的替换机制,设计物理-逻辑-行为的3级协同混淆,实现多级协同混淆的IP核安全防护。ISCAS-89基准电路测试结果表明,在TSMC 65 nm工艺下,多级协同混淆IP核在较大规模测试电路中的面积开销占比平均为11.7%,功耗开销占比平均为5.1%,正确密钥和错误密钥下的寄存器翻转差异低于10%,所提混淆方案可有效抵御暴力攻击、逆向工程、SAT等攻击。     

On Best-Possible Obfuscation

An obfuscator is a compiler that transforms any program (which we will view in this work as a boolean circuit) into an obfuscated program (also a circuit) that has the same input-output functionality as the original program, but is “unintelligible”. Obfuscation has applications for cryptography and for software protection. Barak et al. (CRYPTO 2001, pp. 1–18, 2001) initiated a theoretical study of obfuscation, which focused on black-box obfuscation, where the obfuscated circuit should leak no information except for its (black-box) input-output functionality. A family of functionalities that cannot be obfuscated was demonstrated. Subsequent research has showed further negative results as well as positive results for obfuscating very specific families of circuits, all with respect to black box obfuscation. This work is a study of a new notion of obfuscation, which we call best-possible obfuscation. Best possible obfuscation makes the relaxed requirement that the obfuscated program leaks as little information as any other program with the same functionality (and of similar size). In particular, this definition allows the program to leak information that cannot be obtained from a black box. Best-possible obfuscation guarantees that any information that is not hidden by the obfuscated program is also not hidden by any other similar-size program computing the same functionality, and thus the obfuscation is (literally) the best possible. In this work we study best-possible obfuscation and its relationship to previously studied definitions. Our main results are: (1) A separation between black-box and best-possible obfuscation. We show a natural obfuscation task that can be achieved under the best-possible definition, but cannot be achieved under the black-box definition. (2) A hardness result for best-possible obfuscation, showing that strong (information-theoretic) best-possible obfuscation implies a collapse in the Polynomial-Time Hierarchy. (3) An impossibility result for efficient best-possible (and black-box) obfuscation in the presence of random oracles. This impossibility result uses a random oracle to construct hard-to-obfuscate circuits, and thus it does not imply impossibility in the standard model.     

Obfuscation for Cryptographic Purposes

Loosely speaking, an obfuscation O of a function f should satisfy two requirements: firstly, using O, it should be possible to evaluate f; secondly, O should not reveal anything about f that cannot be learnt from oracle access to f alone. Several definitions for obfuscation exist. However, most of them are very hard to satisfy, even when focusing on specific applications such as obfuscating a point function (e.g., for authentication purposes). In this work, we propose and investigate two new variants of obfuscation definitions. Our definitions are simulation-based (i.e., require the existence of a simulator that can efficiently generate fake obfuscations) and demand only security on average (over the choice of the obfuscated function). We stress that our notions are not free from generic impossibilities: there exist natural classes of function families that cannot be securely obfuscated. Hence we cannot hope for a general-purpose obfuscator with respect to our definition. However, we prove that there also exist several natural classes of functions for which our definitions yield interesting results.     

Security Path: An Emerging Design Methodology to Protect the FPGA IPs Against Passive/Active Design Tampering

Modern FPGAs have a great market share in hardware prototyping, massive parallel systems and reconfigurable architectures. Although the field-programmability of FPGAs is an effective feature in the growth and diversity of their applications; it has caused security concerns for IPs/Designs on FPGAs. Recent researches show that a reliable mechanism is required to protect the IPs/applications on FPGAs against malicious manipulations during all stages of design lifecycle, especially when they are operating in the field. In this paper, we propose a new tamper-resistant design methodology (Security Path methodology) and a revised security-aware FPGA architecture. This methodology protects the configured design against tampering attacks in parallel with the normal operation of the circuit. When the attack is discovered, the normal data flow is obfuscated and the circuit is blocked. Experimental results show that this methodology provides near full coverage in tampering detection with overhead of 12.32 % in power, 12 % in delay and 38 % in area.     

基于投影寻踪分析的芯片硬件木马检测

提出一种利用芯片旁路泄漏信息的硬件木马无损检测方法,通过基于绝对信息散度指标的投影寻踪技术,将芯片运行过程中产生的高维旁路信号投影变换到低维子空间,在信息损失尽量小的前提下发现原始数据中的分布特征,从而实现芯片旁路信号特征提取与识别。针对示例性高级加密标准(AES-128)木马电路的检测实验表明,该技术可以有效分辨基准芯片与硬件木马测试芯片之间的旁路信号特征差异,实现硬件木马检测。     

Two Countermeasures Against Hardware Trojans Exploiting Non-Zero Aliasing Probability of BIST

The threat of hardware Trojans has been widely recognized by academia, industry, and government agencies. A Trojan can compromise security of a system in spite of cryptographic protection. The damage caused by a Trojan may not be limited to a business or reputation, but could have a severe impact on public safety, national economy, or national security. An extremely stealthy way of implementing hardware Trojans has been presented by Becker et al. at CHES’2012. Their work have shown that it is possible to inject a Trojan in a random number generator compliant with FIPS 140-2 and NIST SP800-90 standards by exploiting non-zero aliasing probability of Logic Built-In-Self-Test (LBIST). In this paper, we present two methods for modifying LBIST to prevent such an attack. The first method makes test patterns dependent on a configurable key which is programed into a chip after the manufacturing stage. The second method uses a remote test management system which can execute LBIST using a different set of test patterns at each test cycle.     

基于电路模块自相似性的硬件木马检测方法

由于硬件木马种类的多样性和SoC电路制造过程中不可预测的工艺变化,硬件木马检测变得极具挑战性。现有的旁路信号分析法存在两个缺点,一是需要黄金模型作为参考,二是工艺波动会掩盖部分硬件木马的活动效果。针对上述不足,提出一种利用电路模块结构自相似性的无黄金模型检测方法。通过对32位超前进位加法器的软件仿真实验和对128位AES加密电路的硬件仿真实验,验证了该方法的有效性。实验结果表明,在45 nm工艺尺寸下,对于面积占比较小的硬件木马,该方法的检测成功率可以达到90.0%以上。