Logic Locking: A Practical Approach to Secure Hardware

Preface
Contents
Acronyms
Notation
Part I Hardware Security and Trust: Threats and Solutions
1 Introduction
1.1 Outline
2 Background
2.1 Electronics Supply Chain Threats
2.1.1 Reverse Engineering
2.1.2 Hardware Trojans
2.1.3 IP Piracy and Overuse
2.1.4 IC Overbuilding and Counterfeiting
2.2 Design-for-Trust Solutions
2.2.1 Layout Camouflaging
2.2.2 Split Manufacturing
2.2.3 Metering
2.2.4 Functional Filler Cells
2.3 Synopsis
3 Hardware Trojans
3.1 The Anatomy of Hardware Trojans
3.2 Classifications
3.2.1 Activation and HT Effect
3.2.2 Comprehensive Classification
3.2.3 Challenges of HT Classification
3.3 A Consolidated Classification System
3.3.1 Class-1 Hardware Trojans
3.3.1.1 Example of a Class-1 HT in Processors
3.3.2 Class-2 Hardware Trojans
3.3.3 Classification Features
3.4 Preventing Hardware Trojans
3.4.1 Layout Camouflaging
3.4.2 Split Manufacturing
3.4.3 Functional Filler Cells
3.4.4 Logic Locking
3.4.5 Lessons Learned
3.5 Synopsis
Part II The Mechanics of Logic Locking
4 Working Principle and Attack Scenarios
4.1 Classification
4.2 Locking Example and Notation
4.3 Logic Locking and Hardware Trojans
4.4 Logic Locking in the IC Supply Chain
4.5 The Concept of Secrecy
4.6 Terminology
4.7 Attacks on Logic Locking
4.8 Logic Locking and Reverse Engineering
4.9 Attack Scenario
4.10 Synopsis
5 Attacks and Schemes
5.1 Evolution of Attacks
5.1.1 Classification of Attacks
5.1.1.1 Exploitation Characteristics
5.1.1.2 Attack Model Type
5.1.1.3 Result Type
5.1.2 Functional Attacks
5.1.3 Side-Channel Attacks
5.1.4 Structural Attacks
5.1.5 Physical Attacks
5.2 Evolution of Schemes
5.2.1 Classification of Schemes
5.2.2 Pre-SAT Schemes
5.2.3 Post-SAT Schemes
5.2.3.1 Point Function-Based Schemes
5.2.3.2 SAT-Unresolvable Structures
5.2.3.3 Stripped-Functionality Schemes
5.2.3.4 SAT-Oblivious and Compound Schemes
5.2.4 Post-ML Schemes
5.2.5 New Directions in Logic Locking
5.2.5.1 Routing-Based Locking
5.2.5.2 LUT-Based Locking
5.2.5.3 Parametric Locking
5.2.5.4 HLS and RTL Locking
5.2.5.5 Universal Circuits
5.3 Lessons Learned
5.4 Synopsis
6 Security Metrics: One Problem, Many Dimensions
6.1 Dimensions of Security
6.1.1 The Key-Space Size
6.1.2 Design Objectives and Classification
6.2 Functional Hardware Security
6.2.1 Functional Deceptiveness
6.2.1.1 Example: Deceptiveness Factor
6.2.2 Functional Corruptibility
6.2.3 Functional Secrecy
6.2.3.1 Example: Secrecy Factor
6.3 Structural Hardware Security
6.3.1 The Structural Complexity Change
6.3.1.1 Example: Structural Complexity Change
6.3.2 The Structural Key-Gate Entropy
6.3.2.1 Example: Structural Key-Gate Entropy
6.3.3 The Problem of Multidimensionality
6.3.4 Emerging Dimensions
6.4 Evaluation
6.4.1 Experimental Environment
6.4.2 Results: Pre-SAT Comparison
6.4.3 Results: Pre/Post-SAT Comparison
6.5 The Security-Cost Trade-Off Problem
6.5.1 Case Study: Overhead Implication on Security
6.5.1.1 Experimental Environment
6.5.1.2 Evaluation Results
6.5.2 Discussion
6.6 Limitations and Outlook
6.7 Related Work
6.8 Synopsis
Part III Logic Locking in Practice
7 Software Framework
7.1 Framework Overview
7.2 Module Selection
7.3 Module Preprocessing
7.3.1 Resolution of Instantiations
7.3.2 Isolation of Combinational Logic
7.3.3 RTL to Verilog Assignments
7.3.4 Assignments to Generic Gate Level
7.3.4.1 Translation with a Limited Technology Library
7.4 Application of Logic Locking
7.4.1 Netlist Parsing
7.4.2 Scheme Deployment
7.4.2.1 Tool Setup
7.4.2.2 Application Setup
7.4.2.3 Design Concept
7.4.3 Netlist and Key Storage
7.5 Integration
7.6 Testing and Verification
7.6.1 Key Integration
7.6.2 Functional Testing
7.6.3 Equivalence Checking
7.6.4 Verification from RTL to Layout
7.6.5 Netlist Sign-off
7.7 Limitations and Outlook
7.8 Synopsis
8 Processor Integrity Protection
8.1 Scaling Logic Locking Beyond Module Boundaries
8.1.1 Framework Extension: Introducing Security Dependencies
8.1.1.1 Constellation Selection
8.1.1.2 Per-Module Locking
8.1.1.3 Module Interlocking
8.1.1.4 Activation Procedure
8.1.1.5 Hub Generation
8.1.2 Case Study: Protecting a RISC-V Core
8.1.2.1 Experimental Environment
8.1.2.2 Constellation Design
8.1.2.3 Cost Evaluation
8.1.2.4 Testing and Verification
8.1.2.5 Summary
8.1.3 The ``Made in Germany RISC-V'' Core
8.1.4 Security Analysis
8.2 Protecting Against Software-Controlled Hardware Trojans
8.2.1 The Control-Lock Methodology
8.2.1.1 Implementation Concept
8.2.1.2 Design Objectives
8.2.2 Key-Dependent Netlist Generation
8.2.3 Signal Grouping Schemes
8.2.3.1 1-bit Grouping
8.2.3.2 N-bit Grouping
8.2.3.3 Framework Extension
8.2.4 Security Analysis
8.2.5 Case Study: Protecting Against a Denial of Service Trojan
8.2.5.1 Experimental Environment
8.2.5.2 Results
8.2.6 Related Work
8.3 Limitations and Outlook
8.4 Synopsis
Part IV Machine Learning for Logic Locking
9 Security Evaluation with Machine Learning
9.1 Constructing an ML-Driven Attack
9.2 Attack Flow
9.2.1 Setup: What Is the Attack Scenario?
9.2.2 Extraction: What to Present to the ML Model?
9.2.2.1 Locality Vector Extraction
9.2.2.2 Localities Extraction for XOR/XNOR-Based Locking
9.2.3 ML Design: Which Model to Select?
9.2.3.1 Locality Vectors as Image Data
9.2.4 Deployment: How to Execute the Attack?
9.3 Evaluation
9.3.1 Experimental Environment
9.3.2 Model Setup
9.3.3 Data Preparation
9.3.4 Results: Generalized Set Scenario
9.3.5 Results: Self-Referencing Scenario
9.3.5.1 SnapShot vs. SAIL
9.3.5.2 SnapShot vs. OMLA
9.3.6 Attack Comparison
9.4 Limitations and Outlook
9.5 Synopsis
10 Designing Deceptive Logic Locking
10.1 The Learning-Resilience Test
10.1.1 The AND Netlist Test
10.1.2 The Random Netlist Test
10.1.3 Test Application for XOR/XNOR-Based Locking
10.1.3.1 ANT Observations
10.1.3.2 RNT Observations
10.1.4 Test Application for Twin-Gate Locking
10.1.4.1 ANT Observations
10.1.4.2 RNT Observations
10.1.5 Learning Resilience: Lessons Learned
10.2 Structural Analysis Attack on MUX-Based Logic Locking
10.3 Deceptive Multiplexer-Based Logic Locking
10.3.1 Locking Strategies
10.3.2 Cost Model
10.3.3 D-MUX Algorithm
10.4 Resilience Evaluation
10.4.1 SAAM Evaluation
10.4.2 SWEEP Evaluation
10.4.3 Learning-Resilience Evaluation
10.4.4 SnapShot Evaluation
10.4.5 Security Requirements
10.4.6 Security Challenges: Novel Attack Vectors
10.5 Cost Evaluation
10.5.1 Optimum AT
10.5.2 Low Performance
10.5.3 High Performance
10.6 Limitations and Outlook
10.7 Synopsis
Part V New Directions
11 Research Directions
11.1 Improving Logic Locking
11.1.1 Secure Key Storage
11.1.2 Verifiable Security
11.1.3 Family of Circuits
11.2 Untrusted IP and EDA Tools
11.3 Security in Early Design Stages
11.4 Security in Emerging Technologies
11.5 Machine Learning for Security
12 Conclusion
A Notation Details
A.1 Graphic Representation of Logic Gates
B Framework Details
B.1 Parameters
B.2 Software Design Concept
B.3 Inter-Lock Hub
C Logic Locking and Machine Learning Details
C.1 Deep Learning and Neural Networks
C.2 Genetic Algorithms
C.2.1 Neuroevolution
C.3 CNN Architecture Evolution
C.3.1 Genotype
C.3.2 Phenotype
C.3.3 KPA Evaluation
D Evaluation Details
D.1 Impact of Cost Budget on Security
D.2 Area-Timing Plot
D.3 Control-Lock Evaluation
D.3.1 Results: Optimum AT
D.3.2 Results: Low Performance
D.3.3 Results: High Performance
D.4 ML Model Design
D.4.1 MLP Design Parameters
D.4.2 CNN Evolution and Design Parameters
D.4.2.1 CNN Setup
D.4.2.2 GA Setup
D.4.2.3 Termination Criterion
D.4.3 SnapShot: Evolved CNN Architectures
D.5 D-MUX: Resilience Evaluation
D.5.1 SWEEP: Attack Setup
D.5.2 SnapShot: Attack Setup and Evaluation
D.5.3 Localities Extraction for MUX-Based Locking
D.6 D-MUX Cost Evaluation
References
Index