Provably Secure Camouflaging Strategy for IC Protection

Similar documents
Design-for-Testability for Path Delay Faults in Large Combinational Circuits Using Test-Points

Uninformed search strategies

Physical Design of CMOS Integrated Circuits

Uninformed search methods

Uninformed search methods II.

SCIENTIFIC DATA SYSTEMS, INC. Depth Tension Line Speed Panel. DTLS Manual

Search I. Tuomas Sandholm Carnegie Mellon University Computer Science Department. [Read Russell & Norvig Chapter 3]

MIL-STD-883G METHOD

Design of Low Power and High Speed 4-Bit Ripple Carry Adder Using GDI Multiplexer

#19 MONITORING AND PREDICTING PEDESTRIAN BEHAVIOR USING TRAFFIC CAMERAS

EE 364B: Wind Farm Layout Optimization via Sequential Convex Programming

Layout Design II. Lecture Fall 2003

Uninformed Search (Ch )

HW #5: Digital Logic and Flip Flops

Solving Problems by Searching chap3 1. Problem-Solving Agents

Depth-bounded Discrepancy Search

Real World Search Problems. CS 331: Artificial Intelligence Uninformed Search. Simpler Search Problems. Example: Oregon. Search Problem Formulation

Uninformed search methods II.

Smart-Walk: An Intelligent Physiological Monitoring System for Smart Families

Designing of Low Power and Efficient 4-Bit Ripple Carry Adder Using GDI Multiplexer

Uninformed Search Strategies

EE582 Physical Design Automation of VLSI Circuits and Systems

REASONS FOR THE DEVELOPMENT

Uninformed Search (Ch )

An Efficient Code Compression Technique using Application-Aware Bitmask and Dictionary Selection Methods

Cleveland State University MCE441: Intr. Linear Control Systems. Lecture 6: The Transfer Function Poles and Zeros Partial Fraction Expansions

A study on the relation between safety analysis process and system engineering process of train control system

GOLOMB Compression Technique For FPGA Configuration

Post-Placement Functional Decomposition for FPGAs

Artificial Intelligence. Uninformed Search Strategies

D-Case Modeling Guide for Target System

How Game Engines Can Inspire EDA Tools Development: A use case for an open-source physical design library

JPEG-Compatibility Steganalysis Using Block-Histogram of Recompression Artifacts

Non-Interactive Secure Computation Based on Cut-and-Choose

A Novel Decode-Aware Compression Technique for Improved Compression and Decompression

Iteration: while, for, do while, Reading Input with Sentinels and User-defined Functions

Synchronous Sequential Logic. Topics. Sequential Circuits. Chapter 5 Steve Oldridge Dr. Sidney Fels. Sequential Circuits

A Performanced Based Angle of Attack Display

Relevance of Questions from past Level III Essay Exams

Citation for published version (APA): Canudas Romo, V. (2003). Decomposition Methods in Demography Groningen: s.n.

Decompression Method For Massive Compressed Files In Mobile Rich Media Applications

A history-based estimation for LHCb job requirements

EE241 - Spring 2013 Advanced Digital Integrated Circuits. Assigned reading. No new reading. Lecture 4: Transistor Models

ISOLATION OF NON-HYDROSTATIC REGIONS WITHIN A BASIN

Problem Solving as Search - I

A SEMI-PRESSURE-DRIVEN APPROACH TO RELIABILITY ASSESSMENT OF WATER DISTRIBUTION NETWORKS

Legendre et al Appendices and Supplements, p. 1

Lossless Comparison of Nested Software Decompositions

Better Search Improved Uninformed Search CIS 32

Stand-Alone Bubble Detection System

Lab 1c Isentropic Blow-down Process and Discharge Coefficient

Utilizing Don t Care States in SAT-based Bounded Sequential Problems

GOLFER. The Golf Putting Robot

MEMORY is one of the key driving factors in embeddedsystem

MWGen: A Mini World Generator

Compression of FPGA Bitstreams Using Improved RLE Algorithm

Analysis of Pressure Rise During Internal Arc Faults in Switchgear

Quartz etch process to improve etch depth linearity and uniformity using Mask Etcher IV

A Novel Approach to Predicting the Results of NBA Matches

Princess Nora University Faculty of Computer & Information Systems ARTIFICIAL INTELLIGENCE (CS 370D) Computer Science Department

AC : MEASUREMENT OF HYDROGEN IN HELIUM FLOW

A CO 2 Waveform Simulator For Evaluation and Testing of Respiratory Gas Analyzers

Oil-Lubricated Compressors for Regenerative Cryocoolers Using an Elastic Membrane

CPE/EE 427, CPE 527 VLSI Design I L06: Complementary CMOS Logic Gates

The Effect Analysis of Rudder between X-Form and Cross-Form

VLSI Design 12. Design Styles

Ranger Walking Initiation Stephanie Schneider 5/15/2012 Final Report for Cornell Ranger Research

5.1 Introduction. Learning Objectives

An Application of Signal Detection Theory for Understanding Driver Behavior at Highway-Rail Grade Crossings

CPE/EE 427, CPE 527 VLSI Design I L21: Sequential Circuits. Review: The Regenerative Property

PROGRAMMING LINX LEARNING GAME

EEC 686/785 Modeling & Performance Evaluation of Computer Systems. Lecture 6. Wenbing Zhao. Department of Electrical and Computer Engineering

Hermetic Compressor Manifold Analysis With the Use of the Finite Element Method

VLSI Design 8. Design of Adders

P-5215 Differential Pressure Transmitter

Supplementary Figures

Application of Bayesian Networks to Shopping Assistance

Outline. Terminology. EEC 686/785 Modeling & Performance Evaluation of Computer Systems. Lecture 6. Steps in Capacity Planning and Management

VLSI Design I; A. Milenkovic 1

living with the lab control of salinity 2012 David Hall

CS472 Foundations of Artificial Intelligence. Final Exam December 19, :30pm

An Indian Journal FULL PAPER ABSTRACT KEYWORDS. Trade Science Inc.

Electromagnetic Attacks on Ring Oscillator-Based True Random Number Generator

THE PLAYING PATTERN OF WORLD S TOP SINGLE BADMINTON PLAYERS

What s Really Going on with your Beer s Fermentation?

Name May 3, 2007 Math Probability and Statistics

Incompressible Potential Flow. Panel Methods (3)

AC : A LABORATORY EXERCISE TO DEMONSTRATE HOW TO EXPERIMENTALLY DETERMINE THE OPERATING POINT FOR A FAN

An Architecture for Combined Test Data Compression and Abort-on-Fail Test

College Football Rankings: An Industrial Engineering Approach. An Undergraduate Honors College Thesis. in the

Lecture 5. Optimisation. Regularisation

Fun Neural Net Demo Site. CS 188: Artificial Intelligence. N-Layer Neural Network. Multi-class Softmax Σ >0? Deep Learning II

IWR PLANNING SUITE II PCOP WEBINAR SERIES. Laura Witherow (IWR) and Monique Savage (MVP) 26 July

Neural Networks II. Chen Gao. Virginia Tech Spring 2019 ECE-5424G / CS-5824

Optimization of Air compressor Motor speed for Reducing Power Consumption

MICROPROCESSOR ARCHITECTURE

HIGH RESOLUTION DEPTH IMAGE RECOVERY ALGORITHM USING GRAYSCALE IMAGE.

Minimum Mean-Square Error (MMSE) and Linear MMSE (LMMSE) Estimation

WATER HYDRAULIC HIGH SPEED SOLENOID VALVE AND ITS APPLICATION

Tecniche di Progettazione: Design Patterns

Transcription:

Provably Secure Camouflaging Strategy for IC Protection Meng Li 1 Kaveh Shamsi 2 Travis Meade 2 Zheng Zhao 1 Bei Yu 3 Yier Jin 2 David Z. Pan 1 1 Electrical and Computer Engineering, University of Texas at Austin 2 Electrical and Computer Engineering, University of Central Florida 3 Computer Science and Engineering, The Chinese University of Hong Kong ICCAD2016 - November 07, 2016 - Austin, TX 1 / 27

Introduction IP protection against reverse engineering becomes a significant concern Reverse engineering flow Delayering & Imaging Image Processing Netlist Recon. I0 I1 I2 I3 ORX1 XORX1 ANDX2 ORX1 O2 O1 2 / 27

Introduction IC camouflaging is proposed to hide circuit functionality Layout technique Create cells that look alike but have different functionalities Real Camouflaging Cells Dummy Possible dummy via N+ N+ P-type Substrate Layout Modification Fabrication Level Cell Level Netlist Level Open questions to solve: How to evaluate the security of a camouflaged netlist How to reduce the overhead introduced by IC camouflaging 3 / 27

State-of-The-Art IC Camouflaging Fabrication level techniques: Contact- and doping-based techniques [Chow+, US Patent 07] 4 / 27

State-of-The-Art IC Camouflaging Fabrication level techniques: Contact- and doping-based techniques [Chow+, US Patent 07] Cell level designs: Camouflaging lookup table [Malik+, ISVLSI 15] 4 / 27

State-of-The-Art IC Camouflaging Fabrication level techniques: Contact- and doping-based techniques [Chow+, US Patent 07] Cell level designs: Camouflaging lookup table [Malik+, ISVLSI 15] Netlist level camouflaging cell insertion strategy: Insertion based on interference graph [Rajendran+, CCS 13] 4 / 27

State-of-The-Art IC Camouflaging Fabrication level techniques: Contact- and doping-based techniques [Chow+, US Patent 07] Cell level designs: Camouflaging lookup table [Malik+, ISVLSI 15] Netlist level camouflaging cell insertion strategy: Insertion based on interference graph [Rajendran+, CCS 13] Our contribution A provably secure criterion is proposed and formally analyzed from Machine Learning perspective Two factors that improve the circuit security are revealed A camouflaging framework is proposed to increase the security exponentially with linear increase of overhead 4 / 27

Preliminary: Reverse Engineering Attack Knowledge of the attacker: Get camouflaged netlists Include cells and connections Differentiate regular and camouflaging cells Don t know the specific functionality of camouflaging cells Acquire a functional circuit as black box Don t have access to internal signals 5 / 27

Preliminary: Reverse Engineering Attack Knowledge of the attacker: Get camouflaged netlists Include cells and connections Differentiate regular and camouflaging cells Don t know the specific functionality of camouflaging cells Acquire a functional circuit as black box Don t have access to internal signals The attacker aims to recover the circuit functionality by querying the black-box functional circuit 5 / 27

Preliminary: Reverse Engineering Attack Knowledge of the attacker: Get camouflaged netlists Include cells and connections Differentiate regular and camouflaging cells Don t know the specific functionality of camouflaging cells Acquire a functional circuit as black box Don t have access to internal signals The attacker aims to recover the circuit functionality by querying the black-box functional circuit Attacker query strategy: Brute force attack Testing-based attack [Rajendran+, CCS 13] SAT-based attack [Massad+, NDSS 15] 5 / 27

Preliminary: SAT-based Attack Key idea: Only query black box with input patterns that can help remove false functionalities No existing camouflaging strategy demonstrates enough resilience K 0 i 0 i1 i 2 i 3 i 4 G1 G2 AND, NAND? G3 O0 i 0 i1 i 2 i 3 i 4 G1 G2 NAND AND K0 MUX G3 i0 i1 i2 i3 i4 Circuit Copy1 Circuit Copy2 K 1 (c) Fi DiS 6 / 27

IC De-camouflaging Modeled As a Learning Problem IC de-camouflaging can be modeled as a learning problem Functions of camouflaged circuit A set of boolean functions Original circuit Target boolean function Input-output pairs Samples Different attack methods correspond to different sampling strategies Brute force attack Random sampling SAT-based attack Query by disagreement SAT-based attack requires asymptotically less number of input-output pairs compared with brute force attack 7 / 27

IC Camouflaging Security Analysis De-camouflaging complexity (DC) Number of input patterns the attacker needs to query to resolve circuit functionality Independent of how the de-camouflaging problem is formulated Then, de-camouflaging complexity is DC O(θdlog( 1 ɛ )) d: characterize the total number of functionalities θ: characterize the number of functionalities that can be pruned by each input pattern ɛ: output error probability for the resolved circuit Intrinsic trade-off between DC and output error probability Need to increase θ and d to enhance security 8 / 27

Novel Camouflaging Cell Generation Strategy Target at increasing d for better security To increase d Increase the number of functionalities of the camouflaging cells Increase the number of cells inserted into the netlist Possible dummy via Layout Modification NAND/NOR/XOR BUF/INV 9 / 27

Novel Camouflaging Cell Generation Strategy Observation: Overhead of a cell depends on its functionality Cell design strategy: Build cells with negligible overhead for certain functionality Two different types: Dummy contact-based camouflaging cells Stealth doping-based camouflaging cells 10 / 27

Novel Camouflaging Cell Generation Strategy Dummy contact-based camouflaging cells Possible dummy via Layout Modification BUF AND2 OR2 Function BUF INV AND2 NAND2 OR2 NOR2 Timing 1.0x 2.0x 1.0x 1.5x 1.0x 1.9x Area 1.0x 1.5x 1.0x 1.3x 1.0x 1.3x Power 1.0x 1.5x 1.0x 0.9x 1.0x 1.1x 11 / 27

Novel Camouflaging Cell Generation Strategy Stealth doping-based camouflaging cells Always-off MOS Always-on MOS AND2 OR2 NAND2 Function AND2 BUF OR2 BUF NAND2 INV Timing 1.0x 1.4x 1.0x 1.4x 1.0x 1.6x Area 1.0x 1.3x 1.0x 1.3x 1.0x 1.5x Power 1.0x 1.2x 1.0x 1.2x 1.0x 1.5x 12 / 27

Novel Camouflaging Cell Generation Strategy Characteristics of two type camouflaging cells: Dummy contact-based cell: error probability is 1 Stealth doping-based cell: enable dummy wire connection Contact and doping technique can be further combined to increase the number of functionalities Cannot determine whether the node is inverted A B C D E F Cannot determine whether the node is masked 13 / 27

AND-Tree Camouflaging Strategy Target at increasing θ for better security AND-Tree achieves high resilience against SAT-based attack Represent a class of circuits with output 0/1 for only one input We find θ increases exponentially for ideal AND-Tree Unbiased primary inputs: i.i.d binary distribution Non-decomposability Node 1 Node 1 PO 2 PO1 PO 2 14 / 27

Overall Camouflaging Framework Combine the proposed camouflaging strategy Leverage camouflaging cells to insert AND-Tree Standard Cell Library 1. Camouflaged Library Generation 2. Camouflaged Cell Characterization Original Circuit Netlist 3. AND-Tree Structure Detection Enough de-camouflaging complexity? Yes No 4. AND-Tree Structure Insertion 5. Input Pins & AND-Tree Camouflage 6. Primary Outputs Fanin Camouflage Camouflaged Netlist 15 / 27

AND-Tree Detection Detect existing AND-Tree structure in the netlist Important criterion: AND-Tree size AND-Tree input bias (distance with ideal distribution) AND-Tree de-composability Example: Node 1 Node 2 Node 3 Node 4 [Node 1] [Node 2] [Node 3] [Node 4] Node 5 Node 6 Node 7 Node 8 Node 9 16 / 27

AND-Tree Detection Detect existing AND-Tree structure in the netlist Important criterion: AND-Tree size AND-Tree input bias (distance with ideal distribution) AND-Tree de-composability Example: Node 1 Node 2 Node 3 Node 4 [Node 1] [Node 2] [Node 3] [Node 4] Node 5 Node 6 [Node 1] [Node 4] Node 7 Node 8 Node 9 16 / 27

AND-Tree Detection Detect existing AND-Tree structure in the netlist Important criterion: AND-Tree size AND-Tree input bias (distance with ideal distribution) AND-Tree de-composability Example: Node 1 Node 2 Node 3 Node 4 [Node 1] [Node 2] [Node 3] [Node 4] Node 5 Node 7 Node 8 Node 6 [Node 1] OR [Node 1,Node 2] [Node 4] [Node 8] Node 9 16 / 27

AND-Tree Detection Detect existing AND-Tree structure in the netlist Important criterion: AND-Tree size AND-Tree input bias (distance with ideal distribution) AND-Tree de-composability Example: Node 1 Node 2 Node 3 Node 4 [Node 1] [Node 2] [Node 3] [Node 4] Node 5 Node 7 Node 8 Node 6 [Node 1] [Node 4] OR [Node 1,Node 2] [Node 8] AND [Node 1,Node 2,Node 8] Node 9 16 / 27

AND-Tree Insertion Insert AND-Tree when no trees exist in original netlist Guarantee non-decomposable Guarantee unbiasedness by connecting tree inputs to primary inputs To insert AND-Tree into the netlist Node 1 Node 1 Node 2 OR/BUF θ increases exponentially as the inserted AND-Tree size 17 / 27

AND-Tree Insertion Node selection criterion for AND-Tree insertion Consider timing/power overhead, error impact Define insertion score (IS) for each node IS = α SA β P ob N O SA: switching probability Pob : observe probability N O : number of outputs in the fanout cone Select nodes iteratively until AND-Tree exists in the fanin cone of each output 18 / 27

Experimental Results Experimental setup SAT-based de-camouflaging attack [Subramanyan+, HOST 15] Runtime limit 1.5 10 5 s Camouflaging framework implemented in C++ Timing/Power analysis with Primetime/Primetime-PX Benchmark: ISCAS 85 and MCNC 19 / 27

Experimental Results Examination of cell generation strategy Use the proposed camouflaging cells to rebuild the benchmarks bench # input # output # gate time (s) # iter c432 36 7 203 1.758 80 c880 60 23 466 1.2 10 4 148 ISCAS c1908 33 25 938 N/A N/A c2670 233 64 1490 N/A N/A c3540 50 22 1741 N/A N/A c5315 178 123 2608 N/A N/A i4 192 6 536 1.9 10 3 743 apex2 39 3 652 N/A N/A MCNC ex5 8 63 1126 6.9 10 2 139 i9 88 63 1186 2.1 10 4 81 i7 199 67 1581 1.5 10 2 225 k2 46 45 1906 N/A N/A 20 / 27

Experimental Results Examination of AND-Tree structure Ideal AND-Tree Impact of decomposability and input bias # of input-output patterns 10 5 10 4 10 3 10 2 10 1 16 14 12 10 8 # Input Pins De-camouflaging time Input-output patterns 6 10 4 10 2 10 0 10-2 10-4 4 De-camouflaging Time (s) # of input-output patterns 10 5 10 4 10 3 10 2 10 1 16 14 12 10 8 # Input Pins De-camouflaging time Input-output patterns 6 10 4 10 2 10 0 10-2 10-4 4 De-camouflaging Time (s) # of input-output patterns 10 5 10 4 10 3 10 2 10 1 16 14 12 10 8 # Input Pins De-camouflaging time Input-output patterns 6 10 4 10 2 10 0 10-2 10-4 4 De-camouflaging Time (s) 21 / 27

Experimental Results De-camouflaging complexity of the proposed framework Combined strategy v.s. AND-Tree strategy De-camouflaging Complexity 10 5 10 4 10 3 10 2 10 1 Combined Method AND-Tree Method 10 0 0 2 4 6 8 10 12 14 16 Tree Size De-camouflaging Time 10 6 10 4 10 2 10 0 10-2 Combined Method AND-Tree Method 0 2 4 6 8 10 12 14 16 Tree Size 22 / 27

Experimental Results Overhead of the proposed framework De-camouflaging Complexity 10 8 10 6 10 4 10 2 10 0 10-2 De-camouflaging time Input-output patterns Area 5 7 9 11 13 15 17 19 # Input Pins 15.0 10.0 5.0 0.0 Area Overhead (%) bench # gate area (%) power (%) timing (%) c432 203 16.7 14.1 0.30 c499 275 5.83 4.32 0.00 c880 466 9.85 10.8 0.06 i4 536 12.0 8.73 0.00 i7 1581 5.41 4.02 0.15 ex5 1126 4.15 3.73 0.11 ex1010 5086 0.75 1.06 0.00 des 6974 0.64 0.23 0.00 sparc exu 27368 0.22 0.05 0.00 23 / 27

Conclusion The security criterion is formally analyzed based on the equivalence to active learning Two camouflaging techniques are proposed to enhance the security of circuit netlist A provably secure camouflaging framework is developed to combine two techniques Effectiveness of the framework is verified with experiments and demonstrate good resilience achieved with small overhead 24 / 27

Thanks for your attention! 25 / 27

Back Up: Cell Generation Strategy Comparison Comparison with two different cell generation strategies Assume Circuit size: N Number of functions of each camouflaging cells Previous method: m 1 Our method: m 2 Number of modified cells: n Number of possible functionalities Previous method: n m1 Our method: C n n N m 2 If N = 1000, m 1 = 8, m 2 = 2, n = 10, then Previous method: 10 9 Our method: 10 26 26 / 27

Back Up: AND-Tree Camouflaging To camouflage the inserted AND-Tree Functional camouflaging with BUF/INV cell Structural camouflaging to hinder removal attack Dummy- Contact Cells Stealthdoping Cells 27 / 27

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback