research-article

ScanSAT: unlocking obfuscated scan chains

Authors:

Muhammad Yasin,

Baker Mohammad,

Mahmoud Al-Qutayri,

Ozgur SinanogluAuthors Info & Claims

ASPDAC '19: Proceedings of the 24th Asia and South Pacific Design Automation Conference

Pages 352 - 357

https://doi.org/10.1145/3287624.3287693

Published: 21 January 2019 Publication History

Abstract

While financially advantageous, outsourcing key steps such as testing to potentially untrusted Outsourced Semiconductor Assembly and Test (OSAT) companies may pose a risk of compromising on-chip assets. Obfuscation of scan chains is a technique that hides the actual scan data from the untrusted testers; logic inserted between the scan cells, driven by a secret key, hide the transformation functions between the scan-in stimulus (scan-out response) and the delivered scan pattern (captured response). In this paper, we propose ScanSAT: an attack that transforms a scan obfuscated circuit to its logic-locked version and applies a variant of the Boolean satisfiability (SAT) based attack, thereby extracting the secret key. Our empirical results demonstrate that ScanSAT can easily break naive scan obfuscation techniques using only three or fewer attack iterations even for large key sizes and in the presence of scan compression.

References

[1]

M. Rostami, F. Koushanfar, and R. Karri, "A Primer on Hardware Security: Models, Methods, and Metrics," IEEE, vol. 102, no. 8, pp. 1283--1295, 2014.

[2]

M. Berry and G. John, "Outsourcing Test - What are the most valuable engagement periods?" http://www.amkor.com/go/outsourcing-test, 2014, {May 16, 2016}.

[3]

J. Roy, F. Koushanfar, and I. L. Markov, "Ending Piracy of Integrated Circuits," IEEE Computer, vol. 43, no. 10, pp. 30--38, 2010.

Digital Library

[4]

M. Yasin, J. Rajendran, O. Sinanoglu, and R. Karri, "On Improving the Security of Logic Locking," IEEE Transactions on CAD of Integrated Circuits and Systems, vol. 35, no. 9, pp. 1411--1424, 2016.

Digital Library

[5]

J. Rajendran, H. Zhang, C. Zhang, G. Rose, Y. Pino, O. Sinanoglu, and R. Karri, "Fault Analysis-Based Logic Encryption," IEEE Transactions on Computer, vol. 64, no. 2, pp. 410--424, 2015.

[6]

R. Karmakar, S. Chatopadhyay, and R. Kapur, "Encrypt Flip-Flop: A Novel Logic Encryption Technique For Sequential Circuits," arXiv preprint arXiv:1801.04961, 2018.

[7]

X. Wang, D. Zhang, M. He, D. Su, and M. Tehranipoor, "Secure scan and test using obfuscation throughout supply chain," IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2017.

Digital Library

[8]

U. Guin, Z. Zhou, and A. Singh, "Robust design-for-security architecture for enabling trust in ic manufacturing and test," IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 2018.

[9]

P. Subramanyan, S. Ray, and S. Malik, "Evaluating the Security of Logic Encryption Algorithms," in IEEE International Symposium on Hardware Oriented Security and Trust, 2015, pp. 137--143.

[10]

F. Brglez, D. Bryan, and K. Kozminski, "Combinational Profiles of Sequential Benchmark Circuits," in IEEE International Symposium on Circuits and Systems, 1989, pp. 1929--1934.

[11]

M. Yasin, S. M. Saeed, J. Rajendran, and O. Sinanoglu, "Activation of Logic Encrypted Chips: Pre-test or Post-Test?" in Design, Automation Test in Europe, 2016, pp. 139--144.

Digital Library

[12]

M. El Massad, S. Garg, and M. Tripunitara, "Reverse engineering camouflaged sequential circuits without scan access," in Computer-Aided Design (ICCAD), 2017 IEEE/ACM International Conference on. IEEE, 2017, pp. 33--40.

Digital Library

[13]

B. Yang, K. Wu, and R. Karri, "Scan based Side Channel Attack on Dedicated Hardware Implementations of Data Encryption Standard," in IEEE International Test Conference, 2004, pp. 339--344.

Digital Library

[14]

J. Lee, M. Tehranipoor, C. Patel, and J. Plusquellic, "Securing designs against scan-based side-channel attacks," IEEE transactions on dependable and secure computing, vol. 4, no. 4, pp. 325--336, 2007.

Digital Library

[15]

C. Liu and Y. Huang, "Effects of embedded decompression and compaction architectures on side-channel attack resistance." in VTS, 2007, pp. 461--468.

Digital Library

[16]

S. M. Saeed, S. S. Ali, O. Sinanoglu, and R. Karri, "Test-Mode-Only Scan Attack and Countermeasure for Contemporary Scan Architectures," in IEEE International Test Conference, 2014, pp. 1--8.

[17]

S. Paul, R. S. Chakraborty, and S. Bhunia, "VIm-Scan: A Low Overhead Scan Design Approach for Protection of Secret Key in Scan-based Secure Chips," in IEEE VLSI Test Symposium, 2007, pp. 455--460.

Digital Library

[18]

A. Cui, Y. Luo, and C.-H. Chang, "Static and Dynamic Obfuscations of Scan Data against Scan-based Side-channel Attacks," IEEE Transactions on Information Forensics and Security, vol. 12, no. 2, pp. 363--376, 2017.

Digital Library

[19]

Y. Atobe, Y. Shi, M. Yanagisawa, and N. Togawa, "Dynamically Changeable Secure Scan Architecture against Scan-based Side Channel Attack," in International SoC Design Conference, 2012, pp. 155--158.

[20]

D. Hely, F. Bancel, M.-L. Flottes, and B. Rouzeyre, "Test Control for Secure Scan Designs," in Test Symposium, 2005. European. IEEE, 2005, pp. 190--195.

Digital Library

[21]

G. Sengar, D. Mukhopadhyay, and D. R. Chowdhury, "Secured Flipped Scan-Chain Model for Crypto-Architecture," IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 26, no. 11, pp. 2080--2084, 2007.

Digital Library

[22]

E. J. McCluskey, "Built-in self-test techniques," IEEE Design & Test of Computers, vol. 2, no. 2, pp. 21--28, 1985.

Digital Library

Cited By

Jang SMoon YWon DKang S(2025)PASS: Pattern-Sequence-Authentication-Based Secure Scan Against Reverse Engineering AttacksIEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems10.1109/TCAD.2024.342907144:1(52-64)Online publication date: Jan-2025
https://doi.org/10.1109/TCAD.2024.3429071
Hashemi MMohammadi SCarlson T(2024)LOTUS: A Scalable Framework to Lock Multimodule Designs With One-Time Self-Destructing KeyIEEE Embedded Systems Letters10.1109/LES.2024.336061516:4(413-416)Online publication date: Dec-2024
https://doi.org/10.1109/LES.2024.3360615
Suzano JChastand AValea EDi Natale GPhilippe AAbouzeid FRoche P(2024)IEEE 1838 compliant scan encryption and integrity for 2.5/3D ICs2024 IEEE European Test Symposium (ETS)10.1109/ETS61313.2024.10567195(1-6)Online publication date: 20-May-2024
https://doi.org/10.1109/ETS61313.2024.10567195
Show More Cited By

Recommendations

A Reduction of Grid-Bag Layout to Auckland Layout
ASWEC '10: Proceedings of the 2010 21st Australian Software Engineering Conference

Many major programming platforms support layout managers in Grid-bag style, where GUI elements can be placed on a rectangular grid. In Grid-bag layout mangers, cells of the underlying grid can be merged in order to create more complex layouts. In this ...
Nmap in the Enterprise: Your Guide to Network Scanning
Distributed Evasive Scan Techniques and Countermeasures
DIMVA '07: Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Scan detection and suppression methods are an important means for preventing the disclosure of network information to attackers. However, despite the importance of limiting the information obtained by the attacker, and the wide availability of such ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ASPDAC '19: Proceedings of the 24th Asia and South Pacific Design Automation Conference

January 2019

794 pages

ISBN:9781450360074

DOI:10.1145/3287624

General Chair:
Toshiyuki Shibuya
Fujitsu Laboratories

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGDA: ACM Special Interest Group on Design Automation

In-Cooperation

IEICE ESS: Institute of Electronics, Information and Communication Engineers, Engineering Sciences Society
IEEE CAS
IEEE CEDA
IPSJ SIG-SLDM: Information Processing Society of Japan, SIG System LSI Design Methodology

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 January 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article

Conference

ASPDAC '19

Sponsor:

SIGDA

ASPDAC '19: 24th Asia and South Pacific Design Automation Conference

January 21 - 24, 2019

Tokyo, Japan

Acceptance Rates

Overall Acceptance Rate 466 of 1,454 submissions, 32%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

35
Total Citations
View Citations
357
Total Downloads

Downloads (Last 12 months)15
Downloads (Last 6 weeks)1

Reflects downloads up to 28 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Jang SMoon YWon DKang S(2025)PASS: Pattern-Sequence-Authentication-Based Secure Scan Against Reverse Engineering AttacksIEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems10.1109/TCAD.2024.342907144:1(52-64)Online publication date: Jan-2025
https://doi.org/10.1109/TCAD.2024.3429071
Hashemi MMohammadi SCarlson T(2024)LOTUS: A Scalable Framework to Lock Multimodule Designs With One-Time Self-Destructing KeyIEEE Embedded Systems Letters10.1109/LES.2024.336061516:4(413-416)Online publication date: Dec-2024
https://doi.org/10.1109/LES.2024.3360615
Suzano JChastand AValea EDi Natale GPhilippe AAbouzeid FRoche P(2024)IEEE 1838 compliant scan encryption and integrity for 2.5/3D ICs2024 IEEE European Test Symposium (ETS)10.1109/ETS61313.2024.10567195(1-6)Online publication date: 20-May-2024
https://doi.org/10.1109/ETS61313.2024.10567195
Han ZShayan MDixit AShihab MMakris YRajendran JCalandrino JTroncoso C(2023)FuncTellerProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620562(5809-5826)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620562
Chen XMerugu MZhang JRay S(2023) AroMa: Evaluating Deep Learning Systems for Stealthy Integrity Attacks on Multi-tenant AcceleratorsACM Journal on Emerging Technologies in Computing Systems10.1145/357903319:2(1-17)Online publication date: 6-Jan-2023
https://dl.acm.org/doi/10.1145/3579033
Ray DSao YBiswas SAli S(2023)On Securing Cryptographic ICs against Scan-based Attacks: A Hamming Weight Distribution PerspectiveACM Journal on Emerging Technologies in Computing Systems10.1145/357721519:2(1-20)Online publication date: 25-Mar-2023
https://dl.acm.org/doi/10.1145/3577215
Pearce HKarri RTan B(2023)High-Level Approaches to Hardware Security: A TutorialACM Transactions on Embedded Computing Systems10.1145/357720022:3(1-40)Online publication date: 20-Apr-2023
https://dl.acm.org/doi/10.1145/3577200
Alrahis LKnechtel JSinanoglu OTakahashi A(2023)Graph Neural NetworksProceedings of the 28th Asia and South Pacific Design Automation Conference10.1145/3566097.3568345(83-90)Online publication date: 16-Jan-2023
https://dl.acm.org/doi/10.1145/3566097.3568345
Gandhi JShekhawat DSantosh MPandey J(2023)Logic locking for IP securityComputers and Security10.1016/j.cose.2023.103196129:COnline publication date: 24-May-2023
https://dl.acm.org/doi/10.1016/j.cose.2023.103196
Meka JVenkatesh SVemuri R(2022)Analysis of the Satisfiability Attack Against Logic Encryption Using Synthetic Benchmarks2022 IEEE International Symposium on Smart Electronic Systems (iSES)10.1109/iSES54909.2022.00096(445-450)Online publication date: Dec-2022
https://doi.org/10.1109/iSES54909.2022.00096
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten