skip to main content
10.1145/3287624.3287693acmconferencesArticle/Chapter ViewAbstractPublication PagesaspdacConference Proceedingsconference-collections
research-article

ScanSAT: unlocking obfuscated scan chains

Published: 21 January 2019 Publication History

Abstract

While financially advantageous, outsourcing key steps such as testing to potentially untrusted Outsourced Semiconductor Assembly and Test (OSAT) companies may pose a risk of compromising on-chip assets. Obfuscation of scan chains is a technique that hides the actual scan data from the untrusted testers; logic inserted between the scan cells, driven by a secret key, hide the transformation functions between the scan-in stimulus (scan-out response) and the delivered scan pattern (captured response). In this paper, we propose ScanSAT: an attack that transforms a scan obfuscated circuit to its logic-locked version and applies a variant of the Boolean satisfiability (SAT) based attack, thereby extracting the secret key. Our empirical results demonstrate that ScanSAT can easily break naive scan obfuscation techniques using only three or fewer attack iterations even for large key sizes and in the presence of scan compression.

References

[1]
M. Rostami, F. Koushanfar, and R. Karri, "A Primer on Hardware Security: Models, Methods, and Metrics," IEEE, vol. 102, no. 8, pp. 1283--1295, 2014.
[2]
M. Berry and G. John, "Outsourcing Test - What are the most valuable engagement periods?" http://www.amkor.com/go/outsourcing-test, 2014, {May 16, 2016}.
[3]
J. Roy, F. Koushanfar, and I. L. Markov, "Ending Piracy of Integrated Circuits," IEEE Computer, vol. 43, no. 10, pp. 30--38, 2010.
[4]
M. Yasin, J. Rajendran, O. Sinanoglu, and R. Karri, "On Improving the Security of Logic Locking," IEEE Transactions on CAD of Integrated Circuits and Systems, vol. 35, no. 9, pp. 1411--1424, 2016.
[5]
J. Rajendran, H. Zhang, C. Zhang, G. Rose, Y. Pino, O. Sinanoglu, and R. Karri, "Fault Analysis-Based Logic Encryption," IEEE Transactions on Computer, vol. 64, no. 2, pp. 410--424, 2015.
[6]
R. Karmakar, S. Chatopadhyay, and R. Kapur, "Encrypt Flip-Flop: A Novel Logic Encryption Technique For Sequential Circuits," arXiv preprint arXiv:1801.04961, 2018.
[7]
X. Wang, D. Zhang, M. He, D. Su, and M. Tehranipoor, "Secure scan and test using obfuscation throughout supply chain," IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 2017.
[8]
U. Guin, Z. Zhou, and A. Singh, "Robust design-for-security architecture for enabling trust in ic manufacturing and test," IEEE Transactions on Very Large Scale Integration (VLSI) Systems, 2018.
[9]
P. Subramanyan, S. Ray, and S. Malik, "Evaluating the Security of Logic Encryption Algorithms," in IEEE International Symposium on Hardware Oriented Security and Trust, 2015, pp. 137--143.
[10]
F. Brglez, D. Bryan, and K. Kozminski, "Combinational Profiles of Sequential Benchmark Circuits," in IEEE International Symposium on Circuits and Systems, 1989, pp. 1929--1934.
[11]
M. Yasin, S. M. Saeed, J. Rajendran, and O. Sinanoglu, "Activation of Logic Encrypted Chips: Pre-test or Post-Test?" in Design, Automation Test in Europe, 2016, pp. 139--144.
[12]
M. El Massad, S. Garg, and M. Tripunitara, "Reverse engineering camouflaged sequential circuits without scan access," in Computer-Aided Design (ICCAD), 2017 IEEE/ACM International Conference on. IEEE, 2017, pp. 33--40.
[13]
B. Yang, K. Wu, and R. Karri, "Scan based Side Channel Attack on Dedicated Hardware Implementations of Data Encryption Standard," in IEEE International Test Conference, 2004, pp. 339--344.
[14]
J. Lee, M. Tehranipoor, C. Patel, and J. Plusquellic, "Securing designs against scan-based side-channel attacks," IEEE transactions on dependable and secure computing, vol. 4, no. 4, pp. 325--336, 2007.
[15]
C. Liu and Y. Huang, "Effects of embedded decompression and compaction architectures on side-channel attack resistance." in VTS, 2007, pp. 461--468.
[16]
S. M. Saeed, S. S. Ali, O. Sinanoglu, and R. Karri, "Test-Mode-Only Scan Attack and Countermeasure for Contemporary Scan Architectures," in IEEE International Test Conference, 2014, pp. 1--8.
[17]
S. Paul, R. S. Chakraborty, and S. Bhunia, "VIm-Scan: A Low Overhead Scan Design Approach for Protection of Secret Key in Scan-based Secure Chips," in IEEE VLSI Test Symposium, 2007, pp. 455--460.
[18]
A. Cui, Y. Luo, and C.-H. Chang, "Static and Dynamic Obfuscations of Scan Data against Scan-based Side-channel Attacks," IEEE Transactions on Information Forensics and Security, vol. 12, no. 2, pp. 363--376, 2017.
[19]
Y. Atobe, Y. Shi, M. Yanagisawa, and N. Togawa, "Dynamically Changeable Secure Scan Architecture against Scan-based Side Channel Attack," in International SoC Design Conference, 2012, pp. 155--158.
[20]
D. Hely, F. Bancel, M.-L. Flottes, and B. Rouzeyre, "Test Control for Secure Scan Designs," in Test Symposium, 2005. European. IEEE, 2005, pp. 190--195.
[21]
G. Sengar, D. Mukhopadhyay, and D. R. Chowdhury, "Secured Flipped Scan-Chain Model for Crypto-Architecture," IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, vol. 26, no. 11, pp. 2080--2084, 2007.
[22]
E. J. McCluskey, "Built-in self-test techniques," IEEE Design & Test of Computers, vol. 2, no. 2, pp. 21--28, 1985.

Cited By

View all
  • (2025)PASS: Pattern-Sequence-Authentication-Based Secure Scan Against Reverse Engineering AttacksIEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems10.1109/TCAD.2024.342907144:1(52-64)Online publication date: Jan-2025
  • (2024)LOTUS: A Scalable Framework to Lock Multimodule Designs With One-Time Self-Destructing KeyIEEE Embedded Systems Letters10.1109/LES.2024.336061516:4(413-416)Online publication date: Dec-2024
  • (2024)IEEE 1838 compliant scan encryption and integrity for 2.5/3D ICs2024 IEEE European Test Symposium (ETS)10.1109/ETS61313.2024.10567195(1-6)Online publication date: 20-May-2024
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
ASPDAC '19: Proceedings of the 24th Asia and South Pacific Design Automation Conference
January 2019
794 pages
ISBN:9781450360074
DOI:10.1145/3287624
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

In-Cooperation

  • IEICE ESS: Institute of Electronics, Information and Communication Engineers, Engineering Sciences Society
  • IEEE CAS
  • IEEE CEDA
  • IPSJ SIG-SLDM: Information Processing Society of Japan, SIG System LSI Design Methodology

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 21 January 2019

Permissions

Request permissions for this article.

Check for updates

Qualifiers

  • Research-article

Conference

ASPDAC '19
Sponsor:

Acceptance Rates

Overall Acceptance Rate 466 of 1,454 submissions, 32%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)15
  • Downloads (Last 6 weeks)1
Reflects downloads up to 01 Mar 2025

Other Metrics

Citations

Cited By

View all
  • (2025)PASS: Pattern-Sequence-Authentication-Based Secure Scan Against Reverse Engineering AttacksIEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems10.1109/TCAD.2024.342907144:1(52-64)Online publication date: Jan-2025
  • (2024)LOTUS: A Scalable Framework to Lock Multimodule Designs With One-Time Self-Destructing KeyIEEE Embedded Systems Letters10.1109/LES.2024.336061516:4(413-416)Online publication date: Dec-2024
  • (2024)IEEE 1838 compliant scan encryption and integrity for 2.5/3D ICs2024 IEEE European Test Symposium (ETS)10.1109/ETS61313.2024.10567195(1-6)Online publication date: 20-May-2024
  • (2023)FuncTellerProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620562(5809-5826)Online publication date: 9-Aug-2023
  • (2023) AroMa: Evaluating Deep Learning Systems for Stealthy Integrity Attacks on Multi-tenant AcceleratorsACM Journal on Emerging Technologies in Computing Systems10.1145/357903319:2(1-17)Online publication date: 6-Jan-2023
  • (2023)On Securing Cryptographic ICs against Scan-based Attacks: A Hamming Weight Distribution PerspectiveACM Journal on Emerging Technologies in Computing Systems10.1145/357721519:2(1-20)Online publication date: 25-Mar-2023
  • (2023)High-Level Approaches to Hardware Security: A TutorialACM Transactions on Embedded Computing Systems10.1145/357720022:3(1-40)Online publication date: 20-Apr-2023
  • (2023)Graph Neural NetworksProceedings of the 28th Asia and South Pacific Design Automation Conference10.1145/3566097.3568345(83-90)Online publication date: 16-Jan-2023
  • (2023)Logic locking for IP securityComputers and Security10.1016/j.cose.2023.103196129:COnline publication date: 24-May-2023
  • (2022)Analysis of the Satisfiability Attack Against Logic Encryption Using Synthetic Benchmarks2022 IEEE International Symposium on Smart Electronic Systems (iSES)10.1109/iSES54909.2022.00096(445-450)Online publication date: Dec-2022
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media