Obfuscated Circuits with Capabilities and Performance Beyond the SAT - PowerPoint PPT Presentation

  1. SMT Attack: Next Generation Attack on Obfuscated Circuits with Capabilities and Performance Beyond the SAT Attacks
     Conference on Cryptographic Hardware and Embedded Systems 2019 (CHES 2019)
     Kimia Zamiri Azar, Hadi Mardani Kamali, Houman Homayoun, and Avesta Sasan
     Department of Electrical and Computer Engineering, George Mason University, USA

  2. Outline
     - Intro to Hardware Security
     - Intro to Logic Locking
     - SAT Attack and its Limitations
     - SMT Attack
       - SMT reduced to SAT Attack
       - Eager SMT Attack
       - Lazy SMT Attack
       - Accelerated Lazy SMT Attack
     - Experimental Results
     - Conclusion

  3. Design Flow
     - The high cost of manufacturing in ASIC design has pushed most of the needed fabrication offshore
     - Some fabs are untrusted
     - Security threats for an untrusted supply chain:
       - Trojan insertion
       - Overproduction
       - Intellectual Property (IP) theft
       - Counterfeiting
       - Reverse engineering, etc.
     [Figure: in-house SoC design flow. Design teams and IP vendors (IP Vendor 1, IP Vendor 2) feed system design and system RTL; design synthesis and verification covers RTL verification, logic synthesis, gate-level verification, physical synthesis and layout (GDSII); then fabrication, wafer test, package and assembly, PCB assembly and system integration by the integration team, with a recycle/repackage path for outdated parts.]

  4. Logic Locking
     - Logic locking: adding ambiguity to the design
       - Inserting Key Programmable Gates (KPGs)
       - No information on the key at untrusted entities
     [Figure: the original netlist computes Y = f(x1, x2, ..., xn); after logic locking with EPIC (2008) under a random insertion policy (RLL), the circuit computes Y_n = f(x1, x2, ..., xn, k1, k2) with key inputs k1 and k2.]

  5. SAT Attack: a Turning Point in Logic Locking
     - SAT attack recipe:
       1. Reverse-engineered netlist (CL)
       2. A functionally activated chip (CO)
     - The SAT attack broke all logic obfuscation schemes prior to its debut!
       - Random insertion (RLL)
       - Fault-analysis (FLL)
       - Interference-based logic locking (SLL)
     [Figure: a small locked netlist with inputs I0-I5, gates g0-g6, outputs O0 and O1, and two key gates kg0 and kg1 driven by key bits k0 and k1.]

  6. SAT Attack
     [Figure: SAT attack flow. The locked circuit C_Locked(X, Y), rebuilt from Key Programmable Gates as the Key-Programmable Circuit (KPC), is instantiated twice with keys K1 and K2 to form the Key-Differentiating Circuit (KDC) and the SAT Circuit (SATC): C(X,K1,Y1) ∧ C(X,K2,Y2) ∧ (Y1 != Y2). Each solve yields a discriminating input X_DI; the oracle evaluates Y for X_DI, and a clause is added to the DI Validation Circuit (DIVC) and the SCK Validation Circuit (SCKVC). The keys split into the Set of Correct Keys (SCK) and the Set of Invalid Keys (SIK).]
     - Breaks within a few minutes (a few iterations)!

  7. Limitation of SAT Attack
     - SAT-resilient logic obfuscation solutions
     [Figure: timeline of logical locking schemes, SAT-resilient locking schemes and attacks.
       Before 2008: no defense scheme against all threats (IP piracy, overproduction, counterfeiting, reverse engineering)
       2008-2010: RLL 2008, Reconfig. Barrier 2010
       2010-2015: SLL 2012, FLL 2015; attacks: Sensitization & Justification 2012, SAT attack 2015
       2016: SARLock 2016, Anti-SAT 2016, Cyclic Locking 2016; attacks: Removal 2016, SPS 2016
       2017: SFLL 2017, DLL 2017; attacks: CycSAT 2017, AppSAT 2017, Double-DIP 2017, Bypass 2017
       2018: LUT-Lock 2018, SRCLock 2018; SMT attack]

  8. Limitation of SAT Attack
     - A SAT attack works if the logic obfuscation is of Boolean nature
     - Model translation flow:
       - Boolean logic → Conjunctive Normal Form (CNF)
       - CNF → satisfiability assignment problem
     - Defense solutions to trap the SAT solver?
       - Use non-logical properties for locking
       - Such locking cannot be modeled if it cannot be translated to CNF
     [Figure: the timeline of slide 7, highlighting the SAT-resilient locking schemes (SARLock, Anti-SAT, Cyclic Locking 2016; SFLL, DLL 2017; LUT-Lock, SRCLock 2018) and the attacks (Removal, SPS 2016; CycSAT, AppSAT, Double-DIP, Bypass 2017; SMT attack).]

  9. Behavioral Logical Obfuscation
     - Delay and Logic Locking (DLL)
       - The obfuscation controls the setup and hold time
       - Incorrect key → setup and hold time violation
     - Timing is not translatable to CNF
       - The SAT solver remains oblivious to the keys used for timing obfuscation
     [Figure: a Tunable Delay Buffer (TDB) and a Tunable Delay Key-gate (TDK) with input x, output y and key bits k1, k2 selecting the delay.]

  10. Solution: Satisfiability Modulo Theory (SMT) Attack

  11. SMT Solver
     - An SMT solver is used to solve a decision problem
       - Close integration of a SAT solver with a theory solver
     - Uses first-order theories
       - Equality reasoning
       - Arithmetic
       - Graph-based deduction
     - Modern SMT solvers provide the capability of combining theory solvers
       - Can support more powerful languages as their input

  12. Approaches to SMT Solver
     - Two approaches for solving an SMT problem
       - Eager approach
       - Lazy approach
     [Figure: eager approach: the formula µ is translated by the theory into µ*, which a SAT solver decides (SAT/UNSAT); lazy approach: the SAT solver and the theory solver work on µ together and return SAT/UNSAT.]

  13. SMT Eager Approach
     - Eager approach
       - Translating the problem into Boolean SAT instances
       - The existing Boolean SAT solvers are used as is
       - The SMT solver has to work a lot harder, e.g. for checking the equivalence of two 32-bit values
       - By deploying a theory solver this could be achieved in no time
     [Figure: µ → Theory → µ* → SAT solver → SAT/UNSAT]
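To make the cost of the eager route concrete, this added example (constructed here, not code from the paper) bit-blasts the slide's 32-bit equality check into the Tseitin CNF an eager front end would hand to a plain SAT solver, then propagates a concrete assignment through the clauses; the lazy route keeps the same fact as one theory atom, a = b, that a bit-vector or equality theory solver decides directly. Variable numbering and the `eager_equal`/`encoding_size` helpers are this example's own choices.

```python
"""Eager approach made concrete: bit-blast a 32-bit equality into CNF.
Constructed example; the lazy route keeps the same fact as one theory
atom, a = b, decided directly by the bit-vector/equality theory solver."""
WIDTH = 32


def bitblast_equality(width=WIDTH):
    """Tseitin clauses for out <-> (a == b), DIMACS-style integer literals.
    Variables: a_i = i+1, b_i = width+i+1, e_i = 2*width+i+1 (a_i XNOR b_i),
    out = 3*width+1. Returns (clauses, n_vars, out)."""
    a = [i + 1 for i in range(width)]
    b = [width + i + 1 for i in range(width)]
    e = [2 * width + i + 1 for i in range(width)]
    out = 3 * width + 1
    clauses = []
    for ai, bi, ei in zip(a, b, e):
        # e_i <-> (a_i XNOR b_i): four clauses per bit
        clauses += [[-ei, -ai, bi], [-ei, ai, -bi], [ei, -ai, -bi], [ei, ai, bi]]
    clauses += [[-out, ei] for ei in e]          # out -> every e_i
    clauses.append([out] + [-ei for ei in e])    # all e_i -> out
    return clauses, out, out


def evaluate(clauses, assignment):
    """True iff every clause has a literal that is true under the assignment."""
    return all(any(assignment[abs(l)] == (l > 0) for l in c) for c in clauses)


def eager_equal(a_val, b_val, width=WIDTH):
    """Decide a == b through the CNF: fix the input bits, derive each e_i, and
    return the unique value of `out` that satisfies every clause."""
    clauses, _, out = bitblast_equality(width)
    assign = {}
    for i in range(width):
        assign[i + 1] = bool(a_val >> i & 1)
        assign[width + i + 1] = bool(b_val >> i & 1)
        assign[2 * width + i + 1] = assign[i + 1] == assign[width + i + 1]
    sat_out = [v for v in (False, True) if evaluate(clauses, {**assign, out: v})]
    assert len(sat_out) == 1, "Tseitin encoding must fix out uniquely"
    return sat_out[0]


def encoding_size(width=WIDTH):
    """(clauses, variables) the eager route spends on a single equality atom."""
    clauses, n_vars, _ = bitblast_equality(width)
    return len(clauses), n_vars
```

For 32-bit operands the eager encoding spends 161 clauses over 97 variables on a fact the theory solver checks with a single comparison.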

  14. SMT Lazy Approach
     - Lazy approach
       - Integrates the Boolean satisfiability solvers and theory solvers
       - Capabilities of the theory solvers:
         - Theory propagation for checking possible conflicts on partial assignments
         - Clause learning to speed up pruning the decision tree
     [Figure: µ → SAT solver ⇄ Theory → SAT/UNSAT]

  15. SMT Attack
     [Figure: SMT attack architecture. The obfuscated netlist goes through circuit extraction and then a translation module with one theory-extraction step per theory (bit-vectors, arrays, equality, graph, quantifier-free, ..., Theory-n). The SMT solver combines a SAT solver with the theory solvers and returns SAT/UNSAT; update paths carry the learned clauses (T LC, SMT LC) and CC + LLK back into the solver.]

  16. SMT Attack: Step 1
     - Obfuscated cells → equivalent Key Programmable Gates (KPG)
       - A KPG performs the same function as the obfuscated cell
       - Allows building a key-controlled representation
     [Figure: the architecture of slide 15 plus a table of key gates and their translated gates: 1. Tunable Delay Gate (TDK, key bits k0, k1); 2. Look-Up-Table (LUTn with inputs i0 ... i_{n-1} and key bits up to k_{2^n-1}); 3. Camouflaged Gate (AND/XOR on i1, i2 selected by k1); 4. XOR Gate; 5. MUX; 6. XNOR Gate.]

  17. SMT Attack: Step 2
     - Before invoking a theory solver, the input model must be translated into a model that is understood by that theory solver
     - A different translation step is needed for each theory solver
     [Figure: the SMT attack architecture of slide 15.]

  18. SMT Attack
     - Invoking the SMT solver returns:
       - A satisfiable assignment
       - A list of learned theory/conflict clauses
     [Figure: the SMT attack architecture of slide 15.]

  19. Attack Modes
     - Mode 1: SMT reduced to SAT Attack
       - To show SMT is a superset of SAT
     - Mode 2: Eager SMT Attack
       - To show the strength of SMT
       - Theory solver(s) and SAT solver are serialized!
     - Mode 3: Lazy SMT Attack
       - To show the strength of SMT
       - Theory solver(s) and SAT solver are parallelized!
     - Mode 4: Accelerated Lazy SMT Attack (AccSMT)
       - To show more efficiency
       - Uses the BitVector theory solver

  21. Mode 1: SMT reduced to SAT Attack
     - The SMT solver is a superset of the SAT solver
     - Any attack formulated for SAT can be formulated using SMT
       - One-to-one translation of the original SAT attack

  22. Mode 1: SMT reduced to SAT Attack
     - The recently found Conflict Clauses (CC) are added to the set of previously found Learned Clauses (LC).
     - Note that this step is done implicitly if the SMT solver is stateful.
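The loop behind the SAT attack of slide 6, and the clause accumulation Mode 1 re-expresses in SMT on slide 22, as an added example (constructed here, not the paper's code): brute-force enumeration of a 4-input, 3-key toy circuit stands in for the SAT/SMT solver, each oracle query appends an (X_DI, Y) clause to the learned set, and the attack stops when no discriminating input survives. The circuit, its key gates and the correct key 0b010 are this example's own construction; counting the oracle queries is how one measures how little a locking scheme of this kind resists.

```python
"""Toy SAT-attack loop on a constructed locked circuit (not the paper's code).
Each oracle query appends an (X_DI, Y) clause to the learned set (DIVC); the
attack stops when C(X,K1,Y1) AND C(X,K2,Y2) AND (Y1 != Y2) is UNSAT (SCK)."""
from itertools import combinations

N_INPUTS, N_KEYS = 4, 3


def original(x):
    """Unlocked function on a 4-bit input: (x0 AND x1) OR (x2 XOR x3)."""
    a = (x & 1) & ((x >> 1) & 1)
    b = ((x >> 2) & 1) ^ ((x >> 3) & 1)
    return a | b


def locked(x, k):
    """Same netlist with three constructed key gates: XOR on a (k0), XNOR on
    b (k1) and XOR on the output (k2). The correct key is k = 0b010."""
    a = (x & 1) & ((x >> 1) & 1)
    b = ((x >> 2) & 1) ^ ((x >> 3) & 1)
    n1 = a ^ (k & 1)
    n2 = 1 ^ b ^ ((k >> 1) & 1)
    return (n1 | n2) ^ ((k >> 2) & 1)


def consistent(k, learned):
    """DIVC check: key k must reproduce every recorded oracle observation."""
    return all(locked(x, k) == y for x, y in learned)


def find_di(learned):
    """SATC: look for X and two keys K1, K2 that survive the learned clauses
    yet disagree on the output. Returns (X, K1, K2) or None when UNSAT."""
    keys = [k for k in range(1 << N_KEYS) if consistent(k, learned)]
    for x in range(1 << N_INPUTS):
        for k1, k2 in combinations(keys, 2):
            if locked(x, k1) != locked(x, k2):
                return x, k1, k2
    return None


def run_sat_attack(oracle=original):
    """Return (Set of Correct Keys, number of oracle queries made)."""
    learned = []                              # accumulated (X_DI, Y) clauses
    while (di := find_di(learned)) is not None:
        x = di[0]
        learned.append((x, oracle(x)))        # query the activated chip
    sck = {k for k in range(1 << N_KEYS) if consistent(k, learned)}
    return sck, len(learned)
```

On this circuit three oracle queries prune the eight candidate keys down to the single correct one, which is the "few iterations" behaviour slide 6 describes.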
