rostami14primer
Title of the paper: A Primer on Hardware Security: Models, Methods, and Metrics
Available at: https://ieeexplore.ieee.org/abstract/document/6860363
- 1.1 Introduction
- 1.1.1 Motivation
- 1.1.2 IC Supply Chain
- 1.1.3 Systematization of Hardware Security Knowledge
- 1.2 Hardware Trojans
- 1.2.1 Threat Models
- 1.2.2 State-of-the-Art Defenses
- 1.3 IP piracy and IC overbuilding
- 1.3.1 Threat Models
- 1.3.2 State-of-the-Art Defenses
- 1.4 Reverse Engineering
- 1.4.1 Threat Models
- 1.4.2 State-of-the-Art Defenses
- 1.5 Side-Channel Attacks
- 1.5.1 Threat Models
- 1.5.2 State-of-the-Art Defenses
- 1.6 Counterfeiting
- 1.6.1 Threat Models
- 1.6.2 State-of-the-Art Defenses
- 2 New Terms
Introduction
Motivation
All algorithmically secure cryptographic primitives and protocols rely on a hardware root of trust to deliver the expected protections when implemented in software.
This paper systematizes the knowledge for a number of important contemporary problems in hardware security. It classifies hardware-based threats, defenses, and metrics to evaluate the effectiveness of the developed defenses.
IC Supply Chain
Designing an IC involves:
Procuring intellectual property (IP) designs from third-party design houses, designing some components in-house, combining both, and generating the IC layout.
A blueprint of the design (e.g., in terms of GDS-II layout format) is then sent to the foundry that develops a costly mask and manufactures the ICs.
The ICs are then tested at the manufacturing site and often also at third-party test facilities.
Finally, fault-free ICs are packaged and sold.
There are multiple points within this supply chain where things can go wrong. The following hardware-based threats are possible.
IP piracy and IC overbuilding: An IP user or a rogue foundry may illegally pirate the IP without the knowledge and consent of the designer. A malicious foundry may build more than the required number of ICs and sell the excess ICs in the gray market.
Reverse engineering (RE): An attacker can reverse engineer the IC/IP design to his/her desired abstraction level. He can then reuse the recovered IP or improve it.
Side-channel analysis: An attacker can extract the secret information by exploiting a physical modality (power consumption, timing, or electromagnetic emission) of the hardware that executes the target application.
Counterfeiting: An attacker illegally forges or imitates the original component/design.
Systematization of Hardware Security Knowledge
Paper Organization
Section II focuses on hardware Trojans.
Section III details IP piracy and IC overbuilding.
Section IV discusses reverse engineering.
Section V explains side-channel attacks, and
Section VI describes counterfeiting.
For each attack, the threat model, the state-of-the-art defenses, and the metrics used to evaluate the defenses are systematized.
Hardware Trojans
A hardware Trojan is a malicious modification to a circuit.
The Trojan may control, modify, disable, or monitor the contents and communications of the underlying computing device.
Trojan detection is difficult.
Threat Models
There are two common scenarios for a hardware Trojan attack.
In the first scenario, an attacker in the foundry inserts a Trojan into the design by manipulating the lithographic masks. These Trojans take the form of addition, deletion, or modification of gates.
In the second scenario, a malicious IP is designed either by a rogue in the third-party IP (3PIP) design house or by a rogue in the in-house design team.
State-of-the-Art Defenses
Most techniques attempt to detect Trojans inserted in the foundry. There are at least two possible ways to detect this class of Trojans: invasive and noninvasive.
Defenses against malicious 3PIP and insider attacks include self-monitoring and static verification.
IP piracy and IC overbuilding
An attacker with access to an IP or an IC can steal and claim ownership and/or can overbuild and sell them illegally.
Threat Models
In scenario 1, the attacker in the integration house may pirate the 3PIP or use more than the licensed number of 3PIP instances.
In scenario 2, the attacker in the foundry may pirate the 3PIP after extracting it from the layout of the design.
In scenario 3, the attacker in the foundry may pirate the IC design and/or overbuild.
State-of-the-Art Defenses
Five methods have been developed to thwart piracy and overbuilding: obfuscation, watermarking, fingerprinting, metering, and split manufacturing.
In scenarios 1 and 2, the 3PIP vendor may protect his IP by obfuscating it, or by embedding his watermark, or by inserting a separate watermark in each instance of the IP (also called a fingerprint).
In scenario 3, the integrator may obfuscate or embed his watermark or fingerprint the design before delivering it to the foundry.
Watermarking:
A designer’s signature is embedded into the design artifact. The designer can later reveal the watermark and claim ownership of an IC/IP. Watermarks may include the addition of black-hole states to the finite state machine (FSM), the addition of secret constraints during high-level, logic, and physical synthesis, and field-programmable gate array (FPGA) design.
Fingerprinting:
It helps the defender to track the source of piracy by embedding the signature of the buyer (for instance, his public key) along with the watermark of the designer. When challenged, the designer can reveal the watermark to claim the ownership and the buyer’s signature to reveal the source of piracy.
Similar to watermarking, fingerprinting can also be applied during high-level, logic, and physical synthesis.
Obfuscation:
Obfuscation hides the functionality and implementation of a design by inserting additional gates into it. In one type of obfuscation, XOR/XNOR gates and memory elements are added. The obfuscated design functions correctly only when the correct values are applied to these gates and memory elements.
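The XOR/XNOR key-gate locking described above, as an added simulation (not from the paper): a 3-input function is locked with one XOR and one XNOR key gate, and an exhaustive check shows that only the correct key restores the original truth table. The function f, the wire choices and the key are constructed for illustration.

```python
"""Toy XOR/XNOR logic locking of a small combinational circuit.

Constructed example: original function f(a, b, c) = (a AND b) OR c.
An XOR key gate is transparent when its key bit is 0, an XNOR key gate
when its key bit is 1, so the correct key for this placement is (0, 1).
"""
from itertools import product

def original(a, b, c):
    return (a & b) | c

def locked(a, b, c, key):
    k0, k1 = key
    w1 = (a & b) ^ k0        # XOR key gate on the AND output: transparent for k0 == 0
    w2 = 1 - (c ^ k1)        # XNOR key gate on input c: transparent for k1 == 1
    return w1 | w2

CORRECT_KEY = (0, 1)
INPUTS = list(product((0, 1), repeat=3))   # all 8 input patterns

def functionally_equivalent(key):
    """True if the locked circuit matches the original on every input pattern."""
    return all(locked(a, b, c, key) == original(a, b, c) for a, b, c in INPUTS)

def corrupted_fraction(key):
    """Fraction of input patterns on which the locked circuit gives a wrong output."""
    wrong = sum(locked(a, b, c, key) != original(a, b, c) for a, b, c in INPUTS)
    return wrong / len(INPUTS)

def survey_keys():
    """For every 2-bit key: (unlocks the design?, fraction of corrupted outputs)."""
    return {key: (functionally_equivalent(key), corrupted_fraction(key))
            for key in product((0, 1), repeat=2)}

if __name__ == "__main__":
    for key, (ok, frac) in survey_keys().items():
        print(f"key={key} unlocks={ok} corrupted={frac:.2f}")
```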
In another type of obfuscation, the FSM of the design is obfuscated. An FSM can be obfuscated by adding extra states and/or transitions into it.
Some states in the original FSM may be replicated
invalid transitions between states may be added
unused states can be utilized
additional states with no outward transitions, referred to as black hole states, can be added
In all these techniques, only a valid key leads to the correct functionality; an invalid key leads the design into invalid states or transitions, and maybe into black hole states where the design will be stuck.
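The FSM obfuscation above, as an added simulation (not from the paper): a small sequence-detector FSM is wrapped in two added locking states that must be traversed with a key sequence before the original reset state is reached, and a wrong key bit drives the machine into a black-hole state with no outward transitions. The FSM, the state names and the key sequence are constructed for illustration.

```python
"""FSM obfuscation with added locking states and a black-hole state.

Constructed example. ORIGINAL detects two consecutive 1s (output 1 in S2).
OBFUSCATED adds states L0 and L1 that lead to the original reset state S0
only on the key sequence KEY; any other key bit leads to BH, a black-hole
state whose only transitions are self-loops, so the design stays stuck.
"""

# Mealy FSM as a table: (state, input_bit) -> (next_state, output_bit)
ORIGINAL = {
    ("S0", 0): ("S0", 0), ("S0", 1): ("S1", 0),
    ("S1", 0): ("S0", 0), ("S1", 1): ("S2", 1),
    ("S2", 0): ("S0", 0), ("S2", 1): ("S2", 1),
}

KEY = (1, 0)   # constructed unlock sequence applied after reset

OBFUSCATED = dict(ORIGINAL)
OBFUSCATED.update({
    ("L0", KEY[0]): ("L1", 0), ("L0", 1 - KEY[0]): ("BH", 0),
    ("L1", KEY[1]): ("S0", 0), ("L1", 1 - KEY[1]): ("BH", 0),
    ("BH", 0): ("BH", 0), ("BH", 1): ("BH", 0),   # black hole: no way out
})

def run(fsm, reset_state, inputs):
    """Step the FSM from reset_state over inputs; return (final_state, outputs)."""
    state, outputs = reset_state, []
    for bit in inputs:
        state, out = fsm[(state, bit)]
        outputs.append(out)
    return state, outputs

def run_obfuscated(key, inputs):
    """Reset into L0, apply the key bits, then the functional inputs."""
    return run(OBFUSCATED, "L0", tuple(key) + tuple(inputs))

def unlocked_matches_original(key, inputs):
    """True when, after the key, the obfuscated design reproduces the original outputs."""
    _, orig_out = run(ORIGINAL, "S0", inputs)
    _, obf_out = run_obfuscated(key, inputs)
    return obf_out[len(key):] == orig_out

if __name__ == "__main__":
    stimulus = (1, 1, 0, 1, 1)
    print("correct key:", run_obfuscated(KEY, stimulus))
    print("wrong key:  ", run_obfuscated((1, 1), stimulus))
```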
Metering:
It is a set of tools, methodologies, and protocols used to track a manufactured IC. In passive metering, part of an IC’s functionality is used for metering. The identified ICs are matched against their record in a database. This reveals unregistered ICs or overbuilt ICs. In active metering, parts of the IC’s functionality can only be accessed, locked, or unlocked by the designer and/or IP rights owners.
The difference between metering and obfuscation is that while metering uses a unique unlock key per IC, obfuscation just locks the IC.
Split Manufacturing:
The layout of the design is split into the front-end-of-line (FEOL) layers and back-end-of-line (BEOL) layers. They are then fabricated separately in different foundries. Post-fabrication, the FEOL and BEOL wafers are aligned and integrated using either electrical, mechanical, or optical alignment techniques.
Reverse Engineering
RE of an IC involves:
identifying the device technology used in it
extracting its gate-level netlist
inferring its functionality
Threat Models
In scenario 1, the attacker in the integration house can reverse engineer the 3PIP. The 3PIP vendor can protect his IP by obfuscating it. The foundry and the user are assumed to be untrustworthy.
In scenario 2, the attacker in the foundry can extract the 3PIP from the layout of the IC. As in RE scenario 1, the vendor can obfuscate his IP before delivering it to the untrustworthy system-on-chip (SoC) integrator.
In scenario 3, the attacker in the foundry can reverse engineer the IC. He can extract the transistor-level netlist from the layout, and then the gate-level netlist from it. The integrator can protect the design by obfuscating it.
In scenarios 4–8, the user is the reverse engineer. He may depackage the IC, delayer it, image the layers, stitch those images, and extract the netlist. While a 3PIP vendor may obfuscate his IP (RE scenario 4), an integrator may obfuscate the layout (RE scenario 5). A trusted foundry might camouflage the layout (RE scenarios 6–8). This provides an additional layer of defense beyond obfuscation (RE scenarios 7 and 8).
State-of-the-Art Defenses
Obfuscation and camouflaging can thwart RE.
In scenarios 1, 2, 4, and 7, a 3PIP vendor can obfuscate his IP.
In scenarios 3, 5, and 6, an SoC integrator can obfuscate his design.
A trusted foundry can camouflage the layout (scenarios 6–8) and add a layer of defense beyond obfuscation.
Camouflaging: This is a layout-level technique to hamper image-processing-based extraction of the gate-level netlist.
Side-Channel Attacks
Side-channel attacks exploit the leakage of secret information through a physical modality when an application is being executed on a system.
Side-channel attacks are powerful and have been able to break most existing important cryptographic algorithms.
Timing, power consumption, electromagnetic (EM) emanations, photonic emissions, and acoustic noise of the system can be used to extract the secret key.
Fault attacks can be launched using lasers, glitches in power supplies and clocks, and X-rays.
An attacker can scan out the secret key when the key-storing registers are connected as a scan chain. It has been shown that the power/timing consumption of PUF circuits is directly correlated with the process variation that PUF secrets are based upon. Therefore, PUFs have also been shown to be susceptible to side-channel attacks.
Threat Models
A realistic threat model must be developed first, and the defense should then vary depending upon the capabilities of the attacker in collecting the side-channel measurements.
State-of-the-Art Defenses
Leakage Reduction: These techniques decrease the dependency between the side-channel traces of the implementation I_F and the secret information k.
Noise Injection: The SNR of the measurable side-channel information can be reduced by injecting artificial noise. Noise injection therefore does not provide theoretical security, but it does increase the work an attacker needs to extract the secret keys.
Key Update: Frequently updating the secret key prevents the accumulation of side-channel information by the adversary. This method uses a predefined sequence of keys (e.g., the output of a pseudorandom number generator) plus synchronized timings to ensure that the sequence of keys is consistent for both communicating parties.
Side-Channel-Resistant PUFs: Due to the effectiveness of side-channel attacks against PUFs, it is imperative that circuit countermeasures be used in future implementations. These countermeasures mitigate the correlation between the secret information and the measurable circuit delay/power consumption.
Secure Scan Chains: In a secure scan approach, mirror key registers are used in sensitive parts of the circuits. These registers block unauthorized access to the values of sensitive registers in the test mode of operation. In another approach, scan chains are divided into smaller subchains and access to them for regular users is randomized.
Counterfeiting
A counterfeit semiconductor component is an illegal forgery or imitation of the original component.
Although the common incentive for selling fake ICs is financial, the ease of inserting intentional hardware Trojans or spyware in fake ICs makes them a real security threat for the whole system which would eventually integrate the fake components.
Threat Models
In scenario 1, defective ICs, i.e., those which failed the manufacture-time testing and have been discarded, are used in consumer products. An untrustworthy entity at the test facility can be the source of leaking defective ICs.
In scenario 2, a dishonest entity in the IC supply chain mislabels a product and sells it as another IC potentially through a vendor.
Scenario 3 is similar to scenario 2 except for the following difference: while the designer employs proactive techniques to prevent counterfeiting in scenario 2, the assembly uses reactive techniques to detect counterfeiting in scenario 3.
State-of-the-Art Defenses
Hardware Metering and Auditing: Hardware metering is a set of tools, methodologies, and protocols that enable post-fabrication tracking of the manufactured ICs. Hardware metering may be passive or active.
In passive metering, part of the functionality of each IC can be specifically identified and used for metering, even for ICs coming from the same mask. The identified ICs may be matched against their record in a preformed database, which can reveal unregistered ICs or overbuilt ICs (in case of collisions).
In active metering, parts of the chip’s functionality can only be accessed, locked (disabled), or unlocked (enabled) by the designer and/or IP rights owners, using high-level knowledge of the design.
IC Fingerprints or PUFs
Device Aging Models/Sensors: IC lifetime is influenced by a variety of phenomena. By employing sensors in ICs to measure these phenomena, an estimate of chip lifetime can be obtained, which would prevent counterfeiters from selling used chips as new ones.
IP Watermarking
New Terms
3PIP: third-party IP
PUF: physically unclonable function
A PUF depends on random physical factors (unpredictable and uncontrollable) that exist natively and/or are incidentally introduced during a manufacturing process.