Gate-Level Netlist Reverse Engineering Tool Set for Functionality Recovery and Malicious Logic Detection

Author(s): Travis Meade, Shaojie Zhang, Yier Jin, Zheng Zhao, David Pan

Abstract: Reliance on third-party resources, including third-party IP cores and fabrication foundries, as well as wide usage of commercial-off-the-shelf (COTS) components, has raised concerns that backdoors and/or hardware Trojans may be inserted into fabricated chips. Defending against hardware backdoors and/or Trojans has primarily focused on detection at various stages in the supply chain. Netlist reverse engineering tools have been investigated as an alternative to existing chip-level reverse engineering methods, which can help recover functional netlists from fabricated chips but fall short of detecting malicious logic or recovering high-level functionality. In this work, we develop a netlist reverse engineering tool-set which recovers high-level functionality from the netlist, thereby aiding malicious logic detection. The tool-set performs state register identification, control logic recovery and datapath tracking, which facilitates validation of encrypted/obfuscated hardware IP cores. Relying on 3-SAT algorithms and topology-based computational methods, we demonstrate that the developed tool-set can handle netlists of various complexities.

Author(s): Marc Fyrbiak, Sebastian Wallat, Jonathan Déchelotte, Nils Albartus, Sinan Böcker, ...

In today’s Integrated Circuit (IC) production chains, a designer’s valuable Intellectual Property (IP) is transparent to diverse stakeholders and thus inevitably prone to piracy. To protect against this threat, numerous defenses based on the obfuscation of a circuit’s control path, i.e. its Finite State Machine (FSM), have been proposed and are commonly believed to be secure. However, the security of these sequential obfuscation schemes is doubtful, since the realistic capabilities of reverse engineering and subsequent manipulation are commonly neglected in the security analysis. The contribution of our work is threefold: First, we demonstrate how high-level control path information can be automatically extracted from third-party, gate-level netlists. To this end, we extend state-of-the-art reverse engineering algorithms to deal with Field Programmable Gate Array (FPGA) gate-level netlists equipped with FSM obfuscation. Second, on the basis of realistic reverse engineering capabilities, we carefully review the security of state-of-the-art FSM obfuscation schemes. We reveal several generic strategies that bypass allegedly secure FSM obfuscation schemes and we practically demonstrate our attacks for several hardware designs, including cryptographic IP cores. Third, we present the design and implementation of Hardware Nanomites, a novel obfuscation scheme based on partial dynamic reconfiguration that generically mitigates existing algorithmic reverse engineering.


Author(s): Nils Albartus, Max Hoffmann, Sebastian Temme, Leonid Azriel, Christof Paar

Reverse engineering of integrated circuits, i.e., understanding the internals of Integrated Circuits (ICs), is required for many benign and malicious applications. Examples of the former are detection of patent infringements, hardware Trojans or Intellectual Property (IP) theft, as well as interface recovery and defect analysis, while malicious applications include IP theft and finding insertion points for hardware Trojans. However, regardless of the application, the reverse engineer initially starts with a large unstructured netlist, forming an incomprehensible sea of gates. This work presents DANA, a generic, technology-agnostic, and fully automated dataflow analysis methodology for flattened gate-level netlists. By analyzing the flow of data between individual Flip Flops (FFs), DANA recovers high-level registers. The key idea behind DANA is to combine independent metrics based on structural and control information with a powerful automated architecture. Notably, DANA works without any thresholds, scenario-dependent parameters, or other “magic” values that the user must choose. We evaluate DANA on nine modern hardware designs, ranging from cryptographic co-processors, over CPUs, to the OpenTitan, a state-of-the-art System-on-Chip (SoC), which is maintained by the lowRISC initiative with supporting industry partners like Google and Western Digital. Our results demonstrate almost perfect recovery of registers for all case studies, regardless of whether they were synthesized as FPGA or ASIC netlists.
Furthermore, we explore two applications for dataflow analysis: we show that the raw output of DANA often already allows one to identify crucial components and high-level architecture features, and we also demonstrate its applicability for detecting simple hardware Trojans. Hence, DANA can be applied universally as the first step when investigating unknown netlists and provides major guidance for human analysts by structuring and condensing the otherwise incomprehensible sea of gates. Our implementation of DANA and all synthesized netlists are available as open source on GitHub.


Sensors, 2020, Vol 20 (18), pp. 5165
Author(s): Chen Dong, Yi Xu, Ximeng Liu, Fan Zhang, Guorong He, ...

With the diverse and wide-ranging applications of integrated circuits (ICs) and the development of Cyber-Physical Systems (CPS), more and more third-party manufacturers are involved in the manufacturing of ICs. Unfortunately, like software, hardware can also be subjected to malicious attacks. Untrusted outsourced manufacturing tools and intellectual property (IP) cores may bring enormous risks to highly integrated ICs. Owing to this manufacturing model, malicious circuits (known as Hardware Trojans, HTs) can be implanted during most design and manufacturing stages of the ICs, causing a change of functionality, leakage of information, or even a denial of service (DoS). In this paper, a survey of HTs is presented, which shows the threats to chips and the state-of-the-art prevention and detection techniques. Starting from an introduction to HT structures, recent academic research on HTs is compiled and a comprehensive classification of HTs is proposed. The state-of-the-art HT protection techniques, with their advantages and disadvantages, are further analyzed. Finally, the development trends in hardware security are highlighted.


Blood, 2001, Vol 97 (2), pp. 557-564
Author(s): Peter J. Quesenberry, Suju Zhong, Han Wang, Marc Stewart

Abstract: We have previously shown that the keys to high-level nontoxic chimerism in syngeneic models are stem cell toxic, nonmyelotoxic host treatment as provided by 100-cGy whole-body irradiation and relatively high levels of marrow stem cells. This approach was unsuccessful in H-2 mismatched B6.SJL to BALB/c marrow transplants, but with tolerization, stable multilineage chimerism was obtained. Ten million B6.SJL spleen cells were infused intravenously into BALB/c hosts on day −10 and (MR-1) anti-CD40 ligand monoclonal antibody (mAb) injected intraperitoneally at varying levels on days −10, −7, −3, 0, and +3 and the BALB/c mice irradiated (100 cGy) and infused with 40 million B6.SJL/H-2 mismatched marrow cells on day 0. Stable multilineage chimerism at levels between 30% to 40% was achieved in the great majority of mice at 1.6 mg anti-CD40 ligand mAb per injection out to 64 weeks after transplantation, without graft-versus-host disease. The transplanted mice were also tolerant of donor B6.SJL, but not third-party CBA/J skin grafts at 8 to 9 and 39 to 43 weeks after marrow transplantation. These data provide a unique model for obtaining stable partial chimerism in H-2 mismatched mice, which can be applied to various clinical diseases of man such as sickle cell anemia, thalassemia, and autoimmune disorders.


Author(s): F. Geri, O. Cainelli, G. Salogni, P. Zatelli, M. Ciolli

Public and academic interest in environmental pollution caused by toxic substances and other sources, like noise, is constantly rising. To protect public health and ecosystems it is necessary to keep the concentrations of pollutants below a safety threshold. In this context the development of models able to assess the impact of environmental pollution has been identified as a priority for future research. The scientific community has therefore produced many predictive models in the field. The vast majority of them need to be run by specialists with deep technical knowledge of the modeled phenomena in order to process the data and understand the results, and it is not feasible to use these models for simple pre-screening activities. Planners, evaluators and technical operators need reliable, usable and simple tools in order to carry out screening analyses for impact assessment.

The ENVIFATE software is currently under development by the Department of Civil, Environmental and Mechanical Engineering of the University of Trento, Italy, in the frame of a project funded by the Italian Veneto Region, with the aim of making screening analyses available to non-specialists to assess the risks of a set of possible environmental pollution sources in protected areas.

The development of ENVIFATE follows these basic requirements: i) Open-Source, ii) multiplatform, iii) user friendly, iv) GIS oriented. In order to respect these principles we have chosen to develop a plugin for QGIS, using Python as the development language and creating a module for each environmental compartment analyzed: rivers, lakes, atmospheric dispersion, dispersion in groundwater and noise.

The plugin architecture is composed of a series of core functions with command-line interfaces that can be called from third-party applications (such as GRASS GIS), connectable in custom data flows and with a high level of modularity and scalability.
The different models are based on highly tested and reliable algorithms adopted by the Italian Institute for Protection and Environmental Research (Istituto Superiore per la Protezione e la Ricerca Ambientale – ISPRA). Due to their simplicity, and for safety reasons, the structure of these models is constrained to provide conservative results, so as to overestimate actual risk. This approach makes it possible to provide statistically validated instruments to be used in different environmental contexts. All modules of the plugin provide numerical and cartographic results: in particular, the command-line interface provides "static" results, i.e. results linked to a particular spatial and temporal state, while the QGIS plugins iterate the single analysis over space and time in order to provide georeferenced maps and time-distributed results.


In this paper, some potentially unwanted program (PUP) samples are analyzed, detected and blocked using YARA rules. Nowadays the user may notice unwanted software such as a PUP or a potentially unwanted application (PUA). Security and parental control products use subjective tagging criteria for such software. Such software is implemented to compromise privacy or weaken the computer's security. Third-party software often bundles a wanted program for download with a wrapper application that may offer to install an unwanted application. In this paper, some PUP samples are analyzed using reverse engineering techniques and YARA rules that promptly resist unwanted applications or programs.


2020, Vol 4 (2), pp. 147-156
Author(s): Zahraa Saleh, Qahhar Qadir

Mobile traffic volumes have grown exponentially because of the increase in services and applications. Traditional networks are complex to manage because the forwarding, control, and management planes are all bundled together and, thus, administrators are expected to deploy high-level policies while each vendor has its own configuration methods. Software-Defined Networking (SDN) is considered the future paradigm of communication networks. It decouples control logic from its underlying hardware, thereby promoting logically centralized network control and making the network more programmable and easy to configure. Low-power wireless technologies are moving toward a multi-tenant and multi-application Internet of Things (IoT), which requires an architecture with scalable, reliable, and configurable solutions. However, employing an SDN-based centralized architecture in the environment of a low-power wireless IoT network introduces significant challenges, such as difficult-to-control traffic, unreliable links, network contention, and high associated overheads that can significantly affect the performance of the network. This paper is a contribution toward a performance evaluation of the use of SDN in wireless networking by evaluating the latency, packet drop ratio (PDR), data extraction rate (DER), and overheads. The results show that SDN adds a high percentage of overhead to the network, which is about 43% of the 57% user packets, and that the DER drops when the number of mesh nodes is increased, in addition to the high loss observed for packets that traveled over more hops.


2011, Vol 12 (1-2), pp. 127-156
Author(s): Joachim Schimpf, Kish Shen

Abstract: ECLiPSe is a Prolog-based programming system, aimed at the development and deployment of constraint programming applications. It is also used for teaching most aspects of combinatorial problem solving, for example, problem modelling, constraint programming, mathematical programming and search techniques. It uses an extended Prolog as its high-level modelling and control language, complemented by several constraint solver libraries, interfaces to third-party solvers, an integrated development environment and interfaces for embedding into host environments. This paper discusses language extensions, implementation aspects, components, and tools that we consider relevant on the way from Logic Programming to Constraint Logic Programming.
