On the Difficulty of FSM-based Hardware Obfuscation

In today’s Integrated Circuit (IC) production chains, a designer’s valuable Intellectual Property (IP) is transparent to diverse stakeholders and thus inevitably prone to piracy. To protect against this threat, numerous defenses based on the obfuscation of a circuit’s control path, i.e. Finite State Machine (FSM), have been proposed and are commonly believed to be secure. However, the security of these sequential obfuscation schemes is doubtful since realistic capabilities of reverse engineering and subsequent manipulation are commonly neglected in the security analysis. The contribution of our work is threefold: First, we demonstrate how high-level control path information can be automatically extracted from third-party, gate-level netlists. To this end, we extend state-of-the-art reverse engineering algorithms to deal with Field Programmable Gate Array (FPGA) gate-level netlists equipped with FSM obfuscation. Second, on the basis of realistic reverse engineering capabilities we carefully review the security of state-of-the-art FSM obfuscation schemes. We reveal several generic strategies that bypass allegedly secure FSM obfuscation schemes and we practically demonstrate our attacks for a several of hardware designs, including cryptographic IP cores. Third, we present the design and implementation of Hardware Nanomites, a novel obfuscation scheme based on partial dynamic reconfiguration that generically mitigates existing algorithmic reverse engineering.

Download Full-text

Gate-Level Netlist Reverse Engineering Tool Set for Functionality Recovery and Malicious Logic Detection

ISTFA 2016: Conference Proceedings from the 42nd International Symposium for Testing and Failure Analysis ◽

10.31399/asm.cp.istfa2016p0342 ◽

2016 ◽

Author(s):

Travis Meade ◽

Shaojie Zhang ◽

Yier Jin ◽

Zheng Zhao ◽

David Pan

Keyword(s):

Reverse Engineering ◽

Third Party ◽

Control Logic ◽

Hardware Trojans ◽

State Register ◽

Ip Cores ◽

Commercial Off The Shelf ◽

Tool Set ◽

High Level ◽

Wide Usage

Abstract Reliance on third-party resources, including thirdparty IP cores and fabrication foundries, as well as wide usage of commercial-off-the-shelf (COTS) components has raised concerns that backdoors and/or hardware Trojans may be inserted into fabricated chips. Defending against hardware backdoors and/or Trojans has primarily focused on detection at various stages in the supply chain. Netlist reverse engineering tools have been investigated as an alternative to existing chip-level reverse engineering methods which can help recover functional netlists from fabricated chips, but fall short of detecting malicious logic or recovering high-level functionality. In this work, we develop a netlist reverse engineering tool-set which recovers high-level functionality from the netlist, thereby aiding malicious logic detection. The tool-set performs state register identification, control logic recovery and datapath tracking, which facilitates validation of encrypted/obfuscated hardware IP cores. Relying on 3-SAT algorithms and topology-based computational methods, we demonstrate that the developed tool-set can handle netlists of various complexities.

Download Full-text

Automatic Tool for Fast Generation of Custom Convolutional Neural Networks Accelerators for FPGA

Electronics ◽

10.3390/electronics8060641 ◽

2019 ◽

Vol 8 (6) ◽

pp. 641 ◽

Cited By ~ 7

Author(s):

Miguel Rivera-Acosta ◽

Susana Ortega-Cisneros ◽

Jorge Rivera

Keyword(s):

Neural Networks ◽

Convolutional Neural Networks ◽

State Of The Art ◽

Third Party ◽

Hardware Accelerators ◽

Field Programmable ◽

Custom Hardware ◽

Architecture Description ◽

Automatic Tool

This paper presents a platform that automatically generates custom hardware accelerators for convolutional neural networks (CNNs) implemented in field-programmable gate array (FPGA) devices. It includes a user interface for configuring and managing these accelerators. The herein-presented platform can perform all the processes necessary to design and test CNN accelerators from the CNN architecture description at both layer and internal parameter levels, training the desired architecture with any dataset and generating the configuration files required by the platform. With these files, it can synthesize the register-transfer level (RTL) and program the customized CNN accelerator into the FPGA device for testing, making it possible to generate custom CNN accelerators quickly and easily. All processes save the CNN architecture description are fully automatized and carried out by the platform, which manages third-party software to train the CNN and synthesize and program the generated RTL. The platform has been tested with the implementation of some of the CNN architectures found in the state-of-the-art for freely available datasets such as MNIST, CIFAR-10, and STL-10.

Download Full-text

A High-Throughput Architecture for the SHA-256/224 Compliant With the DSRC Standard

International Journal of Embedded and Real-Time Communication Systems ◽

10.4018/ijertcs.2019010106 ◽

2019 ◽

Vol 10 (1) ◽

pp. 98-118

Author(s):

Imed Saad Ben Dhaou ◽

Hannu Tenhunen

Keyword(s):

High Throughput ◽

Short Range ◽

State Of The Art ◽

High Level Synthesis ◽

Data Flow Graph ◽

Transformation Techniques ◽

Safety Message ◽

Dedicated Short Range Communication ◽

Field Programmable ◽

High Level

This article presents a word serial retimed architecture for the SHA-256/224 algorithm. The architecture is compliant with the dedicated-short range communication for safety message authentications. We elaborate three-operand adder architectures suitable for field programmable gate array implementation. Several transformation techniques at the data-flow-graph level have been used to derive the architecture. Synthesis results show that the architecture has high throughput/ slice value compared with state-of-the-art SHA-256 implementations. The article also promulgates a comparison between high-level synthesis and RTL design.

Download Full-text

A Low Cost MST-FSM Obfuscation Method for Hardware IP Protection

Journal of Circuits System and Computers ◽

10.1142/s0218126620502084 ◽

2020 ◽

Vol 29 (13) ◽

pp. 2050208

Author(s):

Yuejun Zhang ◽

Zhao Pan ◽

Pengjun Wang ◽

Xiaowei Zhang

Keyword(s):

Integrated Circuit ◽

Spanning Tree ◽

Minimum Spanning Tree ◽

Hamming Distance ◽

Low Cost ◽

The Arts ◽

Finite State ◽

Ip Cores ◽

Building Program ◽

The Cost

Effective resistance to intellectual property (IP) piracy, overproduction and reverse engineering are becoming more and more necessary in the integrated circuit (IC) supply chain. To protect the hardware, the obfuscation methodology hides the original function by adding a large number of redundant states. However, existing hardware obfuscation approaches have hardware overhead and efficiency of obfuscation limitations. This paper proposed a novel methodology for IP security using the minimum spanning tree finite state machine (MST-FSM) obfuscation. In the minimum spanning tree (MST) algorithm, the Hamming distance defines the cost of obfuscated states. The Kruskal algorithm optimizes the connection relationship of obfuscated states by computing the Hamming distance of the MST-FSM. The proposed MST-FSM is automatically generated and embedded in the hardware IP with the self-building program. Finally, the MST-FSM is applied on the itc99 benchmark circuits and encryption standard IP cores. Compared with other state-of-the-arts, the obfuscation potency is improved by 3.57%, and the average hardware cost is decreased by about 6.01%.

Download Full-text

Powered Ankle-Foot Prostheses: A Survey on Sensing Systems and Control Strategies

Volume 5A: 43rd Mechanisms and Robotics Conference ◽

10.1115/detc2019-97511 ◽

2019 ◽

Author(s):

Erik Chumacero-Polanco ◽

James Yang

Keyword(s):

Control Strategies ◽

Level Control ◽

Low Level ◽

Kinetic Information ◽

Sensing Systems ◽

Systems And Control ◽

Finite State ◽

High Level ◽

And Control

Abstract People who have suffered a transtibial amputation show diminished ambulation and impaired quality of life. Powered ankle foot prostheses (AFP) are used to recover some mobility of transtibial amputees (TTAs). Powered AFP is an emerging technology that has great potential to improve the quality of life of TTAs with important avenues for research and development in different fields. This paper presents a survey on sensing systems and control strategies applied to powered AFPs. Sensing kinematic and kinetic information in powered AFPs is critical for control. Ankle angle position is commonly obtained via potentiometers and encoders directly installed on the joint, velocities can be estimated using numerical differentiators, and accelerations are normally obtained via inertial measurement units (IMUs). On the other hand, kinetic information is usually obtained via strain gauges and torque sensors. On the other hand, control strategies are classified as high- and low-level control. The high-level control sets the torque or position references based on pattern generators, user’s intent of motion recognition, or finite-state machine. The low-level control usually consists of linear controllers that drive the ankle’s joint position, velocity, or torque to follow an imposed reference signal. The most widely used control strategy is the one based on finite-state machines for the high-level control combined with a proportional-derivative torque control for low-level. Most designs have been experimentally assessed with acceptable results in terms of walking speed. However, some drawbacks related to powered AFP’s weight and autonomy remain to be overcome. Future research should be focused on reducing powered AFP size and weight, increasing energy efficiency, and improving both the high- and the low-level controllers in terms of efficiency and performance.

Download Full-text

Hardware Trojans in Chips: A Survey for Detection and Prevention

Sensors ◽

10.3390/s20185165 ◽

2020 ◽

Vol 20 (18) ◽

pp. 5165

Author(s):

Chen Dong ◽

Yi Xu ◽

Ximeng Liu ◽

Fan Zhang ◽

Guorong He ◽

...

Keyword(s):

Integrated Circuits ◽

State Of The Art ◽

Academic Community ◽

The State ◽

Third Party ◽

Hardware Trojans ◽

Advantages And Disadvantages ◽

Wide Range ◽

Ip Cores ◽

Comprehensive Classification

Diverse and wide-range applications of integrated circuits (ICs) and the development of Cyber Physical System (CPS), more and more third-party manufacturers are involved in the manufacturing of ICs. Unfortunately, like software, hardware can also be subjected to malicious attacks. Untrusted outsourced manufacturing tools and intellectual property (IP) cores may bring enormous risks from highly integrated. Attributed to this manufacturing model, the malicious circuits (known as Hardware Trojans, HTs) can be implanted during the most designing and manufacturing stages of the ICs, causing a change of functionality, leakage of information, even a denial of services (DoS), and so on. In this paper, a survey of HTs is presented, which shows the threatens of chips, and the state-of-the-art preventing and detecting techniques. Starting from the introduction of HT structures, the recent researches in the academic community about HTs is compiled and comprehensive classification of HTs is proposed. The state-of-the-art HT protection techniques with their advantages and disadvantages are further analyzed. Finally, the development trends in hardware security are highlighted.

Download Full-text

Implementation of robotic ankle–foot orthosis with an impedance-based assist-as-needed control strategy

Journal of Mechanisms and Robotics ◽

10.1115/1.4053218 ◽

2021 ◽

pp. 1-40

Author(s):

Bing Chen ◽

Bin Zi ◽

Bin Zhou ◽

Zhengyu Wang

Keyword(s):

Level Control ◽

Ankle Foot Orthosis ◽

Low Level ◽

Ankle Impedance ◽

Torque Generation ◽

Ankle Rehabilitation ◽

Finite State ◽

Proportional Derivative Controller ◽

High Level ◽

Foot Orthosis

Abstract In this paper, a robotic ankle–foot orthosis (AFO) is developed for individuals with a paretic ankle, and an impedance-based assist-as-needed controller is designed for the robotic AFO to provide adaptive assistance. First, a description of the robotic AFO hardware design is presented. Next, the design of the finite state machine is introduced, followed by an introduction to the modelling of the robotic AFO. Additionally, the control of the robotic AFO is presented. An impedance-based high-level controller that is composed of an ankle impedance based torque generation controller and an impedance controller is designed for the high-level control. A compensated low-level controller that is composed of a braking controller and a proportional-derivative controller with a compensation part is designed for the low-level control. Finally, a pilot study is conducted, and the experimental results demonstrate that with the proposed control algorithm, the robotic AFO has the potential for ankle rehabilitation by providing adaptive assistance. In the assisted condition with a high level of assistance, reductions of 8% and 20.1% of the root mean square of the tibialis anterior and lateral soleus activities are observed, respectively.

Download Full-text

New First-Order Secure AES Performance Records

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2021.i2.304-327 ◽

2021 ◽

pp. 304-327

Author(s):

Aein Rezaei Shahmirzadi ◽

Dušan Božilov ◽

Amir Moradi

Keyword(s):

Integrated Circuit ◽

State Of The Art ◽

Large Set ◽

First Order ◽

Low Area ◽

Wide Range ◽

Field Programmable ◽

Programmable Gate Arrays ◽

Application Specific Integrated Circuit ◽

The Cost

Being based on a sound theoretical basis, masking schemes are commonly applied to protect cryptographic implementations against Side-Channel Analysis (SCA) attacks. Constructing SCA-protected AES, as the most widely deployed block cipher, has been naturally the focus of several research projects, with a direct application in industry. The majority of SCA-secure AES implementations introduced to the community opted for low area and latency overheads considering Application-Specific Integrated Circuit (ASIC) platforms. Albeit a few, those which particularly targeted Field Programmable Gate Arrays (FPGAs) as the implementation platform yield either a low throughput or a not-highly secure design.In this work, we fill this gap by introducing first-order glitch-extended probing secure masked AES implementations highly optimized for FPGAs, which support both encryption and decryption. Compared to the state of the art, our designs efficiently map the critical non-linear parts of the masked S-box into the built-in Block RAMs (BRAMs).The most performant variant of our constructions accomplishes five first-order secure AES encryptions/decryptions simultaneously in 50 clock cycles. Compared to the equivalent state-of-the-art designs, this leads to at least 70% reduction in utilization of FPGA resources (slices) at the cost of occupying BRAMs. Last but not least, we provide a wide range of such secure and efficient implementations supporting a large set of applications, ranging from low-area to high-throughput.

Download Full-text

Implementation of Audio Effect Generator in FPGA

Nepal Journal of Science and Technology ◽

10.3126/njst.v15i1.12022 ◽

2015 ◽

Vol 15 (1) ◽

pp. 89-98

Author(s):

Sujit Rokka Chhetri ◽

Bikash Poudel ◽

Sandesh Ghimire ◽

Shaswot Shresthamali ◽

Dinesh Kumar Sharma

Keyword(s):

Integrated Circuit ◽

High Speed ◽

Mathematical Formulation ◽

Digital Signal ◽

Ip Core ◽

Field Programmable ◽

Ip Cores ◽

Shift Effect ◽

Effect Generator ◽

Pitch Shift

This paper describes the theory and implementation of audio effects such as echo, distortion and pitch-shift in Field Programmable Gate Array (FPGA). At first the mathematical formulation for generation of such effects is explained and then the algorithm is described for its implementation in FPGA using Very high speed integrated circuit hardware descriptive language (VHDL). The digital system being designed, which is synthesizable and reconfigurable, offers a great flexibility and scalability in designing and prototyping in FPGAs. The system is divided into three HDL blocks, each for echo, distortion, and pitch-shift effect generation, which are multiplexed in order to share the common ADC and DAC. The audio effect generator designed in this paper was successfully implemented in Spartan-3E FPGA utilizing the resources available effectively. There has been tremendous research being carried out in the field of IP core. Efficient IP cores designed to carry out digital signal processing are implemented in every modern device using configurable logics. This trend hasn’t yet been realized in Nepal. Through the design and implementation of audio effect generator, this paper also aims at bringing the field of IP core development to limelight among scholars of Nepal.DOI: http://dx.doi.org/10.3126/njst.v15i1.12022 Nepal Journal of Science and TechnologyVol. 15, No.1 (2014) 89-98

Download Full-text

Doppelganger Obfuscation — Exploring theDefensive and Offensive Aspects of Hardware Camouflaging

IACR Transactions on Cryptographic Hardware and Embedded Systems ◽

10.46586/tches.v2021.i1.82-108 ◽

2020 ◽

pp. 82-108

Author(s):

Max Hoffmann ◽

Christof Paar

Keyword(s):

Reverse Engineering ◽

Low Level ◽

Reverse Engineer ◽

Finite State ◽

Key Leakage ◽

The One ◽

High Level ◽

Generic Design ◽

Control Modules ◽

First Time

Hardware obfuscation is widely used in practice to counteract reverse engineering. In recent years, low-level obfuscation via camouflaged gates has been increasingly discussed in the scientific community and industry. In contrast to classical high-level obfuscation, such gates result in recovery of an erroneous netlist. This technology has so far been regarded as a purely defensive tool. We show that low-level obfuscation is in fact a double-edged sword that can also enable stealthy malicious functionalities.In this work, we present Doppelganger, the first generic design-level obfuscation technique that is based on low-level camouflaging. Doppelganger obstructs central control modules of digital designs, e.g., Finite State Machines (FSMs) or bus controllers, resulting in two different design functionalities: an apparent one that is recovered during reverse engineering and the actual one that is executed during operation. Notably, both functionalities are under the designer’s control.In two case studies, we apply Doppelganger to a universal cryptographic coprocessor. First, we show the defensive capabilities by presenting the reverse engineer with a different mode of operation than the one that is actually executed. Then, for the first time, we demonstrate the considerable threat potential of low-level obfuscation. We show how an invisible, remotely exploitable key-leakage Trojan can be injected into the same cryptographic coprocessor just through obfuscation. In both applications of Doppelganger, the resulting design size is indistinguishable from that of an unobfuscated design, depending on the choice of encodings.

Download Full-text