You can find the latest publication updates on the Google Scholar profile.

2 Books
1 Book Chapters
4 Pending/Issued Patents
14 Journals
42 Conferences
3 Abstract/Non Refereed


Books [2 Books]

[B2]

Hardware Security: A Look into the Future

Mark Tehranipoor, Kimia Azar, Hadi Kamali, Navid Asadizanjani, Fahim Rahman, Farimah Farahmandi

Springer Nature.

2024

[B1]

Understanding Logic Locking

Kimia Azar, Hadi Kamali, Farimah Farahmandi, Mark Tehranipoor

Springer Nature.

2023


Book Chapters [1 Book Chapters]

[BC1]

Sequential and Combinational Satisfiability Attacks

Kimia Azar, Hadi Kamali, Avesta Sasan

Encyclopedia of Cryptography, Security and Privacy, Springer Nature.

2023


Patents [4 Patents]

[P4]

Adaptive and Design-agnostic Active Watermarking for Authentication of Hardware Intellectual Property Core Ownership

Farimah Farahmandi, Hadi Kamali, Mark Tehranipoor, Zahin Ibnat, Mohammad Sazadur Rahman, Mridha Md Mashahedur Rahman

US Patent, TBD.

TBD

[P3]

Building And Redaction Of Universal Function Models For Hardware Protection

Mark Tehranipoor, Mohammad Sazadur Rahman, Hadi Kamali, Fahim Rahman, Kimia Azar, Farimah Farahmandi, Rui Guo

2025

[P2]

Clock Gating System and Method For Protecting Hardware Design

Mark Tehranipoor, Farimah Farahmandi, Hadi Kamali, Fahim Rahman, Mohammad Sazadur Rahman, Rui Guo

2024

[P1]

Runtime Security Monitoring of Hardware Designs

Mark Tehranipoor, Hadi Kamali, Farimah Farahmandi, Kimia Azar, Tao Zhang

2024


Journal Papers [14 Papers]

[J14]

Advancing Trustworthiness in System-in-Package: A Novel Root-of-Trust Hardware Security Module for Heterogeneous Integration

Md Sami Ul Islam Sami, Tao Zhang, Amit Mazumder Shuvo, Md Saad Ul Haque, Paul E. Calzada, Kimia Azar, Hadi Kamali, Fahim Rahman, Farimah Farahmandi, Mark Tehranipoor

IEEE Access.

2024

[J13]

Improving Bounded Model Checkers Scalability for Circuit De-obfuscation: An Exploration

Kimia Azar, Hadi Kamali, Farimah Farahmandi, Mark Tehranipoor

IEEE Transactions on Information Forensics and Security (IEEE TIFS).

2024

[J12]

Exploring the Abyss? Unveiling Systems-on-Chip Hardware Vulnerabilities beneath Software

Sree Ranjani Rajendran, Nusrat Farzana, Shams Tarek, Hadi Kamali, Mark Tehranipoor, Farimah Farahmandi

IEEE Transactions on Information Forensics and Security (IEEE TIFS).

2024

[J11]

SiPGuard: Run-time System-in-Package Security Monitoring via Power Noise Variation

Tao Zhang, Latifur Rahman, Hadi Kamali, Kimia Azar, Farimah Farahmandi, Mark Tehranipoor

IEEE Transactions on Very Large Scale Integration (VLSI) Systems (IEEE TVLSI).

2023

[J10]

ReTrustFSM: Towards RTL Hardware Obfuscation – A Hybrid FSM Approach

Mohammad Sazadur Rahman, Rui Guo, Hadi Kamali, Fahim Rahman, Farimah Farahmandi, Mark Tehranipoor

IEEE Access

2023

[J9]

Enabling Security Of Heterogeneous Integration: From Supply Chain To In-Field Operations

Md Sami Ul Islam Sami, Hadi Kamali, Farimah Farahmandi, Fahim Rahman, Mark Tehranipoor

IEEE Design and Test (IEEE D&T)

2023

[J8]

HLock+: A Robust and Low-Overhead Logic Locking at the High-Level Language

Md Rafid Muttaki, Roshanak Mohammadivojdan, Hadi Kamali, Mark Tehranipoor, Farimah Farahmandi

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (IEEE TCAD)

2023

[J7]

From cryptography to logic locking: A survey on the architecture evolution of secure scan chains

Kimia Azar, Hadi Kamali, Houman Homayoun, Avesta Sasan

IEEE Access

2021

[J6]

Deep graph learning for circuit deobfuscation

Zhiqian Chen, Lei Zhang, Gaurav Kolhe, Hadi Kamali, Setareh Rafatirad, Sai Manoj Pudukotai Dinakarrao, Houman Homayoun, Chang-Tien Lu, and Liang Zhao

Frontiers in Big Data (Frontier)

2021

[J5]

Data Flow Obfuscation: A New Paradigm for Obfuscating Circuits

Kimia Azar, Hadi Kamali, Shervin Roshanisefat, Houman Homayoun, Christos P. Sotiriou, Avesta Sasan

IEEE Transactions on Very Large Scale Integration (VLSI) Systems (IEEE TVLSI)

2021

[J4]

SAT-hard Cyclic Logic Obfuscation for Protecting the IP in the Manufacturing Supply Chain

Shervin Roshanisefat, Hadi Kamali, Houman Homayoun, Avesta Sasan

IEEE Transactions on Very Large Scale Integration (VLSI) Systems (IEEE TVLSI)

2020

[J3]

SMT Attack: Next Generation Attack on Obfuscated Circuits with Capabilities and Performance Beyond The SAT Attacks

Kimia Azar, Hadi Kamali, Houman Homayoun, Avesta Sasan

IACR Transactions on Cryptographic Hardware and Embedded Systems (IACR TCHES)

2019

[J2]

DuCNoC: A High-Throughput FPGA-Based NoC Simulator Using Dual-Clock Lightweight Router Micro-Architecture

Hadi Kamali, Kimia Azar, Shaahin Hessabi

IEEE Transactions on Computers (IEEE TC)

2017

[J1]

A Fault Tolerant Parallelism Approach for Implementing High-throughput Pipelined Advanced Encryption Standard

Hadi Kamali, Shaahin Hessabi

Journal of Circuits, Systems and Computers (JCSC)

2016


Conference Papers [42 Papers]

[C43]

LLM-GIFT: Large Language Models with Graphs Embedding for Hardware Information Flow Tracking

Nowfel Mashnoor, Mohammad Akyash, Hadi Kamali, Kimia Azar

IEEE VLSI Test Symposium (VTS)

2025

[C42]

SimEval: Investigating the Similarity Obstacle in LLM-based Hardware Code Generation

Mohammad Akyash, Hadi Kamali

Asia and South Pacific Design Automation Conference (ASP-DAC)

2025

[C41]

NoXLock: SiP Activation and Licensing through Obfuscated on-Chip Network and Fuzzy Traffic

Md Saad Ul Haque, Azim Uddin, Jingbo Zhou, Hadi Kamali, Farimah Farahmandi, Mark Tehranipoor

Asia and South Pacific Design Automation Conference (ASP-DAC)

2025

[C40]

Self-HWDebug: Automation of Self-Instructing for LLM in Hardware Security

Mohammad Akyash, Hadi Kamali

IEEE Computer Society Annual Symposium on VLSI (ISVLSI)

Abstract

The rise of instruction-tuned Large Language Models (LLMs) marks a significant advancement in artificial intelligence (AI) (tailored to respond to specific prompts). Despite their popularity, applying such models to debug security vulnerabilities in hardware designs, i.e., register transfer language (RTL) modules, particularly at system-on-chip (SoC) level, presents considerable challenges. One of the main issues lies in the need for precisely designed instructions for pinpointing and mitigating the vulnerabilities, which requires substantial time and expertise from human experts. In response to this challenge, this paper proposes Self-HWDebug, an innovative framework that leverages LLMs to automatically create required debugging instructions. In Self-HWDebug, a set of already identified bugs from the most critical hardware common weakness enumeration (CWE) listings, along with mitigation resolutions, is provided to the framework, followed by prompting the LLMs to generate targeted instructions for such mitigation. The LLM-generated instructions are subsequently used as references to address vulnerabilities within the same CWE category but in totally different designs, effectively demonstrating the framework’s ability to extend solutions across related security issues. Self-HWDebug significantly reduces human intervention by using the model’s own output to guide debugging. Through comprehensive testing, Self-HWDebug proves not only to reduce experts’ effort/time but also to even improve the quality of the debugging process.

2024

[C39]

Evolutionary Large Language Models for Hardware Security: A Comparative Survey

Mohammad Akyash, Hadi Kamali

ACM Great Lakes Symposium on VLSI (GLSVLSI)

Abstract

Automating hardware (HW) security vulnerability detection and mitigation during the design phase is imperative for two reasons: (i) It must be before chip fabrication, as post-fabrication fixes can be costly or even impractical; (ii) The size and complexity of modern HW raise concerns about unknown vulnerabilities compromising CIA triad. While Large Language Models (LLMs) can revolutionize both HW design and testing processes, within the semiconductor context, LLMs can be harnessed to automatically rectify security-relevant vulnerabilities inherent in HW designs. This study explores the seeds of LLM integration in register transfer level (RTL) designs, focusing on their capacity for autonomously resolving security-related vulnerabilities. The analysis involves comparing methodologies, assessing scalability, interpretability, and identifying future research directions. Potential areas for exploration include developing specialized LLM architectures for HW security tasks and enhancing model performance with domain-specific knowledge, leading to reliable automated security measurement and risk mitigation associated with HW vulnerabilities.

2024

[C38]

GATE-SiP: Enabling Authenticated Encryption Testing in Systems-in-Package

Galib I Heidar, Kimia Azar, Hadi Kamali, Mark Tehranipoor, Farimah Farahmandi

Design Automation Conference (DAC)

Abstract

A heterogeneous integrated system in package (SIP) system integrates chiplets outsourced from different vendors into the same substrate for better performance. However, during post-integration testing, the sensitive testing data designated for a specific chiplet can be blocked, tampered or sniffed by other malicious chiplets. This paper proposes GATE-SiP which is an authenticated partial encryption protocol to enable secure testing. Within GATE-SiP, the sensitive testing pattern will only be sent to the authenticated chiplet. In addition, partial encryption of the sensitive data prevents data sniff threats without causing significant penalties on timing overhead. Extensive simulation results show the GATE-SiP protocol only brings 6.74% and 14.31% on area and timing overhead, respectively.

2024

[C37]

PQC-HI: PQC-enabled Chiplet authentication and Key Exchange in Heterogeneous Integration

Md Saad Ul Haque, Kimia Azar, Hadi Kamali, Farimah Farahmandi, Mark Tehranipoor

IEEE Electronic Components and Technology Conference (IEEE ECTC)

Abstract

Integrating heterogeneous components in multi-chiplet packaging, known as system-in-package (SiP), is a significant step forward in overcoming limitations by Moore’s Law and Dennard scaling. This innovative approach offers enhanced efficiency, cost-effectiveness, and accelerated time-to-market. However, with its globalized supply chain, SiP technology introduces security vulnerabilities distinct from those in system-on-chip (SoC) designs. These risks include potential data leaks, the insertion of malicious circuits within the active interposer, and the possibility of extracting security assets through probing attacks. Current defenses used for traditional SoCs are not adequately designed for this multi-chiplet integration. Moreover, these solutions are vulnerable to quantum attacks due to their reliance on classical methods. In this paper, we introduce PQC-HI, a novel post-quantum-enabled chiplet authentication and key encapsulation framework to safeguard SiP security assets against the supply chain and in-field vulnerabilities. PQC-HI relies on two critical components that need to be integrated into the SiP architecture: the chiplet hardware security module (CHSM) and chiplet security intellectual property (CSIP). Our approach is based on NIST standards CRYSTALS-Kyber and CRYSTALS-Dilithium, providing a protocol resilient to quantum attacks and ensuring secure SiP communication. We implemented this protocol on an FPGA platform and demonstrated the efficiency and area overhead.

2024

[C36]

From Full-Custom to Gate-Array ASIC for Hardware IP Protection

Hadi Kamali

IEEE Dallas Circuits and Systems Conference (IEEE DCAS)

Abstract

The employment of fully reconfigurable logic and routing modules represents a promising and potentially resilient approach to combating intellectual property (IP) piracy and the overproduction of integrated circuits (IC). Over time, the utilization of such reconfigurable logic has evolved within the realm of hardware security, encompassing a spectrum of protective measures and security monitoring solutions. This evolution underscores a technological transition within this domain, shifting from full-custom ASICs to gate-array ASICs to enhance robustness. This paper delineates the progression within this field, tracing advancements from rudimentary look-up-table based methods to sophisticated partial reconfigurable ASICs featuring embedded FPGAs (eFPGAs). The investigation critically evaluates the merits and limitations of each technique, and advocates for a strategic trajectory that optimizes efficiency and upholds the promised robustness.

2024

[C35]

GEM-Water: Generation of EM-based Watermark for SoC IP Validation with Hidden FSMs

Pantha Sarker, Upoma Das, Mohammed Monjil, Hadi Kamali, Farimah Farahmandi, Mark Tehranipoor

International Symposium for Testing and Failure Analysis (ISTFA)

Abstract

Intellectual property (IP) core reuse is a common practice for accelerating new product development in modern system-on-chip (SoC) architectures. However, reusing and sharing IP cores in today’s competitive market poses significant security risks. IP watermarking is a potential solution for detecting unauthorized IP duplication and overuse. In this paper, we propose GEM-Water, a robust IP watermark verification scheme that uses electromagnetic (EM) radiation of an IP in an SoC for watermark extraction during boot-up. This is accomplished by applying an n-bit challenge to the IP that triggers some certain state transition in a Finite State Machine (FSM) during boot-up. The FSM output is then mapped into an EM signature which can be extracted and processed to generate expected responses to prove IP ownership. GEM-Water has been implemented in a wide variety of benchmarks using several AMD Xilinx 7 series FPGAs, and the experimental results validate the robustness and viability of the suggested approach with >95% accuracy.

2023

[C34]

SHI-Lock: Enabling Co-Obfuscation for Secure Heterogeneous Integration against RE and Cloning

Md Saad Ul Haque, Rui Guo, Mohammad Sazadur Rahman, Hadi Kamali, Farimah Farahmandi, Mark Tehranipoor

IEEE Conference on Physical Assurance and inspection of Electronics (PAINE)

Abstract

With the limitations of Moore’s Law and Dennard scaling in integrated circuits (ICs) on the horizon, the concept of heterogeneous integration (HI) has gained significant traction as a favored method for creating System-in-Packages (SiP) through the utilization of chiplets. However, this shift brings forth a fresh set of security concerns, wherein the SiPs or their chiplets are vulnerable to a vector of threats, including reverse engineering and unauthorized overproduction. In this paper, we introduce SHI-Lock, as a first-of-its-kind hardware co-obfuscation countermeasure for System-in-Package. In SHI-Lock, by relying on a chiplet-hardware-security-module (CHSM), a co-obfuscation mechanism has been shared (interaction-based) between the chiplet designer(s) and the SiP integrator, allowing them to extend the protection in both intra-chiplet and inter-chiplet domains. SHI-Lock consists of a {obfuscation + key provisioning} protocol that enables forward trusts for chiplet designers to extend the chiplet-level obfuscation techniques to be used in multiple SiP designs. The co-obfuscation relies on a finite-state-machine (FSM) obfuscation and acts as a license activation protocol in HI. We evaluate the robustness of SHI-Lock using various metrics and threats including functional and structural attacks and perform overhead analysis of design-under-obfuscation, verifying that SHI-Lock can effectively be integrated into chiplets to create obfuscation at both Chiplet-level and system-level to protect SiPs from piracy and overproduction.

2023

[C33]

PALLET: Protecting Analog Devices using a Last-Level Edit Technique

Md Rafid Muttaki, Hadi Kamali, Mark Tehranipoor, Farimah Farahmandi

IEEE Conference on Physical Assurance and inspection of Electronics (PAINE)

Abstract

For the past decade, hardware obfuscation has been a popular approach for protecting integrated circuits (ICs) against supply chain threats such as intellectual property (IP) piracy and overproduction. Despite this, the design of these techniques was originally for the digital domain and is not appropriate for analog circuits due to their intrinsic features, such as their small size. In this paper, we propose PALLET, a last-level edit (LLE) relying on a unique keyless obfuscation technique for pure analog and mixed-signal circuits to protect the design against untrusted foundries. In PALLET, design functionality is obfuscated by adding misleading (false) elements to the circuit layout based on design specifications and area overhead constraints. In PALLET, after fabrication of the LLEed (obfuscated) IC, the design house with a trusted focused-ion beam (FIB) facility performs the circuits edit at the top metal layers to de-obfuscate (remove LLE from) the IC with minimal effort. We also focus on a mathematical representation to show adversarial computation complexity based on the LLE framework. Finally, to validate the efficacy of LLE, we perform a security assessment against prominent attacks and compare post-layout performance parameters for a bandgap reference (BGR) design to demonstrate compliance with design specifications.

2023

[C32]

Iterative Mitigation of Insecure Resource Sharing Produced by High-level Synthesis

Zahin Ibnat, Hadi Kamali, Farimah Farahmandi

Int’l Symp. on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT)

Abstract

High-level synthesis (HLS) has revolutionized hardware design by allowing engineers to code their designs in higher abstraction levels like C/C++. To generate register-transfer level (RTL) design, HLS optimizes hardware designs for improving overheads (e.g., area, power, throughput). However, the optimizations are not done with security in mind. Therefore, HLS can introduce new vulnerabilities (e.g., information leakage and access control violations) to the design through optimizing. One such security violation is vulnerable resource sharing where in attempting to minimize the area of the hardware design, HLS uses the same resources between assets without taking into account the secure and non-secure computing. The secure asset’s operations are then not done in a secure manner, allowing for the possibility of an attacker controlling such resources to gain valuable insight into the asset’s information. Mitigating such a vulnerability would require the integration of identification algorithms to separate the secure and non-secure operations. In this paper, we introduce a toolflow to mitigate vulnerable resource sharing by utilizing intermediate representations (IR) files to identify the shared resource(s) and conducting an intellectual property (IP) separation at the high-level language (HLL) to have a separate resource handling the security operations.

2023

[C31]

Security of Hardware Generators: Enabling Assurance in High-Level Synthesis

Md Rafid Muttaki, Zahin Ibnat, Shang Shi, Hadi Kamali, Farimah Farahmandi

IEEE International Midwest Symposium on Circuits and Systems (MWSCAS)

Abstract

High-level synthesis (HLS) has revolutionized hardware design by allowing engineers to code their designs in higher abstraction levels like C/C++. To generate register-transfer level (RTL) design, HLS optimizes hardware designs for improving overheads (e.g., area, power, throughput). However, the optimizations are not done with security in mind. Therefore, HLS can introduce new vulnerabilities (e.g., information leakage and access control violations) to the design through optimizing. One such security violation is vulnerable resource sharing where in attempting to minimize the area of the hardware design, HLS uses the same resources between assets without taking into account the secure and non-secure computing. The secure asset’s operations are then not done in a secure manner, allowing for the possibility of an attacker controlling such resources to gain valuable insight into the asset’s information. Mitigating such a vulnerability would require the integration of identification algorithms to separate the secure and non-secure operations. In this paper, we introduce a toolflow to mitigate vulnerable resource sharing by utilizing intermediate representations (IR) files to identify the shared resource(s) and conducting an intellectual property (IP) separation at the high-level language (HLL) to have a separate resource handling the security operations.

2023

[C30]

ActiWate: Adaptive and Design-agnostic Active Watermarking for IP Ownership in Modern SoCs

Zahin Ibnat, M Sazadur Rahman, Mridha Mashahedur Rahman, Hadi Kamali, Mark Tehranipoor, Farimah Farahmandi

Design Automation Conference (DAC)

Abstract

Watermarking offers a viable solution to combat IP piracy and illegal re-use. However, watermarking verification techniques rely heavily on manual testing by verification engineers and ignore the possibility of having a rogue SoC design house. To automate the watermarking-based verification process and to be against wider attacks (e.g., rogue design house), this paper presents ActiWate, which conducts automatic self-verification by communicating with various peripherals within the SoC. Showing its resilience against removal and spoofing attacks, ActiWate is architectured to be an IP/SoC-agnostic watermarking and our experiments demonstrate its versatility by implementing it on multiple RISC-V SoCs with different components/peripherals.

2023

[C29]

Metrics-to-Methods: Decisive Reverse Engineering Metrics for Resilient Logic Locking

Mohammad Sazadur Rahman, Kimia Azar, Farimah Farahmandi, Hadi Kamali

ACM Great Lakes Symposium on VLSI (GLSVLSI)

Abstract

As logic locking becomes more sophisticated and new technologies emerge (e.g., laser probing for failure analysis), the statement “logic locking is dead” will become more common. While recent studies have investigated the possibility of defining a security metric(s) for logic locking, none are sufficient against all threat models and potential future threats. In this paper, we first examine the quantitative and qualitative metrics as a MUST for logic locking. Then, by establishing a bridge between metrics and the potential methods, we introduce a compound-style logic locking that can meet the criteria needed for logic locking based on the defined metrics.

2023

[C28]

FISHI: Fault Injection Detection in Secure Heterogeneous Integration via Power Noise Variation

Tao Zhang, Hadi Kamali, Kimia Azar, Mark Tehranipoor, Farimah Farahmandi

IEEE Electronic Components and Technology Conference (ECTC)

Abstract

As Moore’s law comes to a crawl, heterogeneous integration-based system-in-package emerges as a promising direction to maintain the speedy rate of performance density improvement of modern integrated circuits by integrating fabricated silicon dies into a unified package. However, hardware security threats such as fault injection attacks present formidable challenges to the protection of on-chip assets. Even worse than a conventional monolithic device, system-in-package (SiP) might introduce malicious chiplets to allow for internal and remote power fault injection attacks due to the obscurity of the semiconductor supply chain. In order to thwart fault injection attacks, we present FISHI which aims to include a root-of-trust chiplet in the SiP to enable run-time system-level power noise variation monitoring capabilities and near-sensor machine learning inference for attack-induced anomaly detection. Specifically, we design a time-to-digital converter to collect power profiles of targeted applications as a reference and create a hardware ML engine accordingly to measure the deviations between the run-time power fluctuations and the golden ones. We prototype our FISHI solution on one of the chiplets in a Xilinx 2.5D FPGA SiP and demonstrate its effectiveness by detecting power fault injection attempts on an AES implementation on the other chiplet.

2023

[C27]

HUnTer: Hardware Underneath Trigger for Exploiting SoC-level Vulnerabilities

Sree Ranjani Rajendran, Shams Tarek, Benjamin Myers Hicks, Hadi Kamali, Farimah Farahmandi, Mark Tehranipoor

Design, Automation and Test in Europe Conference (DATE)

Abstract

Systems-on-chip (SoCs) have become increasingly large and complex, resulting in new threats and vulnerabilities, mainly related to system-level flaws. However, the system-level verification process, whose violation may lead to exploiting a hardware vulnerability, is not studied comprehensively due to the lack of decisive (security) requirements and properties from the SoC designer’s perspective. To enable a more comprehensive verification for system-level properties, this paper presents HUnTer (Hardware Underneath Trigger), a framework for identifying sets (sequences) of instructions at the processor unit (PU) that unveils the underneath hardware vulnerabilities. The HUnTer framework automates (i) threat modeling, (ii) threat-based formal verification, (iii) generation of counterexamples, and (iv) generation of snippet code for exploiting the vulnerability. The HUnTer framework also defines a security coverage metric (HUnT_Coverage) to measure the performance and efficacy of the proposed approach. Using the HUnTer framework on a RISC-V-based open-source SoC architecture, we conduct a wide variety of case studies of Trust-HUB vulnerabilities to demonstrate the high effectiveness of the proposed framework.

2023

[C26]

RTLock: IP Protection using Scan-Aware Logic Locking at RTL

Md Rafid Muttaki, Shuvagata Saha, Hadi Kamali, Fahim Rahman, Mark Tehranipoor and Farimah Farahmandi

Design, Automation and Test in Europe Conference (DATE)

Abstract

Conventional logic locking techniques mainly focus on gate-level netlists to combat IP piracy and IC overproduction. However, this is generally not sufficient for protecting semantics and behaviors of the design. Further, these techniques are even more objectionable when the IC supply chain is at risk of insider threats. This paper proposes RTLock, a robust logic locking framework at the RTL abstraction. RTLock provides a detailed formal analysis of the design specs at the RTL that determines the locking candidate points w.r.t. attacks resiliency (SAT/BMC), locking key size, and overhead. RTLock incorporates (partial) DFT infrastructure (scan chain) at the RTL, enabled with a scan locking mechanism. It allows us to push all the necessary security-driven actions to the highest abstraction level, thus making the flow EDA tool agnostic. Additionally, RTLock demonstrates why RTL-based locking must be coupled with encryption and management protocols (e.g., IEEE P1735), to be effective against insider threats. Our experimental results show that, vs. other techniques, RTLock protects the design against broader threats at low overhead and without compromising testability.


2023

[C25]

EvoLUTe: Evaluation of Look-Up-Table-based Fine-Grained IP Redaction

Rui Guo, M Sazadur Rahman, Hadi Kamali, Fahim Rahman, Farimah Farahmandi and Mark Tehranipoor

Design, Automation and Test in Europe Conference (DATE)

Abstract

Recent studies on intellectual property (IP) protection techniques demonstrate that engaging embedded reconfigurable components (e.g., eFPGA redaction) would be a promising approach to concealing the functional and structural information of the security-critical design. However, detailed investigation reveals that such techniques suffer from almost prohibited overhead in terms of area, power, delay, and testability. In this paper, we introduce EvoLUTe, a distinct and significantly more fine-grained redaction methodology using smaller reconfigurable components (such as look-up-tables (LUTs)). In EvoLUTe, we examine both eFPGA-based and LUT-based design spaces, demonstrating that a novel cone-based and fine-grained universal function modeling approach using LUTs is capable of providing the same degree of resiliency at a much lower area/power/delay and testability costs.


2023

[C24]

SheLL: Shrinking eFPGA Fabrics for Logic Locking

Hadi Kamali, Kimia Azar, Farimah Farahmandi and Mark Tehranipoor

Design, Automation and Test in Europe Conference (DATE)

Abstract

The utilization of fully reconfigurable logic and routing modules may be considered as one potential and even provably resilient technique against intellectual property (IP) piracy and integrated circuits (IC) overproduction. The embedded FPGA (eFPGA) is one instance that could be used for IP redaction leading to hiding the functionality through the untrusted stages of the IC supply chain. The eFPGA architecture, albeit reliable, unnecessarily results in exploding the die size even while it is supposed to be at fine granularity targeting small modules/IPs. In this paper, we propose SheLL, which primarily embeds the interconnects (routing channels) of the design and secondarily twists the minimal logic parts of the design into the eFPGA architecture. In SheLL, the eFPGA architecture is customized for this specific logic locking methodology, allowing us to minimize the overhead of eFPGA fabric as possible. Our experimental results demonstrate that SheLL guarantees robustness against notable attacks while the overhead is significantly lower compared to the existing eFPGA-based competitors.

2023

[C23]

SecHLS: Enabling Security Awareness in High-Level Synthesis

Shang Shi, Nitin Pundir, Hadi Kamali, Mark Tehranipoor, Farimah Farahmandi

Asia and South Pacific Design Automation Conference (ASP-DAC)

Abstract

In their quest for further optimization, High-level synthesis (HLS) utilizes advanced automatic optimization algorithms to achieve lower implementation time/effort for even more complex designs. These optimization algorithms are for the HLS tools’ backend stages, e.g., allocation, scheduling, and binding, and they are highly optimized for resources/latency constraints. However, current HLS tools’ backend is unaware of designs’ security assets, and their algorithms are incapable of handling security constraints. In this paper, we propose Secure-HLS (SecHLS), which aims to define underlying security constraints for HLS tools’ backend stages and intermediate representations. In SecHLS, we improve a set of widely-used scheduling and binding algorithms by integrating the proposed security-related constraints into them. We evaluate the effectiveness of SecHLS in terms of power, performance, area (PPA), security, and complexity (execution time) on small and real-size benchmarks, showing how the proposed security constraints can be integrated into HLS while maintaining low PPA/complexity burdens.

2023

[C22]

An ISA-based Software Snippet Generation for Exploiting Hardware Vulnerabilities

Sree Ranjani Rajendran, Shams Tarek, Hadi Kamali, Farimah Farahmandi

Government Microcircuit Applications & Critical Technology Conference (GoMACTech)

Abstract

Modern Systems-on-chip (SoCs) have grown in size and complexity, giving rise to fresh concerns and susceptibilities, especially with flaws at the system level. Nevertheless, a thorough exploration of the system-level verification process, which, if breached, could result in the exploitation of hardware vulnerabilities, is still lacking. This deficiency is primarily attributed to the absence of definitive security criteria and attributes from the perspective of SoC designers. To facilitate a more comprehensive assessment of system-level characteristics, this paper introduces a framework designed to identify sequences of instructions within the processor unit (PU) that expose underlying hardware vulnerabilities. The framework streamlines various aspects, including (i) threat modeling, (ii) formal verification based on potential threats, (iii) the creation of counterexamples, and (iv) the generation of code snippets that exploit these vulnerabilities. Additionally, the framework establishes a security coverage metric (referred to as Coverage) to gauge the performance and efficiency of the proposed methodology. To demonstrate the effectiveness of the methodology, we conducted a diverse range of case studies on a RISC-V-based open-source SoC architecture, showcasing its ability to uncover Trust-HUB vulnerabilities.

2023

[C21]

O’Clock: Lock the Clock via Clock-gating for SoC IP Protection

M. Sazadur Rahman, Rui Guo, Hadi Kamali, Fahim Rahman, Farimah Farahmandi, Mohamed Abdel-Moneum, Mark Tehranipoor

Design Automation Conference (DAC)

Abstract

Existing logic locking techniques can prevent IP piracy or tampering. However, they often come at the expense of high overhead and are gradually becoming vulnerable to emerging deobfuscation attacks. To protect SoC IPs, we propose O’Clock, a fully-automated clock-gating-based approach that ‘locks the clock’ to protect IPs in complex SoCs. O’Clock obstructs data/control flows and makes the underlying logic dysfunctional for incorrect keys by manipulating the activity factor of the clock tree. O’Clock has minimal changes to the original design and no change to the IC design flow. Our experimental results show its high resiliency against state-of-the-art de-obfuscation attacks (e.g., oracle-guided SAT, unrolling-/BMC-based SAT, removal, and oracle-less machine learning-based attacks) at negligible power, performance, and area (PPA) overhead.

2023

[C20]

Warm Up before Circuit De-obfuscation? An Exploration through Bounded-Model-Checkers

Kimia Azar, Hadi Kamali, Farimah Farahmandi, Mark Tehranipoor

IEEE International Symposium on Hardware Oriented Security and Trust (HOST)

Abstract

With the emergence of numerous circuit de-obfuscation attacks, the strength of logic locking has been jeopardized in recent years. Amongst them, bounded-model-checker (BMC)-based attack on locked circuits with limited design-for-testability (DFT) access received significant attention in recent years. However, scalability is a crucial challenge in such an attack due to having two unrolling factors, namely sequential unrolling and miter duplication. This paper will explore some techniques for warming up the BMC before its main invocation to expedite the attack procedure. Our experimental results reflect that the efficacy of BMC-based attacks can be enhanced once the BMC is initiated meticulously through the studied methodologies.


2022

[C19]

RANE: An Open-Source Formal De-obfuscation Attack for Reverse Engineering of Logic Encrypted Circuits

Shervin Roshanisefat, Hadi Kamali, Houman Homayoun, Avesta Sasan

ACM Great Lakes Symposium on VLSI (GLSVLSI)

Abstract

To enable trust in the IC supply chain, logic locking as an IP protection technique received significant attention in recent years. Over the years, by utilizing Boolean satisfiability (SAT) solver and its derivations, many de-obfuscation attacks have undermined the security of logic locking. Nonetheless, all these attacks receive the inputs (locked circuits) in a very simplified format (Bench or remapped and translated Verilog) with many limitations. This raises the bar for the usage of the existing attacks for modeling and assessing new logic locking techniques, forcing the designers to undergo many troublesome translations and simplifications. This paper introduces the RANE Attack, an open-source CAD-based toolbox for evaluating the security of logic locking mechanisms that implement a unique interface to use formal verification tools without a need for any translation or simplification. The RANE attack not only performs better compared to the existing de-obfuscation attacks, but it can also receive the library-dependent logic-locked circuits with no limitation in written, elaborated, or synthesized standard HDL, such as Verilog. We evaluated the capability/performance of RANE on FOUR case studies, one is the first de-obfuscation attack model on FSM locking solutions (e.g., HARPOON) in which the key is not a static bit-vector but a sequence of input patterns.

2021

[C18]

ChaoLock: Yet Another SAT-hard Logic Locking using Chaos Computing

Hadi Kamali, Kimia Azar, Houman Homayoun, Avesta Sasan

IEEE International Symposium on Quality Electronic Design (ISQED)

Abstract

Logic locking has been widely evaluated as a proactive countermeasure against the hardware security threats within the IC supply chain. However, the introduction of the SAT attack, and many of its derivatives, has raised big concern about this form of countermeasure. In this paper, we explore the possibility of exploiting chaos computing as a new means of logic locking. We introduce the concept of chaotic logic locking, called ChaoLock, in which, by leveraging asymmetric inputs in digital chaotic Boolean gates, we define the concept of programmability (key-configurability) to the sets of underlying initial conditions and system parameters. These initial conditions and system parameters determine the operation (functionality) of each digital chaotic Boolean gate. Also, by proposing dummy inputs in chaotic Boolean gates, we show that during reverse-engineering, the dummy inputs conceal the main functionality of the chaotic Boolean gates, which make the reverse-engineering almost impossible. By performing a security analysis of ChaoLock, we show that with no restriction on conventional CMOS-based ASIC implementation and with no test/debug compromising, none of the state-of-the-art attacks on logic locking, including the SAT attack, could reformulate chaotic Boolean gates while dummy inputs are involved and their parameters are locked. Our analysis and experimental results show that with a low number of chaotic Boolean gates mixed with CMOS digital gates, ChaoLock can guarantee resiliency against the state-of-the-art attacks on logic locking at low overhead.

2021

[C17]

ExTru: A Lightweight, Fast, and Secure Expirable Trust for the Internet of Things

Hadi Kamali, Kimia Azar, Shervin Roshanisefat, Ashkan Vakil, Houman Homayoun, Avesta Sasan

IEEE Dallas Circuits and Systems Conference (IEEE DCAS 2020)

Abstract

The resource-constrained nature of the Internet of Things (IoT) edges poses a challenge in designing a secure and high-performance communication for this family of devices. Although side-channel resistant ciphers (either block or stream) could guarantee the security of the communication, the energy intensive nature of these ciphers makes them undesirable for lightweight IoT solutions. In this paper, we introduce ExTru, an encrypted communication protocol based on stream ciphers that adds a configurable switching & toggling network (CSTN) to not only boost the performance of the communication in these devices, it also consumes far less energy than the conventional side-channel resistant ciphers. Although the overall structure of the proposed scheme is leaky against physical attacks, we introduce a dynamic encryption mechanism that removes this vulnerability. We demonstrate how each communicated message in the proposed scheme reduces the level of trust. Accordingly, since a specific number of messages, N, could break the communication and extract the key, by using the dynamic encryption mechanism, ExTru can re-initiate the level of trust periodically after T messages where T < N, to protect the communication against side-channel and scan-based attacks (e.g. SAT attack). Furthermore, we demonstrate that by properly configuring the value of T, ExTru not only increases the strength of security from per “device” to per “message”, it also significantly improves energy saving as well as throughput vs. an architecture that only uses a conventional side-channel resistant block/stream cipher.


2020

[C16]

NNgSAT: Neural Network guided SAT Attack on Logic Locked Complex Structures

Kimia Azar, Hadi Kamali, Houman Homayoun, Avesta Sasan

International Conference On Computer Aided Design (ICCAD)

Abstract

The globalization of the IC supply chain has raised many security threats, especially when untrusted parties are involved. This has created a demand for a dependable logic obfuscation solution to combat these threats. Amongst a wide range of threats and countermeasures on logic obfuscation in the 2010s decade, the Boolean satisfiability (SAT) attack, or one of its derivatives, could break almost all state-of-the-art logic obfuscation countermeasures. However, in some cases, particularly when the logic locked circuits contain complex structures, such as big multipliers, large routing networks, or big tree structures, the logic locked circuit is hard-to-be-solved for the SAT attack. Usage of these structures for obfuscation may lead to a strong defense, as many SAT solvers fail to handle such complexity. However, in this paper, we propose a neural-network-guided SAT attack (NNgSAT), in which we examine the capability and effectiveness of a message-passing neural network (MPNN) for solving these complex structures (SAT-hard instances). In NNgSAT, after being trained as a classifier to predict SAT/UNSAT on a SAT problem (NN serves as a SAT solver), the neural network is used to guide/help the actual SAT solver for finding the SAT assignment(s). By training NN on conjunctive normal forms (CNFs) corresponded to a dataset of logic locked circuits, as well as fine-tuning the confidence rate of the NN prediction, our experiments show that NNgSAT could solve 93.5% of the logic locked circuits containing complex structures within a reasonable time, while the existing SAT attack cannot proceed the attack flow in them.

2020

[C15]

InterLock: An Intercorrelated Logic And Routing Locking

Hadi Kamali, Kimia Azar, Houman Homayoun, Avesta Sasan

International Conference On Computer Aided Design (ICCAD)

Abstract

In this paper, we propose a canonical prune-and-SAT (CP&SAT) attack for breaking state-of-the-art routing-based obfuscation techniques. In the CP&SAT attack, we first encode the key-programmable routing blocks (keyRBs) based on an efficient SAT encoding mechanism suited for detailed routing constraints, and then efficiently re-encode and reduce the CNF corresponded to the keyRB using a bounded variable addition (BVA) algorithm. In the CP&SAT attack, this is done before subjecting the circuit to the SAT attack. We illustrate that this encoding and BVA-based pre-processing significantly reduces the size of the CNF corresponded to the routing-based obfuscated circuit, in the result of which we observe 100% success rate for breaking prior art routing-based obfuscation techniques. Further, we propose a new intercorrelated logic and routing locking technique, or in short InterLock, as a countermeasure to mitigate the CP&SAT attack. In InterLock, in addition to hiding the connectivity, a part of the logic (gates) in the selected timing paths are also implemented in the keyRB(s). We illustrate that when the logic gates are twisted with keyRBs, the BVA could not provide any advantage as a pre-processing step. Our experimental results show that, by using InterLock, with only three 8×8 or only two 16×16 keyRBs (twisted with actual logic gates), the resilience against existing attacks as well as our new proposed CP&SAT attack would be guaranteed while, on average, the delay/area overhead is less than 10% for even medium-size benchmark circuits.

2020

[C14]

On Designing Secure and Robust Scan Chain for Protecting Obfuscated Logic

Hadi Kamali, Kimia Azar, Houman Homayoun, Avesta Sasan

ACM Great Lakes Symposium on VLSI (GLSVLSI)

Abstract

In this paper, we assess the security and testability of the state-of-the-art design-for-security (DFS) architectures in the presence of scan-chain locking/obfuscation, a group of solutions that have previously been proposed to restrict unauthorized access to the scan chain. We discuss the key leakage vulnerability in the recently published prior-art DFS architectures. This leakage relies on the potential glitches in the DFS architecture that could lead the adversary to make a leakage condition in the circuit. Also, we demonstrate that the state-of-the-art DFS architectures impose some substantial architectural drawbacks that moderately affect both test flow and design constraints. We propose a new DFS architecture for building a secure scan chain architecture while addressing the potential of key leakage. The proposed architecture allows the designer to perform the structural test with no limitation, enabling an untrusted foundry to utilize the scan chain for manufacturing fault testing without having a need to access the scan chain. Our proposed solution poses negligible limitation/overhead on the test flow, as well as the design criteria.

2020

[C13]

SCRAMBLE: The State, Connectivity and Routing Augmentation Model for Building Logic Encryption

Hadi Kamali, Kimia Azar, Houman Homayoun, Avesta Sasan

IEEE Computer Society Annual Symposium on VLSI (ISVLSI)

Abstract

In this paper, we introduce SCRAMBLE, as a novel logic locking solution for sequential circuits while the access to the scan chain is restricted. The SCRAMBLE could be used to lock an FSM by hiding its state transition graph (STG) among a large number of key-controlled false transitions. Also, it could be used to lock sequential circuits (sequential datapath) by hiding the timing paths’ connectivity among a large number of key-controlled false connections. Besides, the structure of SCRAMBLE allows us to engage this scheme as a new scan chain locking solution by hiding the correct scan chain sequence among a large number of the key-controlled false sequences. We demonstrate that the proposed scheme resists against both (1) the 2-stage attacks on FSM, and (2) SAT attacks integrated with unrolling as well as bounded-model checking. We have discussed two variants of SCRAMBLE: (a) Connectivity SCRAMBLE (SCRAMBLE-C), and (b) Logic SCRAMBLE (SCRAMBLE-L). The SCRAMBLE-C relies on the SAT-hard and key-controlled modules that are built using near non-blocking logarithmic switching networks. The SCRAMBLE-L uses input multiplexing techniques to hide a part of the FSM in a memory. In the result section, we describe the effectiveness of each variant against state-of-the-art attacks.


2020

[C12]

DFSSD: Deep Faults and Shallow State Duality, A Provably Strong Obfuscation Solution for Circuits with Restricted Access to Scan Chain

Shervin Roshanisefat, Hadi Kamali, Kimia Azar, Sai Manoj Pudukotai Dinakarrao, Naghmeh Karimi, Houman Homayoun, Avesta Sasan

IEEE VLSI Test Symposium (VTS 2020)

Abstract

In this paper, we introduce DFSSD, a novel logic locking solution for sequential and FSM circuits with a restricted (locked) access to the scan chain. DFSSD combines two techniques for obfuscation: (1) Deep Faults, and (2) Shallow State Duality. Both techniques are specifically designed to resist against sequential SAT attacks based on bounded model checking. The shallow state duality prevents a sequential SAT attack from taking a shortcut for early termination without running an exhaustive unbounded model checker to assess if the attack could be terminated. The deep fault, on the other hand, provides a designer with a technique for building deep, yet key recoverable faults that could not be discovered by sequential SAT (and bounded model checker based) attacks in a reasonable time.

2020

[C11]

Security and Complexity Analysis of LUT-based Obfuscation: From Blueprint to Reality

Gaurav Kolhe, Hadi Kamali, Miklesh Naicker, Tyler David Sheaves, Setareh Rafatirad, Avesta Sasan, Sai Manoj Pudukotai Dinakarrao, Hamid Mahmoodi, Houman Homayoun

International Conference On Computer Aided Design (ICCAD)

Abstract

Recent obfuscation schemes have leveraged reconfigurable logics to alleviate various hardware security threats. However, existing reconfigurable logic-based obfuscation schemes focus on specific design factors such as gate replacement strategy or an optimization metric such as SAT-hardness. Despite meeting the focused metrics such as security, the obfuscation also incurs overheads, which are not well analyzed in the existing works. In this work, we provide a comprehensive analysis on reconfigurable logic obfuscation schemes, i.e., LUT-based obfuscation, by investigating three key design factors, namely (1) LUT size, (2) number of LUTs, and (3) replacement strategy, as they have a considerable impact on design criteria, i.e., Power-Performance-Area (PPA) and Security (PPA/S). Our results show that among the studied parameters the size of LUT has the most prominent impact on improving the resiliency of LUT-based obfuscation against the SAT and removal attacks. However, using large size LUTs incurs significant PPA overheads, making such solutions unfeasible and unpractical. To address this challenge, this work proposes a pragmatic solution based on a customized LUT, where the security provided by each LUT is superior to that of traditional LUT-based obfuscation. The proposed solution primarily benefits from LUT-based obfuscation reinforced with additional logic/routing obfuscation that is implemented using small 2-input LUTs. We evaluate the hardware security and overhead of the proposed customized LUT-based obfuscation on various benchmarks to prove that the customized LUT-based obfuscation breaks the PPA tradeoffs while exhibiting robustness against the SAT and removal attacks. The customized LUT-based obfuscation comes with 8× reduced area and 2× reduced power on an average compared to state-of-the-art LUT-based obfuscation without compromising security.


2019

[C10]

COMA: Communication and Obfuscation Management Architecture

Kimia Azar, Farnoud Farahmand, Hadi Kamali, Shervin Roshanisefat, Houman Homayoun, William Diehl, Kris Gaj, Avesta Sasan

International Symposium on Research in Attacks, Intrusions and Defenses (RAID)

Abstract

In this paper, we introduce a novel Communication and Obfuscation Management Architecture (COMA) to handle the storage of the obfuscation key and to secure the communication to/from untrusted yet obfuscated circuits. COMA addresses three challenges related to the obfuscated circuits: First, it removes the need for the storage of the obfuscation unlock key at the untrusted chip. Second, it implements a mechanism by which the key sent for unlocking an obfuscated circuit changes after each activation (even for the same device), transforming the key into a dynamically changing license. Third, it protects the communication to/from the COMA protected device and additionally introduces two novel mechanisms for the exchange of data to/from COMA protected architectures: (1) a highly secure but slow double encryption, which is used for exchange of key and sensitive data, and (2) a high-performance and low-energy yet leaky encryption, secured by means of frequent key renewal. We demonstrate that compared to state-of-the-art key management architectures, COMA reduces the area overhead by 14%, while allowing additional features including unique chip authentication, enabling activation as a service (for IoT devices), reducing the side channel attack on key management architecture, and providing two new means of the secure communication to/from a COMA-secured untrusted chip.

2019

[C9]

Muffin: Minimally-Buffered Zero-Delay Power-Gating Technique in On-Chip Routers

Hossein Farrokhbakht, Hadi Kamali, Natalie Enright Jerger

International Symposium on Low Power Electronics and Design (ISLPED)

Abstract

Although conventional Network-on-Chip (NoC) designs provide high bandwidth, many modern applications for many-core architectures have significant periods of low NoC utilization. Highly provisioned NoCs provide the required performance during periods of high activity; yet, large NoC designs come with high power costs. Furthermore, as technology shrinks, the contribution of static power increases. Hence, numerous NoC power-gating techniques have been proposed to alleviate the growing contribution of static power. However, the efficiency of power-gating techniques decreases due to sporadic packet arrivals across a range of injection rates. In this paper, we propose Minimally-Buffered Router Infrastructure (Muffin), which increases the number of traversals that can be made without needing to power on the routers. Empirical results on SPLASH-2 show that, compared to conventional power-gating scheme, Muffin improves static power consumption by an average of 95.4%, while improving the average packet latency by 73.7%.

2019

[C8]

Full-Lock: Hard Distributions of SAT instances for Obfuscating Circuits using Fully Configurable Logic and Routing Blocks

Hadi Kamali, Kimia Azar, Houman Homayoun, Avesta Sasan

Design Automation Conference (DAC)

Abstract

In this paper, we propose a novel and SAT-resistant logic-locking technique, denoted as Full-Lock, to obfuscate and protect the hardware against threats including IP-piracy and reverse-engineering. The Full-Lock is constructed using a set of small-size fully Programmable Logic and Routing block (PLR) networks. The PLRs are SAT-hard instances with reasonable power, performance and area overheads which are used to obfuscate (1) the routing of a group of selected wires and (2) the logic of the gates leading and proceeding the selected wires. The Full-Lock resists removal attacks and breaks a SAT attack by significantly increasing the complexity of each SAT iteration.

2019

[C7]

Threats on Logic Locking: A Decade Later

Kimia Azar, Hadi Kamali, Houman Homayoun, Avesta Sasan

ACM Great Lakes Symposium on VLSI (GLSVLSI)

Abstract

To reduce the cost of ICs and to meet the market’s demand, a considerable portion of manufacturing supply chain, including silicon fabrication, packaging and testing may be pushed offshore. Utilizing a global IC manufacturing supply chain, and inclusion of non-trusted parties in the supply chain has raised concerns over security and trust related challenges including those of overproduction, counterfeiting, IP piracy, and Hardware Trojans to name a few. To reduce the risk of IC manufacturing in an untrusted and globally distributed supply chain, the researchers have proposed various locking and obfuscation mechanisms for hiding the functionality of the ICs during the manufacturing, that requires the activation of the IP after fabrication using the key value(s) that is only known to the IP/IC owner. At the same time, many such proposed obfuscation and locking mechanisms are broken with attacks that exploit the inherent vulnerabilities in such solutions. The past decade of research in this area, has resulted in many such defense and attack solutions. In this paper, we review a decade of research on hardware obfuscation from an attacker perspective, elaborate on attack and defense lessons learned, and discuss future directions that could be exploited for building stronger defenses.

2019

[C6]

LUT-Lock: A Novel LUT-Based Logic Obfuscation for FPGA-Bitstream and ASIC-Hardware Protection

Hadi Kamali, Kimia Azar, Kris Gaj, Houman Homayoun, Avesta Sasan

IEEE Computer Society Annual Symposium on VLSI (ISVLSI)

Abstract

In this work, we propose LUT-Lock, a novel Look-Up-Table-based netlist obfuscation algorithm, for protecting the intellectual property that is mapped to an FPGA bitstream or an ASIC netlist. We, first, illustrate the effectiveness of several key features that make the LUT-based obfuscation more resilient against SAT attacks and then we embed the proposed key features into our proposed LUT-Lock algorithm. We illustrate that LUT-Lock maximizes the resiliency of the LUT-based obfuscation against SAT attacks by forcing a near exponential increase in the execution time of a SAT solver with respect to the number of obfuscated gates. Hence, by adopting LUT-Lock algorithm, SAT attack execution time could be made unreasonably long by increasing the number of utilized LUTs.

2018

[C5]

SPONGE: A Scalable Pivot-based On/Off Gating Engine for Reducing Static Power in NoC Routers

Hossein Farrokhbakht, Hadi Kamali, Natalie Enright Jerger, Shaahin Hessabi

International Symposium on Low Power Electronics and Design (ISLPED)

Abstract

Due to high aggregate idle time of Networks-on-Chip (NoCs) routers in practical applications, power-gating techniques have been proposed to combat the ever-increasing ratio of static power. Nevertheless, the sporadic packet arrivals compromise the effectiveness of power-gating by incurring significant latency and energy overhead. In this paper, we propose a Scalable Pivot-based On/Off Gating Engine (SPONGE) which efficiently manages power-gating decisions and routing mechanism by adaptively selecting a small set of powered-on columns of routers and keeping the others in power-gated state. To this end, a router architecture augmented with a novel routing algorithm is proposed in which a packet can traverse powered-off routers without waking them up, and can only turn in predetermined powered-on routers. Experimental results on SPLASH-2 benchmarks demonstrate that, compared to the conventional power-gating method, SPONGE on average not only improves static power consumption by 81.7%, it also improves average packet latency by 63%.

2018

[C4]

SRCLock: SAT-Resistant Cyclic Logic Locking for Protecting the Hardware

Shervin Roshanisefat, Hadi Kamali, Avesta Sasan

ACM Great Lakes Symposium on VLSI (GLSVLSI)

Abstract

In this paper, we claim that cyclic obfuscation, when properly implemented, poses exponential complexity on SAT or CycSAT attack. The CycSAT, in order to generate the necessary cycle avoidance clauses, uses a pre-processing step. We show that this pre-processing step has to compose its cycle avoidance condition on all cycles in a netlist, otherwise, a missing cycle could trap the SAT solver in an infinite loop or force it to return an incorrect key. Then, we propose several techniques by which the number of cycles is exponentially increased with respect to the number of inserted feedbacks. We further illustrate that when the number of feedbacks is increased, the pre-processing step of CycSAT faces an exponential increase in complexity and runtime, preventing the correct composition of loop avoidance clauses in a reasonable time before invoking the SAT solver. On the other hand, if the pre-processing is not completed properly, the SAT solver will get stuck or return incorrect key. Hence, when the cyclic obfuscation in accordance to the conditions proposed in this paper is implemented, it would impose an exponential complexity with respect to the number of inserted feedback, even when the CycSAT solution is used.

2018

[C3]

MUCH-SWIFT: A High-Throughput Multi-Core HW/SW Co-design K-means Clustering Architecture

Hadi Kamali, Avesta Sasan

ACM Great Lakes Symposium on VLSI (GLSVLSI)

Abstract

K-means clustering is an essential tool for many big data applications including data mining, predictive analysis, forecasting studies, and machine learning. However, due to large size (volume) of Big-Data, and large dimensionality of its data points, even the application of a simple k-means clustering may become extremely time and resource demanding. In this paper, we propose a two-level filtering algorithm based on binary kd-tree structure, which considerably decreases the time of convergence in K-means algorithm for large datasets. The proposed modification to the classification algorithm evolves the SW to naturally divide the classification into smaller data sets, based on the number of available cores and size of logic available in an FPGA. The empirical results show that, on a multi-core FPGA, the proposed architecture provides 330x speed-up compared to a conventional SW-only solution.

2018

[C2]

SMART: A Scalable Mapping And Routing Technique for Power-Gating in NoC Routers

Hossein Farrokhbakht, Hadi Kamali, Shaahin Hessabi

IEEE/ACM International Symposium on Networks-on-Chip (NOCS)

Abstract

Reducing the size of the technology increases leakage power in Network-on-Chip (NoC) routers drastically. Power-gating, particularly in NoC routers, is one of the most efficient approaches for alleviating the leakage power. Although applying power-gating techniques alleviates NoC power consumption due to high proportion of idleness in NoC routers, since the timing behavior of packets is irregular, even in low injection rates, performance overhead in power-gated routers is significant. In this paper, we present SMART, a Scalable Mapping And Routing Technique, with virtually no area overhead on the network. It improves the irregularity of the timing behavior of packets in order to mitigate leakage power and lighten the imposed performance overhead. SMART employs a special deterministic routing algorithm, which reduces number of packets encounter power-gated routers. It establishes a dedicated path between each source-destination pair to maximize using powered-on routers, which roughly halves the number of wake-ups. Additionally, in order to maximize the efficiency of the proposed routing algorithm, SMART provides an exclusive mapping for each communication task graph. In proposed mapping, all cores should be arranged with a special layout suited for the proposed routing, which helps us to minimize the number of hops. Furthermore, we modify the predictor of conventional power-gating technique to reduce energy overhead of inconsistent wake-ups. Experimental results on SPLASH-2 benchmarks indicate that the proposed technique can save 21.9% of static power, and reduce the latency overhead by 42.9% compared with the conventional power-gating technique.

2017

[C1]

AdapNoC: A Fast and Flexible FPGA-based NoC Simulator

Hadi Kamali, Shaahin Hessabi

International Conference on Field Programmable Logic and Applications (FPL)

Abstract

Network on Chip (NoC) is the most common interconnection platform for multiprocessor systems-on-chips (MPSoCs). In order to explore the design space of this platform, we need a high-speed, cycle-accurate, and flexible simulation tool. In this paper, we present AdapNoC, a configurable cycle-accurate FPGA-based NoC simulator, which can be configured via software. A wide range of parameters are configurable in FPGA side of the proposed simulator, and the software side is implemented on an embedded soft-core processor. We transfer some parts of simulator, such as Traffic Generators (TGs) and Traffic Receptors (TRs), to software side without any degradation in simulation speed. Moreover, we implement a dual-clock architecture as an innovation in virtualization methodology, which is also capable of sharing idle time-slots, which helps not only simulate bigger NoCs, but also reduce simulation time drastically. Also, by employing a traffic aggregator architecture, AdapNoC provides table-based adaptive routing algorithm as a configurable parameter in router microarchitecture. We evaluate simulation time of AdapNoC by using Xilinx Virtex-6 XC6VLX240T, and demonstrate 53x–180x speed-up against BOOKSIM. Also, due to our proposed virtualization, and TGs and TRs migration to software side, we can implement a 64-node non-virtualized or a 1024-node virtualized mesh network in only 72% of Xilinx Virtex-6 XC6VLX240T resources.

2016


Non-Refereed Articles [3 Articles]

[NR3]

Advances in Logic Locking: Past, Present, and Prospects

Kimia Azar, Hadi Kamali, Farimah Farahmandi, Mark Tehranipoor

Cryptology ePrint Archive

2022

[NR2]

Secure and Robust Key-Trapped Design-for-Security Architecture for Protecting Obfuscated Logic

Hadi Kamali

Cryptology ePrint Archive

2022

[NR1]

Using Multi-Core HW/SW Co-design Architecture for Accelerating K-means Clustering Algorithm

Hadi Kamali

ACM Journal on Emerging Technologies in Computing Systems (ACM JETC), 2018.

2018