Anti-Counterfeit and Anti-Tamper Implementation using Hardware Obfuscation Avinash Desai Thesis submitted to the Faculty of the Virginia Polytechnic Institute and State University in partial fulfillment of the requirements for the degree of Master of Science in Computer Engineering Michael S. Hsiao, Chair Chao Wang Leyla Nazhandali 8 August, 2013 Blacksburg, Virginia Keywords: Anti-Counterfeit, Anti-Tamper, Trojan Detection Integrated Circuits, Seal, Time-Stamp Copyright 2013, Avinash Desai Anti-Counterfeit and Anti-Tamper Implementation using Hardware Obfuscation Avinash Desai (ABSTRACT) Tampering and Reverse Engineering of a chip to extract the hardware Intellectual Property (IP) core or to inject malicious alterations is a major concern. First, offshore chip manufac- turing allows the design secrets of the IP cores to be transparent to the foundry and other entities along the production chain. Second, small malicious modifications to the design may not be detectable after fabrication without anti-tamper mechanisms. Counterfeit Inte- grated Circuits (ICs) also have become an important security issue in recent years, in which counterfeit ICs that perform incorrectly or sub-par to the expected can lead to catastrophic consequences in safety and/or mission-critical applications, in addition to the tremendous economic toll they incur to the semiconductor industry. Some techniques have been devel- oped in the past to improve the defense against such attacks but they tend to fall prey to the increasing power of the attacker. We present a new way to protect against tampering by a clever obfuscation of the design, which can be unlocked with a specific, dynamic path traversal. Hence, the functional mode of the controller is hidden with the help of obfuscated states, and the functional mode is made operational only on the formation of a specific interlocked Code-Word during state transition. A novel time-stamp is proposed that can provide the date at which the IC was manufactured for counterfeit detection. Furthermore, we propose a second layer of tamper resistance to the time-stamp circuit to make it even more difficult to modify. Results show that methods proposed offer higher levels of security with small area overhead. A side benefit is that any small alteration will be magnified via the obfuscated design proposed in these methods. ∼ To my Grandparents ∼ iii Acknowledgements Firstly, I would like to extend my sincere thanks to my graduate research advisor Dr. Michael HsiaoforgivingmeanopportunitytoworkinPROACTIVEgroup. Hisinvaluable guidance and support was the driving force throughout my research. I have learned many valuable lessons of being a good student and a researcher through countless number of interactions with him. This work was possible due to his constant feedback and suggestions on ideas throughout this project. I express my sincerest gratitude to Dr. Leyla Nazhandali and Dr. Chao Wang for serving on my thesis committee. Brain storming sessions during weekly meetings with Dr. Hsiao, Dr. Leyla and Dr. Wang and Dr. Simin Hall have really helped to carve out different techniques proposed in this thesis. I would also like to thank the student members of the project group Rashmi Moudgil, Dinesh Ganta and Bing Liu for working with me as a team and constantly encouraging to try out different things during the project. I sincerely that my labmate and best friend Sarvesh Prabhu for all the fun we had inside and outside lab, for pushing me to achieve higher goals even during difficult phases of my life and for direct and indirect support.I thank my sister Indira for being there with me throughout my masters degree and encouraging me to do my best. I also thank Dilip, Sharad and Vineet for sharing many wonderful moments in the lab. I thank my roommates Hemanth, Rajat, Tanmay and Sushrut for maintaining an awesome atmosphere at home. iv I take this opportunity to thank my beloved parents Mrs. Vasanti Desai and Mr. Ra- jendra Desai for keeping faith in me, multiplying my happiness and nullifying my sorrows throughout my life. I also thank my angel sister Asmita for constant encouragement and trusting me. Finally, I express my gratitude to my best friend Ashwini, for standing besides me with whatever I do, giving me encouragement and unconditional emotional support when things do not go well and reinforcing my confidence whenever I need it. Avinash Desai Blacksburg August 08, 2012 v Contents 1 Introduction 1 1.1 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2 Thesis Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2 Background 6 2.1 Production Chain and Attack Possibilities . . . . . . . . . . . . . . . . . . . 6 2.2 Reverse Engineering Tools and Methodology Used . . . . . . . . . . . . . . . 7 2.2.1 Black Box Testing [28] . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2.2 White Box Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 2.2.3 Side Channel Analysis (SCA) [30] . . . . . . . . . . . . . . . . . . . . 9 2.3 Classification of techniques for Anti-Tamper . . . . . . . . . . . . . . . . . . 9 2.3.1 Passive Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.3.2 Active Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2.4 Related work on Anti-Tamper Techniques . . . . . . . . . . . . . . . . . . . 12 2.4.1 HARPOON [31] Methodology . . . . . . . . . . . . . . . . . . . . . . 12 Drawbacks of HARPOON . . . . . . . . . . . . . . . . . . . . . . . . 14 2.4.2 STEP [35] Methodology . . . . . . . . . . . . . . . . . . . . . . . . . 14 Drawbacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 2.4.3 HardwareIPProtectionduringEvaluationusingEmbeddedSequential Trojan [32] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 Drawbacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 vi 2.4.4 RTLHardwareIPProtectionUsingKey-BasedControlandDataFlow Obfuscation [33] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 Advantages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Drawbacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2.5 Related work on Anti-Counterfeit Techniques . . . . . . . . . . . . . . . . . 19 2.5.1 Counterfeit detection techniques for existing designs . . . . . . . . . . 19 2.5.2 Counterfeit detection techniques for future designs . . . . . . . . . . . 20 2.6 Related Work on Hardware Trojan Detection . . . . . . . . . . . . . . . . . . 21 3 Interlocking Obfuscation for Anti-Tamper Hardware 24 3.1 Shortcomings in Reverse Engineering Techniques . . . . . . . . . . . . . . . . 25 3.1.1 Complete functionality unknown . . . . . . . . . . . . . . . . . . . . 25 3.1.2 Limited resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 3.1.3 Dependence on algorithmic approach . . . . . . . . . . . . . . . . . . 26 3.2 Requirements of Effective Anti-Tamper Methodologies . . . . . . . . . . . . 26 3.3 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 3.3.1 Expansion of States . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 3.3.2 Code-Word . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 3.3.3 State Transition Graph (STG) . . . . . . . . . . . . . . . . . . . . . . 29 3.3.4 Entry Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 3.3.5 Functional Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 3.4 Design Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 3.5 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 3.6 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 3.7 Advantages Interlocking Obfuscation Technique for Anti-Tamper Hardware . 39 4 Anti-counterfeit Integrated Circuits Using Tamper-Resistant Time-stamp Circuitry 41 4.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 4.2 Time-Stamp Circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 vii 4.2.1 LFSR Circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 4.2.2 Path Traversal in Time-stamp mode . . . . . . . . . . . . . . . . . . 45 4.3 Tamper-Resistant Time-Stamp Circuit . . . . . . . . . . . . . . . . . . . . . 47 4.4 Design Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 4.5 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 4.5.1 Time Stamp Circuit . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 4.5.2 Tamper Resistant Time Stamp Circuit . . . . . . . . . . . . . . . . . 52 4.6 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 4.7 Advantages of Anti-Counterfeit methods with Tamper-Resistant Time-stamp Circuitry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 5 Conclusion 57 5.0.1 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Bibliography 60 viii List of Figures 1.1 Types of manufactured parts suspected/confirmed to be counterfeit . . . . . 3 1.2 Two Aspects for Counterfeit detection . . . . . . . . . . . . . . . . . . . . . 4 2.1 Production Chain and Attack Possibilities. . . . . . . . . . . . . . . . . . . . 7 2.2 Classification of Anti-Tamper Techniques . . . . . . . . . . . . . . . . . . . . 9 2.3 Production Chain for IP protection using Obfuscation and Key . . . . . . . . 11 2.4 HARPOON Methodology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.5 STEP design methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2.6 Key-Based Control and Data Flow Obfuscation . . . . . . . . . . . . . . . . 18 2.7 BISA cell structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 3.1 State space expansion of the core FSM. . . . . . . . . . . . . . . . . . . . . . 28 3.2 State transition graph. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 3.3 Modified State transition graph. . . . . . . . . . . . . . . . . . . . . . . . . . 30 3.4 Functional Mode Modification . . . . . . . . . . . . . . . . . . . . . . . . . . 32 3.5 State Transition for Incorrect Code-Word . . . . . . . . . . . . . . . . . . . . 32 3.6 Example obfuscated RTL design. . . . . . . . . . . . . . . . . . . . . . . . . 34 3.7 Design Flow for Anti-Tamper Techniques . . . . . . . . . . . . . . . . . . . . 36 4.1 Timestamp process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 4.2 Linear Feedback Shift Register . . . . . . . . . . . . . . . . . . . . . . . . . . 43 4.3 Multi-mode Use of LFSR-based Time-stamp Circuit . . . . . . . . . . . . . . 45 4.4 Path traversal in entry mode for time-stamp . . . . . . . . . . . . . . . . . . 45 ix 4.5 Integration for tamper-resistant time-stamp . . . . . . . . . . . . . . . . . . 47 4.6 Path traversal for tamper resistant time-stamp . . . . . . . . . . . . . . . . . 49 4.7 Anticounterfeit Design Method . . . . . . . . . . . . . . . . . . . . . . . . . 51 x
Description: