 over gates, protecting integrated circuit with undetectable camouflaging, sorry. This is a joint work by Piquet Chakaya, Oiting Chen, Mark Teranypur, and Dominique Forte, and Dominique will give the talk. Thank you for the introduction. It's a pleasure to be here. So this, the motivation behind this work is the rise of automated reverse engineering. So for those of you who are unfamiliar, integrated circuits can be reverse engineered in three to four basic steps. First, you start by de-packaging the IC, and then you do an iterative process where you image, you de-layer, then you image the next layer, and so on and so forth. And then in the last step, you more or less do post-processing where you collect these images, stitch them together, analyze them, and then put together your results. And the output of this is typically a net list. Now today, there's been a lot of improvements in automating this approach. In our case, for example, we've actually developed an automated de-layering approach, which actually uses a plasma FIB-SEM to simultaneously do imaging and de-layering. And more recently, there's actually a lot of commercial companies doing the post-processing steps, such as TechSplained and Tech Insights and Micronet. Now, there's a lot of good intentions and bad intentions associated with reverse engineering. It could be done for educational purposes. It could be done to prove IP infringement. But on the malicious side, it could be used to clone designs and to find weaknesses in the hardware as well. And this is particularly what we're worried about in this paper, because if you find these exploits, there's even potential that you could use them to launch remote attacks on your integrated systems. Okay, so what is IC camouflaging? Well, it's used to protect an IC from reverse engineering, in particular, by disrupting the ability of the attacker to do imaging and to actually identify exactly what function or what connections are in your integrated circuit. So to illustrate this process, we have this smart card, which we partially de-layered in our lab. And I'll focus on just one very, very small region to show you what this looks like. There's basically five rows here of standard cells. Standard cells are the basic building blocks of these integrated circuits. And with the standard cell methodology, we've been able to go from very small integrated circuits which are manually done to these modern circuits, which we have millions of gates. Now, there's a double-edged sword here, and in terms of getting that flexibility, you can see that there's a lot of patterns here, and those patterns are gonna be repeated. So a standard cell library typically only has maybe 200 standard cells. So to illustrate a couple that are repeating, I've highlighted them here. And just by looking at these patterns and identifying these patterns, an attacker can perform reverse engineering and extract the net list. So the idea behind IC camouflaging is to disrupt some of the imaging here, so that some of these in the net list are actually still a mystery to the attacker. And they have to launch even more attacks that actually look at the functionality or the electrical parameters of these gates in order to fully reverse engineer the functionality. So existing camouflaging techniques are look as follows. They basically take your gate here, they replace it with another type of gate or standard cell, which could take one or more functionalities, and the attacker has to determine which of these functionalities are being used. Two very popular techniques are dummy contact-based approach and threshold voltage-based approach. The dummy contact one is shown in the middle here, where you can see, we've basically taken a regular NAND gate and actually converted it to one with more transistors and more contacts. And the idea is that these contacts, some of them are dummy contacts, some of them are real contacts, they determine the actual configuration of this cell, and the attacker can actually do this through imaging. But as you can see, it's much, much larger, there's more area, there's more power involved, typically four to five times more. The threshold voltage one is based on modifying the threshold voltages to determine the functionality of the cell. Typically in many of these instantiations, they use a different kind of design logic style. So for example, in the one shown here, they use a sense amplifier-based logic, which requires a clock, it's very difficult to work with, and it also has a high area and power, et cetera, overheads. So to summarize this slide, because of the high area and high overheads, it's very difficult to actually use this for your entire integrated circuit, so you have to use it just in small percentage. And because these cells in particular are distinct and they're noticeable by an attacker, this actually paints a target on the back of these cells, which makes them an easy thing to reverse engineer. So before getting into the actual attacks, let me just discuss a little bit more about the adversarial model, who's actually doing the attacking, who's doing the protecting. So what we're focused on here is actually attacking that's occurring when somebody actually buys this integrated circuit in the market, or perhaps they steal it from, for example, a recovered military system. And the folks that are trying to protect it are obviously the design house, and in many instances, we're actually considering the foundry to be trusted in this scenario, because in many cases, the foundry is actually providing these standard cells to the designer, and they're actually fabricating it so they know actually what's actually being fabricated. And the attacker in this case actually has three things in their hands. They have a net list, which is partially reverse engineered, but again, it has these missing areas, so we call this a camouflage net list. They have a functional chip, which acts as an oracle. That is, you could apply inputs to it and you'll get the correct outputs. And finally, they have scan chain access. Scan chain is something that's used to break down the design into the sequential design into small combination of logic blocks and kind of gives you an idea of the internals of the IC and it's basically required to do testing as well as these kinds of attacks. Okay, so here's a look at the actual attacks themselves. So in this case, we have our original design where we have these green cells which could be easily reverse engineered in the camouflage design using existing techniques. We have a couple of cells that have been changed, but the attacker knows exactly what they are and as I mentioned before, these kind of paint a target on these cells. So what kind of attacks can be done? Well first, you could do some invasive attacks. You could actually go in and actually use semi-invasive or invasive probing to extract the functionality of these targets. But that's a little bit expensive, so that's why they've developed these non-invasive attacks to also accomplish this. So the top one is one non-invasive attack, which is based on automatic test pattern generation, where you basically use these well-known tools to generate a pattern that excites this cell and propagates its value to the output so that you can infer its actual function. And the last one was discussed by the previous speaker is the satisfiability attack, which basically uses these SAT tools on a net list that's basically been encoded. So for example, we could take one of those camouflage cells and convert it into a MUX with multiple functionalities and basically the secret trying to be identified is a key very, very similar to logic locking. And people have shown that these camouflaged net lists can be reverse engineered in minutes using this type of SAT attack. So the goals basically for our approach, which we call as covert gate, was to overcome all of these issues. We want to make this a low overhead approach and in order to prevent the attacker from actually identifying targets, we basically want to make every single of our covert gates or camouflage gates look like any other cell in the design. And what that does is it basically creates a target like this where everything has to be attacked by the attacker. This basically blows up your SAT and ATPG attacks and makes it very difficult to actually accomplish them. Okay, so how does this work? So I'm glad to say that we accomplished what we sought out to do and for the rest of the presentation you'll see how we did it. So one big distinguishing thing about our covert gates in comparison to other camouflaging techniques is we don't take a cell and actually make it have multiple functionalities, rather we take a cell and we actually create dummy inputs into that cell. And essentially what that does is it again makes it so that every single cell has potentially real contacts or dummy contacts and the attacker has to determine which. And this is again gonna be low overhead because we use basically normal standard cells and no change in logic style at all. So how do we accomplish this? Well, when you have a typical gate and typical transistors in your gates they typically are consisting of these transistors which act as switches and they are switched on based on the voltage that's applied to the gate itself. And what we do in this case to create dummy inputs we don't want them to affect the functionality of the gate so we make these transistors that are always on and always off, okay? So this is illustrated on the bottom side. So let's say we actually had this inverter in the original design or we can replace it with one of like a NOR gate here with a dummy input and it'll actually have the equivalent functionality but when the attacker actually tries to image it they'll actually just see a NOR gate and they'll have two inputs they don't know which one is which. So in this case we have the NOR gate and the B input is the dummy so the pull up network actually has an always on transistor and the pull down network hasn't always off transistor and as you could see they're more or less equivalent in terms of schematic and functionality. So how do we actually fabricate these? What's the cost? Well it's actually very, very easy to do both of these techniques. In the always on case we basically just have to create this shallow doped channel in the device before we create the transistor and then we basically proceed with the remaining steps for the transistor fabrication. So this only requires basically one new mask and one ion implantation step. In the case of the always off transistor we kind of adopt what's been done with the dummy contact approach. In this case you basically have a contact and you create some silicon insulator some silicon dioxide for example which more or less detaches it and from making contact to the gate. We also actually do this for the source as well. This can actually improve things like leakage current for our always off transistors. And again this is very, very simple to do basically just one new mask step one new coating step and that's all. Okay so the first thing we set out to do was to actually verify that these couldn't be imaged and you couldn't distinguish them for your normal standard cells. So we created these prototypical structures and did some imaging on them. So on the top you have your regular IC where the source and drain are basically shown in these blue boxes and on the middle we actually have this always on transistor where we've again created this shallow doped region which is shown in orange. And we use this test scanner or three SCM in our lab to do the imaging. We used various beam energies which give you different penetration depths as shown in the table. And we also used secondary electron and backscattered electron imaging techniques. So here are results for the regular versus always on. P mouse is on the left and mouse is on the right and kind of in a checkered board pattern you have the normal ones and then you have the always on ones. And the key thing we wanna see here is whether or not that shallow doped channel is actually visible. And as you can see here if you do all the comparisons basically it's never, ever visible. And we found this for all the imaging that we did for all the settings we used and so forth for both P mouse and N mouse this was the case. So the always on one is safe. And for always off we also implemented a prototype where on a silicon wafer we created these gold contacts. On the regular ones they were just solid gold and on the right for the dummy contacts we actually had some silicon insulator in the middle. And once again we did imaging using secondary electron and backscattered electron in the top row and the next row we have regular and dummy. And as you could see there's actually no difference in the contrast whether we use SE or BSE imaging. So once again these are also safe. And finally we took a look at the non-invasive attacks and how they could actually be used to attack this covert gate approach. So to do that let's take a look at the spectrum of attacks that you could actually have. On the very left this is basically the one that I described earlier which was our target where we want every single standard cell in design to be a suspect one that the attacker has to attack. And on the right is kind of more close to the existing channel techniques where they know exactly where the targets are. And in the middle you have a spectrum you could have gates that only some types of gates could be covert only some types of dummy inputs can be dummy and so forth. And for SAT attack we basically tried to focus on three where just a few of the standard cells were potentially covert gates. And for the ATBG one we actually used two which was only one particular gate type and one particular pin type. And in order to do create our net list we did a covert gate insertion approach which was done randomly. The only thing that we disallowed when we were actually getting dummy inputs was we didn't allow a combination of loops to exist in the design because this would be a red flag right away. The attacker wouldn't even have to attack this. They'd know that these were not in the original design. And before we get to the SAT attack let me just discuss our formulations. There was two that we studied. So basically if an attacker encounters a covert gate with a function F and N inputs what they have to do is they could in formulation one enumerate all the possible functions and dummy inputs and they could put all of those and put them into a large MUX. And here the select lines determine which of these functions and gates is actually used. An alternative formulation actually applies the MUXes at the inputs themselves and the MUX actually chooses between the original input that's in the net list and an input that's a non-controlling value that is one that doesn't affect the functionality of the design. In other words it's a dummy input. And as you could imagine as you increase the number of pins for these gates as you increase the number of gates in your design the SAT attack complexity is going to increase as we'll see. So here are some of our results. We compare them to existing camo approaches which are shown in the middle and our approach is shown in the right. This key K here is kind of a function of the number of select lines that the attacker has to break. As you can see in the existing camo approach it's kind of a very small number but if we move to covert gate because we can have so many of them this number is amplified. And if we look at the results you can see the attack times in general all the benchmarks we use except one are breakable by SAT in seconds. On the other hand when you look at our two formulations which one of which is shown in brackets you can see that the vast majority of them time out and the only ones that are broken actually get broken in hours rather than seconds. This is considerably harder. And keep in mind that we only used the number three on the scale of the attack scale. If we went to five these would almost assuredly time out. And for test-based approaches we got even better results because once again, consider we actually used a much, much weaker attacker and the results are basically broken down as follows. When you use these ATBG tools you could get basically four different results. The first is that this is detectable that is using this pattern that's given by the tool you could actually determine if it has a dummy input in which dummy input it is. The next is undetectable which basically means that this covert cell that we've inserted has no impact at all on the design in which case it's kind of a useless one. So these two are actually good for an attacker. And then the last two scenarios are bad for an attacker and good for the defender in that it either cannot determine a pattern at all. It's impossible actually. That means it's untestable or the tool just given the effort that it had couldn't generate a pattern but there's potential that a pattern actually exists. So again, we did this, we did this with focus just on one gate actually per this industrial size benchmark. And we found that basically 91% of them at least are in the green category which is good for us. And actually as you can see when we use for example Nord 2X and Nan 2X which have the largest gate count in the design the number of ATBG untestable is 99% or better which basically means that 99% of the design is cannot be reverse engineered using this test-based technique which is very good. And last but not least let's look a little bit at the overheads and the corruptibility results. So we basically built a schematic model of our covert gate which I won't show for brevity. And what we found is that essentially the area was as you can see here is very very low compared to the original design, less than a percent. And similarly for power, the only area where we actually had some increase was actually the delay. And this is because we actually inserted these gates randomly rather than doing it intelligently and the reason we did that was because we didn't want to get any hints at all to the attacker but if you wanted to avoid things like timing critical paths you could easily bring down this overhead and perhaps get no overhead at all. And in terms of verification failure this basically looks at the outputs and the flip-flops of your design and determines if there are patterns that actually cause a difference between the net list with these covert gates which the attacker gets and again they're assuming they have dummy inputs and the original one. And you can see that those are very very high which is very good. So before ending I just want to acknowledge of course our sponsors NSF and AFOSR for their financial support in this work. I'd also like to thank our partners and sponsors. We're gracious enough to help us get this equipment in our lab to enable this kind of work as well. And in conclusion I'd like to say that I think covert gates are a very very promising technology but one that still even requires additional work for the community. So let's put this in our toolbox and see what we can do with it. Things that I point out here or we can look at Oracle base attacks and formal proofs against them. We can look at Oracle less attacks which could be very very interesting in this case. We'd also of course like to fabricate and characterize real devices to see what their overhead is. And if anybody is here from a foundry and you want to talk more about that I'd be happy to talk with you. And last but not least we want to look at even more advanced microscopy schemes like helium, Indian ion microscopes in the future. So thank you for your attention. I'd be more than happy to answer your questions. Okay. Hi Dominic, nice presentation. There's another part of this though that you didn't address and I was just curious from your experience, maybe you haven't done a lot of it but I mean since this is gonna be pretty tricky right? Cause now you have basically inputs to gates that will not affect the output of the function. So how are you gonna deal with the synthesis problem in the sense that the tools are gonna be confused in some sense that you're gonna be routing to inputs of gates that have no effect on the function. So have you dealt with that yet? Yes it makes sense. So we actually synthesize the design first and then we actually replace these gates and choose the inputs, does that make sense? It does but how do you deal with the routing then? I mean you still have to have wires to go to these gates that you've inserted that have these additional inputs. So you could imagine that this is done either after layout or right before layout and again it's all within your control right? You're not asking the tool to do anything else. You're just writing a script that's actually gonna replace these original standard cells with these ones and you're gonna actually connect the route yourself. Okay. So how does the routing in terms, I mean so how many, I guess how much congestion is added? I guess if you have each of these gates as you mentioned are gonna have additional inputs at least one, right? So that's quite a few wires that you're gonna be adding. That's indeed true but these again are just, they're just like normal standard cells right? So if you had like for example a three input NAND you wouldn't have a problem with routing it normally right? Now you have a three input NAND but one of them has a dummy input. We are not changing the cells really at all except those transistors that are always on and always off. So it doesn't really create any issues like that. Okay, thanks. Yeah, sorry we are slightly out of time so maybe you can ask the question offline. So we now have a coffee break and we'll meet again at 11.40 for the first Invited Talk. Let's thank Dominique again and all the speaker of the session.