 This is the hardware obfuscation and it's going to be given by Mark Furbyak, which is also from University of Boko. Yeah, hello everyone. Thanks for the introduction. Today I will present our results on FSM-based hardware obfuscation. So first, let's start with a simple observation. So the modern hardware design flow is heavily globalized and involves numerous stakeholders. Since the implementation and intellectual property is visible to numerous untrusted stakeholders, this is an issue for IP owners. For example, just assume untrusted offshore fab who may overproduce chips as they already have the masks. A potential solution to this problem is to deploy IP theft protection and obfuscation methods to the design in order to hinder this issue and achieve some form of post-manufacturing controllability for the IP owner. And here one strand of research has analyzed finite state machine-based schemes and commonly it is believed that they are secure and provide strong protection. And our basic research question was how secure are these schemes actually. And note that in this talk I will just focus on the dynamic state deflection scheme. The other schemes are in the paper detailed and described. So before we come to all the FSM stuff, we first state our adversary model. We assume that the adversary has access to the gate level netlist equipped with some form of FSM obfuscation. And here is no a priori information about the module hierarchies or internal names of the gates and signals. And of course the goal is to de-obfuscate the design and to commit some form of IP infringement. So for example one instantiation would be an untrusted fab who wants to over-produce chips. And now let's have a look at the dynamic state deflection scheme. So basically we have two parts. So in the middle the blue original FSM is equipped with two other parts, a red obfuscation FSM and the black hole FSM. The key idea is now that the new initial state is now not in the blue part but in the red part. You see in the bottom left state with the ingoing arrow. This is like the new initial state. And the key idea about the scheme is now we have an enabling key. Basically this is a sequence from this new initial state to the original one in blue. So you would need all these inputs to go there. This is the enabling key and this is only known to honest parties. And the thing with the black hole FSM is that a valid key has to be present in the original states to ensure that the design is working properly. And our question here was how challenging is FSM reverse engineering and how secure is the scheme? Because if we could somehow reverse engineer the finite state machine from the gate level net list and obtain the state transition graph, we could directly read the enabling key and then for example over-produce chips or do whatever kind of IP infringement we want to do. So first in the following I will talk a little about automated FSM reverse engineering strategies and with this knowledge in mind we will come back to the dynamic state deflection scheme and later on I will present a novel FSM obfuscation primitive that we developed that is suited for FPGAs called hardware nanomites. So when you want to reverse engineer FSM gates, it has some properties so below, there is a general model of a Moore automata implemented in hardware so in the middle you have the state memory that stores the current state and together with the input and the transition logic realises the state transition function and of course there is also some output logic to steer some complex data path for example some CPU data path or some AES or whatsoever. And even though this model appears to be very basic it has some inner end characteristics that are very important for us in order to determine the gates that implement the gate level net list that implement the FSM in the gate level net list. And the first thing is we have the first property, this is register control signal so basically the state memory has some control signals like clock, enable signal, set and reset signals and typically for FSMs each flip-flop has the same set of control signals so we group all flip-flops in the gate level net list according to the set of control signals. The second observation in this graph is that we have a strongly connected component basically this means there is a circle in this figure from the state memory via the transition logic and back to the state memory. And in particular the strongly connected component is further characterised. We have when you have a look at like each flip-flop in the state memory and you go via the state transition logic back to the same flip-flop you have just a combinational logic feedback path so there is no flip-flop in between. The second observation here is that basically each flip-flop in the state memory influences and depend on each other for the state transition function. So if this sounds complex we will have an example later on this property. And last but not least the AC control behaviour so the state memory typically connects also to some output logic that is not in the strongly connected component to realise the control signals and steer the data path. So with these four properties in mind we can identify which gates in the gate level net list belong to an FSM candidate but still we then have the gates but not the state transition graph so this is the next step so where we want to determine the state transition graph from the gates. And there is a simple example here shown on the right. So assume all the gates and signals have been derived by the different properties so we have just a single input bit i, a single output bit o and three gates and if you have a look at the graphic representation it looks like this and basically reassembles our model that we have seen before. So we have the XOR gate G1, the flip-flop G2 and the inverter G3 that realises the output logic. And now we want to obtain the state transition graph from the circuit so how do we start? So assume G2 is initialised with zero so we start with an initial state S0 and since we have the output which is an inverter the output o is one because we invert the zero bit and just get one. So and what happens next is we basically brute force the input i, we start with the zero and we know G2 stores a zero because we have zero state. The input is zero so zero, XOR zero, still zero so we stay in the state zero. And now once we have the input i as one then we know we have a new state called S1 that stores the one in G2 and of course the output is then zero because it's inverted. And then we basically do the same again for state S1 we have a one in G2 and for the input zero we stay in S1 and for the one we go back. So basically this is the key idea how to determine the state transition graph from the FSM dates. And in the paper we have formulated this as two algorithms. Basically we start with the gate-level net list, we perform the topological analysis that uses basically these four properties as shown before. We get a set of FSM candidates of the gates that might implement an FSM and then we perform the Boolean function analysis to just extract the state transition graph and further information for the FSM so all the details are there in the paper. What is important? So the complexity of this Boolean function analysis is basically the number of states multiplied with two to the power of the number of inputs. So for each state we brute force all the inputs so this is important for later. So with this knowledge of FSM reverse engineering in mind let's come back to the dynamic state deflection. So as noted before we have some dynamic state deflection scheme with the three parts, the original FSM, the red part and the black hole part and the enabling key is just known to honest parties. And in a case study we implemented an AES circuit and equipped the AES state machine with the dynamic state deflection scheme and we used a 12 bit enabling key, 14 obfuscation states and five black hole states per original one which basically reassembled the evaluation numbers from the previous works. And now let's start with the topological analysis first. So our topological analysis said okay there's a candidate. This candidate has eight flip flops, 21 inputs and some score. The score basically says the influence and dependence is 0.625. What this means is we measure how many flip flops influence and depend on each other. So typically you would expect that we have a score of at least one so that each flip flop influences and depends on each other. A value of zero would mean the opposite. And here we see we have basically two groups and we will focus on the group FF1 to FF6 because we see hey it might be that FF7 and FF8 are just false positive detected flip flops and here in the output of our command line tool we see okay this group might be of further interest. Let's have a look here. And when we analyze this group further with the Boolean function analysis we get this nicely colored graph. This is directly from the AS circuit. And it's also we were able to color this graph which is kind of great because again we have strongly connected components in there. What this means is for example have a look at the black hole states. So every black hole state can just visit each other so they can't go back to the blue state so they form a strongly connected component basically a circle that cannot be left. The same holds also for the obfuscation FSM. So basically for each red state I can reach every other red state but once I would leave the red state via the edge there shown which connects to the blue one I wouldn't be able to go back to the red state. So red states and black states form a strongly connected component and also the blue part basically forms a strongly connected component because for blue parts I can only I can reach all other blue parts but once I would go into the black states I couldn't go back to the blue part. What is important is that our computational complexity for the size took around five minutes on the standard laptop. The topological analysis for this one was like done in two minutes and what is most importantly now when we have the state transition graph you see these states in the red obfuscation FSM marked as a square. So basically these are the states and the state transition function set of particular interest because we now could simply read out the enabling key from this graph and for example overproduce chips or do any other form of IP infringement. Summary of results so for this part we also had a look at the other schemes we found several issues and they are all described in the paper. Lessons learned from this basically the topological analysis yields the FSM gate so we directly know even for a large gate level net list we know there might be an FSM implemented in these kind of gates and also an issue was that we were able to separate the obfuscation part from the original part so in the last part with the dynamic state deflection you have seen that we could also analyze the state transition graph for circles and the complexity of Boolean function analysis was also not as high as previously thought. So let's briefly come to our new primitive. Our main idea was the topological analysis always yields the FSM gate so let's try to hide this information and we did it with a partial reconfiguration so basically the state transition graph shown on the right is split into several partial designs and each partial design is then reconfigured in this dynamic physical block the red part and together with the state register and the static data pass computes the original functionality. What is important here that partial reconfiguration yields really interesting properties so first we have self-modifying hardware because during different points in time the dynamic physical block implements other functionality and also we have a nice anti-simulation primitive because simulating partial reconfigurable designs is very hard at the moment. Let's have a look at the evaluation numbers so basically what is important to see the line marked in red so the complete static design appears to be really large with like 28k lutz and 30k flip-flops but note that this was for a non-SOC FPGA for a SOC FPGA we could repurpose the for example on a xylings sync board could repurpose the A9 processor instead of the microblades and most of these components like the BDR controller or the Axis Smart Connect are also found in general design so they could be also repurposed for our part and then the overhead is not as large. The part for the dynamic physical block is really small because it's just implementing the state transition function with 240 lookup tables and 320 flip-flops and in the paper we have also security analysis why it's challenging to reverse engineer. So in conclusion, we demonstrated several generic and semi-automated strategies on state-of-the-art FSM obfuscation schemes and we're able to bypass that protection and we proposed a novel FSM obfuscation primitive for field programmable gate arrays. So with this, thanks for your attention and I'm happy to answer any questions. Any questions for Mark? Hello. Do you have results that compare the normal M here? Hi. Do you have results that compare the normal FSM M with your proposed solution? The result that compare the GE, the gate equivalent? The gate equivalent? Are the hardware GE, the original FSM and are your solution FSM? Do you have results on that? In this number or what do you mean? Are the original FSM? The original FSM was like really really small I mean this was like five state FSM like which is I don't know six flip-flops and like I don't know 20 LUTs or something so this is really small this is more like a primitive to realize any kind of obfuscation so this is like first the ecosystem to realize then something for example it could be that you use this implementation to also have some previous obfuscation mode for your design and then later on just have your normal design that you don't have this large overhead in the hardware but just have it once at startup and then it's heavily obfuscated and then it's like easier in the end. Yeah because I want to know the overhead of it. Yeah the overhead like just if you do it once is like pretty large I think the design ran with like 100 megahertz due to the DDR controller and it took like 485,000 cycles to do like five reconfigurations when I remember correctly I'm not sure it's in the paper. Another question for Marc? Okay I do have one quick question. There's one. Hello. Oh hi. Hi. One question about the previous the framework where you did analysis of the state machine. Yes. What happens if my state machine used B-RAM instead of flip-flops? Yeah I mean we didn't handle B-RAM because but it's also potential because I mean then just the state memory is just implemented in a B-RAM but it will have the same property so there will be a cycle again there will be just combinational logic for the state transition function and so on so this is like easily added to our like program. But then the problem is like for the B-RAM if I have all the states in the B-RAM how are you going to know if one state goes to another? How do you know the dependency of states? Because we analyze the input as well. I mean yes we have all the states but we basically brute force the input and we know okay we have some initial state because it's somewhere the design is initialized and with the simulated input we know which is like the next state that is then read from some address and stored somewhere. Okay. Okay. We don't have time for other questions so let's thank Mark and Max again and they'll give the microphone to Pierre Alain for the next session.