 Hi everyone, my name is Nimesha Lemay and I will be presenting a work which comprises three attacks on state-of-the-art task log defence and its variants. The defences were proposed to thwart threats of intellectual property piracy and integrated circuit overproduction. Through this defence, I will explain the importance of the threats, the solutions proposed so far and the assumptions which led to the success of a proposed attacks. This work is in collaboration with New York University Abu Dhabi. The outline for the presentation is as follows. I will first provide a brief background of the IC supply chain model and threats risen from it. Then briefly I will explain the concept of logic locking before delving deeper into the defences under consideration. Next I will walk you all through our proposed attacks on these considered defences by also providing supporting experimental results before concluding my talk. Let's start with the introduction. In the early 1980s, the integrated circuit supply chain used to follow a vertical approach, where a single company used to own and operate every stage of the IC supply chain including fabrication. But with sub-nanomated technology, cost of fabrication increased. For example, it costed an infinite 2.6 billion euros to set up and operate a 140-nanomated technology fab, whereas for TSMC, the cost of owning a 28-nanomated fab is around 9.3 billion dollars. With such economic constraints, a horizontal model was adopted where design companies would outsource the fabrication and testing to entities already having set up for these technology nodes. There is roughly one foundry for 11 design houses. However, with such a supply chain model, where design house and foundry are different entities lying anywhere in the world, there is a risk of security. Attacks such as IP piracy or IC overproduction, counterfeit of ICs and insertion of hardware torsion can be realized in such an outsourced horizontal supply chain model. It has been reported that around 15% of Pentagon devices are counterfeit and that it has cost 7-10 billion dollars as a result of IP piracy. In this work, we focus on the threat of IP piracy and the solutions proposed to safeguard against this threat. Several design for dust solutions have been proposed to port IP piracy attack. Amongst which, logic locking is a holistic solution that protects against multiple untrusted entities such as foundry, test facility and end users in the IC supply chain. Before getting into the logic locking concepts, I will outline the IC design flow first. This is the traditional or insecure IC design flow where design house produces a GDSU file which contains the geometric details of the netlist or the out. This GDS file is then sent to the outwashed foundry for fabrication and then to test facility for structural testing and finally the chip is assembled and packaged for end users. This traditional flow is however an insecure flow as mentioned before where the original design is passed on to the outsourced untrusted foundry and test facility and finally dispatched for free use. Untrusted entities having direct access to the original design can easily copy or pirate the design thereby carrying out the IP piracy attack. Now when the original design is upheld with the logic locking defense, locked design without the secret key is forwarded to the untrusted entities to produce a locked chip. Without the secret key the untrusted entities and no longer pirate or copy the design for IP piracy attack. Before shipping the chip for free use the locked design is unlocked at a trusted trusted facility. The secret key is loaded onto a tamper proof memory and the design is unlocked before shipping the chip to market for free use. Now let me provide you all with an example to explain logic locking. Consider the original circuit developed by a trusted designer. Using logic locking as a design for trust solution the IP owner locks the original circuit or netlist using additional gates commonly known as key gates. The input of these key gates is called as key input. Consider an all-zero pattern applied to the original circuit whose correct response is bit zero. Now for the correct key the locked circuit functions correctly and outputs a bit zero for the same input pattern but for an incorrect key the locked circuit functions incorrectly. So in short with logic locking the circuit is converted into a password particular chip and towards IP piracy and IC overproduction attacks. In this work we assume the most powerful attacker who has access to the working chip which can be purchased from the market with the secret key loaded inside. The working chip is an oracle and the attacker also has access to the reverse engineered netlist that includes the key logic. This can be obtained by reverse engineering the physical chip or the GDSU file. Now the attacker can simulate and apply these input patterns to the working chip to collect the output responses. The attacker can then figure out the secret key and break the defense. The likely attacker in this case can be an antiracid foundry, antiracid test facility and end user or even a combination of these. Example of such an attack is sabotage. Further it is consistent with Curse of Principle which states that everything about the system except for secret key must be known to the attacker. There has been an extensive research work going on in the domain of logic locking since more than a decade with early efforts in developing high output corruption schemes such as RLL, FLL and SLL which were subsequently broken by algorithmic attacks exploiting the high output corruption property of these different schemes. Later point function based solutions were proposed which pushed the efforts of these algorithmic attacks to exponential limits. However, even such techniques were short lived and exploited by structural and miscellaneous attacks. Logic locking research then saw a plethora of defense and attack works. Recently a new logic locking defense was proposed for the class log which we considered in this work. Now let me provide you all with a brief background on SAT attack and the point function based schemes. SAT attack was proposed in 2015 which breaks traditional high output corruption locking techniques by ruining out multiple incorrect keys in each iteration. Hence the complexity of SAT attack is measured in the number of SAT iterations and for traditional locking techniques the number of SAT iterations lie in the range of 100. A possible direction to port the SAT attack is to design a low corruption scheme where the SAT attack is forced to eliminate only one incorrect key for iteration thereby exponentially increasing the attack complexity. Some examples of low corruption techniques use point functions in the design such as SAT lock, anti-SAT and SFL. SAS lock is a variant of anti-SAT where the point function is replaced by diversified version. However, all these SAT is lean techniques are vulnerable to structural attacks. And as mentioned in this work we will investigate a proposed with structural attacks on the class lock defense and its variants. Now we will move on to the background on class lock and the M-class defense. The class lock defense consists of two parts original circuit and the point function sub-circuit. To secure against structural attacks it is critical for the point function to get merged with the original circuit. However, state-of-the-art CAD or synthesis tools fail to resolve the structures and hence with the substructure identifiable the structural attack can be successfully launched. With this attack the point function sub-circuit is removed and the original netlist is recovered. Now that we know how the class lock defense works we dive into its security analysis and launch of proposed attacks. We first discuss about the proposed IFS attack on the class lock defense. In anti-SAT the G and G bar blocks comprise an anti which is a point function structure. However, in class lock the cascade of and or gates forms the G and G bar blocks. It is nothing but a diversified point function. To successfully launch the IFS attack we first need to identify the flip signal Y and its value. We place all the key inputs in the point of convergence to obtain the flip signal. Next, using an oracle we identify the value of this flip signal. For this case it is logic zero and setting this signal Y to logic zero bypasses the class lock protection to obtain the original design. This is a core example of one ISCAS-85 benchmark C432. We observed success on 14 out of 15 circuits from ISCAS-85 and ITC-99 Ventimax v. Since this is a circuit recovery attack we cannot recover the secret key using it. To recover the secret key we propose a key bit mapping attack or KBM attack in short. Consider two complementary point function blocks G-GAS and G-GAS bar. Signal Y is the AND of these two complementary blocks. Each of these blocks takes in as input X key input K and a random vector R. In class lock instead of a point function structure there is a cascade of AND or gates. Similar to the above equation signal Y is characterized as follows. Now we set one part of the key as all zeros and aim to recover the other part. After recovering the other part of the key we obtain the value of the flip of the signal Y and recover the origin circuit. However setting K1 to 0 is difficult as bitwise mapping is unknown. Next we look into how to obtain the bitwise mapping between the two parts of the key. We collect the key inputs connected to the same PI or internal net. In this case K0 and KN are connected to input IN0 and hence these two key inputs will be placed in different pins and will have a bitwise mapping between them. Similarly K1 and KN plus 1 are connected to the same input and will be placed in different bins and also with K2 and KN plus 2. Here is an example showing how the key bit mappings are identified from an actual schematic. After identifying the bitwise mapping between the two keys setting one part to some random value leads to the retrieval of the second part of the key using the SAT attack. Now setting one part of the key reduces the key serve space from 2 to the power 2n to 2 to the power n thereby adding the SAT attack. We can see here that without a proposed KBM SAT attack the number of SAT iterations exponentially increase with the key size. However with the KBM SAT attack the number of iterations have reduced to linear complexity. Thus we have successfully recovered the secret key unlocking the lock design in few minutes as compared to yours. We successfully launched our proposed attacks on the CAS lock defense to first recover the original socket and then to recover even the secret key. Next we will look into another variant of CAS lock which is known as Mirrored CAS or MCAS. In Mirrored CAS or MCAS defense two CAS blocks are attached back to back as shown here. There are two keys used in MCAS one is hard-coded in the design while the other key is fed as user input. Now only when the K secret equals K CAS y out equals y origin and the original socket gets recovered. Removing the Y CAS block will no longer return the original socket it will now return a modified socket which consists of original and hard-coded secret key. Ideally Y secret should be indecipherable due to CAT tool optimizations making the hard-coded component resolved in the original socket. However the state-of-the-art CAT tools are not segregated centric and thus fail to successfully dissolve Y secret within the original design. Thus identifying Y secret and removing it returns the original socket. The IFS SAT attack has three main steps peeling of Y CAS, identifying flip signal Y secret and finally launching SAT attack to decipher K secret. Step one of peeling Y CAS can be done either using IFS attack or KBM SAT attack previously shown in the CAS law defense. For identifying Y secret the signal must be connected to all PIs. The signal must have at most two and two input gates in its fan-in and finally it must have a linear or a cascaded structure in its fan-in cone. Here we show a toy example the net highlighted in purple is the Y secret which is the flip signal. There are 31 gates in the fan-in of the signal as highlighted in red. The number of primary inputs connected to all these 31 gates are 32 and also as we can see the linear structure is clearly visible. Hence to recover the secret key K secret we need to set Y CAS equal to Y secret such that Y out becomes Y origin. Now after identifying the flip signal we invoke the SAT attack to find K CAS. Setting correct K CAS will make Y CAS equal to Y secret and the original circuit will be successfully recovered. In note here that although we are invoking a SAT attack we are not using an oracle instead we are using the Y secret block with correctly orally hard coded as the oracle for the Y CAS block with key inputs accessible as primary inputs. SAT attack tool will return the K CAS key which is nothing but the K secret key hence we only require a reverse engineered lock netlist to launch the IFS SAT attack. Thus the proposed attack is successful and highlights the error news assumptions about the SAT tools and the dissolution of the structure. Next we move on to the experimental results for the three attacks proposed in this work. We launched our IFS attack on total of 15 circuits from ISCAS 85 and ITC 99 benchmark suite synthesized with full library and with only two input gates constrained library on CAS defense and collected the results for flip signal value the level at which the flip signal was found from the output port and the time taken by the attack. As we can see synthesis induces changes in the value of flip signal from 0 to 1. Hence assuming the value of Y to be always 0 is incorrect and hence launching our IFS attack is pivotal to know the correct value of the by signal. Further we also observe that when primary output port is protected then the flip signal lies at at most level three from the primary output port. Lastly the time taken by our IFS attack is less than 15 seconds. Next we launch a KBM SAT attack on the CAS lock defense to recover the secret key unlocking the locked circuits. We observe 100 success for all the 15 circuits. Now without KBM SAT the SAT attack iterations go to the power 2n as we observed before. However with KBM SAT attack after setting one part of the key the number of SAT iterations become linear with respect to key size. Next we launched our IFS SAT attack on total of 15 circuits from ISCAS 85 and ITC 99 benchmark suite against synthesized with full library and with only two input gates constrained library on mcal defense and collected the results for flip signal value the level at which the flip signal was found from the output port and the time taken by the attack. As we can see the synthesis induces changes in the value of flip signal from 0 to 1 similar to what we observe in the CAS lock defense hence assuming the value of y will always be 0 is incorrect and launching our IFS attack is again pivotal to know the correct value of the y signal. Further we also observe that when the primary output port is protected then the flip signal lies at at most level 3 from the output port. Now after identifying the flip signal and its value we extract the hard coded CAS block and run SAT attack on it using the key control CAS block to recover this kc grid key. The time taken by our IFS SAT attack is in total at max 24 minutes with SAT attack taking the majority of the time. Lastly as a note IFS SAT attack is launched in an oracle-less setting. The hard coded CAS block is fed as a built-in oracle to the SAT attack along with the key control CAS block as the locked circuit. Next we launched IFS SAT attack on varying key sizes and observed 100 percent success across all the cases. We then checked the effect of technology nodes on the efficacy of our IFS SAT attack and observed that technology node had no effect on the attack efficacy. Similarly the synthesis tools also did not play a role in sorting our IFS SAT attack. The failures we see in the table are due to the presence of logic 0 and logic 1 signals in the design which either of the tools resolve separately. Thus we experimentally verified the efficacy of all three of our proposed attacks across different library gates, different technology nodes and different CAD tools. To summarize we were successfully able to break 14 out of 15 circuits for all the three attacks. With IFS and KBM as preprocessing steps the number of SAT iterations have reduced to few hundreds which in turn reduced the runtime of the attack. We also verify the efficacy of our attacks on different key sizes, technology nodes and CAD tools. Since we concluded although the defense techniques are theoretically secure the hardware implementation leaves structural traces which can then be exploited by an attacker to recover the original design. Thus through this work we caution the designers about the security assumptions when implementing an algorithmically secure defense in after-hardware.