Biblio

Globalization of the integrated circuit (IC) supply chain exposes designs to security threats such as reverse engineering and intellectual property (IP) theft. Designers may want to protect specific high-level synthesis (HLS) optimizations or micro-architectural solutions of their designs. Hence, protecting the IP of ICs is essential. Behavioral locking is an approach to thwart these threats by operating at high levels of abstraction instead of reasoning on the circuit structure. Like any security protection, behavioral locking requires additional area. Existing locking techniques have a different impact on security and overhead, but they do not explore the effects of alternatives when making locking decisions. We develop a design-space exploration (DSE) framework to optimize behavioral locking for a given security metric. For instance, we optimize differential entropy under area or key-bit constraints. We define a set of heuristics to score each locking point by analyzing the system dependence graph of the design. The solution yields better results for 92% of the cases when compared to baseline, state-of-the-art (SOTA) techniques. The approach has results comparable to evolutionary DSE while requiring 100× to 400× less computational time.

Register Transfer Level (RTL) locking seeks to prevent intellectual property (IP) theft of a design by locking the RTL description that functions correctly on the application of a key. This paper evaluates the security of a state-of-the-art RTL locking scheme using a satisfiability modulo theories (SMT) based algorithm to retrieve the secret key. The attack first obtains the high-level behavior of the locked RTL, and then use an SMT based formulation to find so-called distinguishing input patterns (DIP)1 The attack methodology has two main advantages over the gate-level attacks. First, since the attack handles the design at the RTL, the method scales to large designs. Second, the attack does not apply separate unlocking strategies for the combinational and sequential parts of a design; it handles both styles via a unifying abstraction. We demonstrate the attack on locked RTL generated by TAO [1], a state-of-the-art RTL locking solution. Empirical results show that we can partially or completely break designs locked by TAO.

Researchers develop bioassays following rigorous experimentation in the lab that involves considerable fiscal and highly-skilled-person-hour investment. Previous work shows that a bioassay implementation can be reverse engineered by using images or video and control signals of the biochip. Hence, techniques must be devised to protect the intellectual property (IP) rights of the bioassay developer. This study is the first step in this direction and it makes the following contributions: (1) it introduces use of a sieve-valve as a security primitive to obfuscate bioassay implementations; (2) it shows how sieve-valves can be used to obscure biochip building blocks such as multiplexers and mixers; (3) it presents design rules and security metrics to design and measure obfuscated biochips. We assess the cost-security trade-offs associated with this solution and demonstrate practical sieve-valve based obfuscation on real-life biochips.

Anti-virus software (AVS) tools are used to detect Malware in a system. However, software-based AVS are vulnerable to attacks. A malicious entity can exploit these vulnerabilities to subvert the AVS. Recently, hardware components such as Hardware Performance Counters (HPC) have been used for Malware detection. In this paper, we propose PREEMPT, a zero overhead, high-accuracy and low-latency technique to detect Malware by re-purposing the embedded trace buffer (ETB), a debug hardware component available in most modern processors. The ETB is used for post-silicon validation and debug and allows us to control and monitor the internal activities of a chip, beyond what is provided by the Input/Output pins. PREEMPT combines these hardware-level observations with machine learning-based classifiers to preempt Malware before it can cause damage. There are many benefits of re-using the ETB for Malware detection. It is difficult to hack into hardware compared to software, and hence, PREEMPT is more robust against attacks than AVS. PREEMPT does not incur performance penalties. Finally, PREEMPT has a high True Positive value of 94% and maintains a low False Positive value of 2%.

As digital microfluidic biochips (DMFBs) make the transition to the marketplace for commercial exploitation, security and intellectual property (IP) protection are emerging as important design considerations. Recent studies have shown that DMFBs are vulnerable to reverse engineering aimed at stealing biomolecular protocols (IP theft). The IP piracy of proprietary protocols may lead to significant losses for pharmaceutical and biotech companies. The micro-electrode-dot-array (MEDA) is a next-generation DMFB platform that supports real-time sensing of droplets and has the added advantage of important security protections. However, real-time sensing offers opportunities to an attacker to steal the biochemical IP. We show that the daisychaining of microelectrodes and the use of one-time-programmability in MEDA biochips provides effective bitstream scrambling of biochemical protocols. To examine the strength of this solution, we develop a SAT attack that can unscramble the bitstreams through repeated observations of bioassays executed on the MEDA platform. Based on insights gained from the SAT attack, we propose an advanced defense against IP theft. Simulation results using real-life biomolecular protocols confirm that while the SAT attack is effective for simple instances, our advanced defense can thwart it for realistic MEDA biochips and real-life protocols.

Researchers develop bioassays by rigorously experimenting in the lab. This involves significant fiscal and skilled person-hour investment. A competitor can reverse engineer a bioassay implementation by imaging or taking a video of a biochip when in use. Thus, there is a need to protect the intellectual property (IP) rights of the bioassay developer. We introduce a novel 3D multilayer-based obfuscation to protect a biochip against reverse engineering.

Recent hardware advances, called gate camouflaging, have opened the possibility of protecting integrated circuits against reverse-engineering attacks. In this paper, we investigate the possibility of provably boosting the capability of physical camouflaging of a single Boolean gate into physical camouflaging of a larger Boolean circuit. We first propose rigorous definitions, borrowing approaches from modern cryptography and program obfuscation areas, for circuit camouflage. Informally speaking, gate camouflaging is defined as a transformation of a physical gate that appears to mask the gate to an attacker evaluating the circuit containing this gate. Under this assumption, we formally prove two results: a limitation and a construction. Our limitation result says that there are circuits for which, no matter how many gates we camouflaged, an adversary capable of evaluating the circuit will correctly guess all the camouflaged gates. Our construction result says that if pseudo-random functions exist (a common assumptions in cryptography), a small number of camouflaged gates suffices to: (a) leak no additional information about the camouflaged gates to an adversary evaluating the pseudo-random function circuit; and (b) turn these functions into random oracles. These latter results are the first results on circuit camouflaging provable in a cryptographic model (previously, construction were given under no formal model, and were eventually reverse-engineered, or were argued secure under specific classes of attacks). Our results imply a concrete and provable realization of random oracles, which, even if under a hardware-based assumption, is applicable in many scenarios, including public-key infrastructures. Finding special conditions under which provable realizations of random oracles has been an open problem for many years, since a software only provable implementation of random oracles was proved to be (almost certainly) impossible.

A digital microfluidic biochip (DMFB) is an emerging technology that enables miniaturized analysis systems for point-of-care clinical diagnostics, DNA sequencing, and environmental monitoring. A DMFB reduces the rate of sample and reagent consumption, and automates the analysis of assays. In this paper, we provide the first assessment of the security vulnerabilities of DMFBs. We identify result-manipulation attacks on a DMFB that maliciously alter the assay outcomes. Two practical result-manipulation attacks are shown on a DMFB platform performing enzymatic glucose assay on serum. In the first attack, the attacker adjusts the concentration of the glucose sample and thereby modifies the final result. In the second attack, the attacker tampers with the calibration curve of the assay operation. We then identify denial-of-service attacks, where the attacker can disrupt the assay operation by tampering either with the droplet-routing algorithm or with the actuation sequence. We demonstrate these attacks using a digital microfluidic synthesis simulator. The results show that the attacks are easy to implement and hard to detect. Therefore, this work highlights the need for effective protections against malicious modifications in DMFBs.