On the Difficulty of FSM-based Hardware Obfuscation

Marc Fyrbiak, Sebastian Wallat, Jonathan Déchelotte, Nils Albartus, Russell Tessier, Chris­tof Paar

IACR Transactions on Cryptographic Hardware and Embedded Systems, Vol. 2018, No. 3, pp 293-330, 2018. (presentation at CHES 2018, Amsterdam, The Netherlands, September 9 – 12, 2018)


Abstract

In today’s Integrated Circuit (IC) production chains, a designer’s valuable Intellectual Property (IP) is transparent to diverse stakeholders and thus inevitably prone to piracy. To protect against this threat, numerous defenses based on the obfuscation of a circuit’s control path, i.e. Finite State Machine (FSM), have been proposed and are commonly believed to be secure. However, the security of these sequential obfuscation schemes is doubtful since realistic capabilities of reverse engineering and subsequent manipulation are commonly neglected in the security analysis. The contribution of our work is threefold: First, we demonstrate how high-level control path information can be automatically extracted from third-party, gate-level netlists. To this end, we extend state-of-the-art reverse engineering algorithms to deal with Field Programmable Gate Array (FPGA) gate-level netlists equipped with FSM obfuscation. Second, on the basis of realistic reverse engineering capabilities we carefully review the security of state-of-the-art FSM obfuscation schemes. We reveal several generic strategies that bypass allegedly secure FSM obfuscation schemes and we practically demonstrate our attacks for a several of hardware designs, including cryptographic IP cores. Third, we present the design and implementation of Hardware Nanomites, a novel obfuscation scheme based on partial dynamic reconfiguration that generically mitigates existing algorithmic reverse engineering.

[PDF] [DOI]

Tags: FSM-based Hardware Obfuscation, Hardware Nanomites, Hardware Obfuscation, Hardware Reverse Engineering