SAT-based Reverse Engineering of Gate-Level Schematics using Fault Injection and Probing
This addresses a security vulnerability in hardware design for chip manufacturers and security researchers, offering an incremental improvement over existing reverse engineering techniques.
The authors tackled the problem of reverse engineering gate-level schematics in aggressively camouflaged circuits, showing that standard SAT-based attacks fail to guarantee gate-by-gate equivalence, and they developed a stronger attack combining SAT-based methods with fault analysis to successfully recover the correct schematic, as demonstrated on an S-Box circuit.
Gate camouflaging is a known security enhancement technique that tries to thwart reverse engineering by hiding the functions of gates or the connections between them. A number of works on SAT-based attacks have shown that it is often possible to reverse engineer a circuit function by combining a camouflaged circuit model and the ability to have oracle access to the obfuscated combinational circuit. Especially in small circuits it is easy to reverse engineer the circuit function in this way, but SAT-based reverse engineering techniques provide no guarantees of recovering a circuit that is gate-by-gate equivalent to the original design. In this work we show that an attacker who does not know gate functions or connections of an aggressively camouflaged circuit cannot learn the correct gate-level schematic even if able to control inputs and probe all combinational nodes of the circuit. We then present a stronger attack that extends SAT-based reverse engineering with fault analysis to allow an attacker to recover the correct gate-level schematic. We analyze our reverse engineering approach on an S-Box circuit.