Is Robust Design-for-Security Robust Enough? Attack on Locked Circuits with Restricted Scan Chain Access
This work addresses a critical security problem for hardware designers and manufacturers by exposing flaws in a widely considered robust defense against logic locking attacks, though it is incremental as it builds on prior attack methods.
The authors tackled the vulnerability of a robust design-for-security (DFS) architecture for logic locking, which was believed to thwart attacks by restricting scan access, and successfully broke it by recovering the secret key with ~95% accuracy on average, demonstrating its ineffectiveness.
The security of logic locking has been called into question by various attacks, especially a Boolean satisfiability (SAT) based attack, that exploits scan access in a working chip. Among other techniques, a robust design-for-security (DFS) architecture was presented to restrict any unauthorized scan access, thereby, thwarting the SAT attack (or any other attack that relies on scan access). Nevertheless, in this work, we successfully break this technique by recovering the secret key despite the lack of scan access. Our security analysis on a few benchmark circuits protected by the robust DFS architecture demonstrates the effectiveness of our attack; on average ~95% of the key bits are correctly recovered, and almost 100% in most cases. To overcome this and other prevailing attacks, we propose a defense by making fundamental changes to the robust DFS technique; the new defense can withstand all logic locking attacks. We observe, on average, lower area overhead (~1.65%) than the robust DFS design (~5.15%), and similar test coverage (~99.88%).