DynUnlock: Unlocking Scan Chains Obfuscated using Dynamic Keys
This work addresses security vulnerabilities in chip manufacturing for semiconductor designers and manufacturers, but it is incremental as it builds upon existing SAT attack methods to target a specific defense.
The paper tackles the problem of breaking a rigorous scan chain obfuscation defense that uses dynamic keys to protect semiconductor IP from theft and tampering, and the result is an attack that remodels this defense to be vulnerable to SAT attacks, with applicability to less rigorous techniques as well.
Outsourcing in semiconductor industry opened up venues for faster and cost-effective chip manufacturing. However, this also introduced untrusted entities with malicious intent, to steal intellectual property (IP), overproduce the circuits, insert hardware Trojans, or counterfeit the chips. Recently, a defense is proposed to obfuscate the scan access based on a dynamic key that is initially generated from a secret key but changes in every clock cycle. This defense can be considered as the most rigorous defense among all the scan locking techniques. In this paper, we propose an attack that remodels this defense into one that can be broken by the SAT attack, while we also note that our attack can be adjusted to break other less rigorous (key that is updated less frequently) scan locking techniques as well.