
A survey of algorithmic methods in IC reverse engineering

  • Regular Paper
Journal of Cryptographic Engineering

Abstract

The discipline of reverse engineering integrated circuits (ICs) is as old as the technology itself. It grew out of the need to analyze competitors’ products and to detect possible IP infringements. In recent years, the growing hardware Trojan threat has motivated fresh research interest in the topic. The process of IC reverse engineering comprises two steps: netlist extraction and specification discovery. While netlist extraction is rather well understood and established techniques exist throughout the industry, specification discovery still presents researchers with a plurality of open questions and therefore remains of particular interest to the scientific community. In this paper, we present a survey of the state of the art in IC reverse engineering, focusing on the specification discovery phase. Furthermore, we list noteworthy existing works on methods and algorithms in the area and discuss open challenges as well as unanswered questions. In doing so, we observe that the state of research on algorithmic methods for specification discovery suffers from the lack of a uniform evaluation approach. We point out the urgent need to develop common research infrastructure, benchmarks, and evaluation metrics.


Notes

  1. https://opencores.org.

  2. https://github.com/emsec/hal-benchmarks.


Acknowledgements

Part of this work was supported by the European Research Council (ERC) under the European Union’s Horizon 2020 Research and Innovation programme (ERC Advanced Grant No. 695022 (EPoCH)), as well as the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) under Germany’s Excellence Strategy - EXC 2092 CASA – 390781972.


Corresponding author

Correspondence to Leonid Azriel.


About this article


Cite this article

Azriel, L., Speith, J., Albartus, N. et al. A survey of algorithmic methods in IC reverse engineering. J Cryptogr Eng 11, 299–315 (2021). https://doi.org/10.1007/s13389-021-00268-5
