# Novel Bypass Attack and BDD-based Tradeoff Analysis Against All Known Logic Locking Attacks

## Abstract

Logic locking has emerged as a promising technique for protecting gate-level semiconductor intellectual property. However, recent work has shown that such gate-level locking techniques are vulnerable to Boolean satisfiability (SAT) attacks. In order to thwart such attacks, several SAT-resistant logic locking techniques have been proposed, which minimize the discriminating ability of input patterns to rule out incorrect keys. In this work, we show that such SAT-resistant logic locking techniques have their own set of unique vulnerabilities. In particular, we propose a novel “bypass attack” that ensures the locked circuit works even when an incorrect key is applied. Such a technique makes it possible for an adversary to be oblivious to the type of SAT-resistant protection applied on the circuit, and still be able to restore the circuit to its correct functionality. We show that such a bypass attack is feasible on a wide range of benchmarks and SAT-resistant techniques, while incurring minimal run-time and area/delay overhead. Binary decision diagrams (BDDs) are utilized to analyze the proposed bypass attack and assess tradeoffs in security vs overhead of various countermeasures.

## Notes

### Acknowledgment

This research is supported in part by Cisco Systems Inc, and by the AFOSR award number FA9550-14-1-0351.
