Vulnerability Assessment of Logic Locking Techniques: Towards Next Generation Attacks on Logic Locking



Journal Title

Journal ISSN

Volume Title



To save the ever-increasing costs of maintaining an integrated circuit (IC) supply chain facility, take advantage of cutting-edge technology nodes, and meet the market demand, the manufacturing supply chain of ICs is globally distributed, known as the horizontal model in the supply chain. In the IC supply chain's horizontal model, separate entities fulfill various stages of design, fabrication, testing, packaging, and integration of ICs, forming a globally distributed chain. Outsourcing different stages of the manufacturing supply chain to the third-party facilities with no reliable monitoring on them results in identifying them as untrusted entities. Involving untrusted third-party facilities in supply chain manufacturing has introduced multiple forms of security threats such as IC overproduction, hardware Trojan insertion, reverse engineering (RE), intellectual property (IP) theft, and counterfeiting. To combat these threats, many design-for-trust countermeasure mechanisms have been widely studied in the literature, such as watermarking, IC metering, IC camouflaging, split manufacturing, and logic obfuscation. Amongst them, logic obfuscation a.k.a. logic locking, as a proactive scheme, has received significant attention in recent years, in which the designer would be able to add post-manufacturing programming capability into the circuits. Logic obfuscation is the process of hiding the correct functionality of a circuit, during the stages at untrusted parties, when the programming value, referred to as the key, is unknown. Only once the correct key is provided, the circuit behaves correctly, and the correct key would be initiated and stored in a tamper-proof non-volatile memory after fabrication at a trusted party. However, the introduction of different de-obfuscation attacks, particularly Boolean satisfiability (SAT)-based attacks, have undermined the effectiveness of the vast majority of existing logic locking countermeasures. The evolution of different de-obfuscation attacks in recent years results in the introduction of numerous logic locking solutions, which makes them resilient and robust against many of the state-of-the-art de-obfuscation attacks, including SAT-based attacks. In this thesis, we first provide a comprehensive overview of the state-of-the-art defense and attack mechanisms in logic locking. Then, we reveal some limitations of the existing attack mechanisms leading us to introduce newer and stronger attack approaches with much more capabilities and performance compared to the existing ones. For this purpose, we introduce the satisfiability modulo theory (SMT) attack, in which the adversary has the capability of modeling non-Boolean logic locking mechanisms using theory solvers. SMT attack is the first of its kind that is able to model non-Boolean characteristics of the circuit. Then, we will introduce the neural network guided SAT (NNgSAT) attack that exploits the benefit of a message passing neural network (MPNN) to reduce the complexity of the de-obfuscation model, especially when complex structures, such as routing modules and multipliers, are parts of the logic locked circuits. After that, we also go one step further and propose two new countermeasures to combat state-of-the-art attacks. Unlike almost all state-of-the-art logic locking solutions that focus on functional/logic locking, we introduce a new logic locking paradigm, called data flow obfuscation, which targets the flow/timing of the circuit as a new means for logic locking. We exploit the essence of asynchronicity to lock the flow/timing of the circuits, making it almost impossible to be modeled/formulated using state-of-the-art attacks. We also introduce a communication and obfuscation management architecture (COMA), as an alternative solution, for enhancing the security of logic locking against the existing attack. The main aim of COMA is to protect the main secret of logic locking, which is the logic locking key, from being stolen or revealed. For this purpose, in COMA, we propose an architecture allowing the designer to store the logic locking key outside of the IC that is manufactured in an untrusted foundry. As a result, the outcome of this thesis aims to provide an assessment of the capabilities and limitations of the existing studies on logic locking, either defense or attack mechanisms. By introducing newer and stronger approaches, this research also opens new directions for the designers to evaluate the security of the designs using more appropriate and well-formulated mechanisms, leading to stronger and more reliable design and implementation with enhanced security.