Speakers

We are glad to host a wide variety of renowned speakers from academia and industry who are presenting on the diverse aspects of hardware reverse engineering. Please see below for an overview of the speakers (listed in alphabetical order) and the titles and abstracts of their talks.

List of Speakers

Keynote

Perspectives from Four Decades of Chip Design

Paul Scheidt, Synopsys, USA
Slides

The past four decades have seen a dramatic evolution of chip design technology. We've gone from 5 micrometer NMOS down to 3 nanometer CMOS with a corresponding multi-millionfold growth in transistor density. The regular introduction of new abstraction layers and hardware microarchitectures supported by EDA design tools has enabled the industry to deal with ever increasing complexities. This trend does not appear to be ending anytime soon. We take a retrospective view of how we got to the current state of the art and find there are recurring patterns we can use to guide us forward. New opportunities arise to reuse past patterns in novel new ways as the technology constraints shift. Understanding the foundations is key to building the next generation technologies.

Talks

Technological Challenges of Sample Preparation of High-End Semiconductors at Reverse Engineering

Olena Kulyk, REATISS, Ukraine
Olha Somka, REATISS, Ukraine
Slides

The quality of sample preparation plays a crucial role in reverse engineering of semiconductors and requires advanced sample prep techniques. The substantial shrinking of critical dimensions in ICs and the increasing number of BEOL (back-end-of-line) metallization layers are challenging not only at the sample prep phase but also impact all following phases of RE, such as imaging, image processing, and circuit extraction. The local interconnect layers in the layout are becoming thinner, and a more sophisticated deprocessing approach has to be applied. For example, techniques that worked perfectly for copper and aluminium metallization do not work for cobalt.

Packaging of semiconductor devices is rapidly getting more complicated. Previously, it was expected that every die from a multi-die package could be extracted for further analysis without any damage to the other dice. Today, due to the widespread implementation of 3D packaging, this is not always possible, so you may have to destroy other dice inside a package to get out the required one. The extracted die will most likely have a much-thinned silicon substrate, which makes physical analysis extremely delicate, as the die is prone to deformation.

Getting state-of-the-art samples for analysis, especially for circuitry analysis, where about 20 such samples are required, is another major obstacle. Frequently, these components are present exclusively in premium consumer devices.

The complexity of the RE project is defined by the above-mentioned factors and is definitely not directly correlated with the claimed technology node, such as 3-5 nanometers.

This material will be well illustrated in the presentation with respective images of technological solutions for modern samples.

Sample Preparation for Reverse Engineering – Selecting the Best Toolset

Chris Richardson, Allied High Tech Products, USA
Slides

Mechanical sample preparation is eventually required when attempting to fully reverse engineer a semiconductor device. The key to successful reverse engineering is utilizing the appropriate sample preparation toolset to match the complexity of the device. We will present the key principles and advantages/disadvantages of mechanical sample preparation toolsets and techniques and include case studies to illustrate the application as it would apply to a reverse engineering case.

IC and PCB sample preparation lab according to Common Criteria – EAL6 for secure items

Tobias Zweifel, Fraunhofer EMFT, Germany

Since 2019, the Fraunhofer Institute EMFT has operated a hardware sample preparation and analysis lab according to Common Criteria evaluation assurance level 6 (EAL6). Besides sample preparation and analyses for common market ICs and PCBs, this lab is also dedicated to secure ICs and trusted hardware components. Hereby, the lab offers methods for general failure analysis and especially for hardware trust verification, such as counterfeit/tampering detection and patent infringement analysis. In this talk we want to present our state-of-the-art preparation and analysis devices, in addition to exemplary results we have obtained so far.

ConFuzz: Combining Hardware Reverse Engineering and Security Analysis Through Fuzzing

Maik Ender, MPI-SP, Germany
Felix Hahn, MPI-SP, Germany
Slides

Hardware reverse engineering, a critical aspect of cybersecurity, plays a pivotal role in uncovering vulnerabilities and understanding the inner workings of hardware systems. We delve into the domain of hardware reverse engineering, specifically focusing on Xilinx 7-Series and UltraScale(+) FPGA configuration engines, the control plane governing the (secure) bitstream configuration within the FPGA. Our goal is to examine the effectiveness of fuzzing to analyze and document the opaque inner workings of FPGA configuration engines, with a primary emphasis on identifying security vulnerabilities.

We introduce ConFuzz, an advanced FPGA configuration engine fuzzing and rapid prototyping framework. Based on our detailed understanding of the bitstream file format, we systematically define three novel key fuzzing strategies for Xilinx FPGA configuration engines. Moreover, our strategies are executed through mutational structure-aware fuzzers and incorporate various novel custom-tailored, FPGA-specific optimizations to reduce search space.

We present previously undocumented behavior within the configuration engine, including critical findings such as system crashes leading to unresponsive states of the whole FPGA. In addition, our investigations not only lead to the rediscovery of the recent Starbleed attack but also uncover a novel unpatchable vulnerability, denoted as JustSTART (CVE-2023-20570), capable of circumventing RSA authentication for Xilinx UltraScale(+).
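To make "mutational structure-aware" fuzzing of a configuration stream concrete, here is an added example written for this page; it is not ConFuzz code and does not reproduce the talk's findings. The mutator parses the packet framing as publicly described in the Xilinx 7-Series configuration user guide (UG470), applies one of four mutations that keep every header decodable, and re-serializes. The sample stream, the register table, the four strategies and every value in them are this example's own constructions; nothing here is a valid bitstream or targets a real device.

```python
"""Structure-aware mutation of a 7-Series-style FPGA configuration packet stream.
Added illustrative code for this page, not ConFuzz. Packet encoding as publicly described in
Xilinx UG470: sync word 0xAA995566; Type 1 header = type[31:29]=1, opcode[28:27],
register address[26:13], word count[10:0]; Type 2 header = type=2, opcode[28:27], word
count[26:0], data for the register of the preceding Type 1 header. The sample stream and the
four mutation strategies are this example's own constructions."""
import random
import struct

SYNC_WORD = 0xAA995566
OP_NOP, OP_READ, OP_WRITE = 0, 1, 2
REGS = {0: "CRC", 1: "FAR", 2: "FDRI", 3: "FDRO", 4: "CMD", 5: "CTL0", 6: "MASK", 7: "STAT",
        8: "LOUT", 9: "COR0", 10: "MFWR", 11: "CBC", 12: "IDCODE", 13: "AXSS", 14: "COR1",
        16: "WBSTAR", 17: "TIMER", 22: "BOOTSTS", 24: "CTL1"}

class Packet:
    def __init__(self, ptype, opcode, reg, words):
        self.ptype, self.opcode, self.reg, self.words = ptype, opcode, reg, list(words)

    def header(self):
        """Re-encode the header; the word count always follows the current payload length."""
        if self.ptype == 1:
            return (1 << 29) | (self.opcode << 27) | (self.reg << 13) | (len(self.words) & 0x7FF)
        return (2 << 29) | (self.opcode << 27) | (len(self.words) & 0x7FFFFFF)

def parse(stream):
    """Split a big-endian word stream into (words before the sync word, list of Packet)."""
    words = list(struct.unpack(">%dI" % (len(stream) // 4), stream))
    if SYNC_WORD not in words:
        raise ValueError("no sync word")
    start = words.index(SYNC_WORD)
    packets, i, last_reg = [], start + 1, 0
    while i < len(words):
        h, i = words[i], i + 1
        ptype, opcode = h >> 29, (h >> 27) & 3
        if ptype == 1:
            reg, count = (h >> 13) & 0x3FFF, h & 0x7FF
            last_reg = reg
        elif ptype == 2:
            reg, count = last_reg, h & 0x7FFFFFF
        else:
            raise ValueError("unknown header type %d at word %d" % (ptype, i - 1))
        if i + count > len(words):
            raise ValueError("truncated packet at word %d" % (i - 1))
        packets.append(Packet(ptype, opcode, reg, words[i:i + count]))
        i += count
    return words[:start], packets

def serialize(pre, packets):
    out = list(pre) + [SYNC_WORD]
    for p in packets:
        out.append(p.header())
        out.extend(p.words)
    return struct.pack(">%dI" % len(out), *out)

def mutate(packets, rng):
    """One structure-aware mutation. Headers stay decodable and the sync word is untouched, so
    every output reaches the engine's packet handling instead of being rejected up front."""
    ps = [Packet(p.ptype, p.opcode, p.reg, p.words) for p in packets]
    writes = [p for p in ps if p.opcode == OP_WRITE and p.ptype == 1]
    strategy = rng.choice(["register", "payload", "reorder", "length"])
    if strategy == "register" and writes:        # redirect a write to another register
        rng.choice(writes).reg = rng.choice(list(REGS))
    elif strategy == "payload" and writes:       # flip one bit of a register value
        p = rng.choice(writes)
        if p.words:
            p.words[rng.randrange(len(p.words))] ^= 1 << rng.randrange(32)
    elif strategy == "reorder" and len(ps) > 1:  # swap two packets: command ordering
        a, b = rng.sample(range(len(ps)), 2)
        ps[a], ps[b] = ps[b], ps[a]
    elif strategy == "length" and writes:        # drop a payload word; header count follows
        p = rng.choice(writes)
        p.words = p.words[:-1]
    return strategy, ps

def build_sample():
    """Constructed header sequence in the style of a 7-Series bitstream: no valid CRC or frame
    data, just enough structure to exercise the mutator."""
    pre = [0xFFFFFFFF, 0xFFFFFFFF, 0x000000BB, 0x11220044, 0xFFFFFFFF]  # pad, bus width detect
    packets = [
        Packet(1, OP_NOP, 0, []),
        Packet(1, OP_WRITE, 17, [0x00000000]),     # TIMER
        Packet(1, OP_WRITE, 16, [0x00000000]),     # WBSTAR
        Packet(1, OP_WRITE, 4, [0x00000007]),      # CMD = RCRC (reset CRC)
        Packet(1, OP_WRITE, 12, [0x0362D093]),     # IDCODE (placeholder value)
        Packet(1, OP_WRITE, 1, [0x00000000]),      # FAR = 0
        Packet(1, OP_WRITE, 4, [0x00000001]),      # CMD = WCFG (write configuration data)
        Packet(1, OP_WRITE, 2, []),                # FDRI, zero length: data follows as Type 2
        Packet(2, OP_WRITE, 2, [0x12345678] * 8),  # constructed frame data
        Packet(1, OP_WRITE, 0, [0xDEADBEEF]),      # CRC (placeholder, deliberately wrong)
    ]
    return serialize(pre, packets)

def fuzz_once(stream, seed):
    """Parse, mutate with a seeded RNG (reproducible test cases), re-serialize."""
    rng = random.Random(seed)
    pre, packets = parse(stream)
    strategy, mutated = mutate(packets, rng)
    return strategy, serialize(pre, mutated)
```

Keeping the sync word and the header word counts consistent is the whole point of being structure-aware: a blind bit flip mostly yields streams the engine discards before anything interesting runs, whereas a redirected register write, a single-bit payload flip or a reordered command sequence reaches the state machine under investigation. Delivering the output to hardware over JTAG or SelectMAP, and detecting the unresponsive states the talk mentions with a watchdog and power cycle, is outside this example.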

One Decade of HAL - A Retrospective on Tool Development With Minimal Resources

Marc Fyrbiak, emproof, Germany
Max Hoffmann, ETAS, Germany

Over the past decade, the gate-level netlist reverse engineering framework HAL has played a key role in advancing the field of hardware reverse engineering through research, teaching, training, and industry adoption. However, the path was not always straightforward, as HAL was developed by initially inexperienced developers and under heavy resource limitations. This talk offers a comprehensive exploration of HAL's growth during its early years, putting a focus on the difficult balancing act of technical management vs. research output. We share insights on design decisions, organizational strategies we applied, and technical trade-offs that have been pivotal in enhancing HAL's functionality, usability, and scalability. By discussing both successful decisions and mistakes on management and technical aspects, we aim to provide valuable insights that lower the bar for resource-constrained small teams in the development of new high-quality tools.

CRESS: Quantifying Vulnerabilities of Attack Scenarios in Hardware Reverse Engineering

Alexander Hepp, TUM, Germany

Globally distributed supply chains or unintentional design weaknesses leave the door open for attacks on the hardware level. For these, hardware reverse engineering (RE) results play a pivotal role. The ongoing publication of new RE-involved attacks has motivated the development of the qualitative Common RE Scoring System (CRESS). In this work, to generate a quantitative attack representation, we performed an extensive interview study with experts in the field. The interview results allowed us to derive weights that measure the severity of different RE-involved attack categories and form an equation that quantifies scenarios, resulting in the severity-indicating CRESS score. This enables the coherent rating of novel scenarios, renders them comparable, and supports the development of effective countermeasures. In this talk, we demonstrate the resulting CRESS formula and numerical score in theory and using a case study.

Advancing Chip Analysis Speed: Harnessing High Throughput Scanning Electron Microscopy

Liu Qing, NTU, Singapore

In the field of hardware security analysis and identifying counterfeit chips, chip analysis serves as a crucially important method. However, this method faces significant challenges due to its time-consuming and labor-intensive nature. These challenges encompass various aspects, including the preparation of entire and uniform metal/via layers that fulfil imaging requirements. Additionally, the method requires efficient and accurate imaging of all physical structures of the chips and effective analysis of their functionalities, demanding considerable human and time resources. In this presentation, we primarily share research on the issue of imaging throughput, utilizing a customized rapid imaging system to capture chip images. Notably, compared to traditional imaging systems, this new customized system replaces the traditional photomultiplier tube detector with a direct electron detector, incorporates a retarding structure, and includes a swinging objective lens to increase imaging speed and reduce distortion, achieving a significant increase in imaging speed while remaining practical. This substantially improves the efficiency of chip analysis, by more than tenfold. Furthermore, the integration of high-precision stage movement further accelerates the subsequent image analysis process, ensuring reliable and accurate results.

A Novel Expert-Knowledge-Based Algorithm for SEM Image Segmentation of IC Layout Images

Bernhard Lippmann, Infineon, Germany
Johannes Mutter, Infineon, Germany

Trusted design, manufacturing, and physical verification of semiconductor chips are essential for globally distributed supply chains in advanced microelectronics, as they help to limit the risks of hardware Trojans, counterfeits, and overproduction threats.

The trust in physical verification results is based on high-performing, reliable, and accurate image processing algorithms during the recovery process.

In this talk, we will introduce a novel image processing algorithm based on expert knowledge for SEM image segmentation. Our approach incorporates features created during the chip design phase and the image characteristics of SEM microscopes to provide high accuracy and efficiency.

To demonstrate the effectiveness of our approach, we will showcase our results based on real analysis scenarios. We will also compare our algorithm to other state-of-the-art algorithms currently used for this task. By doing so, we will highlight the advantages of our approach and demonstrate how it can improve supply chain management, streamline the verification process, and ultimately increase trust in the results.

Integrated Circuit Mask-GAN for Circuit Annotation with Targeted Data Augmentation

Yee Yang Tee, NTU, Singapore
Slides

In recent years, deep learning-based segmentation techniques have been applied to circuit annotation for the hardware assurance of integrated circuits (ICs). However, imperfections in circuit images often cause incorrectly segmented pixels, which result in critical circuit connection errors that are detrimental to subsequent circuit analysis. To mitigate such circuit connection errors, this work proposes a targeted data augmentation framework for deep learning-based circuit annotation, termed Integrated Circuit Mask-GAN (ICMG). ICMG generates circuit images containing the aforementioned imperfections through GAN-based image translation from synthetic circuit masks. These circuit masks are synthesized by a novel mask generation process that incorporates our domain knowledge of IC layouts and is configurable to emulate various image imperfections such as material residuals in the sample preparation or distortion in the imaging process. In our experiments on a microcontroller IC, our proposed ICMG greatly reduced the circuit connection errors and the required manual effort for data labeling compared to the reported techniques.

FORRES - Forensic Reverse Engineering of Silicon chips

Sinan Böcker, BKA, Germany

Data encryption on modern devices is one of the biggest challenges for European law enforcement agencies (LEAs). The lawful extraction of user data during a criminal investigation requires both highly specialized equipment and reliable processes. While technically very demanding, fully invasive hardware analysis of integrated circuits (ICs) is the most promising approach. The FORRES EU project aims to establish a unified tool-set for hardware reverse engineering and analysis, and a platform for sharing knowledge between LEAs. To achieve this, a workflow is created that entails the preparation and imaging of ICs and a software framework for the analysis of the generated images.

Enhancing IC Reverse Engineering through Inter-layer Connectivity-Aware Image Inpainting

Jofre Pallarès, IMB-CNM (CSIC), Spain
Slides

The complete automation of Integrated Circuit (IC) reverse engineering is a multifaceted process, with performance intricately linked to sample preparation and imaging procedures. Artifacts introduced during Scanning Electron Microscopy (SEM) imaging, stemming from defects, noise, dust and other anomalies, pose a significant challenge to the image-to-layout conversion crucial for reverse engineering. These anomalies can lead to information loss or misleading results, adversely affecting the extraction of the intra and inter layer connectivity, and even causing phantom short-circuits. In the context of FEOL layers, the extraction of transistors may also suffer due to inadequate information.

This paper addresses this challenge by leveraging image inpainting techniques to reconstruct damaged regions using spatial information from their surroundings. Recent advancements in Deep Learning have elevated image inpainting techniques, demonstrating success in generating high-resolution images with remarkable improvements in quality, texture, and information recovery. While literature has showcased these achievements across various domains, including reverse engineering, existing models are constrained to reconstructing the current layer in isolation, neglecting crucial information from neighboring layers. It is imperative to integrate information from adjacent layers for accurate image reconstruction.

This research introduces a self-supervised deep learning architecture for image inpainting in IC reverse engineering, emphasizing preservation of inter-layer connectivity. The novelty lies not in the architecture itself, which is grounded in a common image-to-image framework, but in the innovative dataset preparation and training procedures. The deep learning architecture is designed to model not only the target layer but also the surrounding layers. To achieve this, a dataset has been meticulously crafted to include relevant information, with RGB channels swapped for upper, middle, and lower layers. Results affirm the success of our approach, demonstrating clear information recovery from upper or lower layers, thereby validating the effectiveness of our proposed methodology.

Leveraging Advanced Automation to Improve a Reverse Engineering Workflow

Chris Pawlowicz, TechInsights, Canada
Slides

Integrated Circuit reverse engineering can be expensive and time consuming, relying on painstaking effort by skilled analysts. A typical workflow consists of sample preparation (delayering), imaging (large area mosaics captured on scanning electron microscopes), image processing (converting the captured layer images into vectorized interconnect information along with identifying the standard cells) and finally schematic creation and organization. Identifying the standard cells in the images relies on referencing a library of image kernels and some type of image correlation searching. Creating a suitable library can be time consuming, and different manufacturers and process generations will usually have different cell libraries. Image correlation searching is compute intensive, which can be slow and expensive. In this talk I will describe an alternative approach where we use automated extraction of the base circuit elements (transistors) and then powerful graph searching on the resulting text netlist to identify the standard cells. The extraction and searching are both significantly faster than previous methods, and the graph search kernels are simple text descriptions of standard library cells, many of which do not change between process nodes.
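To show what "graph searching on the resulting text netlist" with "simple text descriptions of standard library cells" can look like, here is an added example written for this page; it is not TechInsights' workflow or code. The transistor netlist format, the kernel format, the backtracking matcher and the constructed extractor output are all this example's own. The matcher treats a cell kernel as a small transistor graph and looks for an injective embedding of its transistors and nets into the design, with drain and source interchangeable and the power nets fixed.

```python
"""Standard-cell identification on an extracted transistor netlist by subgraph search.
Added illustrative example, not TechInsights' tooling: the text formats, the matcher and the
constructed input are this example's own. A kernel is a plain-text transistor-level description of
one library cell; a cell instance is an injective mapping of kernel transistors and nets onto the
design respecting device type, gate/drain/source roles (d/s interchangeable) and fixed power nets."""

POWER = {"VDD", "GND"}

def parse_devices(lines):
    """One device per line: name type(p|n) gate drain source; '#' starts a comment."""
    devs = []
    for ln in lines:
        ln = ln.split("#")[0].strip()
        if ln:
            name, typ, g, d, s = ln.split()
            devs.append({"name": name, "type": typ, "g": g, "d": d, "s": s})
    return devs

def parse_kernels(text):
    """Kernel library: 'CELL <name> <ports...>' followed by that cell's device lines."""
    kernels, cur = {}, None
    for ln in text.strip().splitlines():
        ln = ln.strip()
        if ln.startswith("CELL "):
            _, name, *ports = ln.split()
            cur = kernels[name] = {"ports": ports, "devs": []}
        elif ln and cur is not None:
            cur["devs"] += parse_devices([ln])
    return kernels

def _unify(mapping, knet, dnet):
    """Bind a kernel net to a design net: power nets are fixed, the mapping stays injective."""
    if knet in POWER or dnet in POWER:
        return mapping if knet == dnet else None
    if knet in mapping:
        return mapping if mapping[knet] == dnet else None
    if dnet in mapping.values():
        return None
    return {**mapping, knet: dnet}

def _embed(kdevs, devs, used, mapping):
    """Backtracking search; yields (net mapping, chosen device indices) for each embedding."""
    if not kdevs:
        yield mapping, []
        return
    k, rest = kdevs[0], kdevs[1:]
    for i, dv in enumerate(devs):
        if i in used or dv["type"] != k["type"]:
            continue
        for d, s in ((dv["d"], dv["s"]), (dv["s"], dv["d"])):  # MOSFET drain/source symmetry
            m = _unify(mapping, k["g"], dv["g"])
            m = _unify(m, k["d"], d) if m is not None else None
            m = _unify(m, k["s"], s) if m is not None else None
            if m is not None:
                for full, chosen in _embed(rest, devs, used | {i}, m):
                    yield full, [i] + chosen

def _internal_nets_private(kernel, mapping, chosen, devs):
    """Reject matches whose internal nets touch outside devices (else NAND2 'matches' inside NAND3)."""
    internal = {mapping[n] for n in mapping if n not in kernel["ports"]}
    return not any({dv["g"], dv["d"], dv["s"]} & internal
                   for i, dv in enumerate(devs) if i not in chosen)

def identify_cells(devs, kernels):
    """Greedy: largest kernels first, each transistor claimed once. Returns (instances, unmatched)."""
    used, found = set(), []
    for name, kern in sorted(kernels.items(), key=lambda kv: -len(kv[1]["devs"])):
        while True:
            hit = next(((m, c) for m, c in _embed(kern["devs"], devs, used, {})
                        if _internal_nets_private(kern, m, set(c), devs)), None)
            if hit is None:
                break
            mapping, chosen = hit
            used |= set(chosen)
            found.append({"cell": name, "devices": [devs[i]["name"] for i in chosen],
                          "ports": {p: mapping.get(p, p) for p in kern["ports"]}})
    return found, [dv["name"] for i, dv in enumerate(devs) if i not in used]

KERNELS = """
CELL NAND2 A B Y
  MP1 p A Y VDD
  MP2 p B Y VDD
  MN1 n A Y n1
  MN2 n B n1 GND

CELL INV A Y
  MP p A Y VDD
  MN n A Y GND
"""

# Constructed extractor output: an AND2 (NAND2 + INV), a second inverter and a pass transistor;
# drain/source order is deliberately inconsistent, as a transistor extractor would report it.
EXTRACTED = """
T7  p  in_a  VDD    net5
T3  p  in_b  net5   VDD
T9  n  in_a  net5   net12
T2  n  in_b  GND    net12
T4  p  net5  out_x  VDD
T8  n  net5  out_x  GND
T5  p  in_c  out_c  VDD
T6  n  in_c  GND    out_c
T1  n  sel   out_x  bus7   # pass transistor: matches no kernel
"""

def identify(netlist_text=EXTRACTED, kernel_text=KERNELS):
    return identify_cells(parse_devices(netlist_text.splitlines()), parse_kernels(kernel_text))
```

Two details matter in practice. Kernel order: INV is a subgraph of NAND2, so larger cells are claimed first, and the internal-net check refuses a partial match whose internal node (n1) fans out to other devices. Process independence: the kernels describe topology only, which is why the same text library can serve several nodes; device sizing, dummy devices and multi-finger transistors have to be merged by the extractor before matching, which this example does not do.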

On the Threat of FPGA Reverse Engineering

Nils Albartus, MPI-SP, Germany
Simon Klix, MPI-SP, Germany
Slides

Field-Programmable Gate Arrays (FPGAs) face a substantial risk of intellectual property (IP) theft, a challenge distinct from their nanometer-scale IC counterparts, whose first layer of protection is their inherent high-level entry barrier. In contrast, FPGAs are more susceptible to IP theft due to their configuration file's proprietary format, extensively documented by the open-source community. This presentation reveals the acute threat of FPGA reverse engineering, drawing insights from a real-world case study involving an iPhone 7 FPGA.

The presentation explores the extent of automation in the netlist reverse engineering process, evaluating techniques across several benchmarks representing diverse FPGA applications. Synthesized for Xilinx and Lattice FPGAs, these benchmarks provide a comprehensive understanding of the threat landscape. The findings culminate in an open-source tool-suite of netlist reverse engineering techniques. This suite not only facilitates future research but empowers the community to conduct realistic threat assessments and evaluate novel countermeasures. Lastly, we explore varied countermeasures, including obfuscation, as an additional line of defense to safeguard valuable IP.

Leveraging FPGA Reverse Engineering for Secure CAD Flows

Jeff Goeders, BYU, USA
Slides

In this presentation, we discuss two secure FPGA CAD flows that our research group has been developing, that are enabled through FPGA bitstream reverse engineering.

The first thrust is the development of a trusted CAD process for FPGAs, where we have been working on techniques to verify the integrity of the CAD toolchain and the produced bitstream. This work was recently presented at the 2023 FPT conference. Our technique involves querying the commercial CAD flow to obtain the set of design transformations performed during physical synthesis. We then apply these transformations to the post-synthesis netlist to obtain a transformed netlist, as well as use open-source bitstream-to-netlist tools to obtain a reverse-engineered netlist. These netlists are then compared using a scalable structural matching algorithm to validate bitstream to netlist equivalence.

In our second project, we have developed an FPGA CAD flow that is designed to protect the secrecy of third-party IP. While traditionally CAD tools have used the IEEE 1735 IP encryption standard, this has been shown to be vulnerable to key theft attacks, leaving the encrypted IP vulnerable to theft. Our approach is to keep the IP encrypted even during the CAD flow, removing the need for the CAD tools to have any knowledge of the IP encryption keys. Of course, the IP cannot be fully encrypted; however, key details, such as logic equations (LUT INIT), can be kept encrypted. We have developed a proof-of-concept tool that shows how this approach can be deployed using existing commercial CAD tools and FPGA devices. Bitstream reverse engineering tools are leveraged to make this type of flow possible: by utilizing the mapping of LUT INIT values to bitstream bits, we can decrypt and patch the encrypted bitstream portions on the device during configuration. This work has not yet been published.

Formal Verification of Reverse Engineered FPGA Bitstreams

Russell Tessier, UMass Amherst, USA
Slides

This work-in-progress focuses on using a commercial software tool, Cadence Conformal, to formally verify gate-level FPGA netlists which have been generated by logic synthesis and by reverse-engineering an FPGA bitstream against the original register-transfer level (RTL) design description. The synthesized netlist is created using Yosys, an open-source logic synthesis tool. Following synthesis, the gate-level netlist is verified against the RTL description using Conformal. Our approach supports Yosys synthesis optimizations, such as finite state machine (FSM) optimization and redundant register removal during synthesis. Hints about these optimizations are provided to Conformal along with the gate-level and RTL designs to perform verification. To date over 100 FPGA designs targeted to an AMD/Xilinx Artix-7 device have been verified using this approach. This total includes 12 designs that contain multipliers, block RAMs, and between 10,000 and 100,000 logic blocks.

FPGA bitstreams are vulnerable to attack and can be secretly modified in the field after generation. Recent research at Ruhr University Bochum has shown that an FPGA bitstream can be converted back to gate-level netlist form using open-source reverse engineering tools. We show that after bitstream conversion to a netlist, Conformal can be used to formally verify design functionality against either the original RTL specification or the gate-level design created by Yosys. In the former case, the optimization hints generated during Yosys compilation can be reused to allow for formal verification of the reversed netlist.

Thus far, the infrastructure for a complete system has been developed and a reverse-engineered netlist of a simple combinational circuit has been verified against a synthesized gate-level version. Work is continuing to support larger reverse-engineered circuits and reverse-engineered circuits that contain multipliers and RAM.
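The comparison step at the centre of this talk, and of the trusted CAD flow described above (checking a netlist recovered from the bitstream against the synthesized one), can be shown on a small scale. The following is an added example written for this page, not Conformal, Yosys or the BYU tooling: it merges a reference and a candidate netlist into a miter, checks the miter exhaustively for a tiny circuit, and emits the same miter as Tseitin-encoded DIMACS CNF, which is the form a SAT-based equivalence checker hands to a solver. The netlist text format, the full-adder circuits and the "field modification" are constructed for this illustration.

```python
"""Miter-based equivalence check of a reverse-engineered netlist against the synthesized one.
Added illustrative example, not Conformal, Yosys or the BYU flow; the netlist format, the circuits
and the 'field modification' are constructed. Small miters are checked exhaustively; the same miter
is Tseitin-encoded to DIMACS CNF, which is what a SAT-based checker hands to a solver at real sizes."""
import itertools
import re

GATE_RE = re.compile(r"(\w+)\s*=\s*(AND|OR|XOR|NOT)\((.*)\)")
OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b,
       "XOR": lambda a, b: a ^ b, "NOT": lambda a: 1 - a}

def parse_netlist(text):
    """'input a, b' / 'output y' / 'y = OP(x, z)' statements separated by newlines or ';'."""
    inputs, outputs, gates = [], [], {}
    for st in re.split(r"[;\n]", text):
        st = st.split("#")[0].strip()
        if st.startswith("input "):
            inputs += st[6:].replace(",", " ").split()
        elif st.startswith("output "):
            outputs += st[7:].replace(",", " ").split()
        elif st:
            m = GATE_RE.fullmatch(st)
            if not m:
                raise ValueError("bad statement: " + st)
            gates[m.group(1)] = (m.group(2), [x.strip() for x in m.group(3).split(",")])
    return inputs, outputs, gates

def simulate(gates, assignment):
    """Evaluate every gate for one primary-input assignment; returns all node values."""
    vals = dict(assignment)
    def ev(n):
        if n not in vals:
            op, args = gates[n]
            vals[n] = OPS[op](*[ev(a) for a in args])
        return vals[n]
    for n in gates:
        ev(n)
    return vals

def build_miter(ref, cand):
    """Merge both netlists (prefixed, sharing the primary inputs), XOR each output pair and OR
    the differences. Returns (inputs, merged gates, miter output node)."""
    (ri, ro, rg), (ci, co, cg) = ref, cand
    if sorted(ri) != sorted(ci) or sorted(ro) != sorted(co):
        raise ValueError("port lists differ")
    gates = {}
    for pfx, g in (("ref_", rg), ("cand_", cg)):
        for n, (op, args) in g.items():
            gates[pfx + n] = (op, [a if a in ri else pfx + a for a in args])
    acc = None
    for o in ro:
        gates["diff_" + o] = ("XOR", ["ref_" + o, "cand_" + o])
        if acc is None:
            acc = "diff_" + o
        else:
            gates["any_" + o] = ("OR", [acc, "diff_" + o])
            acc = "any_" + o
    return ri, gates, acc

def find_counterexample(ref, cand, max_inputs=16):
    """Exhaustive miter check: an input assignment on which the netlists differ, else None."""
    inputs, gates, out = build_miter(ref, cand)
    if len(inputs) > max_inputs:
        raise ValueError("too many inputs for exhaustive checking; use to_dimacs() and a SAT solver")
    for bits in itertools.product((0, 1), repeat=len(inputs)):
        assignment = dict(zip(inputs, bits))
        if simulate(gates, assignment)[out]:
            return assignment
    return None

def tseitin(ref, cand):
    """CNF of the miter with its output forced to 1: satisfiable iff the netlists differ, and the
    input variables of any model form a counterexample. Returns (node -> var id, clauses)."""
    inputs, gates, out = build_miter(ref, cand)
    var = {n: i + 1 for i, n in enumerate(list(inputs) + list(gates))}
    clauses = []
    for n, (op, args) in gates.items():
        c, a = var[n], [var[x] for x in args]
        if op == "AND":
            clauses += [[-c, a[0]], [-c, a[1]], [c, -a[0], -a[1]]]
        elif op == "OR":
            clauses += [[c, -a[0]], [c, -a[1]], [-c, a[0], a[1]]]
        elif op == "XOR":
            clauses += [[-c, a[0], a[1]], [-c, -a[0], -a[1]], [c, -a[0], a[1]], [c, a[0], -a[1]]]
        else:  # NOT
            clauses += [[c, a[0]], [-c, -a[0]]]
    return var, clauses + [[var[out]]]

def to_dimacs(ref, cand):
    var, clauses = tseitin(ref, cand)
    return "p cnf %d %d\n" % (len(var), len(clauses)) + "".join(
        " ".join(map(str, cl)) + " 0\n" for cl in clauses)

# Constructed circuits: a full adder as synthesized; the same function as recovered from a
# bitstream with a different structure (carry as majority); and a field-modified version whose
# sum bit is inverted only when a = b = cin = 1.
PORTS = "input a, b, cin; output s, cout; "
REFERENCE = PORTS + "t1 = XOR(a, b); s = XOR(t1, cin); t2 = AND(a, b); t3 = AND(t1, cin); cout = OR(t2, t3)"
MAJORITY = "m1 = AND(a, b); m2 = AND(a, cin); m3 = AND(b, cin); m4 = OR(m1, m2); cout = OR(m4, m3)"
RECOVERED_OK = PORTS + "x1 = XOR(a, b); s = XOR(x1, cin); " + MAJORITY
RECOVERED_TAMPERED = PORTS + ("x1 = XOR(a, b); s0 = XOR(x1, cin); trig = AND(m1, cin); "
                              "s = XOR(s0, trig); " + MAJORITY)
```

Two points the toy makes visible. The structurally different but equivalent recovery (RECOVERED_OK) shows why a structural diff is not enough and functional equivalence is what has to be proven; the tampered recovery differs on exactly one input vector, which is the trigger an attacker would choose, and the miter reports that vector. The exhaustive loop is only viable for a handful of inputs; beyond that, to_dimacs() produces the miter for a SAT solver, and sequential designs additionally need a register correspondence between the two netlists, which is what the optimization hints mentioned above are used for.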

I see an IC: Researching Human Problem-Solving in Hardware Reverse Engineering

Markus Weber, RUB, Germany
René Walendy, RUB, Germany
Slides

Hardware Reverse Engineering (HRE) is at the core of hardware security assurance, an essential tool for building trust in digital systems. In this talk, we argue that HRE is a specific setting of human-computer interaction, where a variety of software exists that can assist the reverse engineering process, but where success depends heavily on the experience, skills and cognitive abilities of the human analyst. Such human problem-solving processes are an underexplored yet critical aspect of HRE.

Our work develops methods for investigating human problem-solving, making use of both quantitative and qualitative research methods. Since reverse engineers rely heavily on visual information, eye tracking holds promise for studying their cognitive processes. To gain further insights, we additionally employ verbal thought protocols during and immediately after HRE tasks: Concurrent and Retrospective Think Aloud. We evaluate the combination of eye tracking and Think Aloud with 41 participants in an HRE simulation. Our findings show that eye tracking accurately identifies fixations on individual circuit elements and highlights critical components. Based on two use cases, we demonstrate that eye tracking and Think Aloud can complement each other to improve data quality.

We show various avenues for research into reverse engineering strategies using our methodology. Further, we provide insights for practitioners aiming at improving hardware security and developing educational tools pertinent to HRE.

Electrical and Physical Characterization of Fingerprinting Primitives: A Study on SRAM and PCBs

Vincent Krämer, MPI-SP, Germany
Matthias Ludwig, Infineon, Germany
Slides

Secured hardware is vital for system-critical applications. Hardware fingerprinting techniques, such as physically 'unclonable' functions (PUFs) or physically obfuscated keys (POKs), claim to enable realizing security goals such as anti-counterfeiting, secured key storage, or authentication. While this is a heavily researched field, the precise capabilities of electrical and physical inspection techniques for direct fingerprint evaluation are not adequately explored. Our objective is to design a general model for fingerprint characterization, which is experimentally applied to an SRAM and to resistive and capacitive fingerprinting techniques on the PCB level, thus evaluating the claimed property that fingerprints are protected from being reproduced. The methodological approach is bipartite. First, we design theoretical fingerprint-dependent models. These models allow us to translate electrical or physical parameters into corresponding fingerprint values. Second, we perform measurements to apply our models to experimental data. For the SRAM, we electrically characterize the voltage transfer characteristic of individual transistors via nanoprobing. Further, we geometrically characterize the SRAM's process-dependent layout via delayering, scanning electron microscopy, and image processing. For the PCB, the characterization is done via probing and optical microscopy. To show the correctness of our models, the results are compared to a previously generated ground truth of the fingerprints. The results are preliminary and partly work in progress (WIP). On the PCB level, we devised and simulated measurement circuits demonstrating the feasibility of fingerprints based on resistance and capacitance values due to process variations. We show a successful, model-based evaluation of these implementations, effectively rendering them reproducible. For the evaluated 28 nm node SRAM, preliminary experimental results are available but not yet fully assessed. For these, we expect a successful electrical characterization but an unsuccessful geometrical characterization. Overall, albeit not finalized, our results demonstrate the importance of a feasibility assessment of model-based approaches to evaluate fingerprinting via direct electrical and physical characterization. Further, we show the capabilities of physical inspection techniques.

Secure Element vs Cloners: A Case Study

Andrew Zonenberg, IOActive, USA
Slides

Many consumer electronic devices use secure elements to cryptographically authenticate peripherals or accessories, preventing unlicensed third parties from building compatible products. There are significant financial incentives for generic accessory manufacturers to defeat these protections, resulting in increasingly sophisticated attacks.

In this presentation, we analyze two generations of an OEM product with a cryptographic authentication mechanism, as well as an unlicensed clone. We compare the process technology, general sophistication and complexity of the silicon architectures seen in each device, and discuss observed weaknesses and countermeasures.

Exploring Netlist Reverse Engineering Benchmarks: Existing Approaches and Future Requirements

Johanna Baehr, Fraunhofer AISEC, Germany
Slides

Netlist reverse engineering has been a research area for over two decades. However, the development and validation of new methods heavily rely on suitable benchmark data. Unfortunately, in chip design, where IP secrecy and non-disclosure agreements prevail, accessing appropriate benchmarks poses a challenge. Consequently, methods are often evaluated on limited and small-scale benchmarks, leading to potential shortcomings in real-world functionality and scalability for larger designs. Moreover, due to variations in synthesized data sets created with different tools and cell libraries, comparing methodologies becomes difficult as each researcher evaluates their own implementation. This lack of standardization hinders the ability to draw meaningful comparisons. The introduction of machine learning approaches further complicates matters, as they necessitate extensive data sets for training and validation of models. In this talk, we aim to provide an overview of existing benchmarks while highlighting the requirements for future benchmark sets. Additionally, we will introduce an open-source benchmark set that strives to address some of these challenges.

HAWKEYE: Recovering Symmetric Cryptography from Hardware Circuits

Julian Speith, MPI-SP, Germany
Lukas Stennes, RUB, Germany
Slides

In an era of increasing reliance on secure communication systems, the need to ensure the integrity and trustworthiness of cryptographic algorithms is paramount. Motivated by concerns over the potential existence of compromised implementations of such cryptographic algorithms within critical infrastructure and national defense systems, we present a novel automated reverse engineering approach to locating implementations of symmetric cryptographic algorithms within gate-level netlists, either implemented on Field-Programmable Gate Arrays (FPGAs) or Application-Specific Integrated Circuits (ASICs). By scrutinizing the gate-level netlists, we can automatically pinpoint and partially analyze symmetric cryptographic implementations to then enable a human reverse engineer to search for irregularities, vulnerabilities, or deviations from established cryptographic standards. One strength of our approach is that it succeeds independent of the implemented cipher, as it relies on structural properties commonly shared between implementations of symmetric algorithms. Hence, it can also aid the analysis of foreign-made electronics and enemy weapon systems in particular to isolate secret, proprietary cryptographic algorithms that can then be evaluated by cryptographers to find and exploit algorithmic weaknesses. Finally, the developed algorithm provides a valuable tool for the validation of cryptographic claims made by consumer devices, such as smartphones, for example as part of standardization procedures to support end-user trust in their devices.

In summary, our work introduces a comprehensive methodology for analyzing gate-level netlists obtained through hardware reverse engineering, with a focus on detecting symmetric cryptographic implementations. The application of this methodology extends to critical infrastructure, national defense, and consumer electronics, providing a robust means of assessing the trustworthiness of cryptographic systems in various domains.

GNNReveal: A Novel Graph Neural Network-based Attack Method for IC Logic Gate De-Camouflaging

Xuenong Hong, NTU, Singapore

Recent advancements in circuit extraction methods pose new threats to the Intellectual Property (IP) protection of Integrated Circuits (ICs). Hardware obfuscation protects manufactured ICs from circuit extraction by withholding circuit information. Logic gate camouflaging is arguably one of the most effective obfuscation techniques: it makes logic gates of different functionalities visually indistinguishable, thus resulting in logic gates with unknown functionalities in an extracted netlist. A few logic gate de-camouflaging attacks have been proposed to predict the functionalities of camouflaged logic gates. Conventional attacks mainly target small-scale camouflaging and are not suitable for large-scale camouflaging due to infeasible computation cost. Recently, Graph Neural Networks (GNNs) have demonstrated their computational efficiency in hardware assurance related tasks. However, generic GNNs do not differentiate FanIn (FI) and FanOut (FO) and are not suitable for logic gate de-camouflaging. In this paper, we propose a novel GNN-based attack method, namely GNNReveal, for logic gate de-camouflaging. Our proposed GNNReveal performs separate FI/FO aggregations using dedicated aggregation networks to generate a unique node embedding for each logic gate with different functionalities. Thanks to the high discriminative power of these node embeddings, for the first time, we are able to formulate the IC logic gate de-camouflaging problem directly as a node classification problem. By means of experiments on several large-scale benchmark circuits, we show that our proposed GNNReveal achieves very high de-camouflaging accuracy, on average >80% F1-score for all tested circuits. Further, our proposed GNNReveal outperforms all competing methods by a large margin of 20%. Our proposed GNNReveal exposes new vulnerabilities in IC logic gate camouflaging.

Program version 1.1.4