Novel Fault Injection Attacks on Logic Locking using ATPG
Type of Degree: Master's Thesis
Department: Electrical and Computer Engineering
The outsourcing of the design and manufacturing of integrated circuits (ICs) in the current horizontal semiconductor integration flow involves untrusted entities that have posed various security threats, such as overproduction of ICs, sale of out-of-specification/rejected ICs, and piracy of intellectual properties (IPs). Logic locking is a well-accepted protection technique against these threats: the original design is modified by incorporating additional key gates in the netlist, resulting in a key-dependent functional circuit. The original functionality of the chip is recovered once it is programmed with the secret key; otherwise, it produces incorrect results for some input patterns. Over the past decade, different attacks have been proposed to break logic locking, simultaneously motivating researchers to develop more secure countermeasures. This thesis presents novel fault injection attacks based on stuck-at fault analysis, which can be used to break a secure logic locking technique. The proposed attacks are based on self-referencing, where the secret key is determined by injecting faults in the key lines to perform either differential fault analysis (DFA) with its fault-free counterpart or direct key extraction at the primary output through sensitization. A commercial ATPG tool is used to generate test patterns that detect stuck-at faults on the key lines; these patterns are then used to determine the secret key from a functional IC with externally induced faults. One test pattern is sufficient to determine one key bit, which results in at most |K| test patterns to determine the entire secret key of size |K|. However, the number of test patterns decreases when stuck-at faults on different key wires can be targeted simultaneously. A laser fault injection tool is used during the experimentation to induce external faults on the circuit implemented in an FPGA to demonstrate the effectiveness of the attack methodology.
The proposed attack is generic and can break any logic-locked circuit.