TY - JOUR
T1 - ScanSAT
T2 - Unlocking Static and Dynamic Scan Obfuscation
AU - Alrahis, Lilas
AU - Yasin, Muhammad
AU - Limaye, Nimisha
AU - Saleh, Hani
AU - Mohammad, Baker
AU - Al-Qutayri, Mahmoud
AU - Sinanoglu, Ozgur
N1 - Publisher Copyright:
© 2013 IEEE.
PY - 2021
Y1 - 2021
N2 - While financially advantageous, outsourcing key steps, such as testing, to potentially untrusted Outsourced Assembly and Test (OSAT) companies may pose a risk of compromising on-chip assets. Obfuscation of scan chains is a technique that hides the actual scan data from the untrusted testers; logic inserted between the scan cells, driven by a secret key, hides the transformation functions that map the scan-in stimulus (scan-out response) and the delivered scan pattern (captured response). While static scan obfuscation utilizes the same secret key, and thus, the same secret transformation functions throughout the lifetime of the chip, dynamic scan obfuscation updates the key periodically. In this paper, we propose ScanSAT: an attack that transforms a scan obfuscated circuit to its logic-locked version and applies the Boolean satisfiability (SAT) based attack, thereby extracting the secret key. We implement our attack, apply on representative scan obfuscation techniques, and show that ScanSAT can break both static and dynamic scan obfuscation schemes with 100 percent success rate. Moreover, ScanSAT is effective even for large key sizes and in the presence of scan compression.
AB - While financially advantageous, outsourcing key steps, such as testing, to potentially untrusted Outsourced Assembly and Test (OSAT) companies may pose a risk of compromising on-chip assets. Obfuscation of scan chains is a technique that hides the actual scan data from the untrusted testers; logic inserted between the scan cells, driven by a secret key, hides the transformation functions that map the scan-in stimulus (scan-out response) and the delivered scan pattern (captured response). While static scan obfuscation utilizes the same secret key, and thus, the same secret transformation functions throughout the lifetime of the chip, dynamic scan obfuscation updates the key periodically. In this paper, we propose ScanSAT: an attack that transforms a scan obfuscated circuit to its logic-locked version and applies the Boolean satisfiability (SAT) based attack, thereby extracting the secret key. We implement our attack, apply on representative scan obfuscation techniques, and show that ScanSAT can break both static and dynamic scan obfuscation schemes with 100 percent success rate. Moreover, ScanSAT is effective even for large key sizes and in the presence of scan compression.
KW - logic locking
KW - Obfuscated scan chains
KW - SAT attack
KW - scan locking
KW - scan obfuscation
UR - http://www.scopus.com/inward/record.url?scp=85121054585&partnerID=8YFLogxK
U2 - 10.1109/TETC.2019.2940750
DO - 10.1109/TETC.2019.2940750
M3 - Article
AN - SCOPUS:85121054585
SN - 2168-6750
VL - 9
SP - 1867
EP - 1882
JO - IEEE Transactions on Emerging Topics in Computing
JF - IEEE Transactions on Emerging Topics in Computing
IS - 4
ER -