Novel Attacks and Defense Strategies for Enhanced Logic Locking Security

  • Lilas Alrahis

Student thesis: Doctoral Thesis


These days, most semiconductor design houses adopt a fabless business model. Outsourcing the fabrication and testing processes to potentially untrusted parties raises concerns regarding integrated circuit (IC) piracy, reverse engineering (RE), overproduction, intellectual property (IP) rights violation, and hardware Trojan insertion. This has driven considerable research into methods for regaining trust in the design process (design-for-trust). Logic locking is a holistic design-for-trust technique that aims to protect the design IP from untrustworthy entities throughout the IC supply chain by locking the functionality of the design. State-of-the-art logic locking solutions such as provably secure logic locking (PSLL) and scan locking/obfuscation aim to offer protection against immediate attacks such as the Boolean satisfiability (SAT)-based attack. However, these implementations mostly focus on thwarting the SAT-based attack, leaving them vulnerable to other, unexplored threats. This thesis contributes to logic locking in two ways. It identifies the shortcomings of state-of-the-art logic locking techniques by developing novel attacks aimed at breaking them, and it proposes a defense scheme that is resilient to oracle-less machine learning (ML)-based attacks on logic locking. Furthermore, the thesis contributes to the broader field of hardware security by developing an ML-based functional RE platform that can aid in the detection of malware and IP violations. In this respect, the first contribution of the thesis is aimed at evaluating the security of scan obfuscation. ScanSAT, the first modeling attack of its kind to break scan obfuscation, is developed. ScanSAT transforms a scan-obfuscated circuit into its logic-locked version and applies the SAT-based attack, extracting the secret key. ScanSAT breaks static, dynamic, and scrambling-based scan obfuscation.

The first attack in the literature to break stripped-functionality logic locking (SFLL-HD), the state-of-the-art PSLL technique at the time, is proposed next. The attack utilizes functional RE to detect the protection logic of SFLL-HD and recovers the original design with a high success rate, without requiring an oracle. Next, GNNUnlock is developed to move beyond the detection of a single PSLL implementation. GNNUnlock is the first-of-its-kind oracle-less ML-based attack on PSLL that can identify any desired protection logic without being tied to a specific syntactic topology. The key idea is to leverage a well-trained graph neural network (GNN) to identify all the gates in a given locked netlist that belong to the targeted protection logic. GNNUnlock succeeds in breaking PSLL techniques such as SFLL-HD and Anti-SAT under different parameters, synthesis settings, and technology nodes. Moreover, GNNUnlock successfully breaks corner cases where even the most advanced state-of-the-art attacks fail. Another contribution of the thesis is UNSAIL, a defense mechanism that can be integrated with any traditional logic locking technique to protect it against the emerging oracle-less, ML-based attacks. To the best of our knowledge, UNSAIL is the first proposed defense against such potent attacks. The development of GNN-RE is the final contribution of the thesis. GNN-RE is a generalized GNN-based functional RE platform that automatically identifies and labels sub-circuits in any unstructured, flattened netlist. The platform leverages GNNs to learn the structural and functional features of the sub-modules to be detected. GNN-RE shows superior performance compared to state-of-the-art ML-based approaches for functional RE.

All in all, given the accelerating race to develop secure logic locking solutions, this thesis aims to fill the gap in security measures by introducing novel attacks and defense strategies to counteract malicious conduct throughout the IC supply chain.
Date of Award: Dec 2020
Original language: American English


  • Hardware security
  • Logic locking
  • Scan obfuscation
  • IP protection
  • Reverse engineering
  • Hardware obfuscation
  • Machine learning
