DANA: Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering

Abstract

Reverse engineering of integrated circuits, i.e., understanding the internals of Integrated Circuits (ICs), is required for many benign and malicious applications. Examples of the former are detection of patent infringements, hardware Trojans or Intellectual Property (IP) theft, as well as interface recovery and defect analysis, while malicious applications include IP theft and finding insertion points for hardware Trojans. However, regardless of the application, the reverse engineer initially starts with a large unstructured netlist, forming an incomprehensible sea of gates. This work presents DANA, a generic, technology-agnostic, and fully automated dataflow analysis methodology for flattened gate-level netlists. By analyzing the flow of data between individual Flip Flops (FFs), DANA recovers high-level registers. The key idea behind DANA is to combine independent metrics based on structural and control information with a powerful automated architecture. Notably, DANA works without any thresholds, scenario-dependent parameters, or other “magic” values that the user must choose. We evaluate DANA on nine modern hardware designs, ranging from cryptographic co-processors and CPUs to OpenTitan, a state-of-the-art System-on-Chip (SoC) maintained by the lowRISC initiative with supporting industry partners such as Google and Western Digital. Our results demonstrate almost perfect recovery of registers for all case studies, regardless of whether they were synthesized as FPGA or ASIC netlists.
Furthermore, we explore two applications of dataflow analysis: we show that the raw output of DANA often already allows an analyst to identify crucial components and high-level architecture features, and we demonstrate its applicability for detecting simple hardware Trojans. Hence, DANA can be applied universally as the first step when investigating unknown netlists, and it provides major guidance for human analysts by structuring and condensing the otherwise incomprehensible sea of gates. Our implementation of DANA and all synthesized netlists are available as open source on GitHub.

Highlights

  • Understanding the internals of unknown hardware, commonly referred to as Hardware Reverse Engineering (HRE), is of major interest in many scenarios [QCF+16]

  • For each design and synthesis option, we denote the number of Flip Flops (FFs) and the Normalized Mutual Information (NMI), purity, and run time of DANA for both executions

  • In this work we present DANA, a generic, fully automated dataflow analysis methodology
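The two steps the abstract and highlights name, following the flow of data between FFs through the combinational logic and scoring a recovered register grouping with purity and NMI, as an added Python illustration that is not the paper's DANA implementation; the toy netlist, the register grouping, the simplified traversal and the NMI normalization convention are constructed or assumed for this example:

```python
"""Toy version of two steps named above: FF-to-FF dataflow extraction and
scoring a recovered register grouping by purity and NMI. Not DANA's code."""
from math import log
# Constructed 4-FF netlist: gate -> (type, input nets, output net). FFs list
# only their D input (clocks omitted); real netlists carry no readable names.
NETLIST = {
    "ff0": ("FF", ["n0"], "q0"), "ff1": ("FF", ["n1"], "q1"),
    "ff2": ("FF", ["q0"], "q2"), "ff3": ("FF", ["n3"], "q3"),
    "xor0": ("XOR", ["q0", "q1"], "n3"),
    "and0": ("AND", ["q2", "en"], "n0"), "and1": ("AND", ["q3", "en"], "n1"),
}

def ff_dataflow(netlist):
    """Map each FF to the FFs whose outputs reach its D input through
    combinational gates only, i.e. the register-level dataflow graph."""
    driver = {out: g for g, (_, _, out) in netlist.items()}
    def sources(net, seen):
        g = driver.get(net)
        if g is None or g in seen:      # primary input, or already visited
            return set()
        seen.add(g)
        if netlist[g][0] == "FF":       # stop at the previous register stage
            return {g}
        return set().union(*(sources(i, seen) for i in netlist[g][1]))
    return {g: sources(ins[0], set())
            for g, (kind, ins, _) in netlist.items() if kind == "FF"}

def purity(truth, found):
    """Share of FFs whose recovered group is dominated by their true register."""
    n = sum(len(g) for g in found)
    return sum(max(len(g & t) for t in truth) for g in found) / n

def nmi(truth, found):
    """Normalized mutual information; normalization by the mean of both
    entropies is an assumed convention, not taken from the paper."""
    n = sum(len(g) for g in found)
    entropy = lambda parts: -sum(len(p) / n * log(len(p) / n) for p in parts)
    mi = sum(len(t & f) / n * log(len(t & f) * n / (len(t) * len(f)))
             for t in truth for f in found if t & f)
    return mi / ((entropy(truth) + entropy(found)) / 2)

# Constructed ground truth (4-, 4- and 2-bit registers) and a hypothetical
# recovered grouping that misplaces one bit of register B into A's group.
TRUTH = [frozenset("a0 a1 a2 a3".split()), frozenset("b0 b1 b2 b3".split()),
         frozenset("c0 c1".split())]
FOUND = [frozenset("a0 a1 a2 a3 b0".split()), frozenset("b1 b2 b3".split()),
         frozenset("c0 c1".split())]
if __name__ == "__main__":
    print(ff_dataflow(NETLIST))          # ff3 is fed by ff0 and ff1, etc.
    print(f"purity={purity(TRUTH, FOUND):.3f} nmi={nmi(TRUTH, FOUND):.3f}")
```

A perfect recovery scores 1.0 on both metrics; the single misplaced bit above costs more NMI than purity because it also splits register B's information across two groups.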


Summary

Introduction

Understanding the internals of unknown hardware, commonly referred to as Hardware Reverse Engineering (HRE), is of major interest in many scenarios [QCF+16]. It is a widely applied industry practice to use HRE for competitive analysis, which is legal in many countries, including the United States and the EU [TJ11]. Despite the relevance of HRE, it is still relatively poorly understood compared to many other areas of hardware security [FSK+17] or compared to software reverse engineering, where numerous tools, techniques, and sophisticated scientific approaches exist. We review related work and highlight shortcomings in the state of the art of netlist reverse engineering. We clarify the term gate-level netlist and introduce HAL, the netlist analysis framework used in our work. A gate-level netlist is comparable to a circuit diagram of the entire design; netlists typically lack meaningful descriptive labels for gates and signals.

