SCOPE: Synthesis-Based Constant Propagation Attack on Logic Locking

Abstract

Hardware intellectual property (IP) piracy and misuse have introduced new challenges in the semiconductor industry as untrusted parties in the IP's life cycle may clone, reverse-engineer, or extract important design secrets from an IP. A promising solution to protect a hardware IP against such attacks is to perform logic locking, where additional logic controlled by a secret key is inserted in strategic locations of an IP to lock the functionality when the correct key is not available. As a multitude of logic locking techniques has emerged in the past decade, the research community has also developed strong attacks against them to expose various vulnerabilities that can be exploited by an adversary to break the protection. While state-of-the-art logic locking solutions have demonstrated provable robustness against known attacks, there is a critical need to explore new attack vectors and mitigate them to achieve a higher level of protection. In this article, we present SCOPE, a novel synthesis-based constant propagation attack for security evaluation of logic locking techniques. SCOPE is oracle-less and requires no knowledge about the locking algorithm or the locked design by an attacker. The introduced attack performs a synthesis-based analysis on each individual key-input port and looks for meaningful design features that may help derive the correct key value. SCOPE offers two attack modes with varying complexity and effectiveness, a linear regression test, and an unsupervised machine-learning analysis. We perform SCOPE to a number of existing locking techniques and demonstrate that the average attack accuracy is 84.13% with high scalability in terms of design size. Based on the vulnerabilities identified by SCOPE, we provide a low-overhead countermeasure that can help mitigate such constant propagation attacks.