
CONSTRUCTIVE AND DESTRUCTIVE REVERSE ENGINEERING ASPECTS OF DIGITAL SYSTEMS

DISSERTATION for the degree of Doktor-Ingenieur of the Faculty of Electrical Engineering and Information Technology at Ruhr-Universität Bochum

by Marc Fyrbiak
Bochum, May 2018

Copyright © 2018 by Marc Fyrbiak. All rights reserved. Printed in Germany.

To my beloved family.

Marc Fyrbiak
Place of birth: Braunschweig, Germany
Author's contact information: [email protected]
www.emsec.rub.de

Thesis Advisor: Prof. Dr.-Ing. Christof Paar, Ruhr-Universität Bochum, Germany
Secondary Referee: Prof. Russell Tessier, University of Massachusetts Amherst, MA, USA

Thesis submitted: May 30, 2018
Thesis defense: September 21, 2018
Last revision: April 26, 2019

Abstract

Our modern digital society stands on the foundation of digital hardware systems implemented in a myriad of interconnected smart-X devices as well as traditional computing systems realizing technological trends such as cloud computing. Since these devices and systems are an integral part of our everyday life, targeted manipulations of digital hardware systems have devastating consequences for safety, security, and privacy.

In today's production chains, hardware designs are transparent to numerous untrusted stakeholders and thus inevitably prone to manipulations and Intellectual Property (IP) piracy. In many attack scenarios, an adversary merely has access to the low-level, potentially obfuscated gate-level netlist and faces the costly and time-consuming task of reverse engineering the proprietary design to identify security-critical circuitry, followed by the insertion of a meaningful hardware Trojan. However, these challenges of destructive aspects have been only considered in passing by the research community.

In addition to destructive aspects, hardware reverse engineering facilitates various constructive applications and can thus safeguard digital hardware systems.
For example, security engineers are forced to leverage reverse engineering in order to witness hardware Trojans in untrusted third-party IP cores as source code is typically not available. Moreover, understanding the complexity of hardware reverse engineering facilitates sound countermeasures for hardware protection schemes. So far reverse engineering is commonly neglected in the security analysis of various schemes since it is still an opaque and poorly understood process.

In order to systematically investigate constructive and destructive aspects of gate-level netlist reverse engineering, we first address the lack of gate-level netlist reverse engineering and manipulation frameworks in the open literature and then present a holistic framework called HAL. HAL supports and automates custom reverse engineering tasks and enables tailored manipulations with ease. Based on its extensibility, we investigate diverse technical aspects of gate-level netlist reverse engineering and provide several research contributions such as the many-faceted workflow of semi-automated hardware Trojan insertion, costs associated with reverse engineering based on graph similarity algorithms, and novel insights on the (in-)security of several Finite State Machine (FSM)-based hardware obfuscation schemes. Moreover, we investigate cognitive aspects of reverse engineering and develop a methodology based on problem solving research and research on the acquisition of expertise to quantify the crucial human factor in hardware reverse engineering. As an important finding we show that development of automated custom tools for reverse engineering and hardware Trojan injection is not as challenging and time-consuming as previously thought.

Keywords.
Gate-level Netlist Reverse Engineering, Cognitive Aspects of Reverse Engineering, Hardware Obfuscation, Hardware Trojans, Graph Similarity

Summary

Our modern digital society stands on the foundation of digital hardware systems that are built into a multitude of connected smart-X devices and traditional computer systems. Since these devices and systems have become an integral part of our daily life, targeted manipulations of these hardware systems have devastating consequences for security and privacy.

In today's production chains, hardware designs are transparent to many untrusted stakeholders and thus inevitably prone to manipulation and IP piracy. In many attack scenarios, however, an adversary only has access to the low-level, potentially obfuscated gate-level netlist and therefore faces costly and time-consuming reverse engineering: first, security-relevant elements in the circuit must be identified, and then a meaningful hardware Trojan must be inserted. However, these challenges have so far been treated only in passing by the research community.

In addition to destructive aspects, hardware reverse engineering enables various constructive applications for safeguarding hardware systems. For instance, security engineers are forced to analyze untrusted third-party designs by reverse engineering in order to identify hardware Trojans, since the source code is typically not available. Moreover, a more precise understanding of hardware reverse engineering enables the development of sound protection measures. However, reverse engineering has been neglected in the security analysis of various protection measures, since reverse engineering is still an opaque and poorly understood process.
In order to systematically investigate constructive and destructive aspects of gate-level netlist reverse engineering, we first describe the lack of a netlist reverse engineering and manipulation framework in the publicly available literature and present a holistic framework called HAL. HAL supports and automates custom reverse engineering tasks and enables targeted manipulation. Based on the extensibility of HAL, we investigate various technical aspects of gate-level netlist reverse engineering and provide several research contributions, e.g., the many-faceted workflow of semi-automated hardware Trojan insertion, reverse engineering costs based on graph similarity analyses, as well as new insights regarding the (in-)security of several obfuscation schemes based on finite state machines. Moreover, we investigate cognitive aspects of reverse engineering and develop a methodology based on problem solving research and expertise research in order to examine crucial human factors in hardware reverse engineering. Contrary to prior opinion, we show that the development of automated custom tools for reverse engineering and hardware Trojan insertion is not challenging and time-consuming.

Keywords. Gate-level Netlist Reverse Engineering, Cognitive Aspects of Reverse Engineering, Hardware Obfuscation, Hardware Trojans, Graph Similarity

Acknowledgements

I want to express my sincere gratitude to my Doktorvater Christof Paar for his continuous excellent advice far beyond the scope of research. His positive and inspiring nature formed an outstanding education for both research and teaching. In particular, I want to thank him for pushing Philipp, Benjamin, and myself to founding our start-up.
Moreover, my sincere thanks are given to Russell Tessier for being like a second Doktorvater to me, for his excellent guidance in the field of computer architecture and for improving my writing. Moreover, I want to thank Irmgard for her overall support with any office and administration issues, and our office (chit)chat. Furthermore, thanks to Horst for solving all technical issues and satisfying our technical requirements. Many thanks to all my colleagues at EMSEC, SYSSEC, and SecHuman for numerous interesting conversations about security research and aspects about research in general. Special thanks to Nicolai for his kind introduction to statistics research and our conversations about technology. Another special thanks goes to Nikol, Malte, Sebastian and Carina for being so patient in teaching me psychology. I want to thank our Chaos WG with Philipp, Benjamin, and Christian for exploration of IT-security research as well as our spare time enjoyed together. In addition, I want to thank my office mates (in chronological order) Ingo, Christian, Pawel, Max, Sebastian, and Nils for numerous inspiring technical and non-technical discussions. My sincere gratitude to all my co-authors and colleagues for spending nights in the office right before submission deadlines and all of my students I supervised during my research time — I was very lucky to supervise you and learned a lot from you! Last but not least I want to thank my family and friends for their love and support throughout the years.

Table of Contents

Imprint
Preface
Abstract
Summary
Acknowledgements

I Introduction
1 Introduction

II Background
2 Technical Background
2.1 Hardware Design Process
2.2 Gate-level Netlists
2.3 Adversary Model
2.4 Hardware Reverse Engineering
2.4.1 Chip-level Reverse Engineering
2.4.2 FPGA Bitstream Reverse Engineering
2.4.3 Gate-level Netlist Reverse Engineering
2.5 Hardware Trojan Detection and Manipulation
2.6 Hardware Protection

III Gate-level Netlist Reverse Engineering
3 HAL - Gate-level Netlist Reverse Engineering and Manipulation