Reverse Engineering Integrated Circuits Using Finite State Machine Analysis

PNNL-25330

Prepared for the U.S. Department of Energy under Contract DE-AC05-76RL01830

Kiri Oler
Carl Miller

March 2016

DISCLAIMER

This report was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor any agency thereof, nor Battelle Memorial Institute, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or any agency thereof, or Battelle Memorial Institute. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or any agency thereof.

PACIFIC NORTHWEST NATIONAL LABORATORY operated by BATTELLE for the UNITED STATES DEPARTMENT OF ENERGY under Contract DE-AC05-76RL01830

Printed in the United States of America

Available to DOE and DOE contractors from the Office of Scientific and Technical Information, P.O. Box 62, Oak Ridge, TN 37831-0062; ph: (865) 576-8401, fax: (865) 576-5728, email: [email protected]

Available to the public from the National Technical Information Service, U.S. Department of Commerce, 5285 Port Royal Rd., Springfield, VA 22161; ph: (800) 553-6847, fax: (703) 605-6900, email: [email protected], online ordering: http://www.ntis.gov/ordering.htm

This document was printed on recycled paper. (9/2003)

Pacific Northwest National Laboratory
Richland, Washington 99352

Abstract

Due to the lack of a secure supply chain, it is not possible to fully trust the integrity of electronic devices. Current methods of verifying integrated circuits are either destructive or non-specific. Here we expand upon prior work, in which we proposed a novel method of reverse engineering the finite state machines that integrated circuits are built upon in a non-destructive and highly specific manner. In this paper, we present a methodology for reverse engineering integrated circuits, including a mathematical verification of a scalable algorithm used to generate minimal finite state machine representations of integrated circuits.

1 Introduction

The integrity of our computing hardware is of critical concern in industries such as energy generation and distribution, aviation, and health care. Currently, there is no way of verifying the integrity of the entire supply chain, from design to use, to ensure the level of integrity needed. In dividing this work into smaller, more feasible pieces, we have chosen to focus on examining the end product: the integrated circuit (IC). Many modern ICs are built upon finite state machines (FSMs). In this research, we have developed a method for rediscovering the FSM that an IC is built upon using a nondestructive and intelligent brute force method. Prior work has focused on destructive reverse engineering methods that use images of the transistor levels to determine function [1], and non-destructive characterization techniques like power usage, timing delays, current leakage, and EM imaging which can be used to certify an IC against a known-good IC [7, 3, 9].

The mathematical theory behind our approach is presented in two parts. First, we construct a tree representing the IC, and then we determine the underlying state machine based on said tree. The evaluation tree is constructed by evaluating every possible input stream on the IC. Each evaluation tree is unique for each FSM, and any two FSMs that share the same evaluation tree are equivalent. It should be noted that evaluation trees are normal, as defined in [2], meaning the ordering on the nodes is preserved, allowing for the concept of descendant nodes and subtrees, which will be necessary as we proceed. Through basic pattern matching we can reduce the nodes and subtrees to work backwards towards the original state machine. This work will verify that both operations yield a state machine equivalent to the implemented machine. In addition to mathematical verification, we tested our approach using a combined hardware/software implementation.

We begin by discussing the motivation behind this work in greater detail. We then present our contribution to the problem by first providing the mathematical foundation and then outlining the software and hardware implementation used to test our theory.

2 Motivation

Many of the ICs that control our desktop computers, servers, SCADA systems, and a range of other devices are designed in the U.S. but put into silicon overseas [6]. This creates a large gap in our control of the supply chain which puts all systems that use this hardware at risk for modification or injection attacks. Today, many organizations spend enormous amounts of money verifying the integrity of a given piece of hardware; they are then locked in to that hardware for decades afterwards, resulting in obsolete hardware and software running critical systems.

There are a few existing destructive methods for determining if an IC deviates from the original design; these are expensive and time consuming but extremely accurate. Alternatively, there are a variety of non-destructive imaging methods for determining if an unknown IC is different from an assumed-good benchmark IC. However, these methods often only work for large or active differences, and are based on the assumption that the benchmark chip has not been corrupted. What is needed, and what we will detail in the following sections, is an algorithm to enable a fast, non-destructive method of reverse engineering ICs to ensure their veracity. We must assume the worst case scenario in which we have no prior knowledge, no design documents, no labeling, or an out-of-production IC.

Figure 1: Example of a tree with nodes and edges labeled and an example path highlighted in red. (The figure shows root node 0 with edges 0, 1, 2, 3 leading to nodes 1 through 4; each of those nodes has edges 0, 1, 2, 3 leading to nodes 5 through 20.)

3 Prerequisites

Below we define the structures and notation relevant to the proposed method, culminating with the concept of tree equality for the purpose of manipulating those trees representing the FSMs.

3.1 Assumptions

The work presented here relies upon a few critical assumptions:

• The IC state machine must be a Moore FSM (i.e. the output depends only on the machine's state), and more specifically, not a Mealy FSM (i.e. the output depends on both current state and the input).

• An isolated state machine. The FSM must be in isolation and separated from any outside source which may affect the states or state transitions. In practice, this means that the FSM cannot be connected to any sort of non-volatile memory. Also, it cannot be allowed to take any input outside of that which is provided via the algorithmic testing apparatus.

• Scalability is possible. Though we have a theoretic basis for trees with any number of children/input pins, the larger this number, the greater the impact to the efficiency of our algorithm, which is a topic to be explored more thoroughly in future work.

• The single origin point is always accessible.

The FSM will be modeled using a tree structure. More specifically, an FSM is represented as a tree $T$ with a set of nodes $N$, where each node has, at most, $c = 2^x$ children, where $x \in \mathbb{N}^+$, implying the FSM being modeled has $x$ input pins. A node without any children is referred to as a leaf. For algorithmic purposes, nodes are labeled numerically (top to bottom, left to right), beginning with 0 for the root node and reading left to right down each level of the tree. Likewise, edges originating from the same parent node are grouped together and labeled numerically from left to right. See Figure 1 for an illustration of the node and edge labeling conventions. Each node in the tree represents a state in the FSM, with the child nodes representing the states that can be transitioned into from the given node or state. The root node of the tree is the FSM's initial state. A tree with no nodes or children is referred to as the empty tree and denoted $0$. As with the formal definition of a tree, each tree is a set $N$ with $c$ functions defined as follows:

$$S_i : N \to N \cup 0$$

For example, if node $n$ has children $s_1, s_2, \ldots, s_c$, then $S_i : n \to s_i$ for $1 \le i \le c$, or $S_i(n) = s_i$. Additionally, conventions dictate that a tree $T$ is referred to by its root node, meaning notationally $S_1(T)$ refers to the leftmost child of node $T$, which is, in turn, the root node of the leftmost subtree of $T$. Likewise, the subtree labels proceed in ascending order from left to right. Therefore, $S_c(T)$ refers to the rightmost child of $T$ and rightmost subtree of $T$. We write $S_i(T) \le T$ to denote that $S_i(T)$ is a subtree of $T$.
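As an added illustration, not code from the report or its authors, the following Python builds the evaluation tree defined in Section 3 for a constructed Moore FSM and uses it the way Section 1 describes: two machines that produce the same evaluation tree are treated as equivalent, and a machine with one altered transition is distinguished from the reference. Everything here is assumed for the example: the two-state, two-input-pin machines, the 'low'/'high' output names, and the depth bound on the tree (the report's tree is over every input stream; a bounded depth is what can actually be computed, and the example shows that a modification below the chosen depth goes unnoticed).

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MooreFSM:
    """Constructed Moore machine (assumption: not taken from the report).
    An input symbol is the integer read off the x input pins, so there are
    c = 2**x symbols 0..c-1 and transition maps (state, symbol) -> next state."""
    initial: int
    x: int                                   # number of input pins
    transition: Dict[Tuple[int, int], int]
    output: Dict[int, str]                   # Moore: output depends on state only

    @property
    def c(self) -> int:
        return 2 ** self.x


@dataclass
class Node:
    label: int                               # numbered top to bottom, left to right
    output: str
    children: List["Node"] = field(default_factory=list)   # children[i-1] is S_i


EMPTY: Optional[Node] = None                 # the empty tree, written 0 in the report


def evaluation_tree(fsm: MooreFSM, depth: int) -> Node:
    """Evaluate every input stream of length <= depth on fsm and record the
    outputs as a tree. Breadth-first construction reproduces the Figure 1
    labelling: root 0, then 1..c, then c+1..c+c*c, and so on."""
    root = Node(0, fsm.output[fsm.initial])
    queue = deque([(root, fsm.initial, 0)])
    next_label = 1
    while queue:
        node, state, level = queue.popleft()
        if level == depth:
            continue                         # bounded depth: this node is a leaf
        for symbol in range(fsm.c):          # edges labelled 0..c-1, left to right
            nxt = fsm.transition[(state, symbol)]
            child = Node(next_label, fsm.output[nxt])
            next_label += 1
            node.children.append(child)
            queue.append((child, nxt, level + 1))
    return root


def S(tree: Optional[Node], i: int) -> Optional[Node]:
    """S_i(T): the i-th child of T (1 <= i <= c), or the empty tree for a leaf."""
    if tree is not None and 1 <= i <= len(tree.children):
        return tree.children[i - 1]
    return EMPTY


def trees_equal(a: Optional[Node], b: Optional[Node]) -> bool:
    """Equality of evaluation trees: the same output at every node reached by
    the same edge sequence. Node labels are ignored, they are only a numbering."""
    if a is EMPTY or b is EMPTY:
        return a is b
    if a.output != b.output or len(a.children) != len(b.children):
        return False
    return all(trees_equal(S(a, i), S(b, i)) for i in range(1, len(a.children) + 1))


def run(fsm: MooreFSM, stream: List[int]) -> List[str]:
    """Output sequence the machine itself produces for one input stream."""
    state = fsm.initial
    outs = [fsm.output[state]]
    for symbol in stream:
        state = fsm.transition[(state, symbol)]
        outs.append(fsm.output[state])
    return outs


def follow(tree: Node, stream: List[int]) -> List[str]:
    """The same stream walked along the tree: edge label == input symbol."""
    node: Optional[Node] = tree
    outs = [tree.output]
    for symbol in stream:
        node = S(node, symbol + 1)
        if node is EMPTY:
            raise ValueError("stream longer than the tree depth")
        outs.append(node.output)
    return outs


def _machine(s0: int, s1: int, modified: bool) -> MooreFSM:
    """Constructed sample: two input pins (c = 4), two states, outputs low/high.
    With modified=True the transition (s1, 0) is changed so s1 never returns to s0."""
    t = {(s0, 0): s0, (s0, 1): s0, (s0, 2): s1, (s0, 3): s1,
         (s1, 0): s1 if modified else s0, (s1, 1): s1, (s1, 2): s1, (s1, 3): s1}
    return MooreFSM(initial=s0, x=2, transition=t, output={s0: "low", s1: "high"})


REFERENCE = _machine(0, 1, modified=False)
RELABELED = _machine(10, 11, modified=False)   # same behaviour, different state names
MODIFIED = _machine(0, 1, modified=True)       # one transition altered


if __name__ == "__main__":
    t = evaluation_tree(REFERENCE, 2)
    print("root children:", [n.label for n in t.children])
    print("same tree as relabeled:", trees_equal(t, evaluation_tree(RELABELED, 2)))
    print("same tree as modified :", trees_equal(t, evaluation_tree(MODIFIED, 2)))
```

The depth-1 trees of REFERENCE and MODIFIED are identical because the altered transition leaves state 1, which is only reached after one input; the difference appears at depth 2. In practice this is the reason the report insists on evaluating every input stream rather than a fixed prefix: a tree truncated too early cannot separate the implemented machine from the design.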
