University of Connecticut OpenCommons@UConn Doctoral Dissertations University of Connecticut Graduate School 5-20-2020 Physical Unclonable Functions for Authenticating and Preventing Reverse Engineering of Integrated Circuits and Electronics Hardware Md Shahed Enamul Quadir University of Connecticut - Storrs, [email protected] Follow this and additional works at: https://opencommons.uconn.edu/dissertations Recommended Citation Enamul Quadir, Md Shahed, "Physical Unclonable Functions for Authenticating and Preventing Reverse Engineering of Integrated Circuits and Electronics Hardware" (2020). Doctoral Dissertations. 2531. https://opencommons.uconn.edu/dissertations/2531 Physical Unclonable Functions for Authenticating and Preventing Reverse Engineering of Integrated Circuits and Electronics Hardware Md Shahed Enamul Quadir, PhD University of Connecticut, 2020 Electronics hardware is subject to a number of potential threats such as reverse en- gineering and counterfeiting. As a result, hardware authentication mechanisms and anti- reverse engineering techniques such as obfuscation and tamper-resistance are essential. In this thesis, we will present methods to approach these problems, and the primary research contributions of this thesis are a Low pass filter PUF for the authentication of PCBs and ICs; Key generation for hardware obfuscation using strong PUFs; and Session key genera- tion using strong PUF modeling. Physical Unclonable Functions (PUFs) are probabilistic circuit primitives that extract randomness from the physical characteristics of a device. In this work, we propose a novel PUF design based on resistor and capacitor variations for low pass filters (LoPUF). We extract the process variations present at the output of the filter with the use of an inverter to digitize the output and a counter to measure output pulse widths. We have created a process to select RC pairs that can be used to reliably generate authentication IDs. The Md Shahed Enamul Quadir, PhD University of Connecticut, 2020 LoPUF has been evaluated in the context of both printed circuit boards and integrated circuits. As a result of the increased use of contract foundries, IP theft, excess production and reverse engineering are major concerns for the electronics and defense industries. Hardware obfuscation and IP locking can be used to make a design secure by replacing a part of the circuit with a key-locked module. In order to ensure each chip has unique keys, we propose a strong PUF-based hardware obfuscation scheme to uniquely lock each chip that is less area intensive than previous work. Communication with embedded systems can be problematic because they are limited in their capability to implement public key encryption and client-side authentication. In this work, we introduce a session key generation mechanism using PUFs. We propose a novel dynamic key generation method that depends on the ability to model certain PUF circuits using machine learning algorithms. Our proposed method also mitigates tampering attacks as no information is stored between subsequent keys. We have shown the effectiveness of our method with error-correcting capability to keep the outputs of the PUF from noise. Physical Unclonable Functions for Authenticating and Preventing Reverse Engineering of Integrated Circuits and Electronics Hardware Md Shahed Enamul Quadir B.S., Bangladesh University of Engineering and Technology, 2009 MSEE, University of Alabama at Birmingham, 2012 A Dissertation Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy at the University of Connecticut 2020 i Copyright by Md Shahed Enamul Quadir 2020 ii APPROVAL PAGE Doctor of Philosophy Dissertation Physical Unclonable Functions for Authenticating and Preventing Reverse Engineering of Integrated Circuits and Electronics Hardware Presented by Md Shahed Enamul Quadir Major Advisor Prof. John A. Chandy Associate Advisor Prof. Lei Wang Associate Advisor Prof. Faquir Jain University of Connecticut 2020 iii Dedicated to my wonderful parents and my younger brother iv Acknowledgement First of all, I would like to express my sincerest gratitude to my major advisor Professor John Chandy during my Ph.D. work with his mentorship, patience, valuable feedback with his immense knowledge and motivation. I am very grateful to him because he contributed to my research by coming up with magnificent ideas and providing insightful suggestions and feedback as well as his support to overcome numerous obstacles. I sincerely thank my advisor for his continuous support and encouragement and couldn't imagine a better mentor and advisor for my Ph.D. Besides my advisor, I would like to thank Professor Lei Wang, Professor Faquir Jain, Professor Omer Khan, and Professor Helena Silva for their support, helpful comments, and encouragement that helped me to complete my thesis. Furthermore, I am grateful to the Electrical and Computer Engineering department, and, University of Connecticut and their employees for their support during my graduate studies. I would like to thank all teaching faculties and laboratory technicians in the ECE and Physics departments for their help and support during my teaching. I would also like to acknowledge the financial support of the United States National Science Foundation, the ECE Department, the Department of Physics and the Graduate School of the University of Connecticut. Also, I would like to acknowledge all of my teachers, lab mates, colleagues, and friends who were always beside me with their wisdom, assistance, and confidence. v Last but not the least, I would like to show my love to my dearest family: my great parents, and my dearest younger brother. I recognize and remember my father's contribu- tions in each and every achievement of my academic path. My dearest parents deserve my deep feeling of respect for their unconditional love and endless support in every step of my life. It is my greatest honor to dedicate my thesis work to my family. vi Contents I Introduction 1 1 Introduction 2 2 Overview of reverse engineering and countermeasures 7 2.1 Background . 7 2.2 Equipment . 13 2.3 Chip-Level Reverse Engineering (RE) . 15 2.3.1 Decapsulation . 16 2.3.2 Delayering . 17 2.3.3 Imaging . 19 2.3.4 Post-Processing . 20 2.4 Chip-Level Anti-Reverse Engineering . 22 2.4.1 Camouflage . 22 2.4.2 Obfuscation . 23 2.4.3 Other Techniques . 24 2.5 Board-Level Reverse Engineering (RE) . 25 2.6 PCB-level Anti-Reverse Engineering . 31 2.7 System-level Reverse Engineering (RE) . 32 2.7.1 Firmware/Netlist Information Representation . 33 2.7.2 ROM Reverse Engineering (RE) . 35 2.7.3 EEPROM/Flash Reverse Engineering (RE) . 36 2.7.4 Reverse Engineering (RE) of FPGAs . 38 2.8 System-level Anti-reverse Engineering . 41 vii 2.8.1 Anti-reverse Engineering for ROMs . 41 2.8.2 Anti-reverse Engineering for EEPROMs/Flashs . 44 2.8.3 Anti-reverse Engineering for FPGAs . 46 2.8.4 Summary of Anti-RE Techniques for System-Level . 48 2.9 Reverse Engineering Summary . 48 II Authentication of PCBs and ICs 50 3 Authentication of Printed Circuit Board 51 3.1 Introduction . 51 3.2 Prior Related Work . 53 3.3 Proposed Methodology . 54 3.3.1 Mux-Demux Switch . 55 3.3.2 Low pass RC filter . 57 3.3.3 Instrumentation Amplifier . 59 3.4 Results and Analysis using Analog Amplifiers . 61 3.4.1 Experimental Setup . 61 3.4.2 Experimental Results . 61 3.4.3 Voltage Selection Algorithm for RC Pair . 62 3.5 Digital Extraction of the input pulse from the RC filter . 66 3.5.1 Extraction of PUF bits from the RC filter . 66 3.5.2 Simulation Results . 69 3.6 Results and Analysis using Inverter . 69 3.6.1 Experimental Setup . 69 3.6.2 Experimental Results . 70 3.6.3 Pulse width Selection Algorithm for RC Pair . 71 3.7 Discussion . 74 3.8 Conclusion . 76 4 Authentication of IC based on RC variations 78 viii 4.1 Introduction . 78 4.2 Proposed Methodology . 79 4.2.1 Low pass RC filter . 79 4.2.2 Extraction of PUF bits from the RC filter . 80 4.3 Results and Analysis . 82 4.3.1 Experimental Results . 85 4.3.2 Pulse Width Selection Algorithm for RC Pair . 86 4.3.3 Evaluation of LoPUF Under VDD and Temperature Variations . 90 4.3.4 Uniqueness . 92 4.3.5 Randomness . 93 4.3.6 Security measures of the LoPUF against Attacks . 94 4.4 Conclusion . 94 III Hardware Obfuscation 95 5 Key generation for Hardware Obfuscation using Strong PUF 96 5.1 Introduction . 96 5.2 Prior PUF-Based Obfuscation Approaches . 98 5.3 Strong PUF-Based Key Generation . 100 5.3.1 Challenge Selection Process . 102 5.3.2 Chip Activation . 104 5.4 Security Analysis . 105 5.4.1 Manufacturing Attacks . 105 5.4.2 In the Field Attacks . 105 5.5 Performance Analysis . 106 5.5.1 Hardware Complexity . 106 5.5.2 Uniqueness and Reliability of the PUF . 106 5.6 Evaluation . 107 5.7 Conclusions . 110 ix IV Reliable Session Key Generation 112 6 Session Key generation using strong PUF modeling 113 6.1 Introduction . 113 6.1.1 Transport Layer Security (TLS) . 114 6.1.2 Physical Unclonable Functions . 116 6.2 Proposed Approach . 117 6.2.1 Enrollment . 117 6.2.2 Key Reconstruction . 118 6.2.3 Key Refresh . 119 6.2.4 Error Correction . 120 6.3 Discussion . 121 6.4 Conclusions . 123 7 An Efficient Algorithm for Extracting reliable Key from Noisy Data 125 7.1 Introduction . 125 7.2 Related Works . 127 7.3 Entropy Loss in Secure Sketch . 128 7.4 Methodology . 129 7.5 Conclusion . 131 V Anti-RE of Flash Memory 132 8 Anti-RE Techniques for Flash Memories against Backside SCM Probing133 8.1 Introduction . ..