Michaela Brunner
Abstract
The target of sequential reverse engineering is to extract the state machine of a design. Sequential reverse engineering of a gate-level netlist consists of the identification of so-called state flip-flops (sFFs), as well as the extraction of the state machine. The second step can be solved with an exact approach if the correct sFFs and the correct reset state are provided. For the first step, several more or less heuristic approaches exist.
This work investigates sequential reverse engineering with the objective of a human-readable state machine extraction. A human-readable state machine reflects the original state machine and is not overloaded by additional design information. For this purpose, the work derives a systematic categorization of sFF sets, based on properties of single sFFs and their sets. These properties are determined by analyzing the degrees of freedom in describing state machines as the well-known Moore and Mealy machines. Based on the systematic categorization, this work presents an sFF set definition for a human-readable state machine, categorizes existing sFF identification strategies, and develops four post-processing methods. The results show that post-processing predominantly improves the outcome of several existing sFF identification algorithms.
- [1] . 2020. DANA universal dataflow analysis for gate-level netlist reverse engineering. IACR Transactions on Cryptographic Hardware and Embedded Systems 2020, 4 (2020), 309–336. Google Scholar
Cross Ref
- [2] . 2006. Optimum and heuristic algorithms for an approach to finite state machine decomposition. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 10, 3 (
Nov. 2006), 296–310. Google ScholarDigital Library
- [3] . 2009. Gephi: An open source software for exploring and manipulating networks. In Proceedings of the 3rd International Conference on Weblogs and Social Media (ICWSM’09). http://www.aaai.org/ocs/index.php/ICWSM/09/paper/view/154.Google Scholar
- [4] . 2019. Improving on state register identification in sequential hardware reverse engineering. In Proceedings of the 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST’19). 151–160. Google ScholarCross Ref
- [5] . 2000. RT-level ITC’99 benchmarks and first ATPG results. IEEE Design & Test of Computers 17, 3 (2000), 44–53. Git: https://github.com/squillero/itc99-poli.Google ScholarDigital Library
- [6] . 1988. Decomposition and factorization of sequential finite state machines. In Proceedings of the IEEE International Conference on Computer-Aided Design (ICCAD’89): Digest of Technical Papers. 148–151. Google ScholarCross Ref
- [7] . 2018. On the difficulty of FSM-based hardware obfuscation. IACR Transactions on Cryptographic Hardware and Embedded Systems 2018, 3 (
Aug. 2018), 293–330. Google ScholarCross Ref - [8] . 2020. RELIC-FUN: Logic identification through functional signal comparisons. In Proceedings of the 2020 57th ACM/IEEE Design Automation Conference (DAC’20). 1–6. Google ScholarCross Ref
- [9] . 1960. Symbolic analysis of a decomposition of information processing machines. Information and Control 3, 2 (1960), 154–178. Google ScholarCross Ref
- [10] . 2013. WordRev: Finding word-level structures in a sea of bit-level gates. In Proceedings of the 2013 IEEE International Symposium on Hardware-Oriented Security and Trust (HOST’13). 67–74. Google ScholarCross Ref
- [11] . 2001. Methods and apparatuses for automatic extraction of finite state machines.
US Patent No. US 6,182,268 B1, filed January 5, 1998, issued January 30, 2001 .Google Scholar - [12] . 2016. Gate-level netlist reverse engineering for hardware security: Control logic register identification. In Proceedings of the 2016 IEEE International Symposium on Circuits and Systems (ISCAS’16). 1334–1337. Google ScholarDigital Library
- [13] . 2019. NETA: When IP fails, secrets leak. In Proceedings of the 24th Asia and South Pacific Design Automation Conference (ASPDAC’19). ACM, New York, NY, 90–95. Google ScholarDigital Library
- [14] . 2018. The old frontier of reverse engineering: Netlist partitioning. Journal of Hardware and Systems Security 2, 3 (2018), 201–213. Google ScholarCross Ref
- [15] . 2016. Netlist reverse engineering for high-level functionality reconstruction. In Proceedings of the 2016 21st Asia and South Pacific Design Automation Conference (ASP-DAC’16). 655–660. Google ScholarDigital Library
- [16] . 2019. NetA. Retrieved February 28, 2022 from https://github.com/jinyier/NetA.Google Scholar
- [17] . 1955. A method for synthesizing sequential circuits. Bell System Technical Journal 34, 5 (
Sept. 1955), 1045–1079. Google ScholarCross Ref - [18] . 1998. Finite state machine decomposition for low power. In Proceedings of the 35th Annual Design Automation Conference (DAC’98). ACM, New York, NY, 758–763. Google ScholarDigital Library
- [19] . 1956. Gedanken-experiments on sequential machines. Automata Studies 34 (1956), 129–153.Google Scholar
- [20] . 2015. Flows/FreePDK45. Retrieved February 28, 2022 from https://vlsiarch.ecen.okstate.edu/flow/.Google Scholar
- [21] . 2017. mriscv. Retrieved February 28, 2022 from https://github.com/onchipuis/mriscv.Google Scholar
- [22] . 2017. mriscvcore. Retrieved February 28, 2022 from https://github.com/onchipuis/mriscvcore.Google Scholar
- [23] . 2019. qflow. Retrieved February 28, 2022 from http://opencircuitdesign.com/qflow/.Google Scholar
- . n.d. OpenCores. Retrieved February 28, 2022 from https://opencores.org/projects.Google Scholar
- [25] . 2016. A survey on chip to system reverse engineering. ACM Journal on Emerging Technologies in Computing Systems 13, 1 (April 2016), Article 6, 34 pages. Google ScholarDigital Library
- [26] . 2010. A highly efficient method for extracting FSMs from flattened gate-level netlist. In Proceedings of 2010 IEEE International Symposium on Circuits and Systems. 2610–2613. Google ScholarCross Ref
- [27] . 2018. secworks. Retrieved February 28, 2022 from https://github.com/secworks?tab=repositories.Google Scholar
- [28] . 2013. Reverse engineering digital circuits using functional analysis. In Proceedings of the 2013 Design, Automation, and Test in Europe Conference and Exhibition (DATE’13). 1277–1280. Google ScholarCross Ref
- [29] . 1971. Depth-first search and linear graph algorithms. In Proceedings of the 12th Annual Symposium on Switching and Automata Theory (swat’71). 114–121. Google ScholarDigital Library
- [30] . 2011. The state-of-the-art in semiconductor reverse engineering. In Proceedings of the 2011 48th ACM/EDAC/IEEE Design Automation Conference (DAC’11). 333–338.Google ScholarDigital Library
- . n.d. Yosys Open SYnthesis Suite. Retrieved February 28, 2022 from https://yosyshq.net/yosys/.Google Scholar
Index Terms
- Toward a Human-Readable State Machine Extraction
Recommendations
HISCOAP: a hierarchical testability analysis tool
VLSID '95: Proceedings of the 8th International Conference on VLSI DesignWe describe a time and space efficient technique for evaluating the SCOAP testability measure of a circuit from its hierarchical description. Under the stuck at fault model, the SCOAP measure introduced by Goldstein is known to offer a good estimate of ...
Automated Finite State Machine Extraction
FEAST'19: Proceedings of the 3rd ACM Workshop on Forming an Ecosystem Around Software TransformationFinite state machine (FSM) is a type of computation models widely used in various software programs. Extracting implemented FSMs has many important applications in the networking, software engineering and security domains. In this paper, we first ...
Novel state minimization and state assignment in finite state machine design for low-power portable devices
In this paper, we present a comprehensive method consisting of efficient state minimization and a comprehensive method of state assignment techniques to synthesize finite state machines (FSMs) to optimize power, area, and delay for ''next-state'' logic ...
Comments