
Non-Invasive Reverse Engineering of One-Hot Finite State Machines Using Scan Dump Data


Bibliographic Details
Published in: IEEE Transactions on Emerging Topics in Computing, 2024-07, Vol. 12 (3), p. 795-809
Main Authors: Dong, Zhaoxuan, Cui, Aijiao, Lu, Hao
Format: Article
Language:English
Description
Summary: A finite-state machine (FSM) is the core control unit of a chip or system. As a high-level design element, the FSM has also been used as the basis of several secure designs, on the assumption that the FSM structure is hard to discern from the netlist or the physical design. These secure designs cannot hold up once the FSM structure is reverse engineered. Reverse engineering the FSM not only gives access to the control scheme of a design, but also poses a severe threat to FSM-based secure designs. Because one-hot encoding is widely adopted in circuit designs, this paper proposes a non-invasive method to reverse engineer one-hot encoded FSMs. Data dumped from the scan chain during chip operation is collected first. The scan data is then used to identify all candidate sets of state registers that satisfy two necessary conditions for one-hot state registers. Association relationships between the candidate registers and the data registers are further evaluated to identify the unique target set of state registers. Finally, the transitions among FSM states are retrieved from the scan dump data of the identified state registers. Experimental results on benchmark circuits of different sizes show that the proposed method identifies all one-hot state registers exactly and retrieves the transitions with high accuracy, whereas existing methods do not achieve a satisfactory correct detection rate for one-hot encoded FSMs.
ISSN: 2168-6750
DOI: 10.1109/TETC.2023.3322299
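The following is an added toy illustration of the pipeline the abstract describes (collect scan snapshots, filter candidate one-hot register sets, disambiguate with data-register association, read off transitions). It is example code written for this page, not the paper's implementation. The two necessary conditions it applies (every snapshot has exactly one register of the set asserted, and no register in the set is constant), the association score (with the right state registers, the data-register update is deterministic), and the rule that registers appearing in no candidate set are treated as data registers are this example's own assumptions, not the paper's definitions. The scan dump is constructed by simulating a 4-state one-hot machine with a 2-bit counter and a derived busy flag; the busy flag deliberately creates a false one-hot candidate so the association step has something to reject.

```python
"""Toy recovery of a one-hot FSM from scan-dump snapshots (added example)."""
from itertools import combinations

# Constructed design, flop names in scan-chain order: four one-hot state
# flops, a 2-bit counter, and busy = NOT idle (a derived flag).
REGS = ["s_idle", "s_load", "s_run", "s_done", "cnt0", "cnt1", "busy"]
STATE_NAMES = ["IDLE", "LOAD", "RUN", "DONE"]


def simulate(cycles):
    """Constructed scan dump: one tuple of flop values per captured cycle.

    FSM (no external inputs): IDLE -> LOAD -> RUN (counts 0..3) -> DONE -> IDLE.
    LOAD clears the counter, RUN increments it, the other states hold it.
    """
    dump, state, cnt = [], 0, 0
    for _ in range(cycles):
        onehot = [int(i == state) for i in range(4)]
        dump.append(tuple(onehot + [cnt & 1, (cnt >> 1) & 1, int(state != 0)]))
        if state == 0:
            state = 1
        elif state == 1:
            state, cnt = 2, 0
        elif state == 2:
            state = 3 if cnt == 3 else 2
            cnt = (cnt + 1) & 3
        else:
            state = 0
    return dump


def one_hot_candidates(dump, max_width=4):
    """Column sets satisfying the two assumed necessary conditions."""
    n = len(dump[0])
    # Condition 1 (assumed): drop constant columns, they carry no state.
    live = [c for c in range(n) if 0 < sum(row[c] for row in dump) < len(dump)]
    found = []
    for width in range(2, max_width + 1):
        for cols in combinations(live, width):
            # Condition 2 (assumed): exactly one member asserted in every snapshot.
            if all(sum(row[c] for c in cols) == 1 for row in dump):
                found.append(cols)
    return found


def active_index(row, cols):
    """Position within cols of the single asserted register."""
    return [row[c] for c in cols].index(1)


def data_columns(dump, candidates):
    """Assumption: flops that appear in no candidate set are data registers."""
    in_any = {c for cols in candidates for c in cols}
    return [c for c in range(len(dump[0])) if c not in in_any]


def association_score(dump, cols, data_cols):
    """Negative count of conflicting (state, data) -> next-data observations.

    Assumption: if cols are the true state registers, (active state, data) is
    the whole machine state, so the data update is deterministic (score 0).
    A false candidate hides information and yields conflicts (score < 0).
    """
    seen, conflicts = {}, 0
    for cur, nxt in zip(dump, dump[1:]):
        key = (active_index(cur, cols), tuple(cur[c] for c in data_cols))
        val = tuple(nxt[c] for c in data_cols)
        if seen.setdefault(key, val) != val:
            conflicts += 1
    return -conflicts


def pick_state_registers(dump, max_width=4):
    """Unique target set: best association score, widest set on ties."""
    cands = one_hot_candidates(dump, max_width)
    data_cols = data_columns(dump, cands)
    return max(cands, key=lambda c: (association_score(dump, c, data_cols), len(c)))


def extract_transitions(dump, cols):
    """Observed (from, to) pairs of active-state indices between snapshots."""
    return {(active_index(a, cols), active_index(b, cols))
            for a, b in zip(dump, dump[1:])}


if __name__ == "__main__":
    dump = simulate(24)
    cands = one_hot_candidates(dump)
    data_cols = data_columns(dump, cands)
    for cols in cands:
        print([REGS[c] for c in cols], "score", association_score(dump, cols, data_cols))
    cols = pick_state_registers(dump)
    print("state registers:", [REGS[c] for c in cols])
    for a, b in sorted(extract_transitions(dump, cols)):
        print(f"  {REGS[cols[a]]} -> {REGS[cols[b]]}")
```

Running it shows why the two conditions alone are insufficient: both `{s_idle, busy}` and the true set `{s_idle, s_load, s_run, s_done}` pass the exactly-one test, and only the association step separates them, because LOAD and RUN both look identical through `busy` yet update the counter differently. The subset enumeration is O(n^w) in the number of flops and the maximum width and is only meant for small dumps; a real scan dump would need the kind of pruning and candidate selection the paper develops.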