TimingSAT: Decamouflaging timing-based logic obfuscation

Abstract

In order to counter advanced reverse engineering techniques, various integrated circuit (IC) camouflaging methods are proposed to protect hardware intellectual property (IP) proactively. For example, a timing-based camouflaging strategy is developed recently representing a new class of parametric camouflaging strategies. Unlike traditional IC camouflaging techniques that directly hide the circuit functionality, the new parametric strategies obfuscate the circuit timing schemes, which in turn protects the circuit functionality and invalidates all the existing attacks. In this paper, we propose a SAT attack, named TimingSAT, to analyze the security of such timing-based camouflaging strategies. We demonstrate that with a proper transformation of the camouflaged netlist, traditional SAT attacks are still effective to decamouflage the new protection methods. The correctness of the resolved circuit functionality is formally proved. While a direct implementation of TimingSAT suffers from poor scalability, we propose a simplification procedure to significantly enhance the attack efficiency without sacrificing the correctness of the decamouflaged netlist. The efficiency and effectiveness of TimingSAT is validated with extensive experimental results.