SAT-based Reverse Engineering of Gate-Level Schematics using Fault Injection and Probing
Shahrzad Keshavarz, Falk Schellenberg, Bastian Richter, Christof Paar, Daniel Holcomb

TL;DR
This paper enhances SAT-based reverse engineering of gate-level schematics by integrating fault injection and probing techniques, demonstrating improved attack capabilities against camouflaged circuits, especially for complex designs like S-Boxes.
Contribution
It introduces a novel attack combining SAT-based methods with fault analysis to accurately recover gate-level schematics of camouflaged circuits.
Findings
Fault injection improves reverse engineering accuracy.
The approach successfully recovers the schematic of an S-Box.
Enhanced attack outperforms traditional SAT-based methods.
Abstract
Gate camouflaging is a known security enhancement technique that tries to thwart reverse engineering by hiding the functions of gates or the connections between them. A number of works on SAT-based attacks have shown that it is often possible to reverse engineer a circuit function by combining a camouflaged circuit model and the ability to have oracle access to the obfuscated combinational circuit. Especially in small circuits it is easy to reverse engineer the circuit function in this way, but SAT-based reverse engineering techniques provide no guarantees of recovering a circuit that is gate-by-gate equivalent to the original design. In this work we show that an attacker who does not know gate functions or connections of an aggressively camouflaged circuit cannot learn the correct gate-level schematic even if able to control inputs and probe all combinational nodes of the circuit. We…
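The ambiguity the abstract describes, and how injected faults narrow it, shown on a toy circuit. This is an added example, not code from the paper or its authors. Assumptions: the two-gate netlist, the candidate gate set, and the stuck-at fault model on node n1 are all constructed here, and brute-force enumeration stands in for the SAT solver.

```python
from itertools import product

# Constructed toy netlist (not from the paper): n1 = AND(a, b); out = G(x, y).
# The camouflaged gate G hides both its function and which nodes feed it.
GATES = {
    "AND": lambda x, y: x & y,
    "OR": lambda x, y: x | y,
    "XOR": lambda x, y: x ^ y,
    "NAND": lambda x, y: 1 - (x & y),
}
SOURCES = ("a", "b", "n1")
TRUE_CFG = ("AND", "n1", "a")  # the design the oracle chip implements (assumed)

def simulate(cfg, a, b, fault=None):
    """Return (n1, out) for a candidate cfg; fault forces node n1 to 0 or 1."""
    gate, src_x, src_y = cfg
    n1 = (a & b) if fault is None else fault
    node = {"a": a, "b": b, "n1": n1}
    return n1, GATES[gate](node[src_x], node[src_y])

def candidates():
    """Every (function, input, input) hypothesis for the camouflaged gate."""
    return [(g, x, y) for g in GATES for x, y in product(SOURCES, repeat=2)]

def consistent(cfgs, faults=(None,)):
    """Keep hypotheses whose probed nodes match the oracle on every input."""
    keep = []
    for cfg in cfgs:
        if all(simulate(cfg, a, b, f) == simulate(TRUE_CFG, a, b, f)
               for a, b in product((0, 1), repeat=2) for f in faults):
            keep.append(cfg)
    return keep

def run():
    """Compare hypothesis sets: probing every node vs. probing plus faults."""
    probing_only = consistent(candidates())
    with_faults = consistent(candidates(), faults=(None, 0, 1))
    return probing_only, with_faults

if __name__ == "__main__":
    probing_only, with_faults = run()
    print(len(probing_only), "hypotheses survive probing:", probing_only)
    print(len(with_faults), "survive probing plus stuck-at faults:", with_faults)
```

Probing alone cannot separate the hypotheses because n1 always equals a AND b in normal operation, so different wirings produce identical node values; forcing n1 breaks that dependence and leaves only the true gate, up to input order.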
