FuncTeller: How Well Does eFPGA Hide Functionality?

TL;DR

This paper demonstrates that eFPGA-based IP redaction, previously considered secure, can be compromised using FuncTeller, an attack that accurately recovers the protected circuit's functionality through black-box access.

Contribution

The paper introduces FuncTeller, a novel attack method that challenges the assumed security of eFPGA-based IP redaction by effectively retrieving circuit functionality.

Findings

FuncTeller achieves over 85% accuracy in recovering circuit functions.

The attack is effective on diverse circuits including benchmarks and commercial processors.

eFPGA redaction security can be bypassed with black-box analysis.

Abstract

Hardware intellectual property (IP) piracy is an emerging threat to the global supply chain. Correspondingly, various countermeasures aim to protect hardware IPs, such as logic locking, camouflaging, and split manufacturing. However, these countermeasures cannot always guarantee IP security. A malicious attacker can access the layout/netlist of the hardware IP protected by these countermeasures and further retrieve the design. To eliminate/bypass these vulnerabilities, a recent approach redacts the design's IP to an embedded field-programmable gate array (eFPGA), disabling the attacker's access to the layout/netlist. eFPGAs can be programmed with arbitrary functionality. Without the bitstream, the attacker cannot recover the functionality of the protected IP. Consequently, state-of-the-art attacks are inapplicable to pirate the redacted hardware IP. In this paper, we challenge the assumed security of eFPGA-based redaction. We present an attack to retrieve the hardware IP with only black-box access to a programmed eFPGA. We observe the effect of modern electronic design automation (EDA) tools on practical hardware circuits and leverage the observation to guide our attack. Thus, our proposed method FuncTeller selects minterms to query, recovering the circuit function within a reasonable time. We demonstrate the effectiveness and efficiency of FuncTeller on multiple circuits, including academic benchmark circuits, Stanford MIPS processor, IBEX processor, Common Evaluation Platform GPS, and Cybersecurity Awareness Worldwide competition circuits. Our results show that FuncTeller achieves an average accuracy greater than 85% over these tested circuits retrieving the design's functionality.