AttackGNN: Red-Teaming GNNs in Hardware Security Using Reinforcement Learning
Vasudev Gohil, Satwik Patnaik, Dileep Kalathil, Jeyavijayan Rajendran

TL;DR
This paper introduces AttackGNN, a reinforcement learning-based method to generate adversarial circuits that successfully fool GNN-based hardware security techniques across multiple problem classes, exposing their vulnerabilities.
Contribution
It presents the first red-team attack on GNN-based hardware security methods using RL to craft adversarial examples, demonstrating widespread vulnerabilities.
Findings
Achieved 100% success rate in fooling GNNs across all tested security tasks.
Developed a scalable RL agent effective against multiple GNN-based defenses.
Highlighted critical robustness gaps in current GNN-based hardware security techniques.
Abstract
Machine learning has shown great promise in addressing several critical hardware security problems. In particular, researchers have developed novel graph neural network (GNN)-based techniques for detecting intellectual property (IP) piracy, detecting hardware Trojans (HTs), and reverse engineering circuits, to name a few. These techniques have demonstrated outstanding accuracy and have received much attention in the community. However, since these techniques are used for security applications, it is imperative to evaluate them thoroughly and ensure they are robust and do not compromise the security of integrated circuits. In this work, we propose AttackGNN, the first red-team attack on GNN-based techniques in hardware security. To this end, we devise a novel reinforcement learning (RL) agent that generates adversarial examples, i.e., circuits, against the GNN-based techniques. We…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Physical Unclonable Functions (PUFs) and Hardware Security
Methods: Graph Neural Network
