A comprehensive metering scheme for intellectual property protection during both after-sale and evaluation periods of IC design

Transcription

1 LETTER IEICE Electronics Express, Vol.10, No.19, 1 11 A comprehensive metering scheme for intellectual property protection during both after-sale and evaluation periods of IC design Aobo Pan, Yaping Lin a), Wenjie Che, Zhiqiang You, Yonghe Liu, and Jinguo Li College of Information Science and Engineering Hunan University Changsha China a) yplin hnu edu cn Abstract: In this paper, we propose a comprehensive scheme that simultaneously achieves IP protection in both after-sale and evaluation periods. Our key idea is to build a pre-verification path into an active metering structure, with a non-functional defect purposely attached to the path, rendering any potential pirating users unwilling to risk the defective behavior of the fabricated chips. Using the MCNC 91 benchmarks, we achieve a large area-to-power ratio proving the feasibility of our scheme. At the same time, compared with a well-known metering scheme, the proposed scheme can significantly improve the robustness against brute-force attack, roughly by an average value of per layer. The scheme can also reduce the area and power overhead by 4.4% and 11.2% on average considering an extra 5 to 10 layers. Keywords: intellectual property protection (IPP), IC design, hardware metering, finite state machine (FSM), physically unclonable function (PUF) Classification: Integrated circuits References [1] Defense science board (DSB) study on high performance microchip supply (2005) report_final. pdf [2] M. Jacome and H. Peixoto: IEEE Des. Test Comput. 18 [3] (2001) 98. [3] VSI Alliance - IP Protection Development Working Group. The valueand management of intellectual assets (2000) datasheets/tocippwp210.pdf [4] R. Colin Johson: Antipiracy scheme aims protect chip makers. [5] Intellectual Poperty Protection: Schemes, Alternatives and Discussion, VSI AllianceTM White Paper. 1

2 download?doi= &rep=rep1&type=pdf [6] A. Oliveira: IEEE Trans. Computer-Aided Design Integr. Circuits Syst. 20 [9] (2001) [7] A. Cui, C. H. Chang, S. Tahar and A. T. Abdel-Hamid: IEEE Trans. Computer-Aided Design Integr. Circuits Syst. 30 [5] (2011) 678. [8] Y. Alkabani, F. Koushanfar and M. Potkonjak: Proc. Int. Conf. Computer-Aided Design (2007) 674. [9] Y. Alkabani and F. Koushanfar: Proc International Conference on Compilers, Architecture, and Synthesis for Embedded Systems (2008) 227. [10] Altera Corporation, Method and Apparatus for Controlling Evaluation of Protected Intellectual Property in Hardware, U.S. Patent [11] R. S. Chakraborty and S. Bhunia: IEEE Trans. Computer-Aided Design Integr. Circuits Syst. 28 [10] (2009) [12] T. Batra: Methodology for Protection and Licensing of HDL IP. [13] Recommended Practice for Encryption and Use Rights Management of Electronic Design Intellectual Property (IP). bin/view.cgi/p1735/webhome [14] S. Narasimhan, R. Chakraborty and S. Bhunia: IEEE Des. Test Comput. 29 [3] (2011) 70. [15] M. Tehranipoor, H. Salmani, X. Zhang, X. Wang, R. Karri, J. Rajendran and K. Rosenfeld: Computer 44 [7] (2011) 66. [16] Y. Alkabani and F. Koushanfar: Proc. IEEE Int l Workshop Hardware- Oriented Security and Trust (2008) 82. [17] S. T. King, J. Tucek, A. Cozzie, C. Grier, W. Jiang and Y. Zhou: First USENIX Workshop on Large-Scale Exploits and Emergent Threats (2008). [18] X. Zhang and M. Tehranipoor: Proc IEEE Int l Symp. Hardware- Oriented Security and Trust (2011) 67. [19] F. Koushanfar: IEEE Trans. Inf. Forensics Security 7 [1] (2012) 51. [20] B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan and K. Yang: Proc. 21st Annual International Cryptology Conference on Advances in Cryptology (2001) 1. [21] R. Chakraborty and S. Bhunia: 23rd International Conference on VLSI Design (2010) 405. [22] A. Maiti, I. Kim and P. Schaumont: IEEE Trans. Inf. Forensics Security 7 [1] (2012) 333. [23] M. Majzoobi, F. Koushanfar and M. Potkonjak: Proc IEEE/ACM International Conference on Computer-Aided Design (2008) 670. [24] P. Zhang: Dynamic Power Optimization with IC Compiler and PrimeTime PX. dynamic-power-optimization-with-ic-compiler-and-primetime-px 1 Introduction With the growing demand for expanded functionality, reduced form factor, and increased performance, designing and fabricating sophisticated and 2

3 miniaturized IC products generally requires significant investments in both time and money [1]. To reduce cost and shorten time-to-market, The IC industry has introduced reuse based IP paradigm that is becoming prevalent these days in the industry [2]. Unfortunately, IP-reuse mechanisms possess various vulnerabilities in the face of different forms of IP piracy, presenting great challenges in protecting the rights of all the entities in the design model [3, 4]. Indeed, IP piracy has emerged as the most pressing threat in the industry, leading to tremendous loss every year [5]. As reused IP cores usually experience both the IP evaluation period where the IP core is evaluated and verified by potential clients, and the after sale period where the IP cores will be put into production, techniques protecting reused IPs must be able to defend possible IP infringements during these two major stages in the design flow. While intensive efforts have been devoted to protect IP cores during these two stages, they often have to be performed separately using different techniques, unable to create an integral and unified user experience for the designers. In this paper, we propose a comprehensive scheme that is able to simultaneously achieve IP protection during the two different periods. Fig. 1 depicts the existing separate IPP schemes versus our proposed unified comprehensive scheme. Fig. 1. Existing IP protection schemes vs. our comprehensive scheme Extensive study exists in the literature for protecting reused IP in these two stages. For IP safeguarding during the after-sale period, a variety of techniques have been proposed including passive methods like watermarking [6, 7] as well as active methods like hardware metering [8, 9], encryption [10] and obfuscation [11]. Active hardware metering can achieve higher efficiency in preventing IP infringements by providing a series of locking and unlocking mechanisms to prohibit illegal overbuilding. In these mechanisms, IP vendors and IC designers can take active control of the post-silicon fabrication process and their rights are therefore protected. However, existing IC metering schemes has only focused on protecting the post-evaluation IPs, generally ignoring the evaluation period. Several methods are also proposed to protect IPs during the evaluation period. Traditionally, IP vendors can send an encrypted IP core to IC designers, where the decryption process along with the simulation and synthesis can only be performed on a specific platform provided by the IP vendors [12]. Recently, the industry has introduced a specific design platform which enables IC designers to evaluate IPs on a user-transparent form [13]. To overcome the flexibility issue associated with fixed design platforms, an IP evaluation protection approach employing a sequential 3

4 hardware Trojan (SHT) structure is proposed in [14]. A SHT works as a time-bomb which puts an expiry for the evaluation period. Once the evaluation period is over, SHT will cause expected malfunctions, which will prevent illegal use of the evaluation copy. However, by embedding a malicious SHT into the supplied IPs for evaluation, IC designers are exposed to potential risks as similar malicious SHTs can also be embedded into after-sale IPs. This IP trust issue has been demonstrated in recent studies where malicious Trojans are implanted by potential un-trusted IP designers in after-sale IPs [15, 16, 17, 18]. Therefore, addressing the security issue of the IC designer is an open challenge for an HT method. In this paper, we address the above challenges by designing a comprehensive scheme that can provide IP protection for both after-sale period and evaluation period simultaneously. Our key idea is to combine the metering structure with a specifically designed verification-path achieving IP protection in both periods. Toward this, we propose a new finite state machine (FSM) based metering structure that has improved robustness against brute-force attack with lower area and power overhead. We show that the proposed scheme address the security concerns of IC designers owing to SHT while also safeguarding the IP core throughout the entire design process. 2 Overview of the proposed scheme In this section, we provide an overview of the proposed scheme. Traditionally, IP designers will introduce a metering mechanism to actively control the number of legally fabricated IC chips for after-sale IP protection. For IP protection during verification and evaluations, IP vendors may provide an evaluation version, protected by a Sequential Hardware Trojans inserted into the evaluation FSMs [14]. Unfortunately, this approach cannot ensure to the IC designer that after-sale IP will function as verified and Trojan free, owing to the fact that different versions are used in evaluation and after-sale periods. To address this issue, in our proposed scheme, we introduce a preverification path attached to an improved active metering structure. While our scheme is based on the metering framework described in [9], we introduce a few techniques to achieve the goal. Firstly, we propose a new metering structure to substitute the Replicated-FSM (RFSM) based metering structure proposed in [8], achieving an improved robustness against brute-force attacks. Secondly, enabled by the resulting robustness, we introduced a pre-verification path to the proposed metering part. This added pre-verification path is constructed through which IC designers can enter the unlocked state to do functional simulations and verification of the original after-sale FSM design. To ensure that the path is for evaluation only, we purposely attach a Ring Oscillator (RO) triggering mechanism which will generate non-functional defects in the post-silicon period, making illegal users unwilling to risk the defective behavior in manufactured chips. To ensure the integrity of the attached RO mechanism to the verification path, we assign the monitoring and verification task of the RO triggering mechanism to a trusted third party (TTP). This scheme is illustrated in Fig. 2. The three main parties in the design process are IP designers, IC designers and the foundry. Additionally, a 4

5 TTP is also involved to undertake the tasks of authentication, key management, and RO monitoring in the evaluation path. During a normal design cycle, IP vendors will first send their IP cores that are locked by the comprehensive metering scheme to IC designers. The keys of the after-sale metering part should be kept private and sent to the TTP. Simultaneously, the keys used for evaluation should be made public. Then IC designers utilize the public keys of the pre-verification path to enter the original FSM unlocked state to perform simulations and verifications of the original design. After ensuring the correctness and conformity of the pre-verified IPs, the IC designers then ask the foundry to manufacture a certain number of the integrated chips. Noticing that, the chips which are consisted of varieties of IPs should be locked again by the IC designers. These keys owned by IC designers are also sent to the TTP. In order to unlock each single chip, the foundry has to turn to a TTP for their unique unlocking keys of the after-sale metering part of each IC and IP respectively. Any adversary who attempts to use a fabricated chip through the verification path has to suffer the bad performance of it. This way, the illegal overbuilding issue is prevented for each IP vendor and a reliable preverification requirement from IC designers is also safely provided by the IP vendors. Furthermore, the entire verification for both parts is performed on a single copy of the IP core, which is different from existing methods. Fig. 2. Overview of the proposed scheme 3 Comprehensive metering scheme In this section, we introduce a new IC metering structure that will enable us to later on add the verification path without altering the original function. Different from the RFSM metering structure, we employ a hierarchical FSM (HFSM) metering structure that possesses much higher secure level against brute-force attack. Moreover, the physically unclonable function (PUF) is used for the ID generation of each chip in our scheme. Luckily, there already exist numerous of weak or strong PUF structures could achieve this goal [8, 9, 19, 23]. The only realistic assumption we made is that the PUF used in the structure could generate stable responses. A. The hierarchical FSM based metering structure The HFSM is depicted in Fig. 3. Here the HFSM contains the original FSM, the metering part, and the verification path enclosed in the dotted box. In the metering part, we assign the first state of the added HFSM S R as the 5

6 new fixed power-up state. S R begins as the top state with two transitional edges connected to the other two states S 1 and S 2. The transitional input of the original FSM is defined as an m bits long value, denoted by {b 1 b 2... b k...b m } i, where i represents the i-th transition layer. Fig. 4 shows the structure of the m-bit long transitional input. The first bit b 1 is decided by the PUF response and the rest m 1 bits are provided by the IP designer as a private key K j {1j2n} for every transition layer. For example, the transitional input 1_K 1 from S R to S 1 is an m bits long value, where 1 stands for {b 1 } 1 and K 1 is the rest m 1 bits key {b 2...b m } 1, as is shown in Fig. 3. Since {b 1 } i determines the key that is required for the i-th layer, a unique n-bit PUF response would determine a unique set composed of n keys: {{b 2...b m } 1, {b 2...b m } 2,..., {b 2...b m } n } to unlock an N-layer HFSM. Assume that the first two bits of a PUF response are 10, then the first two transitional paths can be presented by the bold dotted line in Fig. 3. After n 1 transitional steps, the current state will either be S n 1 or S n. Notice that there is only one transitional path for S n 1 and S n to jump to the final unlocked state S 0, the first bit b 1 in the last layer should be disregarded. Fig. 3. Details of the comprehensive metering structure B. Netlist modification After the FSM has been modified in the high level, the register transfer level (RTL) code will be synthesized to the gate level netlist. Due to the unique public keys in the FSM which is shown in the bottom of Fig. 4, a sole combination would exist in the netlist to construct the trigger. Fig. 5 shows the netlist modification process. Firstly, the public keys are used to perform the logic simulation. Necessary logic values will be recorded and then decide the Boolean function of the trigger which is finally linked to the RO. The above described process will successfully modify the netlist. Anyone who use this public keys to reach the original FSM will trigger the RO immediately, and suffer from an extra huge power consumption. The Fig. 4. Structure of the m-bit long transition input 6

7 Fig. 5. RO embedding and triggering process remaining step is to re-synthesize it. The resynthesis process can be seen as a function of obfuscation that transforms the original design into a functional equivalent one but more difficult to be reverse engineered [19]. This is desirable as our objective is to hide the added states and secret information of our circuits. Interested readers are referred to [19, 20, 21] for detailed discussion regarding this. 4 Security analysis In this section, we analyze the security issues of the proposed scheme. We consider several types of attacks that IC designers and foundries may launch. Because of their distinct interests and objectives, we analyze the threats from the foundry and IC designers perspectives separately. A. Attacks from the foundry and countermeasures 1) Brute-force attack This type of attack aims at guessing the keys of each step with no prior knowledge of the HFSM. For this type of attack, we provide a comparison between our HFSM structure and the RFSM structure. The results are summarized in Table I. Here, we analyze eight benchmarks with different input length. The third column denotes the security level of our scheme while N layers are added. Compared with the security level of the RFSM scheme presented in the sixth column, our scheme can improve the security level against brute-force attack by 2 N*7.4 on average. However, an intelligent attacker may use the previous used keys to increase the attack efficiency. Fortunately, recent literatures on PUFs show a property that the hamming distance of PUF responses is always approaching to 50% [22]. Therefore, it is still exponentially hard to compute the unknown keys. 2) Reverse engineering of HFSM An adversary may attempt to infer the added HFSM structure from the manufacturing files received from the designer. However, this process is 7

8 Table I. Brute-force robustness comparison between the HFSM metering structure and the RFSM structure regarded computationally intractable. It is extremely costly and time consuming for an adversary to successful reverse-engineer a design in GDSII format. 3) PUF emulation The emulation attack tries to construct a model that is able to simulate or emulate the PUF behaviors on the hardware. If the process succeeds, the characteristic of the hardware PUF is cloned and the PUF CPRs behavior can be predicted. Fortunately, current PUF technology effectively renders this attack impractical [23]. B. Attacks from the IC designer and countermeasures 1) Combinational redundancy removal The attackers can try to remove the combinational logic part or FFs which are not essential for the proper functionality of the design. In our design, merging the HFSM structure into the original sequential functions makes this attack ineffective [8, 9]. Furthermore, attackers have to compute a set of reachable states, which can only be done and applicable for relatively small circuits. 2) PUF removal/tampering attack A dishonest IC designer may connect the PUF interface only with their own HFSM, not with the purchased IPs. In addition, a fixed signal could be linked to the IPs so that the keys would be the same for every product. To prevent this, in our design, we have introduced the TTP to verify both the functions of PUF and the interface connection between the PUF and ICs. 3) RO removal attack To avoid extra power consumption while using the ICs illegally, attackers may attempt to remove the RO which is not the original function of the IPs. Similar to the PUF removal attack described above, the TTP can insure that RO is correctly built in the ICs. 5 Experimental results In this section, we present an extensive set of experimental results to 8

9 demonstrate the effectiveness of the proposed scheme. We employ the sequential benchmarks from the MCNC 91 set and the Synopsys Design Circuit tool for synthesis. We have written a JAVA program to modify the original FSM in KISS format and use the kiss2vl tool to convert the format from KISS to Verilog. This way, we can use Synopsys DC to read and synthesize it. Then the RO is inserted into the netlist and the final resynthesis is performed. We do not use any optimization commands in the synthesis level. The reasons are twofold: 1) different optimization direction can lead to different overhead; 2) it is difficult to select an unbiased optimization commands when we compare our experiment results with others. The overhead of power consumption is defined as the total dynamic power which consist of net switching and cell leakage power, and the delay is defined as the critical path delay. Table II shows the experimental overhead on nine different benchmarks with a five-layer metering structure and an RO consisting of six delay cells (sixteen inverters per cell). The first and second columns represent the benchmark names and the input length respectively. The rest of the columns are mainly divided into three parts: (a) original benchmark, (b) general metering structure, and (c) comprehensive metering structure. Our evaluation metrics for each part include area, power, and delay overhead of the scheme. The percentages in (b) are the ratio of the results in (b) to that in (a), and the percentages in (c) are the ratio of the results in (c) to that in (b). As we can see, the average percentage of overhead in (b) is 140.6%, 160.9%, 109.2% for area, power, and delay respectively. We also notice that the percentages of overhead become smaller as the circuit size increases. The results demonstrate an acceptable implementation overhead for small circuits and a negligible overhead for large circuits. In (c), the average percentages of area, power overhead are 110.4% and 630.3% respectively, indicating that we could greatly increase the power consumption with insignificant/slight area overhead. Table II. Overhead of comprehensive metering scheme implemented on MCNC 91 benchmark Fig. 6 shows the effectiveness of the RO mechanism for large circuits. Here we select a relatively large benchmark s298 as our experimental circuit. We expect to gain a high power consumption from the RO with acceptable area overhead. Considering that the large circuit is insensitive to the growth of area and power, we build more delay cells to construct the RO to observe the change of overhead. From the Fig. 6, evidently the power consumption is increasing much faster than the area overhead. 9

10 Fig. 6. Area and power overhead for s298 while adding different number of delay cells When 66 delay cells are added to s298, the power overhead rises to 325.5% while the area overhead is only 110.2%. The results demonstrate that it is possible to gain a large power-to-area ratio from the added RO, effectively preventing un-trusted users from pirating the chips. We also compared the area, power and delay overhead of the two metering structures on three different benchmarks. As is shown in Fig. 7 to Fig. 9, the X-axis represents the number of layers (from 1 to 10), and the Y- axis represents the overhead ratio of our HFSM to RFSM, i.e., the overhead of the RFSM is regarded as the base standard. Though the delay overhead is oscillating from 60% to 130%, the area and power overheads are Fig. 7. Area, delay and power overhead ratio of our HFSM structure compared to the RFSM structure for adding 1 10 layers for benchmark styr Fig. 8. Area, delay and power overhead ratio of our HFSM structure compared to the RFSM structure for adding 1 10 layers for benchmark s820 10

11 Fig. 9. Area, delay and power overhead ratio of our HFSM structure compared to the RFSM structure for adding 1 10 layers for benchmark s298 consistently in a downtrend as the number of layers increases. The reason is that there are fewer states per layer in our HFSM metering structure. The jitter of the power overhead can be attributed to the influence of the unoptimized net switching power [24]. For security purpose, longer secret keys are needed in practice to enhance the robustness of the metering structure, which requires more added layers. Therefore, results for layer numbers from 5 to 10 are more critical and practical. For benchmark styr, the average reduced percentages of area and power overhead for adding 5 to 10 layers are 1% and 14.9% respectively. For s820 and s298, the average reduced percentages of area are 5.5% and 5.6%, and that of power are 14.9% and 2.7% respectively. The results demonstrate that our HFSM structure generates smaller area and power overhead compared to the RFSM metering structure. 6 Conclusions In this paper, we propose a comprehensive metering structure that enables an IC designer to perform evaluation and verification on the true after-sale IP version while simultaneously allowing metering by the IP designer. Our key technique, the newly added verification path, uses an embedded RO triggering mechanism to prevent foundry from post-silicon bypassing of the metering structure. Experimental results show that the RO triggering structure achieves a large power-to-area ratio, which manifests the effectiveness and compatibility of the evaluation path to the metering part. Evaluations on the area, power and delay overhead demonstrate that our metering structure has exponentially improved the robustness against brute force attack with lower overhead compared to the RFSM metering structure. Acknowledgments This work is partly supported by the National Natural Science Foundation of China (No ). 11