Paper 2020/751

DANA - Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering

Nils Albartus, Max Hoffmann, Sebastian Temme, Leonid Azriel, and Christof Paar

Abstract

Reverse engineering of integrated circuits (ICs), i.e., understanding the internals of an IC, is required for many benign and malicious applications. Examples of the former are detection of patent infringements, hardware Trojans or IP-theft, as well as interface recovery and defect analysis, while malicious applications include IP-theft and finding insertion points for hardware Trojans. However, regardless of the application, the reverse engineer initially starts with a large unstructured netlist, forming an incomprehensible sea of gates. This work presents DANA, a generic, technology-agnostic, and fully automated dataflow analysis methodology for flattened gate-level netlists. By analyzing the flow of data between individual flip-flops (FFs), DANA recovers high-level registers. The key idea behind DANA is to combine independent metrics based on structural and control information with a powerful automated architecture. Notably, DANA works without any thresholds, scenario-dependent parameters, or other "magic" values that the user must choose. We evaluate DANA on nine modern hardware designs, ranging from cryptographic co-processors and CPUs to OpenTitan, a state-of-the-art SoC, which is maintained by the lowRISC initiative with supporting industry partners like Google and Western Digital. Our results demonstrate almost perfect recovery of registers for all case studies, regardless of whether they were synthesized as FPGA or ASIC netlists. Furthermore, we explore two applications for dataflow analysis: we show that the raw output of DANA often already allows identifying crucial components and high-level architecture features, and we also demonstrate its applicability for detecting simple hardware Trojans. Hence, DANA can be applied universally as the first step when investigating unknown netlists and provides major guidance for human analysts by structuring and condensing the otherwise incomprehensible sea of gates.
Our implementation of DANA and all synthesized netlists are available as open source on GitHub.

Metadata
Available format(s)
PDF
Category
Applications
Publication info
Preprint. MINOR revision.
Keywords
Hardware Reverse Engineering, Gate Level Netlists, Dataflow Analysis
Contact author(s)
max hoffmann @ rub de
nils albartus @ rub de
History
2021-05-21: last of 2 revisions
2020-06-21: received
Short URL
https://ia.cr/2020/751
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2020/751,
      author = {Nils Albartus and Max Hoffmann and Sebastian Temme and Leonid Azriel and Christof Paar},
      title = {{DANA} - Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering},
      howpublished = {Cryptology {ePrint} Archive, Paper 2020/751},
      year = {2020},
      url = {https://eprint.iacr.org/2020/751}
}