
Next-Generation Hardware Security: Chapter 1 - Introduction


Chapter 1
Introduction
1.1 Fundamentals of Hardware Security
In our modern age of omnipresent and highly interconnected information technology,
cybersecurity becomes ever more challenged. For example, with the rise of
the Internet of Things (IoT), most such equipment is connected to the internet in
some way, often inscrutable to the regular customers. This fact opens up large
attack surfaces and can lead to severe ramifications (Fig. 1.1), as demonstrated
through a plethora of real-world attacks over many years. Within the realm of
cybersecurity, hardware security in particular is concerned about achieving security
and trust directly within the underlying electronics. For example, researchers have
cautioned against powerful attacks on the speculative execution of modern processors
[Koc+19a, Lip+18a] or profiled the side-channel leakage of cryptographic
hardware modules [Ler+18]. For another example, the so-called root of trust
(RoT) techniques for isolation and attestation of computation are found in many
commercial computers and other custom devices [Mae+18, Zha+19, Nab+20].


Next, we discuss the fundamental aspects of hardware security and review
selected prior art, which will be assumed as common knowledge throughout the
remaining chapters of this monograph. It should be understood that this chapter can
provide only an overview on this vast and fast-growing field, but we review the most
important aspects and seminal protection schemes here to equip the reader with the
necessary background to follow this monograph.

1.1.1 Data Security at Runtime
The confidentiality, integrity, and availability of data processing within electronics
are subject to various threat scenarios, like (1) unauthorized access or modification
of data and (2) attacks leveraging side-channels, fault-injection, physical read-out
or probing.

Fig. 1.1 Modern devices are deployed all around us and often connected to the internet but
typically lack built-in notions and measures for security. Thus, a plethora of risks arise for everyday
life. Adopted from [Gra16]


1.1.1.1 Unauthorized Access or Modification of Data
Conventional attacks seeking to steal or corrupt data are conducted mainly at the
software level and for interconnected systems. Cryptography represents a commonly
applied protection scheme here, but there are also many dedicated, hardware-centric
security features. For example, there are:
• Enclaves for trusted execution (TEEs), like the industrial ARM TrustZone and
Intel SGX or the academic MIT Sanctum (Fig. 1.2; see also [Mae+18] for more
background on each TEE)
• Wrappers for monitoring and cross-checking of untrusted third-party intellectual
property (IP) modules [Bas+17]
• Centralized IP infrastructures for secure system design [Wan+15b]
• Verification of computation [Wah+16]
• Secure task scheduling [Liu+14]
• Secure network-on-chip (NoC) architectures [Fio+08], etc.
However, if not designed and implemented carefully, such security features
become prone to hardware-centric attacks themselves, e.g., see [BCO04, Bay+16,
Qiu+19, OD19, CH17]; such attacks are discussed in more detail throughout this
section.
Fig. 1.2 Enclaves for trusted execution are prominent hardware-centric security features. Illustrated
are the high-level architectures of (a) Intel SGX, (b) MIT Sanctum, and (c) ARM TrustZone

Fig. 1.3 Wave dynamic differential logic (WDDL) serves to mitigate power side-channel attacks.
This is achieved by redundant, differential combinational logic paths that switch in opposite
directions for any operation, thereby obfuscating differences in power consumption for particular
transitions. Furthermore, pre-charge logic is used to reduce peak power consumption during
switching. Adopted from [Fuj+14]


1.1.1.2 Side-Channel and Fault-Injection Attacks
Side-channel attacks infer information from physical channels that are leaky due to
the sensitivity and vulnerability of the underlying electronics [ZF05]. For example,
it is well-known that the Advanced Encryption Standard (AES) is vulnerable
to power side-channel attacks when the hardware implementation is unprotected
[BCO04, OD19, SW12]. Another instance is the leakage of information related to
timing behavior or speculative execution in modern processors, through caches and
other buffers [OST05, Lip+18a, Sch+19].


Most countermeasures against side-channel attacks apply some kind of cloaking
or masking technique, which involves the diffusion of the information leaked
through side-channels. This is achieved by various means, ranging from system-level
solutions [GMK16], down to individual gates [Bel+18]. See also Fig. 1.3 for
an example. Nevertheless, the resilience of such countermeasures is still subject to
the physical implementation in its entirety. For example, Fujimoto et al. [Fuj+14]
have shown that even the promising WDDL scheme suffers from minute layout-level
asymmetries, allowing an attacker to eventually infer the secret key.

Fig. 1.4 Multi-stage attack on AES. First, a random but persistent fault is injected into the S-box,
to bias the subsequent encryption. In turn, the bias helps to infer the secret key while sampling over
a sufficiently large number of cipher-texts. Adopted from [Pan+19]


Fault-injection attacks induce faults to deduce sensitive information. Therefore,
fault injection can also support or advance other attacks; see Fig. 1.4 for an example.
Fault-injection attacks cover (1) direct, invasive fault injection, e.g., by laser light
[SHS16] or electromagnetic waves [CH17, Bay+16, Deh+12], as well as (2)
indirect fault injection, e.g., by repetitive writing to particular memory locations
[Vee+16] or by deliberate “misuse” of dynamic voltage and frequency scaling
(DVFS) features [Qiu+19].

Countermeasures include detection of faults at runtime [Nat+19] and hardening
against fault injection at design and manufacturing time [Kar+18b, LM06,
Dut+18]. Note that distinguishing between natural and malicious faults is nontrivial
[Kar+18a], which imposes practical challenges for recovery at runtime.


1.1.1.3 Physical Read-Out and Probing Attacks
An adversary with access to equipment used traditionally for failure analysis or
inspection, like electro-optical probing or focused ion beam milling tools [Pri+17a],
can mount quite powerful read-out attacks. Among others, these attacks include:

1. Probing of transistors and wires [Wan+17a, Hel+13], either through the metal
layers or the substrate backside
2. Monitoring the photon emission induced by CMOS transistor switching [Taj+17,
Kra+21]
3. Monitoring the electrical charges in memories [CSW16]

When applied carefully, these attacks can reveal all internal signals. For instance,
Fig. 1.5 shows the concept and an example of an electro-optical probing technique,
allowing to infer data/bits of individual devices at runtime.
Countermeasures seek to prevent and/or detect the physical access. Prior
solutions have sought to place shielding structures in the back-end-of-line
(BEOL) [Wan+19, Lee+19, YPK16], deflection or scrambling structures in the
substrate [She+18] (see also Fig. 1.6), and detector circuitry [Wei+18]. Earlier
studies such as [ISW03] also considered formally secure techniques. However, such
schemes are subject to limitations assumed for the attackers, which can become
obsolete and would then render the formal guarantees void.
Fig. 1.5 Concept (a) and example (b) for laser voltage probing, which serves to read-out data/bits
in devices at runtime. In the example (b), an array of registers is in view, with those remaining
dark storing “0” and those lighting up storing “1.” Subfigure (a) is adopted from [Loh+16] and (b)
adopted from a related microscopy image provided as courtesy by Shahin Tajik

Fig. 1.6 Concept of pyramid structures in silicon substrate, e.g., achieved using dedicated etching
steps. As a result, reflections from incident laser light are scattered and intermingled, making a
distinct read-out of data more difficult. Adopted from [She+18]

1.1.2 Securing the Integrity and Confidentiality of Hardware
Besides the severe threats on data security at runtime, as outlined above, other
threats such as reverse engineering (RE), piracy of chip-design intellectual property
(IP), illegal overproduction, counterfeiting, or insertion of hardware Trojans
represent further challenges for hardware security. These threats arise due to the
globalized and distributed nature of modern supply chains for electronics, which
span across many entities and countries. See also Fig. 1.7 for an overview of related
threats.
A multitude of protection schemes have been proposed, which can be broadly
classified into IP protection, Trojan defense, and physically unclonable functions
(PUFs). IP protection can be further broadly classified into logic locking, camouflaging,
and split manufacturing. All these schemes seek to protect the hardware
from different attack scenarios, which include untrusted foundries, untrusted testing
facilities, untrusted end-users, or a combination thereof. For example, selected
techniques for IP protection are illustrated in Table 1.1 along with the related
untrusted entities.


Fig. 1.7 An overview on design-, hardware-, and logistics-centric attacks throughout the (largely
outsourced) supply chain of modern electronics. Adopted from [Ber16]

Table 1.1 IP protection techniques versus untrusted entities (✓: Protection offered, ✗: No
protection offered)

Technique            | FEOL/BEOL foundry                            | Test facility        | End-user
Logic locking        | ✓/✓                                          | ✗ (✓, see [Yas+16a]) | ✓
Layout camouflaging  | ✗/✗ (✓/✗ [Pat+17, Pat+20a], ✓/✓ [Ran+20a])   | ✗ (✓ [Ran+20a])      | ✓
Split manufacturing  | ✓/✗ (✓/✓ [Wan+17c])                          | ✓                    | ✗ (✓ [Pat+19a])

1.1.2.1 Logic Locking
Logic locking protects the design IP by inserting dedicated key-gates, which are
operated by a secret key [YRS20]. Without the knowledge of the secret key,
logic locking ensures that the details of the design IP cannot be fully recovered
and the IC remains non-functional. The key-gates are commonly realized
using, e.g., XOR/XNOR gates [RKM10], AND/OR gates [Dup+14], or look-up
tables (LUTs) [BTZ10]. Only after manufacturing (preferably even after testing
[Yas+16a]) is the IC to be activated, by loading the secret key into a dedicated,
on-chip tamper-proof memory. The realization of such tamper-proof memories
remains a topic of active research and will be covered in more detail in Chap. 7.


Threat Model In general, a threat model describes the capabilities of the attacker
and the resources at their disposal. It also classifies entities as trusted or untrusted.
The threat model for logic locking can be summarized as follows:
• The design house, designers, and the electronic design automation (EDA) tools
the designers work with are considered trusted, whereas the foundry, the test
facility, and the end-user(s) are all considered untrusted.
• The attackers possess knowledge regarding the logic locking technique that has
been applied to protect the design IP.
• The attackers have access to the locked netlist (e.g., by RE). Hence, they can
identify the key inputs and the related logic but are oblivious to the secret key.
• The secret key cannot be tampered with, as it is programmed in a tamper-proof
memory.
• The attackers are in possession of a functional chip bought from the open market.
This chip can act as an “oracle” for evaluating input/output patterns.
Without knowledge of the secret key, logic locking ensures that: (1) the details
of the original design cannot be fully recovered; (2) the IC is non-functional, i.e., it
produces incorrect outputs.


Logic Locking Techniques and Attacks Early research proposed random logic
locking (RLL) [RKM10], fault-analysis-based locking (FLL) [Raj+15], and strong
interference-based locking (SLL) [Raj+12], all to protect against brute force
attacks. These techniques identify suitable, selected locations for inserting the keygates.
However, multiple attacks have undermined the security guarantees of these
aforementioned techniques by formulating different attacks [Raj+12, PM15, LO19].


In 2015, Subramanyan et al. [SRM15] challenged the security promises of all
then-known logic locking techniques. This attack leveraged Boolean satisfiability
(SAT) to compute the so-called discriminating input patterns (DIPs). A DIP
generates different outputs for the same input across two (or more) different keys,
indicating that at least one of the keys is incorrect. The attack stepwise evaluates
different DIPs until all incorrect keys have been pruned. The attack experiences
its worst case scenario when it can eliminate only one incorrect key per DIP;
here, 2^k − 1 DIPs are required to resolve k key bits. In general, the SAT attack
resilience of any locking technique can be represented by the number of DIPs
required to decipher the correct key and the average time taken for each SAT attack
iteration [XS16].

Fig. 1.8 Selected SAT-resilient locking techniques: (a) SARLock, (b) Anti-SAT, (c) TTLock/SFLL-HD,
and (d) SFLL-flex. Adopted from [YS17]


Initial research in SAT-resilient logic locking techniques aimed to increase the
complexity of the SAT-based attack by ensuring that the attack pruned out exactly
one incorrect key per iteration. To that end, in 2016, SARLock [Yas+16b] and
Anti-SAT [XS16] were put forward as defense techniques against the SAT-based
attack [SRM15]. SARLock (Fig. 1.8a) employs a controlled corruption of the output,
across all incorrect keys, for exactly one input pattern. SARLock can also be
integrated with other high-corruptibility techniques (e.g., FLL or SLL) to provide a
two-layer defense. In Anti-SAT [XS16], two complementary logic blocks, embedded
with the key-gates, converge at an AND gate (Fig. 1.8b). The output of this AND
gate is always “0” for the correct key; for the incorrect key, it may be “1” or “0,”
depending on the inputs. This AND gate then feeds an additional XOR gate that is
interposed into the original design, thereby possibly inducing incorrect outputs for
incorrect keys. Both techniques utilize the concept of point functions and enforce
low output corruptibility to obtain resilience against the SAT-based attack.
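The DIP-pruning loop of [SRM15] described above, and the point-function idea behind SARLock, as an added worked example that is not from the book: a toy 4-input design is locked once with three XOR key-gates (high corruptibility) and once SARLock-style (exactly one corrupted pattern per incorrect key), and the same attack loop is run against both, with exhaustive enumeration standing in for the SAT solver, which is feasible at this size. The function `original`, both locked circuits, and the keys `RLL_KEY` / `SAR_KEY` are constructed for this example and are assumptions, not values from the text.

```python
"""Toy reproduction of the DIP-pruning loop of the SAT-based attack [SRM15],
run against (a) an XOR key-gate lock and (b) a SARLock-style point-function lock.
Exhaustive search replaces the SAT solver; all circuits are constructed here."""
from itertools import product
from typing import Callable, List, Tuple

Bits = Tuple[int, ...]
Locked = Callable[[Bits, Bits], int]   # (primary inputs, key) -> output bit


def patterns(n: int) -> List[Bits]:
    """All 2^n n-bit patterns, in lexicographic order (deterministic DIP choice)."""
    return [tuple(b) for b in product((0, 1), repeat=n)]


def original(x: Bits) -> int:
    """The unlocked design IP: a constructed 4-input, 1-output function.
    It also plays the role of the functional chip, i.e. the attacker's oracle."""
    return ((x[0] & x[1]) | x[2]) & x[3]


RLL_KEY = (1, 0, 1)       # secret key of the XOR key-gate lock (assumption)
SAR_KEY = (1, 0, 1, 1)    # secret key of the SARLock-style lock (assumption)


def locked_rll(x: Bits, k: Bits) -> int:
    """Three XOR key-gates on internal nets: the correct key cancels every XOR,
    any other key inverts some net and corrupts many input patterns."""
    d = tuple(ki ^ si for ki, si in zip(k, RLL_KEY))   # 1 = this key-gate inverts
    a = (x[0] & x[1]) ^ d[0]
    b = (a | x[2]) ^ d[1]
    return (b & x[3]) ^ d[2]


def locked_sar(x: Bits, k: Bits) -> int:
    """SARLock-style point function: an incorrect key corrupts the output for
    exactly one input pattern (the pattern equal to the key); the correct key never does."""
    flip = int(x == k and k != SAR_KEY)
    return original(x) ^ flip


def sat_attack(locked: Locked, n_in: int, n_key: int) -> Tuple[Bits, int]:
    """DIP-pruning loop: a DIP is an input on which two not-yet-eliminated keys
    disagree; one oracle query per DIP then removes every key that disagrees with
    the oracle. Returns (surviving key, number of DIPs needed)."""
    remaining = patterns(n_key)
    dips = 0
    while True:
        dip = next((x for x in patterns(n_in)
                    if len({locked(x, k) for k in remaining}) > 1), None)
        if dip is None:                 # all remaining keys agree everywhere: done
            break
        dips += 1
        expected = original(dip)        # the oracle query
        remaining = [k for k in remaining if locked(dip, k) == expected]
    return remaining[0], dips


def is_correct_key(locked: Locked, key: Bits, n_in: int) -> bool:
    """Functional check: the key must restore the original function on every input."""
    return all(locked(x, key) == original(x) for x in patterns(n_in))


if __name__ == "__main__":
    for name, fn, n_key in (("XOR key-gates", locked_rll, 3),
                             ("SARLock-style", locked_sar, 4)):
        key, n = sat_attack(fn, 4, n_key)
        print(f"{name}: key {key} recovered after {n} DIPs "
              f"(worst case 2^k-1 = {2 ** n_key - 1}), "
              f"functionally correct: {is_correct_key(fn, key, 4)}")
```

The XOR lock falls after 3 DIPs, whereas the SARLock-style lock needs 2^4 − 1 = 15, one per incorrect key, which is exactly the worst case the text describes and the reason [XS16] measures resilience in DIPs.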


The two-layer defense of SARLock was approximately circumvented by AppSAT
[Sha+18a] and Double DIP [SZ17]. In both the attacks, the combination of
a low-corruption part (resilient to SAT attacks) and a high-corruption part (prone
to SAT attacks) is reduced to the low-corruption part (e.g., SARLock + SLL to
SARLock). The Double DIP [SZ17] can eliminate at least two incorrect keys
in each iteration, thereby increasing the attack efficiency. For Anti-SAT, the two
complementary blocks at its heart exhibit significant signal skews, rendering them
distinguishable from other logic, which is exploited by Yasin et al. in the signal
probability skew (SPS) attack [Yas+16c]. Moreover, both SARLock and Anti-SAT are vulnerable to the bypass attack [Xu+17]. This attack picks some key randomly
and determines the inputs that provide incorrect outputs for this chosen key. Then,
additional logic is constructed around the Anti-SAT/SARLock blocks to recover the
overall circuit from these incorrect outputs.


In TTLock, the original logic is modified for exactly one input pattern [Yas+17a].
The output for this protected pattern is restored using a comparator block, as
illustrated in Fig. 1.8c. Even if an attacker succeeds to remove the comparator
block, she/he obtains a design different from the original one (albeit for only one
input pattern). On the heels of TTLock, Yasin et al. [Yas+17b] proposed stripped
functionality logic locking (SFLL). SFLL is resilient against most current attacks,
and it enables one to trade-off between resilience against SAT attacks and removal
attacks [Yas+17b]. It is based on the notion of “strip and restore,” where some part
of the original design is removed and the intended functionality is concealed.


SFLL has three variants, SFLL-HD [Yas+17b], SFLL-flex [Yas+17b], and SFLL-rem
[Sen+20], which we briefly discuss next. SFLL-HD is a generalized version of
TTLock that allows the designer to protect a larger number of selected input patterns.
It should be noted that SFLL-HD protects a restricted set of input cubes, which
are all underpinned by one secret key. SFLL-flex^(c×k), in contrast, allows to protect
any c selected input cubes, each with k specified bits. Here, the protected patterns
are typically represented using a small set of input cubes, which are then stored
in an on-chip LUT (Fig. 1.8d). In SFLL-fault, fault-injection-based heuristics are
leveraged to identify and protect multiple patterns and to reduce area cost at the
same time. Both SFLL-HD and SFLL-flex^(c×k) utilize AND-trees that leave structural
hints for an opportune attacker. Related attacks have been demonstrated by Sirone et
al. [SS19] and Yang et al. [YTS19], tackling these locking schemes without access
to an oracle. Recently, graph neural network-based unlocking techniques [Alr+20]
have been proposed to facilitate this notion of oracle-less recovery attacks as well.
The sparse prime implicant (SPI) attack [HYR21] was shown to break the security
guarantees of SFLL-rem [Sen+20].


Further Defenses and Attacks Related to Logic Locking Shamsi et
al. [Sha+18b] presented a layout-centric logic locking scheme, based on routing
cross-bars comprising obfuscated and configurable vias. The notion of cyclic
locking has been proposed in [Sha+17b] and extended in [RMS18]. The idea
is to create supposedly unresolvable locking instances by introducing feedback
cycles. However, tailored SAT formulations have challenged such locking
schemes [ZJK17, She+19].


Recent works have proposed parametric locking [Yas+17a, XS17, Zam+18,
CXS18]; the essence is to lock design parameters and profiles. For example,
in [XS17], the key not only protects the functionality of the design but also
its timing profile. A functionally correct but timing-incorrect key will result in
timing violations, thereby leading to circuit malfunctions. A timing-based SAT
attack, presented in [CLS18], circumvented the timing locking approach in [XS17].
Therefore, further research into parametric locking is required. The notion of mixed-signal
locking has been advocated recently as well, e.g., in [Jay+18, Leo+19].


Finally, further attack/defense schemes on regular locking techniques have been
proposed that focus on inferring/obfuscating the structural modifications induced
by locking, without requiring an oracle, e.g., [CCB18, Alr+21].

最后,關(guān)于常規(guī)鎖定技術(shù)的進(jìn)一步攻防方案已被提出,其重點(diǎn)是干擾/混淆由鎖定引起的結(jié)構(gòu)性修改,且
不依賴先驗(yàn)知識(shí),例如[CCB18, Alr+21]。

1.1.2.2 Layout Camouflaging
Layout camouflaging serves to mitigate RE attacks conducted by malicious end-users.
Broadly speaking, layout camouflaging alters the layout-level appearance of
an IC in order to protect the design IP. As illustrated in Fig. 1.9, layout camouflaging
can be achieved by dedicated front-end-of-line (FEOL) processing steps, like
manipulation of dopant regions, gate structures, and/or gate contacts [Raj+13a,
Erb+16, Li+16], but also by obfuscation of the back-end-of-line (BEOL) interconnects
[Pat+17, Pat+20a]. Layout camouflaging has been made available for
commercial application, e.g., see the SypherMedia Library [Ram19]. Note that
obfuscation is also known in the context of design-time protection, e.g., by
obfuscating finite state machines [LP15]—such techniques are orthogonal to layout
camouflaging.


Threat Model The threat model for layout camouflaging is summarized as follows:
• The design house and foundry are trusted, the test facility is either trusted or
untrusted, and the end-user is untrusted.
• The adversary holds one or multiple functional chip copies and is armed with
sophisticated equipment and know-how to conduct RE. The resilience of any
camouflaging scheme ultimately depends on the latter.
• The adversary is aware of the camouflaging scheme, and she/he can identify
the camouflaged gates, infer all the possible functions implemented by the
camouflaged cell, but cannot readily infer the actual functionality.


Layout Camouflaging Techniques and Attacks Similar to logic locking, early
studies focused on the selection of gates to camouflage (and the design of camouflaged
cells). In their seminal work, Rajendran et al. [Raj+13a] proposed
a camouflaged NAND-NOR-XOR cell. The authors also proposed clique-based selection for camouflaging, based on their own finding that a random selection of gates to camouflage can be resolved by sensitization-based attacks [Raj+13a].
Fig. 1.9 Device-level concepts for layout camouflaging


Massad et al. [MGT15] and Yu et al. [Yu+17] independently formulated
SAT-based attacks (with oracle access), which challenged the security guarantees
of [Raj+13a]. These attacks could readily circumvent small-scale camouflaging
for various benchmarks with up to 256 gates being camouflaged. A parallel
SAT-based attack providing an average speedup of 3.6× over prior attacks was
presented by Wang et al. [Wan+18a]. Keshavarz et al. [Kes+18] proposed a SAT-based
formulation augmented by probing and fault-injection capabilities, where the
authors were able to RE an S-Box. Still, it remains to be seen whether the attack can
tackle larger designs.


In [YSR17], Yasin et al. demonstrated how an untrusted test facility can
circumvent the security promise of camouflaging, even without access to an oracle.
The authors deciphered the layout camouflaging technique presented in [Raj+13a]
successfully by analyzing the test patterns provided by the design house to the
untrusted test facility. To the best of our knowledge, none of the layout camouflaging
techniques proposed thus far have been able to mitigate this kind of attack, except for
the dynamic camouflaging technique presented in [Ran+20a], which is discussed in
more detail in Chap. 3.


Many existing layout camouflaging techniques, e.g., [Raj+13a, Nir+16,
CMG16, Wan+16a], exhibit a significant cost with respect to power, performance,
and area (PPA). For example in [Raj+13a], camouflaging 50% of the design results
in ≈150% overheads for power and area, respectively. See Fig. 1.10 for an analytical
experiment on layout costs for camouflaging versus split manufacturing (introduced
in the next subsection). A more comprehensive investigation of PPA cost for various
layout camouflaging techniques is provided in [Pat+17, Pat+20a].


Fig. 1.10 Study on PPA cost (%) for layout camouflaging [Raj+13a] (left) and lifting of wires
(randomly selected) to M8 (metal layer 8) for split manufacturing (right). Results are averaged
across ITC-99 benchmarks. For layout camouflaging (left), the impact on power and area is
substantial, given that the NAND–NOR–XOR structure proposed in [Raj+13a] incurs 4× and
5.5× more area and power compared to a regular 2-input NAND gate. For split manufacturing
(right), the cost for area is severe; that is because routing resources are relatively scarce for
M8 (pitch = 0.84μm) and lifting of wires occupies further routing resources, which can only be
obtained by enlarging the die outlines


Most layout camouflaging techniques also require modifications in the front-end-of-line (FEOL) manufacturing process, which can incur financial cost on top
of PPA overheads. Therefore, in such scenarios, layout camouflaging is applied
selectively, to limit PPA cost and the impact on FEOL processing. However, the
selective application of layout camouflaging techniques compromises the security
guarantees, especially in the light of oracle-guided SAT attacks such as [MGT15,
Yu+17, Wan+18a].


The notion of provably secure layout camouflaging was put forward
in [Yas+16d, Li+16]. CamoPerturb [Yas+16d] seeks to minimally perturb the
functionality of the design by either removing or adding one minterm (i.e., the
product term of all variables). A separate block, called CamoFix, is then added to
restore the minterm; CamoFix is built up using camouflaged INV/BUF cells. This
concept is inherently similar to the idea of TTLock, which was discussed previously.
Inspired by logic locking, Li et al. [Li+16] employ AND-trees as well as OR-trees
for layout camouflaging. Depending on the desired security level, tree structures
inherently present in the design are leveraged, or additional trees are inserted. Then,
the inputs of the trees are camouflaged using dopant-obfuscated cells.


Both techniques [Yas+16d, Li+16] have been shown to exhibit vulnerabilities:
[Li+16] was circumvented by sensitization-guided SAT attack (SGS) [Yas+17c],
while Jiang et al. [Jia+18] circumvented CamoPerturb using sensitization and
implication principles leveraged from automated test pattern generation (ATPG).
In general, these techniques are also vulnerable to approximate attacks outlined
in [Sha+17a, Sha+18a]. A follow-up work to [Li+16] is presented in [Li+17],
where the authors discuss how structural attacks like SPS [Yas+16c] can be
rendered ineffective when the trees are obfuscated both structurally and functionally.
However, such structural and functional obfuscations are also vulnerable to
sophisticated attacks.


Further Defenses and Attacks Related to Layout Camouflaging Besides the
various analytical attacks, RE may also compromise layout camouflaging techniques
directly. For example, ambiguous gates [Raj+13a, Coc+14] or secretly
configured MUXes [Wan+16a] rely on dummy contacts and/or dummy channels,
which will induce different charge accumulations at runtime. Courbon et
al. [CSW16] leveraged scanning electron microscopy in the passive voltage contrast
mode (SEM PVC) for measurement of charge accumulations, where they succeeded
in reading out a secured memory. Furthermore, monitoring the photon emission at
runtime can presumably also help uncover layout camouflaging [Loh+16].


Threshold voltage-based layout camouflaging (TVC) has gained traction over
the past few years. The essence of TVC is a selective manipulation of dopants
at the transistor level that creates logic cells that are identical structurally but
depict different functionalities. Nirmala et al. [Nir+16] proposed TVC cells that
can operate as NAND, NOR, OR, AND, XOR, or XNOR. Erbagci et al. [Erb+16]
proposed TVC cells operating as XOR or XNOR, based on the selective use of high- and
low-threshold transistors. Collantes et al. [CMG16] adopted domino logic to implement their TVCs. Recently, Iyengar et al. [Iye+18] demonstrated two flavors of TVC in STMicroelectronics 65 nm technology. In principle, TVC techniques
offer better resilience than other layout camouflaging techniques, as regular etching
and optical imaging techniques are ineffective with respect to TVC. Still, TVC may
be revealed eventually, e.g., by leveraging SEM PVC [Sug+15].


Another interesting avenue is the camouflaging of the back-end-of-line (BEOL),
i.e., the interconnects [Che+15, Pat+17, Pat+20a, Jan+18]. Chen et al. [Che+15,
CCW18] explored the use of real vias (magnesium, Mg) along with dummy vias
(magnesium oxide, MgO) to achieve the same. They have shown that Mg can
oxidize quickly into MgO, thereby hindering an identification by an RE attacker.
Recently, Patnaik et al. [Pat+17, Pat+20a] extended the concept of BEOL camouflaging
in conjunction with split manufacturing, to protect against an untrusted
FEOL foundry. Patnaik et al. developed customized cells and design stages for
BEOL camouflaging, where they successfully demonstrated full-chip camouflaging
at lower PPA cost than prior works. Their study also explored how large-scale
(BEOL) camouflaging can thwart SAT-based attacks, by inducing overly large and
complex SAT instances, which overwhelm the SAT solvers.


Most techniques discussed so far cannot be configured post-fabrication, i.e., they
implement static camouflaging. In contrast, Akkaya et al. [AEM18] demonstrated
a reconfigurable camouflaging scheme that leverages hot-carrier injection. Notably,
the authors fabricated a prototype in 65 nm technology; however, they report significant
PPA cost (e.g., in comparison to regular NAND gates, they report 9.2×, 6.6×,
and 7.3× for power, performance, and area, respectively). Zhang et al. [Zha+18a]
introduced the concept of timing-based camouflaging, based on wave-pipelining and
false paths. However, this technique was circumvented in [Li+18b].


1.1.2.3 Split Manufacturing
Split manufacturing seeks to protect the design IP from untrustworthy
foundries [RSK13, Sen+17, Pat+18e, Pat+18f, McC16, Pat+21]. As indicated
by the term, the idea is to split the manufacturing flow, most commonly into an
untrusted FEOL process and a subsequent, trusted BEOL process (Fig. 1.11).
Such splitting into FEOL and BEOL is practical for multiple reasons:
• Outsourcing the FEOL is desired, as it requires some high-end and costly facilities.
• BEOL fabrication on top of the FEOL is significantly less complex than FEOL fabrication itself.
• Some in-house or trusted third-party facility can be engaged for BEOL fabrication.
• The sole difference for the supply chain is the preparation and shipping of FEOL wafers to that facility for BEOL fabrication.


In fact, split manufacturing has been demonstrated successfully; [Vai+14a]
describes promising results for a 130 nm process split between IBM and GlobalFoundries, and [McC16] reports on a 28 nm split process run by Samsung across Austin and South Korea.
Fig. 1.11 Classical split manufacturing, i.e., the separation into front-end-of-line (FEOL) and
back-end-of-line (BEOL) parts


Regarding the security notion of split manufacturing, a split layout appears to an
adversary in the FEOL facility as a “sea of incomplete gates and wires,” making it
challenging to infer the entire netlist, its design IP, and ultimately the functionality.
Still, given that regular, security-agnostic design tools work holistically on both the
FEOL and BEOL, hints on the missing wiring can remain in the FEOL [Wan+16b,
Li+19], which can be exploited by attackers, to decipher the missing connections.


Threat Model The basic, most common threat model for split manufacturing is
summarized as follows:
• The design house and end-user are trusted, while the FEOL foundry is deemed untrustworthy. Split manufacturing necessitates a trusted BEOL foundry, with assembly and testing facilities typically also considered as trustworthy. The end-user is also considered trustworthy (e.g., defense establishments).
• With the design house and end-user being trusted, the adversary cannot obtain a chip copy from those entities. Besides, the chip has typically not been manufactured before; the chip is then unavailable altogether for RE attacks.
• The primary goal of the adversary is to infer the missing BEOL connections from the incomplete FEOL layout. Once the attacker deciphers all the missing connections correctly, he/she can pirate and/or illegally overproduce the design IP. To that end, she/he (1) is aware of the underlying protection technique, if any, and (2) has access to the EDA tools, libraries, and other supporting information.


An “inverted threat model” was explored in [Wan+17c], where the BEOL
facility is untrustworthy and the FEOL fab is trustworthy. Since the FEOL is the more costly and complex part to fabricate, a party that can run a trusted FEOL fab has little reason to outsource only the BEOL, so the practical relevance of this model remains questionable.


Another variation of the threat model was explored recently by Chen and
Vemuri [CV18b]. The authors assume that a working chip is available, which is
then used as an oracle for a SAT-based formulation to recover the missing BEOL
connections. While it is not explicitly stated in [CV18b], we presume that the
authors seek to recover the gate-level details of some design whose functionality
is otherwise already available/known. For an attacker, doing so can be relevant, e.g.,
for inserting hardware Trojans during re-implementation of some existing design,
or to obtain the IP without RE of the available chip copy.


Imeson et al. [Ime+13a] further proposed a strong model in the context of
hardware Trojans. Here, the attacker already holds the design netlist and is interested
in inserting Trojans in appropriate locations. This work [Ime+13a], also known as
k-security, has been further extended in [Li+18a].


Split Manufacturing Techniques and Attacks The first attack on split manufacturing
was proposed by Rajendran et al. [RSK13]. The notion of this so-called
proximity attack is as follows. Although the layout is split into FEOL and BEOL, it is
still designed holistically (when using regular EDA tools). Rajendran et al. [RSK13]
infer the missing connections in the BEOL from the proximity of cells, which
is readily observable in the FEOL. While this attack shows a good accuracy for
small designs, the same is not true for larger designs. Wang et al. [Wan+16b]
extended this attack, by taking into account a multitude of FEOL-level hints:
(1) physical proximity of gates, (2) avoidance of combinatorial loops (which are
rare in practice for combinational designs), (3) timing and load constraints, and
(4) directionality of “dangling wires” (i.e., the wires remaining unconnected in the
top-most FEOL layer). Magaña et al. [MSD16] proposed various routing-based
attack techniques and conclude that such attacks are more effective than solely
placement-centric attacks. Recently, Zhang et al. [ZMD18] and Li et al. [Li+19]
leveraged machine learning techniques for deciphering missing connections. However,
neither attack [MSD16, ZMD18, Li+19] recovers the actual netlist; rather,
they provide the most probable BEOL connections.
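
The following added Python example (not code from [RSK13] or [Wan+16b]) runs a proximity attack over a constructed five-gate FEOL view. Each dangling pin at the split layer has coordinates and a direction (driver or sink); the plain attack connects every sink to its nearest driver, and the hinted variant additionally rejects drivers that would exceed a fanout bound or close a combinational loop, the kind of FEOL-level hints Wang et al. exploit. The coordinates, the fanout limit, the processing order and the hidden BEOL ground truth (used only for scoring) are assumptions; one sink is placed so that its true driver is far away, standing in for a routing-centric defence that detours the wire.

```python
import math

# Constructed FEOL view of a tiny split layout (not a benchmark from the chapter).
# Dangling pins at the split layer: name -> (gate, kind, x, y); 'out' pins drive, 'in' pins are driven.
PINS = {
    "d1": ("g1", "out", 0.0, 0.0),
    "d2": ("g2", "out", 10.0, 0.0),
    "d3": ("g3", "out", 5.0, 6.0),
    "s_a": ("g3", "in", 1.0, 1.0),
    "s_b": ("g4", "in", 9.0, 1.0),
    "s_c": ("g5", "in", 5.0, 5.0),
    "s_d": ("g1", "in", 6.0, 7.0),  # nearest driver d3 would close the loop g1 -> g3 -> g1; true driver is d2
    "s_e": ("g4", "in", 2.0, 8.0),  # true driver d1 was detoured (routing-centric defence), so d3 looks closer
}
# Connections completed inside the FEOL (lower metal layers), visible to the attacker: driver gate -> sink gate.
FEOL_EDGES = {("g1", "g3")}
# Ground truth hidden in the BEOL; used only to score the attack.
TRUE_BEOL = {"s_a": "d1", "s_b": "d2", "s_c": "d3", "s_d": "d2", "s_e": "d1"}
SINK_ORDER = ("s_a", "s_b", "s_c", "s_d", "s_e")


def distance(p, q):
    return math.hypot(PINS[p][2] - PINS[q][2], PINS[p][3] - PINS[q][3])


def reachable(edges, src, dst):
    """True if dst is reachable from src over the directed gate edges (src == dst counts as reachable)."""
    stack, seen = [src], set()
    while stack:
        gate = stack.pop()
        if gate == dst:
            return True
        if gate not in seen:
            seen.add(gate)
            stack.extend(b for a, b in edges if a == gate)
    return False


def proximity_attack(use_hints, max_fanout=2):
    """Connect each dangling input pin to the nearest driver. With use_hints, also reject drivers that would
    exceed a plausible fanout or create a combinational loop, as the network-flow attack of Wang et al. does."""
    drivers = [p for p, (_, kind, _, _) in PINS.items() if kind == "out"]
    edges = set(FEOL_EDGES)          # known FEOL connectivity plus the connections guessed so far
    fanout = {d: 0 for d in drivers}
    guess = {}
    for sink in SINK_ORDER:
        sink_gate = PINS[sink][0]
        for drv in sorted(drivers, key=lambda d: distance(sink, d)):
            drv_gate = PINS[drv][0]
            if drv_gate == sink_gate:
                continue  # a cell never drives its own input pin directly
            if use_hints and (fanout[drv] >= max_fanout or reachable(edges, sink_gate, drv_gate)):
                continue  # would exceed the load limit or close a combinational loop
            guess[sink] = drv
            fanout[drv] += 1
            edges.add((drv_gate, sink_gate))
            break
    return guess


def correct_connection_rate(guess):
    """CCR: fraction of BEOL connections recovered correctly, the metric the attacks in the text report."""
    return sum(guess.get(s) == d for s, d in TRUE_BEOL.items()) / len(TRUE_BEOL)


if __name__ == "__main__":
    for hints in (False, True):
        g = proximity_attack(use_hints=hints)
        print(f"hints={hints}: {g} CCR={correct_connection_rate(g):.2f}")
```

On this layout the plain nearest-driver guess recovers 3 of 5 connections and the hinted attack 4 of 5; the remaining miss is the detoured net, the only one whose proximity hint has actually been removed. At this scale the attack is trivial; the text's point is that for larger designs scoring each driver-sink pair in isolation is no longer enough, hence the network-flow and machine-learning formulations.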


On the defense side, various techniques have been proposed to safeguard FEOL
layouts against proximity attacks, e.g., [RSK13, Vai+14b, Wan+16b, Sen+17,
Wan+17d, MSD16, Fen+17, Pat+18e, Pat+18f, CV18a, Li+20, Pat+21]. They
can be categorized into (1) placement-centric, (2) routing-centric, and (3) both
placement- and routing-centric defenses.


Wang et al. [Wan+16b] and Sengupta et al. [Sen+17] propose placement
perturbation. Layout randomization is the most secure technique, especially when
splitting after the first metal layer, as shown by Sengupta et al. [Sen+17]. However,
this technique has limited scalability and demonstrates significant layout cost for
larger designs. In general, placement-centric works caution that splitting after
higher metal layers—which helps to limit financial cost and practical hurdles for
split manufacturing [XFT15, Pat+18e, Pat+18f, Pat+21]—can undermine their resilience. That is because any placement perturbation is eventually offset by routing
at higher layers.


Routing-centric techniques such as those in [RSK13, Wan+17d, MSD16,
Fen+17, Pat+18e, Li+20, Pat+21] resolve proximity and other hints at the FEOL
routing. Rajendran et al. [RSK13] proposed to swap pins of IP modules and to
re-route those nets, thereby obfuscating the design hierarchy. As these swaps cover
only part of the interconnects, this technique cannot protect against gate-level IP
piracy. In fact, 87% of the connections could be correctly recovered on the ISCAS-
85 benchmarks [RSK13]. In general, routing-centric techniques are subject to the
available routing resources and PPA budgets, which can ease proximity attacks.
For example, [Wan+17d, Fen+17] consider short routing detours, and [MSD16]
consider few routing blockages to limit impact on design timing.


Patnaik et al. [Pat+18e, Pat+21] proposed various heuristics as well as custom
cells for lifting wires to the BEOL in a concerted manner. The authors demonstrated
a superior resilience against the state-of-the-art network-flow attack [Wan+16b] and
deep learning attacks [Li+19] when compared to the prior placement- and routing-centric
techniques. Later on, Patnaik et al. [Pat+18f] proposed randomization at
the netlist level, which is carried through the EDA flow, thereby resulting in an
erroneous and misleading FEOL layout. The original design is only restored at
the BEOL, using customized routing cells. This work is one of the first to address
holistic protection of both placement and routing, which also demonstrated superior
protection against the state-of-the-art proximity attacks.


Further Defenses and Attacks Related to Split Manufacturing Inspired by
logic locking, Sengupta et al. [Sen+19] realize IP protection at manufacturing
time by locking the FEOL and subsequent unlocking of the BEOL. The authors
also formalize the problem of split manufacturing, borrowing concepts from logic
locking.


As mentioned before, Imeson et al. [Ime+13a] formulated the notion of k-security
to prevent targeted insertion of hardware Trojans. The idea is to create k
isomorphic structures in the FEOL by guided lifting of wires to the BEOL. Now,
an attacker cannot uniquely map these k structures to some specific target in the
already known design; she/he has to either randomly guess (with a probability of
1/k) or insert multiple Trojans. Li et al. [Li+18a] extended k-security in various
ways. Most notably, they leverage additional gates and wires to elevate the security
level beyond those achieved in [Ime+13a]. Recently, Xu et al. [Xu+19] questioned
the theoretical security of k-security by pattern matching attacks.


Vaidyanathan et al. [VDP14] advocate testing of the untrusted FEOL against
Trojan insertion, using BEOL stacks dedicated for testability. Xiao et al. [XFT15]
propose the notion of obfuscated built-in self-authentication (OBISA) to hinder IP
piracy and Trojan insertion.


While advanced attacks such as [ZMD18, Li+19, Li+20] are on the rise, split
manufacturing becomes inherently more resilient for larger, industrial designs.
In fact, none of the existing attacks have succeeded in completely recovering
all missing BEOL connections for larger designs yet. Still, the premise for split
manufacturing—to resolve hints from the FEOL—remains. Thus, schemes that
further reduce the dependency on EDA tools (and cost) are required. Although
[Sen+19] explore the formalism of split manufacturing, the notion of provably
secure split manufacturing remains an open problem.


Finally, “entering the next dimension of split manufacturing,” by leveraging
the up-and-coming techniques for 3D integration, has been initiated in [Val+13,
Ime+13a, Kne+17, Pat+18c, Gu+18b, Pat+19b]. Further research toward this end
seems promising as well.


1.1.2.4 Trojan Defense
The notion of Trojans is wide-ranging and requires multiple dimensions for classification
[BT18]—it relates to malicious hardware modifications that are (1) working
at the system level, register-transfer level (RTL), gate/transistor level, or the physical
level; (2) leveraging the digital and/or the physical domain; (3) seeking to leak
information from an IC, reduce the IC’s performance, or disrupt the working of
the IC altogether; (4) are always on, triggered internally, or triggered externally. For
example for (2), digital Trojans are activated by either a specific, rare input pattern
or via “time bombs” on certain operations (or input patterns) being executed for
a particular number of cycles. On the other hand, physical Trojans are activated
either by detrimental effects such as electromigration, negative bias temperature
instability, etc., or by internal or external side-channel triggers.


Trojans are likely introduced by untrustworthy third-party IP, adversarial designers,
or through “hacking” of computer-aided design (CAD) tools [Bas+19], or,
arguably even more likely, during distribution and deployment of ICs [Swi+17].
Although it has been projected traditionally as the main scenario, we argue that
the likelihood of Trojans being introduced at fabrication time is rather low. That
is because any such endeavor, once detected, would fatally disrupt the business
of the affected foundry. Therefore, foundries can be expected to employ technical
and organizational means available to them to hinder modifications by malicious
employees.


Defense techniques can be classified into (1) Trojan detection during design
and manufacturing time and (2) Trojan mitigation at runtime. The former relies on
testing and verification steps [Cha+09a, Aar+10, JM08, LJM12, Guo+19, Sug+15,
Vas+18, Cha+15], whereas the latter relies on dedicated security features for testability
and self-authentication [XFT14], current monitoring [GBF17], monitoring
and detection of malicious activities [KV11, Bhu+13, Bas+17, Wu+16, Wah+16],
etc. See also Fig. 1.12 for an example of the latter features. Note that the two classes
(Trojan detection during design and manufacturing time for one, Trojan mitigation
at runtime for another) may also intersect, for example with the use of built-in self-authentication
modules [Shi+17].


Besides, IP protection schemes like logic locking and split manufacturing can
hinder Trojan insertion at manufacturing time, at least to a certain degree. That is because
an adversary without the full understanding of the layout and its IP cannot
easily insert specific, targeted Trojans [Ime+13a, Pat+19b].
Fig. 1.12 Trojan mitigation at runtime, based on concurrent error detection (CED) and
input/output as well as error encoding modules. The latter are required for the overall system,
where multiple chips of the outlined architecture will be linked together for cross-verification.
Adopted from [Wu+16]


1.1.2.5 Physically Unclonable Functions
When some input stimulus is applied, a PUF should provide a fully de-correlated
output response. This response must be reproducible for the very same PUF, even
under varying environmental conditions, but it must differ across different PUF
instances, even for the same PUF design. The desired properties for PUFs are
uniqueness, unclonability, unpredictability, reproducibility, and tamper-resilience.


PUFs are used for (1) “fingerprinting” or authentication of hardware, using
the so-called “weak PUFs” that provide capabilities for processing only one/few
fixed inputs, or (2) challenge-response-based security schemes, using the so-called
“strong PUFs” that provide capabilities for processing a large number of inputs
[Her+14, MV10, CZZ17]. Note that “weak PUFs” are not necessarily inferior to
“strong” PUFs [Rüh+13a]. On the contrary, powerful machine learning attacks such
as [CZZ17, Rüh+13a, Liu+18, Gan17] do not apply for weak PUFs, only for strong
PUFs. The main difference between weak and strong PUFs is that, as indicated, the
former work on one or a few fixed inputs (challenges), whereas the latter
have to support a large range of challenges. See Fig. 1.13 for the outline of a default,
generic authentication scheme using a strong PUF.

Electronic PUFs represent the dominant class of PUFs, with prominent types
of electronic PUFs using ring oscillators, arbiters, bistable rings, and memories
[MV10, Her+14, Gan17, CZZ17]. Such PUFs are relatively simple to implement
and integrate, even for advanced processing nodes. The core principle for such
PUFs is to leverage the process variations inherent to CMOS fabrication and
operation, through various dedicated circuitry. However, the resulting randomness
is limited for most CMOS PUF implementations; it may be machine-learned and,
thus, cloned [CZZ17, Rüh+13a, Liu+18, Gan17].

Fig. 1.13 A default, generic authentication scheme using a strong PUF. The trusted entity A
collects a set L of challenge-response pairs (C, R) generated from the PUF P and stores L in
a database for interrogation in the field. P is then delivered to B so that the PUF can be used by
B for authentication with A. To do so, A randomly selects an unseen challenge ci , sends it to B,
who applies it to P to generate the response ri . This response is sent back, whereupon A checks
ri against the corresponding response ri in its database; in case these responses match (subject to
error tolerances as allowed for by the particular protocol), B is successfully authenticated using P.
Adopted from [CZZ17]
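The scheme of Fig. 1.13 as a runnable simulation, added here as an example and not code from the monograph or [CZZ17]: entity A enrols a CRP set L, sends each challenge at most once, and accepts B's response within a Hamming-distance tolerance. The PUF is a simplified additive-delay arbiter model with Gaussian evaluation noise standing in for environmental variation; stage count, response width, tolerance and seeds are assumptions chosen for illustration.

```python
import random

N_STAGES = 64  # challenge length in bits (assumed)
N_BITS = 64    # response width: one arbiter chain per response bit (assumed)


def _features(challenge):
    # Parity features of the additive-delay model: phi[i] = prod_{j>=i} (1 - 2*c_j)
    phi = [1] * (len(challenge) + 1)
    for i in range(len(challenge) - 1, -1, -1):
        phi[i] = phi[i + 1] * (1 - 2 * challenge[i])
    return phi


class SimulatedStrongPUF:
    """Simplified model of a strong PUF P (a simulation, not a real device)."""

    def __init__(self, fab_seed, noise_seed, noise_sigma=0.5):
        fab = random.Random(fab_seed)  # manufacturing variation: fixed per instance
        self.weights = [[fab.gauss(0.0, 1.0) for _ in range(N_STAGES + 1)]
                        for _ in range(N_BITS)]
        self.noise = random.Random(noise_seed)  # environmental noise: fresh per query
        self.noise_sigma = noise_sigma

    def respond(self, challenge):
        """Each response bit is the sign of one chain's noisy delay difference."""
        phi = _features(challenge)
        bits = []
        for w in self.weights:
            delay = sum(wi * pi for wi, pi in zip(w, phi))
            delay += self.noise.gauss(0.0, self.noise_sigma)
            bits.append(1 if delay > 0 else 0)
        return tuple(bits)


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


class Verifier:
    """Trusted entity A: enrols L = {(C, R)} and interrogates B in the field."""

    def __init__(self, tolerance_bits, rng_seed):
        self.tolerance = tolerance_bits
        self.rng = random.Random(rng_seed)
        self.unseen = {}       # challenge -> enrolled response, never yet sent
        self.outstanding = {}  # challenges sent to B and awaiting a response

    def enroll(self, puf, n_pairs):
        """Collect the CRP set L from P before P is delivered to B."""
        while len(self.unseen) < n_pairs:
            c = tuple(self.rng.randrange(2) for _ in range(N_STAGES))
            if c not in self.unseen:
                self.unseen[c] = puf.respond(c)

    def issue_challenge(self):
        """Randomly select an unseen challenge c_i; each is sent at most once."""
        if not self.unseen:
            raise RuntimeError("CRP database exhausted; re-enrolment needed")
        c = self.rng.choice(list(self.unseen))
        self.outstanding[c] = self.unseen.pop(c)
        return c

    def check(self, challenge, response):
        """Accept iff c_i is outstanding and r_i matches within the error tolerance."""
        expected = self.outstanding.pop(challenge, None)
        if expected is None:
            return False  # never issued, or a replay of an already-used challenge
        return hamming(expected, response) <= self.tolerance


def run_session(verifier, device_puf):
    """One round: A sends c_i to B, B applies it to P and returns r_i."""
    c = verifier.issue_challenge()
    return verifier.check(c, device_puf.respond(c))


def demo():
    """Same silicon with fresh noise passes; a different PUF instance fails."""
    a = Verifier(tolerance_bits=int(0.2 * N_BITS), rng_seed=7)
    a.enroll(SimulatedStrongPUF(fab_seed=1, noise_seed=100), n_pairs=50)
    fielded = SimulatedStrongPUF(fab_seed=1, noise_seed=200)
    other = SimulatedStrongPUF(fab_seed=2, noise_seed=300)
    return run_session(a, fielded), run_session(a, other)  # (True, False)
```

The tolerance absorbs the few noise-induced bit flips of the genuine device, while an unrelated instance disagrees on roughly half of the bits; a reused challenge is rejected because A only accepts responses to challenges it has outstanding.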


Optical PUFs represent another interesting class [Pap+02, Rüh+13b, T?07,
MV10, Gru+17, Kne+19]. In fact, the very first PUF proposal in the literature,
proposed by Pappu et al. [Pap+02] in 2002, devised an optical token from
transparent epoxy with randomly inserted, micrometer-sized glass spheres. Thus,
the idea of optical PUFs is to manufacture an “optical token” that, in addition
to structural variations inherently present in selected optical media, may contain
randomly included materials, e.g., nanoparticles. Besides such a token, optical
PUFs require further components, for generating the optical input and processing
the output. The fundamental phenomena underlying an optical PUF are scattering,
reflection, coupling, and absorption of light within the optical token. Depending
on the materials used for the token and the inclusions as well as the design
of the token itself, these phenomena can be highly chaotic and nonlinear by
nature [Kne+19, Gru+17]. Hence, optical PUFs are considered more powerful than
electronic PUFs.


1.2 Limitations of CMOS Technology for Hardware Security
Most of the hardware security primitives we have visited in the previous sections
have been predominantly CMOS-centric. However, emerging devices bring a new
facet to this equation, by offering unique properties that can reshape the way we
think about hardware security. This confluence of hardware security and emerging
devices has been gaining traction over the recent years owing to new physics and
materials research, which has resulted in the development of novel logic and memory
devices. In this section, we first discuss the limitations of CMOS technology for
hardware security, which have driven this push toward emerging technology-based
solutions, before delving into the specific characteristics of emerging technologies
that make them promising for upcoming security primitives:


  1. In general, emerging technologies seek to overcome the fundamental CMOS
    limitations regarding power consumption, among other aspects. Power overheads
    are a crucial consideration while securing any CMOS IP, with full-chip protection
    often requiring a large sacrifice in terms of constraining the power budget. This
    typically prohibits the percentage of the chip that we can feasibly secure. On
    the other hand, many emerging devices have been shown to exhibit ultra-low
    operating power, thus enabling the designer to secure a larger portion of the chip
    without exacerbating power consumption.


  2. Similarly, the scalability of CMOS-based security primitives has been a cause for
    concern, since they can often result in blowing up the chip area, thus increasing
    the fabrication costs. In contrast, emerging devices can not only possess a smaller
    device footprint, but in most cases also allow the designer to implement logic
    more efficiently, thus saving valuable die area.


  3. The existing CMOS framework has always been built with the primary intent of
    improving the performance and efficiency of modern electronics, with security
    being retrofitted as an afterthought. Emerging devices afford us the opportunity
    to embed security as a primary design metric in the supply chain and allow a
    security-focused device-circuit co-design process.


  4. Conventional CMOS logic styles and synthesis techniques are well documented
    and have been around for a long time. These do not offer much flexibility in terms
    of patching circuit- and system-level security vulnerabilities. However, emerging
    devices can potentially allow completely new logic design styles to counter those
    vulnerabilities, owing to their unique construction and operation. For instance,
    novel ferroelectric and spintronic logic devices with non-volatility can enable
    memory-in-logic, thus opening the doors to new non-von Neumann computing
    paradigms.


It must be noted that although these emerging technologies appear promising
and practical for the near future, they will likely be built to augment the existing
CMOS framework, not supplant or replace it. In this context hybrid CMOS-emerging
electronics such as the N3XT architecture [Aly+18], which combine carbon nanotubes
and spintronics within CMOS 3D ICs, might not be a distant reality.


1.3 Inherent Properties of Emerging Technologies to
Advance Hardware Security

As mentioned in Sect. 1.2, various emerging technologies offer the potential to
advance the notion of hardware security. Figure 1.14 outlines selected emerging
technologies, their properties relevant and beneficial for hardware security, the
security schemes that are supported accordingly, and the security threats countered
by such schemes.


The emerging devices included in Fig. 1.14 have some interesting properties in
common, which are more difficult to achieve in traditional CMOS technology. More
specifically, spintronic devices, memristors, carbon nanotube field effect transistors
(CNTFETs), and Silicon Nanowire field effect transistors (SiNWFETs) can all be
tailored to achieve significant variability/randomness, reconfigurability or polymorphic
behavior, resilience against reverse engineering, heterogeneous integration,
and also the possibility of separating trusted and untrusted parts. Therefore, these
devices can serve well for PUFs, TRNGs, IP protection schemes, and to mask side-channel
leakage. Moreover, memristors may also offer resilience against tampering,
by means of destructive data management. It should be understood that the prospects
for actual implementation of such security schemes based on emerging devices
depend on various aspects, ranging from circuit design and security analysis in
general, down to manufacturing capabilities and device maturity, among others.
Next, we briefly discuss some of these unique properties of emerging devices, which
make them prime candidates for the next era of secure electronics.


1.3.1 Reconfigurability
Reconfigurability, in the context of emerging devices, refers to the ability of a single
device topology to be configured for different logic functionalities, depending on
external control signals or internal parameters like doping, etc. Essentially, it means
that the same device layout could possibly implement one of several logic gates,
each indistinguishable from each other. However, once configured and deployed
in the field, the reconfigurable device will retain its functionality. Yet, the very
fact that the particular functionality it implements could be one of many, increases
the computational complexity for an attacker seeking to decipher its true nature.
This is particularly useful for static camouflaging schemes, where the number of
functionalities that the emerging logic gate can implement decides the number of
key bits per camouflaged gate. Here, the multi-functional gate could be configured
for its intended logic, post-fabrication, in a secure facility. Some classes of devices
that exhibit reconfigurability include the giant spin Hall effect device [Ran+19],
SiNWFETs [Rai+18], and memristors [Xia+09].


Fig. 1.14 A selective overview on emerging technologies, their properties, matching security schemes, and countered threats

1.3.2 Runtime Polymorphism
The ability to undergo reconfiguration in the field is referred to as runtime
polymorphism in this monograph. Runtime polymorphic emerging devices can not
only be programmed for functionality once post-fabrication, but can be morphed any
number of times on-the-fly. This characteristic makes them useful for implementing
polymorphic logic for hardware security. The difference between reconfigurable and
polymorphic logic from the context of the attacker is that while reconfigurable gates
present the attacker with the conundrum of correctly identifying the true nature of
the logic from many possible functionalities, polymorphic logic actually morphs
between those various possible functional states in real-time. Thus, an attacker
seeking to RE the polymorphic circuit not only has to identify these functional
states but also the transformation scheme between the states. Polymorphic emerging
devices proposed in prior works include the magnetoelectric spin–orbit device
(MESO) [Man+19] and magnetic domain wall (DW)-based devices [Par+17].


1.3.3 Nonlinearity and Intrinsic Entropy
Nonlinearity in an emerging device refers to its ability to perform nonlinear
transformation operations on the input stimulus, wherein the input to output
mapping becomes nonlinear or deviates from direct proportionality. Such an
injective one-way nonlinear transformation is quite useful for generating keys in
a physical unclonable function setting. Examples of nonlinear emerging devices
finding applications in cryptographic key generation include memristors [Zha+18b]
and photonic micro-cavity-based devices [Gru+17].
Intrinsic entropy of an emerging device is the innate randomness in the physical
phenomenon driving the device. Such randomness could arise due to any number
of factors such as metastability or abruptness in switching processes, or chaotic
dynamics. Evidence of intrinsic entropy has been observed in several emerging
devices such as spintronics switches [Ven+15] and photonic systems [SR07].


1.3.4 Heterogeneous Physical Integration
Emerging technologies like 3D and 2.5D integration allow for the bifurcation of
the chip into security-critical and non-critical components, thus enabling schemes
like split manufacturing to come into the picture. The possibility of physical
separation and integration of the chip in the supply chain enables the designer
to incorporate safeguards against IP theft and insertion of malicious Trojans.
Besides, the heterogeneous integration of novel emerging devices into hybrid-
CMOS configurations within the 3D framework opens up opportunities to tap
the unique characteristics of those devices, e.g., in-memory computing in 3D
architecture [Aly+18].


1.3.5 Resilience Against Tampering and Side-Channel Attacks
Tamper- and side-channel resilience in an emerging device or technology arises
from the ability to shield its internal operation and switching activity from an outsider.
This could be achieved via a number of techniques like materials engineering
to make the device impervious to external stimuli from probes, or constructing
physical barriers to obstruct an attacker from accessing internal nodes and
wires. Immunity against side-channel attacks also stems from features that aid
in securing the leakage channels, like masking or modifying the power activity
visible to the attacker. For instance, triple-independent gate field effect transistors
(TIGFET) [Sha+20] and all-spin logic [AYL18] have been shown to be resistant
to power side-channel attacks due to symmetric I-V and symmetric read/write
characteristics, respectively.


1.4 Closing Remarks
Our future electronics and computing systems can be fortified against various
classes of hardware threats by looking beyond conventional CMOS design practices,
toward the vast array of emerging logic and memory technologies. Some of these
emerging devices have shown promise in mitigating the common hardware-based
concerns known to plague CMOS systems, owing to their unique and peculiar
properties. In this chapter, we first looked at the fundamentals of hardware security,
including the various threat scenarios and attack landscapes against modern computing
systems, and the plethora of solutions proposed to counter them. Then we tried to
understand the limitations of CMOS hardware with respect to securing hardware, at
the root level, and also delved into the specific properties of emerging technologies
that can address these limitations. These properties, viz. reconfigurability, runtime
polymorphism, nonlinearity, intrinsic entropy, heterogeneous physical integration,
tamper-resilience, and resistance against side-channel leakage, form the basis of
individual security primitives that will be discussed in the upcoming chapters.


