About chameleons, the art of deception, and keeping your design away from predators
By Ron Keidar and Ron Cocchi, Inside Secure
Out in the wilderness, it is a known instinct that at times the key to survival is to stay invisible. Chameleons are just one out of many examples of beings that have mastered the art of camouflage as an important tool for survival, protecting themselves against the many dangers out there that might bring an end to their life if they are spotted and targeted.
In a major leap, transfer this thought to modern chip design, where new concepts are created by bright designers who find themselves in a different struggle to survive: against hackers who dedicate their passion and sophistication to stealing your data and even your design. In a nearly Darwinist survival of the fittest, if you are not able to keep your design away from such hackers, you are history! Thus, not only must you make sure that your data is kept safe while stationary, in transit or in process, but you may also need to protect your design itself, preventing third parties from making and using unauthorized copies.
A fine way to do that is to apply the concept of camouflage to impair the capacity of predators to understand your design. If a wild wolf looked at a rabbit and saw an elephant, it would surely not attempt to hunt it, as the odds would be against it. In this paper we will show how a bit of illusion can be used to avoid unauthorized copies and, if they do happen, to make sure that the end result of the copy is so badly damaged that it is in fact useless.
Inside Secure’s Circuit Camouflage Hardware Protection
In November 2017, Inside Secure acquired SypherMedia International Inc. (SMI) which has developed state-of-the-art technologies specifically for Anti-Tamper and Intellectual Property protection. These technologies provide hardware protection at the silicon level to secure high-value intellectual property. Inside Secure’s patented and trade-secret protection methods make reverse engineering of semiconductors virtually impossible. Using Inside Secure’s designs and techniques, chip manufacturers keep sensitive and strategic aspects of custom designs secret from anti-tamper attacks and reverse engineers. Inside Secure’s personnel are the authors of over 45 US patents, numerous international patents, and numerous pending patents in the field.
Inside Secure has worked with many of the world’s leading Integrated Circuit manufacturers to perfect this technology. At the heart of the solution, a ‘camouflage’ library is developed specifically for a Semiconductor foundry technology. The Camo library is a collection of physical design and layout techniques that has evolved over 20 years. The solutions have been fabricated in silicon technologies down to 28nm. 14nm FINFET is currently in process. The technology requires no foundry process changes and is 100% CMOS compatible. The circuit camouflage hardware protection techniques are compatible with non-protected circuitry so that standard cell logic, custom macros, and the Camo technology can coexist on the same chip.
The Camo technology can be implemented or adapted to a wide variety of manufacturers and application needs. SMI has licensed over 300 million chips protecting over 30 billion dollars of annual commerce utilizing this technology with no in-field failures or security compromises. Uses include providing IP protection, protection of smart card secrets, various Government applications, proprietary algorithm protection, and obfuscating unique requirements.
A conventional standard cell 2-input NOR gate is shown in Figure 1. Camo 2-input NAND and NOR gates are shown in Figures 2 and 3. The standard cell in Figure 1 has distinctive features that make it immediately recognizable and easy to reverse-engineer with a pattern recognition program. No recognizable patterns or distinguishable features are apparent in Figures 2 and 3.
Figure 1 (left): Conventional 2-Input NOR Gate; Figure 2 (center): Camo 2 Input NAND and NOR Gates; Figure 3 (right): Camo 2 Input NAND, NOR Gates without Metal.
Figures 2 and 3 illustrate two Camo gates sitting side-by-side. The three vertical traces in the centers of Figure 2 show a Camo 2-input NAND gate in the left image and a 2-input NOR gate in the right image. Figure 3 shows the same Camo gates with the metal removed. Notice that there are no distinctive patterns in the metal or silicon layers of these gates as compared to a standard cell in Figure 1. Cell boundaries are not visible, complicating the reverse engineering task.
SMI has developed a broad portfolio of circuit camouflage technologies. Three techniques are discussed in this paper to present an overview of the different approaches available. These techniques are referred to as Custom Cell, Foundry Standard Cell and In-field Programmable Cell based implementations.
In the Custom Cell approach, an entirely new cell library is developed and the application specific integrated circuit (ASIC) is synthesized to the Custom Cell library. The Custom Cell library is developed with an agreed set of logic functions. SMI has developed a number of Custom Cell libraries. Logic functions are designed so that individual logic cells appear identical at each mask layer, when in fact subtle changes are present to differentiate logic functions. Changes are designed so that the reverse engineer is unable to automate cell recognition.
The core of the Custom Cell Camo development is the physical design and layout of substructures of transistors and their interconnections to make them either invisible or to appear to be something else. All transistors are designed to have the same size and spacing as all other transistors and groups of cells are designed to have the same size and spacing as all other cells in the group. As shown in Figures 2 and 3, a 2-input NAND gate would not be distinguishable from a 2-input NOR gate. This provides the highest level of reverse-engineering and anti-tamper protection for intellectual property.
Foundry Standard Cell
In the Foundry Standard Cell approach, the target foundry’s standard cell library is used. Inside Secure designs many additional custom cells which appear to be foundry standard cells but in fact have different functions. Camo cells are used intermittently in an existing design. The reverse engineer would incorrectly interpret these cells, resulting in a non-functional netlist. The physical design and layout of substructures as discussed in the Custom Cell approach are utilized to construct these cells that appear to be part of the foundry’s standard cell library.
The advantage of the Foundry Standard Cell approach is that it can be designed, developed and implemented in a short time and at a lower cost.
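The effect of look-alike cells on an extracted netlist, as an added illustration that is not Inside Secure's code or data: a constructed full adder in which one cell looks like an AND2 in layout but is assumed to implement OR2. The cell functions, the netlist and the set of functions an AND2 look-alike might hide are all assumptions made for the example.

```python
from itertools import product

# Two-input cell functions used by the constructed example.
FUNCS = {
    "AND2": lambda a, b: a & b,
    "NAND2": lambda a, b: 1 - (a & b),
    "OR2": lambda a, b: a | b,
    "NOR2": lambda a, b: 1 - (a | b),
    "XOR2": lambda a, b: a ^ b,
}

# Assumed: functions that a cell with an AND2 layout could really implement.
LOOKALIKES = {"AND2": ["AND2", "NAND2", "OR2", "NOR2"]}

# Constructed netlist: (output net, apparent layout, true function, inputs).
NETLIST = [
    ("n1", "XOR2", "XOR2", ("a", "b")),
    ("sum", "XOR2", "XOR2", ("n1", "cin")),
    ("n2", "AND2", "AND2", ("a", "b")),
    ("n3", "AND2", "AND2", ("n1", "cin")),
    ("cout", "AND2", "OR2", ("n2", "n3")),  # camo cell: looks like AND2
]

def simulate(netlist, use_true, stimulus):
    """Evaluate the netlist with true functions or with apparent ones."""
    nets = dict(stimulus)
    for out, apparent, true, (x, y) in netlist:
        nets[out] = FUNCS[true if use_true else apparent](nets[x], nets[y])
    return nets

def extraction_errors(netlist, inputs, outputs):
    """Input vectors where the layout-derived netlist disagrees with silicon."""
    bad = []
    for bits in product((0, 1), repeat=len(inputs)):
        stim = dict(zip(inputs, bits))
        real = simulate(netlist, True, stim)
        seen = simulate(netlist, False, stim)
        if any(real[o] != seen[o] for o in outputs):
            bad.append(bits)
    return bad

def candidate_netlists(netlist, lookalikes):
    """Function assignments that are consistent with what the layout shows."""
    count = 1
    for _, apparent, _, _ in netlist:
        count *= len(lookalikes.get(apparent, [apparent]))
    return count

if __name__ == "__main__":
    errs = extraction_errors(NETLIST, ("a", "b", "cin"), ("sum", "cout"))
    print(f"extracted netlist wrong on {len(errs)} of 8 input vectors")
    print(f"candidate netlists: {candidate_netlists(NETLIST, LOOKALIKES)}")
```

A single misread cell makes the extracted adder wrong on half of its input vectors, and because every AND2-shaped cell becomes suspect, the ambiguity grows exponentially with the number of such cells.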
In-field Programmable Cell
The Standard Cell approach is ideal for use with ASICs with aggressive development schedules. Further protection can be added using our In-field Programmable Cell technology. Programmed secrets that reside in OTP could potentially be exposed; however, using hidden camouflage circuitry containing circuit functions, keys, and/or data, together with customer-defined OTP encryption, creates powerful protection for provisioned keys. A successful hack needs to completely read the OTP and break both the encryption and the hidden camouflage circuitry. Programmable Cells are configured within the secure programming facility by the Customer, and not to the silicon fab, nor to any recipients of programmed or non-programmed parts. The existence of programmable cells is not known to the attacker. Post-production programming enables a fabricated logic block to be used in different applications with different functional and algorithmic results.
Additional, optional protection can be added post Place and Route. Camo SmartFill is Inside Secure’s circuit camouflage technology that protects ASICs from tampering by removing available space in which an attacker might insert a Trojan circuit. Using filling and obfuscation techniques in all design layers makes it very difficult for a third party to make meaningful modifications to a camouflaged circuit without destroying the underlying functionality.
This optional element consists of overlaying patterns of metal that resemble real logical connections. The metal fill layers also include contacts/vias, resulting in a realistic but extremely dense network of metal routing. This added metal may contain active signals resulting in a higher level of obfuscation and a design layers as well, obscuring cell boundaries and identifiable design characteristics.
Camo SmartFill can be applied as an additional step to any of the three technical approaches, i.e. Custom Cell, Foundry Standard Cell and In-field Programmable Cell.
Reverse engineering a Camouflage Library is like examining a 3D jigsaw puzzle. Various sets of circuit obfuscation techniques are utilized in each of the overlaying layers. Each cell must be properly analyzed and identified. This multi-dimensional task is extremely difficult, as many obfuscation techniques are deployed in parallel within several layers. Combinations of obfuscation techniques create sufficient uncertainty to significantly increase the complexity and time required to reverse engineer the design. After searching for the various obfuscation techniques in each layer, the reverse engineer must properly align and interconnect the layers. The reverse engineer cannot easily leverage prior work due to the similarity of recognizable structures in our construction and design techniques. The objectives of the circuit camouflage library are to complicate and inhibit automatic pattern recognition systems, and to increase the extraction error rate so that it is virtually impossible to extract a 100% accurate netlist.
Figures 4 and 5 below show a normal standard cell AND2 and a Camo standard cell camouflage gate that performs a different function. A reverse engineer would mistakenly interpret both gates as normal AND2 gates and will extract an incorrect netlist for the ASIC.
Figure 4: Standard cell AND2
Figure 5: Camo AND2 look-alike
Figures 6 and 7 below show the pre and post PP&R processing of the Poly, Contact and Active layers, while Figures 8 and 9 show the pre and post PP&R of the metal and via layers. PP&R performs a realistic fill of the design layers so that the empty space appears to be part of the active design. PP&R significantly increases the work function required to extract a netlist from silicon.
Figures 6, 7: Pre/Post Poly, Contact and Active Camo SmartFill
Figures 8, 9: Pre/Post Layout Camo SmartFill
For more than 20 years, Inside Secure has provided Security IP that is meant to protect your data, thus allowing you to design a chip that secures it most efficiently whether at rest, in transit or in process. Security is provided in the form of Crypto Engines, Packet Protocol Blocks, and Keys Protection and Management in a silicon secure island. Now, Inside Secure expands to offer you design protection as well, to keep not only your data but also your design logic safe from hackers.
If your company has a unique idea, you certainly want to keep it away from cloners who copy your design and sell it for their own profit, thus hurting your company’s reputation and revenue stream. The insertion of Camo cells is automatic and fully integrated into a standard design flow.