

#### **Stealthy Opaque Predicates in Hardware -**Obfuscating Constant Expressions at Negligible Overhead

Max Hoffmann, Christof Paar

Ruhr University Bochum, Horst-Görtz Institute for IT-Security, Germany

hg Horst Görtz Institut für IT-Sicherheit

10.09.2018

CHES 2018 | Amsterdam

#### **Obfuscation**



















"insanely difficult"



• One target in software is control flow obfuscation.





• One target in software is control flow obfuscation.





• Opaque Predicates are used as a basic building block.

- Opaque Predicates are used as a basic building block.
- An opaque predicate:
  - is an expression
  - looks like having a dynamic value
  - evaluates to a constant, known value

| Example:  |       |     |      |
|-----------|-------|-----|------|
| (x * (x + | 1)) 2 | % 2 | == 0 |



#### Stealthy Opaque Predicates in Hardware | CHES 2018 | 10.09.2018

#### **Software Obfuscation**

- Opaque Predicates are used as a basic building block.
- An opaque predicate:
  - is an expression
  - looks like having a dynamic value
  - evaluates to a constant, known value
- Meant to harden against static analysis.
  - **Static Analysis**: analysis performed solely on a static data, e.g., a binary.
  - **Dynamic Analysis**: analysis performed during operation, e.g., while executing a binary.



#### **Example: Software Opaque Predicates**





 Control flow graph of a static analyzer:



• "True" control flow graph:



### A Software Obfuscation Technique in Hardware?

- How can a software obfuscation technique help in hardware?
- Obfuscation should harden against reverse engineering.

### A Software Obfuscation Technique in Hardware?

- How can a software obfuscation technique help in hardware?
- Obfuscation should harden against reverse engineering.
- Reverse engineers rarely analyze an entire design.
- Mostly: small parts of a design.

### A Software Obfuscation Technique in Hardware?

- How can a software obfuscation technique help in hardware?
- Obfuscation should harden against reverse engineering.
- Reverse engineers rarely analyze an entire design.
- Mostly: small parts of a design.
- **Goal**: hide as much information as possible.
  - $\rightarrow$  reduces starting points for reverse engineers.
  - $\rightarrow$  makes understanding of any component harder.

#### **Example: Hardware Reversing**





 $a_3$ 

 $b_3$ 

 $b_2$ 

 $a_2$ 

#### **Example: Hardware Reversing**





 $\rightarrow$  Use OPs to hide information introduced by constant signals.



## Previous Work

Stealthy Opaque Predicates in Hardware | CHES 2018 | 10.09.2018

18

#### **Translation to Hardware**

- Only one prior work on opaque predicates.
- Sergeichik et al. presented LFSR-based OPs in 2014 [1].



[1] Sergeichik and Ivaniuk. "Implementation of opaque predicates for fpga designs hardware obfuscation." (JICMS, 2014).

#### **Stealthiness**



- **Problem**: Easy to detect, uncommon structure
- Removal via static analysis demonstrated in [1].



[1] Wallat, Fyrbiak, Schlögel, and Paar. "A Look at the Dark Side of Hardware Reverse Engineering – A Case Study" (IVSW, 2017)

#### **Stealthiness**



- **Problem**: Easy to detect, uncommon structure
- Removal via static analysis demonstrated in [1].



- **Desired Metric**: "Stealthiness"
  - Impossible (?) to measure
  - Human factor plays a role
  - Different in hardware and software

[1] Wallat, Fyrbiak, Schlögel, and Paar. "A Look at the Dark Side of Hardware Reverse Engineering – A Case Study" (IVSW, 2017)



# **OPAQUE PREDICATES IN** HARDWARE

22

#### Hardware OPs – Idea



- Stealthiness: use common structures.
- Try to use existing circuitry.

#### Hardware OPs – Idea

- Stealthiness: use common structures.
- Try to use existing circuitry.
- Observation:
  - Signals are changing constantly.
  - A signal's value is only important while evaluated.

#### Hardware OPs – Idea

- Stealthiness: use common structures.
- Try to use existing circuitry.
- Observation:
  - Signals are changing constantly.
  - A signal's value is only important while evaluated.
- → Use an existing signal which
  - 1. has the required state whenever we need it
  - 2. switches "randomly" when not needed.









- Constant value required in Work1, Work2, and Work3.
- Multiple options to use the state of an FSM as an OP.





- Constant value required in Work1, Work2, and Work3.
- Multiple options to use the state of an FSM as an OP.





- Constant value required in Work1, Work2, and Work3.
- Multiple options to use the state of an FSM as an OP.



- Example:
  - Constant 1101000, to be obfuscated.
  - 5-bit FSM passes 3 states during the processing period.





• 1<sup>st</sup> State:





• 2<sup>nd</sup> State:





• 3<sup>rd</sup> State:





• 4<sup>th</sup> State:





- Very stealthy: existing FSMs are used.
- Zero additional gates (in theory...)



- Very stealthy: existing FSMs are used.
- Zero additional gates (in theory...)
- Applicable to nearly all designs.
- Considerably increases reversing effort: Reversing of control- and data-path required for identification of constants.

#### Hardware OPs



- Very stealthy: existing FSMs are used.
- Zero additional gates (in theory...)
- Applicable to nearly all designs.
- Considerably increases reversing effort: Reversing of control- and data-path required for identification of constants.
- Applicable to ASICs and FPGAs.
- Forces a reverse engineer to apply dynamic analysis.

#### Hardware OPs



- If no suitable FSM available, add a new FSM-like module.
  - Make it reset outside of the processing period.
  - Make it stabilize in a known state after some cycles.
  - Generate OP value from stable state.
- Still stealthy (FSMs are common).
- Stabilizing FSMs are also common (DONE state).





## CASE STUDIES

Stealthy Opaque Predicates in Hardware | CHES 2018 | 10.09.2018

#### **Scenario**





#### Scenario

Algorithm 1 Subverted RSA KeyGen Input:  $1^{\lambda}$ **Output:** pk = (n, e), sk = (d)1: Choose p, q as random  $\lambda/2$ -bit primes 2:  $n \leftarrow pq$ 3:  $e \leftarrow p^{E_{adv}} \mod N_{adv}$ 4: while  $gcd(e, \Phi(n)) \neq 1$  do 5:  $e \leftarrow e+1$ 6:  $d \leftarrow e^{-1} \mod \Phi(n)$ 7: **return** pk = (n, e), sk = (d)

#### **Results**



| Design  |              | LUTs  |        | FFs  |        |
|---------|--------------|-------|--------|------|--------|
| PRESENT | Unobfuscated | 304   |        | 347  |        |
|         | Strategy 1   | 307   | +0.99% | 347  | +0%    |
|         | Strategy 2   | 304   | +0%    | 350  | +0.86% |
| RSA     | Unobfuscated | 10570 |        | 5316 |        |
|         | Strategy 1   | 10811 | +2.28% | 5314 | -0.04% |
|         | Strategy 2   | 10692 | +1.15% | 5323 | +0.13% |

| Platform: XILINX A<br>Legend: | Artix-7 35T FPGA                         |   |
|-------------------------------|------------------------------------------|---|
| Unobfuscate                   | d: no opaque predicates were used        |   |
| Strategy 1:                   | opaque predicate from existing circuitry |   |
| Strategy 2:                   | new circuitry for the opaque predicate   |   |
|                               |                                          | _ |



# APPLICATION: WATERMARKING

Stealthy Opaque Predicates in Hardware | CHES 2018 | 10.09.2018

#### Watermarking

- A watermark enables identification of IPtheft.
- A vendor can inspect products for presence of his watermark.
- Schmid et al. proposed a watermarking scheme for FPGAs which implements a watermark into LUT configurations [1].



[1] Schmid, Moritz, and Ziener, Daniel, and Teich, Jurgen. "Netlist-level IP protection by watermarking for LUT-based FPGAs." (FPT 2008)

#### **FPGA LUT Configuration**



- A LUT is configured by defining it's output values.
- Example:



• These configurations can be read from the bitstream of an FPGA.

#### Watermarking by Schmid et al.



• **Idea**: fix some inputs to GND.

#### Watermarking by Schmid et al.



- **Idea**: fix some inputs to GND.
- Configuration bits for other cases become effectively unused.

#### Watermarking by Schmid et al.

RUB

- **Idea**: fix some inputs to GND.
- Configuration bits for other cases become effectively unused.
- Embed watermark there.

#### **Applying OPs**



- Netlist-level attacker was included in attacker model.
- **Problem**: Tracing GND to LUTs  $\rightarrow$  detected  $\rightarrow$  easy to remove the watermark.

#### Applying OPs



- Netlist-level attacker was included in attacker model.
- **Problem**: Tracing GND to LUTs  $\rightarrow$  detected  $\rightarrow$  easy to remove the watermark.
- **Solution**: Use our OPs instead of GND.



## CONCLUSION

Stealthy Opaque Predicates in Hardware | CHES 2018 | 10.09.2018

#### Conclusion

RUB

- Novel technique for opaque predicates in hardware (ASICs + FPGAs).
- Strong technique (discussion in the paper).
- Instantiation strategies:
  - Existing circuitry.
  - Additional circuitry.
- Practical evaluation.
- Demonstrate potential to mitigate existing attacks.



### **Thank You For Your Attention! Any Questions?**

CHES 2018 | Amsterdam

Horst Görtz Institut 10.09.2018

hgi

für IT-Sicherheit