Ph.D Thesis

Ph.D Student: Azriel Leonid
Subject: From Device Level to Systems - Advance Topics in Hardware
Department: Department of Electrical and Computers Engineering
Supervisors: Professor Emeritus Ran Ginosar, Prof. Avi Mendelson


The hardware security field raises two research questions: how to build hardware for trusted applications and how to protect hardware from attacks. The former covers security primitives, such as cryptographic accelerators and true random number generators, as well as trusted architectures. The latter starts from the characterization of hardware vulnerabilities that can be exploited with different types of attacks, such as fault injection, invasive and side-channel attacks, or injection of malicious hardware.

This research spans several topics of hardware security and comprises two main parts. The first part studies the application of the scan side channel to reverse engineering of integrated circuits. The scan technique provides convenient access to the internal logic of a digital integrated circuit (IC), allowing for efficient production test. Previous research demonstrated the use of scan as a side channel that exposes the IC's internal secrets. This work points to a different type of vulnerability: the possibility of reverse engineering an entire IC via scan, turning the reverse engineering of hardware into a non-invasive operation.

Direct access to the device state makes the learning problem combinational. While this is still a computationally hard problem, heuristic algorithms that exploit digital circuit properties can estimate the IC logic function with notable accuracy. The algorithms proposed in this thesis were proven effective with a number of circuit benchmarks, including a 6,000-register AES engine.

When the circuit logic is too complex to be fully reconstructed, semantic or syntactic match algorithms can be used to estimate the IC functionality. This work shows how the scan method can be harnessed to detect IP theft using library matching. The method was evaluated with an 80,000-register SHA-256 accelerator.

Lastly, this thesis shows first results of reverse engineering a physical IC. Scan-based circuit extraction combined with algorithmic specification discovery successfully identified several functional components in the IC.

The second part of this research studies applications of emerging memristive technologies to hardware security. High-capacity byte-addressable and non-volatile memory can radically improve data-centric applications. Yet, an adequate protection scheme is paramount when addressing shared and persistent memory. However, mechanisms that rely on virtual memory paging suffer from the tension between performance and protection granularity. Moreover, working with persistent memory requires a revision of the revocation scheme to prevent data leak through power cycles. This work proposes the Capability Enforcement Coprocessor (CEP), a programmable memory controller, which implements fine-grained protection and revocation through the capability model.

The memristor's non-linearity and non-volatility may also allow for building new security primitives or enhancing existing ones. For example, hardware hash functions potentially present a low-cost and low-power alternative to the classical implementations of mathematical cryptographic algorithms. This work proposes MemHash, a hardware secure hash function that exploits unique properties of memristors. MemHash exploits intrinsic device characteristics for entropy and process variations for implicit key embedding, thus creating a keyed-hash primitive. MemHash's statistical performance was evaluated in simulation with a 16×16 memristive crossbar. The results show uniqueness and diffuseness close to optimal.