Structural Attacks

This chapter is about structural attacks on point function-based logic locking. These attacks rely on the structural properties of a locked netlist to identify the correct functionality of the original version. The chapter presents four attacks: the signal probability skew (SPS) attack, the AppSAT-guided removal (AGR) attack, sensitization-guided SAT (SGS) attack, and the Bypass attack. The SPS attack targets the basic Anti-SAT block; the AGR attack circumvents the functional and structural obfuscation added on top of basic Anti-SAT; the SGS attack exposes the security vulnerabilities associated with AND-tree detection (ATD); the Bypass attack integrates the Double-DIP attack with simple post-processing steps to recover an exact netlist. Structural/removal attacks on point function-based logic locking exploit the structural traces embedded in a netlist to identify and/or bypass the protection offered by the point-function and recover the correct functionality of the target netlist. This chapter describes the operation of four structural attacks on logic locking. Section 7.1 presents the SPS attack that can identify and remove the basic (unobfuscated) Anti-SAT block to retrieve the original circuit. Section 7.2 elaborates on the operation of the AGR attack that integrates AppSAT with simple netlist analysis to break obfuscated Anti-SAT (OA). Section 7.3 presents the SGS attack that exploits the security vulnerabilities of ATD to weaken the security it promises. Section 7.4 discusses how the Bypass attack recovers an exact netlist by adding a bypass circuit to an approximate netlist.