
HAL—The Missing Piece of the Puzzle for Hardware Reverse Engineering, Trojan Detection and Insertion

Authors :
Tobias Weidlich
Marc Fyrbiak
Christof Paar
Pawel Swierczynski
Matthias Wilhelm
Sebastian Hoppach
Russell Tessier
Sebastian Wallat
Max Hoffmann
Source :
IEEE Transactions on Dependable and Secure Computing
Publication Year :
2019
Publisher :
Institute of Electrical and Electronics Engineers (IEEE), 2019.

Abstract

Hardware manipulations pose a serious threat to numerous systems, ranging from a myriad of smart-X devices to military systems. In many attack scenarios an adversary merely has access to the low-level, potentially obfuscated gate-level netlist. In general, the attacker possesses minimal information and faces the costly and time-consuming task of reverse engineering the design to identify security-critical circuitry, followed by the insertion of a meaningful hardware Trojan. These challenges have been considered only in passing by the research community. The contribution of this work is threefold: First, we present HAL, a comprehensive reverse engineering and manipulation framework for gate-level netlists. HAL allows automating defensive design analysis (e.g., including arbitrary Trojan detection algorithms with minimal effort) as well as offensive reverse engineering and targeted logic insertion. Second, we present a novel static analysis Trojan detection technique ANGEL which considerably reduces the false-positive detection rate of the detection technique FANCI. Furthermore, we demonstrate that ANGEL is capable of automatically detecting Trojans obfuscated with DeTrust. Third, we demonstrate how a malicious party can semi-automatically inject hardware Trojans into third-party designs. We present reverse engineering algorithms to disarm and trick cryptographic self-tests, and subtly leak cryptographic keys without any a priori knowledge of the design's internal workings.

Details

ISSN :
21609209 and 15455971
Volume :
16
Database :
OpenAIRE
Journal :
IEEE Transactions on Dependable and Secure Computing
Accession number :
edsair.doi.dedup.....b25ace2a90716d8a7ed4ecf34d3f422e