^{a}, Cunxi Yu^{b}, Xiangyu Zhang^{c} and Daniel Holcomb^{d}

^{a}duo@umass.edu, ^{b}ycunxi@umass.edu, ^{c}xiangyuzhang@umass.edu, ^{d}holcomb@engin.umass.edu

Layout-level gate camouflaging has attracted interest as a countermeasure against reverse engineering of combinational logic. In order to minimize area overhead, typically only a subset of gates in a circuit are camouflaged, and each camouflaged gate layout can implement a few different logic functions. The security of camouflaging relies on the difficulty of learning the overall combinational logic function without knowing which logic functions the camouflaged gates implement.

In this paper, we present an incremental-SAT approach to reconstruct the logic function of a circuit with camouflaged gates. Our algorithm uses the standard attacker model in which an adversary knows only the non-camouflaged gate functions, and has the ability to query the circuit to learn the correct output vector for any input vector. Our results demonstrate a 5x speedup over the best existing deobfuscation algorithm.

Beyond demonstrating speedup, we use our powerful approach to produce new insights about the strength of obfuscation. First, we show that deobfuscation is feasible even in the more challenging setting where layout reveals nothing about the possible logic function of camouflaged gates. Additionally, selectively camouflaging gates to maximize output corruption under incorrect deobfuscation hypotheses typically reduces the number of vectors needed to deobfuscate the circuit.
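The attacker model in the abstract, worked through on a toy circuit as an added example that is not code from the paper: it counts how many oracle queries a camouflaging choice withstands before every surviving hypothesis is functionally equivalent to the real circuit. Brute-force enumeration of hypotheses stands in for the incremental SAT solver, and the netlist, candidate function set and all names are assumptions constructed for illustration.

```python
from itertools import product

# Assumed candidate set: functions one camouflaged cell layout could implement.
FUNCS = {
    "NAND": lambda x, y: 1 - (x & y),
    "NOR": lambda x, y: 1 - (x | y),
    "XOR": lambda x, y: x ^ y,
}

def circuit(hyp, a, b, c):
    """Constructed netlist: two camouflaged cells feeding two known gates."""
    g1 = FUNCS[hyp[0]](a, b)   # camouflaged cell 1
    g2 = FUNCS[hyp[1]](g1, c)  # camouflaged cell 2
    return (g2 & a, g2 | b)    # known AND and OR gates drive the outputs

def oracle(a, b, c):
    """Stand-in for the working chip; the analysis never sees this choice."""
    return circuit(("NAND", "XOR"), a, b, c)

def deobfuscate(query):
    """Return (surviving hypotheses, input vectors that were queried)."""
    alive = list(product(FUNCS, repeat=2))
    inputs = list(product((0, 1), repeat=3))
    queried = []
    while True:
        # Discriminating input: surviving hypotheses disagree on its output.
        dip = next((x for x in inputs
                    if len({circuit(h, *x) for h in alive}) > 1), None)
        if dip is None:
            # No input separates the survivors: they are all equivalent.
            return alive, queried
        observed = query(*dip)
        queried.append(dip)
        # Keep only hypotheses consistent with the observed output vector.
        alive = [h for h in alive if circuit(h, *dip) == observed]

if __name__ == "__main__":
    survivors, vectors = deobfuscate(oracle)
    print("queries used:", len(vectors), "of", 2 ** 3, "possible inputs")
    print("surviving hypotheses:", survivors)
```

Each query removes at least one hypothesis, so the loop terminates; a real netlist needs the SAT formulation because neither the hypothesis space nor the input space can be enumerated.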