TAAL: Tampering Attack on Any Key-based Logic Locked Circuits

Due to the globalization of semiconductor manufacturing and test processes, the system-on-a-chip (SoC) designers no longer design the complete SoC and manufacture chips on their own. This outsourcing of design and manufacturing of Integrated Circuits (ICs) has resulted in a number of threats, such as overproduction of ICs, sale of out-of-specification/rejected ICs, and piracy of Intellectual Properties (IPs). Logic locking has emerged as a promising defense strategy against the afore-mentioned threats. However, various attacks pertaining to the extraction of secret keys have undermined the security of logic locking techniques. Over the years, researchers have proposed different techniques to prevent the existing attacks. In this paper, we propose a novel attack which can break any logic locking techniques that relies on stored secret key. This proposed TAAL attack is based on implanting a hardware Trojan in the netlist, which leaks the secret key to an adversary once activated. As an untrusted foundry has the capability to extract the netlist of a design from the layout/mask information, it is feasible for a malicious foundry to implement such a hardware Trojan. All of the three types of TAAL attacks can be used for extracting secret keys. We have introduced the models for both the combinational and sequential hardware Trojans that evade manufacturing tests as well. An adversary only needs to choose one hardware Trojan out of a large set of all possible Trojans to launch the TAAL attack.