{"title":"Non-Invasive Reverse Engineering of One-Hot Finite State Machines Using Scan Dump Data","authors":"Zhaoxuan Dong;Aijiao Cui;Hao Lu","doi":"10.1109/TETC.2023.3322299","DOIUrl":null,"url":null,"abstract":"Finite-state machine (FSM) always works as a core control unit of a chip or a system. As a high level design, FSM has also been exploited to build multiple secure designs as it is deemed hard to discern FSM structure from the netlist or physical design. However, these secure designs can never sustain once the FSM structure is reversed. Reverse engineering FSM not only indicates the access of the control scheme of a design, but also poses a severe threat to those FSM-based secure designs. As the one-hot encoding FSM is widely adopted in various circuit designs, this paper proposes a non-invasive method to reverse engineer the one-hot encoding FSM. The data dumped from the scan chain during chip operation is first collected. The scan data is then used to identify all the candidate sets of state registers which satisfy two necessary conditions for one-hot state registers. Association relationship between the candidate registers and data registers are further evaluated to identify the unique target set of state registers. The transitions among FSM states are finally retrieved based on the scan dump data from those identified state registers. 
The experimental results on the benchmark circuits of different size show that this proposed method can identify all one-hot state registers exactly and the transitions can be retrieved at a high accuracy while the existing methods cannot achieve a satisfactory correct detection rate for one-hot encoding FSM.","PeriodicalId":13156,"journal":{"name":"IEEE Transactions on Emerging Topics in Computing","volume":"12 3","pages":"795-809"},"PeriodicalIF":5.1000,"publicationDate":"2023-10-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Emerging Topics in Computing","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10280712/","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Citation count: 0
Abstract
A finite-state machine (FSM) always works as a core control unit of a chip or a system. As a high-level design, the FSM has also been exploited to build multiple secure designs, as it is deemed hard to discern the FSM structure from the netlist or physical design. However, these secure designs can never be sustained once the FSM structure is reverse engineered. Reverse engineering the FSM not only gives access to the control scheme of a design, but also poses a severe threat to those FSM-based secure designs. As the one-hot encoding FSM is widely adopted in various circuit designs, this paper proposes a non-invasive method to reverse engineer the one-hot encoding FSM. The data dumped from the scan chain during chip operation is first collected. The scan data is then used to identify all the candidate sets of state registers that satisfy two necessary conditions for one-hot state registers. The association relationships between the candidate registers and data registers are further evaluated to identify the unique target set of state registers. The transitions among FSM states are finally retrieved based on the scan dump data from those identified state registers. The experimental results on benchmark circuits of different sizes show that the proposed method can identify all one-hot state registers exactly and that the transitions can be retrieved at a high accuracy, while the existing methods cannot achieve a satisfactory correct detection rate for one-hot encoding FSMs.
About the journal:
IEEE Transactions on Emerging Topics in Computing publishes papers on emerging aspects of computer science, computing technology, and computing applications not currently covered by other IEEE Computer Society Transactions. Some examples of emerging topics in computing include: IT for Green, Synthetic and organic computing structures and systems, Advanced analytics, Social/occupational computing, Location-based/client computer systems, Morphic computer design, Electronic game systems, & Health-care IT.