0278-0070 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCAD.2019.2957359, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems Reverse Engineering for 2.5D Split Manufactured ICs Wei-Che Wang, Yizhang Wu and Puneet Gupta Department of Electrical and Computer Engineering, University of California, Los Angeles Abstract—Integrated circuit (IC) split manufacturing has been shown to be one of the most effective protection schemes to prevent reverse engineering from malicious foundries. Among the existing split manufac- turing approaches, the 2.5D split manufacturing using silicon interposer has much less fabrication and testing costs compared to layer splitting approaches. In this paper we propose a Boolean Satisfiability(SAT)-based attack to reconstruct the wire connections of the 2.5D split manufacturing netlists. Our SAT-based attack can fully reconstruct the missing wires between modules with 100% correctness and therefore the functionality of the chip can be completely reverse engineered. In addition, we show that the runtime of attack is significantly reduced compared to existing 2.5D split manufacturing SAT attacks by applying grouping hints obtained from a Satisfiability Modulo Theories (SMT)-based grouping algorithm, which is purely depending on the circuit functionality, so no physical defensive mechanisms can prevent such attack. In our experiments we show that our grouping algorithm can speed up the existing SAT attack runtime by more than 1,000X and can successfully reverse engineer reasonable size benchmarks even when the split nets contains more than one fanouts and the total cut size is close to 1,000. I. I NTRODUCTION The globalization of Integrated circuit (IC) supply chain due to the higher fabrication cost and increasing complexity of modern designs has led to new security threats including IC overproduction and reverse engineering [1]. In the cost-effective fabless model, the foundries that the IC/IP owner outsourced the design to might not be trustworthy. Once the foundry obtains the whole GDSII of the design, it can overproduce or perform reverse engineering to obtain all design details, which leads to significant revenue lost. Split manufacturing, as one of the most promising defensive mechanisms to prevent foundry reverse engineering, has been studied intensively in recent years. A. Layer-based Split Manufacturing To protect ICs from the malicious foundries or attackers, Layer- based Split Manufacturing (LSM) has been proposed as a protecting mechanism to minimize the aforementioned risks [2]. LSM divides a design into Front End of Line (FEOL) and Back End of Line (BEOL) parts, and different parts are fabricated at different foundries. The FEOL (higher complexity and cost) part is fabricated at an untrusted foundry. Since the complete connections of the circuit are unknown to the untrusted foundry, the design cannot be fully reverse engineered. After the FEOL fabrication, the wafer is shipped back to an onshore trusted foundry for the BEOL fabrication and integration. While LSM may fit well with the advanced 3D IC fabrication model, however, the yield loss due to wafer transportation, integration, and the requirement of design rule compatibility of two foundries are still remaining as the major challenges [3]. Also, the cost of splitting lower metal layers can induce even higher cost [4], while splitting at higher layers may not provide sufficient security [5]. B. Module-based Split Manufacturing Another split manufacturing strategy is the Module-based Split Manufacturing (MSM), which is a promising IC integration technol- ogy that is designed to improve system performance by using silicon interposers [6]. MSM offers a high density and low cost package system [7] with inter-chip bandwidth benefits and power reduction [8]. 2.5D interposer products are already commercially available, such as AMD Radeon Fury GPU [9] and NVIDIA Tesla Accelerator [10]. Therefore, the security of MSM has become more and more important for the maturity of the technology, and research efforts have been devoted to this area, including security-purpose 2.5D integration [11], attacking, and defending techniques of MSM [12], [13]. Compared to LSM, the advantages of MSM include: 1) Alignment and integration: The integration of LSM is more challenging than MSM because of the larger pitch size of the interposer compared to metal layers. Also, each module of MSM can be packaged and tested as normal chip before being sent to the integrator. 2) Fabrication compatibility: No design rule compatibility require- ments for MSM since the connection is done through chip-to- chip interposers. C. Threat Model of the Proposed Attack We focus on reconstructing the missing connections of the MSM strategy given the following assumptions: 1) The adversaries are malicious foundries who have access to all the MSM parts including both FEOL and BEOL of the design. 2) Once the design is integrated at a trusted facility and sold to the open market, the adversaries can obtain the functional chip to find out correct input/output pairs. Our threat model is the same as existing SAT-based MSM attacks [12], [13], [14], where no physical reverse engineering of the func- tional chip is required. Please note that for the proximity attack on LSM [15], the BEOL and complete function of the chip are unknown and 100% correctness is not guaranteed. Our attack is on MSM connections and guarantees 100% correctness assuming that the complete function is available. The only thing the adversary does not know is the connection or interposers between the splitting parts. Since the splitting parts are known to the adversary, the intermediate input/output at the splitting interface are also known by the adversary. D. Problem Formation The goal of our attack is to reconstruct the missing connections of the MSM components without costly reverse engineering of the interposers. Figure 1 shows an example of a circuit split using the MSM strategy. Partition 1 and partition 2 can be either fabricated at the same or different foundries but none of them know the final connections between the two parts as indicated by the circles. The split can have no-fanout as indicated in Figure 1 (a) or include the fanout (3x4) as shown in Figure 1 (b). The cut nets of both fanout and no-fanout splits can be the same but the cut sizes are different. For both splits it is impractical for the adversary to brute-force all connections to find a correct solution simply because of the size of the solution space. Fig. 1: MSM example (a) without fanout and (b) with fanout split. Partition 1 and partition 2 can be fabricated at the same or different foundries but the connections between them are hidden. The goal of the adversary is to connect outputs of partition 1 to the inputs of partition 2 correctly. To address this problem, we propose to use a Boolean Satisfiability (SAT) solver with hints obtained from circuit function analysis. Dif- ferent from the SAT attack proposed in [14], we introduce grouping hints that can significantly reduce the runtime of the SAT attack. The main contributions of this paper include: • Two SAT-based attacks are compared. Results show that the grouping hint is much more effective than the no-fanout hint, Authorized licensed use limited to: UCLA Library. Downloaded on February 15,2020 at 02:37:42 UTC from IEEE Xplore. Restrictions apply.