{"id":98,"date":"2023-11-06T00:01:11","date_gmt":"2023-11-06T05:01:11","guid":{"rendered":"https:\/\/www.ece.ucf.edu\/~kamali\/?page_id=98"},"modified":"2025-09-27T11:25:06","modified_gmt":"2025-09-27T15:25:06","slug":"publications","status":"publish","type":"page","link":"https:\/\/www.ece.ucf.edu\/~kamali\/publications\/","title":{"rendered":"Publications"},"content":{"rendered":"\n
\"\"<\/span>
\n
\n
\n

WARNING<\/span><\/strong>: This directory contains pdf\/ps files of articles that may be covered by copyright<\/strong><\/em>. You may browse the articles at your convenience, in the same spirit as you may read a journal or a proceedings article in a public library. Retrieving, copying, or distributing these files may violate copyright protection laws.<\/p>\n<\/div><\/div>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\n

\n
\n
\"\"<\/figure>\n<\/div>\n\n\n\n
\n

You can find the latest updates of publications here in Google Scholar Profile<\/strong><\/mark><\/a>!<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n
\n
\n

2<\/h3>\n\n\n\n
\n

Books<\/p>\n<\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

1<\/h3>\n\n\n\n
\n

Book Chapters<\/p>\n<\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

6<\/h3>\n\n\n\n
\n

Pending\/Issued Patents<\/p>\n<\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

15<\/h3>\n\n\n\n
\n

Journals<\/p>\n<\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

49<\/h3>\n\n\n\n
\n

Conferences<\/p>\n<\/div><\/div>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

3<\/h3>\n\n\n\n
\n

Abstract\/Non
Refereed<\/p>\n<\/div><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/div>\n\n\n\n

\n\n\n\n

Books [2 Books]<\/h2>\n\n\n\n
\n
\n

[B2]<\/p>\n<\/div>\n\n\n\n

\n

Hardware Security: A Look into the Future <\/h2>\n\n\n\n

Mark Tehranipoor, Kimia Azar, Hadi Kamali<\/span><\/strong>, Navid Asadizanjani, Fahim Rahman, Farimah Farahmandi<\/p>\n\n\n\n

Springer Nature<\/em><\/strong>.<\/p>\n\n\n\n

\n
Link to the Online Version<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2024<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[B1]<\/p>\n<\/div>\n\n\n\n

\n

Understanding Logic Locking <\/h2>\n\n\n\n

Kimia Azar, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi, Mark Tehranipoor<\/p>\n\n\n\n

Springer Nature<\/em><\/strong>.<\/p>\n\n\n\n

\n
Link to the Online Version<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n\n\n\n

Book Chapters [1 Book Chapters]<\/h2>\n\n\n\n
\n
\n

[BC1]<\/p>\n<\/div>\n\n\n\n

\n

Sequential and Combinational Satisfiability Attacks<\/h2>\n\n\n\n

Kimia Azar, Hadi Kamali<\/span><\/strong>, Avesta Sasan<\/p>\n\n\n\n

Encyclopedia of Cryptography, Security and Privacy, Springer Nature<\/strong><\/em>.<\/p>\n\n\n\n

\n
Link to the Online Version<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n\n\n\n

Patents [4 Patents]<\/h2>\n\n\n\n
\n
\n

[P5]<\/p>\n<\/div>\n\n\n\n

\n

Secure Test Process for Advanced Packaging Assisted Heterogeneous Inte-
grated Microelectronic Devices<\/h2>\n\n\n\n

Mark Tehranipoor, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi, Galib I Heidar<\/p>\n\n\n\n

US Patent<\/em><\/strong>, TBD.<\/p>\n<\/div>\n\n\n\n

\n

TBD<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[P4]<\/p>\n<\/div>\n\n\n\n

\n

Adaptive and Design-agnostic Active Watermarking for Authentication of Hardware Intellectual Property Core Ownership<\/h2>\n\n\n\n

Farimah Farahmandi, Hadi Kamali<\/span><\/strong>, Mark Tehranipoor, Zahin Ibnat, Mohammad Sazadur Rahman, Mridha Md Mashahedur Rahman<\/p>\n\n\n\n

US Patent<\/em><\/strong>, TBD.<\/p>\n<\/div>\n\n\n\n

\n

TBD<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[P3]<\/p>\n<\/div>\n\n\n\n

\n

Building And Redaction Of Universal Function Models For Hardware Protection<\/h2>\n\n\n\n

Mark Tehranipoor, Mohammad Sazadur Rahman, Hadi Kamali<\/span><\/strong>, Fahim Rahman, Kimia Azar, Farimah Farahmandi, Rui Guo<\/p>\n\n\n\n

\n
US Patent – Online Version<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2025<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[P2]<\/p>\n<\/div>\n\n\n\n

\n

Clock Gating System and Method For Protecting Hardware Design<\/h2>\n\n\n\n

Mark Tehranipoor, Farimah Farahmandi, Hadi Kamali<\/span><\/strong>, Fahim Rahman, Mohammad Sazadur Rahman, Rui Guo<\/p>\n\n\n\n

\n
US Patent – Online Version<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2024<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[P1]<\/p>\n<\/div>\n\n\n\n

\n

Runtime Security Monitoring of Hardware Designs<\/h2>\n\n\n\n

Mark Tehranipoor, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi, Kimia Azar, Tao Zhang<\/p>\n\n\n\n

\n
US Patent – Online Version<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2024<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n\n\n\n

Journal Papers [14 Papers]<\/h2>\n\n\n\n
\n
\n

[J15]<\/p>\n<\/div>\n\n\n\n

\n

EvoLUTe+: Fine-Grained Look-Up-Table-based RTL IP Redaction<\/h2>\n\n\n\n

Rui Guo, Sazadur Rahman, Jingbo Zhou, Hadi Kamali, Farimah Farahmandi<\/p>\n\n\n\n

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (IEEE TCAD)<\/strong><\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Hardware obfuscation is an active trustworthy design technique targeting threats in the IC supply chain, such as IP piracy and overproduction. Recent research on Intellectual Property (IP) protection technologies suggests that using embedded reconfigurable components (e.g., eFPGA redaction) could be a promising approach to hide the functional and structural information of security-critical designs. However, such techniques suffer from almost prohibitive overhead in terms of area, power, delay, and testability. This paper proposes an obfuscation technique called EvoLUTe+, which is a unique and more fine-grained redaction approach using smaller reconfigurable components (e.g., Look-Up Tables (LUTs)). EvoLUTe+ achieves fine-grained partitioning, sub-circuit coloring, and scoring of IP, and then encrypts the original IP through the substitution of some subcircuits. Different attacks are used to test the robustness of EvoLUTe+, including structural and machine learning attacks, as well as Bounded Model Checking (BMC) attacks. The overhead of the obfuscation design is also analyzed. Experimental results demonstrate that EvoLUTe+ exhibits robustness with acceptable overhead while resisting such threat models.<\/p>\n<\/details>\n<\/div>\n\n\n\n

\n

2025<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J14]<\/p>\n<\/div>\n\n\n\n

\n

Advancing Trustworthiness in System-in-Package: A Novel Root-of-Trust Hardware Security Module for Heterogeneous Integration<\/h2>\n\n\n\n

Md Sami Ul Islam Sami, Tao Zhang, Amit Mazumder Shuvo, Md Saad Ul Haque, Paul E. Calzada, Kimia Azar, Hadi Kamali<\/span><\/strong>, Fahim Rahman, Farimah Farahmandi, Mark Tehranipoor<\/p>\n\n\n\n

IEEE Access<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

The semiconductor industry has adopted heterogeneous integration (HI), incorporating modular intellectual property (IP) blocks (chiplets) into a unified system-in-package (SiP) to overcome the slowdown in Moore\u2019s Law and Dennard scaling and to respond to the increasing demand for advanced integrated circuits (ICs). Despite the manifold benefits of HI, such as enhanced performance, reduced area overhead, and improved yield, this transformation has also led to security vulnerabilities in the SiP supply chain and in-field operations, ranging from chiplet piracy and SiP reverse engineering (RE) to information leakage. Although conventional countermeasures provide the desired robustness for monolithic ICs, they are insufficient for addressing these challenges in the context of HI. To address these concerns, this paper presents a novel root-of-trust architecture, augmenting the process of integration using a centralized chiplet hardware security module (CHSM), aiming to provide comprehensive and robust protection throughout the SiP supply chain and in-field operations. Also, the proposed architecture equipped with the CHSM effectively addresses potential security breaches while providing robust protection against zero-day attacks through its reconfigurable capabilities. Throughout five detailed case studies, this paper performs a comprehensive security analysis to illustrate the resilience of CHSM against contemporary attack scenarios in the HI domain.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2024<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J13]<\/p>\n<\/div>\n\n\n\n

\n

Improving Bounded Model Checkers Scalability for Circuit De-obfuscation: An Exploration<\/h2>\n\n\n\n

Kimia Azar, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi, Mark Tehranipoor<\/p>\n\n\n\n

IEEE Transactions on Information Forensics and Security (IEEE TIFS)<\/strong>.<\/p>\n\n\n\n

Abstract<\/summary>\n

With the globalization and distribution of the semiconductor supply chain, intellectual property (IP) protection has become a necessity. Recent years have witnessed a surge of interest in logic locking as a proactive IP protection solution. However, in recent years, we also have seen an increase in logic\/circuit de-obfuscation attacks that put the strength of logic locking at risk. One of these attacks on locked circuits is the bounded-model-checker (BMC)-based attack, where the adversary has limited access to the design-for-testability (DFT) (known as scan chain). While the BMC-based attack is widely known as an algorithmic attack, numerous studies show that the attack lacks scalability since it has two unrolling factors: sequential unrolling and miter duplication. Inspired by straightforward heuristics widely used for satisfiability problems in the computer science SAT community, in this paper, we will explore a set of methodologies that can have a significant impact on mitigating the BMC attack\u2019s scalability issue. For this purpose, through the BMC attack process, we explore the efficacy of \u201crestart\u201d and \u201cinitialization\u201d on the attack performance, in which we apply some modification on the locked design before (\u201cinitialization\u201d) or within (\u201crestart\u201d) the BMC execution. By applying \u201crestart\u201d and \u201cinitialization\u201d in numerous different configurations, our experimental results show >85% consistent improvement in the BMC attack that can lead to a stronger algorithmic attack scenario on logic locking.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2024<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J12]<\/p>\n<\/div>\n\n\n\n

\n

Exploring the Abyss? Unveiling Systems-on-Chip Hardware Vulnerabilities beneath Software<\/h2>\n\n\n\n

Sree Ranjani Rajendran, Nusrat Farzana, Shams Tarek, Hadi Kamali<\/span><\/strong>,
Mark Tehranipoor, Farimah Farahmandi<\/p>\n\n\n\n

IEEE Transactions on Information Forensics and Security (IEEE TIFS<\/strong>).<\/p>\n\n\n\n

Abstract<\/summary>\n

Due to the increasing size and complexity of system-on-chips (SoCs), new threats and vulnerabilities are emerging, mainly related to flaws at the system level. Due to the lack of decisive security requirements and properties from the perspective of the SoC designer, the system-level verification process, whose violation may lead to exploiting a hardware vulnerability, is not studied comprehensively. To enable more comprehensive verification of system-level properties, this paper presents a framework known as HUnTer (Hardware Underath Trigger) for identifying sets of instructions (sequences) at the processor unit (PU) that reveal the underlying hardware vulnerabilities. HUnTer automates (i) threat modeling, (ii) threat-based formal verification, (iii) generating counterexamples, and (iv) generating snippet code to exploit the vulnerability. Furthermore, the HUnTer framework defines a unique security coverage metric (HUnT_Coverage) to measure the performance and effectiveness of vulnerability exploits. To demonstrate the high effectiveness of the proposed framework, we conduct a wide variety of case studies using the HUnTer framework on RISC-V-based open-source SoC architecture and attains the security coverage of 86% as an average for 11 benchmarks of the Trust-Hub database.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2024<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J11]<\/p>\n<\/div>\n\n\n\n

\n

SiPGuard: Run-time System-in-Package Security Monitoring via Power Noise Variation<\/h2>\n\n\n\n

Tao Zhang, Latifur Rahman, Hadi Kamali<\/span><\/strong>, Kimia Azar, Farimah Farahmandi, Mark Tehranipoor<\/p>\n\n\n\n

IEEE Transactions on Very Large Scale Integration (VLSI) Systems (IEEE TVLSI)<\/strong>.<\/p>\n\n\n\n

Abstract<\/summary>\n

As Moore\u2019s law comes to a crawl, advanced package and integration techniques become increasingly crucial by allowing for the combination of fabricated silicon dies, so-called chiplet, to constitute system-in-package (SiP) achieving a much better yield and time-to-market. However, due to inherent security concerns within the convoluted semiconductor supply chain and in-field environment, hostile attacks targeting software and hardware applications can present a formidable challenge to ensuring the security of SiP. Even worse, the immanent black-box nature of product chiplets renders most conventional security inspection and testing solutions less useful. Therefore, we present our SiPGuard in this article to enable the security monitoring capability during run time to noninvasively track the application-level behaviors of target chiplets and detect any deviations potentially induced by underlying malicious intrusions. The security monitoring mechanism utilizes information-bearing system-level power noise variation and machine learning (ML) techniques. Specifically, we utilize a trusted field-programmable gate array (FPGA) chiplet as our trust anchor to implement the lightweight power sensor and on-chip ML inference engine for near-sensor analysis. We prototype our solution on a 2.5-D chiplet-based FPGA device and demonstrate the effectiveness against threats at software\/hardware levels by identifying the consequent power anomalies of malicious activities.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J10]<\/p>\n<\/div>\n\n\n\n

\n

ReTrustFSM: Towards RTL Hardware Obfuscation – A Hybrid FSM Approach<\/h2>\n\n\n\n

Mohammad Sazadur Rahman, Rui Guo, Hadi Kamali<\/span><\/strong>, Fahim Rahman, Farimah Farahmandi, Mark Tehranipoor<\/p>\n\n\n\n

IEEE Access<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Hardware obfuscating is a proactive design-for-trust technique against IC supply chain threats, i.e., IP piracy and overproduction. Many studies have evaluated numerous techniques for obfuscation purposes. Nevertheless, de-obfuscation attacks have demonstrated their insufficiency. This paper proposes a register-transfer (RT) level finite-state-machine (FSM) obfuscation technique called ReTrustFSM that allows designers to obfuscate at the earliest possible stage. ReTrustFSM combines three types of secrecy: explicit external secrecy via an external key, implicit external secrecy based on specific clock cycles, and internal secrecy through a concealed FSM transition function. So, the robustness of ReTrustFSM relies on the external key, the external primary input patterns, and the cycle accuracy of applying such external stimuli. Additionally, ReTrustFSM defines a cohesive relationship between the features of Boolean problems and the required time for de-obfuscation, ensuring a maximum execution time for oracle-guided de-obfuscation attacks. Various attacks are employed to test ReTrustFSM\u2019s robustness, including structural and machine learning attacks, functional I\/O queries (BMC), and FSM attacks. We have also analyzed the corruptibility and overhead of design-under-obfuscation. Our experimental results demonstrate the robustness of ReTrustFSM at acceptable overhead\/corruption while resisting such threat models.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J9]<\/p>\n<\/div>\n\n\n\n

\n

Enabling Security Of Heterogeneous Integration: From Supply Chain To In-Field Operations<\/h2>\n\n\n\n

Md Sami Ul Islam Sami, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi, Fahim Rahman, Mark Tehranipoor<\/p>\n\n\n\n

IEEE Design and Test (IEEE D&T)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Witnessing significant signs of a slowdown of Moore\u2019s law and Dennard scaling has pushed leading semiconductor companies toward advanced packaging with heterogeneous integration (HI) to stay away from the challenges of monolithic IC in more shrunk technology with higher complexity. In light of the advances made in monolithic ICs, this paper explores how these promising solutions can be extended for secure HI. For this purpose, by investigating the trustworthiness of the system-in-package (SiP) supply chain, we introduce possible trust validation and attack mitigation methodologies leading to establishing the fundamentals of end-to-end secure HI.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J8]<\/p>\n<\/div>\n\n\n\n

\n

HLock+: A Robust and Low-Overhead Logic Locking at the High-Level Language<\/h2>\n\n\n\n

Md Rafid Muttaki, Roshanak Mohammadivojdan, Hadi Kamali<\/span><\/strong>, Mark Tehranipoor, Farimah Farahmandi<\/p>\n\n\n\n

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems (IEEE TCAD)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

With the emergence of the horizontal business model in the semiconductor industry, numerous hardware security concerns have been emerged, including intellectual property (IP) theft, malicious functionality insertion, and IC overproduction. To combat these threats, logic locking has been introduced as one of the most prominent countermeasures, and advances in logic locking have led the most recent techniques toward higher levels of abstractions, i.e., register transfer language (RTL) or high-level languages (C\/C++). In this article, we propose HLock+, a robust logic locking framework at the high-level design language. HLock+ consists of two main parts to achieve multiple goals: 1) Locking in HLock+ is based on a formal analysis over design specifications, assets, and critical operations to determine locking points in the design to provide the best solution in terms of desired attack resiliency (e.g., SAT attacks), and locking key size and 2) we integrate the formal analysis with a point function locking technique, in which the locking candidates have been chosen by an optimization algorithm helping us to boost the efficiency of the approach with the given area, power, and performance constraints. Furthermore, the proposed framework ensures a dynamic\/automatic locking solution based on a set of specifications, and it is well suited for large-scale designs. Apart from having lesser development\/verification efforts, HLock+ at high-level language will be followed by high-level synthesis (HLS) and RTL synthesis, which provides superior uniform distribution and optimum output corruptibility. We show that HLock+ provides potent robustness against de-obfuscation attacks, e.g., SAT and machine-learning-based attacks, while the overhead is kept low.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J7]<\/p>\n<\/div>\n\n\n\n

\n

From cryptography to logic locking: A survey on the architecture evolution of secure scan chains<\/h2>\n\n\n\n

Kimia Azar, Hadi Kamali<\/span><\/strong>, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

IEEE Access<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

The availability of access to Integrated Circuits’ scan chain is an inevitable requirement of modern ICs for testability\/debugging purposes. However, leaving access to the scan chain OPEN resulted in numerous security threats on ICs. It raises challenging concerns particularly when the secret asset, like secret information, is placed within the chip, such as the keys of cryptographic algorithms, or similarly logic obfuscation key. So, to combat these threats, numerous secure scan chain architectures have been proposed in the literature to prevent any unauthorized access to the scan chain. They also keep the availability of the scan chain for testability\/debugging. In this paper, we first show why a secure scan chain architecture is required when security primitives, like logic obfuscation, are in place. Then, we provide a holistic overview of all secure scan chain architectures starting from preliminary methods introduced when cryptography is in place and the adversary threat model is very limited. It is then followed by newer and more advanced methods introduced when logic obfuscation is in place and the adversary threat model is much stronger. Hence, we have more concentration on the architecture proposed more recently on logic obfuscation. We evaluate all secure scan chain architectures in terms of security and resiliency, testability\/debugging time and complexity, and area\/power\/delay overhead.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2021<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J6]<\/p>\n<\/div>\n\n\n\n

\n

Deep graph learning for circuit deobfuscation<\/h2>\n\n\n\n

Zhiqian Chen, Lei Zhang, Gaurav Kolhe, Hadi Kamali<\/span><\/strong>, Setareh Rafatirad, Sai Manoj Pudukotai Dinakarrao, Houman Homayoun, Chang-Tien Lu, and Liang Zhao<\/p>\n\n\n\n

Frontiers in big Data (Frontier)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Circuit obfuscation is a recently proposed defense mechanism to protect the intellectual property (IP) of digital integrated circuits (ICs) from reverse engineering. There have been effective schemes, such as satisfiability (SAT)-checking based attacks that can potentially decrypt obfuscated circuits, which is called de-obfuscation. De-obfuscation runtime could be days or years, depending on the layouts of the obfuscated ICs. Hence, accurately pre-estimating the de-obfuscation runtime within a reasonable amount of time is crucial for IC designers to optimize their defense. However, it is challenging due to (1) the complexity of graph-structured circuit; (2) the varying-size topology of obfuscated circuits; (3) requirement on efficiency for de-obfuscation method. This study proposes a framework that predicts the de-obfuscation runtime based on graph deep learning techniques to address the challenges mentioned above. A conjunctive normal form (CNF) bipartite graph is utilized to characterize the complexity of this SAT problem by analyzing the SAT attack method. Multi-order information of the graph matrix is designed to identify the essential features and reduce the computational cost. To overcome the difficulty in capturing the dynamic size of the CNF graph, an energy-based kernel is proposed to aggregate dynamic features into an identical vector space. Then, we designed a framework, Deep Survival Analysis with Graph (DSAG), which integrates energy-based layers and predicts runtime inspired by censored regression in survival analysis. Integrating uncensored data with censored data, the proposed model improves the standard regression significantly. DSAG is an end-to-end framework that can automatically extract the determinant features for de-obfuscation runtime. Extensive experiments on benchmarks demonstrate its effectiveness and efficiency.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2021<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J5]<\/p>\n<\/div>\n\n\n\n

\n

Data Flow Obfuscation: A New Paradigm for Obfuscating Circuits<\/h2>\n\n\n\n

Kimia Azar, Hadi Kamali<\/span><\/strong>, Shervin Roshanisefat, Houman Homayoun, Christos P. Sotiriou, Avesta Sasan<\/p>\n\n\n\n

IEEE Transactions on Very Large Scale Integration (VLSI) Systems (IEEE TVLSI)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

In this article, unlike almost all state-of-the-art obfuscation solutions that focus on functional\/logic obfuscation, we introduce a new paradigm, called data flow obfuscation, which exploits the essence of asynchronicity. In data flow obfuscation, by benefiting from the handshaking mechanism of asynchronous circuits, the system’s FFs\/latches will operate out of sync. Hence, the adversary has no sufficient knowledge to apply unrolling\/BMC. Also, due to the inherited asynchronicity, the exact time of writing\/capturing data into\/from the scan chain becomes hidden. Hence, the SAT attack cannot be applied even while scan chain access is open. Moreover, our new proposed paradigm creates stateful\/oscillating combinational cycles into the design which extensively boosts the difficulty of modeling this technique. We also demonstrate how data flow obfuscation could easily be integrated with any circuit at low overhead while there is no limitation such as compromising test flow.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2021<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J4]<\/p>\n<\/div>\n\n\n\n

\n

SAT-hard Cyclic Logic Obfuscation for Protecting the IP in the Manufacturing Supply Chain<\/h2>\n\n\n\n

Shervin Roshanisefat, Hadi Kamali<\/span><\/strong>, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

IEEE Transactions on Very Large Scale Integration (VLSI) Systems (IEEE TVLSI)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

In this article, unlike almost all state-of-the-art obfuscation solutions that focus on functional\/logic obfuscation, we introduce a new paradigm, called data flow obfuscation, which exploits the essence of asynchronicity. In data flow obfuscation, by benefiting from the handshaking mechanism of asynchronous circuits, the system’s FFs\/latches will operate out of sync. Hence, the adversary has no sufficient knowledge to apply unrolling\/BMC. Also, due to the inherited asynchronicity, the exact time of writing\/capturing data into\/from the scan chain becomes hidden. Hence, the SAT attack cannot be applied even while scan chain access is open. Moreover, our new proposed paradigm creates stateful\/oscillating combinational cycles into the design which extensively boosts the difficulty of modeling this technique. We also demonstrate how data flow obfuscation could easily be integrated with any circuit at low overhead while there is no limitation such as compromising test flow.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2020<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J3]<\/p>\n<\/div>\n\n\n\n

\n

SMT Attack: Next Generation Attack on Obfuscated Circuits with Capabilities and Performance Beyond The SAT Attacks<\/h2>\n\n\n\n

Kimia Azar, Hadi Kamali<\/span><\/strong>, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

IACR Transactions on Cryptographic Hardware and Embedded Systems (IACR TCHES)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

In this paper, we introduce the Satisfiability Modulo Theory (SMT) attack on obfuscated circuits. The proposed attack is the superset of Satisfiability (SAT) attack, with many additional features. It uses one or more theory solvers in addition to its internal SAT solver. For this reason, it is capable of modeling far more complex behaviors and could formulate much stronger attacks. In this paper, we illustrate that the use of theory solvers enables the SMT to carry attacks that are not possible by SAT formulated attacks. As an example of its capabilities, we use the SMT attack to break a recent obfuscation scheme that uses key values to alter delay properties (setup and hold time) of a circuit to remain SAT hard. Considering that the logic delay is not a Boolean logical property, the targeted obfuscation mechanism is not breakable by a SAT attack. However, in this paper, we illustrate that the proposed SMT attack, by deploying a simple graph theory solver, can model and break this obfuscation scheme in few minutes. We describe how the SMT attack could be used in one of four different attack modes: (1) We explain how SMT attack could be reduced to a SAT attack, (2) how the SMT attack could be carried out in Eager, and (3) Lazy approach, and finally (4) we introduce the Accelerated SMT (AccSMT) attack that offers significant speed-up to SAT attack. Additionally, we explain how AccSMT attack could be used as an approximate attack when facing SMT-Hard obfuscation schemes.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2019<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J2]<\/p>\n<\/div>\n\n\n\n

\n

DuCNoC: A High-Throughput FPGA-Based NoC Simulator Using Dual-Clock Lightweight Router Micro-Architecture<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong>, Kimia Azar, Shaahin Hessabi<\/p>\n\n\n\n

IEEE Transactions on Computers (IEEE TC)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

On-chip interconnections play an important role in multi\/many-processor systems-on-chip (MPSoCs). In order to achieve efficient optimization, each specific application must utilize a specific architecture, and consequently a specific interconnection network. For design space exploration and finding the best NoC solution for each specific application, a fast and flexible NoC simulator is necessary, especially for large design spaces. In this paper, we present an FPGA-based NoC co-simulator, which is able to be configured via software. In our proposed NoC simulator, entitled DuCNoC<\/em> , we implement a Dual-Clock<\/em> router micro-architecture, which demonstrates 75x \u2212 350x speed-up against BOOKSIM. Additionally, we implement a two-layer configurable global interconnection in our proposed architecture to (1) reduce virtualization time overhead, (2) make an efficient trade-off between the resource utilization and simulation time of the whole simulator, and especially (3) provide the capability of simulating irregular topologies. Migration of some important sub-modules like traffic generators (TGs) and traffic receptors (TRs) to software side, and implementing a dual-clock context switching in virtualization are other major features of DuCNoC. Thanks to its dual-clock router micro-architecture, as well as TGs and TRs migration to software side, DuCNoC can simulate a 100-node (10 \u00d7 10) non-virtualized or a 2048-node virtualized mesh network on Xilinx Zynq-7000.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2017<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[J1]<\/p>\n<\/div>\n\n\n\n

\n

A Fault Tolerant Parallelism Approach for Implementing High-throughput Pipelined Advanced Encryption Standard<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong>, Shaahin Hessabi<\/p>\n\n\n\n

Journal of Circuits, Systems and Computers (JCSC)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Advanced Encryption Standard (AES) is the most popular symmetric encryption method, which encrypts streams of data by using symmetric keys. The current preferable AES architectures employ effective methods to achieve two important goals: protection against power analysis attacks and high-throughput. Based on a different architectural point of view, we implement a particular parallel architecture for the latter goal, which is capable of implementing a more efficient pipelining in field-programmable gate array (FPGA). In this regard, all intermediate registers which have a role for unrolling the main loop will be removed. Also, instead of unrolling the main loop of AES algorithm, we implement pipelining structure by replicating nonpipelined AES architectures and using an auto-assigner mechanism for each AES block. By implementing the new pipelined architecture, we achieve two valuable advantages: (a) solving single point of failure problem when one of the replicated parts is faulty and (b) deploying the proposed design as a fault tolerant AES architecture. In addition, we put emphasis on area optimization for all four AES main functions to reduce the overhead associated with AES block replication. The simulation results show that the maximum frequency of our proposed AES architecture is 675.62MHz, and for AES128 the throughput is 86.5Gbps which is 30.9% better than its closest existing competitor.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2016<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n\n\n\n

Conference Papers [49 Papers]<\/h2>\n\n\n\n
\n
\n

[C49]<\/p>\n<\/div>\n\n\n\n

\n

CircuitGuard: Mitigating LLM Memorization in RTL Code Generation Against IP Leakage<\/h2>\n\n\n\n

Nowfel Mashnoor, Mohammad Akyash, Hadi Kamali<\/span><\/strong>, Kimia Azar<\/p>\n\n\n\n

IEEE International Conference on Computer Design (ICCD)<\/strong><\/p>\n<\/div>\n\n\n\n

\n

2025<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C48]<\/p>\n<\/div>\n\n\n\n

\n

SAGE-HLS: Syntax-Aware AST-Guided LLM for High-Level Synthesis Code Generation<\/h2>\n\n\n\n

M Khan, Nowfel Mashnoor, Mohammad Akyash, Kimia Azar, Hadi Kamali<\/span><\/strong><\/p>\n\n\n\n

IEEE International Conference on Computer Design (ICCD)<\/strong><\/p>\n<\/div>\n\n\n\n

\n

2025<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C47]<\/p>\n<\/div>\n\n\n\n

\n

DecoRTL: A Run-time Decoding Framework for RTL Code Generation with LLMs<\/h2>\n\n\n\n

Nowfel Mashnoor, Mohammad Akyash, Hadi Kamali<\/span><\/strong>, Kimia Azar<\/p>\n\n\n\n

IEEE\/ACM International Conference On Computer Aided Design (ICCAD)<\/strong><\/p>\n<\/div>\n\n\n\n

\n

2025<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C46]<\/p>\n<\/div>\n\n\n\n

\n

TimelyHLS: LLM-Based Timing-Aware and Architecture-Specific FPGA HLS Optimization<\/h2>\n\n\n\n

Nowfel Mashnoor, Mohammad Akyash, Hadi Kamali<\/span><\/strong>, Kimia Azar<\/p>\n\n\n\n

IEEE International Conference on Omni-layer Intelligent Systems (COINS)<\/strong><\/p>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2025<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C45]<\/p>\n<\/div>\n\n\n\n

\n

RTL++: Graph-enhanced LLM for RTL Code Generation<\/h2>\n\n\n\n

Mohammad Akyash, Kimia Azar, Hadi Kamali<\/span><\/strong><\/p>\n\n\n\n

IEEE International Conference on LLM-Aided Design (ICLAD)<\/strong><\/p>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2025<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C44]<\/p>\n<\/div>\n\n\n\n

\n

LLM-IFT: LLM-Powered Information Flow Tracking for Secure Hardware<\/h2>\n\n\n\n

Nowfel Mashnoor, Mohammad Akyash, Hadi Kamali<\/span><\/strong>, Kimia Azar<\/p>\n\n\n\n

IEEE VLSI Test Symposium (VTS)<\/strong><\/p>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2025<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C43]<\/p>\n<\/div>\n\n\n\n

\n

StepGrade: Grading Programming Assignments with Context-Aware LLMs<\/h2>\n\n\n\n

Mohammad Akyash, Kimia Azar, Hadi Kamali<\/span><\/strong><\/p>\n\n\n\n

IEEE Integrated STEM Education Conference (ISEC)<\/strong><\/p>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n\n\n\n
\n\n\n\n

The Best Paper Award – ISEC 2023<\/strong><\/p>\n<\/div>\n\n\n\n

\n

2025<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C42]<\/p>\n<\/div>\n\n\n\n

\n

SimEval: Investigating the Similarity Obstacle in LLM-based Hardware Code Generation<\/h2>\n\n\n\n

Mohammad Akyash, Hadi Kamali<\/span><\/strong><\/p>\n\n\n\n

Asia and South Pacific Design Automation Conference (ASP-DAC)<\/strong><\/p>\n\n\n\n

<\/p>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n\n\n\n

<\/p>\n<\/div>\n\n\n\n

\n

2025<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C41]<\/p>\n<\/div>\n\n\n\n

\n

NoXLock: SiP Activation and Licensing through Obfuscated on-Chip Network and Fuzzy Traffic<\/h2>\n\n\n\n

Md Saad Ul Haque, Azim Uddin, Jingbo Zhou, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi, Mark Tehranipoor<\/p>\n\n\n\n

Asia and South Pacific Design Automation Conference (ASP-DAC)<\/strong><\/p>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n\n\n\n
\n\n\n\n

Nominated for the Best Paper Award – ASP-DAC 2025<\/strong><\/p>\n<\/div>\n\n\n\n

\n

2025<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C40]<\/p>\n<\/div>\n\n\n\n

\n

Self-HWDebug: Automation of Self-Instructing for LLM in Hardware Security<\/h2>\n\n\n\n

Mohammad Akyash, Hadi Kamali<\/span><\/strong><\/p>\n\n\n\n

IEEE Computer Society Annual Symposium on VLSI (ISVLSI)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

The rise of instruction-tuned Large Language Models (LLMs) marks a significant advancement in artificial intelligence (AI) (tailored to respond to specific prompts). Despite their popularity, applying such models to debug security vulnerabilities in hardware designs, i.e., register transfer language (RTL) modules, particularly at system-on-chip (SoC) level, presents considerable challenges. One of the main issues lies in the need for precisely designed instructions for pinpointing and mitigating the vulnerabilities, which requires substantial time and expertise from human experts. In response to this challenge, this paper proposes Self-HWDebug, an innovative framework that leverages LLMs to automatically create required debugging instructions. In Self-HWDebug, a set of already identified bugs from the most critical hardware common weakness enumeration (CWE) listings, along with mitigation resolutions, is provided to the framework, followed by prompting the LLMs to generate targeted instructions for such mitigation. The LLM-generated instructions are subsequently used as references to address vulnerabilities within the same CWE category but in totally different designs, effectively demonstrating the framework’s ability to extend solutions across related security issues. Self-HWDebug significantly reduces human intervention by using the model’s own output to guide debugging. Through comprehensive testing, Self-HWDebug proves not only to reduce experts’ effort\/time but also to even improve the Quality of the debugging process.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2024<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C39]<\/p>\n<\/div>\n\n\n\n

\n

Evolutionary Large Language Models for Hardware Security: A Comparative Survey<\/h2>\n\n\n\n

Mohammad Akyash, Hadi Kamali<\/span><\/strong><\/p>\n\n\n\n

ACM Great Lakes Symposium on VLSI (GLSVLSI)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Automating hardware (HW) security vulnerability detection and mitigation during the design phase is imperative for two reasons: (i) It must be before chip fabrication, as post-fabrication fixes can be costly or even impractical; (ii) The size and complexity of modern HW raise concerns about unknown vulnerabilities compromising CIA triad. While Large Language Models (LLMs) can revolutionize both HW design and testing processes, within the semiconductor context, LLMs can be harnessed to automatically rectify security-relevant vulnerabilities inherent in HW designs. This study explores the seeds of LLM integration in register transfer level (RTL) designs, focusing on their capacity for autonomously resolving security-related vulnerabilities. The analysis involves comparing methodologies, assessing scalability, interpretability, and identifying future research directions. Potential areas for exploration include developing specialized LLM architectures for HW security tasks and enhancing model performance with domain-specific knowledge, leading to reliable automated security measurement and risk mitigation associated with HW vulnerabilities.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2024<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C38]<\/p>\n<\/div>\n\n\n\n

\n

GATE-SiP: Enabling Authenticated En- cryption Testing in Systems-in-Package<\/h2>\n\n\n\n

Galib I Heidar, Kimia Azar, Hadi Kamali<\/span><\/strong>, Mark Tehranipoor, Farimah Farahmandi<\/p>\n\n\n\n

Design Automation Conference (DAC)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

A heterogeneous integrated system in package (SIP) system integrates chiplets outsourced from different vendors into the same substrate for better performance. However, during post-integration testing, the sensitive testing data designated for a specific chiplet can be blocked, tampered or sniffed by other malicious chiplets. This paper proposes GATE-SiP which is an authenticated partial encryption protocol to enable secure testing. Within GATE-SiP, the sensitive testing pattern will only be sent to the authenticated chiplet. In addition, partial encryption of the sensitive data prevents data sniff threats without causing significant penalties on timing overhead. Extensive simulation results show the GATE-SiP protocol only brings 6.74% and 14.31% on area and timing overhead, respectively.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2024<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C37]<\/p>\n<\/div>\n\n\n\n

\n

PQC-HI: PQC-enabled Chiplet authentication and Key Exchange in Heterogeneous Integration<\/h2>\n\n\n\n

Md Saad Ul Haque, Kimia Azar, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi, Mark Tehranipoor<\/p>\n\n\n\n

IEEE Electronic Components and Technology Conference (IEEE ECTC)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Integrating heterogeneous components in multi-chiplet packaging, known as system-in-package (SiP), is a significant step forward in overcoming limitations by Moore\u2019s Law and Dennard scaling. This innovative approach offers enhanced efficiency, cost-effectiveness, and accelerated time-to-market. However, with its globalized supply chain, SiP technology introduces security vulnerabilities distinct from those in system-on-chip (SoC) designs. These risks include potential data leaks, the insertion of malicious circuits within the active interposer, and the possibility of extracting security assets through probing attacks. Current defenses used for traditional SoCs are not adequately designed for this multi-chiplet integration. Moreover, these solutions are vulnerable to quantum attacks due to their reliance on classical methods. In this paper, we introduce PQC-HI, a novel post-quantum-enabled chiplet authentication and key encapsulation framework to safeguard SiP security assets against the supply chain and in-field vulnerabilities. PQC-HI relies on two critical components that need to be integrated into the SiP architecture: the chiplet hardware security module (CHSM) and chiplet security intellectual property (CSIP). Our approach is based on NIST standards CRYSTALS-Kyber and CRYSTALS-Dilithium, providing a protocol resilient to quantum attacks and ensuring secure SiP communication. We implemented this protocol on an FPGA platform and demonstrated the efficiency and area overhead.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2024<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C36]<\/p>\n<\/div>\n\n\n\n

\n

From Full-Custom to Gate-Array ASIC for Hardware IP Protection<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong><\/p>\n\n\n\n

IEEE Dallas Circuits and Systems Conference (IEEE DCAS)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

The employment of fully reconfigurable logic and routing modules represents a promising and potentially resilient approach to combating intellectual property (IP) piracy and the overproduction of integrated circuits (IC). Over time, the utilization of such reconfigurable logic has evolved within the realm of hardware security, encompassing a spectrum of protective measures and security monitoring solutions. This evolution underscores a technological transition within this domain, shifting from full-custom ASICs to gate-array ASICs to enhance robustness. This paper delineates the progression within this field, tracing advancements from rudimentary look-up-table based methods to sophisticated partial reconfigurable ASICs featuring embedded FPGAs (eFPGAs). The investigation critically evaluates the merits and limitations of each technique, and advocates for a strategic trajectory that optimizes efficiency and upholds the promised robustness.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2024<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C35]<\/p>\n<\/div>\n\n\n\n

\n

GEM-Water: Generation of EM-based Watermark for SoC IP Validation with Hidden FSMs<\/h2>\n\n\n\n

Pantha Sarker, Upoma Das, Mohammed Monjil, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi, Mark Tehranipoor<\/p>\n\n\n\n

International Symposium for Testing and Failure Analysis (ISTFA)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Intellectual property (IP) core reuse is a common practice for accelerating new product development in modern system-on-chip (SoC) architectures. However, reusing and sharing IP cores in today\u2019s competitive market poses significant security risks. IP watermarking is a potential solution for detecting unauthorized IP duplication and overuse. In this paper, we propose GEM-Water, a robust IP watermark verification scheme that uses electromagnetic (EM) radiation of an IP in an SoC for watermark extraction during boot-up. This is accomplished by applying an n-bit challenge to the IP that triggers some certain state transition in a Finite State Machine (FSM) during boot-up. The FSM output is then mapped into an EM signature which can be extracted and processed to generate expected responses to prove IP ownership. GEM-Water has been implemented in a wide variety of benchmarks using several AMD Xilinx 7 series FPGAs, and the experimental results validate the robustness and viability of the suggested approach with >95% accuracy.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C34]<\/p>\n<\/div>\n\n\n\n

\n

SHI-Lock: Enabling Co-Obfuscation for Secure Heterogeneous Integration against RE and Cloning<\/h2>\n\n\n\n

Md Saad Ul Haque, Rui Guo, Mohammad Sazadur Rahman, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi, Mark Tehranipoor<\/p>\n\n\n\n

IEEE Conference on Physical Assurance and inspection of Electronics (PAINE)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

With the limitations of Moore’s Law and Dennard scaling in integrated circuits (ICs) on the horizon, the concept of heterogeneous integration (HI) has gained significant traction as a favored method for creating System-in-Packages (SiP) through the utilization of chiplets. However, this shift brings forth a fresh set of security concerns, wherein the SiPs or their chiplets are vulnerable to a vector of threats, including reverse engineering and unauthorized overproduction. In this paper, we introduce SHI-Lock, as a first-of-its-kind hardware co-obfuscation countermeasure for System-in-Package. In SHI-Lock, by relying on a chiplet-hardware-security-module (CHSM), a co-obfuscation mechanism has been shared (interaction-based) between the chiplet designer(s) and the SiP integrator, allowing them to extend the protection in both intra-chiplet and inter-chiplet domains. SHI-Lock consists of a {obfuscation + key provisioning} protocol that enables forward trusts for chiplet designers to extend the chiplet-level obfuscation techniques to be used in multiple SiP designs. The co-obfuscation relies on a finite-state-machine (FSM) obfuscation and acts as a license activation protocol in HI. We evaluate the robustness of SHI-Lock using various metrics and threats including functional and structural attacks and perform overhead analysis of design-under-obfuscation, verifying that SHI-Lock can effectively be integrated into chiplets to create obfuscation at both Chiplet-level and system-level to protect SiPs from piracy and overproduction.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C33]<\/p>\n<\/div>\n\n\n\n

\n

PALLET: Protecting Analog Devices using a Last-Level Edit Technique<\/h2>\n\n\n\n

Md Rafid Muttaki, Hadi Kamali<\/span><\/strong>, Mark Tehranipoor, Farimah Farahmandi<\/p>\n\n\n\n

IEEE Conference on Physical Assurance and inspection of Electronics (PAINE)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

For the past decade, hardware obfuscation has been a popular approach for protecting integrated circuits (ICs) against supply chain threats such as intellectual property (IP) piracy and overproduction. Despite this, the design of these techniques was originally for the digital domain and is not appropriate for analog circuits due to their intrinsic features, such as their small size. In this paper, we propose PALLET, a last-level edit (LLE) relying on a unique keyless obfuscation technique for pure analog and mixed-signal circuits to protect the design against untrusted foundries. In PALLET, design functionality is obfuscated by adding misleading (false) elements to the circuit layout based on design specifications and area overhead constraints. In PALLET, after fabrication of the LLEed (obfuscated) IC, the design house with a trusted focused-ion beam (FIB) facility performs the circuits edit at the top metal layers to de-obfuscate (remove LLE from) the IC with minimal effort. We also focus on a mathematical representation to show adversarial computation complexity based on the LLE framework. Finally, to validate the efficacy of LLE, we perform a security assessment against prominent attacks and compare post-layout performance parameters for a bandgap reference (BGR) design to demonstrate compliance with design specifications.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C32]<\/p>\n<\/div>\n\n\n\n

\n

Iterative Mitigation of Insecure Resource Sharing Produced by High-level Synthesis<\/h2>\n\n\n\n

Zahin Ibnat, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi<\/p>\n\n\n\n

Int’l Symp. on Defect and Fault Tolerance in VLSI and Nanotechnology Systems (DFT)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

High-level synthesis (HLS) has revolutionized hardware design by allowing engineers to code their designs in higher abstraction levels like C\/C++. To generate register-transfer level (RTL) design, HLS optimizes hardware designs for improving overheads (e.g., area, power, throughput). However, the optimizations are not done with security in mind. Therefore, HLS can introduce new vulnerabilities (e.g., information leakage and access control violations) to the design through optimizing. One such security violation is vulnerable resource sharing where in attempting to minimize the area of the hardware design, HLS uses the same resources between assets without taking into account the secure and non-secure computing. The secure asset’s operations are then not done in a secure manner, allowing for the possibility of an attacker controlling such resources to gain valuable insight into the asset’s information. Mitigating such a vulnerability would require the integration of identification algorithms to separate the secure and non-secure operations. In this paper, we introduce a toolflow to mitigate vulnerable resource sharing by utilizing intermediate representations (IR) files to identify the shared resource(s) and conducting an intellectual property (IP) separation at the high-level language (HLL) to have a separate resource handling the security operations.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C31]<\/p>\n<\/div>\n\n\n\n

\n

Security of Hardware Generators: Enabling Assurance in High-Level Synthesis<\/h2>\n\n\n\n

Md Rafid Muttaki, Zahin Ibnat, Shang Shi, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi<\/p>\n\n\n\n

IEEE International Midwest Symposium on Circuits and Systems (MWSCAS)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

High-level synthesis (HLS) has revolutionized hardware design by allowing engineers to code their designs in higher abstraction levels like C\/C++. To generate register-transfer level (RTL) design, HLS optimizes hardware designs for improving overheads (e.g., area, power, throughput). However, the optimizations are not done with security in mind. Therefore, HLS can introduce new vulnerabilities (e.g., information leakage and access control violations) to the design through optimizing. One such security violation is vulnerable resource sharing where in attempting to minimize the area of the hardware design, HLS uses the same resources between assets without taking into account the secure and non-secure computing. The secure asset’s operations are then not done in a secure manner, allowing for the possibility of an attacker controlling such resources to gain valuable insight into the asset’s information. Mitigating such a vulnerability would require the integration of identification algorithms to separate the secure and non-secure operations. In this paper, we introduce a toolflow to mitigate vulnerable resource sharing by utilizing intermediate representations (IR) files to identify the shared resource(s) and conducting an intellectual property (IP) separation at the high-level language (HLL) to have a separate resource handling the security operations.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C30]<\/p>\n<\/div>\n\n\n\n

\n

ActiWate: Adaptive and Design-agnostic Active Watermarking for IP Ownership in Modern SoCs<\/h2>\n\n\n\n

Zahin Ibnat, M Sazadur Rahman, Mridha Mashahedur Rahman, Hadi Kamali<\/span><\/strong>, Mark Tehranipoor, Farimah Farahmandi<\/p>\n\n\n\n

Design Automation Conference (DAC)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Watermarking offers a viable solution to combat IP piracy and illegal re-use. However, watermarking verification techniques rely heavily on manual testing by verification engineers and ignore the possibility of having a rogue SoC design house. To automate the watermarking-based verification process and to be against wider attacks (e.g., rogue design house), this paper presents ActiWate, which conducts automatic self-verification by communicating with various peripherals within the SoC. Showing its resilience against removal and spoofing attacks, ActiWate is architectured to be an IP\/SoC-agnostic watermarking and our experiments demonstrate its versatility by implementing it on multiple RISC-V SoCs with different components\/peripherals.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C29]<\/p>\n<\/div>\n\n\n\n

\n

Metrics-to-Methods: Decisive Reverse Engineering Metrics for Resilient Logic Locking<\/h2>\n\n\n\n

Mohammad Sazadur Rahman, Kimia Azar, Farimah Farahmandi, Hadi Kamali<\/span><\/strong><\/p>\n\n\n\n

ACM Great Lakes Symposium on VLSI (GLSVLSI)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

As logic locking becomes more sophisticated and new technologies emerge (e.g., laser probing for failure analysis), the statement “logic locking is dead” will become more common. While recent studies have investigated the possibility of defining a security metric(s) for logic locking, none are sufficient against all threat models and potential future threats. In this paper, we first examine the quantitative and qualitative metrics as a MUST for logic locking. Then, by establishing a bridge between metrics and the potential methods, we introduce a compound-style logic locking that can meet the criteria needed for logic locking based on the defined metrics.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C28]<\/p>\n<\/div>\n\n\n\n

\n

FISHI: Fault Injection Detection in Secure Heterogeneous Integration via Power Noise Variation<\/h2>\n\n\n\n

Tao Zhang, Hadi Kamali<\/span><\/strong>, Kimia Azar, Mark Tehranipoor, Farimah Farahmandi<\/p>\n\n\n\n

IEEE Electronic Components and Technology Conference (ECTC)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

As Moore’s law comes to a crawl, heterogeneous integration-based system-in-package emerges as a promising direction to maintain the speedy rate of performance density improvement of modern integrated circuits by integrating fabricated silicon dies into a unified package. However, hardware security threats such as fault injection attacks present formidable challenges to the protection of on-chip assets. Even worse than a conventional monolithic device, system-in-package (SiP) might introduce malicious chiplets to allow for internal and remote power fault injection attacks due to the obscurity of the semiconductor supply chain. In order to thwart fault injection attacks, we present FISHI which aims to include a root-of-trust chiplet in the SiP to enable run-time system-level power noise variation monitoring capabilities and near-sensor machine learning inference for attack-induced anomaly detection. Specifically, we design a time-to-digital converter to collect power profiles of targeted applications as a reference and create a hardware ML engine accordingly to measure the deviations between the run-time power fluctuations and the golden ones. We prototype our FISHI solution on one of the chiplets in a Xilinx 2.5D FPGA SiP and demonstrate its effectiveness by detecting power fault injection attempts on an AES implementation on the other chiplet.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C27]<\/p>\n<\/div>\n\n\n\n

\n

HUnTer: Hardware Underneath Trigger for Exploiting SoC-level Vulnerabilities<\/h2>\n\n\n\n

Sree Ranjani Rajendran, Shams Tarek, Benjamin Myers Hicks, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi, Mark Tehranipoor<\/p>\n\n\n\n

Design, Automation and Test in Europe Conference (DATE)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Systems-on-chip (SoCs) have become increasingly large and complex, resulting in new threats and vulnerabilities, mainly related to system-level flaws. However, the system-level verification process, whose violation may lead to exploiting a hardware vulnerability, is not studied comprehensively due to the lack of decisive (security) requirements and properties from the SoC designer’s perspective. To enable a more comprehensive verification for system-level properties, this paper presents HUnTer (Hardware Underneath Trigger), a framework for identifying sets (sequences) of instructions at the processor unit (PU) that unveils the underneath hardware vulnerabilities. The HUnTer framework automates (i) threat modeling, (ii) threat-based formal verification, (iii) generation of counterexamples, and (iv) generation of snippet code for exploiting the vulnerability. The HUnTer framework also defines a security coverage metric (HUnT_Coverage) to measure the performance and efficacy of the proposed approach. Using the HUnTer framework on a RISC-V-based open-source SoC architecture, we conduct a wide variety of case studies of Trust-HUB vulnerabilities to demonstrate the high effectiveness of the proposed framework.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C26]<\/p>\n<\/div>\n\n\n\n

\n

RTLock: IP Protection using Scan-Aware Logic Locking at RTL<\/h2>\n\n\n\n

Md Rafid Muttaki, Shuvagata Saha, Hadi Kamali<\/span><\/strong>, Fahim Rahman, Mark Tehranipoor and Farimah Farahmandi<\/p>\n\n\n\n

Design, Automation and Test in Europe Conference (DATE)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Conventional logic locking techniques mainly focus on gate-level netlists to combat IP piracy and IC overproduction. However, this is generally not sufficient for protecting semantics and behaviors of the design. Further, these techniques are even more objectionable when the IC supply chain is at risk of insider threats. This paper proposes RTLock, a robust logic locking framework at the RTL abstraction. RTLock provides a detailed formal analysis of the design specs at the RTL that determines the locking candidate points w.r.t. attacks resiliency (SAT\/BMC), locking key size, and overhead. RTLock incorporates (partial) DFT infrastructure (scan chain) at the RTL, enabled with a scan locking mechanism. It allows us to push all the necessary security-driven actions to the highest abstraction level, thus making the flow EDA tool agnostic. Additionally, RTLock demonstrates why RTL-based locking must be coupled with encryption and management protocols (e.g., IEEE P1735), to be effective against insider threats. Our experimental results show that, vs. other techniques, RTLock protects the design against broader threats at low overhead and without compromising testability.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n\n\n\n
\n\n\n\n

Nominated for the Best Paper Award – DATE 2023<\/p>\n<\/div>\n\n\n\n

\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C25]<\/p>\n<\/div>\n\n\n\n

\n

EvoLUTe: Evaluation of Look-Up-Table-based Fine-Grained IP Redaction<\/h2>\n\n\n\n

Rui Guo, M Sazadur Rahman, Hadi Kamali<\/span><\/strong>, Fahim Rahman, Farimah Farahmandi and Mark Tehranipoor<\/p>\n\n\n\n

Design, Automation and Test in Europe Conference (DATE)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Recent studies on intellectual property (IP) protection techniques demonstrate that engaging embedded reconfigurable components (e.g., eFPGA redaction) would be a promising approach to concealing the functional and structural information of the security-critical design. However, detailed investigation reveals that such techniques suffer from almost prohibited overhead in terms of area, power, delay, and testability. In this paper, we introduce EvoLUTe, a distinct and significantly more fine-grained redaction methodology using smaller reconfigurable components (such as look-up-tables (LUTs)). In EvoLUTe, we examine both eFPGA-based and LUT-based design spaces, demonstrating that a novel cone-based and fine-grained universal function modeling approach using LUTs is capable of providing the same degree of resiliency at a much lower area\/power\/delay and testability costs.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n\n\n\n
\n\n\n\n

Nominated for the Best Paper Award – DATE 2023<\/p>\n<\/div>\n\n\n\n

\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C24]<\/p>\n<\/div>\n\n\n\n

\n

SheLL: Shrinking eFPGA Fabrics for Logic Locking<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong>, Kimia Azar, Farimah Farahmandi and Mark Tehranipoor<\/p>\n\n\n\n

Design, Automation and Test in Europe Conference (DATE)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

The utilization of fully reconfigurable logic and routing modules may be considered as one potential and even provably resilient technique against intellectual property (IP) piracy and integrated circuits (IC) overproduction. The embedded FPGA (eFPGA) is one instance that could be used for IP redaction leading to hiding the functionality through the untrusted stages of the IC supply chain. The eFPGA architecture, albeit reliable, unnecessarily results in exploding the die size even while it is supposed to be at fine granularity targeting small modules\/IPs. In this paper, we propose SheLL, which primarily embeds the interconnects (routing channels) of the design and secondarily twists the minimal logic parts of the design into the eFPGA architecture. In SheLL, the eFPGA architecture is customized for this specific logic locking methodology, allowing us to minimize the overhead of eFPGA fabric as possible. Our experimental results demonstrate that SheLL guarantees robustness against notable attacks while the overhead is significantly lower compared to the existing eFPGA-based competitors.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C23]<\/p>\n<\/div>\n\n\n\n

\n

SecHLS: Enabling Security Awareness in High-Level Synthesis<\/h2>\n\n\n\n

Shang Shi, Nitin Pundir, Hadi Kamali<\/span><\/strong>, Mark Tehranipoor, Farimah Farahmandi<\/p>\n\n\n\n

Asia and South Pacific Design Automation Conference (ASP-DAC)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

In their quest for further optimization, High-level synthesis (HLS) utilizes advanced automatic optimization algorithms to achieve lower implementation time\/effort for even more complex designs. These optimization algorithms are for the HLS tools’ backend stages, e.g., allocation, scheduling, and binding, and they are highly optimized for resources\/latency constraints. However, current HLS tools’ backend is unaware of designs’ security assets, and their algorithms are incapable of handling security constraints. In this paper, we propose Secure-HLS (SecHLS), which aims to define underlying security constraints for HLS tools’ backend stages and intermediate representations. In SecHLS, we improve a set of widely-used scheduling and binding algorithms by integrating the proposed security-related constraints into them. We evaluate the effectiveness of SecHLS in terms of power, performance, area (PPA), security, and complexity (execution time) on small and real-size benchmarks, showing how the proposed security constraints can be integrated into HLS while maintaining low PPA\/complexity burdens.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C22]<\/p>\n<\/div>\n\n\n\n

\n

An ISA-based Software Snippet Generation for Exploiting Hardware Vulnerabilities<\/h2>\n\n\n\n

Sree Ranjani Rajendran, Shams Tarek, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi<\/p>\n\n\n\n

Government Microcircuit Applications & Critical Technology Conference (GoMACTech)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Modern Systems-on-chip (SoCs) have grown in size and complexity, giving rise to fresh concerns and susceptibilities, especially with flaws at the system level. Nevertheless, a thorough exploration of the system-level verification process, which, if breached, could result in the exploitation of hardware vulnerabilities, is still lacking. This deficiency is primarily attributed to the absence of definitive security criteria and attributes from the perspective of SoC designers. To facilitate a more comprehensive assessment of system-level characteristics, this paper introduces a framework designed to identify sequences of instructions within the processor unit (PU) that expose underlying hardware vulnerabilities. The framework streamlines various aspects, including (i) threat modeling, (ii) formal verification based on potential threats, (iii) the creation of counterexamples, and (iv) the generation of code snippets that exploit these vulnerabilities. Additionally, the framework establishes a security coverage metric (referred to as Coverage) to gauge the performance and efficiency of the proposed methodology. To demonstrate the effectiveness of the methodology, we conducted a diverse range of case studies on a RISC-V-based open-source SoC architecture, showcasing its ability to uncover Trust-HUB vulnerabilities.<\/p>\n<\/details>\n<\/div>\n\n\n\n

\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C21]<\/p>\n<\/div>\n\n\n\n

\n

O’Clock: Lock the Clock via Clock-gating for SoC IP Protection<\/h2>\n\n\n\n

M. Sazadur Rahman, Rui Guo, Hadi Kamali<\/span><\/strong>, Fahim Rahman, Farimah Farahmandi, Mohamed Abdel-Moneum, Mark Tehranipoor<\/p>\n\n\n\n

Design Automation Conference (DAC)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Existing logic locking techniques can prevent IP piracy or tampering. However, they often come at the expense of high overhead and are gradually becoming vulnerable to emerging deobfuscation attacks. To protect SoC IPs, we propose O’Clock<\/em>, a fully-automated clock-gating-based approach that ‘locks the clock’ to protect IPs in complex SoCs. O’Clock<\/em> obstructs data\/control flows and makes the underlying logic dysfunctional for incorrect keys by manipulating the activity factor of the clock tree. O’Clock<\/em> has minimal changes to the original design and no change to the IC design flow. Our experimental results show its high resiliency against state-of-the-art de-obfuscation attacks (e.g., oracle-guided SAT, unrolling-\/BMC-based SAT, removal, and oracle-less machine learning-based attacks) at negligible power, performance, and area (PPA) overhead.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2023<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C20]<\/p>\n<\/div>\n\n\n\n

\n

Warm Up before Circuit De-obfuscation? An Exploration through Bounded-Model-Checkers<\/h2>\n\n\n\n

Kimia Azar, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi, Mark Tehranipoor<\/p>\n\n\n\n

IEEE International Symposium on Hardware Oriented Security and Trust (HOST)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

With the emergence of numerous circuit de-obfuscation attacks, the strength of logic locking has been jeopardized in recent years. Amongst them, bounded-model-checker (BMC)-based attack on locked circuits with limited design-for-testability (DFT) access received significant attention in recent years. However, scalability is a crucial challenge in such an attack due to having two unrolling factors, namely sequential unrolling and miter duplication. This paper will explore some techniques for warming up the BMC before its main invocation to expedite the attack procedure. Our experimental results reflect that the efficacy of BMC-based attacks can be enhanced once the BMC is initiated meticulously through the studied methodologies.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n\n\n\n
\n\n\n\n

The Best Poster (Short Paper) Award \u2013 HOST 2022<\/p>\n<\/div>\n\n\n\n

\n

2022<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C19]<\/p>\n<\/div>\n\n\n\n

\n

RANE: An Open-Source Formal De-obfuscation Attack for Reverse Engineering of Logic Encrypted Circuits<\/h2>\n\n\n\n

Shervin Roshanisefat, Hadi Kamali<\/span><\/strong>, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

ACM Great Lakes Symposium on VLSI (GLSVLSI)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

To enable trust in the IC supply chain, logic locking as an IP protection technique received significant attention in recent years. Over the years, by utilizing Boolean satisfiability (SAT) solver and its derivations, many de-obfuscation attacks have undermined the security of logic locking. Nonetheless, all these attacks receive the inputs (locked circuits) in a very simplified format (Bench or remapped and translated Verilog) with many limitations. This raises the bar for the usage of the existing attacks for modeling and assessing new logic locking techniques, forcing the designers to undergo many troublesome translations and simplifications. This paper introduces the RANE Attack, an open-source CAD-based toolbox for evaluating the security of logic locking mechanisms that implement a unique interface to use formal verification tools without a need for any translation or simplification. The RANE attack not only performs better compared to the existing de-obfuscation attacks, but it can also receive the library-dependent logic-locked circuits with no limitation in written, elaborated, or synthesized standard HDL, such as Verilog. We evaluated the capability\/performance of RANE on FOUR case studies, one is the first de-obfuscation attack model on FSM locking solutions (e.g., HARPOON) in which the key is not a static bit-vector but a sequence of input patterns.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2021<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C18]<\/p>\n<\/div>\n\n\n\n

\n

ChaoLock: Yet Another SAT-hard Logic Locking using Chaos Computing<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong>, Kimia Azar, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

IEEE International Symposium on Quality Electronic Design (ISQED)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Logic locking has been widely evaluated as a proactive countermeasure against the hardware security threats within the IC supply chain. However, the introduction of the SAT attack, and many of its derivatives, has raised big concern about this form of countermeasure. In this paper, we explore the possibility of exploiting chaos computing as a new means of logic locking. We introduce the concept of chaotic logic locking, called ChaoLock, in which, by leveraging asymmetric inputs in digital chaotic Boolean gates, we define the concept of programmability (key-configurability) to the sets of underlying initial conditions and system parameters. These initial conditions and system parameters determine the operation (functionality) of each digital chaotic Boolean gate. Also, by proposing dummy inputs in chaotic Boolean gates, we show that during reverse-engineering, the dummy inputs conceal the main functionality of the chaotic Boolean gates, which make the reverse-engineering almost impossible. By performing a security analysis of ChaoLock, we show that with no restriction on conventional CMOS-based ASIC implementation and with no test\/debug compromising, none of the state-of-the-art attacks on logic locking, including the SAT attack, could reformulate chaotic Boolean gates while dummy inputs are involved and their parameters are locked. Our analysis and experimental results show that with a low number of chaotic Boolean gates mixed with CMOS digital gates, ChaoLock can guarantee resiliency against the state-of-the-art attacks on logic locking at low overhead.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2021<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C17]<\/p>\n<\/div>\n\n\n\n

\n

ExTru: A Lightweight, Fast, and Secure Expirable Trust for the Internet of Things<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong>, Kimia Azar, Shervin Roshanisefat, Ashkan Vakil, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

IEEE Dallas Circuits and Systems Conference (IEEE DCAS 2020)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

The resource-constrained nature of the Internet of Things (IoT) edges, poses a challenge in designing a secure and high-performance communication for this family of devices. Although side-channel resistant ciphers (either block or stream) could guarantee the security of the communication, the energy intensive nature of these ciphers makes them undesirable for lightweight IoT solutions. In this paper, we introduce ExTru, an encrypted communication protocol based on stream ciphers that adds a configurable switching & toggling network (CSTN) to not only boost the performance of the communication in these devices, it also consumes far less energy than the conventional side-channel resistant ciphers. Although the overall structure of the proposed scheme is leaky against physical attacks, we introduce a dynamic encryption mechanism that removes this vulnerability. We demonstrate how each communicated message in the proposed scheme reduces the level of trust. Accordingly, since a specific number of messages, N, could break the communication and extract the key, by using the dynamic encryption mechanism, ExTru can re-initiate the level of trust periodically after T messages where T <; N, to protect the communication against side-channel and scan-based attacks (e.g. SAT attack). Furthermore, we demonstrate that by properly configuring the value of T, ExTru not only increases the strength of security from per \u201cdevice\u201d to per \u201cmessage\u201d, it also significantly improves energy saving as well as throughput vs. an architecture that only uses a conventional side-channel resistant block\/stream cipher.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n\n\n\n
\n\n\n\n

The Best Paper Award \u2013 DCAS 2020<\/p>\n<\/div>\n\n\n\n

\n

2020<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C16]<\/p>\n<\/div>\n\n\n\n

\n

NNgSAT: Neural Network guided SAT Attack on Logic Locked Complex Structures<\/h2>\n\n\n\n

Kimia Azar, Hadi Kamali<\/span><\/strong>, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

International Conference On Computer Aided Design (ICCAD)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

The globalization of the IC supply chain has raised many security threats, especially when untrusted parties are involved. This has created a demand for a dependable logic obfuscation solution to combat these threats. Amongst a wide range of threats and countermeasures on logic obfuscation in the 2010s decade, the Boolean satisfiability (SAT) attack, or one of its derivatives, could break almost all state-of-the-art logic obfuscation countermeasures. However, in some cases, particularly when the logic locked circuits contain complex structures, such as big multipliers, large routing networks, or big tree structures, the logic locked circuit is hard-to-be-solved for the SAT attack. Usage of these structures for obfuscation may lead a strong defense, as many SAT solvers fail to handle such complexity. However, in this paper, we propose a neural-network-guided SAT attack (NNgSAT), in which we examine the capability and effectiveness of a message-passing neural network (MPNN) for solving these complex structures (SAT-hard instances). In NNgSAT, after being trained as a classifier to predict SAT\/UNSAT on a SAT problem (NN serves as a SAT solver), the neural network is used to guide\/help the actual SAT solver for finding the SAT assignment(s). By training NN on conjunctive normal forms (CNFs) corresponded to a dataset of logic locked circuits, as well as fine-tuning the confidence rate of the NN prediction, our experiments show that NNgSAT could solve 93.5% of the logic locked circuits containing complex structures within a reasonable time, while the existing SAT attack cannot proceed the attack flow in them.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2020<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C15]<\/p>\n<\/div>\n\n\n\n

\n

InterLock: An Intercorrelated Logic And Routing Locking<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong>, Kimia Azar, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

International Conference On Computer Aided Design (ICCAD)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

In this paper, we propose a canonical prune-and-SAT<\/em> (CP&SAT<\/em>) attack for breaking state-of-the-art routing-based obfuscation techniques. In the CP&SAT<\/em> attack, we first encode the key-programmable routing blocks (keyRBs) based on an efficient SAT encoding mechanism suited for detailed routing constraints, and then efficiently re-encode and reduce the CNF corresponded to the keyRB using a bounded variable addition (BVA) algorithm. In the CP&SAT<\/em> attack, this is done before subjecting the circuit to the SAT attack. We illustrate that this encoding and BVA-based pre-processing significantly reduces the size of the CNF corresponded to the routing-based obfuscated circuit, in the result of which we observe 100% success rate for breaking prior art routing-based obfuscation techniques. Further, we propose a new intercorrelated logic and routing locking<\/em> technique, or in short InterLock<\/em>, as a countermeasure to mitigate the CP&SAT attack. In Interlock, in addition to hiding the connectivity, a part of the logic (gates) in the selected timing paths are also implemented in the keyRB(s). We illustrate that when the logic gates are twisted with keyRBs, the BVA could not provide any advantage as a pre-processing step. Our experimental results show that, by using InterLock, with only three 8\u00d78 or only two 16\u00d716 keyRBs (twisted with actual logic gates), the resilience against existing attacks as well as our new proposed CP&SAT<\/em> attack would be guaranteed while, on average, the delay\/area overhead is less than 10% for even medium-size benchmark circuits.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2020<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C14]<\/p>\n<\/div>\n\n\n\n

\n

On Designing Secure and Robust Scan Chain for Protecting Obfuscated Logic<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong>, Kimia Azar, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

ACM Great Lakes Symposium on VLSI (GLSVLSI)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

In this paper, we assess the security and testability of the state-of-the-art design-for-security (DFS) architectures in the presence of scan-chain locking\/obfuscation, a group of solution that has previously proposed to restrict unauthorized access to the scan chain. We discuss the key leakage vulnerability in the recently published prior-art DFS architectures. This leakage relies on the potential glitches in the DFS architecture that could lead the adversary to make a leakage condition in the circuit. Also, we demonstrate that the state-of-the-art DFS architectures impose some substantial architectural drawbacks that moderately affect both test flow and design constraints. We propose a new DFS architecture for building a secure scan chain architecture while addressing the potential of key leakage. The proposed architecture allows the designer to perform the structural test with no limitation, enabling an untrusted foundry to utilize the scan chain for manufacturing fault testing without having a need to access the scan chain. Our proposed solution poses negligible limitation\/overhead on the test flow, as well as the design criteria.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2020<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C13]<\/p>\n<\/div>\n\n\n\n

\n

SCRAMBLE: The State, Connectivity and Routing Augmentation Model for Building Logic Encryption<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong>, Kimia Azar, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

IEEE Computer Society Annual Symposium on VLSI (ISVLSI)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

In this paper, we introduce SCRAMBLE, as a novel logic locking solution for sequential circuits while the access to the scan chain is restricted. The SCRAMBLE could be used to lock an FSM by hiding its state transition graph (STG) among a large number of key-controlled false transitions. Also, it could be used to lock sequential circuits (sequential datapath) by hiding the timing paths’ connectivity among a large number of key-controlled false connections. Besides, the structure of SCRAMBLE allows us to engage this scheme as a new scan chain locking solution by hiding the correct scan chain sequence among a large number of the key-controlled false sequences. We demonstrate that the proposed scheme resists against both (1) the 2-stage attacks on FSM, and (2) SAT attacks integrated with unrolling as well as bounded-model checking. We have discussed two variants of SCRAMBLE: (I) Connectivity SCRAMBLE (SCRAMBLE-C), and (b) Logic SCRAMBLE (SCRAMBLE-L). The SCRAMBLE-C relies on the SAT-hard and key-controlled modules that are built using near non-blocking logarithmic switching networks. The SCRAMBLE-L uses input multiplexing techniques to hide a part of the FSM in a memory. In the result section, we describe the effectiveness of each variant against state-of-the-art attacks.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n\n\n\n
\n\n\n\n

Nominated for the Best Paper Award \u2013 ISVLSI 2020<\/p>\n<\/div>\n\n\n\n

\n

2020<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C12]<\/p>\n<\/div>\n\n\n\n

\n

DFSSD: Deep Faults and Shallow State Duality, A Provably Strong Obfuscation Solution for Circuits with Restricted Access to Scan Chain<\/h2>\n\n\n\n

Shervin Roshanisefat, Hadi Kamali<\/span><\/strong>, Kimia Azar, Sai Manoj Pudukotai Dinakarrao, Naghmeh Karimi, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

IEEE VLSI Test Symposium (VTS 2020)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

In this paper, we introduce DFSSD, a novel logic locking solution for sequential and FSM circuits with a restricted (locked) access to the scan chain. DFSSD combines two techniques for obfuscation: (1) Deep Faults, and (2) Shallow State Duality. Both techniques are specifically designed to resist against sequential SAT attacks based on bounded model checking. The shallow state duality prevents a sequential SAT attack from taking a shortcut for early termination without running an exhaustive unbounded model checker to assess if the attack could be terminated. The deep fault, on the other hand, provides a designer with a technique for building deep, yet key recoverable faults that could not be discovered by sequential SAT (and bounded model checker based) attacks in a reasonable time.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2020<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C11]<\/p>\n<\/div>\n\n\n\n

\n

Security and Complexity Analysis of LUT-based Obfuscation: From Blueprint to Reality<\/h2>\n\n\n\n

Gaurav Kolhe, Hadi Kamali<\/span><\/strong>, Miklesh Naicker, Tyler David Sheaves, Setareh Rafatirad, Avesta Sasan, Sai Manoj Pudukotai Dinakarrao, Hamid Mahmoodi, Houman Homayoun<\/p>\n\n\n\n

International Conference On Computer Aided Design (ICCAD)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Recent obfuscation schemes have leveraged reconfigurable logics to alleviate various hardware security threats. However, existing reconfigurable logic-based obfuscation schemes focus on specific design factors such as gate replacement strategy or an optimization metric such as SAT-hardness. Despite meeting the focused metrics such as security, the obfuscation also incurs overheads, which are not well analyzed in the existing works. In this work, we provide a comprehensive analysis on reconfigurable logic obfuscation schemes i.e., LUT-based obfuscation by investigating 3-key design factors such as (1) LUT size, (2) number of LUTs, and (3) replacement strategy as they have a considerable impact on design criteria, i.e., Power-Performance-Area (PPA) and Security (PPA\/S). Our results show that among the studied parameters the size of LUT has the most prominent impact on improving the resiliency of LUT-based obfuscation against the SAT and removal attacks. However, using large size LUTs incur significant PPA overheads, making such solutions unfeasible and unpractical. To address this challenge, this work proposes a pragmatic solution based on a customized LUT, where the security provided by each LUT is superior to that of traditional LUT-based obfuscation. The proposed solution primarily benefits from LUT-based obfuscation reinforced with additional logic\/routing obfuscation that is implemented using small 2-input LUTs. We evaluate the hardware security and overhead of the proposed customized LUT-based obfuscation on various benchmarks to prove that the customized LUT-based obfuscation breaks the PPA tradeoffs while exhibiting robustness against the SAT and removal attacks. The customized LUT-based obfuscation comes with 8\u00d7 reduced area and 2\u00d7 reduced power on an average compared to state-of-the-art LUT-based obfuscation without compromising security.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n\n\n\n
\n\n\n\n

Nominated for the Best Paper Award – ICCAD 2019<\/p>\n<\/div>\n\n\n\n

\n

2019<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C10]<\/p>\n<\/div>\n\n\n\n

\n

COMA: Communication and Obfuscation Management Architecture<\/h2>\n\n\n\n

Kimia Azar, Farnoud Farahmand, Hadi Kamali<\/span><\/strong>, Shervin Roshanisefat, Houman Homayoun, William Diehl, Kris Gaj, Avesta Sasan<\/p>\n\n\n\n

International Symposium on Research in Attacks, Intrusions and Defenses (RAID)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

In this paper, we introduce a novel Communication and Obfuscation Management Architecture (COMA) to handle the storage of the obfuscation key and to secure the communication to\/from untrusted yet obfuscated circuits. COMA addresses three challenges related to the obfuscated circuits: First, it removes the need for the storage of the obfuscation unlock key at the untrusted chip. Second, it implements a mechanism by which the key sent for unlocking an obfuscated circuit changes after each activation (even for the same device), transforming the key into a dynamically changing license. Third, it protects the communication to\/from the COMA protected device and additionally introduces two novel mechanisms for the exchange of data to\/from COMA protected architectures: (1) a highly secure but slow double encryption, which is used for exchange of key and sensitive data (2) a high-performance and low-energy yet leaky encryption, secured by means of frequent key renewal. We demonstrate that compared to state-of-the-art key management architectures, COMA reduces the area overhead by 14%, while allowing additional features including unique chip authentication, enabling activation as a service (for IoT devices), reducing the side channel attack on key management architecture, and providing two new means of the secure communication to\/from an COMA-secured untrusted chip.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2019<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C9]<\/p>\n<\/div>\n\n\n\n

\n

Muffin: Minimally-Buffered Zero-Delay Power-Gating Technique in On-Chip Routers<\/h2>\n\n\n\n

Hossein Farrokhbakht, Hadi Kamali<\/span><\/strong>, Natalie Enright Jerger<\/p>\n\n\n\n

International Symposium on Low Power Electronics and Design (ISLPED)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Although conventional Network-on-Chip (NoC) designs provide high bandwidth, many modern applications for many-core architectures have significant periods of low NoC utilization. Highly provisioned NoCs provide the required performance during periods of high activity; yet, large NoC designs come with high power costs. Furthermore, as technology shrinks, the contribution of static power increases. Hence, numerous NoC power-gating techniques have been proposed to alleviate the growing contribution of static power. However, the efficiency of power-gating techniques decreases due to sporadic packet arrivals across a range of injection rates. In this paper, we propose Minimally-Buffered Router Infrastructure (Muffin), which increases the number of traversals that can be made without needing to power on the routers. Empirical results on SPLASH-2 show that, compared to conventional power-gating scheme, Muffin improves static power consumption by an average of 95.4%, while improving the average packet latency by 73.7%.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2019<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C8]<\/p>\n<\/div>\n\n\n\n

\n

Full-Lock: Hard Distributions of SAT instances for Obfuscating Circuits using Fully Configurable Logic and Routing Blocks<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong>, Kimia Azar, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

Design Automation Conference (DAC)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

In this paper, we propose a novel and SAT-resistant logic-locking technique, denoted as Full-Lock, to obfuscate and protect the hardware against threats including IP-piracy and reverse-engineering. The Full-Lock is constructed using a set of small-size fully Programmable Logic and Routing block (PLR) networks. The PLRs are SAT-hard instances with reasonable power, performance and area overheads which are used to obfuscate (1) the routing of a group of selected wires and (2) the logic of the gates leading and proceeding the selected wires. The Full-Lock resists removal attacks and breaks a SAT attack by significantly increasing the complexity of each SAT iteration.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2019<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C7]<\/p>\n<\/div>\n\n\n\n

\n

Threats on Logic Locking: A Decade Later<\/h2>\n\n\n\n

Kimia Azar, Hadi Kamali<\/span><\/strong>, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

ACM Great Lakes Symposium on VLSI (GLSVLSI)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

To reduce the cost of ICs and to meet the market’s demand, a considerable portion of manufacturing supply chain, including silicon fabrication, packaging and testing may be pushed offshore. Utilizing a global IC manufacturing supply chain, and inclusion of non-trusted parties in the supply chain has raised concerns over security and trust related challenges including those of overproduction, counterfeiting, IP piracy, and Hardware Trojans to name a few. To reduce the risk of IC manufacturing in an untrusted and globally distributed supply chain, the researchers have proposed various locking and obfuscation mechanisms for hiding the functionality of the ICs during the manufacturing, that requires the activation of the IP after fabrication using the key value(s) that is only known to the IP\/IC owner. At the same time, many such proposed obfuscation and locking mechanisms are broken with attacks that exploit the inherent vulnerabilities in such solutions. The past decade of research in this area, has resulted in many such defense and attack solutions. In this paper, we review a decade of research on hardware obfuscation from an attacker perspective, elaborate on attack and defense lessons learned, and discuss future directions that could be exploited for building stronger defenses.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2019<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C6]<\/p>\n<\/div>\n\n\n\n

\n

LUT-Lock: A Novel LUT-Based Logic Obfuscation for FPGA-Bitstream and ASIC-Hardware Protection<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong>, Kimia Azar, Kris Gaj, Houman Homayoun, Avesta Sasan<\/p>\n\n\n\n

IEEE Computer Society Annual Symposium on VLSI (ISVLSI)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

In this work, we propose LUT-Lock, a novel Look-Up-Table-based netlist obfuscation algorithm, for protecting the intellectual property that is mapped to an FPGA bitstream or an ASIC netlist. We, first, illustrate the effectiveness of several key features that make the LUT-based obfuscation more resilient against SAT attacks and then we embed the proposed key features into our proposed LUT-Lock algorithm. We illustrate that LUT-Lock maximizes the resiliency of the LUT-based obfuscation against SAT attacks by forcing a near exponential increase in the execution time of a SAT solver with respect to the number of obfuscated gates. Hence, by adopting LUT-Lock algorithm, SAT attack execution time could be made unreasonably long by increasing the number of utilized LUTs.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2018<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C5]<\/p>\n<\/div>\n\n\n\n

\n

SPONGE: A Scalable Pivot-based On\/Off Gating Engine for Reducing Static Power in NoC Routers<\/h2>\n\n\n\n

Hossein Farrokhbakht, Hadi Kamali<\/span><\/strong>, Natalie Enright Jerger, Shaahin Hessabi<\/p>\n\n\n\n

International Symposium on Low Power Electronics and Design (ISLPED)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Due to high aggregate idle time of Networks-on-Chip (NoCs) routers in practical applications, power-gating techniques have been proposed to combat the ever-increasing ratio of static power. Nevertheless, the sporadic packet arrivals compromise the effectiveness of power-gating by incurring significant latency and energy overhead. In this paper, we propose a Scalable Pivot-based On\/Off Gating Engine (SPONGE) which efficiently manages power-gating decisions and routing mechanism by adaptively selecting a small set of powered-on columns of routers and keeping the others in power-gated state. To this end, a router architecture augmented with a novel routing algorithm is proposed in which a packet can traverse powered-off routers without waking them up, and can only turn in predetermined powered-on routers. Experimental results on SPLASH-2 benchmarks demonstrate that, compared to the conventional power-gating method, SPONGE on average not only improves static power consumption by 81.7%, it also improves average packet latency by 63%.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2018<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C4]<\/p>\n<\/div>\n\n\n\n

\n

SRCLock: SAT-Resistant Cyclic Logic Locking for Protecting the Hardware<\/h2>\n\n\n\n

Shervin Roshanisefat, Hadi Kamali<\/span><\/strong>, Avesta Sasan<\/p>\n\n\n\n

ACM Great Lakes Symposium on VLSI (GLSVLSI)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

In this paper, we claim that cyclic obfuscation, when properly implemented, poses exponential complexity on SAT or CycSAT attack. The CycSAT, in order to generate the necessary cycle avoidance clauses, uses a pre-processing step. We show that this pre-processing step has to compose its cycle avoidance condition on all cycles in a netlist, otherwise, a missing cycle could trap the SAT solver in an infinite loop or force it to return an incorrect key. Then, we propose several techniques by which the number of cycles is exponentially increased with respect to the number of inserted feedbacks. We further illustrate that when the number of feedbacks is increased, the pre-processing step of CycSAT faces an exponential increase in complexity and runtime, preventing the correct composition of loop avoidance clauses in a reasonable time before invoking the SAT solver. On the other hand, if the pre-processing is not completed properly, the SAT solver will get stuck or return incorrect key. Hence, when the cyclic obfuscation in accordance to the conditions proposed in this paper is implemented, it would impose an exponential complexity with respect to the number of inserted feedback, even when the CycSAT solution is used.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2018<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C3]<\/p>\n<\/div>\n\n\n\n

\n

MUCH-SWIFT: A High-Throughput Multi-Core HW\/SW Co-design K-means Clustering Architecture<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong>, Avesta Sasan<\/p>\n\n\n\n

ACM Great Lakes Symposium on VLSI (GLSVLSI)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

K-mean clustering is an essential tool for many big data applications including data mining, predictive analysis, forecasting studies, and machine learning. However, due to large size (volume) of Big-Data, and large dimensionality of its data points, even the application of a simple k-mean clustering may become extremely time and resource demanding. In this paper, we propose a two-level filtering algorithm based on binary kd-tree structure, which considerably decreases the time of convergence in K-means algorithm for large datasets. The proposed modification to the classification algorithm, evolves the SW to naturally divide the classification into smaller data sets, based on the number of available cores and size of logic available in an FPGA. The empirical results show that on a multi-core FPGA, provides 330x speed-up compared to a conventional SW-only solution.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2018<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C2]<\/p>\n<\/div>\n\n\n\n

\n

SMART: A Scalable Mapping And Routing Technique for Power-Gating in NoC Routers<\/h2>\n\n\n\n

Hossein Farrokhbakht, Hadi Kamali<\/span><\/strong>, Shaahin Hessabi<\/p>\n\n\n\n

IEEE\/ACM International Symposium on Networks-on-Chip (NOCS)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Reducing the size of the technology increases leakage power in Network-on-Chip (NoC) routers drastically. Power-gating, particularly in NoC routers, is one of the most efficient approaches for alleviating the leakage power. Although applying power-gating techniques alleviates NoC power consumption due to high proportion of idleness in NoC routers, since the timing behavior of packets is irregular, even in low injection rates, performance overhead in power-gated routers is significant. In this paper, we present SMART, a Scalable Mapping And Routing Technique, with virtually no area overhead on the network. It improves the irregularity of the timing behavior of packets in order to mitigate leakage power and lighten the imposed performance overhead. SMART employs a special deterministic routing algorithm, which reduces number of packets encounter power-gated routers. It establishes a dedicated path between each source-destination pair to maximize using powered-on routers, which roughly halves the number of wake-ups. Additionally, in order to maximize the efficiency of the proposed routing algorithm, SMART provides an exclusive mapping for each communication task graph. In proposed mapping, all cores should be arranged with a special layout suited for the proposed routing, which helps us to minimize the number of hops. Furthermore, we modify the predictor of conventional power-gating technique to reduce energy overhead of inconsistent wake-ups. Experimental results on SPLASH-2 benchmarks indicate that the proposed technique can save 21.9% of static power, and reduce the latency overhead by 42.9% compared with the conventional power-gating technique.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2017<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[C1]<\/p>\n<\/div>\n\n\n\n

\n

AdapNoC: A Fast and Flexible FPGA-based NoC Simulator<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong>, Shaahin Hessabi<\/p>\n\n\n\n

International Conference on Field Programmable Logic and Applications (FPL)<\/strong><\/p>\n\n\n\n

Abstract<\/summary>\n

Network on Chip (NoC) is the most common interconnection platform for multiprocessor systems-on-chips (MPSoCs). In order to explore the design space of this platform, we need a high-speed, cycle-accurate, and flexible simulation tool. In this paper, we present AdapNoC, a configurable cycle-accurate FPGA-based NoC simulator, which can be configured via software. A wide range of parameters are configurable in FPGA side of the proposed simulator, and the software side is implemented on an embedded soft-core processor. We transfer some parts of simulator, such as Traffic Generators (TGs) and Traffic Receptors (TRs), to software side without any degradation in simulation speed. Moreover, we implement a dual-clock architecture as an innovation in virtualization methodology, which is also capable to share idle time-slots, which helps not only simulate bigger NoCs, but also reduce simulation time drastically. Also, by employing a traffic aggregator architecture, AdapNoC provides table-based adaptive routing algorithm as a configurable parameter in router microarchitecture. We evaluate simulation time of AdapNoC by using Xilinx Virtex-6 XC6VLX240T, and demonstrate 53x\u2013180x speed-up against BOOKSIM. Also, due to our proposed virtualization, and TGs and TRs migration to software side, we can implement a 64-node non-virtualized or a 1024-node virtualized mesh network in only %72 of Xilinx Virtex-6 XC6VLX240T resources.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2016<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n\n\n\n

Non-Refereed Articles [3 Articles]<\/h2>\n\n\n\n
\n
\n

[NR3]<\/p>\n<\/div>\n\n\n\n

\n

Advances in Logic Locking: Past, Present, and Prospects<\/h2>\n\n\n\n

Kimia Azar, Hadi Kamali<\/span><\/strong>, Farimah Farahmandi, Mark Tehranipoor<\/p>\n\n\n\n

Cryptology ePrint Archive<\/p>\n\n\n\n

Abstract<\/summary>\n

Logic locking is a design concealment mechanism for protecting the IPs integrated into modern System-on-Chip (SoC) architectures from a wide range of hardware security threats at the IC manufacturing supply chain. Logic locking primarily helps the designer to protect the IPs against reverse engineering, IP piracy, overproduction, and unauthorized activation. For more than a decade, the research studies that carried out on this paradigm has been immense, in which the applicability, feasibility, and efficacy of the logic locking have been investigated, including metrics to assess the efficacy, impact of locking in different levels of abstraction, threat model definition, resiliency against physical attacks, tampering, and the application of machine learning. However, the security and strength of existing logic locking techniques have been constantly questioned by sophisticated logical and physical attacks that evolve in sophistication at the same rate as logic locking countermeasure approaches. By providing a comprehensive definition regarding the metrics, assumptions, and principles of logic locking, in this survey paper, we categorize the existing defenses and attacks to capture the most benefit from the logic locking techniques for IP protection, and illuminating the need for and giving direction to future research studies in this topic. This survey paper serves as a guide to quickly navigate and identify the state-of-the-art that should be considered and investigated for further studies on logic locking techniques, helping IP vendors, SoC designers, and researchers to be informed of the principles, fundamentals, and properties of logic locking.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2022<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[NR2]<\/p>\n<\/div>\n\n\n\n

\n

Secure and Robust Key-Trapped Design-for-Security Architecture for Protecting Obfuscated Logic<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong><\/p>\n\n\n\n

Cryptology ePrint Archive<\/p>\n\n\n\n

Abstract<\/summary>\n

Having access to the scan chain of Integrated Circuits (ICs) is an integral requirement of the debug\/testability process within the supply chain. However, the access to the scan chain raises big concerns regarding the security of the chip, particularly when the secret information, such as the key of logic obfuscation, is embedded\/stored inside the chip. Hence, to relieve such concerns, numerous secure scan chain architectures have been proposed in the literature to show not only how to prevent any unauthorized access to the scan chain but also how to keep the availability of the scan chain for debug\/testability. In this paper, we first provide a holistic overview of all secure scan chain architectures. Then, we discuss the key leakage possibility and some substantial architectural drawbacks that moderately affect both test flow and design constraints in the state-of-the-art published design-for-security (DFS) architectures. Then, we propose a new key-trapped DFS (kt-DFS) architecture for building a secure scan chain architecture while addressing the potential of key leakage. The proposed kt-DFS architecture allows the designer to perform the structural test with no limitation, enabling an untrusted foundry to utilize the scan chain for manufacturing fault testing without needing to access the scan chain. Finally, we evaluate and compare the proposed architecture with state-of-the-art ones in terms of security, testability time and complexity, and area\/power\/delay overhead.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2022<\/p>\n<\/div>\n<\/div>\n\n\n\n

\n
\n

[NR1]<\/p>\n<\/div>\n\n\n\n

\n

Using Multi-Core HW\/SW Co-design Architecture for Accelerating K-means Clustering Algorithm<\/h2>\n\n\n\n

Hadi Kamali<\/span><\/strong><\/p>\n\n\n\n

ACM Journal on Emerging Technologies in Computing Systems (ACM JETC<\/strong>), 2018.<\/p>\n\n\n\n

Abstract<\/summary>\n

The capability of classifying and clustering a desired set of data is an essential part of building knowledge from data. However, as the size and dimensionality of input data increases, the run-time for such clustering algorithms is expected to grow superlinearly, making it a big challenge when dealing with BigData. K-mean clustering is an essential tool for many big data applications including data mining, predictive analysis, forecasting studies, and machine learning. However, due to large size (volume) of Big-Data, and large dimensionality of its data points, even the application of a simple k-mean clustering may become extremely time and resource demanding. Specially when it is necessary to have a fast and modular dataset analysis flow. In this paper, we demonstrate that using a two-level filtering algorithm based on binary kd-tree structure is able to decrease the time of convergence in K-means algorithm for large datasets. The two-level filtering algorithm based on binary kd-tree structure evolves the SW to naturally divide the classification into smaller data sets, based on the number of available cores and size of logic available in a target FPGA. The empirical result on this two-level structure over multi-core FPGA-based architecture provides 330X speed-up compared to a conventional software-only solution.<\/p>\n<\/details>\n\n\n\n

\n
Online Version<\/a><\/div>\n\n\n\n
Cited by<\/a><\/div>\n<\/div>\n<\/div>\n\n\n\n
\n

2018<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"You can find the latest updates of publications here in Google Scholar Profile! 2 Books 1 Book Chapters 6 Pending\/Issued Patents 15 Journals 49 Conferences 3 Abstract\/NonRefereed Books [2 Books] [B2] Hardware Security: A Look into the Future Mark Tehranipoor, Kimia Azar, Hadi Kamali, Navid Asadizanjani, Fahim Rahman, Farimah Farahmandi Springer Nature. 2024 [B1] Understanding…","protected":false},"author":3,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-98","page","type-page","status-publish","hentry"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.ece.ucf.edu\/~kamali\/wp-json\/wp\/v2\/pages\/98","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ece.ucf.edu\/~kamali\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.ece.ucf.edu\/~kamali\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.ece.ucf.edu\/~kamali\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ece.ucf.edu\/~kamali\/wp-json\/wp\/v2\/comments?post=98"}],"version-history":[{"count":107,"href":"https:\/\/www.ece.ucf.edu\/~kamali\/wp-json\/wp\/v2\/pages\/98\/revisions"}],"predecessor-version":[{"id":991,"href":"https:\/\/www.ece.ucf.edu\/~kamali\/wp-json\/wp\/v2\/pages\/98\/revisions\/991"}],"wp:attachment":[{"href":"https:\/\/www.ece.ucf.edu\/~kamali\/wp-json\/wp\/v2\/media?parent=98"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}