Leveraging Unspecified Functionality in Obfuscated Hardware for Trojan and Fault Attacks

Logic obfuscation is a promising countermeasure for thwarting hardware security threats such as Intellectual Property (IP) theft, counterfeit and hardware Trojans. However, existing works in this realm primarily focus on developing more secure obfuscation techniques or on the other hand more effective attacks to retrieve the obfuscation key while neglecting the potential security threats resulting from the huge unspecified design state space and don't care conditions associated with incorrect keys. In this paper, we demonstrate how such unspecified functionality could possibly open up a door for hardware Trojan and fault injection attacks. The security risks hidden behind these don't cares conditions can be both hard to identify and eliminate since there is no golden design specification under incorrect keys for comparison. We reveal this potential security threat, demonstrate possible attack scenarios, and provide detectability analysis to help eliminate such new attack surfaces.