Full Ebook of Cad For Hardware Security 1St Edition Farimah Farahmandi Online PDF All Chapter

CAD for Hardware Security 1st Edition
Farimah Farahmandi
Visit to download the full and correct content document:
https://ebookmeta.com/product/cad-for-hardware-security-1st-edition-farimah-farahm
andi/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
Behavioral Synthesis for Hardware Security Srinivas

Katkoori (Editor)
https://ebookmeta.com/product/behavioral-synthesis-for-hardware-
security-srinivas-katkoori-editor/
The Hardware Hacking Handbook Breaking Embedded

Security with Hardware Attacks 1st Edition Jasper Van
Woudenberg
https://ebookmeta.com/product/the-hardware-hacking-handbook-
breaking-embedded-security-with-hardware-attacks-1st-edition-
jasper-van-woudenberg/
The Hardware Hacking Handbook Breaking Embedded

Security with Hardware Attacks Early Release 1st
Edition Jasper Van Woudenberg
breaking-embedded-security-with-hardware-attacks-early-
release-1st-edition-jasper-van-woudenberg/
Nanoelectronic Devices for Hardware and Software

Security (Security, Privacy, and Trust in Mobile
Communications) 1st Edition Arun Kumar Singh (Editor)
https://ebookmeta.com/product/nanoelectronic-devices-for-
hardware-and-software-security-security-privacy-and-trust-in-
mobile-communications-1st-edition-arun-kumar-singh-editor/
The Hardware Hacking Handbook Breaking embedded
security with hardware attacks 1st Edition Jasper Van
Woudenberg Colin O Flynn
breaking-embedded-security-with-hardware-attacks-1st-edition-
jasper-van-woudenberg-colin-o-flynn/
The Next Era in Hardware Security A Perspective on

Emerging Technologies for Secure Electronics 1st
Edition Nikhil Rangarajan
https://ebookmeta.com/product/the-next-era-in-hardware-security-
a-perspective-on-emerging-technologies-for-secure-
electronics-1st-edition-nikhil-rangarajan/
Scrum for Hardware Design 1st Edition David G. Ullman
https://ebookmeta.com/product/scrum-for-hardware-design-1st-
edition-david-g-ullman/
Git for Electronic Circuit Design: CAD and Version

Control for Electrical Engineers 1st Edition Altay
Brusan
https://ebookmeta.com/product/git-for-electronic-circuit-design-
cad-and-version-control-for-electrical-engineers-1st-edition-
altay-brusan/
Git for Electronic Circuit Design: CAD and Version

Control for Electrical Engineers 1st Edition Altay
Brusan
https://ebookmeta.com/product/git-for-electronic-circuit-design-
cad-and-version-control-for-electrical-engineers-1st-edition-
altay-brusan-2/
Farimah Farahmandi
M. Sazadur Rahman
Sree Ranjani Rajendran
Mark Tehranipoor
CAD for Hardware

Security
CAD for Hardware Security
Farimah Farahmandi • M. Sazadur Rahman •
Sree Ranjani Rajendran • Mark Tehranipoor
CAD for Hardware Security

Farimah Farahmandi M. Sazadur Rahman
University of Florida University of Florida
Gainesville, FL, USA Gainesville, FL, USA
Sree Ranjani Rajendran Mark Tehranipoor

University of Florida University of Florida
Gainesville, FL, USA Gainesville, FL, USA
ISBN 978-3-031-26895-3 ISBN 978-3-031-26896-0 (eBook)

https://doi.org/10.1007/978-3-031-26896-0
© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland
AG 2023
This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether
the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse
of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and
transmission or information storage and retrieval, electronic adaptation, computer software, or by similar
or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors, and the editors are safe to assume that the advice and information in this book
are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or
the editors give a warranty, expressed or implied, with respect to the material contained herein or for any
errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.
This Springer imprint is published by the registered company Springer Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Farimah Farahmandi would like to dedicate
this book to her Parents: Fatemeh
Hashmei-Kashani and Mohammad
Farahmandi, Sisters: Farzaneh Farahmandi
and Fargol Farahmandi, Friends: Roshanak
Mohammdivojdan and Masi Rajabi for their
constant support in my up and down times.
M Sazadur Rahman would like to dedicate
this book to his parents-Ghulmaur Rahman
and Shamima Rahman, wife-Tasnuva
Farheen, siblings-Shaikhur Rahman and
Sabrina Rahman, friend-Adib Nahiyan for
their constant support, encouragement, and
effort whenever he needed.
Sree Ranjani Rajendran would like to
dedicate this book to her daughter Tanusree.
S, Parents: A. R. Rajendran and R.
Thilagavathy, sibling: R. Rajpradeep,
friends, and teachers for their
encouragement and constant support.
Mark Tehranipoor would like to dedicate
this book to his project sponsors.
Preface
Emerging hardware security vulnerabilities are menacing since it is almost impossi-

ble to amend the design after fabrication. Recent studies reported vulnerabilities,
including side-channel leakage, information leakage, access control violations,
malicious functionality, etc. Software-level security mechanisms can easily bypass
these attacks and put the devices or systems at risk. Increased design complexity,
aggressive time to markets, and exotic hardware attacks portent the security of
hardware designs. Ensuring the security of system-on-chip (SoC) in terms of trust-
worthiness, privacy, and reliability is exacting for its wide usage. However, there is
a lack of automation in the existing techniques, and they rely on manual approaches
that are neither efficient nor scalable for complex designs. The semiconductor
industries are looking for automatic computer-aided design (CAD) tools for design
verification, and validation efficiently increases the design accuracy with minimal
testing time. The hardware engineers examine the security features by utilizing the
CAD tools to aid analysis, identifying, root-causing, and mitigating SoC security
problems to ensure the trustworthiness of the design.
This book attempts to cover the utilization of CAD tools in hardware security.
Whereas vulnerabilities in SoCs arise due to design mistakes, lack of secu-
rity understanding, design transformations, various attack surfaces, and malicious
intents. Further, existing CAD tools used in SoC design flow can unintentionally
introduce additional vulnerabilities in the SoCs. Considering the above challenges
and potential solutions, the scope of this book presents a comprehensive summary
of hardware security defenses, describes the fundamentals of CAD tool usage, and
highlights the significant research results. The book systematizes the knowledge
of CAD tools used in hardware security and elaborates on its imperative features.
The book contains 18 chapters and an appendix on VLSI testing. Each chapter has
been planned to emphasize the utilization of CAD tools in the domain of hardware
vii
viii Preface
security. We anticipate that this book will provide comprehensive knowledge to

graduate students, researchers, and professionals in SoC design and CAD tool
development.
Gainesville, FL, USA Farimah Farahmandi

August 30, 2022 M Sazadur Rahman
Sree Ranjani Rajendran
Mark Tehranipoor
Acknowledgements
A handful of books in the community cover CAD tools in the automation of

electronic design. However, writing the first ever textbook dedicated to the security-
aware usage of CAD tools was not a piece of cake due to many obstacles. It
was a lasting and relentless journey to plan the book, prepare it, and finally
combine them into a printable format. However, the outcome of the journey was
more rewarding than our imagination. The footprint of this book was enriched
by our friends, colleagues, and students. This book wouldn’t have been possible
without the generous contributions of many researchers and experts in the field of
hardware security from industry and academia. Their valuable inputs have shaped
various book elements, e.g., chapter contents, illustrations, exercises, and results.
We thank the following authors for contributing to academic research as the CAD
for Hardware Security book chapter.
• Mohammad, Sajeed, University of Florida, USA
• Ayalasomayajula, Avinash, University of Florida, USA
• Md Kawser Bepary, University of Florida, USA
• Md Rafid Muttaki, University of Florida, USA
• Henian Li, University of Florida, USA
• Shuvagata Saha, University of Florida, USA
• Dr. Nitin Pundir, IBM, USA,
• Tanvir Rahman, University of Florida, USA
• Arash Vafaei, University of Florida, USA
• Amit Mazumder Shuvo, University of Florida, USA
• Nusrat Farzana Dipu, University of Florida, USA
• Md Sami Ul Islam, University of Florida, USA
• Pantha Protim Sarker, University of Florida, USA
• Nashmin Alam, University of Florida, USA
• Tao Zhang, University of Florida, USA
• Ahmed, Bulbul, University of Florida, USA
• Dr. Dhwani Mehta, AMD, USA
ix
Contents
1 Introduction to CAD for Hardware Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1.1 Emergence of Threats in Hardware Supply Chain. . . . . . . 2
1.1.2 SoC Security Development Life-cycle (SDL) . . . . . . . . . . . 5
1.1.3 Security Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2 CAD Tools in SoC Supply Chain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.2.1 Significance of CAD Tools in SoC Life-cycle Security . 9
1.2.2 CAD Tools in SoC Life-cycle Threats . . . . . . . . . . . . . . . . . . . 9
1.2.3 CAD Tools as Vulnerability Source: The Other
Side of the Coin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.2.4 The Need for CAD Solutions For SoC Security
Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.3 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2 CAD for Security Asset Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.2 Motivation and Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.2.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.2.2 Classification of Security Assets . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2.3 Assessing Security Assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.3 CAD for Security Asset Identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.3.1 Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.3.2 Asset Propagation Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.3.3 Candidate Component Identification . . . . . . . . . . . . . . . . . . . . . 28
2.3.4 Pruning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.4 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
3 Metrics for SoC Security Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.2 Motivating Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
xi
xii Contents
3.3 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

3.3.1 IP Piracy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.3.2 Power Side Channel (PSC) Leakage . . . . . . . . . . . . . . . . . . . . . 41
3.3.3 Fault Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
3.3.4 Malicious Hardware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.3.5 Supply Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.4 IP-level Security Metrics and Design Parameters
Contributing to the IP-level Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.4.1 Metrics to Assess an IP’s Vulnerability to
Piracy and Reverse Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.4.2 IP-Level Parameters Contributing IP Piracy
Security Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Power Side-Channel (PSC) Attacks . . . . . . . . . . . . . . . . . . . . . 47
3.4.4 IP-Level Parameters Contributing Power
Side-Channel (PSC) Security Metrics . . . . . . . . . . . . . . . . . . . . 49
3.4.5 IP-level Parameters Contributing to an IP’s
Vulnerability to Fault Injection Attacks . . . . . . . . . . . . . . . . . 50
Malicious Hardware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.4.7 IP-Level Parameters Contributing Malicious
Hardware Security Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.4.8 Metrics to Assess an IP’s Vulnerabilities to
Supply Chain Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.5 Transition from IP to Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.5.1 Platform-level Parameters for IP Piracy . . . . . . . . . . . . . . . . . 56
3.5.2 Platform-level Parameters for Power
Side-Channel Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
3.5.3 Platform-level Parameters for Fault Injection . . . . . . . . . . . . 60
3.5.4 Platform-level Parameters for Malicious Hardware . . . . . 61
3.5.5 Supply Chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.6 Security Measurement and Estimation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.7 Platform-level Security Measurement and Estimation Approaches 64
3.7.1 Platform-level Security Measurement and
Estimation Approaches for IP Piracy. . . . . . . . . . . . . . . . . . . . . 64
3.7.2 Result and Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
3.8 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
3.8.1 Challenges in Platform-Level Security
Estimation and Measurement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
3.8.2 Challenges in Achieving Accurate Estimation. . . . . . . . . . . 74
3.9 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Contents xiii
4 CAD for Information Leakage Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
4.2 Motivation and Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
4.2.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
4.2.2 Information Flow Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.3 Information Flow Tracking Methodologies . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.3.1 Software-Based IFT Techniques . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.3.2 Hardware-Based IFT Techniques. . . . . . . . . . . . . . . . . . . . . . . . . 88
4.3.3 HDL-Level Based IFT Technique . . . . . . . . . . . . . . . . . . . . . . . . 95
4.4 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5 CAD for Hardware Trojan Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.2 Literature Survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.3 SymbA: Symbolic Execution at C-level for Hardware
Trojan Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.3.1 Preliminary Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.3.2 Why C-level Symbolic Execution? . . . . . . . . . . . . . . . . . . . . . . . 112
5.3.3 SymbA Trojan Detection Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
5.3.4 Tackling Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
5.3.5 SymbA Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
5.4 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
6 CAD for Power Side-Channel Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
6.2 Background on Security Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
6.2.1 Power Side-Channel Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
6.2.2 General Workflow of Security Evaluation . . . . . . . . . . . . . . . 125
6.2.3 Security Vulnerability Evaluation Metrics . . . . . . . . . . . . . . . 126
6.2.4 Pre- and Post-silicon Evaluation. . . . . . . . . . . . . . . . . . . . . . . . . . 126
6.3.1 Machine Learning-Based Side-Channel
Leakage Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
6.3.2 Side-Channel Leakage Detection at
Register-Transfer Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
6.3.3 Computer-Aided SCA Design Environment
(CASCADE). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
6.3.4 System Side-Channel Leakage Emulation for
HW/SW Security Co-verification . . . . . . . . . . . . . . . . . . . . . . . . 139
6.3.5 Holistic Power Side-Channel Leakage
Assessment (HAC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
6.4 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
xiv Contents
7 CAD for Fault Injection Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
7.2 Background on FI Prevention and Detection . . . . . . . . . . . . . . . . . . . . . . . 151
7.2.1 Delay-Based Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
7.2.2 Hardware Platforms for FI Vulnerability Assessment . . . 152
7.2.3 Analyzing Vulnerabilities in FSMs (AVFSMs) . . . . . . . . . . 152
7.3 Literature Survey Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
7.3.1 The Efficiency of a Glitch Detector Against
Fault Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
7.3.2 HackMyMCU: Low-Cost Security Assessment
Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
7.3.3 Analyzing Vulnerabilities in Finite State
Machine (AVFSM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
7.3.4 Security-Aware FSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
7.3.5 Multi-fault Attacks Vulnerability Assessment . . . . . . . . . . . 162
7.4 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
8 CAD for Electromagnetic Fault Injection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
8.2 Background Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
8.3.1 Electromagnetic Security Tests for SoC . . . . . . . . . . . . . . . . . 172
8.3.2 Electromagnetic Fault Injection Against
a System-on-Chip, Toward New
Micro-architectural Fault Models . . . . . . . . . . . . . . . . . . . . . . . . 174
8.3.3 Security Evaluation Against Electromagnetic
Analysis at Design Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
8.3.4 Design for EM Side-Channel Security Through
Quantitative Assessment of RTL Implementations . . . . . . 179
8.3.5 Resilience of Error Correction Codes Against
Harsh Electromagnetic Disturbances . . . . . . . . . . . . . . . . . . . . . 182
8.4 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
9 CAD for Hardware/Software Security Verification . . . . . . . . . . . . . . . . . . . . 187
9.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
9.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
9.3.1 System-on-Chip Platform Security Assurance:
Architecture and Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
9.3.2 Secure RISC-V System-on-Chip . . . . . . . . . . . . . . . . . . . . . . . . . 194
9.3.3 Symbolic Assertion Mining for Security Validation. . . . . 198
9.3.4 Hardware/Software Co-verification Using
Interval Property Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Contents xv
9.3.5 Verification Driven Formal Architecture and

Microarchitecture Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
9.4 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
10 CAD for Machine Learning in Hardware Security . . . . . . . . . . . . . . . . . . . . . 211
10.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
10.2 Background on the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
10.2.1 Machine Learning Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
10.2.2 Threat Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
10.3.1 ML-Based Side-Channel Analysis Techniques . . . . . . . . . . 218
10.3.2 Trojan Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
10.4 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
11 CAD for Securing IPs Based on Logic Locking . . . . . . . . . . . . . . . . . . . . . . . . . 231
11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
11.2 Background and Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
11.2.1 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
11.2.2 EPIC: Ending Piracy of Integrated Circuits . . . . . . . . . . . . . . 233
11.2.3 Fault Analysis-Based Logic Encryption . . . . . . . . . . . . . . . . . 234
11.2.4 Security Analysis of Logic Obfuscation and
Strong Logic Locking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
11.2.5 On Improving the Security of Logic Locking . . . . . . . . . . . 239
11.2.6 Evaluation of the Security of Logic Encryption
Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
11.2.7 SARLock: SAT Attack Resistant Logic Locking . . . . . . . . 244
11.2.8 Anti-SAT: Mitigating SAT Attack on Logic Locking . . . 247
11.2.9 Attacking Logic Locked Circuits by Bypassing
Corruptible Output and Trade-off Analysis
Against all known Logic Locking Attacks
based on BDD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
11.2.10 AppSAT: Approximately Deobfuscating
Integrated Circuits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
11.2.11 CAS-Lock: A Logic Locking Scheme without
Trade-off between Security and Corruptibility . . . . . . . . . . 253
11.3 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
12 CAD for High-Level Synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
12.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
12.2 Background on the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
12.2.1 Trojan Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
12.2.2 Task Scheduling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
xvi Contents
12.3.1 Secure High-Level Synthesis: Challenges and Solutions 263

12.3.2 Examining the Consequences of High-Level
Synthesis Optimizations on Power Side Channel. . . . . . . . 265
12.3.3 High-Level Synthesis with Timing-Sensitive
Information Flow Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
12.3.4 TL-HLS: Security-Aware Scheduling with
Optimal Loop Unrolling Factor . . . . . . . . . . . . . . . . . . . . . . . . . . 269
12.3.5 Secure by Construction: Addressing Security
Vulnerabilities Introduced During High-Level Synthesis 272
12.3.6 Analyzing Security Vulnerabilities Introduced
by High-Level Synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
12.4 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
13 CAD for Anti-counterfeiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
13.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
13.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
13.2.1 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
13.2.2 Supply Chain Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
13.2.3 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
13.3 Counterfeit Avoidance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
13.4 Counterfeit Detection Using CDIR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
13.5 Protection Against Untrusted Foundry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
13.5.1 Counterfeit Test Method Selection . . . . . . . . . . . . . . . . . . . . . . . 300
13.5.2 Counterfeit Chip Defects in Infrared (IR) Domain . . . . . . 304
13.5.3 Defective Pin Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
13.6 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
14 CAD for Anti-probing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
14.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
14.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
14.2.1 Probing Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
14.2.2 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
14.3 Detection of Probing Attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
14.3.1 Principle Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
14.3.2 Advantages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
14.3.3 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
14.4 Cryptographically Secure Shields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
14.4.1 Operation Principle. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
14.4.2 Back-side Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
14.4.3 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
14.5 Vulnerability Assessment to Probing Attacks. . . . . . . . . . . . . . . . . . . . . . . 324
14.5.1 Advantages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
14.5.2 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
14.6 Layout-driven Assessment Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Contents xvii
14.6.1 Bypass Attack Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326

14.6.2 Reroute Attack Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
14.6.3 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
14.7 Anti-probing Physical Design Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
14.7.1 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
14.8 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
15 CAD for Reverse Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
15.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
15.3 Inference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
15.3.1 CLARION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
15.3.2 FSM Extraction Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
15.3.3 FSM Synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
15.3.4 RERTL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
15.4 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
16 CAD for PUF Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
16.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
16.2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
16.3.1 Error Correction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
16.3.2 Real-Valued Physical Unclonable Functions (RV-PUF). 360
16.3.3 Soft Decision IBS Encoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
16.3.4 Soft Decision IBS Decoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
16.3.5 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
16.4 DNN Based Modeling Attack (PUFNet) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
16.4.1 XOR-Inverter RO-PUF Design Analysis and
Vulnerability Assessment by Machine Learning . . . . . . . . 365
16.4.2 Modeling Attacks of PUF on Silicon Data . . . . . . . . . . . . . . . 366
16.5 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
17 CAD for FPGA Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
17.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
17.2 FPGA Security Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
17.2.1 CAD for FPGA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
17.2.2 Information Assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
17.2.3 Anti-tamper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
17.3 SoC FPGA Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
17.3.1 Security Architectural Features . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
17.3.2 Attack Vectors and Possible Mitigation . . . . . . . . . . . . . . . . . . 381
17.4 Cloud FPGA Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
17.4.1 Remote Side-Channel Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
xviii Contents
17.4.2 Remote Fault Injection Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . 388

17.4.3 Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
17.5 FPGA Initialization Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
17.5.1 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
17.5.2 SeRFI Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
17.5.3 Protocol Timeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
17.5.4 SeRFI Attack Resiliency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
17.6 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
18 The Future of CAD for Hardware Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
18.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
18.2 Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
18.2.1 Introduction to CAD for Hardware Security . . . . . . . . . . . . . 398
18.2.2 CAD for Detecting Hardware Threats . . . . . . . . . . . . . . . . . . . 398
18.2.3 CAD for Frontend Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
18.2.4 CAD for Physical Assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
18.2.5 CAD for FPGA Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
18.3 Conclusion and Future Directions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Chapter 1
Introduction to CAD for Hardware
Security
1.1 Introduction
We live in a world where embedded, and internet of things (IoT) devices have
become a part of our daily lives. In addition to smart consumer products, electronic
system-on-chips (SoCs) are used in industrial automation solutions and military
and space applications. Over the last four decades, digital convergence has created
a demand for functionally complex integrated circuits (ICs) at mass-market costs
every six to nine months. As shown in Fig. 1.1, the number of IoT devices has
risen significantly to 30 billion in 2020 [58] in contrast to a human population
of eight billion, which boils down to, on average, four devices per person. VLSI
system-on-chip (SoC) designers face enormous challenges as VLSI technologies
grow in speed and shrink in size. Thus, billions of transistors are integrated into a
single chip with digital/analog circuits. SoC is a single unified structure integrated
with formerly individual microelectronic devices. The semiconductor industry has
made a profound technological development in modern electronic devices through a
system-level architecture. The main objective of SoC is to build a system through the
integration of pre-designed hardware and software blocks, often collectively known
as intellectual properties (IPs). Based on the target specification, the SoC integration
team collects the IPs either from in-house or third-party vendors and assembles them
as a target device. The behavior of a design is involved in the operations of IPs and
the communication of IP interface providers in the context of SoC design. High
SoC integration is achieved through advances in IC process technology, computer-
aided design (CAD) tools, and system-level IP blocks. The primary purpose of
component integration in SoC products is to reduce costs, improve performance,
and reduce time to market. System reliability and low power dissipation are some
of the other advantages of SoC integration. However, SoC design integration is
not straightforward, and many challenges arise while meeting tight time-to-market
deadlines. The facets of complexity in today’s SoCs are functional complexity and
architectural and verification challenges.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 1

F. Farahmandi et al., CAD for Hardware Security,
https://doi.org/10.1007/978-3-031-26896-0_1
2 1 Introduction to CAD for Hardware Security
Fig. 1.1 Electronic Devices

have become a part of our
daily lives from smart home,
smart cars, to handheld PDA
devices and wearable.
According to [58], there are
30 billion electronic devices
surfacing around the world of
eight billion population
8 Billion
People
30 Billion
Electronic Devices
Due to the complexity of modern computing devices, challenges in SoC design

are rapidly increasing with factors like performance, functionality, speed, reliability,
cost, and, more importantly, security. The heterogeneity of components plays
a significant role in the challenges due to the design complexity, which may
include complexity in the problem domain, development process, choice domain,
testing, and packaging-related complexity. However, the arrival of electronic design
automation (EDA) tools in the early 1980s resolved the many challenging attributes
of design engineers. Automated EDA tools reduce the time and cost of designing
complex integrated circuits and help in the virtual testing of the electronic circuits,
resulting in decreased production costs. EDA companies exploit CAD tools to
overcome design complexity challenges. CAD tools used in the SoC design flow
will automate the design workflow by supporting the basic features of logical design,
circuit schematic design, layout generation, and design checks. The usage of CAD
tools has also been extended for verification processes and has proven to be a highly
accomplished tool in the IC design process.
1.1.1 Emergence of Threats in Hardware Supply Chain
A modern computing system is illustrated in Fig. 1.2 in terms of different fields

of security. The field of network security concerns the network’s vulnerabilities
that connect computer systems and the mechanisms to safeguard its integrity
and usability under attack. Malicious attacks on software, such as inconsistent
error handling and buffer overflows, can be exploited through software security,
and techniques are developed to ensure reliable software operation even when
1.1 Introduction 3
Network Security
1. Denial of Service
Information Security
2. Man-in-the-middle attacks Software Security
1. Corruption
3. Phishing/spoofing Attacks 1. IP theft/piracy
2. Leakage
4. Social engineering 2. Privilege escalation
3. Unavailability ... Software 3. Man-in-the-middle
4. Malware
Storage 5. Denial of service
Smart Car
PDA
IC
Hardware Security
Electronic 1. IP theft/piracy
Wearables Modem/
Hardware 2. Hardware trojan
Router 3. Reverse-engineering
4. Cloning/overproduction
5. Side-channel attack
6. Fault-injection attack
Computers Smart home Servers 7. Privilege escalation
Fig. 1.2 The spectrum of hardware security threats in various user application level [4]. The
overall threats on hardware security can be categorized among—network, information, software,
and hardware related threats
potential security risks are present. Information security ensures confidentiality,

integrity, and availability by protecting information against unauthorized access,
use, modification, or destruction. In contrast, hardware security deals with attacks
targeting the hardware, its entirety, and protection against those attacks. It forms the
foundation of system security, providing a trust anchor for other system components
to interact with it.
While ubiquitous computing has several benefits, security and trust concerns
have been raised by its rapid increase. The modern electronics industry is vulnerable
to hardware-assisted and software-centric attacks that have been prevalent for
decades. Those tools and techniques that are used for designing, implementing,
optimizing performance, verifying the design, performing advanced failure analyses
(FA), localizing defects, testing manufacturing processes, and analyzing reliability
can pose a security threat to hardware if an adversary possesses them. IP piracy,
hardware trojan, malicious modification, counterfeit, side-channel analysis, probing,
fault injection, photon emission, or reverse engineering may allow attackers to
extract secret information or intellectual property (IP) from electronic systems.
These days, SoCs are built in collaboration with various parties, including the
system owner, designer, foundry, assembly, and test facility. Academic, industry, and
government researchers have been reporting security issues on the hardware used in
a wide range of applications for over a decade [4, 28, 44, 53]. Figure 1.3 illustrates
a simplified supply chain flow of electronic devices from the equipment owner to
the end user where any party can be potentially untrusted and pose a severe threat
to the original equipment manufacturer (OEM). One example of a recent hardware
attack is the “The Big Hack” incident [46] shown in Fig. 1.3. Bloomberg reports that
several Supermicro data centers are found to possess motherboards infected with
Tens of parties involved!
Owner Designer Foundry OSAT End-user
Bloomberg: Design stolen by

Suspicious
employee from ASML, 2015 [47]
Chip?!
Bloomberg: Tampered Chip

in Amazon, Apple, CIA, DoD,
NASA, Navy, 2018 [45]
Theverge: Remote attacker Insecure Asset, e.g.,
unlocks and starts Tesla, 2022 [65] credentials, design data, etc.
Fig. 1.3 Several events of hardware security breaches in last five years. These treats span from
hardware trojan to IP theft and remote attacks which make user data and credentials insecure
malware every time they booted up due to a small malicious chip in the motherboard.
Though the attack was initiated in 2014, this incident got publicly exposed no
sooner than 2018. Supermicro’s motherboards are used in data centers of NASA, US
Navy, DoD, CIA, Amazon, Apple, etc. Very recently, Bloomberg reported another
incident [45] where an insider engineer from ASML, the largest company for
manufacturing lithography equipment that shrinks and prints transistor patterns onto
silicon wafers, stole intellectual property and fled to a different country. Another
recent incident [65] shows that attackers can exploit network security to unlock and
start a smart car in seconds without requiring any key. All these current threats to
the electronic hardware supply chain raise the security concern about personal data
and credentials stored in these potentially suspicious devices.
The possible hardware attacks like side-channel attacks, exploitation of Test/De-
bug infrastructure, fault injection, information leakage, and malicious hardware
known as Hardware Trojans (HT) can also be potentially detected using CAD
tools [5]. Such hardware attacks must be carefully addressed due to their possible
impact on the hardware and the underlying software and firmware. Based on a
common vulnerability exposure (CVE-MITRE) [37] report, the overall system
1.1 Introduction 5
vulnerability gets reduced by 43% if hardware vulnerabilities are expunged from

any design. These hardware vulnerabilities are highly challenging to the community
of design and manufacturing companies. Today, more than ever, design houses are
willing to invest in security solutions to provide security assurance and build trust
in their products. This opens a high demand for hardware security experts in the
government and industry. The role of the hardware security team is to include
security features and support throughout the design, testing, manufacturing, and
validation. These teams strive to incorporate security features into the product
development life-cycle (PLC) and develop a security development life-cycle (SDL)
[17] to reduce security risk before deployment [28]. Even though the security solu-
tions included in the life-cycle development adds some advantage, EDA tools used
to design and manufacture hardware plays a major role in incorporating security
objectives. In addition to the power, performance, and area (PPA), EDA tools should
provide security assurance with minimal cost and effort with high efficiency. In
2015 EDA companies began using CAD tools for hardware verification/validation
during the pre-and post-silicon stages of hardware design culminating in hardware
assurance [1]. Hence, researchers brought CAD for security techniques to build the
trust of end-user and product developers [16, 54]. CAD for security techniques
is being increasingly applied to SoC design to enhance security assurance with
concurrent validation [5, 57].
1.1.2 SoC Security Development Life-cycle (SDL)
Figure 1.4a, b shows the various stages of the SoC and security development
life-cycle. In any SoC design, IPs developed by different IP vendors, known as
third-party IP (3PIP) vendors, are integrated, synthesized using CAD tools, and
fabricated. The end products are used in many applications, including the internet
of things (IoT), cyber-physical systems (CPS), and embedded computing systems.
CAD Tools Utilization
...
SoC Synthesis Physical End
3rd party IP Fabrication
Integrator DFT & DFF Layout product
(a) SoC Development Lifecycle
Product Concept Threat Security Design Security Incident

& Definition Model Architecture Review Testing Response
(b) Security Development Lifecycle
Fig. 1.4 SoC development life-cycle alongside with SoC security development life-cycle (SDL)
SoC used in any such systems should be verified and validated for hardware and
software security threats. However, the design complexity of modern SoC chips
makes verification a bottleneck problem, and the chip manufacturing companies are
utilizing more than 70% of efforts and resources to ensure the correctness of the
chip design in all aspects of performance, functionality, timing, and reliability [13].
On the other hand, the verification techniques were expected to provide the required
security against hardware bugs or vulnerabilities in the life-cycle of the SoC. The
hardware bugs are more challenging because patching is not always possible at
any level of abstraction and results in persistent/permanent denial-of-service, IP/IC
leakage, or exposure of assets to untrusted entities. However, the semiconductor
industry has taken extensive measures to provide security assurances with the
existing simulation, emulation, and formal verification techniques to detect or
prevent hardware bugs in the design. On the contrary, the security development life-
cycle starts from product conceptualization and definition, as shown in Fig. 1.4b.
Later it performs threat modeling, secure architecture development and deployment,
design review, testing, and critical incident response.
1.1.3 Security Requirements
This section describes the security requirements to be considered while designing

an SoC. These SoC requirements are based on a threat model developed by the
potential vulnerabilities at different stages of the SoC life-cycle.
Computing devices are being employed in banking, shopping, and personal infor-
mation tracking, including health monitoring, fitness tracking, etc., which must be
protected from malicious or unauthorized access. Other than the personalized usage
of computing systems, device architectures are used widely in high confidential
applications such as cryptographic and digital rights management (DRM) keys,
programmable fuses, on-chip debug instrumentation, and defeature bits. Hence,
when designing a modern SoC, several sensitive assets are to be considered to
protect from unauthorized access. System-critical and security-sensitive information
stored in the chips are the two massive assets to be considered. In [14], the assets
are utilized to develop security policies to provide a valid authentication of the
design. However, in any SoC, security assets are disseminated across the IPs,
and access control is provided based on the requirements of security policies.
A security property is a statement that can check conditions, assumptions, and
expected behavior of a design [36]. However, these security properties are specific
to a security vulnerability and formally describe the expected behavior.
The security properties are developed from the essential assets and their cor-
responding security levels. An asset is a resource with a security-critical property
that is to be protected from adversaries [3]. These assets may be different from one
abstraction level to another, depending upon the adversarial intention. In any SoC
assets can be classifies as two categories as listed in Fig. 1.5 [14]:
1.1 Introduction 7
Asset
Secondary Asset
Primary Asset (Supports Primary Assets, e.g.,
(High Priority Protection)
shared bus)
Static Asset
(Stored in SoC key, password,
Firmware, etc.)
Dynamic Asset
(Generated in run-time, e.g., on-
chip generated key, true random
numbers, etc.)
Fig. 1.5 Classification of security assets in an SoC [14]. Assets in an SoC are classified based on
their abstraction level and adversarial intention
1. Primary Assets—High priority of protection is given by the designer. For

example, device keys, passwords, firmware, true random number generator
(TRNG), on-chip key generator (e.g., Physically unclonable functions (PUFs))
are included as primary assets. The primary assets under consideration can be
classified as below:
(a) Static—these primary assets are stored within SoC and utilized whenever
required, e.g., key, password, firmware, etc.
(b) Dynamic—these primary assets are generated during the run-time of SoC
and used for authentication.
2. Secondary Assets—Infrastructures that support the protection of primary assets

during rest or transition. For example, a shared bus ensures the protection of key
moving from an on-chip ROM to an encryption engine within an SoC.
The security properties developed from the specific assets will provide security
assurance to the SoC. Threat models violating confidentiality, integrity, and avail-
ability are identified in [14] and security properties are developed according to the
assets. Security property/rule databases are available in [57] are widely used by the
researchers to verify and validate an SoC design.
1.2 CAD Tools in SoC Supply Chain
CAD tools play a vital role in the rapid increase of SoC design complexity. The
full span of design flow utilizes CAD tools: High-level synthesis (discussed in
Chap. 12), Verification (discussed in Chap. 9), Logic Synthesis, Placement and
Routing, Static Timing Analysis, Post-Silicon Validation, and Manufacturing Test-
ing. Figure 1.6 describes how CAD tools are utilized for synthesizing, analyzing,
and testing the SoC design flow. CAD tools may be used in behavioral, RTL,
FPGA, Logic, physical, and DSP synthesis, and while optimizing, CAD tools can
perform transistor sizing, process variation, and statistical design. While analyzing
an SoC design for threats, CAD tools may perform as checkers and verifiers. The
checkers do a design rule check (DRC) to ensure that the designers do not violate
design rules to achieve a high overall yield and reliability for the design. Electric
rule check (ERC), netlist compare, ratio checker, fan-in/fan-out checker, and power
checkers are applied to check the correctness of the design to meet the specification.
However, verifiers will check/verify the condition explicitly specified as part of
the design. The verifiers are of two types, timing, and functional verifiers. Timing
verifiers optimize the circuit performance by determining the longest delay path and
also checking for a correct clock cycle. Functional verifiers are symbolic checkers,
which compare the symbolic description of circuit functionality with its individual
parts derived behavior. However, in both cases, checkers ensure that rules meet the
design specification. The CAD tools also perform as testers by generating suitable
automatic test patterns to test the design, which is done by an automatic test pattern
generation (ATPG) and a design-for-Test (DFT).
Synopsys, Mentor, and Cadence are the three major commercial CAD tool
vendors, Fig. 1.8 shows the usage of those CAD tools in various stages of the SoC
design flow. Other than these tools there exist open-source tools also, in a vast and
vibrant ecosystem. However, the post-silicon validating tools are not common and
only Mentor Graphics have Tessent.
VLSI CAD Tools Utilization in SoC Design Flow
Synthesis Tools Analysis Tools Testing Tools
Synthesis Checkers Verifiers Testers

Behavioral Synthesis DRC, ERC Timing Verifier ATPG
RTL Synthesis Netlist Compare ICE/Hardware DFT
FPGA Synthesis Ratio Checkers Formal Verifier
Logic Synthesis Fan-in/Fan-out Checkers
Circuit Optimization Power Checker
Transistor Sizing
Statistical Design
Physical Synthesis
DSP Synthesis
Fig. 1.6 Steps in semiconductor design where CAD tools are used, such as synthesis, analysis,
and testing in the SoC design flow
1.2 CAD Tools in SoC Supply Chain 9
1.2.1 Significance of CAD Tools in SoC Life-cycle Security
This section describes how CAD tools play a significant role in the supply chain
challenges of the SoC life-cycle and various possible hardware threats associated
with each stage. Due to globalization, the SoC development cycle is distributed
globally, and the possibility of adding/embedding threats to the design increases. As
a result, the end-users and IC manufacturing industries lose trust in their products.
The significance of commercially available and newly developed CAD tools in
hardware security is highlighted below.
• With the exponential growth in design complexity and the number of potential
attack surfaces, the effort required to secure electronic circuits tends to grow
drastically. Therefore, there is only one way to address the mismatch between
demand and supply to ensure hardware security: to improve the qualitative
security that these CAD tools can offer. Qualitative security is meant the CAD
tools not only perform design implementation, optimization, verification, and
testing as mentioned at the beginning of Sect. 1.2 but also ensure that the
underlying electronic circuit meets the security requirements as discussed in
Sect. 1.1.3.
• Using CAD tools can ensure that hardware security requirements can be assessed
and addressed (when required) during the design and implementation stage of
the semiconductor supply chain. It is more suitable to detect any vulnerability
in the design at the early stage, for instance, RT-level, than in later stages,
such as physical layout. As presented in Fig. 1.6, CAD tools are already used
throughout the different stages of the SoC design flow for various tests, checks,
and verification tasks. For example, logical equivalency is checked between the
input and output of any synthesis step to ensure functional similarity during the
flow. Suppose security requirements mentioned in Sect. 1.1.3 can be broken down
into tangible rules and checks. Then those can be verified during the design flow
using CAD tools. In that case, scalable hardware security can be ensured.
• The researchers proposed several solutions [4] to meet hardware security require-
ments. However, their practical usage is severely challenged due to being ad-hoc
in nature and a lack of automation, implementation overhead, and scalability.
The use of CAD tools can bring enhanced productivity, scalability, and reduced
turnaround times with minimal cost to meet security requirements in supply
chain.
1.2.2 CAD Tools in SoC Life-cycle Threats
Figure 1.7 highlights the existing hardware security threats in the SoC life-cycle.
On the other hand, Fig. 1.8 shows different CAD tools from different vendors that
are used in the industry throughout the different steps of the SoC design flow. The
SoC Life-Cycle Hardware Threats

Hardware Trojan
IP Vendor Hidden Backdoor
Information Leakage
IP Piracy Fault Injection

SoC Design house Trojan Insertion by Tools Side-channel Analysis
Information Leakage
Trojan Implant Fault Injection

Foundry IC Overproduction Side-channel Analysis
Reverse Engineering
Leak Secret Information Reverse Engineering

Deployment Side-Channel Attack
Fault Injection
Fig. 1.7 Hardware threats in globally distributed supply chain on SoC life-cycle
following briefly explains the major hardware security threats from Fig. 1.7 and
associated CAD tools used exploit those threats.
1. IP Piracy: Intellectual property is an original design idea of any IC. The attacker
may steal the intellectual property of the design without the knowledge of the
designer [6, 25, 32, 38]. During the design phase, any synthesis, place, and route
CAD tools from Fig. 1.8 can be used to exploit these threats. Techniques to
mitigate IP piracy are discussed in Chap. 11.
2. Hidden Backdoor: Hidden backdoor is the logic functions added to the design
and they enable remote control of the IC, such that the adversary can access the
design when the IC is functioning [30]. The adversary can leak the secret infor-
mation or create any malfunction to the design. Usually such threats are included
during the design synthesis or manufacturing phase. Hence, synthesis, place and
route CAD tools from Fig. 1.8 are mostly used to insert such vulnerabilities.
3. Reverse Engineering: IC reverse engineering is a process of identifying the
device functionality by extracting the gate-level netlist [35, 56]. The attacker may
reverse engineer either the end product or the GDSII layout of the design [10, 56].
Nowadays reverse engineering tools and techniques are available at lower cost
[9, 11], to steal or pirate a design (discussed in Chap. 15).
4. IC Overbuilding: The attacker in the foundry may overproduce the IC and sell
those illegally in the market [7, 48]. Overproduction does not necessarily require
any specific CAD tools. The GDSII shared with the foundry for fabrication is
good enough to build more chips than the contract and sell those in the open
market.
5. Counterfeiting: The counterfeit ICs are produced and distributed in the market
at less price without the knowledge of the original component manufacturer [30]
(discussed in Chap. 13).
VCS, ModelSim, NCSim, Conformal LEC,
Vivado HLS, Stratus, JasperGold, Incisive Design Compiler, Formality
LegUp, Bambu, Genus, Precision,
Catapult C Functional Post-synthesis
Yosys PrimePower,
Verification Verification Voltus, RedHawk
High Level Logic
Power and
1.2 CAD Tools in SoC Supply Chain
Synthesis Synthesis
Security DFM SigSeT, Tessent
Security
Verification Verification Post-Silicon
IC Compiler,
Innovus, Xpedition Validation
System Security Placement Physical Verification Security

Specification Synthesis DFT Fabrication
Integration Verification & Routing & Signoff Verification
Platform DFT Compiler, IC Validator,
Manufacturing
Architect Modus Static Calibre, Assura
Testing
Timing
TetraMax,
Primetime, StarRC Encounter Test,
Tempus, Quantus FastScan
Fig. 1.8 The list of CAD tools used at different stages of SoC design flow
11
6. Hardware Trojans: Once triggered, malicious modifications to the circuit may

modify the design functionality, cause a denial-of-service, or leak secret infor-
mation about the design [27, 31, 39, 52]. A detailed description of Trojans and
their classifications are described in [49, 51]. Trojan detection is difficult due to
its stealthy nature, and the technology scaling of the devices is limited, so it is
very difficult to distinguish Trojan malfunction from the process variation [50].
These Trojans are embedded at any design stage, either at the specification phase,
design phase, fabrication phase, testing phase, or assembly and package phase.
Several CAD tools from Fig. 1.8, such as synthesis tools, DFT tools, verification
tools, testing tools, etc., can be used to embed these hardware Trojans in the
design. Still, no specific tools or standard measurements exist to detect or prevent
Trojan insertion. Whereas, Salmani et al.[50], had proposed a vulnerability
analysis flow to determine the location of Trojan embedded in the design, and
they have developed a Trojan detectability metric to quantify Trojan activation
and effect. The Trojan detectability metric analyzes the weaknesses and strengths
of Trojan detection techniques (discussed in Chap. 5).
7. Information Leakage: During run-time the attacker can attain the confidential
information either by means of side-channel analysis [23] or through the
deployed Trojan [18]. The attacker can easily attain the private key of a crypto
module (elaborated in Chap. 4). Researchers have shown that several synthesis,
verification, testing, and DFT tools can be exploited to leak sensitive design
information. Details of these threats are thoroughly discussed in Chap. 4.
8. Side-channel Attacks: By exploiting side-channel signals like power, electromag-
netic waves, timing, acoustic, optical, memory cache, and hardware weaknesses,
the attacker can easily attain the information of crypto modules [34, 55]. By
employing side-channel attacks, the attacker can extract the secret key without
learning the direct relation between plaintext and ciphertext. With the secret key,
it is easy to decipher the encrypted information. (elaborated in Chaps. 6 and 8).
Researchers exploit power analysis and design for manufacturability (DFM)
tools from Fig. 1.8 to analyze the side-channel information of a design, localize
the target asset, and later carry out the side-channel attack on the device [34, 55].
On the other hand, their associated mitigation can also be integrated into the
design using synthesis and place and route CAD tools.
9. Fault Injection Attacks (FIAs): A transient fault is induced during the execution
of normal chip operation and thereby results either in the disabling of security
features and countermeasures or by leaking the secret information in crypto
modules [15, 26]. Clock glitching, voltage glitching, electromagnetic (EM), light
and laser, and focused ion beam (FIB) are the most prominent FIA approaches
to cause violation of device integrity, confidentiality, and availability [61]. The
attacks are performed in the fabricated device. However, several DFT, testing,
verification, power, and manufacturability tools from Fig. 1.8 are vastly used to
fully or partially localize the asset in the device. Details on fault injection attacks
and usage of CAD tools in their detection and mitigations is discussed in Chap. 7.
To overcome these hardware security challenges [16] and to provide trustable
hardware, design-for-trust techniques are proposed. CAD tools are utilized at SoC
design stage to develop a design-for-trust techniques such as watermarking [24], IC

metering [2, 29], split manufacturing [19, 21, 22, 22, 59], IC camouflaging [12, 42,
60, 64], and logic encryption [40, 41, 43, 48, 62, 63]. Among the all design-for-trust
techniques, logic locking is most significant as it provides a protection at all stages
of IC supply chain, (Discussed in Chap. 11). Whereas the other techniques like IC
camouflaging and split manufacturing can protect the design only against particular
malicious entities, CAD tools are used at the logic synthesis level is recommended.
Generally, the hardware security and trust schemes developed using CAD tools are
proposed for the detection/prevention of hardware threats in the SoC supply chain.
However, researchers employed CAD tools in each stage of the SoC design flow
to provide an end-to-end security verification and assurance, and this results in a
security base life-cycle, which runs parallel to the SoC design flow as described
below.
The security development life-cycle (SDL), is one of the measures included in
the SoC development life-cycle to provide security assessment as shown in Fig. 1.3.
The security requirements are considered an SDL flow specification, including the
adversary threat model. From the security specifications, a list of assets, capabilities
of an adversary, and objectives of security architecture are provoked to mitigate
any threat. Along with the security test cases, these specification objectives are
interpreted as micro-architectural security specifications. So once the design is
implemented, pre-silicon security verification is carried on either utilizing dynamic
verification, formal verification, or manual RTL analysis. Only the chips that pass
the security verification and meet security specifications are taped out. Post-silicon
security verification begins once the chip is taped out. However, the bugs identified
in both pre-silicon and post-silicon phases are fixed according to the severity rating.
The challenge in SDL flow is that the security specification varies for every threat
model. Therefore, human expertise is required to define and run the test cases.
Nowadays, CAD tools are widely used to validate the security assessments in SDL
flow and conform to meet industry security requirements.
1.2.3 CAD Tools as Vulnerability Source: The Other Side of

the Coin
While CAD tools are an integral part of the modern SoC design flow, several
researchers explored the possibility of CAD tools inserting vulnerabilities in the
design unintentionally. Authors of [8] analyzes IEEE P1735, which describes
methods for encrypting electronic-design intellectual property (IP) and managing
access rights, and highlights that the standard contains several cryptographic errors.
By exploiting the most egregious errors, authors were able to recover the entire
plaintext IP. Padding-oracle attacks, for instance, are well-known attack vectors
exploited in [8]. As a result of the underlying IP being required to support typical
applications, new capabilities emerge, for instance, commercial system-on-chip
(SoC) tools that combine multiple IP pieces into a fully specified chip design. On the
other hand, in a black-box oracle approach an attacker can exploit various mistakes
made in a commercial SoC tool. As well as recovering plaintext IP, authors of [8]
demonstrates how to create ciphertexts of IP that include targeted hardware Trojans
in a standard-compliant way.
Researchers have also shown that circuit design CAD tools can be leveraged
to insert and avoid detection of hardware trojans [47]. Figure 1.8 shows how
CAD tools are being used in the IC designs for the purpose of verifying the
security assurance of the chip. Due to scaling, the entire RTL to GDSII design
flow has moved from standalone synthesis, placement, and routing algorithms to an
integrated construction and analysis approach. Apart from the traditional functional
design implementation, optimization, and verification steps, the SoC design flow
must undergo security verification steps after every design transformation steps as
depicted in Fig. 1.8. These security verification steps ensure that the final GDSII is
free from any potential security vulnerabilities. Moreover, the required effort and
resource to identify and fix any security vulnerability increases multiple times as
the design moves from one abstraction level to another. Therefore, the subsequent
chapters of this book discusses how security vulnerabilities can be detected and
mitigated at the early stage of the SoC design flow.
1.2.4 The Need for CAD Solutions For SoC Security

Verification
Hardware validation is more challenging at the SoC level due to the stealthy nature
of the potential attacks and the diversity of vulnerabilities. EDA companies [20, 33]
face security challenges while designing SoC chips. Security challenges such as
design complexity, integration of third-party IPs, customized functionality, and
globally distributed supply chain are addressed using verification and validation
techniques of CAD tools. Figure 1.8 describes the usage of CAD tools in IC
chip design for verification and validation of security assurance. The evolution of
CAD tools results in compact electronic gadgets and systems, whereas the design
complexity challenges are also resolved to an extent. However, CAD tools used
in SDL will provide security assurance for most existing attacks. This book is a
collection of existing CAD techniques providing security assurance by validating
the security specifications.
The book is an attempt to cover the foundation of understanding CAD tools
used to enhance the security assurance of the hardware verification and validation
techniques. It presents a comprehensive summary of the threat models and attack
scenarios and describes the fundamental principles with highlighted research results.
The book systematizes the application of CAD tools to the SoC life-cycle devel-
opment to provide an assessment of existing security development techniques. It
groups similar analysis and verification techniques to explain the common principles
in detail. Important concepts are elaborated with illustrative circuit examples. The
book includes 18 chapters. Each chapter highlights the fundamental principles
behind the application of CAD techniques in the existing security assessments of
the SoC development life-cycle. The first chapter is an introduction to SoC life-
cycle development with the security development life-cycle. The following chapter
will focus on the application of CAD approaches, in the assessment, at the pre-
silicon level of the SoC life-cycle. Below is a conspectus of each chapter:
• Chapter 2 describes security assets and their classification. This chapter also
discusses the existing challenges to identify security vulnerabilities and necessity
of an automated framework for security asset identification. The later part of
the chapter provides an overview of automated security asset identification
framework.
• Chapter 3 is all about security metric. The security of a system greatly depends
on the standard it is founded. The mitigation technique for one threat might
be hurting the security of another threat. Therefore, this Chap. 3 discusses the
metrics for IP-level security metric, platform-level security metric, transition of
a metric from IP to the platform, security quantification and estimation, etc.
• Chapter 4 focuses on the usage of CAD techniques for Information Leakage
Assessment. It also discusses the various state-of-the-art techniques which
track the flow of information at different abstraction levels, including software,
hardware, and the HDL level. This chapter summarizes information flow tracking
in three categories and presents the designer with methodologies that may prevent
system violations.
• Chapter 5 presents computer-aided hardware Trojan detection techniques. The
focus of this chapter is to introduce tools developed by academics and provide an
overview of the concepts incorporated to address the Trojan detection schemes.
• Chapter 6 presents a survey on CAD for Power Side-Channel Detection. The
chapter includes a collection of CAD techniques used for power side-channel
analysis at various stages of the design flow.
• Chapter 7 elaborates on fault injection attacks by addressing challenges asso-
ciated with clock glitching. It includes the challenges associated with current
vulnerability assessment tools and how CAD tools are used to detect fault
injection attacks to safeguard the device.
• Chapter 8 focuses on Electromagnetic (EM) Fault injection attacks on SoC. The
chapter includes a review of CAD techniques used to inject EM attacks on a
targeted SoC and possible countermeasures that can be incorporated at the design
stage. This chapter aims to consolidate the attack models against SoCs, security
evaluation metrics of a design at the pre-silicon stage, and a triplication-based
error correction code that is resilient against varying electromagnetic fields.
• Chapter 9 elaborates on a collection of CAD techniques used to enhance security
verification at hardware and software levels to find design vulnerabilities.
• Chapter 10 describes the machine learning (ML) techniques used in hardware
security verification and validation. This chapter includes various machine
learning techniques used for different threat models addressed in the domain of
hardware security.
• Chapter 11 focuses on the application of CAD tools to reinforce the logic locking
technique. This chapter elaborates on cutting-edge logic locking techniques,
along with their advantages and limitations, to ensure trust in the design.
• Chapter 12 discusses the vulnerabilities addressed while designing hardware with
High-level languages (HLL) by using High-level synthesis (HLS) tools. This
chapter provides a literature survey of prominent research done in this domain
and highlights research work that ensures security-aware HLS translation.
• Chapter 13 elaborates on anti-counterfeiting techniques and how machine learn-
ing algorithms are applied to detect counterfeit ICs accurately. This chapter
presents the taxonomy of counterfeit types in detail with the detection of
counterfeit IC and existing countermeasures.
• Chapter 14 focuses on the countermeasures against a probing attack. It includes
a survey of existing probing attacks, limitations of detecting probing attacks, and
an assessment of IC vulnerability through a layout-driven framework.
• Chapter 15 compiles a collection of CAD tools applicable for reverse engineer-
ing. It presents a high-level algorithm to extract gate-level netlists with reverse
engineering techniques.
• Chapter 16 discusses the CAD techniques applied to Physical Unclonable
Functions (PUF) security. This chapter enumerates error correction technology
for PUF and numerical modeling attacks on several PUF implementations.
• Chapter 17 elaborates on the state-of-the-art of Field-programmable gate array
(FPGA) security, including general FPGA security mechanisms, system-on-chip
(SoC) FPGA security, cloud FPGA security, and FPGA initialization security.
High-level security issues in FPGAs are discussed to provide an overview of
various concerns in wide applications.
• Chapter 18 finally concludes the book by providing a summary of the chapter
contents and provides direction for future research in using CAD tools for
hardware security.
1.3 Summary
This chapter elaborates on the hardware vulnerability challenges in the SoC design
flow and the utilization of CAD tools to address the need for security assurance.
The hardware threats related to the SoC life-cycle are discussed, and the SDL
flow developed with CAD tools to provide a security assessment at all stages of
SoC design was elaborated. This chapter also highlights a brief description of each
chapter on how CAD tools are applicable in the domain of hardware security.
References 17
References
1. S. Aftabjahani, R. Kastner, M. Tehranipoor, F. Farahmandi, J. Oberg, A. Nordstrom, N. Fern, A.

Althoff, Special session: cad for hardware security-automation is key to adoption of solutions,
in 2021 IEEE 39th VLSI Test Symposium (VTS) (IEEE, Piscataway, 2021), pp. 1–10
2. Y. Alkabani, F. Koushanfar, Active hardware metering for intellectual property protection and
security, in USENIX Security Symposium (2007), pp. 291–306
3. A. ARM, Security Technology Building a Secure System Using TrustZone Technology (White
Paper) (ARM Limited, Cambridge, 2009)
4. S. Bhunia, M. Tehranipoor, Hardware Security: A Hands-on Learning Approach (Morgan
Kaufmann, Burlington, 2018)
5. CAD/IP for security, trust-hub. https://www.trust-hub.org/#/cad-ip-sec/cad-solutions.
Accessed 04 Aug 2021
6. E. Castillo, U. Meyer-Baese, A. García, L. Parrilla, A. Lloris, IPP@ HDL: efficient intellectual
property protection scheme for IP cores. IEEE Trans. Very Large Scale Integr. VLSI Syst.
15(5), 578–591 (2007)
7. R.S. Chakraborty, S. Bhunia, Harpoon: an obfuscation-based soc design methodology for
hardware protection. IEEE Trans. Comput. Aided Des. Integr. Circuits Syst. 28(10), 1493–
1502 (2009)
8. A. Chhotaray, A. Nahiyan, T. Shrimpton, D. Forte, M. Tehranipoor, Standardizing bad
cryptographic practice: a teardown of the IEEE standard for protecting electronic-design
intellectual property, in Proceedings of the 2017 ACM SIGSAC Conference on Computer and
Communications Security (2017), pp. 1533–1546
9. Chipworks, Reverse engineering software. http://www.chipworks.com/en/technical-
competitive-analysis/resources/reerse-engineering-software
10. L. Chow, J.P. Baukus, W.M. Clark Jr, Integrated circuits protected against reverse engineering
and method for fabricating the same using an apparent metal contact line terminating on field
oxide (2007). US Patent 7,294,935
11. Degate, http://www.degate.org/documentation/
12. M. El Massad, S. Garg, M.V. Tripunitara, Integrated circuit (IC) decamouflaging: reverse
engineering camouflaged ICs within minutes, in NDSS (2015), pp. 1–14
13. F. Farahmandi, Y. Huang, P. Mishra, System-on-Chip Security (Springer, Berlin, 2020)
14. N. Farzana, F. Farahmandi, M. Tehranipoor, Soc security properties and rules. Cryptology
ePrint Archive (2021)
15. O. Faurax, T. Muntean, Security analysis and fault injection experiment on AES, in Proceed-
ings of SAR-SSI, vol. 2007 (2007)
16. D. Gardner, P. Ramrakhani, S. Jeloka, P. Song, C. Vishik, S. Aftabjahani, R. Cammarota, M.
Chen, A. Xhafa, J. Oakley, et al., Research needs: trustworthy and secure semiconductors and
systems (T3S), semiconductor research corporation (2019)
17. M. Howard, S. Lipner, The Security Development Lifecycle, vol. 8 (Microsoft Press Redmond,
Washington, 2006)
18. N. Hu, M. Ye, S. Wei, Surviving information leakage hardware trojan attacks using hardware
isolation. IEEE Trans. Emerg. Top. Comput. 7(2), 253–261 (2017)
19. F. Imeson, A. Emtenan, S. Garg, M. Tripunitara, Securing computer hardware using 3D
integrated circuit ({IC}) technology and split manufacturing for obfuscation, in Presented as
Part of the 22nd {USENIX} Security Symposium ({USENIX} Security 13) (2013), pp. 495–510
20. Intel, Intel bug bounty program. https://www.intel.com/content/www/us/en/security-center/
bug-bounty-program.html
21. M. Jagasivamani, P. Gadfort, M. Sika, M. Bajura, M. Fritze, Split-fabrication obfuscation:
metrics and techniques, in 2014 IEEE International Symposium on Hardware-oriented Security
and Trust (HOST) (IEEE, Piscataway, 2014), pp. 7–12
22. R.W. Jarvis, M.G. Mcintyre, Split manufacturing method for advanced semiconductor circuits
(2007). US Patent 7,195,931
23. M. Joye, F. Olivier, Side-channel analysis (2011). https://marcjoye.github.io/papers/

JO05encyclo.pdf
24. A.B. Kahng, J. Lach, W.H. Mangione-Smith, S. Mantik, I.L. Markov, M. Potkonjak, P.
Tucker, H. Wang, G. Wolfe, Watermarking techniques for intellectual property protection,
in Proceedings of the 35th Annual Design Automation Conference (ACM, New York, 1998),
pp. 776–781
25. A.B. Kahng, J. Lach, W.H. Mangione-Smith, S. Mantik, I.L. Markov, M. Potkonjak, P. Tucker,
H. Wang, G. Wolfe, Constraint-based watermarking techniques for design IP protection. IEEE
Trans. Comput. Aided Des. Integr. Circuits Syst. 20(10), 1236–1252 (2001)
26. M. Karpovsky, K.J. Kulikowski, A. Taubin, Robust protection against fault-injection attacks
on smart cards implementing the advanced encryption standard, in International Conference
on Dependable Systems and Networks (IEEE, Piscataway, 2004), pp. 93–101
27. R. Karri, J. Rajendran, K. Rosenfeld, M. Tehranipoor, Trustworthy hardware: identifying and
classifying hardware trojans. Computer 43(10), 39–46 (2010)
28. H. Khattri, N.K.V. Mangipudi, S. Mandujano, HSDL: a security development lifecycle
for hardware technologies, in 2012 IEEE International Symposium on Hardware-Oriented
Security and Trust (IEEE, Piscataway, 2012), pp. 116–121
29. F. Koushanfar, Provably secure active IC metering techniques for piracy avoidance and digital
rights management. IEEE Trans. Inf. Forensics Secur. 7(1), 51–63 (2011)
30. F. Koushnafar, I. Markov, Designing chips that protect themselves, in Front End Topics.
Proceedings of the conference on Design Automation Conference (2010)
31. F. Koushanfar, A. Mirhoseini, A unified framework for multimodal submodular integrated
circuits trojan detection. IEEE Trans. Inf. Forensics Secur. 6(1), 162–174 (2010)
32. F. Koushanfar, G. Qu, Hardware metering, in Proceedings of the 38th Design Automation
Conference (IEEE Cat. No. 01CH37232) (IEEE, Piscataway, 2001), pp. 490–493
33. Lenovo, Lenovo:taking action on product security. https://www.lenovo.com/us/en/product-
security/about-lenovo-product-security,2017
34. Y. Lyu, P. Mishra, A survey of side-channel attacks on caches and countermeasures. J. Hardw.
Syst. Secur. 2(1), 33–50 (2018)
35. G. Masalskis, et al., Reverse engineering of CMOS integrated circuits. Elektronika ir elek-
trotechnika 88(8), 25–28 (2008)
36. P. Mishra, M. Tehranipoor, S. Bhunia, Security and trust vulnerabilities in third-party IPs, in
Hardware IP Security and Trust (Springer, Berlin, 2017), pp. 3–14
37. Mitre, Common vulnerabilities and exposures (2005)
38. D.C. Musker, Protecting and exploiting intellectual property in electronics, in IBC Confer-
ences, vol. 10 (1998)
39. S.R. Rajendran, M.N. Devi, Malicious hardware detection and design for trust: an analysis.
Elektrotehniski Vestnik 84(1/2), 7 (2017)
40. S.R. Rajendran, M.N. Devi, Enhanced logical locking for a secured hardware IP against key-
guessing attacks, in International Symposium on VLSI Design and Test (Springer, Berlin,
2018), pp. 186–197
41. J. Rajendran, Y. Pino, O. Sinanoglu, R. Karri, Security analysis of logic obfuscation, in
Proceedings of the 49th Annual Design Automation Conference (ACM, New York, 2012),
pp. 83–89
42. J. Rajendran, M. Sam, O. Sinanoglu, R. Karri, Security analysis of integrated circuit camou-
flaging, in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications
Security (ACM, New York, 2013), pp. 709–720
43. J. Rajendran, H. Zhang, C. Zhang, G.S. Rose, Y. Pino, O. Sinanoglu, R. Karri, Fault analysis-
based logic encryption. IEEE Trans. Comput, 64(2), 410–424 (2013)
44. S.R. Rajendran, R. Mukherjee, R.S. Chakraborty, SoK: physical and logic testing techniques
for hardware trojan detection, in Proceedings of the 4th ACM Workshop on Attacks and
Solutions in Hardware Security (2020), pp. 103–116
45. J. Robertson, M. Riley, The big hack: How China used a tiny chip to infiltrate US companies.
Bloomberg Businessweek 4 (2018)
References 19
46. J. Robertson, M. Riley, The big hack: how China used a tiny chip to infiltrate us companies.
Bloomberg Businessweek 4(2018) (2018)
47. J. Roy, F. Koushanfar, I. Markov, Extended abstract: circuit cad tools as a security threat,
in 2008 IEEE International Workshop on Hardware-oriented Security and Trust, pp. 65–66
(2008)
48. J.A. Roy, F. Koushanfar, I.L. Markov, Ending piracy of integrated circuits. Computer 43(10),
30–38 (2010)
49. H. Salmani, M. Tehranipoor, Trojan benchmarks [Online]. Available: https://trust-hub.org/
benchmarks/trojan
50. H. Salmani, M. Tehranipoor, R. Karri, On design vulnerability analysis and trust benchmarks
development, in 2013 IEEE 31st International Conference on Computer Design (ICCD) (IEEE,
Piscataway, 2013), pp. 471–474
51. B. Shakya, T. He, H. Salmani, D. Forte, S. Bhunia, M. Tehranipoor, Benchmarking of hardware
trojans and maliciously affected circuits. J. Hardw. Syst. Secur. 1(1), 85–102 (2017)
52. M. Tehranipoor, F. Koushanfar, A survey of hardware trojan taxonomy and detection. IEEE
Des. Test Comput. 27(1), 10–25 (2010)
53. M. Tehranipoor, C. Wang, Introduction to Hardware Security and Trust (Springer Science &
Business Media, Berlin, 2011)
54. M. Tehranipoor, R. Cammarota, S. Aftabjahani, Microelectronics security and trust-grand
challenges. TAME: Trusted and Assured MicroElectronics Working Group Report (2019)
55. K. Tiri, Side-channel attack pitfalls, in 2007 44th ACM/IEEE Design Automation Conference
(IEEE, Piscataway, 2007), pp. 15–20
56. R. Torrance, D. James, The state-of-the-art in semiconductor reverse engineering, in 2011 48th
ACM/EDAC/IEEE Design Automation Conference (DAC) (IEEE, Piscataway, 2011), pp. 333–
338
57. Trust-hub Benchmark. [online]. https://www.trust-hub.org
58. I. Ullah, Q.H. Mahmoud, Design and development of a deep learning-based model for anomaly
detection in IoT networks. IEEE Access 9, 103906–103926 (2021)
59. K. Vaidyanathan, B.P. Das, E. Sumbul, R. Liu, L. Pileggi, Building trusted ICs using split
fabrication, in 2014 IEEE International Symposium on Hardware-oriented Security and Trust
(HOST) (IEEE, Piscataway, 2014), pp. 1–6
60. A. Vijayakumar, V.C. Patil, D.E. Holcomb, C. Paar, S. Kundu, Physical design obfuscation of
hardware: a comprehensive investigation of device and logic-level techniques. IEEE Trans. Inf.
Forensics Secur. 12(1), 64–77 (2016)
61. H. Wang, H. Li, F. Rahman, M.M. Tehranipoor, F. Farahmandi, SoFI: security property-driven
vulnerability assessments of ICs against fault-injection attacks. IEEE Trans. Comput. Aided
Des. Integr. Circuits Syst. 41(3), 452–465 (2022)
62. Y. Xie, A. Srivastava, Mitigating sat attack on logic locking, in International Conference on
Cryptographic Hardware and Embedded Systems (Springer, Berlin, 2016), pp. 127–146
63. M. Yasin, B. Mazumdar, J. Rajendran, O. Sinanoglu, SARLock: sat attack resistant logic
locking, in 2016 IEEE International Symposium on Hardware Oriented Security and Trust
(HOST) (IEEE, Piscataway, 2016), pp. 236–241
64. M. Yasin, B. Mazumdar, O. Sinanoglu, J.V. Rajendran, CamoPerturb: secure IC camouflaging
for minterm protection, in 2016 IEEE/ACM International Conference on Computer-Aided
Design (ICCAD) (IEEE, Piscataway, 2016), pp. 1–8
65. K. Zetter, New attack can unlock and start a Tesla Model Y in seconds, say researchers. The
Verge (2022). https://www.theverge.com/2022/9/12/23348765/tesla-model-y-unlock-drive-
car-thief-nfc-relay-attack
Chapter 2
CAD for Security Asset Identification
2.1 Introduction
Systems on Chips (SoCs) have become integral to every computing system. SoCs
integrate multiple hardware functional blocks, called intellectual property (IP)
blocks, to provide the various functionality demanded by the current computing
systems. Each IP block performs a specific functionality that the SoC requires.
Examples include the ALU IP block performing arithmetic operations, crypto IP
blocks performing the cryptographic function, etc. As the SoC design process inte-
grates many hardware IP blocks, hidden under this shadow of higher functionality
lies the threat of security vulnerabilities. As SoCs get more and more complicated,
the lack of security awareness in the SoC design process has resulted in various
security threats such as Spectre [18], Meltdown [20], MDS [8, 29].
As computing devices become ubiquitous and user data is digitalized, it is
no longer safe to assume that secure software is enough to protect user data.
In the current horizontal model of silicon fabrication, with design, fabrication,
and assembly spread over various parts of the world, threats can be introduced
through unintentional design practices or through malicious implants [3, 4, 31] as
well. Comprehensive hardware security is paramount during the device’s lifecycle,
starting at the design phase. Incorporating security from the design phase gives
designers greater flexibility for design changes. It can reduce security vulnerabilities
at the post-silicon stage and save the design house money and time [1]. Achieving
comprehensive security of the SoC requires complete knowledge of the SoC
functionality and the threats that the SoC would face under various operating
conditions. With this knowledge, designers can now identify the critical components
in the SoC design that carry user and device-sensitive data and need to be protected.
These critical components are called security assets.
As more devices connect to the internet of things network, more and more user
data is being stored in devices. The critical security assets of these devices need to
be secured. Security assets in current computation devices range from the hardware
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 21

F. Farahmandi et al., CAD for Hardware Security,
https://doi.org/10.1007/978-3-031-26896-0_2
22 2 CAD for Security Asset Identification
registers storing user bank details, health data, passwords, photos, etc. to the intricate
state machines controlling mechanisms that can give a user or adversary access to
the user information. These control mechanisms can be finite state machines that
check for password or fingerprint matching and can be attacked by fault injection
[21]. Security assets can also comprise the firmware that is stored and interacts with
the hardware and thus can cause security leaks.
Identifying security assets is the first and one of the most crucial steps toward
ensuring SoC security. However, current practices of identifying security assets are a
manual and laborious task. It requires a designer/security engineer to understand the
functionality of each hardware IP block and its interactions with the rest of the sys-
tem. The designer/security engineer also needs to understand the various conditions
of the environment in which the SoC operates and assess all possible security threats
that the SoC faces. Gathering all such information, the designer/security engineer
needs to identify the various design components that must be protected. Any lapse
in judgment of either the threat faced or the importance of the design component
can result in design choices that leave a security asset vulnerable. The possibility
of these qualms demands a technique for the automated identification of security
assets in an SoC.
The rest of the chapter is organized as follows. Section 2.2 describes the
background for security assets and their classification. Section 2.2.1 describes the
various literature delved into security asset identification. Section 2.3 explores some
of the tools developed for the automated identification of security assets. Section 2.4
talks about future work and concludes the chapter.
2.2 Motivation and Background
2.2.1 Motivation
SoC system requires a complete understanding of the functional boundary of

each hardware IP block and insight into which functional behavior can cause
a security vulnerability under adversarial conditions. As SoC designs become
more compact, integrating a higher number of hardware IP blocks, it becomes
impossible for designers/security engineers to analyze the SoC design and identify
security vulnerability concerns related to each design component. Thus, it becomes
imperative for designers/security engineers to identify those design components
called security assets that carry information that when under threat, can leak
device secrets. By providing measures to protect the security assets from various
threats, designers/security engineers can ensure that the secrets of the SoC are safe.
However, identifying these security assets is not intuitive and varies from design to
design and the adversarial threat model under consideration.
SoCs integrating tens of hardware IP blocks containing a few hundred design
components can be manually analyzed to identify the security assets for the given
2.2 Motivation and Background 23
threat models. However, for bigger SoCs containing hundreds of IP blocks and
thousands of signals, manual analysis of the design for security assets is not
pragmatic. This problem requires an automated approach that can easily integrate
into the current design process.
2.2.2 Classification of Security Assets
As described in Sect. 2.2.1, as the designs and threat models change, so do the
security assets. Hence it becomes nearly impossible to give a proper definition
for security assets that can help designers/security engineers to identify them. To
help address this, Nusrat et al. in [14] have described the classification of security
assets. This classification describes characteristics that can help designers/security
engineers with security asset identification. The two board categories of security
assets described in [14] are:
1. Primary Assets: Primary assets are the design components that are the ultimate
target of the adversary/attack. These primary assets can be design components
that contain hardware secrets such as hardware keys, firmware, users’ passwords,
and personal information. Other design components, such as PCR registers,
entropy to true random number generator (TRNG), physical unclonable functions
(PUF), etc., which provide security for authentication and integrity, can also be
considered primary assets.
2. Secondary Assets: Secondary assets are design components that interact with/
propagate the secondary asset to various design regions. Secondary assets can be
design components that inherit sensitive information from primary assets through
functionality. These can also be design components that can help propagate the
sensitive information from the primary asset to its target location in the design.
Some secondary assets in an SoC are system buses, peripheral ports, internal
registers, etc.
An overview of security asset classification can be seen in Fig. 2.1. Primary
security assets are further classified as Static and Dynamic assets. Static security
assets are secrets embedded in the hardware during design and manufacturing.
Static assets are embedded into the ROM or FLASH of the SoC. Examples of static
assets are secure hardware, encryption & logic locking keys, etc. Dynamic security
assets are security assets that are generated during the runtime of the SoC infield.
True random numbers, PUF responses, on-chip generated keys, etc. are examples of
dynamically generated security assets.
This classification of security assets aids designers in observing the characteris-
tics of various design components and categorizing them as primary and secondary
assets. This categorizing can help design houses to identify regions of the design
that require protective measures, i.e., primary and secondary security assets. This
classification further helps designers to focus security efforts towards protecting the
Fig. 2.1 Classification of security assets into Primary and Secondary assets. Primary assets are the
ultimate target of protection and can further be classified as static and dynamic assets. Static assets
are stored in the chip from design time, whereas dynamic assets are generated during the run-time.
Secondary assets are all design components that help propagate or store the primary asset
security assets, thus providing a higher level of security with lesser effort rather than
trying to protect all design components.
2.2.3 Assessing Security Assets
A vulnerability-free, secure SoC encapsulates a tight and secure integration of the

various induvial secure hardware IP blocks. The security assets for an SoC include
the design components of each hardware IP that are crucial for the security of that
IP block and the design components that integrate these various hardware IP blocks.
Figure 2.2 shows a sample SoC. The sample SoC consists of a processing core that
acts as the brain of the SoC. It consists of two types of memory an external ROM
containing a few secure memory blocks and internal RAM and a DMA block to
access the ROM. Various security-related IP blocks are present such as a symmetric
encryption core, public key encryption core, and security primitive blocks such
as a TRNG and PUF. Connecting these various hardware blocks is a system bus.
SOC consists of peripherals such as the general purpose I/O ports and a debug port,
through which inputs and outputs flow to the processor core aided by the peripheral
bus and system bus.
A designer can identify various security assets for the SoC shown based on the
threat model under consideration. Below we present how and what security assets
are identified for the SoC shown.
1. Confidentiality Threat Model: In the confidentiality threat model, no secret or
sensitive information to leak from a highly secure region of the design to a
lowly secure region. For the SoC shown, the security IP block is a high-secure
region. IP blocks such as the GPIO and debug ports are low-secure regions, as
adversaries can access them. Sensitive information, such as encryption keys,
should never flow to these peripheral ports. The encryption keys become our
primary assets, our ultimate protection target. The encryption can either be
2.3 CAD for Security Asset Identification 25
Fig. 2.2 A sample SoC consisting of a processor core and security IPs like Symmetric Encryption
Core, Public Key Encryption Core, TRNG, PUF. A RAM and ROM memory and DMA memory
controller. Also present are peripherals such as GPIO and UART and a system and peripheral bus
to connect all the components together
embedded in the secure memory regions of the ROM or be generated by the PUF
responses, making them either static or dynamic primary assets, respectively. The
keys flow to/from the encryption cores through the system bus. As the system bus
propagates these security assets, it is our secondary asset.
2. Integrity Threat Model: In the integrity threat model, no access should be there
from a lowly secure region to a highly secure region that can modify the secure
data. The “program counter” value stored in registers in the processor core keeps
track of the program running. An adversary who can gain access to the program
counter and change it can alter its running, resulting in a malignant program or
denial-of-service. The program counter now becomes our primary asset.
2.3 CAD for Security Asset Identification
From the previous section, we have determined that for an SoC integrating a few
diverse hardware IP blocks, multiple design components are identified as security
assets depending on the threat model under consideration. For an SoC integrating
a few hundred hardware IPs with tens of threat models, this task becomes nay
impossible. However, there has not been much progress in this area of research. The
authors in the works [2, 24] describe security policy enforcement through security
asset identification but do not describe how these assets have been identified. The
works described in [10, 22] analyze the confidentiality and integrity of hardware
designs with DfT inserted, utilizing security assets. They chose the primary assets
through complete manual analysis or selected every primary input as an asset but
did not specify any methodology for asset identification. Reference [25] emphasize
the need for automation of security assets but do not provide any tool to accomplish
it.
All the previous works described above discuss how security assets can be
utilized for security assurance but do not lay out any methodologies for security
asset identification. In [13] authors, Nusrat et al., have developed an automated CAD
framework titled “Secondary Asset Identification Tool” (SAIF). The authors of [13]
developed SAIF as an automated tool to help designers identify the secondary assets
in their designs for various threat models. It is the first-of-its-kind tool developed
to help detect security assets in an SoC design. We explore SAIF in detail in the
following sections.
2.3.1 Inputs
Figure 2.3 shows an overview of the SAIF tool. SAIF identifies secondary assets in
an SoC at the register-transfer level (RTL). SAIF requires the following inputs to
detect secondary assets in an SoC at the RTL.
Fig. 2.3 Overview of SAIF workflow. It consists of three steps. Asset propagation analysis to
identify the common components. Candidate components identification to identify the common
components. Pruning steps to identity common components vulnerable to threats and then output
the final set of secondary assets
2.3 CAD for Security Asset Identification 27
1. Primary Assets: SAIF defines primary assets as input ports or design components
into secure or sensitive information flows for the SoC or hardware IP block
under consideration. Analyzing the design specification and documentation can
easily discern these primary assets. As observed in the Sect. 2.2.3, security of
the program counter (PC) value is paramount to prevent any modification to the
program execution. Hence the PC register is annotated as a primary asset and can
be input into the SAIF tool.
2. Observable Points: SAIF defines observable points as the design points inter-
acting with the outside world. Information flow control defines and classifies
data into trusted and untrusted lattices [11]. The observable points to which the
primary asset information can flow as defined by the architectural specification
are annotated as trusted observable points. All other observable points are
annotated as untrusted observable points. Reverting to our sample SoC in
Fig. 2.2, taking the PC as the primary asset, the PC value can flow to the
debug port in “HALT” debug mode of operation, when the processor halts
for debugging [9, 32]. The processor then allows the user to see the program
execution via PC value and debug through the debug port [23]. However, in the
normal mode of operation, the PC value should never flow to the debug port,
as it exposes the program execution. Hence in the normal mode of operation, the
“debug port” of the SoC is an untrusted observable point, and all other observable
points are annotated as trusted.
The designer must identify and annotate the primary assets, trusted and
untrusted observable points for the SoC. SAIF can read multiple primary assets
and observable points and output the secondary assets. Once inputs are given,
SAIF performs three significant steps for identifying the secondary assets.
2.3.2 Asset Propagation Analysis
The design search space for secondary assets in an SoC consisting of thousands
of design components can be computationally expensive. SAIF tackles this issue
through its “Asset Propagation Analysis” step. SAIF prunes the design search
space for secondary asset identification through the asset propagation analysis step.
SAIF utilizes structural analysis of the design to perform the design space pruning.
Modern CAD tools such as Synopsys Design Compiler [26] and Cadence Synthesis
[7] can analyze a design and identify all the components connected structurally,
i.e., a path exists for information propagation between the two nodes. SAIF utilizes
the principle stated: “While the presence of a structural path between two nodes in
a design does necessarily imply an information flow, the absence of a structural
path confirms the absence of any information flow between the nodes.” Hence
by detecting all the design components that are not structurally connected to the
primary input asset, we can prune out the various design components that cannot
be security assets. The asset propagation analysis step is made up of three smaller
substeps defined below:
1. Forward Analysis: SAIF performs a fan-out analysis for the primary inputs
annotated as primary assets. A fan-out analysis is a technique for analyzing the
RTL design and, for a given component, identifying its cone of influence. Using
modern CAD design tools [7, 26], SAIF performs this fan-out analysis for the
primary assets and identifies all the design components structurally connected to
it. All the identified components are stored as a set
2. Backward Analysis: To further prune the design components search space, SAIF
tries to identify the design components accessible from the observable points.
An adversary can exploit any structural path from a design component to an
observable point to gather information from it or manipulate its value. For this,
employ a technique called fan-in analysis. A fan-in analysis takes a design
component and identifies all components that affect the said design component.
By doing this we come to a trusted observable point, we can identify all the
design components structurally connected to the trusted observable point. All the
identified components are stored in a set.
3. Intersection Analysis: The final step is the intersection analysis step. With the
result sets from the forward and backward analysis, SAIF performs a common
component analysis step to identify the common components between the two
result sets. These identified components are the subset of design components in
the RTL, which are structurally connected to the primary asset and hence can
carry a non-zero probability of propagating sensitive information. They are also
connected to observable points and carry a non-zero probability of being attacked
by an adversary. This set of common design components is stored in a set termed
“Common Components.”
Thus, SAIF utilized the asset propagation analysis step for pruning the design
search space and identifying only design components with a non-zero probability
of propagating secret and secure information and a non-zero probability of being
accessed through an observable point.
2.3.3 Candidate Component Identification
A structural connection from the primary asset to the design component does not
entail carrying any of the primary asset’s sensitive information. There needs to exist
a functional path that propagates the sensitive information from the primary asset
to the design component for it to annotate it as a secondary asset. The sensitive
information would undergo various operations along the functional. Hence it also
becomes essential to identify how much of the sensitive information is preserved
in the final information reaching the design component. The candidate component
identification step allows SAIF to take the set of common components identified
from the asset propagation analysis step. It identifies all the design components
with a functional path connection to the primary asset input. It also calculates the
Another random document with
no related content on Scribd:
et en habit du soir; où au sortir Sa Majesté toucha les malades, puis
disnèrent encore ensemble.» (Statuts de l’Ordre de Saint-Michel.)
La fraternité qui régnait entre les chevaliers de Saint-Michel contrastait
singulièrement avec la division qui désolait la France. Les dévots serviteurs
de l’Archange avaient besoin de fidélité, d’union et de dévouement, pour
soutenir les intérêts de l’Église et de l’État; car, bientôt après, la guerre
éclata et couvrit le royaume de sang et de ruines. Le prince de Condé se mit
à la tête des hérétiques et se déclara l’ennemi juré de Charles IX, son
souverain, et de tous les catholiques de France. Comme en toutes les
calamités publiques, les regards se portèrent aussitôt vers le prince de la
milice céleste. Paris donna l’exemple. Le 29 septembre 1568, jour de la fête
de saint Michel, on fit dans la capitale une procession solennelle pour
implorer la protection de l’Archange vainqueur de Satan; la cour, plusieurs
évêques, les ordres religieux, une foule innombrable de fidèles assistaient à
cette pieuse cérémonie; au milieu des rangs pressés de la multitude, on
portait les reliques insignes de toutes les églises de la ville. Jamais Paris
n’avait organisé une manifestation plus imposante en l’honneur de saint
Michel. L’année suivante, les ennemis furent taillés en pièce à Jarnac et à
Moncontour, et, en 1570, la paix fut signée à Saint-Germain.
De son côté le mont Tombe recevait chaque jour de nombreux pèlerins.
Ceux-ci venaient, à la suite de l’évêque et des chanoines d’Avranches,
déposer leurs trésors sous la garde des moines; ceux-là priaient le saint
Archange de les protéger contre les attaques des hérétiques, et de les délivrer
des embûches du démon; d’autres imploraient des grâces surnaturelles ou
demandaient la santé du corps. Le roi de France, Charles IX, voulut se mêler
à cette foule de pieux visiteurs, et, en 1561, un an après avoir reçu le titre de
chevalier, il vint en pèlerinage au Mont avec son frère, le prince Henri. Le 3
avril 1565, il modifia, comme nous l’avons dit, certains articles des statuts
primitifs, et réduisit le nombre des frères à cinquante. D’après les manuscrits
du temps, et au témoignage des autorités les plus graves citées par S.
Prévost, Feuardent et dom Huynes, cette époque fut signalée par des faits
miraculeux.
Bientôt les pèlerinages allaient devenir plus difficiles et plus périlleux, à
cause des attaques continuelles qui devaient être dirigées contre le Mont. En
1570, François le Roux se démit de sa charge en faveur de l’évêque de
Coutances, Arthur de Cossé-Brissac. Pendant que ce dernier vidait ses
démêlés avec Jean de Grimouville, prieur claustral, et le parlement de
Normandie, les disciples de Calvin, nommés huguenots, levaient de nouveau
l’étendard de la révolte et dévastaient une partie des campagnes. En l’année
1576, le Mont-Saint-Michel embrassa contre eux le parti de la ligue et
résolut de leur opposer une vigoureuse résistance. Alors, comme au temps de
la guerre des Anglais, la cité de l’Archange devint le boulevard de la France
en Normandie, et l’épée victorieuse des chevaliers repoussa les attaques des
calvinistes.
Au mois de juillet de l’année 1577 une bande de huguenots, conduits par
le sieur «du Touchet,» s’approchèrent du Mont à la faveur de la nuit. Sur les
huit heures du matin, vingt-cinq d’entre eux placèrent des armes sous la selle
de leurs chevaux et pénétrèrent dans la place déguisés en pèlerins; les autres,
cachés sur la rive d’Ardevon, attendaient le moment favorable pour voler au
secours de leurs compagnons d’armes. Les huguenots, après avoir entendu la
messe et visité le monastère, se réunirent sur le Saut-Gautier, et, de là, se
répandirent dans la ville pour accomplir leur dessein. Au signal donné, ils
désarmèrent les soldats, en tuèrent un qui refusait de rendre son épée, et
frappèrent plusieurs moines et pèlerins. Jean Le Mansel, secrétaire de
l’abbaye, reçut un coup de sabre sur la tête. En même temps le sieur «du
Touchet sortit de son embuscade avec ses cavaliers et se dirigea au galop
vers les portes de la ville.» Déjà les calvinistes criaient: «ville gaignée, ville
gaignée.» Les habitants étaient dans la consternation et n’avaient d’espoir
que dans la protection de Saint-Michel.
Le lendemain on vit apparaître à la tête d’une poignée de soldats Louis de
la Moricière, seigneur de Vicques, et enseigne du maréchal de Matignon. Il
triompha des huguenots, les fit sortir de la ville et rentra dans la forteresse au
milieu des acclamations des Montois qui le regardaient comme un libérateur.
En récompense d’un tel service, le roi de France, Henri III, le nomma
capitaine du Mont, à la place de René de Baternay et lui donna le titre de
gouverneur du château. Le brave officier repoussa pendant dix ans les
attaques réitérées des calvinistes. En 1589, le sieur de Montgommery
accompagné des capitaines Corboson et La Coudraye, surprit la ville et la
livra au pillage; mais tous ses efforts échouèrent devant la résistance de la
citadelle dont il ne put jamais s’emparer. Le gouverneur alors absent du
Mont-Saint-Michel, accourut en toute hâte et pénétra dans la place par une
entrée secrète; il rallia autour de lui une poignée de braves, fit une
vigoureuse sortie contre les huguenots et les rejeta loin des remparts.
L’année suivante, le héros chrétien mourut au siège de Pontorson victime
d’une lâche perfidie. Les moines transportèrent sa glorieuse dépouille dans
la basilique de Saint-Michel, et, après lui avoir rendu tous les honneurs
funèbres, ils l’inhumèrent dans la chapelle Sainte-Anne, où reposaient déjà
plusieurs guerriers célèbres. Au-dessus de la tombe on suspendit «la lance, le
guidon, le casque et la rondache» dont l’illustre capitaine se servait dans les
combats. Sa digne épouse, Esther de Tessier, mourut trente ans plus tard et
reçut la sépulture à l’ombre du même autel. Leur fils, Jacques de la
Moricière, doyen de la cathédrale de Bayeux, donna quarante-cinq livres de
rente au monastère pour une fondation de trois messes annuelles; l’une
devait être chantée en l’honneur des saints anges, le 23ᵉ jour de juillet; à la
procession tous les moines portaient un cierge de cire blanche, afin de
témoigner leur reconnaissance «à Dieu, à la Vierge et à saint Michel» qui
s’étaient servi de l’épée du bon et pieux gouverneur, pour délivrer la ville de
l’oppression des huguenots.
Louis de la Moricière fut remplacé par le sieur de Boissuzé. Les
calvinistes occupaient alors une partie de l’Avranchin, et le Mont-Saint-
Michel leur offrait seul une sérieuse résistance. Pendant plusieurs années, ils
employèrent tour à tour la force et la ruse pour s’emparer de cette place,
mais toujours ils furent pris dans les pièges qu’ils tendaient eux-mêmes aux
catholiques. Dom Huynes raconte en ces termes une des tentatives de
Montgommery: «Les huguenots tenant une grande partie de cette province
de Normandie sous leur puissance et particulièrement les villes et chasteaux
des environs de ce Mont, dressoient des embusches pour envahir ce sainct
lieu. Et dès aussy tost qu’ils pouvoient attraper quelqu’un de cette place le
tuoient sur le champ ou le réservoient pour le mener au gibet. Il arriva un
jour en autres qu’ils prirent un soldat et luy ayant desjà mis la corde au col
luy dirent que s’il vouloit sauver sa vie qu’il leur promit de leur livrer cette
abbaye, et que de plus ils lui donneroient une bonne somme de deniers. Cet
homme bien content de ne finir sitost ses jours, et alléché de l’argent qu’ils
luy promettoient, dit qu’il le feroit et convint avec eux des moyens de mettre
cette promesse à exécution, qui furent que le soldat reviendroit en ce Mont,
espiroit sans faire semblant de rien la commodité de les introduire
secrettement en cette abbaye et leur assigneroit le jour qu’il jugeroit plus
commode pour cet effect. Le soldat leur ayant promis de n’y manquer, ils luy
donnèrent cent escus, et, bien résolu de jouer son coup, revint où il fut receu
du capitaine de ce Mont et des soldats, sans aucun soupçon, puis se mit en
devoir d’exécuter sa promesse. Pour donc la mettre à chef, il advertit
quelques jours après ces huguenots de venir le vingt-neufiesme de
septembre, à huict heures du soir, jour de dimanche et de la dédicace des
esglises Sainct-Michel, qu’ils montassent le long des degrez de la Fontaiyne
Sainct-Aubert; qu’estant là au pied de l’édifice, il se trouveroit en la plus
basse sale de dessous le cloistre, ou se mettant dans la roue il en esleveroit
quelques-uns des leurs qui par après luy ayderoient en grand silence à
monter les autres. Ainsi par cet artifice, ce Mont estoit vendu. Mais ce soldat
considérant le mal dont il alloit estre cause, fut marry de sa lascheté et
advertit le capitaine de tout ce qui se passoit. Iceluy luy pardonna et se
résolut avec tous ses soldats et autres aydes de passer tous ses ennemys au fil
de l’espée. Quant à eux ne sçachant le changement de volonté de cet homme,
et se réjouissans de ce que le temps sembloit favoriser leur dessein, tout l’air
estant ce jour là rempli d’espaisses vapeurs (comme nous voyons arriver
souvent), qui empeschoit qu’on les put veoir venants de Courteil jusques sur
ce rocher, ne manquèrent de se trouver au lieu assigné à l’heure prescrite.
Alors le soldat faisant semblant qu’il estoit encore pour eux, se mit dans la
roue et commença de les enlever l’un après l’autre, puis deux soldats de cette
place les recevoient à bras ouverts, les conduisant jusques dans la sale qui est
dessous le refectoire, où ils leur faisoient boire plein un verre de vin pour
leur donner bon courage, mais les menant par après dans le corps de garde,
ils les transperçoient à jour, se comportans ainsy consécutivement envers
tous. Sourdeval, Montgomery et Chaseguey, conducteurs de cette canaille,
s’esmerveillans de ce qu’ils n’entendoient aucun tumulte, y en ayant desjà
tant de montez, demandoient impatiemment qu’on leur jettast un religieux
par les fenestres afin de connoistre par ce signe si tout alloit bien pour eux,
ce qui poussa les soldats de céans desjà tout acharnez de tuer un prisonnier
de guerre qu’ils avoient depuis quelques jours, lequel ils revestirent d’un
habit de religieux, puis luy firent une couronne et le jettèrent à ces ennemys.
Mais entrant en soupçon si c’estoit un religieux, Montgomery voulant
sçavoir la vérité, donna le mot du gué à un de ses plus fidelles soldats et le fit
monter devant luy; estant monté en haut et ne voyant personne des siens, il
ne manqua de s’escrier: trahison! trahison! et de ce cry les ennemys prenant
l’espouvante descendirent au plus fort du rocher, se sauvèrent le mieux
qu’ils purent, laissant quatre vingt dix huict soldats de leur compagnie,
lesquels on enterra dans les grèves à quinze pas des poulins.» Cette tentative
eut lieu en 1591.
Le Mont-Saint-Michel triomphait des ennemis de l’Église; mais la
discipline religieuse s’affaiblissait au milieu du tumulte des armées. Le
cardinal de Joyeuse, qui porta le titre d’abbé de 1588 à 1615, ne fut pas aimé
des bénédictins; en retour, il parut insensible aux intérêts du monastère et
négligea les réparations même les plus urgentes. En 1594, un onzième
incendie allumé par le feu du ciel renversa la flèche et fondit les cloches. Le
sieur de Brévent, gouverneur de l’abbaye, et Jean de Surtainville élevèrent la
tour massive qui existe aujourd’hui; mais cette belle «pyramide» qui «estoit,
au dire des annalistes, l’une des plus hautes du royaume,» ne fut pas
reconstruite et l’on ne vit plus l’image de l’Archange dominer sur le pinacle
de l’édifice.
La trahison se joignit encore aux horreurs de la guerre et de l’incendie.
Jacques de Boissuzé, jaloux de voir le sieur Vaulouet nommé à sa place
capitaine du château, jura de tirer une vengeance éclatante et tourna ses
armes contre la cité de saint Michel. Après plusieurs tentatives il pénétra
dans la ville en 1595; mais il ne put se rendre maître de la citadelle, et
quelque temps après il fut tué par les habitants du Mont. Un an plus tard, le
marquis de Belle-Isle voulut se faire ouvrir les portes de la forteresse, en sa
qualité de gouverneur de la Basse-Normandie, et, «aussy, disait-il, pour prier
l’Archange saint Michel.» Henri de la Touche, frère et lieutenant du
capitaine Julien de Quéroland, qui venait de succéder au sieur de Vaulouet,
sortit du corps de garde et alla représenter au marquis de Belle-Isle, qu’il
n’était pas prudent de pénétrer dans l’intérieur du château avec sa suite
nombreuse. Il fut convenu que cinq hommes seulement le suivraient. Julien
de Quéroland, gentilhomme breton aussi loyal que brave, reçut le traître avec
tous les honneurs possibles, sans soupçonner sa perfidie; mais comme tout le
monde entrait malgré les conventions, le caporal de garde ferma la porte. Le
sieur de Belle-Isle dit alors que si sa suite n’entrait pas il allait sortir.
Aussitôt, par ordre du capitaine, la porte fut ouverte de nouveau. Le traître
mit la main à l’épée, se précipita sur le caporal et le tua; puis, se tournant
vers Henri de la Touche, il l’étendit mort sur le pavé. Ceux de sa suite armés
de pistolets et d’épées attaquèrent le sieur de Quéroland, massacrèrent sept
hommes de la garnison et s’emparèrent du corps de garde; mais le capitaine
rallia ses hommes et revint au combat. Le marquis de Belle-Isle tomba mort,
et parmi ses gens les uns furent tués ou blessés, et les autres prirent la fuite.
Le brave de Quéroland restait maître de la ville. Les annalistes disent qu’il
reçut dans le combat «dix-huit coups tant d’espée que de pistolet.» Après
avoir triomphé d’un traître, il périt victime d’un infâme complot. Un jour, il
était sorti de la place et chevauchait sur les grèves suivi de son valet; celui-ci
soudoyé par la famille de Belle-Isle, s’approcha de lui, le tua d’un coup de
pistolet et prit la fuite à toute bride. Le héros breton fut inhumé avec son
frère dans la basilique de l’Archange auprès de la tour.
Les mêmes scènes se reproduisaient dans le reste de la France, et partout
saint Michel était vénéré comme le vainqueur de l’hérésie; il suffira d’en
citer un exemple. Avallon, perchée à la cime de son rocher de granit, était au
pouvoir de la Ligue. Dans la nuit du 28 au 29 septembre 1591, les
assiégeants y pénétrèrent après avoir pratiqué une large brèche dans le mur
d’enceinte. Ils croyaient la ville prise, quand le maire et le syndic
accoururent à la tête des habitants et les repoussèrent avec vigueur. Ce
triomphe, coïncidant avec la fête de saint Michel, fut attribué à la protection
du glorieux Archange, et, l’année suivante, les magistrats de la ville, de
concert avec les chanoines de Saint-Lazare, arrêtèrent que l’on ferait en
l’honneur du prince de la milice céleste une procession générale à laquelle
assisteraient les habitants d’Avallon «jusqu’aux escoliers, deux à deux,
honestement vestus, ayant chacun ung cierge ardent, accompagnés et
conduits par le principal du collège et ses subalternes;» et tout celà, disaient-
ils, parce que «l’Archange, monsieur saint Michel,» les avait protégés contre
les efforts de «Sathan,» et s’était montré sur la «braîche» de la place pour en
défendre l’entrée «aux hérétiques» et à leurs suppôts; de même que jadis, au
«temps de Jehanne la Pucelle,» il parut sur le pont d’Orléans et préserva la
ville contre les attaques des Anglais.
Toutes ces luttes ajoutèrent plus d’une page émouvante à l’histoire de
saint Michel. D’un autre côté, la perfidie et la cruauté des huguenots
n’arrêtèrent pas complètement les manifestations religieuses. Les rois de
France, il est vrai, ne visitaient plus le sanctuaire national depuis la mort de
Charles IX; mais ils favorisaient la dévotion du peuple envers le saint
Archange: par lettres patentes de 1585, 1588 et 1601, Henri III et Henri IV
confirmèrent les privilèges de la confrérie établie dans la capitale pour les
pèlerins du Mont-Saint-Michel. Cependant l’abbaye était en décadence.
François de Joyeuse avait réduit à treize le nombre des religieux et plusieurs
articles de la règle primitive étaient tombés en désuétude; mais l’Archange
veillait à l’honneur de son sanctuaire et l’on vit bientôt se lever des jours
plus calmes et plus prospères.
II.
SAINT MICHEL ET LE SIÈCLE DE LOUIS XIV.

e dix-septième siècle était à son aurore. La vérité avait triomphé de
l’erreur. Louis XIII, dit le Juste, siégeait sur le trône de France. Quelle
place le glorieux Archange devait-il occuper dans la pensée des
fidèles, au milieu de ce grand siècle, qui fut comme une halte entre les
guerres religieuses et les horribles scènes de la révolution? Saint Michel
resta sur le trône que la piété de nos pères lui avait élevé, immédiatement au-
dessous du Sauveur et de sa divine Mère; les sciences et les arts,
l’éloquence, la poésie, la peinture, l’architecture publièrent à l’envi sa
puissance et sa gloire; des paroisses érigèrent en son honneur de nouvelles
confréries; le titre de chevalier fut regardé comme la récompense de la
bravoure et du savoir; de nombreux pèlerins fréquentèrent les chemins
montois, et plusieurs d’entre eux furent témoins des merveilles que le ciel ne
cessait d’opérer dans la vieille basilique du mont Tombe. Toutefois, les
beaux jours du moyen âge ne devaient plus refleurir. Sous Louis XIII, saint
Michel perdit son titre de premier patron du royaume; peu à peu la
popularité de son nom diminua; la magistrature, l’armée, les écoles, les
corporations se choisirent des protecteurs particuliers; les protestants ne
crurent pas mieux faire pour se débarrasser d’un tel ennemi que de nier son
existence personnelle, et Bossuet, le plus grand génie des temps modernes,
dut prendre la défense du prince de la milice céleste.
Le principal sanctuaire de l’Archange inaugura cette ère nouvelle par une
réforme que l’affaiblissement de la discipline avait rendue nécessaire. En
1615, Louis XIII choisit pour remplacer François de Joyeuse un descendant
de la maison de Guise, Henri de Lorraine. A la demande du souverain
Pontife, l’administration de l’abbaye fut confiée au général de l’Oratoire de
France, Pierre de Bérulle, qui devait être honoré plus tard du titre de cardinal
(fig. 112). Aussitôt un prêtre de cette congrégation, appelé Jacques Gastaud,
se rendit au Mont-Saint-Michel, et travailla de concert avec le duc de Guise
à réparer les bâtiments qui tombaient en ruine, et à ramener les moines à la
stricte observance des règles de saint Benoît. Pour consolider à l’ouest de la
montagne les
Fig. 112.—Portrait du cardinal Pierre de Bérulle, fondateur de la congrégation de l’Oratoire. D’après
la gravure de B. Audran, conservée au collège des oratoriens à Juilly.
constructions de Robert de Torigni, il éleva le contre-fort marqué aux armes

de l’abbé. L’année suivante, il fit orner le chœur de la basilique et achever
les lambris de la nef.
La réforme des moines offrit de plus grandes difficultés. D’après les
historiens du temps, la princesse de Guise, mère du jeune Henri de Lorraine,
apprit avec peine que plusieurs pèlerins du Mont parlaient «en mauvaise
part» de l’abbé commendataire et des religieux; elle n’omit rien pour faire
accepter à ces derniers un prieur d’un autre monastère. Ils y consentirent, et
reçurent successivement dom Noël Georges et dom Henri du Pont. Ce
remède n’étant pas proportionné à l’étendue du mal, il fallut songer à une
réforme complète. Des tentatives furent faites pour introduire au Mont-Saint-
Michel des prêtres de l’Oratoire, ou des bénédictins anglais de Saint-Malo;
elles échouèrent devant l’opposition des religieux. Alors un des membres de
la congrégation de Saint-Maur, Anselme Rolle, alla secrètement étudier la
situation de
Fig. 113.—Sceau de l’abbaye du Mont-Saint-Michel. Dix-septième siècle. Archives nationales.
l’abbaye. Dom Martène rapporte, dans l’histoire manuscrite de son ordre,

que ce bon religieux passa la nuit dans l’église du mont Tombe et fut
favorisé d’une vision céleste: un personnage mystérieux lui apparut et lui dit:
«Votre voyage ne sera pas inutile, vous réussirez dans votre entreprise et
Dieu sera servi sur cette montagne par les bénédictins de Saint-Maur.» En
effet, après de longs pourparlers, douze religieux de cette congrégation
s’établirent au Mont-Saint-Michel, le 27 octobre 1622. Ainsi, grâce au duc
de Guise et à sa noble épouse, l’antique abbaye, fondée par Richard Iᵉʳ, en
966, voyait naître une ère nouvelle, 656 ans après l’arrivée des premiers
enfants de saint Benoît. La ferveur des anciens jours allait revivre, et des
années de prospérité s’annonçaient pour la cité de l’Archange. On attribua
une large part au chef de la milice céleste dans cette œuvre de rénovation;
aussi, quand la petite colonie arriva au Mont, conduite par l’évêque
d’Avranches, elle monta directement à l’église et entonna «un respond de
saint Michel,» immédiatement après le chant du Veni Creator. Le même jour
et au même moment, dit dom Huynes, le duc de Guise «deffit l’armée navale
des impies et rebelles Rochelois,» et sa victoire «bien marquée sur les
tablettes du Mont» fut attribuée à l’archange saint Michel, protecteur de la
France, qui voulut de la sorte témoigner le «grand contentement qu’il
recevoit de cette nouvelle réforme sur ce rocher esleu et choisy par luy pour
estre réclamé et invoqué de toutes les nations ennemyes des heretiques.»
A la mort de l’illustre gentilhomme, l’héritier de son nom, Henri de
Lorraine, renonça pour toujours à ses droits sur l’abbaye du Mont-Saint-
Michel,
Fig. 114.—Cachet d’Étienne de Hautefeuille, abbé commendataire 1689.
et en 1644, le souverain Pontife ratifia l’élection de Jacques de Souvré,

chevalier de Malte et commandeur de Valence. Il était, disent les
chroniqueurs, «homme de grande vertu et prudence,» il aima ses religieux et
soutint leurs intérêts avec énergie contre Jacques de Montgommery, seigneur
de Lorges, et Roger d’Aumont, évêque d’Avranches. En 1670, la crosse
passa aux mains d’Étienne Le Bailly de Hautefeuille, chevalier de Malte et
commandeur de Villedieu (fig. 114). Il sut gagner l’affection des religieux
par l’aménité de son caractère; mais sa prélature n’eut rien de remarquable.
Il mourut à Paris, le 4 mars 1703, à l’âge de soixante-dix-sept ans.
Parmi les prieurs qui gouvernèrent le Mont, pendant l’absence des
commendataires, un certain nombre, comme Charles de Malleville, Augustin
Moynet, brillèrent par l’éclat de leurs vertus; Placide de Sarcus, Bède de
Fiesque, Dominique Huillard, Pierre Terrien et Joseph Aubrée travaillèrent à
la restauration de l’abbaye; d’autres, à l’exemple de Michel Pirou et de
Maieul Hazon, rétablirent les hautes études et restituèrent au mont Tombe
une partie de son ancienne réputation. Il existait pour les religieux des
chaires de rhétorique, de philosophie et de théologie. Dom Hunault professa
la rhétorique avec succès; dom Pirou commença en 1633 un cours de
philosophie, et les RR. PP. Jérôme d’Harancourt et Philibert Tesson
enseignèrent la théologie à «quinze profès de la congrégation.» De 1635 à
1640, dom Huynes, natif du diocèse de Beauvais, écrivit dans son style naïf
l’Histoire générale du Mont-Saint-Michel. Elle fut annotée et complétée par
Louis de Camps et Étienne Jobart. En 1647, un autre bénédictin du même
monastère, Thomas le Roy, commença le livre des Curieuses recherches du
Mont-Saint-Michel depuis l’an 709 jusqu’au 24 février 1648. Le plus sérieux
de ces annalistes, dom Huynes, mérite l’éloge que lui décerne M. E. de
Robillard de Beaurepaire: il est «consciencieux jusqu’au scrupule, exact
jusqu’à la minutie et d’une absolue sincérité.» Comme Guillaume de Saint-
Pair, il a composé son ouvrage pour répondre à la juste curiosité des
pèlerins: «Si vous désirez en faire la lecture, leur dit-il dans sa préface, vous
pourez voir apertement quel est et a esté de tout temps ce Mont-Saint-
Michel, en quel estime les fidelles l’ont eu, ce qui s’y est faict et passé et
combien ce rocher est agréable aux anges, mais particulièrement à
l’Archange st Michel, lequel vous veille un jour présenter devant le Throsne
du Roy des roys pour jouir à jamais avec luy de la présence de Dieu.» A
chaque page, le pieux auteur nous donne des preuves de sa dévotion envers
les saints anges et spécialement envers le prince de la milice céleste; il leur
demande avant tout de guider sa plume et de ne pas permettre qu’il s’écarte
jamais de la vérité: «Soyez, je vous prie, o esprits célestes, conducteurs de
cette mienne entreprise et gardez tellement mon esprit et ma plume qu’en
tout ce que j’escriroy, je ne m’esloigne nullement de la vérité.»
Les constructions de cette époque n’ont plus la grandeur, ni la beauté des
édifices du moyen age. Il faut l’attribuer en grande partie à la décadence de
l’art au dix-septième et surtout au dix-huitième siècle. Dom Placide Sarcus
bâtit sur la tour Gabrielle un moulin dont il existe encore des traces; le
sanctuaire fut enrichi de vases et d’ornements précieux; Jacques de Souvré
donna pour la chapelle de l’Archange un tableau d’une grande valeur; de
concert avec le prieur dom Moynet, il fit exécuter des travaux importants
pour isoler l’abbaye de toute communication avec la place dont il avait été
nommé capitaine et gouverneur. Quelques moines s’occupèrent avec succès
de la culture des arts, et laissèrent des œuvres qui n’étaient pas sans mérite.
Si nous en croyons Louis de Camps, l’écusson du monastère portait toujours:
«d’argent chargé de coquilles saint Michel de sable sans nombre, au chef
d’azur à trois fleurs de lys d’or.» D’après un manuscrit fort curieux
Fig. 115.—Armoiries de l’abbaye au seizième et au dix-septième siècle.
sur les Monuments des abbayes de Bayeux et d’Avranches, les armoiries

définitivement arrêtées se lisaient ainsi: «de sable à dix coquilles, ou navets
d’argent posées 4, 3, 2, 1, au chef d’azur chargé de trois fleurs de lys d’or,
surmonté d’une mitre et d’une crosse d’or.» Des archéologues distingués
veulent, au contraire, que l’émail soit d’argent et les coquilles de sable (fig.
115).
Dans le cours du dix-septième siècle, plusieurs pèlerins visitèrent le
Mont-Saint-Michel. L’un des plus célèbres, Charles de Gonzague, donna
pour l’autel un tableau qui représentait la «cheute du démon.» L’an 1631, dit
dom Huynes, «Henri de Bourbon, prince de Condé, lors la première
personne de ce royaume de France après le roy, et Monsieur frère unique de
Sa Majesté» allèrent au Mont et y passèrent la nuit pour entendre la messe le
lendemain, avant leur départ. Le vénérable père Montfort visita aussi le
sanctuaire du mont Tombe et plaça ses grands travaux sous la protection de
l’Archange.
Dom Louis de Camps et dom Étienne Jobart nous fournissent des détails
curieux sur les pèlerinages de cette époque. En 1644, il arriva au Mont une
compagnie d’Argentan, composée de cent vingt hommes «avec quatre bons
tambours.» Deux ans plus tard, trente-cinq femmes de la ville de Beaugé, en
Anjou, exécutèrent à pied le voyage du mont Tombe. L’une d’elles marchait
en tête, portant un guidon d’une main et de l’autre un chapelet. «Un petit
garçon de 10 à 12 ans leur battoit la caisse.» Elles entrèrent dans l’église
deux à deux, se confessèrent, reçurent la sainte communion et accomplirent
leurs dévotions à saint Michel. Au sortir de la ville, elles rencontrèrent une
procession de cent vingt hommes de leur paroisse; ceux-ci les firent passer
entre leurs rangs et gravirent à leur tour la pente de la montagne. L’année
suivante, cinquante jeunes gens, «dont le capitaine, le lieutenant et le porte-
enseigne estoient de fort honnestes gentilshommes,» arrivèrent du diocèse de
Séez et se trouvèrent au Mont avec quarante pèlerins d’une paroisse du
Mans. Le lendemain une compagnie de cinquante-cinq hommes, aussi du
diocèse du Mans, firent leur entrée dans la ville avec bannière déployée et
«tambour battant.» Deux mois après, les villes de Bayeux et de Vire
envoyaient au Mont plus de deux cents pèlerins, dont plusieurs appartenaient
aux premières familles du pays. Au dire des annalistes, l’année 1663 vit se
renouveler les grandes manifestations du moyen âge. Dans une seule
semaine, les moines reçurent «deux compagnies dont la moindre estoit de six
cents personnes. En l’une il y avait plus de quatre cents chevaux.»
Monsieur de Montausier, gouverneur de Normandie, vint à la même
époque prier devant l’autel de l’Archange. Les religieux lui firent une
brillante réception, et l’invitèrent à s’asseoir à leur table. Deux ans plus tard,
le duc de Mazarin, lieutenant du roi pour la province de Bretagne, fut
accueilli avec les mêmes signes de distinction. La communauté, «revêtue en
froc,» l’attendait au bas du Saut-Gautier; le R. P. prieur, accompagné de
deux chantres en chappe et de deux acolytes en aube, présenta de l’eau
bénite au duc et lui fit «une harangue.» Avant de quitter ses hôtes, le pieux
gentilhomme se confessa et s’assit à la table sainte.
Les pèlerins devaient quitter leurs armes à l’entrée de la ville; les
chevaliers de Saint-Michel et les princes du sang avaient seuls le privilège de
franchir les portes du château l’épée au côté. Cet usage occasionna souvent
de fâcheuses collisions. Un jour, Henri de la Vieuville, commandeur de
Savigny, voulut traverser le poste des gardes sans se soumettre à la loi
commune; les bourgeois de la ville lui fermèrent le passage; aussitôt le jeune
cavalier dégaîna et dit avec colère: «On me laisse pénétrer ainsi dans le
Louvre;» puis, il donna sur un portier plusieurs coups de plat de sabre.
«Après quoi, dit une chronique, il se fit un grand tumulte à la porte, et peu
s’en fallut qu’on ne le canardât. Mais bien lui en prit que cela arriva de bon
matin et que les cervaulx de nos bourgeois n’estoient point encore
eschauffez du cyldre de Normandie.»
Alors comme au moyen âge, la puissante protection de l’Archange se
manifesta par des prodiges éclatants. Dans un fléau qui décima la ville de
Pontorson, la rue saint Michel fut seule épargnée. Une famille du diocèse de
Coutances reçut par l’entremise de l’Archange une grâce signalée. Au milieu
d’un incendie des enfants furent trouvés sains et saufs sous les débris d’une
maison; ils racontèrent qu’un ange au visage radieux était venu les secourir
et les avait arrachés à la mort. Tous ces faits merveilleux furent contrôlés
avec soin par les moines et relatés dans les annales de l’abbaye.
La dévotion envers le glorieux Archange n’était pas éteinte dans la
maison de France. Au commencement du dix-septième siècle, Mˡˡᵉ Marie de
Montpensier, comtesse de Mortain, fit bâtir sur le rocher qui domine cette
ville un oratoire dédié à saint Michel. Au milieu des désordres qui
accompagnèrent la minorité de Louis XIV, la reine mère, Anne d’Autriche,
fit vœu d’élever un autel en l’honneur de l’Archange et le pieux fondateur de
Saint-Sulpice, M. Olier, composa pour elle cette formule de consécration:
«Abîmée dans mon néant, et prosternée aux pieds de votre auguste et sacrée
majesté, honteuse dans la vue de mes péchés de paraître devant vous, ô mon
Dieu, je reconnais la juste vengeance de votre sainte colère irritée contre moi
et contre mon État; et je me présente toutefois devant vous au souvenir des
saintes paroles que vous dîtes autrefois à un prophète: J’aurai pitié de lui et
je lui pardonnerai, à cause que je le vois humilié en ma présence. En cette
confiance, ô mon Dieu, j’ose vous faire vœu d’ériger un autel à votre gloire,
sous le titre de saint Michel et de tous les Anges; et, sous leur intercession, y
faire célébrer solennellement, tous les premiers mardis des mois, le très saint
sacrifice de la messe, où je me trouverai, s’il plaît à votre divine bonté de
m’y souffrir, quand les affaires importantes du royaume me le pourront
permettre, afin d’obtenir la paix de l’Église et de l’État. Glorieux saint
Michel, prince de la milice du ciel, et général des armées de Dieu, je vous
reconnais tout-puissant par lui sur les royaumes et les États. Je me soumets à
vous avec toute ma cour, mon État et ma famille, afin de vivre sous votre
protection, et je me renouvelle, autant qu’il est en moi, dans la piété de tous
mes prédécesseurs, qui vous ont toujours regardé comme leur défenseur
particulier. Donc, par l’amour que vous avez pour cet État, assujettissez-le
tout à Dieu et à ceux qui le représentent.»
Bientôt la paix succéda aux horreurs de la guerre civile et le règne
glorieux de Louis XIV fit oublier les mesquines rivalités de la Fronde. Le
jeune roi reçut le collier de Saint-Michel en 1643 et le porta soixante-douze
ans. Le 12 janvier 1665, il entreprit la réforme de l’Ordre. Dans ce but, il
réduisit à cent le nombre des chevaliers, et ordonna de les choisir parmi les
hommes de naissance et de mérite; de plus, il joignit treize articles aux
statuts primitifs. Le sceau de l’ordre était perdu. Le marquis de Torcy fit
exécuter plusieurs dessins, et les proposa au monarque; «Sa Majesté choisit
celuy qui avoit esté fait d’après le fameux tableau de Raphaël (fig. 116).»
Louis XIV voulut aussi favoriser les pèlerinages du Mont-Saint-Michel, et,
par ses lettres patentes du 15 janvier 1669, il confirma les privilèges de la
confrérie dont le siège était à Paris, et lui donna l’autorisation de nommer
tous les ans, à la manière accoutumée, deux maîtres et administrateurs, qui
devaient avoir fait le voyage du Mont-Saint-Michel. A cette époque nos rois
et les princes du sang étaient encore jaloux de «rendre le pain bénit à cette
confrérie.» Les pèlerins, de leur côté, avaient conservé l’habitude de faire
prier pour les confrères décédés dans le cours de l’année; à cette intention
une grand’messe était célébrée dans la chapelle du palais le dimanche qui
suivait la fête de saint Michel, et une messe basse était dite, le lendemain,
ainsi que les seconds dimanches de chaque mois.
Fig. 116.—Sceau et contre-sceau de la chevalerie de Saint-Michel, exécutés sous Louis XIV.
Au point de vue stratégique, l’abbaye-forteresse eut son importance sous

ce règne, comme sous les précédents. En 1661, Louis XIV envoya au Mont
trente soldats dont dix étaient pour le fort de Tombelaine; mais comme cette
garnison imposait à la ville des charges trop onéreuses, l’abbé de Souvré
réduisit à cinq le nombre des soldats; c’est pourquoi, dit dom Louis de
Camps, les religieux lui souhaitèrent «toute prospérité en ce monde et la
gloire en la vie éternelle.» Cependant, comme la guerre devenait de plus en
plus imminente avec les Anglais, le sieur de la Chastière, qui espérait, selon
l’expression d’Étienne Jobart, «monter sur la roue de la Fortune,» et rendre
sa personne «plus considérable,» fit venir au Mont-Saint-Michel une
compagnie de piétons. Ils s’installèrent dans la ville et le château, le 10
janvier 1666. Mais ce capitaine se rendit odieux par ses vexations, au point
que les moines invoquèrent solennellement contre lui l’assistance «du
glorieux Archange saint Michel.» Il mourut peu de temps après, et, le 13
juillet 1667, l’abbé commendataire, Jacques de Souvré, obtint le titre de
gouverneur. Cette nouvelle fut accueillie avec reconnaissance par les
habitants du Mont, «lesquels, dit dom Jobart, en feirent des feux de joye
avec les salvades et descharges de l’artillerie tant de la ville que du chasteau,
ce qui fut encore réitéré avec joye et allégresse le 25 du mesme mois, jour de
saint Jacques, apostre, patron de M. nostre abbé et gouverneur.» Maieul
Hazon, prieur claustral, fut chargé de la garde du mont Tombe en qualité de
lieutenant; il divisa toute la bourgeoisie en six escouades de 9 à 10 hommes,
et les chargea de veiller tour à tour aux portes de la ville, et de fournir trois
hommes pour garder le château avec les portiers de l’abbaye.
Tel était le Mont-Saint-Michel sous le règne de Louis XIV. A cette
époque fameuse dans l’histoire, la cité de l’Archange apparut encore
«orgueilleuse et fière» selon la belle expression de Mᵐᵉ de Sévigné. La
vieille basilique fut, comme au moyen âge, le centre et le foyer de la
dévotion des peuples envers le prince de la milice céleste. Plusieurs pèlerins,
après avoir visité le sanctuaire du mont Tombe, élevèrent des chapelles ou
des autels en l’honneur du saint Archange; d’autres établirent des confréries
ou firent de pieuses fondations. La paroisse du Sap, dans le diocèse de Séez,
nous en offre un exemple remarquable. En 1688, plusieurs bourgeois de cette
localité, entreprirent un voyage au sanctuaire «du bienheureux Archange
saint Michel par esprit de dévotion,» afin d’obtenir sa puissante protection
«pendant et après le cours de leur vie.» De retour au Sap, ils fondèrent «à
l’honneur de Dieu, sous les auspices et intercession» du glorieux Archange,
«une messe solennelle à diacre, sous-diacre et chappiers.» Elle devait être
célébrée tous les ans et à perpétuité le jour de la fête de saint Michel, «le 16
octobre.» Cette messe était précédée d’une procession où l’on chantait les
litanies de tous les saints anges; elle se
Fig 117.—Médaille (face et revers) des membres de la confrérie de Saint-Michel à Joseph-Bourg.
Fig. 118.—Bourdon des processions solennelles (face et revers) de la confrérie électorale de Saint-
Michel, pour les agonisants, érigée premièrement à Joseph-Bourg, en Bavière. 1693.
terminait par le chant du Libera et la récitation du Pater pour les fondateurs

défunts, leurs parents et leurs amis. La solennité était annoncée par quatorze
coups de cloche, suivis du carillon. Pour cette fondation annuelle, les
bourgeois du Sap versèrent entre les mains de Jean Lesage, trésorier, la
somme de cinquante livres. Les membres de la confrérie devaient choisir
tous les ans l’un d’entre eux pour «roy,» à charge de présenter à la messe du
16 octobre un pain à bénir, avec deux cierges blancs. Le roi veillait aussi à
l’exécution des règlements et poursuivait les membres qui voulaient s’y
soustraire.
Les autres confréries n’étaient pas moins prospères. Un ouvrage
intéressant, l’Explication de l’institution des règles et des usages de la
confrérie électorale de Saint-Michel archange, nous fournit des détails
curieux sur l’association érigée en 1693 pour les agonisants à Joseph-Bourg
en Bavière. Le but de l’œuvre était d’imiter la douceur et l’humilité de Jésus-
Christ en se dévouant au service des agonisants et des défunts. La devise
était le cri de guerre de saint Michel: Quis ut Deus! L’esprit dont les
confrères devaient donner l’exemple, était exprimé par quatre lettres: F. P. P.
F.: force, piété, persévérance, fidélité. Un archichapelain, un prédicateur et
deux autres prêtres administraient la confrérie. Chaque membre devait porter
la médaille qu’il recevait le jour de son entrée dans l’association (fig. 117).
Le costume variait selon les circonstances: il y avait l’habit solennel, l’habit
ordinaire, l’habit de pénitence, l’habit de funérailles, l’habit de pèlerinage
(fig. 114 à 129). Chacun de ces costumes était accompagné d’une croix
particulière comme marque distinctive: la croix double pour l’habit solennel,
la croix simple pour l’habit ordinaire, la croix recroisée pour l’habit de
pénitence, la croix orbée pour l’habit de funérailles, la croix en sautoir pour
l’habit de pèlerinage. Tous les confrères portaient le bourdon à la main (fig.
118). Cette pieuse association s’établit à Freisengen, à Bonne, à Cologne, à
Liège et en plusieurs autres localités; elle était très florissante au
commencement du dix-huitième siècle, et, en 1706, elle recruta trois cent
quatre-vingt-quinze membres dans la seule cité de Lille. Elle comptait alors
cent mille affiliés.
Cependant, comme nous l’avons déjà dit, le culte de saint Michel trouva
des contradicteurs à cette époque. Des catholiques, par exemple à Malines,
avancèrent hardiment que le chef des anges en sa qualité de pur esprit ne
pouvait être représenté sous des formes sensibles, et
Fig. 119.—Pièces d’un habit de confrère.

Fig. 120.—L’habit solennel.
Fig. 121.—L’habit ordinaire.
Fig. 122.—L’habit de pénitence.
qu’il n’était pas permis de porter son image en procession; d’autres, parmi
les protestants, osèrent nier l’existence personnelle de saint Michel, malgré
l’enseignement unanime de l’Écriture sainte, de la tradition et de la
théologie. Bossuet dans son langage énergique vengea le nom et la gloire du
saint Archange: «Il ne faut point hésiter, dit-il, à reconnaître saint Michel
pour défenseur de l’Église, comme il l’étoit de l’ancien peuple, après le
témoignage de saint Jean... conforme à celui de Daniel... Les protestants qui
par une grossière imagination

Full Ebook of Cad For Hardware Security 1St Edition Farimah Farahmandi Online PDF All Chapter

Uploaded by

Copyright:

Available Formats

You might also like

Full Ebook of Cad For Hardware Security 1St Edition Farimah Farahmandi Online PDF All Chapter

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Full Ebook of Cad For Hardware Security 1St Edition Farimah Farahmandi Online PDF All Chapter

Uploaded by

Copyright:

Available Formats

CAD for Hardware Security 1st Edition

Behavioral Synthesis for Hardware Security Srinivas

The Hardware Hacking Handbook Breaking Embedded

The Hardware Hacking Handbook Breaking Embedded

Nanoelectronic Devices for Hardware and Software

The Next Era in Hardware Security A Perspective on

Scrum for Hardware Design 1st Edition David G. Ullman

Git for Electronic Circuit Design: CAD and Version

Git for Electronic Circuit Design: CAD and Version

CAD for Hardware

CAD for Hardware Security

Sree Ranjani Rajendran Mark Tehranipoor

ISBN 978-3-031-26895-3 ISBN 978-3-031-26896-0 (eBook)

Emerging hardware security vulnerabilities are menacing since it is almost impossi-

security. We anticipate that this book will provide comprehensive knowledge to

Gainesville, FL, USA Farimah Farahmandi

A handful of books in the community cover CAD tools in the automation of

1 Introduction to CAD for Hardware Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

3.3 Threat Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

4 CAD for Information Leakage Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

7 CAD for Fault Injection Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

9.3.5 Verification Driven Formal Architecture and

12.3.1 Secure High-Level Synthesis: Challenges and Solutions 263

14.6.1 Bypass Attack Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326

17.4.2 Remote Fault Injection Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . 388

© The Author(s), under exclusive license to Springer Nature Switzerland AG 2023 1

Fig. 1.1 Electronic Devices

Due to the complexity of modern computing devices, challenges in SoC design

1.1.1 Emergence of Threats in Hardware Supply Chain

A modern computing system is illustrated in Fig. 1.2 in terms of different fields

potential security risks are present. Information security ensures confidentiality,

Tens of parties involved!

Owner Designer Foundry OSAT End-user

Bloomberg: Design stolen by

Bloomberg: Tampered Chip

vulnerability gets reduced by 43% if hardware vulnerabilities are expunged from

1.1.2 SoC Security Development Life-cycle (SDL)

CAD Tools Utilization

Product Concept Threat Security Design Security Incident

1.1.3 Security Requirements

This section describes the security requirements to be considered while designing

1. Primary Assets—High priority of protection is given by the designer. For

2. Secondary Assets—Infrastructures that support the protection of primary assets

1.2 CAD Tools in SoC Supply Chain

VLSI CAD Tools Utilization in SoC Design Flow

Synthesis Tools Analysis Tools Testing Tools

Synthesis Checkers Verifiers Testers

1.2.1 Significance of CAD Tools in SoC Life-cycle Security

1.2.2 CAD Tools in SoC Life-cycle Threats

SoC Life-Cycle Hardware Threats

IP Piracy Fault Injection

Trojan Implant Fault Injection

Leak Secret Information Reverse Engineering

System Security Placement Physical Verification Security

6. Hardware Trojans: Once triggered, malicious modifications to the circuit may

design stage to develop a design-for-trust techniques such as watermarking [24], IC

1.2.3 CAD Tools as Vulnerability Source: The Other Side of

1.2.4 The Need for CAD Solutions For SoC Security