We are glad to host a wide variety of renowned speakers from academia and industry that are presenting on the diverse aspects of hardware reverse engineering. Please see below for an overview of the speakers (listed in alphatical order) and the titles and abstracts of their talks.

List of Speakers

Opening Remarks

Welcome to HARRIS
Christof Paar, MPI-SP, Germany

Opening of the workshop and a brief journey through hardware security and Trojans in particular.


Hardware Reverse Engineering: A Vital Necessity Facing Tremendous Challenges
Olivier Thomas, Texplained, France

The semiconductor industry is one of the most evolving sector of the last 60 years. From the military dedicated simple chips to the nowadays extremely complex components embedded in everything, the heart of technology have quickly and intensely revolutionized our world. First used for piracy and anti-piracy activities, the Hardware Reverse Engineering has evolved along with the semiconductor development. From the very basic tools and processes of the 90’s made for recovering data from ICs, to the current automated solutions, hardware reverse engineering has become the method required for many purposes. Nowadays used for criminal investigations, backdoor research, IP infringement investigation, obsolete devices management, hardware security evaluation, etc. reversing chips brings together an ever-growing community. More advanced tools, more experience, more knowledge sharing will allow to face the future of reverse engineering, which is paved with many challenges due to the increase of complexity and protection of ICs and devices.


A Structured Approach to FPGA Reverse Engineering
Nils Albartus, MPI-SP, Germany

In this talk, we present a structured approach to semi-automatically reverse engineer a modern FPGA design in a black-box setting. Utilizing an ensemble of novel techniques, we demonstrate the applicability of our approach on an FPGA found in a smartphone. Our case study includes automated extraction of a gate-level netlist from the FPGA bitstream, sophisticated netlist analysis techniques to detect word-level structures and their bit order, and a novel approach called hardware-assisted virtual probing for dynamic netlist analysis. Our work highlights the importance of hardware reverse engineering (HRE) for assuring trust in third-party integrated circuits.

GNN-RE: Graph Neural Networks for Reverse Engineering of Gate-Level Netlists
Lilas Alrahis, NYUAD, UAE

Graph Neural Networks (GNNs) have shown great success in facilitating learning on graph-structured data, such as social networks, recommendation systems, and protein-protein interactions. Since electronic circuits can be represented naturally as graphs, GNNs provide great potential to advance Machine Learning (ML)-based methods for all aspects of electronic system design and Computer-Aided Design (CAD). This talk gives a deep dive on how to design and employ GNNs to learn the properties of circuits. Starting with a background on GNNs and their different classification tasks, moving to circuit-to-graph conversion, and finally to design and employment. Taking hardware security as a target application, this talk demonstrates how graph-based learning on circuits aids in representing and analyzing flattened/unstructured gate-level netlists.

Using Reverse Engineering Techniques to Build a Secure Open-Source IC
Leonid Azriel, Technion, Israel

Open-source IC is not a new concept. Nevertheless, usage of open-source by the hardware community has been limited until recently. In the last few years, the introduction of the RISC-V open architecture helped to bring fresh energy to open-source IC, and many new projects have emerged. In addition to many benefits in productivity and quality, the open-source model contributes to product security by following the Kerckhoff's principle of open algorithm. However, unlike in software, in the IC world there is a long way from the source to the finished product, and it is hard to guarantee that the product indeed implements the algorithm as advertised. In this talk, I will discuss possible schemes, methodologies and policies to verify the compliance of the integrated circuit to the claimed open source and how the reverse engineering techniques may help with this task.

The Human Factor in HRE: an Interdisciplinary Approach to Hardware Security
Steffen Becker & René Walendy, RUB, Germany

In HRE research, as in other IT security–related subdisciplines, we observe an arms race between defenders proposing ever more computationally intractable security schemes and attackers developing increasingly powerful algorithmic tools capable of breaking or circumventing them. Prior research has predominantly focused on mathematical complexity and overhead. However, in both attack and defense, it is humans who integrate such measures and operate these algorithms. We believe that taking human factors into account when assessing the security of hardware protection schemes, but also when developing special tooling for reverse engineering, has the potential to drive exciting new technologies for offensive and defensive hardware security – from human-in-the-loop reverse engineering tools to cognitive obfuscation schemes. In this talk, we provide insights into our previous research on modeling HRE from a human factors perspective, and would like to start a discussion on the benefits and risks that this emerging field could bring to our community.

The Perfect Reverse Engineering Result - Truth or Myth
Michaela Brunner & Johanna Baehr, TUM, Germany

Hardware reverse engineering is an emerging field with an increasing number of published reverse engineering algorithms. However, there is a lack of strategies for how to compare or evaluate reverse engineering results. This talk focuses on an important but not often discussed aspect: What is the ground truth for a reverse engineering result? What is the perfect result of a reverse engineering algorithm? These questions become significantly more challenging when facing the evaluation of intermediate reverse engineering results, such as for state machine extraction or netlist partitioning. We provide insight into the complexity of this topic and present some first, concrete ideas on how to address this issue.

Deep Learning-based Analysis of Microscopic IC Images for Hardware Assurance
Cheng Deruo, NTU, Singapore

With the advancements in microscopic imaging, high-resolution digital images can be captured at each layer of manufactured ICs with proper sample preparation. It is then feasible to analyse the microscopic IC images to uncover the circuit components and their three-dimensional interconnections for function-level authentication before IC deployment. However, the huge amount of image data with unforeseeable image defects and variations poses great challenge to the image analysis process, where conventional approaches are incompetent. In this talk, we will share our latest research on analysing microscopic IC images with deep learning, which includes a Generative Adversarial Network-based model for identifying defective IC images without supervision and a Convolutional Neural Network-based framework for retrieving circuit information from microscopic IC images. We will also discuss the challenges we have been facing with the data-driven learning-based approaches and provide some possible solutions or research directions.

Open Source HW and Hardware Trojans: a reverse engineering perspective
Alexander Hepp & Johanna Baehr, TUM, Germany

Major industry-led initiatives such as RISC-V and OpenTitan strive for verified, customizable and standardized products, based on a combination of Open Source Hardware and custom intellectual property. The protection of these products against reverse-engineering-based threats such as Hardware Trojan insertion, and physical attacks is of equal importance as for closed source designs. However, Open Source Hardware generates novel threats to the security of a design and the protection of IP. In this talk, we inspect how open-source ISAs and processors enable improved, as well as diminished security. Detailed insights into the inner workings of hardware designs allow (reverse-engineering-based) inspection for vulnerabilities such as hardware trojans. But at the same time, this deep understanding also allows external parties to compose attacks more easily. We will examine reverse engineering methods and threat analysis techniques on a toy example and perform a RISC-V IP attack. We conclude that open hardware includes new opportunities and threats that must be investigated further.

Introduction to CRESS
Alexander Hepp & Matthias Ludwig, TUM & Infineon, Germany

Efficient hardware attacks often require an element of hardware reverse engineering (RE), both for attack planning and as a threat itself. The constant publication of new RE-related scenarios and countermeasures renders a profound rating of these extremely RE-based attacks difficult. The common reverse engineering scoring system (CRESS) framework provides a methodology to assess the offensive role of reverse engineering in common attack scenarios using selective attributes. The open-source framework is available online, and will be extended by a definite score, based on expert knowledge and input from the reverse engineering and hardware security community.

Homogeneous Delayering - a Key Challenge for Successful Reverse Engineering
Nicola Kovac, Fraunhofer EMFT, Germany

The ability for full layer-by-layer reverse engineering of integrated circuits is key for achieving trust in critical devices from global supply chains. While their feature sizes shrink to few Nanometers the thickness of layers is reduced to some ten Nanometers. One challenge tackling physical and technical limits is to achieve homogeneity across several mm chip dimensions as a prerequisite for further imaging by means of EBeam and IonBeam chip scanning. In this talk we present and discuss today’s methods and results from our CC-EAL6 certified analysis lab and technologies down to 7 nm.

Mastering RE on Modern Chips. Essential Milestones. Practical Recommendations
Silke Christiansen & Olena Kulyk, Fraunhofer IKTS & REATISS, Germany & Ukraine

This talk introduces our company that has a wide experience in reverse engineering of semiconductor devices and in providing “technical evidence of the use of Client’s IP” services for semiconductor manufacturers, IP owners. Highlights of major stages in complex process include descriptions of essential conditions in reaching certain quality levels for different sets of operations. The talk is generously illustrated by pictures of sample preparation, imaging, layout, and circuitry extractions.

The Physical Verification Challenge for IoT-Security
Bernhard Lippmann, Infineon, Germany

The acceptance of today’s highly connected world through applications – ranging from autonomous driving, smart home, industrial internet, health care and cloud services, the evaluation of information created by IoT devices or authentication using ID or payment devices – requires built-in security solutions. Technically, this is implemented by a hardware root of trust.
As traditional verification flows as used for many commercial products only handle function, reliability and safety aspects, a trusted design flow extends this by including consideration of hardware security in verification and certification. Consequently, without comprehensive trust throughout the globally distributed development and production flow, semiconductor manufacturers need to check that no malicious modification is inserted. Verification can be executed on physical devices extracted from the field. For this task, the multifaceted feature sets of today’s advanced security solutions require innovative physical analysis inspection methods.

Hardware Trust Through Physical Inspection
Matthias Ludwig, Infineon, Germany

Trust in microelectronics has become an acute issue, with the industry pursuing a globally distributed supply-chain in which possibly non-trustworthy actors are involved. The door for potentially malicious tampering in the form of counterfeiting or the inclusion of malicious modifications during hardware specification, design, manufacturing, and even recycling has been opened. To regain trust in the physical layers, new post-silicon verification and validation techniques are in demand. This talk elaborates ways to verify product integrity through physical inspection. First, a physical layout verification technique is introduced. The methodology and results to validate layout integrity are presented on a 40 nm test device. Furthermore, a novel anti-counterfeiting method on the silicon-level is presented and experimental results are shown.

Design for Security
Avi Mendelson, Technion, Israel

In this talk, I will present our recent research that aims at developing a method and tool aiming at assisting designers to enhance the security of their systems. I will discuss several possible options and will focus on the GNN-based alternative.

ZEISS MultiSEM: towards Full Chip Scanning in Semiconductor Reverse Engineering
Stephan Nickell, Carl Zeiss MultiSEM GmbH, Germany

Reverse engineering of semiconductor integrated circuits (ICs) enables detection of violations of intellectual property or adverse manipulations of product designs. The continuous shrink of semiconductor patterns imposes several challenges not only on the fabrication of ICs, but also on the imaging of their structures used in process control and reverse engineering. Scanning electron microscopy (SEM) can resolve the relevant patterns, but so far has not been able to achieve the throughput requirements for large area screening at a practicable time frame. Using a multi-beam SEM increases the throughput dramatically and therefore allows to image entire chips. Here, we will present details on the ZEISS MultiSEM and how this worldwide fastest multi-beam electron microscope can facilitate imaging and analysis of modern integrated circuits.

Fabrication-time Insertion of Hardware Trojan Horses
Samuel Pagliarini, TalTech, Estonia

For more than almost two decades now, researchers have hypothesized that Hardware Trojan Horses can be inserted in integrated circuits (ICs) while they are being fabricated. These trojans are malicious circuits that typically aim to corrupt the computation being carried out by a chip or they may expose privileged data such as keys utilized in cryptography. Even though only a few real examples have been observed, the risk of a security breach due to hardware tampering has been in the hardware security community's focus for many years. In this talk, the practicality of a fabrication-time attack is going to be addressed. Tampering with a layout while having no additional information other than the layout itself has often been considered a colossal effort. However, with the help of the same tools utilized for chip design, it is shown that the attacker has the capability to modify a layout effortlessly. By doing so, many of the regarded security metrics are no longer valid and fabrication-time attacks become (more) feasible.

Red Team vs. Blue Team: A Real-World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations
Endres Puschner & Steffen Becker, MPI-SP & RUB, Germany

Verifying the absence of maliciously inserted Trojans in Integrated Circuits (ICs) is a crucial task - especially for security-enabled products. Assuming that the original IC layout is benign and free of backdoors, the primary security threats are usually identified as the outsourced manufacturing and transportation. To ensure the absence of Trojans in commissioned chips, one straightforward solution is to compare the received semiconductor devices to the design files that were initially submitted to the foundry. Clearly, conducting such a comparison requires advanced laboratory equipment and qualified experts. Nevertheless, the fundamental techniques to detect Trojans which require evident changes to the silicon layout are nowadays well-understood. Despite this, there is a glaring lack of public case studies describing the process in its entirety while making the underlying data sets publicly available. In this talk, we present a public and open hardware Trojan detection case study based on four different digital ICs using a Red Team vs. Blue Team approach. Our results spark optimism for the Trojan seekers and answer common questions about the efficiency of such techniques for relevant IC sizes. Further, they allow to draw conclusions about the impact of technology scaling on the detection performance.

Bringing hardware reverse engineering to the 3rd dimension
Martin Rasche, Raith GmbH, Dortmund, Germany

Despite the possibility that in the future non-destructive methods might replace the current ‘delayer and image process’ we show that with our Chipscanner we can image very precisely even large chip dimensions so that a 3D remodeling based on layer stacking already works for current high-end reverse engineering tasks. Together with software packages that we developed together with Infineon we can image layers, stitch them 2D/3D and convert them to CAD for further functional analysis.

No Need for Reverse Engineering – Machine Learning Will Do It for Us
Jean-Pierre Seifert, TU Berlin, Germany

Usually, hardware vendors commonly believe that the ever-growing physical complexity of the integrated circuit (IC) designs can be a natural barrier against potential adversaries. In this work, we present a novel approach that can extract secrets without any knowledge of the IC’s layout, and independent from the employed memory technology as key storage. Using deep learning methods, we automate the – traditionally very labor-intensive – reverse-engineering and data extraction process. We showcase the potential of our approach by targeting keys on three different hardware platforms, which are utilized as RoT in different products.

HAL - A Modular Framework for Netlist Reverse Engineering
Julian Speith, MPI-SP, Germany

This talk will provide an overview of HAL, a comprehensive netlist reverse engineering and manipulation framework that enables researchers and analysts to improve reproducibility of research results and abstract away recurring basic tasks such as netlist parsing and visualisation. Attendees will learn about the tool's high-performance C++ core, interactive GUI, built-in Python bindings, and modular plugin system, which provide a flexible and stable platform for the analysis of digital circuits. The ultimate vision of HAL is to become the go-to tool for netlist reverse engineering, similar to IDA or Ghidra for software reverse engineering.

Graph Neural Network for Circuit Netlist Analysis
Lin Tong, NTU, Singapore

Recovered circuit netlist, be it from ASIC or FPGA, contains vital information for hardware assurance of ICs. Conventional methods for analysing it usually require expert knowledge and are largely ad hoc and manual. Intuitively, a netlist can be analysed as a graph with logic gates as nodes and interconnections as edges. Recent advancement in AI/deep-learning on graphs, epitomized by the advent of Graph Neural Network (GNN), points to new ways of analysing circuit netlist from a data-driven perspective. In this talk, we will share our latest research in this area, where we follow a ‘divide-and-conquer’ approach. We will present our proposed GNN-based methods in solving the two fundamental problems involved in netlist analysis, namely netlist partition and netlist identification. We will discuss the advantages of using GNN as compared to using the conventional methods. We will also address the limitations of existing GNN and point to possible solutions.

Open Source T&M for Hardware Reverse Engineering
Andrew D. Zonenberg, IOActive, USA

Hardware security testers must be able to study any form of digital communication. High speed interfaces such as PCIe require special probing techniques and expensive equipment. Proprietary or emerging protocols may not be supported by oscilloscope protocol decode packages. Better open source tooling can help with both of these problems.
In this talk, we discuss work over the past several years towards building a high performance open source T&M ecosystem to aid in reverse engineering and testing of modern embedded hardware. This work includes a family of active and passive probes covering frequency ranges from DC to 7.5 GHz, a hardware abstraction layer (libscopehal) for instrument control and data acquisition, a suite of protocol decoders and DSP blocks (libscopeprotocols), and GUI frontends (ngscopeclient and glscopeclient) for experiment setup and data analysis. The architecture is highly extensible, allowing new decodes to be easily layered on top of existing protocols.