The integrated circuits (IC) manufacturing industry has developed significantly and scaled down to 7nm technology that has made the integration of numerous transistors possible. However, the hardware engineers could not keep up with rapid advancement in the fabrication technology, and they fail to use all of the available transistors in the die. To close this productivity gap under time-to-market pressure, hardware Intellectual Property (IP) core design has grabbed substantial attention from the semiconductor industry and has dramatically reduced the design and verification cost .
The globalization of the IC supply chain poses a high risk of theft for design companies that share their most valuable assets, IPs, with other entities. IP piracy is a serious issue in the current economy, with a drastic need for an effective detection method. According to the U.S. Department of Commerce study, 38% of the American economy is composed of IP-intensive industries  that lose between $225 billion to $600 billion annually because of Chinese companies stealing American IPs mainly in the semiconductor industry, based on the U.S. Trade Representative report .
Hardware IP is considered as any stand-alone component of a system-on-chip design that is classified into three categories based on the level of abstraction: Soft IP (i.e., synthesizable HDL source code), Firm IP (i.e., netlists and placed RTL block), and Hard IP (i.e., GDSII and physical layout).
Conventionally, the IP protection techniques fall into preventive (i.e., logic encryption, camouflaging, metering, and split manufacturing) and detective (i.e., digital signature) methods. All these methods add excessive implementation overhead to the hardware design that limits their applications in practice. Moreover, they mainly focus on security at the IC level, while many commercial IPs comprise the soft IPs due to flexibility, independence of platform technology, portability, and easy integration with other components. The high level of abstraction makes the IP protection more challenging since it is easier for an adversary to slightly change the source code and redistribute it illegally at the lower levels of abstraction. Although the existing preventive countermeasures deter IP theft, they cannot guarantee IP security as the adversaries keep developing more sophisticated attacks to bypass them. Therefore, an effective IP piracy detection method is crucial for IP providers to disclose the theft.
To this end, the state-of-the-art piracy detection method is embedding signatures of IP owner known as watermark and legal IP user known as a fingerprint in the circuit design to assure authorship and trace legal/illegal IP usage. IP watermarking and fingerprinting are prone to removal, masking, or forging attacks that attempt to omit the watermark, distort its extraction process, or embed another watermark in IP .
In this work, we propose a novel methodology for IP piracy detection that, instead of insertion and extraction of a signature to prove the ownership, models the circuits and assess the similarity between IP designs. Therefore, our method does not require additional hardware overhead as the signature and is not vulnerable to removal, masking, or forging attacks. It also effectively expose the infringement between two IPs when the adversary complicates the original IP to deceive the IP owner. Modeling the hardware design is challenging since it is a structural non-Euclidean data type, despite most modeling techniques. Thus, similar to , we represent the circuit as a data-flow graph (DFG) due to similar data types and properties. Afterward, we model it using state-of-the-art graph learning method.
I-a Motivational Example
We study the concept of piracy and similarity among hardware designs in a test case of two different variations of the full adder circuit. As shown in Figure 1, although the Verilog codes for adder 1 and 2 are different, they both have fundamentally the same design, as depicted in the schematic figure. We unveil the similarity between two adders using DFG, which expresses the signals dependency and computational structure. At first glance, the generated DFGs for adders seem varied, but a deep look into data flows (DF) indicates the same signal relations. For instance, the output signal Sum depends on Num1, Num2, and Cin input signals through the DF1, DF2, and DF3, respectively. Suppose we focus on critical nodes in the flow (XOR nodes) and ignore the excessive nodes related to concatenation and internal signals. In that case, the DFs in both DFGs represent the same operations.
I-B Research Challenges
The development of an effective IP piracy detection method poses paramount research challenges as follows:
Hardware overhead: All existing piracy detection methods add hardware overhead to IP design.
Attacks: Signatures-based countermeasures are vulnerable to removal, forging, and masking attacks.
Same behaviors, different topologies: As the case study exemplified, varied HDL codes generate different DFGs even if they represent the same hardware design. The different typologies in DFGs can easily fool the standard graph similarity algorithms, and behavioral analysis of graphs is required to learn circuit design.
Scalability: The manual review of hardware design is not feasible in practice. The graph similarity is an NP-complete problem, and existing algorithms  suffer from high complexity and are not scalable to large designs and industrial-level IPs with thousands of code lines.
I-C Our contribution
We propose a novel methodology based on graph learning to surmount research challenges and propose these contributions:
To overcome the shortcomings of current IP piracy detection methods, we propose a novel countermeasure based on hardware design analysis that does not require adding any signature and overhead to IP design.
We develop a scalable, automated framework called hw2vec that generates the DFG for hardware designs and assigns a embedding to them such that the proximity in the embeddings indicates similarity between circuits.
We construct a Graph Neural Network (GNN) model to learn the circuit’s behavior and assess the similarity between a pair of IPs according to graph embeddings.
We gather a dataset of hardware designs in RTL and gate-level netlist to develop and assess our methodology.
Ii Backgrounds and Related Works
Ii-a Hardware IP Security
The hardware is susceptible to security threats such as IP piracy (unlicensed usage of IP), overbuilding, counterfeiting (producing a faithful copy of circuit), reverse engineering, hardware Trojan (malicious modification of circuit) [8, 9, 28], and side-channel attacks . The IP protection methods proposed in the literature can be classified as follows:
Watermarking and fingerprinting : The IP owner and legal IP user’s signatures, known as watermark and fingerprint, are added to circuit to prove infringement.
Hardware metering : The designer assigns a unique tag to each chip, which can be used for chip identification (passive tag) or enabling/disabling the chip (active tag).
Obfuscation : There are two obfuscation methodologies; logic locking (encryption)  and IC camouflaging . In logic locking, additional gates such as XOR are inserted in non-critical wires. The circuit would be functional only if the correct key is provided which is stored in a secure memory out of reach of the attacker. Camouflaging modifies the design such that cells with different functionalities look similar to the attacker and confuses the reverse engineering process.
Split manufacturing : IP house split the design to separate ICs and have them fabricated in different foundries. Thus, none of the foundries have access to the whole design to overbuild, reverse engineer, or perform malicious activities.
The existing defenses suffer from a large overhead on area, power, and timing that restrict their application. As the new countermeasures are developed, the attacks are advanced to bypass them. SAT attack is a powerful method used to formulate and solve a sequence of SAT formulas iteratively to unlock the encrypted circuit, reverse engineer the Boolean functionalities of camouflaged gates , or reconstruct the missing wire in 2.5D split manufactured ICs . Anti-SAT , and AND-tree insertion 29] break them. Proximity attack  is another attack against 2.5D split manufacturing that iteratively connects the inputs to outputs in two IC partitions until a loop is formed. Removal, masking, and forging attacks bypass watermarking by eliminating, distorting, or embedding a ghost watermark 
. There is a rising trend in machine learning-based defenses[28, 27] and the recent advances made the models even resistant against adversarial attacks .
Ii-B Graph Neural Networks (GNNs)
, we leverage GNN, a deep learning methodology that tackles graph data. Several works in the literature have shown the effectiveness of GNN in identifying software clones and detecting binary code similarity [7, 26]
. Our architecture is inspired by the Spatial-based Graph Convolution Neural Network, which defines the convolution operation based on a node’s spatial relations with the following phases: (i)message propagation phase and (ii) the read-out phase. The message propagation phase involves two sub-functions: AGGREGATE and COMBINE, given by,
where denotes the node embedding after iterations for the node. Essentially, the AGGREGATE function collects the features of the neighboring nodes to extract an aggregated embedding for the layer , and the COMBINE function combines the previous node features with to output next embedding . This message propagation is carried out for a pre-determined number of iterations . Next, in the read-out phase, the overall graph-level embedding extraction is carried out by either summing up or averaging up the node embeddings in each iteration. The graph-level embedding is denoted as and is defined as,
In our work, we use as the hardware design embedding to assess the similarity between circuits and discover piracy.
Iii GNN4IP Methodology
In this work, we formulate the problem of IP piracy detection as finding the similarity between two hardware designs. We assume the existence of a feed-forward function that outputs whether two circuits and are subject to piracy or not through a binary label as given in Equation 4.
To approximate , we extract the DFGs and from circuits pair using the DFG generation pipeline and pass it to a graph embedding layer, hw2vec, to acquire embeddings . Lastly, our model infer the piracy label,
, by computing the cosine similarity between.
Iii-a Threat Model
In our threat model, we examine the IP designs in RTL or gate-level netlist to discover piracy. We assume that the design is a soft IP, firm IP, or derived by reverse engineering a hard IP or IC. The adversary can be a hardware designer, competitor company, or the fabrication foundry who present the stolen IP as their genuine design and sell it as an IC or an IP at the same or lower level of abstraction. The attack scenario may involve modification of IP design to tamper piracy detection. The attacker can get access to the original IP through one of these means: I) purchase the IP for limited usage, II) leaked through a rogue employee in the design house, or III) reverse engineered the physical layout or IC.
Iii-B Hardware Data Flow Graph Extraction
Hardware design is non-Eulicidian structural data that shares similar properties with a graph. We generate DFGs from either RTL code or gate-level netlist as the first step to model it. The DFG is a rooted directed graph illustrating the computation structure and the data flow from the circuit’s output signals (the root nodes) to the input signals (the leaf nodes). It is defined as graph where is the vertices set and each node represents a signal, constant value, or operations such as concatenation, branch, Boolean operators, etc. We define set of directed edges for all such that if the operation is applied on or the value of depends on the value of .
To extract DFG, we develop an automated framework using a hardware design toolkit called Pyverilog . Figure 2 demonstrates our DFG generation pipeline that is consisted of five phases: preprocess, parser, data flow analysis, merge, and trim. The procedure begins with preprocessing the RTL code or gate-level netlist in Verilog format to flatten the modular codes and resolve incompatibilities and syntax errors. Afterward, the parser scans the code and produces the corresponding abstract syntax tree used by the data flow analyzer to generate a data flow tree per signal. Next, the signal’s trees are merged to construct one main DFG for the whole design. Eventually, the redundant nodes and disconnected subgraphs are trimmed, and the final DFG is generated.
Iii-C Hardware IP Piracy Detection Algorithm
Our IP piracy detection algorithm is shown in Algorithm 1. In the algorithm, GNN4IP refers to approximating function , which can yield the inference of whether two circuits and are subject to IP piracy. Applying typical machine learning methodologies to hardware designs, which are non-euclidean in nature, usually requires feature engineering and immense expert knowledge in hardware design. Thus, we propose our scalable, automated IP piracy detection framework, hw2vec with an architecture depicted in Figure 3.
The hw2vec uses the DFG generation pipeline and acquires the corresponding graph for circuit in the form of where represents the initial list of node embeddings and stands for the adjacency information of . Next, the hw2vec begins the message propagation phase, denoted as Graph_Conv in the algorithm, which is Graph Convolution Network (GCN) . In each iteration of message propagation, the node embeddings will be updated as follows,
where is a trainable weight used in the GCN layer. is the adjacency matrix of
used in the layer for aggregating the feature vectors of the neighboring nodes where
is an identity matrix that adds the self-loop connection to make sure the features calculated in the previous iteration will also be considered in the current iteration.is the diagonal degree matrix used for normalizing . and initialize each node embedding , , by directly converting the node’s name to its corresponding one-hot vector. We denote the final propagation node embedding as , and denote the corresponding adjacency matrix as .
Once propagated the information on , the resultant node embedding is further processed with an attention-based graph pooling layer Graph_Pool. Denote the collection of all node embeddings of after passing through layers of GCN as . The is passed to a self-attention graph pooling layer that learns to filter out irrelevant nodes from the graph, creating the pooled set of node embeddings and their edges . In this layer, we use a graph convolution layer to predict the scoring and use to perform top-k filtering over the nodes in the DFG .
Then, the Graph_Readout in our algorithm aggregates the node embeddings to acquire the graph-level embedding for the DFG using this formula . The READOUT operation can be either summation, averaging, or selecting the maximum of each feature dimension over all the node embeddings, denoted as sum-pooling, mean-pooling, or max-pooling respectively. Lastly, hw2vec returns the embedding of each hardware.
The gnn4ip utilizes hw2vec to transform and into the corresponding DFG embeddings, denoted as and . Then, it calculates the cosine similarity of and to produce the final IP piracy prediction, denoted as . The formula can be written as follows,
Finally, our gnn4ip utilizes predefined decision boundary and to judge whether two programs and are a piracy to one another as described in Algorithm 1 and to return the results of IP piracy detection using a binary label (0 or 1).
As both gnn4ip and hw2vec
include several trainable parameters, we need to train these parameters for IP piracy detection via computing the cosine embedding loss function, denoted as, between true label and the predicted label . The calculation of loss can be described as follows,
where the margin is constant to prevent the learned embedding to be distorted (always set to 0.5 in our work). Once the model is trained, our algorithm uses the and a decision boundary to make the final judgement of IP piracy.
In hw2vec, we use 2 GCN layers with 16 hidden units for each layer. For the graph_pool, we use the pooling ratio of 0.5 to perform top-k filtering. For the graph_readout, we use max-pooling for aggregating node embeddings of each graph. In training, we apply dropout with a rate of 0.1 after each GCN layer. We train the model using the batch gradient descent algorithm with batch size 64 and the learning rate to be 0.001.
One of the significant challenges of machine learning model development is data collection. To construct GNN4IP, we gather RTL codes and gate-level netlists of hardware designs in Verilog format and extract their DFGs using our automated graph generation pipeline. Our collection comprises 50 distinct circuit designs and several hardware instances for each circuit design that sums up 143 netlists and 390 RTL codes. As our model works on pairs of hardware instances, we form a dataset of 19094 similar pairs and 66631 different pairs, dedicate 20% of these 85725 pairs for testing and the rest for training.
Iv-B IP Piracy Detection Accuracy and Timing
The GNN4IP examines a pair of hardware designs, label it as piracy (positive) or no-piracy (negative), and outputs a similarity score in range [-1, +1] where the higher score indicates more similarity. We evaluate the model on RTL and netlist datasets, which results in the confusion matrices depicted in Figure 4
(a). We compute the IP piracy detection accuracy as the evaluation metrics, which express the correctly labeled sample ratio, true positive (TP) plus true negative (TN), to all data. The accuracy and timing results in TableI show that our model pinpoints IP piracy with high accuracy rapidly, making it scalable to large designs. The training and testing time depend on the graph size. The longer timing for netlists lies in the fact that in our dataset, the netlist DFGs with 3500 nodes on average are larger than RTL DFGs with 1000 nodes on average. We run the model on a computer with Intel Core i7-7820X CPU @3.60GHz with 16GB RAM and two NVIDIA GeForce GTX 1050 Ti and 1080 Ti GPUs and measure the timing for this computing platform.
|RTL||75855||390||97.21%||0.577 ms||0.566 ms|
|Netlist||9870||143||94.61%||5.999 ms||5.918 ms|
Iv-C Embedding Visualization
The hw2vec generates vectorized embedding for hardware designs and maps them to the points in the multi-dimensional space such that similar circuits are in close proximity. We visualize the hw2vec
embeddings using dimensionality-reduction algorithms such as Principal Component Analysis (PCA) and t-distributed Stochastic Neighbor Embedding (t-SNE). Figure4 (b,c) illustrate embedding projection of 250 hardware instances for two distinct processor designs, pipeline MIPS and single-cycle MIPS, using PCA and t-SNE.
In the PCA plot, the first two principal components are depicted that express the two orthogonal directions, which maximize the variance of the projected data. t-SNE is a nonlinear machine learning algorithm that performs transformations on the data and approximate spectral clustering. We have deliberately chosen two MIPS processors with similar functionality for this experiment to harden the differentiation between them. The processors’ contrast lies only in their design and specifications. According to the plots, two well-separated clusters of hardware instances are formed such that data points for the same processor design are close. It demonstrates thathw2vec is a compelling tool to distinguish between various hardware designs. It not only considers the functionality and DFG structure but also recognizes the design.
Iv-D Similarity Score Results
Our model identifies piracy based on its generated similarity score for two designs, and the decision boundary is controlled by a hyper-parameter . We have tuned the to achieve maximum accuracy, but the user can adjust it to decide how much similarity is considered piracy. We calculate the similarity score in 3 cases: 1) different designs, 2) different codes with the same design, and 3) a design and its subset. For each case, 4 examples and the mean score for 50 examples are mentioned in Table II. As the results present, our model successfully discriminates hardware designs since the score is very low for different designs (case1) and close to 1 for similar designs (case2). In case3, MIPS is a processor which comprises an ALU block. This relation is captured by the model and resulted in a score of approximately 0.5.
|FPA: Floating Point Adder, P.MIPS: Pipeline MIPS, M.MIPS: Multi-cycle|
|MIPS, S.MIPS: Single-cycle MIPS, : instance of hardware X.|
Iv-E Piracy Detection in Obfuscated Netlists
To further evaluate our model, we test it on a dataset of ISCAS’85 benchmarks, and their obfuscated instances in the gate-level netlist format, derived from TrustHub . Obfuscation complicates the circuit and confuses reverse engineering but does not change the behavior of the circuit. Our model recognizes the similarity between the circuits despite the obfuscation because it learns the circuit’s behavior. We test this capability in this experiment by comparing each benchmark with its obfuscated instances and computing each benchmark’s average similarity score, presented in Table III. In the experimental results, all the similarity scores are very close to 1. It means GNN4IP can identify the original IP in the obfuscated design 100% of the time and is resilient against the attacks when the adversary manipulates the design to conceal the stolen IP. Furthermore, we assess our model on the pairs of different netlist instances, and the resultant average similarity is very low and closer to -1. It demonstrates that GNN4IP is potent in differentiating the varied designs at the netlist level.
Iv-F Comparison with Rival Methods
The current state-of-the-art IP piracy detection method is watermarking. The concept of accuracy is not defined for it, and another metric called the probability of coincidence () is used. It declares the probability that a different designer inserts the same watermark and depends on the watermark signature size. Although the quantitative comparison with watermarking is not plausible, the false-negative rate provides similar intuition in machine learning. The state-of-the-art  outperforms its previous rival algorithms by reporting = 1.11 with the cost of adding 0.13% to 26.12% overhead to design. Our model false-negative rate is zero for netlist and 6.65 for RTL dataset which is very low and acceptable. Compared to , our model have the paramount advantages of zero overhead and resiliency over attacks against watermarking. Moreover, our model is powerful enough to recognize the similarity between designs despite obfuscation.
To the best of our knowledge, we are the first to model hardware as a graph for IP piracy detection.  utilizes graph similarity algorithm to assess obfuscation, similar to Section IV-E. Due to different datasets exact comparison is not feasible. However, our similarity scores on obfuscation assessment notably better identify the original IP in the obfuscated one and distinguish the different designs. Their computation time is in order of minutes and significantly slower due to the graph similarity algorithm’s high complexity and lack of scalability.
|Circuit||Circuit Function||# of circuits||Score|
|c432||27-channel interrupt controller||24||+0.9998|
|c499||32-bit single error correcting||23||+0.9928|
|c1355||32-bit single error correcting||19||+0.9993|
|c1908||16-bit single/double error detecting||22||+0.9999|
|c6288||16 × 16 multiplier||25||+0.9945|
|Between benchmarks and their obfuscated instances||+0.9976|
|Between different benchmarks||-0.1606|
In this paper, we propose a novel IP piracy detection methodology, called GNN4IP, which does not have existing countermeasures shortcomings such as overhead and vulnerability to attacks. Our automated framework extracts the DFGs from RTL codes and gate-level netlist. Then, hw2vec, our graph neural network generates embeddings for graphs according to the similarity between designs. Based on embeddings, we infer IP piracy between circuits with 96% accuracy.
-  (2018) Towards side channel secure cyber-physical systems. In Real-Time and Embedded Systems and Technologies, Cited by: §II-A.
-  (2020) R2AD: randomization and reconstructor-based adversarial defense on deep neural network. In Workshop on Machine Learning for CAD, Cited by: §II-A.
-  (2016) Hardware ip watermarking and fingerprinting. In Secure System Design and Trustable Computing, Cited by: §I, §I, §II-A.
-  (2020) DECOY: deflection-driven hls-based computation partitioning for obfuscating intellectual property. In Design Automation Conference (DAC), Cited by: §I, §II-A.
-  (2018) Copyrights and patents, piracy and theft. The Washington Times. Cited by: §I.
-  (2019) The sat attack on ic camouflaging: impact and potential countermeasures. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems. Cited by: §II-A.
-  (2020) Detecting code clones with graph neural network and flow-augmented abstract syntax tree. In IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), Cited by: §II-B.
-  (2021) Brain-inspired golden chip free hardware trojan detection. IEEE Transaction on Information Forensics and Security (IEEE TIFS’21). Cited by: §II-A.
HTnet: transfer learning for golden chip-free hardware trojan detection. IEEE/ACM Design Automation and Test in Europe Conference (DATE’21). Cited by: §II-A.
-  (2019) Graph similarity and its applications to hardware security. IEEE Transactions on Computers. Cited by: 4th item, §IV-F.
-  (2016) Semi-supervised classification with graph convolutional networks. arXiv preprint arXiv:1609.02907. Cited by: §III-C.
-  (2017) Active hardware metering by finite state machine obfuscation. In Hardware Protection through Obfuscation, Cited by: §II-A.
-  (2019) Self-attention graph pooling. arXiv preprint arXiv:1904.08082. Cited by: §III-C.
-  (2017) Provably secure camouflaging strategy for ic protection. Computer-Aided Design of Integrated Circuits and Systems. Cited by: §II-A.
-  (2018) Raise your game for split manufacturing: restoring the true functionality through beol. In Design Automation Conference (DAC), Cited by: §II-A.
-  (2019) Hardware watermarking using polymorphic inverter designs based on reconfigurable nanotechnologies. In 2019 IEEE Computer Society Annual Symposium on VLSI (ISVLSI), Cited by: §II-A, §IV-F.
-  (2013) Is split manufacturing secure?. In Design, Automation & Test in Europe Conference (DATE), Cited by: §II-A.
-  (2013) Security analysis of integrated circuit camouflaging. In ACM conference on Computer & communications security, Cited by: §II-A.
-  (2017) Special 301 report. the United States Trade Representative. Cited by: §I.
-  (2015) Pyverilog: a python-based hardware design processing toolkit for verilog hdl. In International Symposium on Applied Reconfigurable Computing, Cited by: §III-B.
-  (2016) Trusthub. Available on-line: https://www.trust-hub.org. Cited by: §IV-E.
-  (2019) Reverse engineering for 2.5 d split manufactured ics. Computer-Aided Design of Integrated Circuits and Systems. Cited by: §II-A.
-  (2020) A comprehensive survey on graph neural networks. IEEE Transactions on Neural Networks and Learning Systems. Cited by: §II-B.
-  (2017) Delay locking: security enhancement of logic locking against ic counterfeiting and overproduction. In Design Automation Conference (DAC), Cited by: §II-A.
-  (2016) Mitigating sat attack on logic locking. In conference on cryptographic hardware and embedded systems, Cited by: §II-A.
-  (2017) Neural network-based graph embedding for cross-platform binary code similarity detection. In SIGSAC Conference on Computer and Communications Security, Cited by: §II-B.
IoT-cad: context-aware adaptive anomaly detection in iot systems through sensor association. In IEEE/ACM International Conference On Computer Aided Design (ICCAD), Cited by: §II-A.
-  (2021) GNN4TJ: graph neural networks for hardware trojan detection at register transfer level. IEEE/ACM Design Automation and Test in Europe Conference (DATE’21). Cited by: §I, §II-A, §II-A.
-  (2017) Removal attacks on logic locking and camouflaging techniques. IEEE Trans. on Emerging Topics in Computing. Cited by: §II-A.