# OBS Demo: A demonstration of standard-cell based obfuscation for imaging security in SKY130

Ckristian Duran, 2024

SPDX-License-Identifier: Apache-2.0

#### Team Members 

|Name|Affiliation|IEEE Member|SSCS Member|
|:--:|:----------:|:----------:|:----------:|
| Ckristian Duran (Maker) <br /> Email IDs: <br /> ckdur.iso [at] gmail [dot] com <br /> ckristian.duran [at] correo [dot] uis [dot] edu [dot] com <br /> duran [at] silicon [dot] u-tokyo [dot] ac [dot] jp|Universidad Industrial de Santander (UIS) <br /> The University of Tokyo (東京大学)| Yes |Yes |

Replace `[at]` with `@`

Replace `[dot]` with `.`

## Abstract

This project demonstrates a standard-cell based obfuscation of an example digital circuit to protect against imaging tools.
The obfuscator works by replacing cells from a netlist by cells with identical behavior but different layout.
This obfuscation is performed in the post-synthesis digital circuit, and the rest of the steps are executed in a typical digital composition (ej: PnR, DRC, LVS, Simulation, etc).
The alternative cells layout do not have a significant impact in area, but the timing and capacitances can vary a little, making Static Timing Analysis vary between the original circuit and an obfuscated one.
The cell library was previously built and characterized with enough files to perform digital synthesis and implementation.
As part of the demo, an additional imaging-reversal procedure is built by template matching, to try to recognize back the cells in the digital circuit.
This demo is built for Skywater 130nm (SKY130).

## 1. Introduction

Circuit security is a rising concern in recent years. The analysis of digital circuits to extract information has been a common ocurrence in reverse-engineering. Such analysis includes the extraction of a netlist from different stages of design and fabrication. Despite numerous intents to obscure and secretize the process in such stages, attacks always arise at the end of the production cycle. An attacker can perform decaping of a chip and perform image-reversal of a circuit in critical locations to extract information. This project is yet another way to prevent attacks from chip imaging by obfuscating the digital circuit.

### 1.1 Standard cell library

The first component of this project is an standard cell library which contains the obfuscation cells. These cells contains the same circuit but contains different layouts. To exemplify this, lets take a regular NAND cell.

```spice
* This file can be found in obs_demo/lib/sky130.lvs
.SUBCKT ND2D1 a1 a2 vdd vss zn
*.PININFO a1:I a2:I zn:O vdd:B vss:B 
M_M13 zn a1 xi1_n6 vss nfet_01v8 l=1.500e-07 w=6.500e-07
M_M14 xi1_n6 a2 vss vss nfet_01v8 l=1.500e-07 w=6.500e-07
M_M12 zn a2 vdd vdd pfet_01v8 l=1.500e-07 w=1.000e-06
M_M11 zn a1 vdd vdd pfet_01v8 l=1.500e-07 w=1.000e-06
.ENDS
```

This circuit contains 4 transistors, 2 NMOS and 2 PMOS. At the moment of creating the layout, there are different ways to arrange the transistors. In the case of the NAND there are 4 possible arrangements for a minimum space layout:

```
Arrange 1             Arrange 2          Arrange 3          Arrange 4
       a1   a2            a1    a2         a1    a2             a1   a2
P: vdd | z  | vdd     z   | vdd | z      z | vdd | z        vdd | z  | vdd
N: gnd | n6 | z       gnd | n6  | z      z | n6  | gnd      z   | n6 | gnd
       a1   a2            a1    a2         a2    a1             a2   a1
```

With these arrangements, is possible to place and route such cells in 4 different manners in the case of the NAND

![ND2D1](assets/img/ND2D1.toon.png "NAND A.1")![ND2D1_2](assets/img/ND2D1_2.toon.png "NAND A.2")![ND2D1_3](assets/img/ND2D1_3.toon.png "NAND A.3")![ND2D1_1](assets/img/ND2D1_1.toon.png "NAND A.4")

This behaviour can be extended to other cells. In the included library, the cells are limited to 4 different layouts, but this process can be repeated as many times as different arrangements are possible for a cell. This is an example of a D-Flip-Flop.

![DFQD1](assets/img/DFQD1.toon.png "DFQD1 A.1")![DFQD1_1](assets/img/DFQD1_1.toon.png "DFQD1 A.2")

![DFQD1_2](assets/img/DFQD1_2.toon.png "DFQD1 A.3")![DFQD1_3](assets/img/DFQD1_3.toon.png "DFQD1 A.4")

With these cells,  a library is composed which contains combinational and sequential circuitry. Such layouts are going to be ramdomly swapped in a netlist to obfuscate the digital circuit at the moment of producing a layout.

### 1.2 Obfuscation procedure

The obfuscation consists of perform synthesis, obfuscation, place, and route the circuit with the standard cell library. The next figure details the overall flow of this implementation.

![Obfuscation procedure](assets/img/obs_demo_flow.png "OBS flow")

After getting a netlist of the circuit from synthesis, the obfuscation is performed to the output netlist from [yosys](https://github.com/YosysHQ/yosys).
The script contains a link list to replace the existing cells to any of the 4 possible alternatives (if they exist).
The cell is chosen randomly using the `obs_demo/syn/tcl/aleatorize.py` script.
For example, an instance of `ND2D1` can be replaced by `ND2D1`, `ND2D1_1`, `ND2D1_2`, or `ND2D1_3`.
The output of this script is a obfuscated netlist, where all the cells are replaced with equivalent circuits with theoretical different layouts.

The next steps are included in the typical digital flow to output a macro layout.
Placement, Clock Tree Synthesis (CTS) and route of the circuit is done using the obfuscated library and the geometry abstracts.
Such process are executed with [OpenROAD](https://github.com/The-OpenROAD-Project/OpenROAD) with scripts included in the project.
The output is a definition file which contains placement and routing of the geometry abstract, which is used by [Magic](https://github.com/RTimothyEdwards/magic) to create a final layout GDS file. DRC and LVS can be also performed at this stage.

TODO: The DRC and LVS do not work at this point, as the standard cell library does not pass DRC and has connectivity issues.

### 1.3 Reverse enginering the circuit

After creating the GDS layout of the digital macro, the user can perform a test for a imaging reverse-engineering of the circuit.
Imaging tools are used to create a photo-like realistic image of the layouts of the digital macro, as well as every cell implemented in the obfuscated library.
Afterwards, all the images are imported into a imaging reversing tool named [degate](https://github.com/DegateCommunity/Degate).
This tool allows the user to perform imaging-reversing to a series of die photos to identify digital circuits and their netlists.
The user can perform a template matching of the images of this demo to simulate an attack and evaluate the identification rate at a first iteration.

![Reverse test procedure](assets/img/obs_demo_rev.png "REV flow")

## 2. Contents of the notebook

This notebook contans an step-to-step guide to execute the [obs_demo](https://github.com/ckdur/obs_demo) project.
In the following sections, we will describe to to the following:

1. Install tools and dependencies, working for (almost) every linux platform.
2. Create the obfuscated circuit, which guide the user to perform synthesis, aleatorize, place/CTS/route, and signoff of the digital macro.
3. Perform reverse-engineering using imaging tools, where we guide the user to perform an attack to the image of the layout, either automatically or via scripts.

The demo by itself contains the following:

1. Synthesis scripts.
2. Aleatorize script in the synthesis container.
3. Place and route scripts.
4. Signoff scripts, including GDS creation, DRC, and LVS.
5. Imaging scripts to create photo-like imaging.
6. Reverse-engineering scripts, to execute degate with the previous images.

## 3. Preparing the environment

### 3.1 Installing tools and dependencies 

The following code will allow you to install the dependencies from a new conda environment. Several steps can be skipped if you either installed these requirements locally in your system or in a separate conda environment you already have prepared for digital integration. The checks for these tools are automatically implemented, and this block of code can be ran just as it is.

In [None]:
import os
import pathlib
import sys

# Section for checking the status of the conda installation
conda_prefix_path = os.environ.get('CONDA_PREFIX', None)
conda_exists = True
if conda_prefix_path is None:
    conda_prefix_path = str(pathlib.Path('conda-env').resolve())
    if not os.path.isdir(conda_prefix_path):
        conda_exists = False
%env CONDA_PREFIX={conda_prefix_path}
!mkdir -p {conda_prefix_path}/conda-meta

# We are going to use micromamba, as seems to be the most neutral to work in any environment
micromamba_path=str(pathlib.Path('micromamba').resolve())
micromamba=micromamba_path + "/bin/micromamba"
if not os.path.isfile(micromamba):
    !mkdir -p {micromamba_path}/bin
    !cd {micromamba_path} && curl -Ls https://micro.mamba.pm/api/micromamba/linux-64/latest | tar -xvj bin/micromamba
# Only create the environment if the conda does not exist
if not conda_exists:
    print("Create the conda environment")
    !{micromamba} create --yes --prefix {conda_prefix_path}

# Forcing this conda environment to work with python 3.10
!echo 'python == 3.10*' >> {conda_prefix_path}/conda-meta/pinned

# Set some environment variables
PATH = "{}/bin:{}".format(conda_prefix_path, os.environ['PATH'])  # Is supposed to not fail
LD_LIBRARY_PATH = "{0}/lib:{0}/lib/python3.10:{1}".format(conda_prefix_path, os.environ.get('LD_LIBRARY_PATH', ''))
%env PATH={PATH}
%env LD_LIBRARY_PATH={LD_LIBRARY_PATH}

# Now, check progressively for all the dependencies, which will list in this dict
req = {
    "magic": {"cmd": "magic --version", "channel": "main"},
    "klayout": {"cmd": "klayout -v", "channel": "main"},
    "yosys": {"cmd": "yosys --version", "channel": "main"},
    "netgen": {"cmd": "which netgen", "channel": "main"},
    "openroad": {"cmd": "openroad -version", "channel": "main"},
    "git>=2.34.1": {"cmd": "git --version", "channel": "conda-forge"},
    "pkg-config>=0.29.2": {"cmd": "false", "channel": "conda-forge"},     # FORCED
    "cmake>=3.22.1": {"cmd": "false", "channel": "conda-forge"},          # FORCED
    "gcc>=12.3.0": {"cmd": "gcc --version", "channel": "conda-forge"},
    "gxx>=12.3.0": {"cmd": "g++ --version", "channel": "conda-forge"},
    "qt6-main>=6.4.1": {"cmd": "which qtdiag6", "channel": "conda-forge"},
    "qt6-charts>=6.4.1": {"cmd": "which qtdiag6", "channel": "conda-forge"},
    "qt6-3d>=6.4.1": {"cmd": "which qtdiag6", "channel": "conda-forge"}
}
for key, elem in req.items():
    ret = os.system(elem["cmd"])
    if ret != 0:
        # This command does not exist, or does not execute. Regardless, install
        print("Attempting to install: {}".format(key))
        channel = elem["channel"]
        !{micromamba} install --yes --prefix {conda_prefix_path} --channel litex-hub --channel {channel} "{key}"
    else:
        # Detected. Just assume is there
        print("Detected!: {}".format(key))

# Check exclusively for the PDK_ROOT separatelly... I wish there is a better way to check for the PDK
PDK_ROOT = os.environ.get('PDK_ROOT', None)
if PDK_ROOT is None:
    !{micromamba} install --yes --prefix {conda_prefix_path} --channel litex-hub --channel main open_pdks.sky130a
    PDK_ROOT = "{0}/share/pdk".format(conda_prefix_path)
    %env PDK_ROOT={PDK_ROOT}

### 3.2 Download the repository

The code below will download the repository where this demo is hosted.

In [None]:
import os
import pathlib
import sys

obs_demo_path = str(pathlib.Path('obs_demo').resolve())
obs_demo_settings = obs_demo_path + "/settings.mk"

if not os.path.isdir(obs_demo_path):
    # Download the repository
    !git clone -b main --recursive https://github.com/ckdur/obs_demo.git {obs_demo_path}

%env ROOT_DIR={obs_demo_path}

### 3.3 Build degate

This is an extra tool which is not listed in conda packages. The next block will use the repository to build Degate.

In [None]:
import os
import pathlib
import sys

!mkdir -p $ROOT_DIR/rev/src/Degate/build
!cd $ROOT_DIR/rev/src/Degate/build && cmake $ROOT_DIR/rev/src/Degate
!make -C $ROOT_DIR/rev/src/Degate/build all

## 4. Creating the obfuscated circuit

### 4.1 Synthesis and obfuscation

### 4.2 Place and route, and signoff

## 5. Reverse-engineering the circuit

### 5.1 Imaging the circuits

### 5.2 Setup the attack

### 5.3 Judging the success of the attack

## 6. Conclusions