Due to the globalization of semiconductor manufacturing and test processes, the system-on-a-chip (SoC) designers no longer design the complete SoC and manufacture chips on their own. This outsourcing of the design and manufacturing of Integrated Circuits (ICs) has resulted in several threats, such as overproduction of ICs, sale of out-of-specification/rejected ICs, and piracy of Intellectual Properties (IPs). Logic locking has emerged as a promising defense strategy against these threats. However, various attacks about the extraction of secret keys have undermined the security of logic locking techniques. Over the years, researchers have proposed different techniques to prevent existing attacks. In this article, we propose a novel attack that can break any logic locking techniques that rely on the stored secret key. This proposed TAAL attack is based on implanting a hardware Trojan in the netlist, which leaks the secret key to an adversary once activated. As an untrusted foundry can extract the netlist of a design from the layout/mask information, it is feasible to implement such a hardware Trojan. All three proposed types of TAAL attacks can be used for extracting secret keys. We have introduced the models for both the combinational and sequential hardware Trojans that evade manufacturing tests. An adversary only needs to choose one hardware Trojan out of a large set of all possible Trojans to launch the TAAL attack.

中文翻译：

---

塔尔

由于半导体制造和测试流程的全球化，片上系统 (SoC) 设计人员不再自行设计完整的 SoC 和制造芯片。这种集成电路 (IC) 设计和制造的外包导致了多种威胁，例如 IC 的生产过剩、不合格/被拒绝的 IC 的销售以及知识产权 (IP) 的盗版。逻辑锁定已成为对抗这些威胁的一种有前途的防御策略。然而，各种关于提取密钥的攻击已经破坏了逻辑锁定技术的安全性。多年来，研究人员提出了不同的技术来防止现有的攻击。在本文中，我们提出了一种新颖的攻击，可以破坏任何依赖于存储密钥的逻辑锁定技术。这个提议塔尔攻击基于在网表中植入硬件木马，一旦激活就会将密钥泄露给攻击者。由于不受信任的代工厂可以从布局/掩模信息中提取设计的网表，因此实现这样的硬件木马是可行的。所有三种建议的类型塔尔攻击可用于提取密钥。我们已经介绍了逃避制造测试的组合和顺序硬件木马的模型。攻击者只需从一大堆可能的木马中选择一个硬件木马即可启动塔尔攻击。