Hardware intellectual property (IP) piracy is an emerging threat to the global supply chain. Correspondingly, various countermeasures aim to protect hardware IPs, such as logic locking, camouflaging, and split manufacturing. However, these countermeasures cannot always guarantee IP security. A malicious attacker can access the layout/netlist of the hardware IP protected by these countermeasures and further retrieve the design. To eliminate/bypass these vulnerabilities, a recent approach redacts the design's IP to an embedded field-programmable gate array (eFPGA), disabling the attacker's access to the layout/netlist. eFPGAs can be programmed with arbitrary functionality. Without the bitstream, the attacker cannot recover the functionality of the protected IP. Consequently, state-of-the-art attacks are inapplicable to pirate the redacted hardware IP. In this paper, we challenge the assumed security of eFPGA-based redaction. We present an attack to retrieve the hardware IP with only black-box access to a programmed eFPGA. We observe the effect of modern electronic design automation (EDA) tools on practical hardware circuits and leverage the observation to guide our attack. Thus, our proposed method FuncTeller selects minterms to query, recovering the circuit function within a reasonable time. We demonstrate the effectiveness and efficiency of FuncTeller on multiple circuits, including academic benchmark circuits, Stanford MIPS processor, IBEX processor, Common Evaluation Platform GPS, and Cybersecurity Awareness Worldwide competition circuits. Our results show that FuncTeller achieves an average accuracy greater than 85% over these tested circuits retrieving the design's functionality.

翻译：硬件知识产权（IP）盗版正成为全球供应链面临的新兴威胁。相应地，逻辑锁定、伪装和分片制造等各类防护措施旨在保护硬件IP。然而，这些防护措施并不总能保证IP安全。恶意攻击者能够获取受这些防护措施保护的硬件IP的版图/网表，并进一步逆向还原设计。为消除/规避这些漏洞，近期一种方法将设计的IP内容修订至嵌入式现场可编程门阵列（eFPGA）中，从而切断攻击者对版图/网表的访问。eFPGA可编程实现任意功能。若缺少比特流，攻击者便无法恢复受保护IP的功能。因此，现有攻击手段无法盗取经修订的硬件IP。本文对基于eFPGA修订方案的安全性提出质疑，提出一种仅需对编程后eFPGA进行黑盒访问即可逆向获取硬件IP的攻击方法。我们观察到现代电子设计自动化（EDA）工具对实际硬件电路产生的影响，并利用这一发现指导攻击。据此，我们提出的FuncTeller方法通过选择最小项进行查询，在合理时间内恢复电路功能。我们在多个电路上验证了FuncTeller的有效性与效率，包括学术基准电路、Stanford MIPS处理器、IBEX处理器、通用评估平台GPS以及网络安全意识全球竞赛电路。结果表明，FuncTeller在这些测试电路上恢复设计功能的平均准确率超过85%。