The safety, security, and reliability of microelectronic systems depend on a trustworthy, secured supply chain and design flow. Globally distributed supply chains or unintentional design weaknesses leave the door open for attacks on the hardware level. These scenarios encompass counterfeiting, hardware trojans, or on-device attacks. For these, hardware reverse engineering (RE) results play a pivotal role. The ongoing publication of new RE-involved attacks motivated the development of the common RE scoring system (CRESS). The system enables a general classification of RE-involved scenarios for a common, consistent rating. In this work, the originally qualitative system is extended to a quantitative system. We performed an extensive interview study with experts in the field. The interview results allowed us to derive weights that measure the severity of different RE-involved attack categories. The weights form an equation that quantifies scenarios, resulting in the severity-indicating CRESS score. The score enables the coherent rating of novel scenarios, renders them comparable, and supports the development of effective countermeasures. To showcase the effectiveness of the quantitative CRESS Score, six selected case studies are rated qualitatively and quantitatively. The CRESS Score proves to be significantly more expressive than the industry-standard Common Vulnerability Scoring System (CVSS).