Exploiting the Lock: Leveraging MiG-V's Logic Locking for Secret-Data Extraction
Abstract
This study analyzes the MiG-V, the first commercially available logic-locked RISC-V processor, and examines whether its logic locking mechanism affects runtime data confidentiality. The researchers demonstrate a critical vulnerability by deliberately altering the logic locking key while the processor executes SSL cryptographic algorithms. Changing a single bit of the logic locking key exposes 100% of the cryptographic encryption key, which mandates a comprehensive security reassessment of this protection method.
Report
Structured Report: Exploiting the Lock: Leveraging MiG-V's Logic Locking for Secret-Data Extraction
Key Highlights
- Target Device: The MiG-V, noted as the first commercially available logic-locked RISC-V processor designed for high-security applications.
- Security Paradigm Shift: Logic locking, conventionally used to protect IP design during untrusted manufacturing (anti-Trojan defense), is repurposed as an attack vector for runtime data confidentiality compromise.
- Attack Success: The study successfully identified and exploited data leakages resulting from manipulating the logic locking hardware during operation.
- Critical Vulnerability: By altering only a single bit of the logic locking key, the researchers were able to extract 100% of the encryption key being processed by the SSL cryptographic algorithms.
- Mandated Review: The research emphasizes that security assessments must extend beyond traditional logic locking key-recovery attacks to evaluate runtime data leakage potential.
Technical Details
- Architecture Tested: MiG-V RISC-V processor.
- Mechanism Attacked: Key-driven logic gates used for design obfuscation (logic locking).
- Attack Methodology: The core technique involves actively altering the hardware's logic locking key while the processor is engaged in critical cryptographic processes (specifically, SSL cryptographic algorithms).
- Observation: The alteration of the logic locking key causes internal misconfigurations or side effects that expose sensitive data (the encryption key) being processed by the system.
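The following Python toy is an added illustration, not code from the paper or from MiG-V, and assumes the classic XOR/XNOR key-gate form of logic locking (the page does not state which scheme MiG-V uses); the 8-bit datapath, the unlock key and the known-answer vectors are constructed. It shows that the key gates are transparent only with the correct key, that a single altered key bit silently changes every computation rather than halting the device, and how a known-answer self-test run before secret data enters the datapath can detect a key register altered at runtime.

```python
"""Toy XOR/XNOR logic-locked datapath (constructed; not MiG-V's netlist)."""

CORRECT_KEY = 0b10110010  # constructed 8-bit unlock key
MASK = 0xFF


def rotl8(x: int) -> int:
    """Rotate an 8-bit value left by one position."""
    return ((x << 1) | (x >> 7)) & MASK


def unlocked_datapath(a: int, b: int) -> int:
    """Intended function of the circuit (what locking is meant to hide)."""
    return rotl8(a ^ b) ^ 0x5A


def locked_datapath(a: int, b: int, key: int) -> int:
    """Same circuit with a key gate on every bit of the internal wire t.

    A key gate is XOR where the correct key bit is 0 and XNOR where it is 1;
    XNOR is modelled as XOR plus an inversion, so the wire is restored only
    when key == CORRECT_KEY. Any other key yields a wrong but valid-looking
    result: the circuit keeps running on corrupted internal state.
    """
    t_locked = (a ^ b) ^ key ^ CORRECT_KEY
    return rotl8(t_locked) ^ 0x5A


def count_divergent_outputs(key: int) -> int:
    """Number of (a, b) input pairs whose locked output differs from the intended one."""
    return sum(locked_datapath(a, b, key) != unlocked_datapath(a, b)
               for a in range(256) for b in range(256))


# Known-answer vectors recorded at provisioning time with the correct key (constructed).
KAT_VECTORS = [(a, b, unlocked_datapath(a, b))
               for a, b in ((0x00, 0x00), (0xFF, 0x0F), (0x3C, 0xA5))]


def key_self_test(key: int) -> bool:
    """Defensive check: True only if the locked datapath reproduces every known answer."""
    return all(locked_datapath(a, b, key) == out for a, b, out in KAT_VECTORS)


if __name__ == "__main__":
    tampered = CORRECT_KEY ^ (1 << 3)  # one key bit altered at runtime
    print("divergent outputs:", count_divergent_outputs(CORRECT_KEY),
          count_divergent_outputs(tampered))
    print("self-test:", key_self_test(CORRECT_KEY), key_self_test(tampered))
```

With the correct key no output diverges and the self-test passes; with any single key bit flipped all 65536 input pairs produce a wrong output and the self-test fails, so the check should gate the start of cryptographic processing rather than be run once at boot.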
Implications
- Compromised Trust in Hardware Security: This finding severely undermines the trust placed in logic locking as a comprehensive hardware protection measure, especially in architectures intended for high-security environments like the MiG-V.
- New Attack Surface: Logic locking is not merely a static defense against design extraction or modification, but a potential dynamic attack surface that can be leveraged by adversaries with physical access or exploit capabilities.
- RISC-V Ecosystem Impact: As the RISC-V architecture relies heavily on customizability and potentially distributed manufacturing chains, the failure of a primary hardware security feature (logic locking) in a commercial chip signals the need for far more robust verification across all hardware security IPs.
- Design Rework Required: Future implementations of logic locking must incorporate protective measures that prevent runtime manipulation of the locking key, or secure the processor state such that key changes do not induce observable or exploitable data leakage.