Fabrication-Aware Reverse Engineering

Updated 18 August 2025
  • Fabrication-aware reverse engineering is a multidisciplinary approach that incorporates real-world fabrication artifacts and constraints to extract high-fidelity design models.
  • The methodology integrates SAT-based probing, model checking, and advanced imaging techniques to overcome challenges like process noise and intentional camouflaging.
  • Practical insights include the use of reconfigurable logic and adversarial machine learning to enhance countermeasures against supply chain vulnerabilities.

Fabrication-aware reverse engineering is a research area at the intersection of hardware security, physical design, logic, and algorithmics that addresses the extraction, inference, or reconstruction of system designs by explicitly considering the constraints, opportunities, and artifacts introduced by real-world fabrication processes. Unlike conventional reverse engineering approaches that assume "ideal" circuit representations or architectural abstractions, fabrication-aware methods leverage or must overcome the physical realities of manufacturing—including process noise, camouflaging techniques, layer artifacts, measurement limitations, and the absence of privileged scan or debug access—in order to recover high-fidelity structural or functional models of the underlying device or object.

1. Methodological Foundations: From SAT and Model Checking to Physical Probing

Fabrication-aware reverse engineering integrates a variety of algorithmic and experimental methodologies, often tailored to the attack surface and available information:

  • SAT-based Reverse Engineering with Fault Injection and Probing: Standard Boolean satisfiability (SAT) attacks, historically effective for combinational circuits with oracle access, are extended to handle scenarios where neither gate function nor wiring is known, particularly under aggressive physical camouflaging. In this context, the attacker models the circuit schematic with configuration variables for both connections and gate functions. Crucially, practical fabricated circuits are interrogated using laser fault injection—forcing internal nodes to known states—and backside voltage probing. These experiments provide direct constraints and high-resolution observability signals that, when incorporated into the SAT formulation, allow the precise gate-by-gate reconstruction of the schematic (Keshavarz et al., 2018).
  • Model Checking for Sequential Circuits Without Scan Access: For sequential circuits lacking scan chains or other forms of internal state observation (a common defense in fabrication), reverse engineering must reason about hidden states. Here, iterative use of bounded and unbounded model checking identifies discriminating sets of input sequences—carefully chosen stimuli that, together, rule out all but one functionally correct completion of the circuit's camouflaged elements. Sufficient conditions such as Unique Completion (UC) and Combinational Equivalence (CE) tests are employed to terminate the attack efficiently (Massad et al., 2017).
  • Physical and Imaging Modalities: For both integrated circuits (ICs) and printed circuit boards (PCBs), reverse engineering accounts for the destructive (delayering, etching) and non-destructive (computed tomography, backside SEM) imaging steps. Here, image analysis, feature segmentation, and machine learning methods are improved by recognizing that real fabricated features carry process-specific artifacts (etch residues, nonuniformity, drift), which must be modeled or corrected to recover credible netlists or geometric assemblies (Botero et al., 2020).
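The oracle-guided loop behind the first two bullets (choose a discriminating input, query the fabricated chip, prune candidate completions, stop at Unique Completion or when the survivors are Combinationally Equivalent) can be made concrete on a toy netlist. The following is an added illustration, not code from any of the cited papers: it replaces the SAT/model-checking solver with brute-force enumeration over a constructed three-cell circuit, and models a physical probe on an internal node as a constraint that fixes one cell's function. Useful on the defensive side for estimating how many oracle queries a camouflaging choice survives.

```python
from itertools import product

# Candidate functions a camouflaged cell may implement (constructed toy library).
GATES = {
    "AND":  lambda a, b: a & b,
    "OR":   lambda a, b: a | b,
    "XOR":  lambda a, b: a ^ b,
    "NAND": lambda a, b: 1 - (a & b),
}

def evaluate(completion, x):
    """Toy netlist: g1 = f1(x0,x1), g2 = f2(x2,x3), out = f3(g1,g2).
    Returns (g1, g2, out) so internal nodes are available to a 'probe'."""
    f1, f2, f3 = (GATES[g] for g in completion)
    g1, g2 = f1(x[0], x[1]), f2(x[2], x[3])
    return g1, g2, f3(g1, g2)

def find_dip(candidates):
    """Discriminating input: one on which surviving completions disagree at the output."""
    for x in product((0, 1), repeat=4):
        if len({evaluate(c, x)[2] for c in candidates}) > 1:
            return x
    return None  # all survivors are combinationally equivalent (CE)

def oracle_guided_recovery(true_completion, probe_gate=None):
    """Brute-force stand-in for the SAT/model-checking loop: query the fabricated
    'oracle' on discriminating inputs, prune candidates, stop at UC or CE.
    probe_gate=k models a physical probe on internal node of cell k that reveals
    that cell's function directly. Returns (survivors, oracle queries used)."""
    candidates = list(product(GATES, repeat=3))
    if probe_gate is not None:
        candidates = [c for c in candidates if c[probe_gate] == true_completion[probe_gate]]
    queries = 0
    while True:
        dip = find_dip(candidates)
        if dip is None:
            break  # one survivor (UC) or several CE survivors: nothing left to learn
        observed = evaluate(true_completion, dip)[2]
        queries += 1
        candidates = [c for c in candidates if evaluate(c, dip)[2] == observed]
    return candidates, queries

if __name__ == "__main__":
    secret = ("NAND", "AND", "XOR")  # constructed hidden configuration
    survivors, n = oracle_guided_recovery(secret)
    print(f"I/O only: {len(survivors)} CE survivors after {n} queries: {survivors}")
    survivors, n = oracle_guided_recovery(secret, probe_gate=0)
    print(f"with probe on cell 0: {len(survivors)} survivor (UC) after {n} queries")
```

With output-only access the hidden ("NAND", "AND", "XOR") cannot be told apart from ("AND", "NAND", "XOR") because XOR absorbs the inversion, so the loop halts on a CE pair; a single probe on the first cell collapses this to Unique Completion, which is exactly the gain the probing-augmented SAT formulation obtains.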

2. Attack Surfaces and Fabrication-Driven Vulnerabilities

The fabrication process introduces both challenges and opportunities for reverse engineers:

  • Camouflaging and Obfuscation: Techniques like gate camouflaging, logic locking, and scan chain restriction are specifically designed to obfuscate functionality or wiring at the physical layer. However, the empirical validation of such defenses often presumes an attacker's ignorance of fabrication realities; in practice, enhanced attacks utilizing internal probing or exploiting process artifacts may bypass these measures, especially if defensive schemes are not sufficiently robust to realistic threat models (e.g., ability to induce glitches, observe intermediate voltages, or extract configuration bitstreams) (Keshavarz et al., 2018, Massad et al., 2017, Abideen et al., 2021).
  • Supply Chain Exposure and Split Manufacturing: The globalization of chip fabrication renders designs accessible to potentially untrusted parties during manufacturing, increasing vulnerability to overproduction, piracy, Trojan insertion, and direct layout inspection. Split manufacturing, wherein only sensitive portions are fabricated in trusted environments, is invoked as a partial countermeasure, though attackers may still leverage incomplete layouts to infer functionality, especially with knowledge of standard cell libraries or imaging data (Dhavlle, 2022).
  • Vulnerability Quantification: The difficulty of fabrication-aware reverse engineering is highly context-dependent, combining task properties (circuit size, interconnect complexity, fabrication artifacts) and human/operator properties (domain expertise, cognitive load) (Fyrbiak et al., 2019). No universal metric exists; instead, complexity must be assessed for each intended countermeasure or attack.

3. Hardware and System-Level Implications

Fabrication-aware reverse engineering has driven fundamental innovations and security analyses across hardware layers:

  • Obfuscated Systems with Reconfigurable Fabrics: The insertion of FPGA-style programmable LUTs or eFPGAs into otherwise static ASIC flows allows for post-fabrication configuration (bitstream programming), which can hide IP at fabrication time. The effectiveness of such obfuscation hinges on maintaining a high percentage of reconfigurable logic (empirically >86%) and customizing the interconnect topology and bitstream formats to resist SAT-based and structural analysis attacks. Security is not solely a function of bitstream length but also of routing complexity, cyclic dependencies, and unique masking pattern distributions (Abideen et al., 2021, Bhandari et al., 2021).
  • Countermeasures based on Adversarial Machine Learning: CAPTIVE demonstrates that by embedding DRC-compliant adversarial perturbations into IC layout images, automated gate-recognition ML tools (e.g., RecoG-Net) can be rendered highly unreliable, with gate classification accuracy dropping from near 100% to 30%. Critically, these perturbations are constrained to adhere to fabrication rules (minimum spacing), thus are not trivially distinguishable from normal process variation (Zargari et al., 2021).
  • Obfuscated Secure Interconnects: At the SoC and chiplet level, obfuscating network topologies using reconfigurable hardware switches (e.g., programmable MUX/DEMUX structures controlled by activation packages) can produce massive redundancy in legal topologies (combinatorial explosion), making functional reverse engineering or SAT-based topology recovery prohibitively difficult (Halder, 2023).

4. Cognitive and Human Factors

Reverse engineering is intrinsically a human-computer interaction challenge, especially in the context of flattened or highly obfuscated netlists:

  • Cognitive Load and Multifaceted Process Phases: Empirical studies support a phase model comprising candidate identification (algorithmic and manual), functional verification (divide-and-conquer, hypothesis testing), and realization (modification or analysis of extracted logic). Efficiency is strongly correlated with working memory capacity; designs that overload human cognitive resources (e.g., by inserting numerous decoy structures or diffusing relevant logic among similar substructures) can impede reverse engineering and inform new "cognitive obfuscation" countermeasures (Becker et al., 2021, Fyrbiak et al., 2019).
  • Interdisciplinary Research: Comprehensive reverse engineering metrics must simultaneously account for behavioral/cognitive factors and technical hurdles imposed by fabrication—leading to calls for interdisciplinary methods combining laboratory studies, problem-solving research, and technical assessment (Fyrbiak et al., 2019).

5. Extending Fabrication-Awareness: Beyond ICs to Computational Optics and 3D Fabrication

Fabrication-aware reverse engineering principles are generalized in adjacent domains:

  • Computational Diffractive Optics: For large-area diffractive optical elements (DOEs), accurately simulating, manufacturing, and ultimately reverse engineering such systems requires explicit modeling of fabrication-induced interpolation kernels, laser exposure, resist development, and imprinting-induced distortions. Integration of super-resolved neural lithography models into end-to-end differentiable optics frameworks enables not only forward design with process compensation but also the diagnosis of performance discrepancies in legacy elements—a digital twin paradigm for reverse engineering (Wei et al., 28 May 2025).
  • Shape and Assembly Recovery in Manufactured Objects: In carpentry and manufacturing, reverse engineering from images must map the physical assembly and joint constraints into a recoverable part decomposition with fabrication-aware parametric geometry. The process leverages domain-specific constraints, multi-view segmentation, and geometric program factorization to recover not only the appearance but also the manufacturability and connectivity of the object (Noeckel et al., 2021, You et al., 19 Jul 2024).

6. Implications, Countermeasures, and Future Directions

The evolution and analysis of fabrication-aware reverse engineering have several notable implications:

  • Design for Security Under Fabrication Constraints: Robust circuit protection cannot rely solely on scan chain restriction, logic locking, or static netlist obfuscation. Adversaries, assuming fabrication-related access (fault injection, backside probing, process-aware image analysis), can bypass traditional defenses unless these explicitly account for all plausible fabrication attack vectors (Massad et al., 2017, Keshavarz et al., 2018, Wallat et al., 2019, Dhavlle, 2022).
  • Multi-layered and Adaptive Countermeasures: Effective countermeasures—such as dynamic opaque predicates, runtime integrity checks, randomized power profiles, encrypted or diversified configuration bitstreams—must anticipate both technical and human-driven reverse engineering. New defenses increasingly prioritize combinatorial redundancy, dynamic configuration, and cognitive or information-theoretic hardness (Abideen et al., 2021, Wallat et al., 2019, Becker et al., 2021).
  • Trust and Assurance Roadmaps: The integration of advanced image processing, machine learning, and standardized benchmarks enables the development of automated, fabrication-aware workflows for trust and assurance (Trojan detection, authenticity verification, obsolescence management), with clear calls for benchmark datasets and modular, iterative workflows (Botero et al., 2020).
  • Reverse Engineering as a Tool for Design Verification: Fabrication-aware reverse engineering, while often associated with offensive security, serves as a critical method for ensuring design integrity and supply chain trust—employing the same physical analyses to validate that as-fabricated devices implement intended functionalities without unauthorized modifications or embedded hardware malware (Botero et al., 2020, Dhavlle, 2022).
  • Future Research Vectors: Anticipated directions include further exploration of fabrication-aware topology optimization, uncertainty-aware robust design under process fluctuations, expanded application to volumetric and multi-physics structures, and the development of scalable, fully automated cognitive-technical defense generators.

In summary, fabrication-aware reverse engineering is a rapidly maturing field that exposes the necessity of co-designing physical hardware, logical obfuscation, and cognitive defense strategies in light of both known and emerging capabilities of adversaries with realistic access to the fabrication process and its artifacts. The state of the art blends advanced algorithmics, physical modeling, experimental probing, cognitive human factors analysis, and interdisciplinary roadmap strategies. This blend is necessary to analyze, defend, and ultimately improve the resilience of contemporary and future hardware systems against sophisticated forms of unauthorized design extraction and manipulation.