CRESS: Framework for Vulnerability Assessment of Attack Scenarios in Hardware Reverse Engineering

Trust and security of microelectronic systems are a major driver for game-changing trends like autonomous driving or the internet of things. These trends are endangered by threats like soft- and hardware attacks or IP tampering – wherein often hardware reverse engineering (RE) is involved for efficient attack planning. The constant publication of new RE-related scenarios and countermeasures renders a profound rating of these extremely difficult. Researchers and practitioners have no tools or framework which aid a common, consistent classification of these scenarios. In this work, this rating framework is introduced: the common reverse engineering scoring system (CRESS). The framework allows a general classification of published settings and renders them comparable. We introduce three metrics: exploitability, impact, and a timestamp. For these metrics, attributes are defined which allow a granular assessment of RE on the one hand, and attack requirements, consequences, and potential remediation strategies on the other. The system is demonstrated in detail via five case studies and common implications are discussed. We anticipate CRESS to evaluate possible vulnerabilities and to safeguard targets more proactively.