pith. sign in

arxiv: 2606.05459 · v1 · pith:KXMN36SRnew · submitted 2026-06-03 · 💻 cs.CR · cs.SY· eess.SY

CRESS: Quantifying Vulnerabilities of Attack Scenarios in Hardware Reverse Engineering

Pith reviewed 2026-06-28 05:09 UTC · model grok-4.3

classification 💻 cs.CR cs.SYeess.SY
keywords hardware reverse engineeringvulnerability scoringCRESSattack scenariosCVSSexpert interviewsquantitative assessmenthardware security
0
0 comments X

The pith

Expert-derived weights turn qualitative hardware reverse engineering attack categories into a quantitative CRESS score that rates scenarios more expressively than CVSS.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper extends an earlier qualitative classification of reverse engineering attacks into a quantitative system called CRESS. Researchers conducted an interview study with domain experts to assign weights that reflect the relative severity of different attack categories. These weights feed into an equation that produces a single numerical score for any given scenario. When the scores are applied to six case studies, they distinguish risk levels in ways the standard CVSS metric cannot. The result is a consistent, comparable rating method intended to guide countermeasures across known and new attack scenarios.

Core claim

The CRESS score is produced by an equation that multiplies category weights—obtained from expert interviews—by the presence of each category in a scenario; the resulting number quantifies severity, enables direct comparison of disparate attacks, and demonstrates greater expressiveness than CVSS ratings on the same cases.

What carries the argument

The CRESS score equation, which sums weighted severities of reverse engineering attack categories determined by expert study.

If this is right

  • New attack scenarios receive numerical ratings without requiring a fresh qualitative analysis each time.
  • Scenarios involving different combinations of counterfeiting, trojans, or on-device attacks become directly comparable by score.
  • Countermeasure priorities can be set according to the magnitude of the calculated scores rather than narrative descriptions.
  • A shared numerical language emerges for discussing hardware reverse engineering risks across research and industry teams.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If the weighting approach generalizes, similar expert-derived equations could be developed for other hardware security domains such as side-channel or fault-injection attacks.
  • Supply-chain risk assessments that currently rely on CVSS might incorporate CRESS scores to capture reverse-engineering-specific factors.
  • Periodic re-interview of experts could be used to update weights as new attack techniques appear.

Load-bearing premise

The weights derived from the expert interviews correctly capture relative severity and remain valid when applied to attack scenarios not seen during the study.

What would settle it

A replication in which a new panel of experts assigns materially different weights to the same categories or in which CRESS scores for additional scenarios show no greater differentiation than CVSS scores.

Figures

Figures reproduced from arXiv: 2606.05459 by Alexander Hepp, Georg Sigl, Johanna Baehr, Matthias Ludwig, Michaela Brunner.

Figure 1
Figure 1. Figure 1: Process flow for hardware reverse engineering of integrated circuits [13]. [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Overview of the CRESS. The metrics result in a [PITH_FULL_IMAGE:figures/full_fig_p003_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: Exemplary questions of the interactive interview [PITH_FULL_IMAGE:figures/full_fig_p005_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Self-rated Interviewee expertise and experience for [PITH_FULL_IMAGE:figures/full_fig_p006_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: Standard Deviation and mean • / median (×) of Numeric Values for Exploitability and Attribute Weights for Impact Finally, we define the total CRESS score CRESS Score = (4) 10 ·    [PITH_FULL_IMAGE:figures/full_fig_p008_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: Histogram of CRESS Scores for all combinations of [PITH_FULL_IMAGE:figures/full_fig_p009_6.png] view at source ↗
read the original abstract

The safety, security, and reliability of microelectronic systems depend on a trustworthy, secured supply chain and design flow. Globally distributed supply chains or unintentional design weaknesses leave the door open for attacks on the hardware level. These scenarios encompass counterfeiting, hardware trojans, or on-device attacks. For these, hardware reverse engineering (RE) results play a pivotal role. The ongoing publication of new RE-involved attacks motivated the development of the common RE scoring system (CRESS). The system enables a general classification of RE-involved scenarios for a common, consistent rating. In this work, the originally qualitative system is extended to a quantitative system. We performed an extensive interview study with experts in the field. The interview results allowed us to derive weights that measure the severity of different RE-involved attack categories. The weights form an equation that quantifies scenarios, resulting in the severity-indicating CRESS score. The score enables the coherent rating of novel scenarios, renders them comparable, and supports the development of effective countermeasures. To showcase the effectiveness of the quantitative CRESS Score, six selected case studies are rated qualitatively and quantitatively. The CRESS Score proves to be significantly more expressive than the industry-standard Common Vulnerability Scoring System (CVSS).

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 1 minor

Summary. The manuscript introduces the Common Reverse Engineering Scoring System (CRESS) as a quantitative extension of a prior qualitative framework for classifying hardware reverse engineering (RE) attack scenarios. Weights for RE attack categories are derived from an expert interview study and combined into an equation yielding a severity-indicating CRESS score; the system is then applied to six case studies, with the central claim that CRESS is significantly more expressive than CVSS.

Significance. If the interview-derived weights prove robust and the expressiveness advantage is demonstrated with a reproducible metric, CRESS could supply a needed standardized, comparable rating for RE-involved threats in hardware supply chains and thereby support prioritized countermeasures. The work's use of external expert input rather than purely internal parameters is a positive feature, but the current absence of methodological transparency and quantitative validation limits its assessed contribution.

major comments (3)
  1. [Abstract / Case Studies] Abstract and case-study section: the claim that CRESS 'proves to be significantly more expressive' than CVSS rests on narrative description of six case studies without a formal definition of expressiveness (e.g., number of distinct score bins, mutual information with ground-truth severity, or inter-rater agreement delta) or any statistical comparison; this directly undermines the central superiority assertion.
  2. [Interview Study / Weight Derivation] Interview-study section (methodology): no information is supplied on sample size, participant recruitment, interview protocol, bias controls, or inter-rater reliability for the expert-derived category severity weights; without these, the quantitative equation cannot be evaluated for reproducibility or generalizability.
  3. [Quantitative Model] Quantitative equation: the abstract states that the weights 'form an equation' but provides neither the explicit formula nor the list of categories and their numerical weights, preventing independent verification or application to novel scenarios.
minor comments (1)
  1. [Case Studies] Clarify whether the CRESS score is intended to be used in isolation or in conjunction with CVSS, and provide at least one worked numerical example from a case study.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback on our manuscript. We address each major comment below and will revise the paper to improve methodological transparency, clarity of the model, and the strength of the expressiveness claim.

read point-by-point responses
  1. Referee: [Abstract / Case Studies] Abstract and case-study section: the claim that CRESS 'proves to be significantly more expressive' than CVSS rests on narrative description of six case studies without a formal definition of expressiveness (e.g., number of distinct score bins, mutual information with ground-truth severity, or inter-rater agreement delta) or any statistical comparison; this directly undermines the central superiority assertion.

    Authors: We agree that the superiority claim would be strengthened by a formal definition and quantitative comparison rather than relying solely on narrative description of the six case studies. In the revision we will add an explicit definition of expressiveness (e.g., number of distinct score bins produced and the count of scenarios that receive identical CVSS scores but distinct CRESS scores) together with a comparative table and, where possible, a simple statistical summary of differentiation. revision: yes

  2. Referee: [Interview Study / Weight Derivation] Interview-study section (methodology): no information is supplied on sample size, participant recruitment, interview protocol, bias controls, or inter-rater reliability for the expert-derived category severity weights; without these, the quantitative equation cannot be evaluated for reproducibility or generalizability.

    Authors: The current manuscript does not provide these methodological details. We will expand the interview-study section in the revision to report sample size, recruitment method, interview protocol, bias-mitigation steps, and any inter-rater reliability or consensus measures used when deriving the weights. revision: yes

  3. Referee: [Quantitative Model] Quantitative equation: the abstract states that the weights 'form an equation' but provides neither the explicit formula nor the list of categories and their numerical weights, preventing independent verification or application to novel scenarios.

    Authors: We acknowledge that the explicit formula and the numerical weights are not stated in the abstract and are insufficiently prominent for independent use. In the revision we will include the complete equation and a table listing all categories with their derived weights, ensuring the model is fully specified and reproducible from the text. revision: yes

Circularity Check

0 steps flagged

No significant circularity; derivation uses external interview data

full rationale

The paper's central derivation obtains category weights via an external expert interview study, then assembles them into a scoring equation. This step is independent of the target CRESS values or the CVSS comparison. No equations, self-citations, or fitted parameters are shown that reduce the claimed score or expressiveness result to the inputs by construction. The six case studies constitute an application and narrative comparison, not a self-referential prediction. The derivation chain is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

1 free parameters · 1 axioms · 0 invented entities

The quantitative score rests on the assumption that expert interview responses yield stable, unbiased weights for attack categories and that the chosen categories plus six case studies suffice to demonstrate superiority over CVSS.

free parameters (1)
  • category severity weights
    Numerical values assigned to each RE attack category based on aggregated expert interview responses
axioms (1)
  • domain assumption Expert interviews produce reliable and generalizable severity measures for RE attack categories
    Invoked to convert qualitative categories into the quantitative scoring equation

pith-pipeline@v0.9.1-grok · 5762 in / 1260 out tokens · 29355 ms · 2026-06-28T05:09:27.304968+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

47 extracted references

  1. [1]

    Benso and P

    A. Benso and P . Prinetto, Eds.,Fault Injection Techniques and Tools for Embedded Systems Reliability Evaluation. 2003, 1241 pp

  2. [2]

    Mangard, E

    S. Mangard, E. Oswald, and T. Popp,Power Analysis Attacks: Revealing the Secrets of Smart Cards, 1st. 2010

  3. [3]

    M. M. Tehranipoor, U. Guin, and D. Forte,Counterfeit Integrated Circuits: Detection and Avoidance. 2015

  4. [4]

    Bhunia and M

    S. Bhunia and M. M. Tehranipoor,The Hardware Trojan War: Attacks, Myths, and Defenses. 2017

  5. [5]

    Common Criteria Certification

    Bundesamt f ¨ur Sicherheit in der Informationstechnik. “Common Criteria Certification. ”https://www.commoncriteriaportal.org/ cc/

  6. [6]

    Platform Security Architecture (PSA) Certifica- tion

    PSA Certified. “Platform Security Architecture (PSA) Certifica- tion. ”https://www.psacertified.org/

  7. [7]

    https://www.sae.org/standards/content/ as6171/

    SAE International,Test Methods Standard; General Requirements, Suspect/Counterfeit, Electrical, Electronic, and Electromechanical Parts AS6171, 2016. https://www.sae.org/standards/content/ as6171/

  8. [8]

    https://www

    SAE International,Counterfeit Materiel; Assuring Acquisition of Authentic and Conforming Materiel AS6174, 2017. https://www. sae.org/standards/content/as6174/

  9. [9]

    https://idofea.org/quality- standards/

    The Independent Distributors of Electronics Association (IDEA), IDEA-STD-1010-B: Acceptability of Electronic Components Dis- tributed in the Open Market, 2018. https://idofea.org/quality- standards/

  10. [10]

    The Common Vulnerabilities and Ex- posures (CVE)

    The MITRE Corporation. “The Common Vulnerabilities and Ex- posures (CVE). ”https://www.cve.org/

  11. [11]

    Common Weakness Enumeration (CWE)

    The MITRE Corporation. “Common Weakness Enumeration (CWE). ”https://cwe.mitre.org/

  12. [12]

    Common Vulnerability Scoring System version 3.1: Specification Document

    I. FIRST.Org. “Common Vulnerability Scoring System version 3.1: Specification Document. ”https : / / www. first . org / cvss / v3.1/specification-document

  13. [13]

    CRESS: Frame- work for Vulnerability Assessment of Attack Scenarios in Hard- ware Reverse Engineering,

    M. Ludwig, A. Hepp, M. Brunner, and J. Baehr, “CRESS: Frame- work for Vulnerability Assessment of Attack Scenarios in Hard- ware Reverse Engineering,” in2021 IEEE Physical Assurance Inspection Electron.s (P AINE), (Dec. 2021), 2021

  14. [14]

    Increasing the efficiency of laser fault injections using fast gate level reverse engineering,

    F. Courbon, P . Loubet-Moundi, J. J. A. Fournier, and A. Tria, “Increasing the efficiency of laser fault injections using fast gate level reverse engineering,” in2014 IEEE Int. Symp. Hardware- Oriented Secur. Trust (HOST), 2014

  15. [15]

    Tapeout of a RISC-V Crypto Chip with Hardware Trojans,

    A. Hepp and G. Sigl, “Tapeout of a RISC-V Crypto Chip with Hardware Trojans,” inProc. 18th ACM Int. Conf. Comput. Frontiers. 2021

  16. [16]

    Stealthy dopant-level hardware Trojans: Extended version,

    G. Becker, F. Regazzoni, C. Paar, and W. Burleson, “Stealthy dopant-level hardware Trojans: Extended version,”J. Cryptogr. Eng., 2014

  17. [17]

    The State-of-the-art in Semiconductor Reverse Engineering,

    R. Torrance and D. James, “The State-of-the-art in Semiconductor Reverse Engineering,” inProc. 48th Des. Automat. Conf., 2011

  18. [18]

    Large-Area Automated Lay- out Extraction Methodology for Full-IC Reverse Engineering,

    R. Quijada, R. Dura, and J. Pallares, “Large-Area Automated Lay- out Extraction Methodology for Full-IC Reverse Engineering,” in J. Hardware Syst. Secur., 2018

  19. [19]

    Verification of physical designs using an integrated reverse engineering flow for nanoscale technologies,

    B. Lippmann et al., “Verification of physical designs using an integrated reverse engineering flow for nanoscale technologies,” Integration, 2020

  20. [20]

    PLaNe: Reverse Engineering of Planar Layouts to Gate-Level Netlists,

    M. Putz, M. Ludwig, B. Lippmann, and H. Graeb, “PLaNe: Reverse Engineering of Planar Layouts to Gate-Level Netlists,” in 2023 IEEE Physical Assurance Inspection Electron.s (P AINE), 2023

  21. [21]

    Reverse Engineering Digital Circuits Using Structural and Functional Analyses,

    P . Subramanyan et al., “Reverse Engineering Digital Circuits Using Structural and Functional Analyses,”IEEE Trans. Emerg. Topics Comput., 2014

  22. [22]

    Reverse En- gineering of Cryptographic Cores by Structural Interpretation Through Graph Analysis,

    M. Werner, B. Lippmann, J. Baehr, and H. Gr ¨ab, “Reverse En- gineering of Cryptographic Cores by Structural Interpretation Through Graph Analysis,” in3rd IEEE Int. Verification Secur. Workshop, 2018

  23. [23]

    Functional block identification in circuit design recovery,

    J. Couch, E. Reilly, M. Schuyler, and B. Barrett, “Functional block identification in circuit design recovery,” in2016 IEEE Int. Symp. Hardware Oriented Secur. Trust (HOST), 2016

  24. [24]

    DANA Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering,

    N. Albartus, M. Hoffmann, S. Temme, L. Azriel, and C. Paar, “DANA Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering,”IACR Trans. Cryptogr. Hardware Embedded Syst., 2020

  25. [25]

    Extracting functional modules from flattened gate-level netlist,

    Y. Shi, B. Gwee, Ye Ren, Thet Khaing Phone, and Chan Wai Ting, “Extracting functional modules from flattened gate-level netlist,” in2012 Int. Symp. Commun. Information Technologies (ISCIT), 2012

  26. [26]

    Netlist reverse engineering for high-level functionality reconstruction,

    T. Meade, S. Zhang, and Y. Jin, “Netlist reverse engineering for high-level functionality reconstruction,” in21st Asia South Pacific Des. Automat. Conf., 2016

  27. [27]

    Improving on State Register Identification in Sequential Hardware Reverse Engineering,

    M. Brunner, J. Baehr, and G. Sigl, “Improving on State Register Identification in Sequential Hardware Reverse Engineering,” in 2019 IEEE Int. Symp. Hardware Oriented Secur. Trust (HOST), 2019

  28. [28]

    Defeating Silicon Reverse Engineering Using a Layout-Level Standard Cell Camouflage,

    H. Gomez, C. Duran, and E. Roa, “Defeating Silicon Reverse Engineering Using a Layout-Level Standard Cell Camouflage,” IEEE Trans. Consum. Electron., 2019

  29. [29]

    Logic Locking: A Survey of Pro- posed Methods and Evaluation Metrics,

    S. Dupuis and M.-L. Flottes, “Logic Locking: A Survey of Pro- posed Methods and Evaluation Metrics,”J. Electron. Testing, 2019

  30. [30]

    Puschner, T

    E. Puschner, T. Moos, S. Becker, C. Kison, A. Moradi, and C. Paar, Red Team vs. Blue Team: A Real-World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations, Cryptology ePrint Archive, Paper 2022/1720, 2022. https : / / eprint.iacr.org/2022/1720

  31. [31]

    Counterfeit Detection by Semiconductor Process Technology Inspection,

    M. Ludwig, A.-C. Bette, B. Lippmann, and G. Sigl, “Counterfeit Detection by Semiconductor Process Technology Inspection,” in 2023 IEEE European Test Symp. (ETS), 2023

  32. [32]

    Building trusted ICs using split fabrication,

    K. Vaidyanathan, B. P . Das, E. Sumbul, R. Liu, and L. Pileggi, “Building trusted ICs using split fabrication,” in2014 IEEE Int. Symp. Hardware-Oriented Secur. Trust (HOST), 2014

  33. [33]

    Date and Time on the Internet: Timestamps,

    G. Klyne and C. Newman, “Date and Time on the Internet: Timestamps,” Tech. Rep., 2002

  34. [34]

    Announcing CVSS v4.0

    FIRST.Org, Inc. “Announcing CVSS v4.0. ”https://www.first. org/cvss/v4-0/cvss-v40-presentation.pdf

  35. [35]

    Conceptboard

    Conceptboard. “Conceptboard. ”https://conceptboard.com/

  36. [36]

    Com- mon Reverse Engineering Scoring System (CRESS) resource page

    A. Hepp, M. Ludwig, M. Brunner, J. Baehr, and G. Sigl. “Com- mon Reverse Engineering Scoring System (CRESS) resource page. ”https://purl.org/cress/thetool

  37. [37]

    Fault Attacks Resistant AES Hardware Implementation,

    H. Mestiri, N. Benhadjyoussef, and M. Machhout, “Fault Attacks Resistant AES Hardware Implementation,” in2019 IEEE Int. Conf. Des. & Test Integr. Micro & Nano-Syst. (DTS), 2019

  38. [38]

    Reversing Stealthy Dopant-Level Circuits,

    T. Sugawara et al., “Reversing Stealthy Dopant-Level Circuits,” inCryptogr. Hardware Embedded Syst.2014

  39. [39]

    Common Vulnerability Scoring System Version 3.1 Calculator – Result

    FIRST.Org, Inc. “Common Vulnerability Scoring System Version 3.1 Calculator – Result. ”https://www.first.org/cvss/calculator/ 3.1#CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

  40. [41]

    Common Vulnerability Scoring System Version 3.1 Calculator – Result

    FIRST.Org, Inc. “Common Vulnerability Scoring System Version 3.1 Calculator – Result. ”https://www.first.org/cvss/calculator/ 3.1#CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:L

  41. [42]

    Common Vulnerability Scoring System Version 3.1 Calculator – Result

    FIRST.Org, Inc. “Common Vulnerability Scoring System Version 3.1 Calculator – Result. ”https://www.first.org/cvss/calculator/ 3.1#CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

  42. [43]

    Common Vulnerability Scoring System Version 3.1 Calculator – Result

    FIRST.Org, Inc. “Common Vulnerability Scoring System Version 3.1 Calculator – Result. ”https://www.first.org/cvss/calculator/ 3.1#CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

  43. [44]

    Common Vulnerability Scoring System Version 3.1 Calculator – Result

    FIRST.Org, Inc. “Common Vulnerability Scoring System Version 3.1 Calculator – Result. ”https://www.first.org/cvss/calculator/ 3.1#CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. 13

  44. [45]

    The First Collision for Full SHA-1,

    M. Stevens, E. Bursztein, P . Karpman, A. Albertini, and Y. Markov, “The First Collision for Full SHA-1,” inAdvances Cryp- tology – CRYPTO 2017, J. Katz and H. Shacham, Eds., 2017

  45. [46]

    Reverse En- gineering Flash EEPROM Memories Using Scanning Electron Microscopy,

    F. Courbon, S. Skorobogatov, and C. Woods, “Reverse En- gineering Flash EEPROM Memories Using Scanning Electron Microscopy,” inSmart Card Research Advanced Applications, K. Lemke-Rust and M. Tunstall, Eds., 2017

  46. [47]

    A Survey on Chip to System Reverse Engineering,

    S. E. Quadir et al., “A Survey on Chip to System Reverse Engineering,”J. Emerg. Technol. Comput. Syst., 2016

  47. [48]

    CWE VIEW: Hardware Design

    The MITRE Corporation. “CWE VIEW: Hardware Design. ”https: //cwe.mitre.org/data/definitions/1194.html