CRESS: Quantifying Vulnerabilities of Attack Scenarios in Hardware Reverse Engineering
Pith reviewed 2026-06-28 05:09 UTC · model grok-4.3
The pith
Expert-derived weights turn qualitative hardware reverse engineering attack categories into a quantitative CRESS score that rates scenarios more expressively than CVSS.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The CRESS score is produced by an equation that multiplies category weights—obtained from expert interviews—by the presence of each category in a scenario; the resulting number quantifies severity, enables direct comparison of disparate attacks, and demonstrates greater expressiveness than CVSS ratings on the same cases.
What carries the argument
The CRESS score equation, which sums weighted severities of reverse engineering attack categories determined by expert study.
If this is right
- New attack scenarios receive numerical ratings without requiring a fresh qualitative analysis each time.
- Scenarios involving different combinations of counterfeiting, trojans, or on-device attacks become directly comparable by score.
- Countermeasure priorities can be set according to the magnitude of the calculated scores rather than narrative descriptions.
- A shared numerical language emerges for discussing hardware reverse engineering risks across research and industry teams.
Where Pith is reading between the lines
- If the weighting approach generalizes, similar expert-derived equations could be developed for other hardware security domains such as side-channel or fault-injection attacks.
- Supply-chain risk assessments that currently rely on CVSS might incorporate CRESS scores to capture reverse-engineering-specific factors.
- Periodic re-interview of experts could be used to update weights as new attack techniques appear.
Load-bearing premise
The weights derived from the expert interviews correctly capture relative severity and remain valid when applied to attack scenarios not seen during the study.
What would settle it
A replication in which a new panel of experts assigns materially different weights to the same categories or in which CRESS scores for additional scenarios show no greater differentiation than CVSS scores.
Figures
read the original abstract
The safety, security, and reliability of microelectronic systems depend on a trustworthy, secured supply chain and design flow. Globally distributed supply chains or unintentional design weaknesses leave the door open for attacks on the hardware level. These scenarios encompass counterfeiting, hardware trojans, or on-device attacks. For these, hardware reverse engineering (RE) results play a pivotal role. The ongoing publication of new RE-involved attacks motivated the development of the common RE scoring system (CRESS). The system enables a general classification of RE-involved scenarios for a common, consistent rating. In this work, the originally qualitative system is extended to a quantitative system. We performed an extensive interview study with experts in the field. The interview results allowed us to derive weights that measure the severity of different RE-involved attack categories. The weights form an equation that quantifies scenarios, resulting in the severity-indicating CRESS score. The score enables the coherent rating of novel scenarios, renders them comparable, and supports the development of effective countermeasures. To showcase the effectiveness of the quantitative CRESS Score, six selected case studies are rated qualitatively and quantitatively. The CRESS Score proves to be significantly more expressive than the industry-standard Common Vulnerability Scoring System (CVSS).
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript introduces the Common Reverse Engineering Scoring System (CRESS) as a quantitative extension of a prior qualitative framework for classifying hardware reverse engineering (RE) attack scenarios. Weights for RE attack categories are derived from an expert interview study and combined into an equation yielding a severity-indicating CRESS score; the system is then applied to six case studies, with the central claim that CRESS is significantly more expressive than CVSS.
Significance. If the interview-derived weights prove robust and the expressiveness advantage is demonstrated with a reproducible metric, CRESS could supply a needed standardized, comparable rating for RE-involved threats in hardware supply chains and thereby support prioritized countermeasures. The work's use of external expert input rather than purely internal parameters is a positive feature, but the current absence of methodological transparency and quantitative validation limits its assessed contribution.
major comments (3)
- [Abstract / Case Studies] Abstract and case-study section: the claim that CRESS 'proves to be significantly more expressive' than CVSS rests on narrative description of six case studies without a formal definition of expressiveness (e.g., number of distinct score bins, mutual information with ground-truth severity, or inter-rater agreement delta) or any statistical comparison; this directly undermines the central superiority assertion.
- [Interview Study / Weight Derivation] Interview-study section (methodology): no information is supplied on sample size, participant recruitment, interview protocol, bias controls, or inter-rater reliability for the expert-derived category severity weights; without these, the quantitative equation cannot be evaluated for reproducibility or generalizability.
- [Quantitative Model] Quantitative equation: the abstract states that the weights 'form an equation' but provides neither the explicit formula nor the list of categories and their numerical weights, preventing independent verification or application to novel scenarios.
minor comments (1)
- [Case Studies] Clarify whether the CRESS score is intended to be used in isolation or in conjunction with CVSS, and provide at least one worked numerical example from a case study.
Simulated Author's Rebuttal
We thank the referee for the constructive and detailed feedback on our manuscript. We address each major comment below and will revise the paper to improve methodological transparency, clarity of the model, and the strength of the expressiveness claim.
read point-by-point responses
-
Referee: [Abstract / Case Studies] Abstract and case-study section: the claim that CRESS 'proves to be significantly more expressive' than CVSS rests on narrative description of six case studies without a formal definition of expressiveness (e.g., number of distinct score bins, mutual information with ground-truth severity, or inter-rater agreement delta) or any statistical comparison; this directly undermines the central superiority assertion.
Authors: We agree that the superiority claim would be strengthened by a formal definition and quantitative comparison rather than relying solely on narrative description of the six case studies. In the revision we will add an explicit definition of expressiveness (e.g., number of distinct score bins produced and the count of scenarios that receive identical CVSS scores but distinct CRESS scores) together with a comparative table and, where possible, a simple statistical summary of differentiation. revision: yes
-
Referee: [Interview Study / Weight Derivation] Interview-study section (methodology): no information is supplied on sample size, participant recruitment, interview protocol, bias controls, or inter-rater reliability for the expert-derived category severity weights; without these, the quantitative equation cannot be evaluated for reproducibility or generalizability.
Authors: The current manuscript does not provide these methodological details. We will expand the interview-study section in the revision to report sample size, recruitment method, interview protocol, bias-mitigation steps, and any inter-rater reliability or consensus measures used when deriving the weights. revision: yes
-
Referee: [Quantitative Model] Quantitative equation: the abstract states that the weights 'form an equation' but provides neither the explicit formula nor the list of categories and their numerical weights, preventing independent verification or application to novel scenarios.
Authors: We acknowledge that the explicit formula and the numerical weights are not stated in the abstract and are insufficiently prominent for independent use. In the revision we will include the complete equation and a table listing all categories with their derived weights, ensuring the model is fully specified and reproducible from the text. revision: yes
Circularity Check
No significant circularity; derivation uses external interview data
full rationale
The paper's central derivation obtains category weights via an external expert interview study, then assembles them into a scoring equation. This step is independent of the target CRESS values or the CVSS comparison. No equations, self-citations, or fitted parameters are shown that reduce the claimed score or expressiveness result to the inputs by construction. The six case studies constitute an application and narrative comparison, not a self-referential prediction. The derivation chain is therefore self-contained against external benchmarks.
Axiom & Free-Parameter Ledger
free parameters (1)
- category severity weights
axioms (1)
- domain assumption Expert interviews produce reliable and generalizable severity measures for RE attack categories
Reference graph
Works this paper leans on
-
[1]
Benso and P
A. Benso and P . Prinetto, Eds.,Fault Injection Techniques and Tools for Embedded Systems Reliability Evaluation. 2003, 1241 pp
2003
-
[2]
Mangard, E
S. Mangard, E. Oswald, and T. Popp,Power Analysis Attacks: Revealing the Secrets of Smart Cards, 1st. 2010
2010
-
[3]
M. M. Tehranipoor, U. Guin, and D. Forte,Counterfeit Integrated Circuits: Detection and Avoidance. 2015
2015
-
[4]
Bhunia and M
S. Bhunia and M. M. Tehranipoor,The Hardware Trojan War: Attacks, Myths, and Defenses. 2017
2017
-
[5]
Common Criteria Certification
Bundesamt f ¨ur Sicherheit in der Informationstechnik. “Common Criteria Certification. ”https://www.commoncriteriaportal.org/ cc/
-
[6]
Platform Security Architecture (PSA) Certifica- tion
PSA Certified. “Platform Security Architecture (PSA) Certifica- tion. ”https://www.psacertified.org/
-
[7]
https://www.sae.org/standards/content/ as6171/
SAE International,Test Methods Standard; General Requirements, Suspect/Counterfeit, Electrical, Electronic, and Electromechanical Parts AS6171, 2016. https://www.sae.org/standards/content/ as6171/
2016
-
[8]
https://www
SAE International,Counterfeit Materiel; Assuring Acquisition of Authentic and Conforming Materiel AS6174, 2017. https://www. sae.org/standards/content/as6174/
2017
-
[9]
https://idofea.org/quality- standards/
The Independent Distributors of Electronics Association (IDEA), IDEA-STD-1010-B: Acceptability of Electronic Components Dis- tributed in the Open Market, 2018. https://idofea.org/quality- standards/
2018
-
[10]
The Common Vulnerabilities and Ex- posures (CVE)
The MITRE Corporation. “The Common Vulnerabilities and Ex- posures (CVE). ”https://www.cve.org/
-
[11]
Common Weakness Enumeration (CWE)
The MITRE Corporation. “Common Weakness Enumeration (CWE). ”https://cwe.mitre.org/
-
[12]
Common Vulnerability Scoring System version 3.1: Specification Document
I. FIRST.Org. “Common Vulnerability Scoring System version 3.1: Specification Document. ”https : / / www. first . org / cvss / v3.1/specification-document
-
[13]
CRESS: Frame- work for Vulnerability Assessment of Attack Scenarios in Hard- ware Reverse Engineering,
M. Ludwig, A. Hepp, M. Brunner, and J. Baehr, “CRESS: Frame- work for Vulnerability Assessment of Attack Scenarios in Hard- ware Reverse Engineering,” in2021 IEEE Physical Assurance Inspection Electron.s (P AINE), (Dec. 2021), 2021
2021
-
[14]
Increasing the efficiency of laser fault injections using fast gate level reverse engineering,
F. Courbon, P . Loubet-Moundi, J. J. A. Fournier, and A. Tria, “Increasing the efficiency of laser fault injections using fast gate level reverse engineering,” in2014 IEEE Int. Symp. Hardware- Oriented Secur. Trust (HOST), 2014
2014
-
[15]
Tapeout of a RISC-V Crypto Chip with Hardware Trojans,
A. Hepp and G. Sigl, “Tapeout of a RISC-V Crypto Chip with Hardware Trojans,” inProc. 18th ACM Int. Conf. Comput. Frontiers. 2021
2021
-
[16]
Stealthy dopant-level hardware Trojans: Extended version,
G. Becker, F. Regazzoni, C. Paar, and W. Burleson, “Stealthy dopant-level hardware Trojans: Extended version,”J. Cryptogr. Eng., 2014
2014
-
[17]
The State-of-the-art in Semiconductor Reverse Engineering,
R. Torrance and D. James, “The State-of-the-art in Semiconductor Reverse Engineering,” inProc. 48th Des. Automat. Conf., 2011
2011
-
[18]
Large-Area Automated Lay- out Extraction Methodology for Full-IC Reverse Engineering,
R. Quijada, R. Dura, and J. Pallares, “Large-Area Automated Lay- out Extraction Methodology for Full-IC Reverse Engineering,” in J. Hardware Syst. Secur., 2018
2018
-
[19]
Verification of physical designs using an integrated reverse engineering flow for nanoscale technologies,
B. Lippmann et al., “Verification of physical designs using an integrated reverse engineering flow for nanoscale technologies,” Integration, 2020
2020
-
[20]
PLaNe: Reverse Engineering of Planar Layouts to Gate-Level Netlists,
M. Putz, M. Ludwig, B. Lippmann, and H. Graeb, “PLaNe: Reverse Engineering of Planar Layouts to Gate-Level Netlists,” in 2023 IEEE Physical Assurance Inspection Electron.s (P AINE), 2023
2023
-
[21]
Reverse Engineering Digital Circuits Using Structural and Functional Analyses,
P . Subramanyan et al., “Reverse Engineering Digital Circuits Using Structural and Functional Analyses,”IEEE Trans. Emerg. Topics Comput., 2014
2014
-
[22]
Reverse En- gineering of Cryptographic Cores by Structural Interpretation Through Graph Analysis,
M. Werner, B. Lippmann, J. Baehr, and H. Gr ¨ab, “Reverse En- gineering of Cryptographic Cores by Structural Interpretation Through Graph Analysis,” in3rd IEEE Int. Verification Secur. Workshop, 2018
2018
-
[23]
Functional block identification in circuit design recovery,
J. Couch, E. Reilly, M. Schuyler, and B. Barrett, “Functional block identification in circuit design recovery,” in2016 IEEE Int. Symp. Hardware Oriented Secur. Trust (HOST), 2016
2016
-
[24]
DANA Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering,
N. Albartus, M. Hoffmann, S. Temme, L. Azriel, and C. Paar, “DANA Universal Dataflow Analysis for Gate-Level Netlist Reverse Engineering,”IACR Trans. Cryptogr. Hardware Embedded Syst., 2020
2020
-
[25]
Extracting functional modules from flattened gate-level netlist,
Y. Shi, B. Gwee, Ye Ren, Thet Khaing Phone, and Chan Wai Ting, “Extracting functional modules from flattened gate-level netlist,” in2012 Int. Symp. Commun. Information Technologies (ISCIT), 2012
2012
-
[26]
Netlist reverse engineering for high-level functionality reconstruction,
T. Meade, S. Zhang, and Y. Jin, “Netlist reverse engineering for high-level functionality reconstruction,” in21st Asia South Pacific Des. Automat. Conf., 2016
2016
-
[27]
Improving on State Register Identification in Sequential Hardware Reverse Engineering,
M. Brunner, J. Baehr, and G. Sigl, “Improving on State Register Identification in Sequential Hardware Reverse Engineering,” in 2019 IEEE Int. Symp. Hardware Oriented Secur. Trust (HOST), 2019
2019
-
[28]
Defeating Silicon Reverse Engineering Using a Layout-Level Standard Cell Camouflage,
H. Gomez, C. Duran, and E. Roa, “Defeating Silicon Reverse Engineering Using a Layout-Level Standard Cell Camouflage,” IEEE Trans. Consum. Electron., 2019
2019
-
[29]
Logic Locking: A Survey of Pro- posed Methods and Evaluation Metrics,
S. Dupuis and M.-L. Flottes, “Logic Locking: A Survey of Pro- posed Methods and Evaluation Metrics,”J. Electron. Testing, 2019
2019
-
[30]
Puschner, T
E. Puschner, T. Moos, S. Becker, C. Kison, A. Moradi, and C. Paar, Red Team vs. Blue Team: A Real-World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations, Cryptology ePrint Archive, Paper 2022/1720, 2022. https : / / eprint.iacr.org/2022/1720
2022
-
[31]
Counterfeit Detection by Semiconductor Process Technology Inspection,
M. Ludwig, A.-C. Bette, B. Lippmann, and G. Sigl, “Counterfeit Detection by Semiconductor Process Technology Inspection,” in 2023 IEEE European Test Symp. (ETS), 2023
2023
-
[32]
Building trusted ICs using split fabrication,
K. Vaidyanathan, B. P . Das, E. Sumbul, R. Liu, and L. Pileggi, “Building trusted ICs using split fabrication,” in2014 IEEE Int. Symp. Hardware-Oriented Secur. Trust (HOST), 2014
2014
-
[33]
Date and Time on the Internet: Timestamps,
G. Klyne and C. Newman, “Date and Time on the Internet: Timestamps,” Tech. Rep., 2002
2002
-
[34]
Announcing CVSS v4.0
FIRST.Org, Inc. “Announcing CVSS v4.0. ”https://www.first. org/cvss/v4-0/cvss-v40-presentation.pdf
-
[35]
Conceptboard
Conceptboard. “Conceptboard. ”https://conceptboard.com/
-
[36]
Com- mon Reverse Engineering Scoring System (CRESS) resource page
A. Hepp, M. Ludwig, M. Brunner, J. Baehr, and G. Sigl. “Com- mon Reverse Engineering Scoring System (CRESS) resource page. ”https://purl.org/cress/thetool
-
[37]
Fault Attacks Resistant AES Hardware Implementation,
H. Mestiri, N. Benhadjyoussef, and M. Machhout, “Fault Attacks Resistant AES Hardware Implementation,” in2019 IEEE Int. Conf. Des. & Test Integr. Micro & Nano-Syst. (DTS), 2019
2019
-
[38]
Reversing Stealthy Dopant-Level Circuits,
T. Sugawara et al., “Reversing Stealthy Dopant-Level Circuits,” inCryptogr. Hardware Embedded Syst.2014
2014
-
[39]
Common Vulnerability Scoring System Version 3.1 Calculator – Result
FIRST.Org, Inc. “Common Vulnerability Scoring System Version 3.1 Calculator – Result. ”https://www.first.org/cvss/calculator/ 3.1#CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
-
[41]
Common Vulnerability Scoring System Version 3.1 Calculator – Result
FIRST.Org, Inc. “Common Vulnerability Scoring System Version 3.1 Calculator – Result. ”https://www.first.org/cvss/calculator/ 3.1#CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:L
-
[42]
Common Vulnerability Scoring System Version 3.1 Calculator – Result
FIRST.Org, Inc. “Common Vulnerability Scoring System Version 3.1 Calculator – Result. ”https://www.first.org/cvss/calculator/ 3.1#CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
-
[43]
Common Vulnerability Scoring System Version 3.1 Calculator – Result
FIRST.Org, Inc. “Common Vulnerability Scoring System Version 3.1 Calculator – Result. ”https://www.first.org/cvss/calculator/ 3.1#CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
-
[44]
Common Vulnerability Scoring System Version 3.1 Calculator – Result
FIRST.Org, Inc. “Common Vulnerability Scoring System Version 3.1 Calculator – Result. ”https://www.first.org/cvss/calculator/ 3.1#CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. 13
-
[45]
The First Collision for Full SHA-1,
M. Stevens, E. Bursztein, P . Karpman, A. Albertini, and Y. Markov, “The First Collision for Full SHA-1,” inAdvances Cryp- tology – CRYPTO 2017, J. Katz and H. Shacham, Eds., 2017
2017
-
[46]
Reverse En- gineering Flash EEPROM Memories Using Scanning Electron Microscopy,
F. Courbon, S. Skorobogatov, and C. Woods, “Reverse En- gineering Flash EEPROM Memories Using Scanning Electron Microscopy,” inSmart Card Research Advanced Applications, K. Lemke-Rust and M. Tunstall, Eds., 2017
2017
-
[47]
A Survey on Chip to System Reverse Engineering,
S. E. Quadir et al., “A Survey on Chip to System Reverse Engineering,”J. Emerg. Technol. Comput. Syst., 2016
2016
-
[48]
CWE VIEW: Hardware Design
The MITRE Corporation. “CWE VIEW: Hardware Design. ”https: //cwe.mitre.org/data/definitions/1194.html
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.