Information Flow Analysis for VHDL by Tolstrup, Terkel Kristian et al.
Information Flow Analysis for VHDL
Terkel K. Tolstrup, Flemming Nielson, and Hanne Riis Nielson
Informatics and Mathematical Modelling, Technical University of Denmark
{tkt, nielson, hrn}@imm.dtu.dk
Abstract. We describe a fragment of the hardware description language
VHDL that is suitable for implementing the Advanced Encryption Stan-
dard algorithm. We then define an Information Flow analysis as required
by the international standard Common Criteria. The goal of the analysis
is to identify the entire information flow through the VHDL program.
The result of the analysis is presented as a non-transitive directed graph
that connects those nodes (representing either variables or signals) where
an information flow might occur. We compare our approach to that of
Kemmerer and conclude that our approach yields more precise results.
1 Introduction
Modern technical equipment often depends on the reliable performance of em-
bedded systems. The present work is part of an ongoing eﬀort to validate the
security properties of such systems. Here it is a key requirement that the pro-
grams maintain the conﬁdentiality of information it handles. To document this,
an evaluation against the criteria of the international standard Common Criteria
[13] is a main objective.
In this paper we focus on the Covert Channel analysis described in Chapter
14 of [13]. The main technical ingredient of the analysis is to provide a descrip-
tion of the direct and indirect ﬂows of information that might occur. This is
then followed by a further step where the designer argues that all information
ﬂows are permissible — or where an independent code evaluator asks for further
clariﬁcation. We present the result of the analysis as a directed graph: the nodes
represent the resources, and there is a direct edge from one node to another
whenever there might be a direct or indirect information ﬂow from one to the
other. In general, the graph will be non-transitive [4,14].
The programming language used is the hardware description language VHDL
[7]. Systems consist of a number of processes running in parallel where each pro-
cess has its own local data space and communication between processes is per-
formed at synchronization points using signals. In Section 2 we give an overview
of the fragment VHDL1. We present a formal Semantics of VHDL1 in Section 3.
The problem of analysing VHDL programs has already been addressed in
previously published approaches. The paper by Hymans [6] uses abstract inter-
pretation to give an over-approximation of the set of reachable conﬁgurations
for a fragment of VHDL not unlike ours. This suﬃces for checking safety prop-
erties: if the safety property is true on all states in the over-approximation it
V. Malyshkin (Ed.): PaCT 2005, LNCS 3606, pp. 79–98, 2005.
c© Springer-Verlag Berlin Heidelberg 2005
80 T.K. Tolstrup, F. Nielson, and H.R. Nielson
will be true for all executions of the VHDL program. Hence when synthesizing
the VHDL speciﬁcation one does not need to generate circuits for enforcing the
reference monitor (called an observer in [6]).
The paper by Hsieh and Levitan [5] considers a similar fragment of VHDL and
is concerned with optimising the synthesis process by avoiding the generation
of circuits needed to store values of signals. One component of the required
analyses is a Reaching Deﬁnitions analysis with a similar scope to ours although
speciﬁed in a rather diﬀerent manner. Comparing the precision of their approach
(to the extent actually explained in the paper) with ours, we believe that our
analysis is more precise in that it allows also to kill signals being set in other
processes than where they are used. Furthermore the presented analysis is only
correct for processes with one synchronization point, because deﬁnition sets are
only inﬂuenced by deﬁnitions in other processes at the end (or beginning) of
a process. Therefore deﬁnitions is lost if they are present at a synchronization
point within the process but overwritten before the end of the process.
Our approach is based around adapting a Reaching Deﬁnitions analysis
(along the lines of [9]) to the setting of VHDL1. A novel feature of our analysis is
that it has two components for tracking the ﬂow of values of active signals: one is
the traditional over-approximation whereas the other is an under-approximation.
Finally, a Reaching Deﬁnitions analysis tracks the ﬂow of variables and present
values of signals. The details are developed in Section 4.
The ﬁrst step of the Information Flow analysis determines the local depen-
dencies for each statement; this takes the form of an inference system that is
local to each process. The second step constructs the directed graph by per-
forming the necessary “transitive closure”; this takes the form of a constraint
system and makes use of the Reaching Deﬁnitions analysis. The results obtained
are therefore more precise than those obtained by more standard methods like
that of Kemmerer [8] and only ignore issues like timing and power-consumption.
The analysis is presented in Section 5 and has been implemented in the Succinct
Solver Version 1.0 [10,11] and has been used to validate several programs for
implementing the NSA Advanced Encryption Standard (AES) [17].
2 Background
VHDL1 is a fragment of VHDL that concentrates on the behavioral speciﬁcation
of models. A program in VHDL1 consists of entities and architectures, uniquely
identiﬁed by indexes ie, ia ∈ Id. An entity describes how an architecture is
connected to the environment. The architectures comprise the behavioral or
structural speciﬁcation of the entities.
An entity speciﬁes a set of signals referred to as ports (prt ∈ Prt), each port
is represented by a signal (s ∈ Sig) used for reference in the speciﬁcation of the
architecture; furthermore a notion of the intended usage of the signal is speciﬁed
by the keywords in and out deﬁning if the signals value can be altered or read
by the environment, and the type of the signal’s value (either logical values or
vectors of logical values).
Information Flow Analysis for VHDL 81
pgm ∈ Pgm programs
pgm ::= ent | arch | pgm1 pgm2
ent ∈ Ent entities
ent ::= entity ie is port(prt); end ie;
prt ∈ Prt ports
prt ::= s : in type | s : out type | prt1; prt2
type ∈ Type types
type ::= std logic | std logic vector(z1 downto z2)
| std logic vector(z1 to z2)
arch ∈ Arch architectures
arch ::= architecture ia of ie is begin css; end ia;
css ∈ Css concurrent statements
css ::= s <= e | s(z1 downto z2) <= e | s(z1 to z2) <= e
| ip : process decl; begin ss; end process ip
| ib : block decl; begin css; end block ib | css1|css2
decl ∈ Decl declarations
decl ::= variable x : type := e | signal s : type := e | decl1; decl2
ss ∈ Stmt statements
ss ::= null | x := e | x(z1 downto z2) := e | x(z1 to z2) := e | s <= e
| s(z1 downto z2) <= e | s(z1 to z2) <= e | wait on S until e
| ss1; ss2 | if e then ss1 else ss2 | while e do ss
e ∈ Exp expressions
e ::= m | a | x | x(z1 downto z2) | x(z1 to z2) | s | s(z1 downto z2)
| s(z1 to z2) | opum e | e1 opbm e2 | e1 opa e2
Fig. 1. The subset VHDL1 of VHDL
An architecture model is speciﬁed by a family of concurrent statements (css ∈
Css) running in parallel; here the index ip ∈ Id is a unique identiﬁer in a ﬁnite
set of process identiﬁers (Ip ⊆fin Id). Each process has a statement (ss ∈ Stmt)
as body and may use logical values (m ∈ LV al), vectors of logical values (we
write a ∈ V V al, where a has the form ”m1 . . .mk” where mi ∈ LV al), local
variables (x ∈ V ar) as well as signals (s ∈ Sig, S ⊆fin Sig). When accessing
variables and signals we always refer to their present value and when we assign to
variables it is always the present value that is modiﬁed. However, when assigning
to a signal its present value is not modified, rather its so-called active value is
modiﬁed; this representation of signal’s values, as illustrated in Figure 2, is used
to take care of the physical aspect of propagating an electrical current through a
system, the time consumed by the propagation is usually called a delta-cycle. The
wait statements are synchronization points, where the active values of signals are
used to determine the new present values that will be common to all processes.
Concurrent statements could also be block statements that allow local signal
declarations for the use of internal communication between processes declared
82 T.K. Tolstrup, F. Nielson, and H.R. Nielson
10
Past Now Delta Future
Present
Signals Signals
Active
Fig. 2. The representation of abstract time in the signal store
within the block. The index ib ∈ Id is a unique identiﬁer in a ﬁnite set of block
identiﬁers (Ib ⊆fin Id). The scope of the local signals declared in the block
deﬁnition is within the concurrent statements speciﬁed inside the block.
Signal assignment can also be performed as a concurrent statement, this
corresponds to a process that is sensitive to the free signals in the right-hand
side expression and that has the same assignment inside [2].
Since VHDL describe digital hardware we are concerned with the details of
electrical signals, and it is therefore necessary to include types to represent dig-
itally encoded values. We consider logical values (LV al) of the standard logic
type std logic, that includes traditional boolean values as well as values for elec-
trical properties. VHDL1 also allow the usage of vectors of logical values, values
of this type is written using double quotes (e.g. ”1” = ’1’). There are a number
of arithmetic operators available on vectors of logical values.
The formal syntax is given in Figure 1. In VHDL it is allowed to omit com-
ponents of wait statements. Writing FS(e) for the free signals in e, the eﬀect
of ’on FS(e)’ may be obtained by omitting the ’on S’ component, and the ef-
fect of ’until true’ may be obtained by omitting the ’until e’ component. (In
other words, the default values of S and e are FS(e) and true, respectively.)
Semantically, S is the set of signals waited on, i.e. at least one of the signals of
S must have a new active value, and e is a condition on the new present values
that must be fulﬁlled, in order to leave the wait statement.
In VHDL1 the notion of signals is simpliﬁed with respect to full VHDL and
thus does not allow references further into time than the following delta-cycle.
This not only simpliﬁes the analysis but also simpliﬁes deﬁning the semantics:
Of the many accounts to be found in the literature [3,16] we have found the
one of [16] to best correspond to our practical experiments, based on test pro-
grams simulated with the ModelSim SE 5.7d VHDL simulator. Even with this
restriction VHDL1 is suﬃciently expressive to deal with the programs of the
AES implementation.
3 Structural Operational Semantics
The main idea when deﬁning the semantics for VHDL1 programs is to execute
each process by itself until a synchronization point is reached (i.e. a wait state-
ment). When all processes of the program have reached a synchronization point
synchronization is handled, while taking care of the resolution of signals in case
a signal has been assigned diﬀerent values by the processes. This synchroniza-
tion will leave the processes in a state where they are ready either to continue
execution by themselves or wait for the next synchronization.
Information Flow Analysis for VHDL 83
Basic semantic domains. The syntax of programs in VHDL1 is limited to state-
ments operating on a state of logical values. These logical values are deﬁned as
v ∈ LV alue = {’U’, ’X’, ’0’, ’1’, ’Z’, ’W’, ’L’, ’H’, ’-’} where the values indicate the
properties
’U’ Uninitialized ’X’ Forcing Unknown ’0’ Forcing zero
’1’ Forcing one ’Z’ High Impedance ’W’ Weak Unknown
’L’ Weak zero ’H’ Weak one ’-’ Don’t care
these values are said to capture the behavior of an electrical system better than
traditional boolean values [2].
Furthermore we have vectors of logical values a ∈ AV alue = LV alue∗. We
have a function mapping logicals in the syntax to logical values in the semantics
L : LV al → LV alue, and vectors of logical values to their semantical equivalence
A : V V al → AV alue. The semantical values are collected in the set V alue =
LV alue unionmultiAV alue.
Constructed semantic domains. VHDL1 includes local variables and signals. The
values of the local variables are stored in a local state. The local state is a
mapping from variable names to logical values.
σ ∈ State = (V ar → V alue)
The idea is that we have a local state for each process, keeping track of assign-
ments to local variables encountered in the execution of the process so far.
For communication between the processes we have the signals, the values of
signals are stored in local states. The processes can communicate by synchroniz-
ing the signals of their local signal state with other processes.
ϕ ∈ Signals = (Sig → ({0, 1} ↪→ V alue))
The value assigned to a signal is available after the following synchronization,
therefore we keep the present value of a signal s in ϕ s 0. In ϕ s 1 we store
the assigned value, meaning that it is available after a delta-cycle. Each signal
state has a time line for each signal. Values in the past are not used and therefore
forgotten by the semantics; in VHDL1 it is not possible to assign values to signals
further into the future than one delta-cycle.
All signals have a present value, so ϕ s 0 is deﬁned for all s. Not all signals
need to be active meaning they have a new value waiting in the following delta-
cycle, thus ϕ s 1 need not be deﬁned; hence we use {0, 1} ↪→ V alue in the
deﬁnition of the signal state to indicate that it is a partial function.
The semantics handles expressions following the ideas of [12]. For expressions
E : Expr → (State× Signals ↪→ V alue)
evaluates the expression. The function is deﬁned in Table 1. Note that for signals
we use the current value of the signal, i.e. ϕ s 0.
84 T.K. Tolstrup, F. Nielson, and H.R. Nielson
Table 1. Semantics of Expressions
E [[m]]〈σ, ϕ〉 = L[[m]]
E [[a]]〈σ, ϕ〉 = A[[a]]
E [[x]]〈σ, ϕ〉 = σ x
E [[x(z1 downto z2)]]〈σ, ϕ〉 = split(σ x, z1, z2)
E [[s]]〈σ, ϕ〉 = ϕ s 0
E [[s(z1 downto z2)]]〈σ, ϕ〉 = split(ϕ s 0, z1, z2)
E [[opum e]]〈σ, ϕ〉 = opum v where E [[e]]ϕ = v
and opum v defined
E [[e1 opbm e2]]〈σ, ϕ〉 = v1 opbm v2 where E [[e1]]ϕ = v1
and E [[e2]]ϕ = v2
and v1 opbm v2 defined
E [[e1 opa e2]]〈σ, ϕ〉 = v1 opa v2 where E [[e1]]ϕ = v1
and E [[e2]]ϕ = v2
and v1 opa v2 defined
In the speciﬁcation of the Semantics all vector values and deﬁnitions are
normalized to the direction of ranging from a smaller index to a larger index.
This simpliﬁcation allows us to consider a signiﬁcantly smaller number of rules.
We deﬁne the function split which withdraws the elements of a vector in the
range speciﬁed by the last two parameters (split : a× z × z → a).
3.1 Statements
The semantics of statements and concurrent statements are speciﬁed by transi-
tion systems, more precisely by structural operational semantics. For statements
we shall use conﬁgurations of the form:
〈ss′, σ, ϕ〉 ∈ Stmt′ × State× Signals
Here Stmt′ refers to the statements from the syntactical category Stmt with
an additional statement (final) indicating that a ﬁnal conﬁguration has been
reached. Therefore the transition relation for statements has the form:
〈ss, σ, ϕ〉 ⇒ 〈ss′, σ′, ϕ′〉
which speciﬁes one step of computation. The transition relation is speciﬁed in
Table 2 and brieﬂy commented upon below.
An assignment to a signal is deﬁned as an update to the value at the delta-
time, i.e. ϕ s 1. We use the notation ϕ[i][s 	→ v] to mean ϕ[s 	→ ϕ(s)[i 	→ v]]. For
updating the variable and signal store with vector values we use the notation
σ[x(zi . . . zj)  v] to mean σ[x 	→ σ(x)[zi 	→ v1] . . . [zj 	→ vj−i]], similarly for
signals.
The wait statement is handled in Section 3.2, along with the handling of the
concurrent processes. This is due to the fact that the wait statement is in fact a
synchronization point of the processes.
Information Flow Analysis for VHDL 85
Table 2. Statements
[Local Variable Assignment] :
〈x := e, σ, ϕ〉 ⇒ 〈final, σ[x → v], ϕ〉 where E [[e]]〈σ, ϕ〉 = v
〈x(z1 downto z2) := e, σ, ϕ〉 ⇒ 〈final, σ[x(z1 . . . z2)  v], ϕ〉
where E [[e]]〈σ, ϕ〉 = v
[Signal Assignment] :
〈s <= e, σ, ϕ〉 ⇒ 〈final, σ, ϕ[1][s → v]〉 where E [[e]]〈σ, ϕ〉 = v
〈s(z1 downto z2) <= e, σ, ϕ〉 ⇒ 〈final, σ, ϕ[1][s(z1 . . . z2)  v]〉
where E [[e]]〈σ, ϕ〉 = v
[Skip] :
〈null, σ, ϕ〉 ⇒ 〈final, σ, ϕ〉
[Composition] :
〈ss1, σ, ϕ〉 ⇒ 〈ss′1, σ′, ϕ′〉
〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss′1; ss2, σ′, ϕ′〉
where ss′1 ∈ Stmt
〈ss1, σ, ϕ〉 ⇒ 〈final, σ′, ϕ′〉
〈ss1; ss2, σ, ϕ〉 ⇒ 〈ss2, σ′, ϕ′〉
[Conditional] :
〈if e then ss1 else ss2, ϕ〉 ⇒ 〈ss1, σ, ϕ〉 if E [[e]]〈σ, ϕ〉 = ’1’
〈if e then ss1 else ss2, ϕ〉 ⇒ 〈ss2, σ, ϕ〉 if E [[e]]〈σ, ϕ〉 = ’0’
[Loop] :
〈while e do ss, σ, ϕ〉 ⇒ 〈if e then (ss;while e do ss) else null, σ, ϕ〉
3.2 Concurrent Statements
The semantics for concurrent statements handles the concurrent processes and
their synchronizations of a VHDL1 program. We rewrite process declarations
into statements so the process declaration i: process decli; begin ssi; end
process i is rewritten to null; while ’1’ do ssi as the intention is that
the statement ss is repeated indeﬁnitely.
The transition system for concurrent statements has conﬁgurations of the
form:
‖i∈I 〈ss′i, σi, ϕi〉
for I ⊆fin Id and ss′i ∈ Stmt′, σi ∈ State, ϕi ∈ Signals for all i ∈ Id. Thus
each process has a local variable and signal state.
The initial conﬁguration of a VHDL1 program is:
‖i∈I 〈null; while true do ssi, σ0i , ϕ0i 〉
The ith process uses an initial state for signals deﬁned by the Semantics for
declarations of signals. If no initial value is speciﬁed the following are used:
σ0i x = ’U’ and ϕ
0
i s 0 = ’U’ for all non-vector signals used in the process
ssi. All vectors has a string of ’U’’s corresponding to the length of the vector
(i.e. ”U...U”). ϕ0i s 1 is undef for all signals used in the process ssi.
86 T.K. Tolstrup, F. Nielson, and H.R. Nielson
Table 3. Concurrent statements
[Handle non-waiting processes (H)] :
〈ssj , σj , ϕj〉 ⇒ 〈ss′j , σ′j , ϕ′j〉
‖i∈I∪{j} 〈ssi, σi, ϕi〉 =⇒‖i∈I∪{j} 〈ss′i, σ′i, ϕ′i〉
where ss′i = ssi ∧ σ′i = σi ∧ ϕ′i = ϕi for all i 	= j.
[Active signals (A)] :
‖i∈I 〈wait on Si until ei; ssi, σi, ϕi〉 =⇒‖i∈I 〈ss′i, σi, ϕ′i〉
if ∃i ∈ I. active(ϕi)
where
ϕ′i s 0 =
{
fs{{vj |ϕj s 1 = vj}} if ∃j ∈ I. ϕj s 1 is defined
ϕi s 0 otherwise
ϕ′i s 1 = undef
ss′i =
⎧⎨
⎩
ssi if ((∃s ∈ Si. ϕi s 0 	= ϕ′i s 0)∧
E [[ei]]〈σ′i, ϕ′i〉 =′ 1′)
wait on Si until bi; ssi otherwise
The transition relation for concurrent statements has the form:
‖i∈I 〈ss′i, σ, ϕi〉 =⇒‖i∈I 〈ssi′′, σ′i, ϕ′i〉
which speciﬁes one step of computation.
The transition relation is speciﬁed in Table 3 and explained below.
As mentioned the idea when deﬁning the semantics of programs in VHDL1 is
that we execute processes locally until they have all arrived at a wait statement,
this is reﬂected in the rule [Handle non-waiting processes (H)].
When all processes are ready to execute a wait statement we perform a
synchronization covered by the rule [Active signals (A)]. If one signal waited
for is active, those processes waiting for that signal may proceed; this is expressed
using the predicate active(ϕ) deﬁned by
active(ϕ) ≡ ∃s∃v : ϕ s 1 = v
The delta-time values of signals will be synchronized for all processes and
in order to do this we use a resolution function fs : multiset(V alue) → V alue.
Thus fs combines the multi-set of values assigned to a signal into one value that
then will be the new (unique) value of the signal.
Notice that even though a signal that a wait statement is waiting for becomes
active, it is not enough to guarantee that it proceeds with its execution. This is
because we have the side condition ’until e’. This is reﬂected in the deﬁnition
of the statement ss′i of the next conﬁguration. Notice that the state of local
variables is unchanged.
3.3 Architectures
The Semantics for architectures basically initializes the local variable and signal
stores for each process and rewrites the other constructions to processes. Con-
Information Flow Analysis for VHDL 87
current assignments are rewritten to processes and blocks are handled by adding
the signals the block declares to the scope of the processes declared inside the
block. Vector variables or signals declared using the to speciﬁer, where the value
is reversed to match the expected ordering in the Semantics of expressions and
statements.
4 Reaching Definitions Analysis
The main purpose of the Reaching Deﬁnitions analysis is to gather information
about which assignments may have been made and not overwritten, when the
execution reaches each point in the program.
The semantics divides signal states into two parts, namely the present value
of a signal and the active value of a signal. Following this the analysis is divided
into two parts as well, one for the active value of a signal and one for local
variables and the present value of a signal. The two parts are connected since
the active values of a signal inﬂuence the present value of the signal after the
following synchronization. Therefore we will ﬁrst deﬁne the analysis of active
signals in Section 4.1, and then, that of the local variables and present values of
signals in Section 4.2.
The analysis for active signals is concerned only with a single process, and
thus has no information about the other processes. It collects information about
which signals might be active in order to gather all the inﬂuences on the present
value; this information is gathered for the process i by an over-approximation
analysis of the active signals RD∪ iϕ . It also collects information about which
signals must be active so that the overwritten signals can be removed from
the analysis result; this information is gathered for the process i by an under-
approximation analysis of the active signals RD∩ iϕ .
The analysis of the local variables and present values of signals will be an
over-approximation. It is concerned with the entire program and thus collects
information for all processes at the same time.
Common analysis domains. The analyses use a labeling scheme, a block deﬁni-
tion and a ﬂow relation, similar to the ones described in [9], the only diﬀerence
being the wait statements which are given labels and treated as blocks. For each
process i in a program ‖i∈I i : process decli; begin ssi; end process i the
set of blocks is denoted blocks(ssi) and the ﬂow relation is denoted flow(ssi).
Similarly we use init(ssi) to denote the label of the initial block when executing
the process i.
We deﬁne the cross ﬂow relation cf for a program as the set of all possible
synchronizations, i.e. cf is the Cartesian product of the set of labels of wait
statements in each process.
The labeling scheme is deﬁned so that each block has a label which is initially
unique for the program. During execution the labels might not be unique within
the processes, but the same label is not found in two diﬀerent processes. Hence,
we shall sometimes implicitly use that to each label (l ∈ Lab) there is a unique
process identiﬁer (i ∈ Id) in which it occurs.
88 T.K. Tolstrup, F. Nielson, and H.R. Nielson
The analyses are presented in a simpliﬁed way, following the tradition of
the literature (see [9]), where all programs considered are assumed to have so-
called isolated entries (meaning that the entry nodes cannot be reentered once
left). This is reasonable as each process in VHDL1 can be considered as a skip
statement followed by a loop with an always true condition around the statement
deﬁning the process. We shall write FV (ss) for the set of free variables of the
statement ss and similarly FS(ss) for the set of free signals.
4.1 Analysis of Active Signals
The Reaching Deﬁnitions analysis takes the form of a Monotone Framework as
given in [9]. It is a forward Data Flow analysis, with both an over- (RD∪ iϕ )
and an under- (RD∩ iϕ ) approximation part; it operates over a complete lattice
P(Sig × Lab) where Sig is the set of signals and Lab is the set of labels
present in the program.
In both cases we shall introduce functions recording the required information
at the entry and at the exit of the program points. So for the over-approximation
we have
RD∪ iϕentry, RD
∪ i
ϕexit : Lab → P(Sig × Lab)
and similarly for the under-approximation
RD∩ iϕentry, RD
∩ i
ϕexit : Lab → P(Sig × Lab)
To deﬁne the analysis we deﬁne in Table 4 a function
killiRDϕ : Blocks → P(Sig × Lab)
which produces a set of pairs of signals and labels corresponding to the assign-
ments that are killed by the block. A signal assignment can be killed for two
reasons: Another block in the same process assigns a new value to the already
active signal, or a wait statement in the same process will synchronize all active
signals, and therefore kill all signal assignments.
In Table 4 we also deﬁne the function
geniRDϕ : Blocks → P(Sig × Lab)
that produces a set of pairs of signals and labels corresponding to the assignments
generated by the block.
The over-approximation part of the analysis is deﬁned in terms of the in-
formation that may be available at the entry of the statement. Therefore the
over-approximation part considers a union of the information available at the
exit of all statements that have a ﬂow directly to the statement considered.
The under-approximation part of the analysis is deﬁned in terms of the in-
formation that must be available at the entry of the statement. Therefore the
under-approximation part considers an intersection of the information available
at the exit of all statements that have a ﬂow directly to the statement considered.
The full details are presented in Table 4.
Information Flow Analysis for VHDL 89
Table 4. Reaching Definitions Analysis for active signals; labels l are implicitly as-
sumed to occur in process i : process decli; begin ssi; end process i
kill and gen functions for the process i : process decli; begin ssi; end process i
killiRDϕ([s <= e]
l) = {(s, l′)|Bl′ assigns to s in process i}
killiRDϕ([wait on S until e]
l) = {(s, l′)|Bl′ assigns to s in process i}
killiRDϕ([. . . ]
l) = ∅ otherwise
geniRDϕ([s <= e]
l) = {(s, l)}
geniRDϕ([s(z1 downto z2) <= e]
l) = {(s, l)}
geniRDϕ([s(z1 to z2) <= e]
l) = {(s, l)}
geniRDϕ([. . . ]
l) = ∅ otherwise
data flow equations: RDϕ for the process i : process decli; begin ssi; end process i
RD∪ iϕentry(l) =
{ ∅ if l = init(ssi)⋃{RD∪ iϕexit(l′)|(l′, l) ∈ flow(ssi)} otherwise
RD∪ iϕexit(l) = (RD
∪ i
ϕentry(l)\killiRDϕ(Bl)) ∪ geniRDϕ(Bl)
RD∩ iϕentry(l) =
{ ∅ if l = init(ssi)⋂˙{RD∩ iϕexit(l′)|(l′, l) ∈ flow(ssi)} otherwise
RD∩ iϕexit(l) = (RD
∩ i
ϕentry(l)\killiRDϕ(Bl)) ∪ geniRDϕ(Bl)
For the under-approximation analysis we deﬁne a special intersection op-
erator;
⋂˙∅ = ∅, and ⋂˙X = ⋂X for X = ∅, to guarantee that RD∩ iϕentry ⊆
RD∪ iϕentry, will hold for the smallest solution to the equation systems.
4.2 Analysis of Local Variables and Present Values of Signals
The Reaching Deﬁnitions analysis for the local variables corresponds to the
Reaching Deﬁnitions analysis given in [9]. For the present value of signals it
will use the result of the Reaching Deﬁnitions analysis for active signals. The
idea is that if a signal has an active value when execution of the program arrives
at a synchronization point, then the active value of the signal will become the
present value of the signal after the synchronization.
The result of the Reaching Deﬁnitions analysis for active signals can be com-
puted before we perform the Reaching Deﬁnitions analysis for local variables
and signals. Hence the result can be considered a static set, and therefore the
Reaching Deﬁnitions analysis for local variables and signals remains an instance
of a Monotone Framework.
The Reaching Deﬁnitions analysis for present values of signals operates over
the complete lattice P(Sig × Lab) and is a forward data ﬂow analysis. It
yields an over-approximation of the assignments that might have inﬂuenced
the present value of the signal. Its goal is to deﬁne two functions holding the
information at the entry and exit of a given label in the program:
90 T.K. Tolstrup, F. Nielson, and H.R. Nielson
Table 5. Reaching Definitions Analysis for the local variables and present value of sig-
nals, for all labels l in the program ‖i∈I i : process decli; begin ssi; end process i
kill and gen functions
killcfRD([x := e]
l) = {(x, ?)}∪
{(x, l′)|Bl′ assigns to x in process i}
killcfRD([wait on S until e]
l) =
⋂˙
(l1,...,ln)∈cf,s.t. li=l⋃n
j=1 fst(RD
∩ i
ϕentry(lj))× wS(ssi)
killcfRD([. . . ]
l) = ∅ otherwise
gencfRD([x := e]
l) = {(x, l)}
gencfRD([x(z1 downto z2) := e]
l) = {(x, l)}
gencfRD([x(z1 to z2) := e]
l) = {(x, l)}
gencfRD([wait on S until e]
l) =
⋃
(l1,...,ln)∈cf,s.t. li=l⋃n
j=1 fst(RD
∪ i
ϕentry(lj))× {l}
gencfRD([. . . ]
l) = ∅ otherwise
data flow equations: RD
RDcfentry(l) =
{ {(x, ?) | x ∈ FV (ssi)} ∪ {(s, ?) | s ∈ FS(ssi)} if l = init(ssi)⋃{RDcfexit(l′)|(l′, l) ∈ flow(ssi)} otherwise
where B and i is uniquely given by Bl ∈ blocks(ssi)
RDcfexit(l) = RD
cf
entry(l)\killcfRD(Bl) ∪ gencfRD(Bl)
RDcfentry, RD
cf
exit : Lab → P((V ar ∪ Sig)× Lab)
The Reaching Deﬁnitions analysis for local variables and signals is given in Table
5 and makes use of two auxiliary functions. One is
killcfRD : Blocks → P((V ar ∪ Sig)× Lab)
that produces a set of pairs of variables or signals and labels corresponding to
assignments that are overwritten by the block. An assignment to a local variable
will overwrite all previous assignments on the execution path. A signal value can
only be overwritten by a wait statement where at least one of the synchronizing
processes has an active value for the signal. To guarantee that an active value for
a signal is available, the under-approximation analysis (RD∩ iϕ ) described above
in Section 4.1 is used.
Since the active signal has to be present in all possible processes the consid-
ered wait statement could synchronize with, an intersection over the set cf of
cross ﬂow information is needed.
The other auxiliary function is
gencfRD : Blocks → P((V ar ∪ Sig)× Lab)
Information Flow Analysis for VHDL 91
that produces a set of pairs of variables or signals, and labels corresponding
to the assignments generated by the block. Only assignments to local variables
generate deﬁnitions of a variable. Only wait statements are capable of changing
a signal’s value at present time. This means that in our analysis signals will get
their present value at wait statements in the processes. The result of the over-
approximation analysis (RD∪ iϕ ) contains all the signals that might be active and
thus deﬁnes the present value after the synchronization. Therefore we perform
a union over all the signals that might be active in any process, that might be
synchronized with.
Finally, all signals are considered to have an initial value in VHDL1 hence a
special label (?) is introduced to indicate that the initial value might be the one
deﬁning a signal at present time. The operator fst is deﬁned by fst(D) = {s |
(s, l) ∈ D} and extracts the ﬁrst components of pairs.
5 Information Flow Analysis
The Information Flow analysis is performed in two steps. First we identify the
ﬂow of information to a variable or signal locally at each assignment; this is
speciﬁed in Section 5.1. Then we perform a transitive closure of this information
guided by our Reaching Deﬁnitions analysis; this is described in Section 5.2
where we also compare the result of our method with that of Kemmerer [8].
The result of the Information Flow analysis is given in the form of a directed
graph. The graph has a node for each variable or signal used in the program,
and an edge from the node n1 to the node n2 if information might ﬂow from n1
to n2 in the program. This graph will in general be non-transitive. To illustrate
this point consider the following programs:
(a): [c := b]1; [b := a]2 (b) : [b := a]1; [c := b]2
In program (a) there is a ﬂow from b to c and a ﬂow from a to b and therefore
the resulting graph shown in Figure 3(a) has an edge from node b to node c and
an edge from node a to node b. There is no ﬂow from a to c and indeed there is
no edge from a to c. In program (b) on the other hand there is a ﬂow from a to
c and the resulting graph shown in Figure 3(b) indeed has an edge from a to c.
5.1 Local Dependencies
It is clear that an assignment of a variable to another variable will cause a ﬂow of
information. As an example, a := b causes a ﬂow of information from b to a. We
also need to consider implicit ﬂows due to conditional statements. As an example,
if c then a := b else null has an implicit ﬂow from c to a because an observer
could use the resulting value of a to gain information about the value of c.
In this fashion we must consider all the statements of VHDL1 and determine
how information might ﬂow. For a VHDL1 program we deﬁne a set of structural
rules that deﬁne the set of dependencies between local variables and signals. The
analysis is deﬁned using judgments of the form
B  ss : RM
92 T.K. Tolstrup, F. Nielson, and H.R. Nielson
(b) c
b
a
(a)
a
c
b
Fig. 3. Result of the Information Flow Analysis for programs (a) and (b)
where B ⊆ (Var∪Sig), ss ∈ Stmt and RM ⊆ ((Var∪Sig)×Lab×{M0,M1, R0,
R1}). Here ss is the statement analyzed under the assumption that it is only
reachable when values of variables and signals in B have certain values. The
result is the set RM containing entries (n, l,Mj) if the variable or signal n
might be modiﬁed at label l in ss; we use M0 for variables and present values
of signals and M1 for active values of signals. Similarly, RM contains entries
(n, l, Rj) if the variable or signal n might be read at label l in ss; we use R0 for
variables and present values of signals and R1 for the synchronization of active
values of signals.
The local dependency analysis of the ﬂow between variables and signals is
speciﬁed in Table 6 and is explained below. Assignments to variables result in
local dependencies, there are no other statements that causes information to ﬂow
into variables.
For the active signals in a program it holds that information can only ﬂow
to the signal through signal assignment. Hence only the signal assignment con-
tributes dependencies to the resulting set. Notice that the information ﬂowing to
active signals (M1) might come from both local variables and the present value
of signals, but never from the active value of signals.
The variables and signals used in the evaluation of conditions within if and
while statements are collected in the block-set B as they might implicitly ﬂow
into assigned variables or signals in the branches. This is taken care of in rules
[Conditional] and [Loop]. Notice that these rules do not handle termination
or timing channels that might occur.
The synchronization statements (i.e. wait) cause information about the ac-
tive signals to ﬂow to the present value of the same signals. Hence we will update
(writing R1) all signals present in the process considered.
5.2 Global Dependencies
Using the local dependencies deﬁned above we can construct a Resource Matrix
specifying for each point in the program which resources (i.e. a variable or signal)
was modiﬁed and which resources were read meanwhile [8]. First we apply the
local dependency analysis on each process in the considered program the result
is collected in RMlo =
⋃
i RMi where ∅  ssi : RMi. Then we need to compute
the global dependencies; one way to do this is to take the transitive closure of
Information Flow Analysis for VHDL 93
Table 6. Structural rules for constructing a Resource Matrix for the process i :
process decli begin ssi; end process i
[Local Variable Assignment] :
B  [x := e]l : {(x, l,M0)} ∪ {(n, l, R0) | n ∈ FV (e) ∪ FS(e) ∪B}
B  [x(z1 downto z2) := e]l :
{(x, l,M0)} ∪ {(n, l, R0) | n ∈ FV (e) ∪ FS(e) ∪ B}
B  [x(z1 to z2) := e]l :
{(x, l,M0)} ∪ {(n, l, R0) | n ∈ FV (e) ∪ FS(e) ∪ B}
[Signal Assignment] :
B  [s <= e]l : {(s, l,M1)} ∪ {(n, l, R0) | n ∈ FV (e) ∪ FS(e) ∪B}
B  [s(z1 downto z2) <= e]l :
{(s, l,M1)} ∪ {(n, l, R0) | n ∈ FV (e) ∪ FS(e) ∪ B}
B  [s(z1 to z2) <= e]l :
{(s, l,M1)} ∪ {(n, l, R0) | n ∈ FV (e) ∪ FS(e) ∪ B}
[Skip] :
B  [null]l : ∅
[Composition] :
B  ss1 : RM1 B  ss2 : RM2
B  ss1; ss2 : RM1 ∪RM2
[Conditional] :
B′  ss1 : RM1 B′  ss2 : RM2
B  if [e]l then ss1 else ss2 : RM1 ∪RM2
where B′ = B ∪ FV (e) ∪ FS(e)
[Loop] :
B′  ss : RM
B  while [e]l do ss : RM
where B′ = B ∪ FV (e) ∪ FS(e)
[Synchronization] :
B  [wait on S until e]l : {(s, l, R1) | s ∈ FS(ssi)}∪
{(n, l, R0) | n ∈ B ∪ S ∪ FV (e) ∪ FS(e)}
where ssi is the body of process i in which l resides
the local dependencies; this method is attributed to Kemmerer and is described
in [8] in case of traditional programming languages.
Let us evaluate the traditional method for constructing the Resource Matrix.
For this we consider the program (a) deﬁned above. The result of the transitive
closure will correspond to the graph presented in Figure 3(b), but not to the
true behavior of the program as depicted in the graph in Figure 3(a). This is
due to the ﬂow-insensitivity of the transitive closure method: The imprecision
is a result of the method failing to consider information about the ﬂow between
labels in the programs.
94 T.K. Tolstrup, F. Nielson, and H.R. Nielson
Table 7. Specialization of RD∪ iϕentry and RD
cf
entry
[RD for active signals]
(s, li, R1) ∈ RMlo (s, l) ∈ RD∪ iϕentry(li)
(s, l) ∈ RD†ϕ(li)
if ∃−→l ∈ cf : li occurs in −→l
[RD for present signals and local variables]
(n, l′, R0) ∈ RMlo (n, l) ∈ RDcfentry(l′)
(n, l) ∈ RD†(l′)
Table 8. Transitive closure of Resource Matrix, based on RD† and RD†ϕ
[Initialization]
(n, l, A) ∈ RMlo
(n, l, A) ∈ RMgl where A ∈ {R0, R1,M0,M1}
[Present values and local variables]
(n′, l′) ∈ RD†(l) (n, l′, R0) ∈ RMgl
(n, l, R0) ∈ RMgl
[Synchronized values]
(s′, li) ∈ RD†(l) (s′, l′′) ∈ RD†ϕ(lj) (s, l′′, R0) ∈ RMgl
(s, l, R0) ∈ RMgl
if ∃−→l ∈ cf : li and lj occur in −→l
Closure based on Reaching Definitions. This motivates modifying the closure
condition to make use of Reaching Deﬁnitions information. Indeed the Reaching
Deﬁnitions analysis speciﬁed in Section 4 supplies us with the needed information
to exclude some of the “spurious ﬂows” when performing the transitive closure.
Before doing so we specialize in Table 7 the result of the Reaching Deﬁnitions
analysis to allow a better precision in the closure of the Resource Matrix. The
specialization ensures that deﬁnitions are only considered to reach a labeled
construct if they are actually used in the labeled construct. This is done by
considering the result of the local dependency analysis; notice the usage of the
cross ﬂow relation in rule [RD for active signals] which determines if the
signal might in fact be synchronized.
We can now update the speciﬁcation of the transitive closure using the result
of the Reaching Deﬁnitions analysis, as is done in Table 8. We specify a rule for
initializing the Global Resource Matrix [Initialization].
The closure is done by rule [Present values and local variables] consid-
ering the result of the Reaching Deﬁnitions analyses for the program. For the
present value of a signal and for local variables we consider each entry in the Re-
source Matrix, if the present value of a variable or signal is read (R0) we can use
the information of the Reaching Deﬁnitions analysis to ﬁnd the label where the
variable or signal was deﬁned. Therefore we copy all the entries about variables
and signals read at this label in the Resource Matrix. This rule also handles the
Information Flow Analysis for VHDL 95
c◦
c•
c
a
c
b b
a
(b)
a◦
a• b◦
b•
(a)
Fig. 4. Result of the Information Flow Analysis for program (b)
case where information ﬂows from the variables and signals in a condition on a
synchronization point.
The rule [Synchronized values] uses the result of the Reaching Deﬁnitions
analysis to determine which signals were read in the Resource Matrix and follow
them to their deﬁnition. When synchronizing signals the matter is complicated
as the signal is deﬁned at a synchronization point, therefore the rule needs to
consider all the information about signals ﬂowing into the synchronization points
that might be synchronized with. Which synchronization points the deﬁnition
point synchronizes with is gathered in the cf predicate, hence we apply the
Reaching Deﬁnitions analysis for active signals on all the synchronization points
and copy all the entries indicating variables and signals being read from the
point the signal could be deﬁned.
5.3 Improvement of the Information Flow Analysis
For the example program (b) (i.e. [b := a]1; [c := b]2) we previously described
how the Information Flow Analysis would yield the result presented in Figure
4(a). In fact the resulting graph indicates that the resulting value of the variable
b can be read from the resulting value of the variable c, which is entirely correct.
However, the initial value of the variable b cannot be read from the variable c; to
see this consider a scenario where b initially contained a value, this value would
never ﬂow to c, as the ﬁrst assignment would overwrite the variable.
The Information Flow Analysis based on the Reaching Deﬁnitions Analysis
can be improved to handle the initial and outgoing values of signals with greater
accuracy. The idea is to add a node to the graph for each incoming signal,
annotating the incoming node of a variable with a ◦, and for each outgoing
signal, annotating the outgoing node with a •. Using this scheme a more precise
result for program (b) can be constructed as shown in Figure 4(b), where we
consider the last statement to be outcoming and therefore update the Resource
Matrix in the same fashion as for wait statements.
The extension of the analysis is based on adding special variables and signals
for incoming and outgoing values. The rules for improving the information ﬂow
analysis are presented in Table 9 and explained below.
In a traditional sequential programming language the improvement could be
handled by adding assignments of the form x := x◦ for each variable read in
front of the program, and similarly adding assignments x• := x in the end for
96 T.K. Tolstrup, F. Nielson, and H.R. Nielson
Table 9. Rules for the improved Information Flow Analysis
[Initial values]
(n, ?) ∈ RD†(l)
(n◦, l, R0) ∈ RMgl
[Incoming values]
(n, l′) ∈ RD†(l) l′ ∈ WS
(n◦, l, R0) ∈ RMgl
[Outgoing values]
n ∈ Sigout
(n•, ln• ,M1) ∈ RMgl
[Outcoming values]
l ∈ WS (n, l′) ∈ RD†ϕ(l) (n′, l′, R0) ∈ RMgl
(n′, ln• , R0) ∈ RMgl
handling the outgoing values. Having this in mind we introduce the rule [Initial
values] that uses the special symbol (?) from the Reaching Deﬁnitions analysis
to propagate the initial value of a variable or locally deﬁned signal.
VHDL1 consists of processes running as inﬁnite loops in parallel with other
processes and under the inﬂuence of the environment. Therefore signals might
carry incoming values at any synchronization point, similarly a process might
communicate values out of the system at any synchronization point. We intro-
duce a new process π to illustrate how the incoming and outgoing signals are
handled. The process has the form
π : process begin [sin1 <= s
◦
1]; . . . [wait on S
π]; [s•1 <= s
out
1 ]
ls•1 ; . . .
end process π
where sin1 , sin2 , . . . are the incoming signals, sout1 , sout2 , . . . are the outgoing signals
and Sπ is the set of all incoming and outgoing signals, as speciﬁed in the entity
declaration of the program.
The assignments prior to the synchronization point in process π can be syn-
chronized into the system at each wait statement and this is handled by rule
[Incoming values] where WS =
⋃
i WS(ssi) are all the wait statements in the
program.
We add two rules for the outgoing values to the closure method. The ﬁrst
rule [Outgoing values] speciﬁes a special label for each signal (i.e. the label of
the assignment to n• in process π) used on the left-hand side in an assignment,
at which the signal is set to be modiﬁed in the Resource Matrix. The second rule
[Outcoming values] handles the right-hand side of the outgoing assignments
in process π by considering all active signals coming into a wait statement,
the values read when these active signals where modiﬁed are the signals that
inﬂuence the outgoing value. Sigout is the set of signals that are declared as
outgoing (i.e. with the keyword out in the entity declaration).
6 Results
In order to compare our work to Kemmerer’s method we shall consider part of the
NSA Advanced Encryption Standard test implementation of the 128 bit version
of the encryption algorithm [17]. Both the presented analyses and Kemmerer’s
method have been implemented using the Succinct Solver.
Information Flow Analysis for VHDL 97
(a)
a_1_1
a_3_2
a_1_2
a_1_3
a_1_0
a_2_2
a_2_3
a_2_0
a_2_1
a_3_3
a_3_0
a_3_1
(b)
a_3_1
a_3_2
a_3_3
a_3_0
a_2_3
a_2_1
a_2_2
a_2_0
a_1_1
a_1_0
a_1_3
a_1_2
Fig. 5. Resulting graphs of Kemmerer’s method (a) and our analysis (b) on a shift
function
The analysed programs use several temporary variables. These variables are
overwritten and reused for each input state. The graphs computed by Kem-
merer’s method indicate the problem of the method not taking control ﬂow
information into account; many edges are false positives resulting from the over
approximation. Our analysis correctly eliminates the edges introduced by the
overwritten variables.
To illustrate the diﬀerence between the two approaches, we consider the
function shifting rows in a block. The ﬁrst row is not altered by the function,
while the last three rows are shifted 1, 2 and 3 positions respectively. The values
ﬂow through temporary variables, which are used for all three rows. The function
is preprocessed by unrolling the loops and replacing constants with their values.
The resulting graphs are simpliﬁed so that only the nodes for the three shifted
rows are presented. Furthermore we have merged incoming and outgoing nodes
in the graph of our analysis. Therefore both of the resulting graphs for the three
shifted rows have 12 nodes, and are now comparable. Kemmerer’s method is
unable to separate the shifts on each row as shown in Figure 5(a). Our analysis
computes the precise result as shown in Figure 5(b).
7 Conclusion
One main achievement of the paper is the adaptation of the classical notion of
Reaching Deﬁnitions analysis from traditional programming languages to real-
time languages in the context of hardware description languages. We performed
a development for a useful fragment of VHDL and correctly deal with the com-
plications due to active and present values of signals. One unusual ingredient is
the under-approximation analysis for active signals in order to be able to specify
non-trivial kill-components for present values.
The other main achievement is the demonstration of the usefulness of the
Reaching Deﬁnitions analysis for developing an Information Flow analysis that
is more precise than the traditional method of Kemmerer. The local depen-
dencies were speciﬁed by a straightforward inference system in the manner of
information ﬂow analyses. The global dependencies made good use of all aspects
of the Reaching Deﬁnitions analysis.
98 T.K. Tolstrup, F. Nielson, and H.R. Nielson
Furthermore the improved information ﬂow analysis correctly analyses pro-
grams that would incorrectly be rejected by typical security-type systems; as it
is described in the Open Challenge F of [15]. This is due to the fact that the
Reaching Deﬁnitions analysis allows us to kill overwritten variables and signals.
The current implementation directly follows the structure of the speciﬁca-
tions given in the previous sections and one can argue that its worst case com-
plexity is O(n5). So far this has posed no problems, however we conjecture that
the implementation can be improved to have a cubic worst case complexity.
The reason is that the analysis basically is a combination of three bit-vector
frameworks (each being linear time in practice) [9] and a cubic time reachability
analysis [1].
References
1. A. Aho, J. Hopcroft, and J. Ullman. Data Structures and Algorithms. Addison-
Wesley, 1983.
2. P. J. Ashenden. The Designer’s Guide To VHDL. Morgan Kaufmann, 2nd edition,
2002.
3. K. G. W. Goossens. Reasoning About VHDL Using Operational and Observational
Semantics. In CHDM, volume 987 of LNCS, pages 311–327. Springer, 1995.
4. J. T. Haigh and W. D. Young. Extending the Non-Interference Version of MLS
for SAT. In IEEE Symposium on Security and Privacy, pages 232–239, 1986.
5. Y-W. Hsieh and S. P. Levitan. Control/Data-Flow Analysis for VHDL Semantic
Extraction. Journal of Information Science and Engineering, 14(3):547–565, 1998.
6. C. Hymans. Checking Safety Properties of Behavioral VHDL Descriptions by
Abstract Interpretation. In SAS, volume 2477 of LNCS, pages 444–460. Springer,
2002.
7. IEEE inc. IEEE Standard VHDL Language Reference Manual. IEEE, 1988.
8. J. McHugh. Covert Channel Analysis. Handbook for the Computer Security Cer-
tification of Trusted Systems, 1995.
9. F. Nielson, H. R. Nielson, and C. Hankin. Principles of Program Analysis. Springer,
1999.
10. F. Nielson, H. R. Nielson, and H. Seidl. A Succinct Solver for ALFP. Nordic
Journal of Computing, 9(4):335–372, 2002.
11. F. Nielson, H. R. Nielson, H. Sun, M. Buchholtz, R. R. Hansen, H. Pilegaard, and
H. Seidl. The Succinct Solver Suite. In TACAS, volume 2988 of LNCS, pages
251–265. Springer, 2004.
12. H. R. Nielson and F. Nielson. Semantics with Applications - A Formal Introduction.
John Wiley & Sons, 1992.
13. International Standards Organisation. Common Criteria for information technol-
ogy security (CC). ISO/IS 15408 Final Committee Draft, version 2.0., 1998.
14. J. Rushby. Noninterference, Transitivity, and Channel-Control Security Policies.
Technical Report CSL-92-02, SRI International, December 1992.
15. A. Sabelfeld and A. C. Myers. Language-Based Information-Flow Security. IEEE
Journal on Selected Areas in Communications, 21(1):5–19, 2003.
16. K. Thirunarayan and R. L. Ewing. Structural Operational Semantics for a Portable
Subset of Behavioral VHDL-93. FMSD, 18(1):69–88, 2001.
17. B. Weeks, M. Bean, T. Rozylowicz, and C. Ficke. Hardware performance sim-
ulations of round 2 advanced encryption standard algorithms. Technical report,
National Security Agency, 2000.
