Equivalence Checking a Floating-point Unit against a High-level C Model

Semiconductor companies have increasingly adopted a methodology that starts with a system-level design specification in C/C++/SystemC. This model is extensively simulated to ensure correct functionality and performance. Later, a Register Transfer Level (RTL) implementation is created in Verilog, either manually by a designer or automatically by a high-level synthesis tool. It is essential to check that the C and Verilog programs are consistent. In this paper, we present a two-step approach, embodied in two equivalence checking tools, VERIFOX and HW-CBMC, to validate designs at the software and RTL levels, respectively. VERIFOX is used for equivalence checking of an untimed software model in C against a high-level reference model in C. HW-CBMC verifies the equivalence of a Verilog RTL implementation against an untimed software model in C. To evaluate our tools, we applied them to a commercial floating-point arithmetic unit (FPU) from ARM and an open-source dual-path floating-point adder

Formally Verifiable Synthesis Flow In FPGAs

FPGAs are used in a wide variety of digital systems. Due to their ability to support parallelism and specialization, these devices are becoming more commonplace in fields such as machine learning. One of the biggest benefits of FPGAs, logic specialization, can lead to security risks. Prior research has shown that a large variety of malicious circuits can snoop on sensitive user data, induce circuit faults, or physically damage the FPGA. These Trojan circuits can easily be crafted and embedded in FPGA designs. Often, these Trojans are small, consume little power in comparison to the target circuit, and are hard to detect via simulation or physical inspection. Computer-aided design (CAD) software in FPGAs has been the subject of extensive research and development of FPGAs for the past thirty-five years. The current FPGA software landscape includes vendors that provide widely used software flows to convert behavioral and register-transfer level (RTL) descriptions to bitstreams needed to program an FPGA device. Given the complexity of the algorithms needed to perform this translation, these CAD tool flows are generally structured as black boxes with limited transparency regarding design conversion steps or the logical equivalence of the generated design and initial design specification. vi This work explores the enhancement of open-source FPGA software, SymbiFlow, that focuses on FPGA RTL synthesis, place and route and bitstream generation. SymbiFlow uses Yosys for synthesis, VPR for place and route, and Project X-Ray for bitstream generation. We focus on synthesis using Yosys and formal verification using the Cadence Conformal Logic Equivalence Checker (LEC) for Xilinx Artix-7 FPGAs. Yosys is used to synthesize 160 benchmarks written in Verilog. We implement required code modifications to Yosys for designs to pass the equivalence checker. For Conformal, this work involves processing 160 benchmark designs with the equivalence checker. Parameters can be toggled on or off to obtain results that indicates if a design has passed formal verification when comparing RTL and synthesized netlists

Strengthening Model Checking Techniques with Inductive Invariants

This paper describes optimized techniques to efficiently compute and reap benefits from inductive invariants within SAT-based model checking. We address sequential circuit verification, and we consider both equivalences and implications between pairs of nodes in the logic networks. First, we present a very efficient dynamic procedure, based on equivalence classes and incremental SAT, specifically oriented to reduce the set of checked invariants. Then, we show how to effectively integrate the computation of inductive invariants within state-of-the-art SAT-based model checking procedures. Experiments (on more than 600 designs) show the robustness of our approach on verification instances on which stand-alone techniques fai

Formal Analysis of Arithmetic Circuits using Computer Algebra - Verification, Abstraction and Reverse Engineering

Despite a considerable progress in verification and abstraction of random and control logic, advances in formal verification of arithmetic designs have been lagging. This can be attributed mostly to the difficulty in an efficient modeling of arithmetic circuits and datapaths without resorting to computationally expensive Boolean methods, such as Binary Decision Diagrams (BDDs) and Boolean Satisfiability (SAT), that require “bit blasting”, i.e., flattening the design to a bit-level netlist. Approaches that rely on computer algebra and Satisfiability Modulo Theories (SMT) methods are either too abstract to handle the bit-level nature of arithmetic designs or require solving computationally expensive decision or satisfiability problems. The work proposed in this thesis aims at overcoming the limitations of analyzing arithmetic circuits, specifically at the post-synthesized phase. It addresses the verification, abstraction and reverse engineering problems of arithmetic circuits at an algebraic level, treating an arithmetic circuit and its specification as a properly constructed algebraic system. The proposed technique solves these problems by function extraction, i.e., by deriving arithmetic function computed by the circuit from its low-level circuit implementation using computer algebraic rewriting technique. The proposed techniques work on large integer arithmetic circuits and finite field arithmetic circuits, up to 512-bit wide containing millions of logic gates

Formal Verification throughout the Development of Robust Systems

As transistors are becomming smaller and smaller, they become more susceptible to transient faults due to radiation. A system can be modified to handle these faults and prevent errors that are visible from outside. We present a formal method for equivalence checking to verify that this modification does not change the nominal behavior of the system. On the other hand, we contribute an algorithm to formally verify that a circuit is robust against transient faults under all possible input assignments and variability. If equivalence or robustness cannot be shown, a counterexample is generated

Is Register Transfer Level Locking Secure?

Register Transfer Level (RTL) locking seeks to prevent intellectual property (IP) theft of a design by locking the RTL description that functions correctly on the application of a key. This paper evaluates the security of a state-of-the-art RTL locking scheme using a satisfiability modulo theories (SMT) based algorithm to retrieve the secret key. The attack first obtains the high-level behavior of the locked RTL, and then use an SMT based formulation to find so-called distinguishing input patterns (DIP). The attack methodology has two main advantages over the gate-level attacks. First, since the attack handles the design at the RTL, the method scales to large designs. Second, the attack does not apply separate unlocking strategies for the combinational and sequential parts of a design; it handles both styles via a unifying abstraction. We demonstrate the attack on locked RTL generated by TAO [1], a state-of-the-art RTL locking solution. Empirical results show that we can partially or completely break designs locked by TAO

Automatic Generation of High-Coverage Tests for RTL Designs using Software Techniques and Tools

Register Transfer Level (RTL) design validation is a crucial stage in the hardware design process. We present a new approach to enhancing RTL design validation using available software techniques and tools. Our approach converts the source code of a RTL design into a C++ software program. Then a powerful symbolic execution engine is employed to execute the converted C++ program symbolically to generate test cases. To better generate efficient test cases, we limit the number of cycles to guide symbolic execution. Moreover, we add bit-level symbolic variable support into the symbolic execution engine. Generated test cases are further evaluated by simulating the RTL design to get accurate coverage. We have evaluated the approach on a floating point unit (FPU) design. The preliminary results show that our approach can deliver high-quality tests to achieve high coverage

Analog and Mixed Signal Verification using Satisfiability Solver on Discretized Models

With increasing demand of performance constraints and the ever reducing size of the IC chips, analog and mixed-signal designs have become indispensable and increasingly complex in modern CMOS technologies. This has resulted in the rise of stochastic behavior in circuits, making it important to detect all the corner cases and verify the correct functionality of the design under all circumstances during the earlier stages of the design process. It can be achieved by functional or formal verification methods, which are still widely unexplored for Analog and Mixed-Signal (AMS) designs. Design Verification is a process to validate the performance of the system in accordance with desired specifications. Functional verification relies on simulating different combinations of inputs for maximum state space coverage. With the exponential increase in the complexity of circuits, traditional functional verification techniques are getting more and more inadequate in terms of exhaustiveness of the solution. Formal verification attempts to provide a mathematical proof for the correctness of the design regardless of the circumstances. Thus, it is possible to get 100% coverage using formal verification. However, it requires advanced mathematics knowledge and thus is not feasible for all applications. In this thesis, we present a technique for analog and mixed-signal verification targeting DC verification using Berkeley Short-channel Igfet Models (BSIM) for approximation. The verification problem is first defined using the state space equations for the given circuit and applying Satisfiability Modulo Theories (SMT) solver to determine a region that encloses complete DC equilibrium of the circuit. The technique is applied to an example circuit and the results are analyzed in turns of runtime effectiveness