SMT Sampling via Model-Guided Approximation

We investigate the domain of satisfiable formulas in satisfiability modulo theories (SMT), in particular, automatic generation of a multitude of satisfying assignments to such formulas. Despite the long and successful history of SMT in model checking and formal verification, this aspect is relatively under-explored. Prior work exists for generating such assignments, or samples, for Boolean formulas and for quantifier-free first-order formulas involving bit-vectors, arrays, and uninterpreted functions (QF_AUFBV). We propose a new approach that is suitable for a theory T of integer arithmetic and to T with arrays and uninterpreted functions. The approach involves reducing the general sampling problem to a simpler instance of sampling from a set of independent intervals, which can be done efficiently. Such reduction is carried out by expanding a single model - a seed - using top-down propagation of constraints along the original first-order formula

FACTPLA: Functional analysis and the complexity of testing programmable logic array

This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.A computer aided method for analyzing the testability of Programmable Logic Arrays (PLAs) is described. The method, which is based on a functional verification approach, estimates the complexity of testing a PLA according to the amount of single undetectable faults in the array structure. An analytic program (FACTPLA) is developed to predict the above complexity without analyzing the topology of the array as such. Thus, the method is technology invariant and depends only on the functionality of the PLA. The program quantitatively evaluates the effects of undetectable faults and produces some testability measures to manifest these effects. A testability profile for different PLA examples is provided and a number of suggestions for further research to establish definitely the usefulness of some functional properties for testing were made

A neighborhood decoupling algorithm for truncated sum minimization

The article of record as published may be found at http://dx.doi.org/10.1109/ISMVL.1990.122611Published in: Proceedings of the Twentieth International Symposium on Multiple-Valued LogicThere has been considerable interest in heuristic method for minimizing multiple-valued logic functions because exact methods are intractable. This paper describes a new heuristic, called the neighborhood decoupling (ND) algorithm. It first selects a minterm and then selects an implicant, a two step process employed in previous heuristics, e.g., Besslich [2] and Dueck and Miller [4]. The approach taken here more closely resembles the Dueck and Miller heuristic; however, it makes more efficient use of minterms truncated to the highest logic value. The ND-algorithm was developed in conjunction with HAMLET [12], a computer software created at the Naval Postgraduate School for the purpose of designing heuristics for multiple-valued logic minimization. In this paper, we present the algorithm, discuss the implementation, show that it performs consistently better than others and explain the reason for its improved performance

Fast Heuristic and Exact Algorithms for Two-Level Hazard-Free Logic Minimization

None of the available minimizers for 2-level hazard-free logic minimization can synthesize very large circuits. This limitation has forced researchers to resort to manual and automated circuit partitioning techniques. This paper introduces two new 2-level logic minimizers:ESPRESSO-HF, a heuristic method which is loosely based on ESPRESSO-II, and IMPYMIN, an exact method based on implicit data structures. Both minimizers can solve all currently available examples, which range up to 32 inputs and 33 outputs.These include examples that have never been solved before.For examples that can be solved by other minimizers our methods are several orders of magnitude faster. As by-products of these algorithms, we also present two additional results. First, we introduce a fast new algorithm to check if a hazard-free covering problem can feasibly be solved. Second, we introduce a novel formulation of the 2-level hazard-free logic minimization problem by capturing hazard-freedom constraints within a synchronous function by adding new variables

Fast Heuristic and Exact Algorithms for Two-Level Hazard-Free Logic Minimization

None of the available minimizers for 2-level hazard-free logic minimization can synthesize very large circuits. This limitation has forced researchers to resort to manual and automated circuit partitioning techniques. This paper introduces two new 2-level logic minimizers:ESPRESSO-HF, a heuristic method which is loosely based on ESPRESSO-II, and IMPYMIN, an exact method based on implicit data structures. Both minimizers can solve all currently available examples, which range up to 32 inputs and 33 outputs.These include examples that have never been solved before.For examples that can be solved by other minimizers our methods are several orders of magnitude faster. As by-products of these algorithms, we also present two additional results. First, we introduce a fast new algorithm to check if a hazard-free covering problem can feasibly be solved. Second, we introduce a novel formulation of the 2-level hazard-free logic minimization problem by capturing hazard-freedom constraints within a synchronous function by adding new variables

FuncTeller: How Well Does eFPGA Hide Functionality?

Hardware intellectual property (IP) piracy is an emerging threat to the global supply chain. Correspondingly, various countermeasures aim to protect hardware IPs, such as logic locking, camouflaging, and split manufacturing. However, these countermeasures cannot always guarantee IP security. A malicious attacker can access the layout/netlist of the hardware IP protected by these countermeasures and further retrieve the design. To eliminate/bypass these vulnerabilities, a recent approach redacts the design's IP to an embedded field-programmable gate array (eFPGA), disabling the attacker's access to the layout/netlist. eFPGAs can be programmed with arbitrary functionality. Without the bitstream, the attacker cannot recover the functionality of the protected IP. Consequently, state-of-the-art attacks are inapplicable to pirate the redacted hardware IP. In this paper, we challenge the assumed security of eFPGA-based redaction. We present an attack to retrieve the hardware IP with only black-box access to a programmed eFPGA. We observe the effect of modern electronic design automation (EDA) tools on practical hardware circuits and leverage the observation to guide our attack. Thus, our proposed method FuncTeller selects minterms to query, recovering the circuit function within a reasonable time. We demonstrate the effectiveness and efficiency of FuncTeller on multiple circuits, including academic benchmark circuits, Stanford MIPS processor, IBEX processor, Common Evaluation Platform GPS, and Cybersecurity Awareness Worldwide competition circuits. Our results show that FuncTeller achieves an average accuracy greater than 85% over these tested circuits retrieving the design's functionality.Comment: To be published in the proceedings of the 32st USENIX Security Symposium, 202

Worst and best irredundant sum-of-products expressions

In an irredundant sum-of-products expression (ISOP), each product is a prime implicant (Pl) and no product can be deleted without changing the function. Among the ISOPs for some function f, a worst ISOP (WSOP) is an ISOP with the largest number of Pls and a minimum ISOP (MSOP) is one with the smallest number. We show a class of functions for which the Minato-Morreale ISOP algorithm produces WSOPs. Since the ratio of the size of the WSOP to the size of the MSOP is arbitrarily large when it, the number of variables, is unbounded, the Minato-Morreale algorithm can produce results that are very far from minimum. We present a class of multiple-output functions whose WSOP size is also much larger than its MSOP size. For a set of benchmark functions, we show the distribution of ISOPs to the number of Pls. Among this set are functions where the MSOPs have almost as many Pls as do the WSOPs. These functions are known to be easy to minimize. Also, there are benchmark functions where the fraction of ISOPs that are MSOPs is small and MSOPs have many fewer Pls than the WSOPs. Such functions are known to be hard to minimize. For one class of functions, we show that the fraction of ISOPs that are MSOPs approaches 0 as n approaches infinity, suggesting that such functions are hard to minimiz

Optimizations of Cisco’s Embedded Logic Analyzer Module

Cisco’s embedded logic analyzer module (ELAM) is a debugging device used for many of Cisco’s application specific integrated chips (ASICs). The ELAM is used to capture data of interest to the user and stored for analysis purposes. The user enters a trigger expression containing data fields of interest in the form of a logical equation. The data fields associated with the trigger expression are stored in a set of Match and Mask (MM) registers. Incoming data packets are matched against these registers, and if the user-specified data pattern is detected, the ELAM triggers and begins a countdown sequence to stop data capture. The current ELAM implementation is restricted in the form of trigger expressions that are allowed and in the allocation of resources. Currently, data fields in the trigger expression can only be logically ANDed together, Match and Mask registers are inefficiently utilized, and a static state machine exists in the ELAM trigger logic. To optimize the usage of the ELAM, a trigger expression is first treated as a Boolean expression so that minimization algorithms can be run. Next, the data stored in the Match and Mask registers is analyzed for redundancies. Finally, a dynamic state machine is programmed with a distinct set of states generated from the trigger expression. This set of states is further minimized. A feasibility study is done to analyze the validity of the results