Hardware Trojan Detection through Information Flow Security Verification
Semiconductor design houses are increasingly becoming dependent on third
party vendors to procure intellectual property (IP) and meet time-to-market
constraints. However, these third party IPs cannot be trusted as hardware
Trojans can be maliciously inserted into them by untrusted vendors. While
different approaches have been proposed to detect Trojans in third party IPs,
their limitations have not been extensively studied. In this paper, we analyze
the limitations of the state-of-the-art Trojan detection techniques and
demonstrate with experimental results how to defeat these detection mechanisms.
We then propose a Trojan detection framework based on information flow security
(IFS) verification. Our framework detects violations of IFS policies caused by
Trojans without requiring white-box knowledge of the IP. We experimentally
validate the efficacy of the proposed technique by accurately identifying
Trojans in the Trust-Hub benchmarks. We also demonstrate that our technique
does not share the limitations of the previously proposed Trojan detection
techniques.
Comment: 10 pages, 8 figures

Boosting the Bounds of Symbolic QED for Effective Pre-Silicon Verification of Processor Cores
Existing techniques to ensure functional correctness and hardware trust
during pre-silicon verification face severe limitations. In this work, we
systematically leverage two key ideas: 1) Symbolic Quick Error Detection
(Symbolic QED or SQED), a recent bug detection and localization technique using
Bounded Model Checking (BMC); and 2) Symbolic starting states, to present a
method that: i) Effectively detects both "difficult" logic bugs and Hardware
Trojans, even with long activation sequences where traditional BMC techniques
fail; and ii) Does not need skilled manual guidance for writing testbenches,
writing design-specific assertions, or debugging spurious counter-examples.
Using open-source RISC-V cores, we demonstrate the following: 1. Quick (<5
minutes for an in-order scalar core and <2.5 hours for an out-of-order
superscalar core) detection of 100% of hundreds of logic bug and hardware
Trojan scenarios from commercial chips and research literature, and 97.9% of
"extremal" bugs (randomly-generated bugs requiring ~100,000 activation
instructions taken from random test programs). 2. Quick (~1 minute) detection
of several previously unknown bugs in open-source RISC-V designs.
Comment: 16 pages, 6 figures; reorganized table