CN107367686A - A method for generating RTL hardware Trojan test vectors - Google Patents
Abstract
The invention discloses a method for generating RTL hardware Trojan test vectors, which mainly comprises generating a control flow graph, concurrent symbolic execution, satisfiability solving, and test vector generation. The invention statically analyzes Verilog code and uses multi-threaded concurrency to perform concurrent symbolic execution of the Verilog code, so that test vectors with high path coverage are generated quickly.
Description
Technical field
The present invention relates to the field of integrated circuit testing, and in particular to a method for generating RTL hardware Trojan test vectors which, targeting the characteristics of conditionally triggered hardware Trojans, can quickly generate test vectors that have high path coverage and include vectors able to activate conditionally triggered hardware Trojans.
Background
In digital integrated circuit design, different design stages correspond to designs at different abstraction levels. From high to low, the abstraction levels are functional specification, algorithm-level/microarchitecture-level design, register-transfer level (RTL) design, gate-level design and physical-level design. Hardware Trojans can be located at different abstraction levels, mainly the system level, behavioral description level, register-transfer level, gate level, transistor level and physical level. N. Jacob et al., in "Hardware Trojans: current challenges and approaches", analyzed the stages at which hardware Trojans may currently be inserted; the hardware Trojans proposed so far are mostly concentrated in the functional design stage (register-transfer level).
In current hardware Trojan detection techniques, only a few publications address detection at the functional design stage and the physical design stage (gate level); the vast majority concentrate on detection at the fabrication stage. Detection at the functional design stage uses formal verification, the physical design stage uses functional analysis, and the fabrication stage mainly uses side-channel analysis and structural modification. Side-channel analysis is a non-destructive detection technique that mainly analyzes signals in the circuit such as timing, power, electromagnetic emission and heat, and finds Trojans by comparison with a golden model. Side-channel analysis can effectively detect fairly large hardware Trojans, but it is easily affected by process variation and various kinds of noise and has difficulty detecting small hardware Trojans. Gate-level information flow tracking, used for gate-level security checking, generates from the original gate-level netlist a gate-level netlist of information flow logic that contains the information flow, but the complexity of the newly generated netlist is nearly 2^n times that of the original, which greatly limits its practical use.
Several new methods for hardware Trojan detection at the register-transfer level have been proposed in recent years. Ni Lin et al., in "IP soft core hardware Trojan detection based on feature matching", propose a hardware Trojan inspection method. The method analyzes RTL coding rules and, from the viewpoint of how hardware Trojans are implemented in RTL IP soft cores, builds a hardware Trojan feature library based on Trust-Hub; by analyzing the typical logic structures and behavioral characteristics of hardware Trojans, it performs logical abstraction on the feature library and on the IP soft core under test, and then identifies hardware Trojans in the IP soft core. Feature matching requires building a feature library from a large number of hardware Trojan models and then matching against it. This method, which comes from software security testing, cannot find new malicious code. The document "Hardware Trojan detection method and system based on test vectors" describes a method that obtains the toggle information and coverage information of each circuit node in the integrated circuit, selects as candidate Trojan nodes the circuit nodes whose toggle information and coverage information respectively meet a preset low-toggle condition and a preset low-coverage condition, and selects the final test vectors from the test vectors according to the information of the candidate Trojan nodes.
These documents show that the main register-transfer level security detection methods concentrate on feature matching, formal verification and test generation. Formal verification still faces great analysis difficulty when dealing with large, complex designs. Test generation remains a very important means of detection. Because exhaustively testing all input values is impractical, the key problem for test generation is how to generate test vector values efficiently as the test vector space keeps growing. Security detection at the register-transfer level is therefore closely tied to test generation methods. V. V. Acharya et al., in "Branch Guided Functional Test Generation at the RTL", use symbolic execution to analyze an RTL hardware description language. The basic idea is to convert the Verilog code to C/C++, analyze it with the comparatively mature symbolic execution methods for C/C++, and then take the generated test vectors back to the Verilog code for further analysis. This method does not analyze the Verilog code directly; because it relies on code conversion, it is difficult to make the converted code fully consistent with the original Verilog design.
Summary of the invention
In view of the shortcomings of the prior art, the present invention aims to provide a method for generating RTL hardware Trojan test vectors, to solve the problem of test generation for detecting conditionally triggered hardware Trojans. The method statically analyzes Verilog code and uses multi-threaded concurrency to perform concurrent symbolic execution of the Verilog code, so that test vectors with high path coverage are generated quickly.
To achieve this, the present invention adopts the following technical scheme:
A method for generating RTL hardware Trojan test vectors, comprising the following steps:
S1 Generate the control flow graph (CFG) of the Verilog code;
S2 Based on the control flow graph CFG generated in step S1, apply concurrent symbolic execution to the module file to be analyzed and obtain the symbolic execution expression of each output variable under a given path condition pc, i.e. <pc,exp>;
S3 Perform satisfiability solving on the path conditions pc obtained in step S2, obtain the set of satisfiable path conditions and the corresponding input variable values, and generate the test vectors;
S4 Using the test vectors obtained in step S3 and the <pc,exp> mapping, compute the value of the symbolic execution expression exp corresponding to each output variable under the path conditions pc that were solved as satisfiable; this yields the <test vector, output vector> mapping.
Note that in step S1 the control flow graph is generated by defining statement node types, generating statement nodes, and establishing the predecessor and successor relations between statement nodes.
More specifically, step S1 comprises the following steps:
S1.1 The statement node types defined are: ALWAYS, ALWAYS_END, IF, ELSE, IF_END, CASE, CASEX, CASEZ, CASE_ITEM, CASE_END, FOR, FOR_END, TASK, TASK_END, ASSIGN_BLOCK, ASSIGN_NONBLOCK, ASSIGN_CONTINUOUS, INSTANTIATION;
In addition, an ENTER node is added at the start of the whole code and an EXIT node at the end; a node of undetermined type is a NONE node. The nodes corresponding to always, if, case (casex, casez), for and task are control nodes; ENTER and EXIT are control nodes; blocking assignments, non-blocking assignments and continuous assignments are assignment nodes. Using the open-source ANTLR4 and the verilog2001.g4 grammar written by Terence Parr, the syntax of the Verilog register-transfer level design code is parsed, and each Verilog statement is extracted and analyzed in turn. The statement nodes of the control flow graph are then generated: one statement corresponds to one node in the control flow graph, and the statement node types are defined for the synthesizable Verilog statements. To distinguish variables in different module files, every analyzed variable name is changed to the form: module name_M_original variable name;
S1.2 Establish the predecessor and successor relations between statement nodes according to the statement node types. Control flow relations between statement nodes are expressed by the connections between control nodes and by the connections between control nodes and assignment nodes; a connection between assignment nodes does not indicate a control relation, it only indicates the positional relation in the code of the statements the assignment nodes represent. The added ENTER node is the start node of the whole code and the EXIT node is its end node. Always blocks, instantiation statements and continuous assignment statements are concurrent with one another; the if, case and for statements inside an always block have syntax-related control-interval and control-order relations. The predecessor and successor relations between the statement nodes are determined from the control intervals and control relations;
S1.3 Based on the predecessor and successor relations between the statement nodes, generate the control flow graph CFG of the Verilog code by breadth-first traversal.
Step S2 is carried out as follows:
S2.1 Loop over each instantiation statement, obtain the file name of the sub-module corresponding to the instantiated module, and obtain the symbolic execution result of the sub-module file;
S2.2 According to the port variable mapping of the instantiation statement, replace the sub-module port variable names with the port variable names of the module file to be analyzed, and likewise replace the sub-module port variable names contained in pc and exp with the port variable names of the module file to be analyzed;
S2.3 Perform symbolic execution on the module file to be analyzed, converting the path condition pc and the expression exp to SMT-LIBv2 syntax, and then return the set of <pc,exp> pairs corresponding to the output variables.
More specifically, step S2.3 is carried out as follows:
S2.3.1 Convert the Verilog infix expressions of pc and exp into SMT-LIBv2 syntax in prefix form, where the path condition of a control node = the path condition of the control node it belongs to AND its own condition, and the path condition of an assignment node = the path condition of the control node it belongs to;
S2.3.2 For ALWAYS statement nodes and ASSIGN_CONTINUOUS statement nodes, start SymbolExecutionThread sub-threads that analyze each always block and each continuous assignment statement concurrently;
S2.3.3 When the analysis in all started sub-threads has finished, replace the non-input variables in pc with input variables to obtain <pc,exp>.
More specifically still, step S2.3.2 is carried out as follows:
S2.3.2.1 Find in the CFG the first node of the always block to be analyzed, or the continuous assignment statement node, and use it as subroot;
S2.3.2.2 Following the successor relations of the nodes, traverse depth-first the subtree rooted at subroot and visit each node in it. If the statement node type is non-blocking assignment, blocking assignment or continuous assignment, check the isDone flag of each non-input variable var_i in the symbolic execution expression exp. If isDone is false, the sub-thread is suspended and waits for the symbolic execution of var_i to finish, i.e. for the isDone flag of var_i to be set to true. If isDone is true, take the <pc',exp'> set of var_i, replace var_i in the original expression with each exp' from it, and AND pc' with the pc of the original assignment statement;
S2.3.2.3 When the depth-first traversal of the subtree rooted at subroot ends, set isDone to true for the variables assigned in the always block or for the continuously assigned variable, and wake the sub-threads that were suspended waiting on this always block's variable set or on this continuously assigned variable.
Step S3 is carried out as follows:
S3.1 Take the path conditions pc one at a time and build the solver statement in SMT-LIBv2 form;
S3.2 Perform satisfiability solving on the SMT-LIBv2 solver statement;
S3.3 If pc can be solved, record the solved input variable values and go to step S3.1; otherwise the pc is not processed;
S3.4 Collect the pcs that could be solved and proceed to step S4.
The beneficial effects of the invention are as follows: by analyzing the top-level Verilog file, all related sub-modules are analyzed automatically, which speeds up RTL hardware Trojan test vector generation and makes it more effective, improves the branch coverage of the code analysis, and improves the overall efficiency of the code analysis.
Brief description of the drawings
Fig. 1 is the overall design flow chart of the invention;
Fig. 2 is a schematic flow chart of control flow graph generation in the invention;
Fig. 3 is a schematic flow chart of concurrent symbolic execution in the invention;
Fig. 4 is a schematic flow chart of test vector generation in the invention;
Fig. 5 is a schematic control flow graph of lines 63-69 of uart.v in embodiment 1 of the invention;
Fig. 6 is a schematic control flow graph of lines 71-77 of uart.v in embodiment 1 of the invention;
Fig. 7 is a schematic control flow graph of lines 79-86 of uart.v in embodiment 1 of the invention;
Fig. 8 is a schematic control flow graph of lines 88-98 of uart.v in embodiment 1 of the invention;
Fig. 9 is a schematic control flow graph of lines 100-111 of uart.v in embodiment 1 of the invention.
Detailed description
The invention is further described below with reference to the drawings. Note that the following embodiment is based on the present technical scheme and gives a detailed implementation and specific operating procedure, but the scope of the invention is not limited to this embodiment.
As shown in Fig. 1, the method for generating RTL hardware Trojan test vectors comprises the following steps.
Step 1. Generate the control flow graph CFG (Control Flow Graph) of the Verilog code, as shown in Fig. 2:
1.1) Using the open-source ANTLR4 and the verilog2001.g4 grammar written by Terence Parr, parse the syntax of the Verilog register-transfer level design code, and extract and analyze each Verilog statement in turn. Generate the statement nodes of the control flow graph: one statement corresponds to one node in the control flow graph, and the statement node types are defined for the synthesizable Verilog statements. The statement node types defined are: ALWAYS, ALWAYS_END, IF, ELSE, IF_END, CASE, CASEX, CASEZ, CASE_ITEM (case statement branch), CASE_END, FOR, FOR_END, TASK, TASK_END, ASSIGN_BLOCK (blocking assignment), ASSIGN_NONBLOCK (non-blocking assignment), ASSIGN_CONTINUOUS (continuous assignment), INSTANTIATION (instantiation). In addition, an ENTER node is added at the start of the whole code and an EXIT node at the end; a node of undetermined type is a NONE node. The nodes corresponding to always, if, case (casex, casez), for and task are control nodes; ENTER and EXIT are control nodes; blocking assignments, non-blocking assignments and continuous assignments are assignment nodes.
1.2) Establish the predecessor and successor relations between statement nodes according to the statement node types. Control flow relations between statement nodes are expressed by the connections between control nodes and by the connections between control nodes and assignment nodes. A connection between assignment nodes does not indicate a control relation; it only indicates the positional relation in the code of the statements the assignment nodes represent. The added ENTER node is the start node of the whole code and the EXIT node is its end node. Always blocks, instantiation statements and continuous assignment statements are concurrent with one another. The if, case and for statements inside an always block have control-interval and control-order relations. The predecessor and successor relations between the statement nodes are determined from the control intervals and control relations.
1.3) Based on the predecessor and successor relations between the statement nodes, generate the control flow graph CFG of the Verilog code by breadth-first traversal.
Step 2. Based on the control flow graph CFG generated in step 1, use concurrent symbolic execution to obtain the symbolic execution expressions of the output variables under a given path condition pc, i.e. express the output variables using only input variables and constants, as shown in Fig. 3:
2.1) Loop over each instantiation statement, obtain the file name (filename) corresponding to the instantiated module, and obtain the symbolic execution result of the sub-module file.
2.2) According to the port variable mapping of the instantiation statement, replace the sub-module port variable names with the port variable names of the module file to be analyzed, and likewise replace the sub-module port variable names contained in pc and exp with the port variable names of the module file to be analyzed.
2.3) Perform symbolic execution on the module file to be analyzed, converting the path condition pc to SMT-LIBv2 syntax.
Return the set of <pc,exp> pairs corresponding to the output variables.
The symbolic execution in 2.3) is one of the key points of the whole design. Specifically, the Verilog infix expressions of the control-node path condition pc and of the symbolic execution expression exp are converted into SMT-LIBv2 syntax in prefix form. The path condition of a control node = the path condition of the control node it belongs to AND its own condition; the path condition of an assignment node = the path condition of the control node it belongs to. For ALWAYS statement nodes and ASSIGN_CONTINUOUS statement nodes, symbolExecutionThread sub-threads are started to analyze each always block and each continuous assignment statement concurrently. When the analysis in all started sub-threads has finished, the non-input variables in pc are replaced with input variables.
The symbolExecutionThread sub-thread implements the concurrent execution of always blocks and continuous assignments. Because variables depend on one another, a variable assigned in one always block or continuous assignment statement may depend on variables in other always blocks or continuous assignment statements; in that case the sub-thread must be suspended until the sub-thread of the variable it depends on has finished. Specifically: find in the CFG the first node of the always block to be analyzed, or the continuous assignment statement node, and use it as subroot. Following the successor relations of the nodes, traverse depth-first the subtree rooted at subroot and visit each node in it. If the statement node type is non-blocking assignment, blocking assignment or continuous assignment, check the isDone flag of each non-input variable var_i in the symbolic execution expression. If isDone is false, the sub-thread is suspended and waits for the symbolic execution of var_i to finish, i.e. for the isDone flag of var_i to be set to true. If isDone is true, take the <pc',exp'> set of var_i, replace var_i in the original expression with each exp' from it, and AND pc' with the pc of the original assignment statement. When the depth-first traversal of the subtree rooted at subroot ends, set isDone to true for the variables assigned in the always block or for the continuously assigned variable, and wake the sub-threads that were suspended waiting on this always block's variable set or on this continuously assigned variable.
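The suspend-and-substitute scheme described above, as an added Python example (not code from the patent). The toy module, its variable names and the pre-flattened `(pc, target, exp)` form of each block are assumptions; path conditions here use input variables only, so the final pc rewrite of step 2.3) is not needed.

```python
import threading

INPUTS = {"a", "b", "rst"}        # constructed toy module inputs (a, b: 8 bit, rst: 1 bit)
WAIT_SECONDS = 5                  # a circular dependency fails instead of hanging

def to_smt(term):
    """Render a nested-tuple term as an SMT-LIB v2 prefix expression."""
    if isinstance(term, tuple):
        return "(" + " ".join(to_smt(t) for t in term) + ")"
    return term

def non_inputs(term):
    """Non-input variables used in a term; operators and literals are skipped."""
    if isinstance(term, tuple):
        found = set()
        for arg in term[1:]:
            found |= non_inputs(arg)
        return found
    literal = term.startswith("#") or term in ("true", "false")
    return set() if literal or term in INPUTS else {term}

def substitute(term, var, repl):
    """Replace every occurrence of variable `var` in `term` by `repl`."""
    if isinstance(term, tuple):
        return tuple(substitute(t, var, repl) for t in term)
    return repl if term == var else term

class Shared:
    def __init__(self, targets):
        self.results = {}                                    # var -> [(pc, exp)]
        self.is_done = {t: threading.Event() for t in targets}
        self.errors = []

def run_block(block, shared):
    """Sub-thread body: symbolically execute one always block or continuous assign."""
    local = {}
    try:
        for pc, target, exp in block:
            pairs = [(pc, exp)]
            for var in sorted(non_inputs(exp)):
                if var in local:                  # assigned earlier in this same block
                    known = local[var]
                else:                             # suspend until isDone(var) is true
                    if not shared.is_done[var].wait(WAIT_SECONDS):
                        raise RuntimeError(f"{var} never completed")
                    known = shared.results[var]
                # replace var by each exp' and AND the path conditions
                pairs = [(("and", p, p2), substitute(e, var, e2))
                         for p, e in pairs for p2, e2 in known]
            local.setdefault(target, []).extend(pairs)
    except Exception as err:                      # includes use of an undefined variable
        shared.errors.append(err)
        return
    for target, pairs in local.items():
        shared.results[target] = pairs
        shared.is_done[target].set()              # wake threads waiting on target

def symbolic_execute(blocks):
    """Run one thread per block and return var -> [(pc, exp)] as SMT-LIB strings."""
    shared = Shared({t for blk in blocks for _, t, _ in blk})
    threads = [threading.Thread(target=run_block, args=(blk, shared)) for blk in blocks]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    if shared.errors:
        raise shared.errors[0]
    return {v: [(to_smt(p), to_smt(e)) for p, e in pairs]
            for v, pairs in shared.results.items()}

# Constructed sample. The always block is listed first so its thread has to
# wait for the continuous assignment that defines s.
BLOCKS = [
    # always @(*) if (!rst) y = 8'h00; else y = s + 8'h01;
    [(("=", "rst", "#b0"), "y", "#x00"),
     (("=", "rst", "#b1"), "y", ("bvadd", "s", "#x01"))],
    # assign s = a ^ b;
    [("true", "s", ("bvxor", "a", "b"))],
]

if __name__ == "__main__":
    for var, pairs in sorted(symbolic_execute(BLOCKS).items()):
        print(var, pairs)
```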
Step 3. Perform satisfiability solving on the path conditions obtained in step 2, obtain the set of satisfiable path conditions pc and the corresponding input variable values, and generate the test vectors. This part uses Microsoft's Z3 solver to perform satisfiability solving on each path condition pc of the Verilog code. The specific design is as follows:
3.1) Take the path conditions pc one at a time and build the pc statement in SMT-LIBv2 form;
3.2) Perform satisfiability solving on the SMT-LIBv2 pc statement;
3.3) If pc can be solved, record the solved input variable values and go to 3.1); otherwise the pc is not processed.
Step 4. As shown in Fig. 4, using the test vectors obtained in step 3 and the <pc,exp> mapping, compute the value of the expression exp corresponding to each output variable under the path conditions pc that were solved as satisfiable; this yields the <test vector, output vector> mapping. Because satisfiability solving has been applied, the test vector space is greatly reduced, so the <test vector, output vector> mapping is far smaller than the original mapping space. From the mapping, the test vector values that lead to abnormal output vectors can be found.
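Steps 3 and 4 on a toy scale, as an added Python example (not code from the patent). Exhaustive enumeration over small bit-vectors stands in for the Z3 call; the port names, the `<pc,exp>` list, the bit-flipping payload and the `spec` reference used to judge an output abnormal are all constructed assumptions.

```python
from itertools import product

WIDTHS = {"rst_l": 1, "xmit": 8, "rec_in": 8}     # constructed input ports and widths

def ev(term, env):
    """Evaluate a nested-tuple SMT-LIB-style term on concrete input values."""
    if isinstance(term, str):
        if term == "true":
            return True
        if term.startswith("#x"):
            return int(term[2:], 16)
        if term.startswith("#b"):
            return int(term[2:], 2)
        return env[term]
    op, *args = term
    vals = [ev(a, env) for a in args]
    if op == "and":
        return all(vals)
    if op == "not":
        return not vals[0]
    if op == "=":
        return vals[0] == vals[1]
    if op == "bvxor":
        return vals[0] ^ vals[1]
    raise ValueError(f"unsupported operator {op}")

def solve(pc):
    """Step 3 stand-in: first input assignment satisfying pc, or None if unsatisfiable."""
    names = sorted(WIDTHS)
    for combo in product(*(range(1 << WIDTHS[n]) for n in names)):
        env = dict(zip(names, combo))
        if ev(pc, env):
            return env
    return None

def generate(pairs):
    """Step 4: build the <test vector, output vector> table from <pc, exp> pairs."""
    table = []
    for pc, exp in pairs:
        vector = solve(pc)
        if vector is not None:                    # unsatisfiable pcs are not processed
            table.append((vector, ev(exp, vector)))
    return table

def spec(env):
    """Assumed reference behaviour: reset clears the output, otherwise pass-through."""
    return 0 if env["rst_l"] == 0 else env["rec_in"]

def suspicious(table):
    """Test vectors whose symbolic output disagrees with the reference."""
    return [(vec, out) for vec, out in table if out != spec(vec)]

TRIGGER = ("and", ("=", "xmit", "#x4c"), ("=", "rec_in", "#x4c"))
# Constructed <pc, exp> set for one output; the payload flips the low 4 bits.
PAIRS = [
    (("=", "rst_l", "#b0"), "#x00"),
    (("and", ("=", "rst_l", "#b1"), TRIGGER), ("bvxor", "rec_in", "#x0f")),
    (("and", ("=", "rst_l", "#b1"), ("not", TRIGGER)), "rec_in"),
    (("and", ("=", "rst_l", "#b0"), ("=", "rst_l", "#b1")), "#xff"),   # unsatisfiable
]

if __name__ == "__main__":
    for vec, out in suspicious(generate(PAIRS)):
        print("abnormal output", hex(out), "for test vector", vec)
```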
Embodiment 1
RS232-T400 from Trust-Hub is chosen as the object of analysis. It contains three Verilog files: uart.v, u_xmit.v and u_rec.v, shown below. The Trojan trigger in the top-level file uart.v compares the transmitted and received data; when both equal 8'h4c, the Trojan is activated. The Trojan payload can replace 4 bits of the received data.
1. uart.v program source code:
2. u_xmit.v program source code:
3. u_rec.v program source code:
This embodiment takes uart.v as the example. It contains 2 instantiation statements, so u_xmit.v and u_rec.v are analyzed in turn.
Step 1: Control flow graph generation
1) Traverse the syntax parse tree (parseTree) of the uart.v file depth-first and obtain the statement node information. For example, the first node of the whole file is the ENTER node and the last node is the EXIT node, and the statement information obtained is:
(1) Node 0: ENTER node, index 0, control interval [3,116] (3 and 116 are statement line numbers; the values in square brackets have the same meaning in the following steps);
(2) Node 1: instantiation node, corresponding instantiated file u_xmit.v, index 1, control interval [63,70]; its control node is ENTER, whose control interval is [3,116];
(3) Node 2: instantiation node, corresponding instantiated file u_rec.v, index 2, control interval [72,81]; its control node is ENTER, whose control interval is [3,116];
(4) Node 3: always node, index 3, control interval [83,90]; its control node is ENTER, whose control interval is [3,116];
(5) Node 4: if node, index 4, control interval [84,89]; its control node is the always node (node 3), whose control interval is [83,90];
(6) Node 5: blocking assignment node, index 5, control interval [85,85]; its control node is the if node (node 4), whose control interval is [84,89];
(7) Node 6: else node, index 6, control interval [87,89]; its control node is the if node (node 4), whose control interval is [84,89];
(8) Node 7: blocking assignment node, index 7, control interval [88,88]; its control node is the else node (node 6), whose control interval is [87,89];
(9) Node 8: end node of the if block, index 8, control interval [89,89]; its control node is the if node (node 6), whose control interval is [84,89];
(10) Node 9: end node of the always block, index 9, control interval [90,90]; its control node is the always node (node 3), whose control interval is [83,90];
(11) And so on up to the last node, node 32: EXIT node, index 32, control interval [116,116]; its control node is the ENTER node, whose control interval is [3,116].
2) From the control-interval membership between statement nodes, establish the predecessor and successor relations between the nodes. For the statement nodes obtained in 1):
(1) Node 0 is the ENTER node;
(2) Node 1 is an instantiation node; because its control node is ENTER, the predecessors of node 1 include node 0 and the successors of node 0 include node 1;
(3) Node 2 is an instantiation node; because its control node is ENTER, the predecessors of node 2 include node 0 and the successors of node 0 include node 2;
(4) Node 3 is an always node; because its control node is ENTER, the predecessors of node 3 include node 0 and the successors of node 0 include node 3;
(5) Node 4 is an if node; because its control node is node 3, the predecessors of node 4 include node 3 and the successors of node 3 include node 4;
(6) Node 5 is a blocking assignment node; because its control node is node 4, the predecessors of node 5 include node 4 and the successors of node 4 include node 5;
(7) Node 6 is an else node; because its control node is node 4, the predecessors of node 6 include node 4 and the successors of node 4 include node 6;
(8) Node 7 is a blocking assignment node; because its control node is node 6, the predecessors of node 7 include node 6 and the successors of node 6 include node 7;
(9) Node 8 is the end node of the if block; because its control node is node 4, the predecessors of node 8 include nodes 5 and 7, the successors of node 5 include node 8, and the successors of node 7 include node 8;
(10) Node 9 is the end node of the always block; because its control node is node 3, the predecessors of node 9 include node 8 and the successors of node 8 include node 9;
(11) And so on, giving the predecessor and successor relations of all statement nodes.
3) Traversing with the breadth-first algorithm finally yields the control flow graph of uart.v shown in Figs. 5-9. The numbers in Figs. 5-9 are the line numbers of the statement nodes in the source code; ENTER represents the line number where the code starts and the EXIT node the line number where the code ends.
4) The control flow graphs of u_xmit.v and u_rec.v are obtained in the same way.
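The relations listed in 2) can be reproduced mechanically from the node table in 1). The following Python sketch is an added example, not code from the patent; the control node of each entry is taken from the relation list in 2), and the rule used for END nodes (connect every node inside the construct that has no successor yet) is an assumption inferred from items (9) and (10).

```python
from collections import defaultdict, deque

# index -> (node type, control node index, control interval), nodes 0-9 only
NODES = {
    0: ("ENTER", None, (3, 116)),
    1: ("INSTANTIATION", 0, (63, 70)),
    2: ("INSTANTIATION", 0, (72, 81)),
    3: ("ALWAYS", 0, (83, 90)),
    4: ("IF", 3, (84, 89)),
    5: ("ASSIGN_BLOCK", 4, (85, 85)),
    6: ("ELSE", 4, (87, 89)),
    7: ("ASSIGN_BLOCK", 6, (88, 88)),
    8: ("IF_END", 4, (89, 89)),
    9: ("ALWAYS_END", 3, (90, 90)),
}
END_TYPES = {"ALWAYS_END", "IF_END", "CASE_END", "FOR_END", "TASK_END"}

def controlled_by(nodes, ctrl):
    """Indices of all nodes directly or transitively controlled by ctrl."""
    found, frontier = [], [ctrl]
    while frontier:
        cur = frontier.pop()
        kids = [i for i, (_, c, _) in nodes.items() if c == cur]
        found += kids
        frontier += kids
    return found

def build_relations(nodes):
    """Return (pred, succ) maps derived from control nodes and node types."""
    pred, succ = defaultdict(set), defaultdict(set)
    for idx in sorted(nodes):                      # source order
        ntype, ctrl, (lo, hi) = nodes[idx]
        if ctrl is None:                           # ENTER has no predecessor
            continue
        c_lo, c_hi = nodes[ctrl][2]
        if not (c_lo <= lo and hi <= c_hi):        # sanity check on the intervals
            raise ValueError(f"node {idx} lies outside control node {ctrl}")
        if ntype in END_TYPES:
            # assumed rule: an END node joins every open branch of its construct
            sources = [n for n in controlled_by(nodes, ctrl)
                       if n < idx and not succ[n]]
        else:
            sources = [ctrl]
        for src in sources:
            succ[src].add(idx)
            pred[idx].add(src)
    return pred, succ

def bfs_order(succ, root=0):
    """Breadth-first traversal over the successor relation, as in step 1.3)."""
    order, seen, queue = [], {root}, deque([root])
    while queue:
        cur = queue.popleft()
        order.append(cur)
        for nxt in sorted(succ.get(cur, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order

if __name__ == "__main__":
    pred, succ = build_relations(NODES)
    for idx in sorted(NODES):
        print(idx, NODES[idx][0], "pred", sorted(pred[idx]), "succ", sorted(succ[idx]))
    print("BFS:", bfs_order(succ))
```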
Step 2: Concurrent symbolic execution
1) For instantiated modules, concurrent symbolic execution is performed recursively on each instantiated module file. The two instantiation statements in uart.v therefore trigger concurrent symbolic execution of the two files u_xmit.v and u_rec.v;
For the concurrent symbolic execution of the u_xmit.v file, the result is returned through the recursive call to the concurrent symbolic execution of the uart.v file (to distinguish variables in different module files, variable names take the form module name_M_original variable name; for example, the variable sys_clk in the original u_xmit.v becomes u_xmit_M_sys_clk).
2) From lines 63-69 of the uart.v file, the port mapping is analyzed as follows:
u_xmit_M_sys_clk<->uart_M_sys_clk
u_xmit_M_sys_rst_l<->uart_M_sys_rst_l
u_xmit_M_uart_xmitH<->uart_M_uart_XMIT_dataH
u_xmit_M_xmitH<->uart_M_xmitH
u_xmit_M_xmit_dataH<->uart_M_xmit_dataH
u_xmit_M_xmit_doneH<->uart_M_xmit_doneH
The variables in the execution result of u_xmit.v are replaced with the variables in the uart.v file according to the port mapping obtained above.
From lines 71-77 of the uart.v file, the port mapping is analyzed as follows:
u_rec_M_sys_rst_l<->uart_M_sys_rst_l
u_rec_M_sys_clk<->uart_M_sys_clk
u_rec_M_uart_dataH<->uart_M_uart_REC_dataH
u_rec_M_rec_dataH<->uart_M_rec_dataH_rec
u_rec_M_rec_readyH<->uart_M_rec_readyH
The variables in the execution result of u_rec.v are then replaced with the variables of the uart.v file according to the port mapping obtained above.
The remaining always blocks and continuous assignment statements are then symbolically executed concurrently, and the <pc,exp> set corresponding to each output variable is returned.
The results of concurrent symbolic execution of the always blocks and continuous assignment statements in one Verilog file are as follows (multi-threaded concurrent execution has some randomness: the order in which the sub-threads run is not necessarily the same each time, but the constraints between related variables do not change. The numbers in the tables are the source-code line numbers of the executed statements):
Table 1: Concurrent symbolic execution process for u_xmit.v
Table 2: Concurrent symbolic execution process for u_rec.v
Table 3: Concurrent symbolic execution process for uart.v
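The order-independence noted above can be reproduced with a small model of the sub-thread scheme set out in the claims (isDone flags, suspend, wake). This is an added example, not code from the patent: the three-block design and the names BLOCKS, analyse and run are constructed for illustration, and it assumes there is no dependency loop between blocks.

```python
import re
import threading

# Constructed toy design (not from the patent). Each concurrent block assigns one
# variable and is summarised as <pc, exp> pairs in SMT-LIBv2 syntax; any name that
# is not a key of BLOCKS is an input variable.
BLOCKS = {
    "out":       [("(= sys_rst_l #b0)", "#x00"), ("(= sys_rst_l #b1)", "shift_reg")],
    "shift_reg": [("(= state #b1)", "xmit_dataH"), ("(= state #b0)", "#x00")],
    "state":     [("true", "sys_rst_l")],
}

def analyse(var, results, done):
    """Sub-thread body: rewrite var's <pc, exp> pairs over input variables only."""
    pending, finished = list(BLOCKS[var]), []
    while pending:
        pc, exp = pending.pop()
        deps = [t for t in re.findall(r"[A-Za-z_]\w*", pc + " " + exp) if t in BLOCKS]
        if not deps:
            finished.append((pc, exp))
            continue
        dep = deps[0]
        done[dep].wait()  # suspend until dep's isDone flag is set
        for dep_pc, dep_exp in results[dep]:
            def sub(text):
                return re.sub(rf"\b{dep}\b", lambda _m: dep_exp, text)
            # Replace dep by exp' and AND its pc' onto the current path condition.
            pending.append((f"(and {sub(pc)} {dep_pc})", sub(exp)))
    results[var] = sorted(finished)
    done[var].set()  # isDone = true: wakes every sub-thread waiting on var

def run(start_order):
    """Start one sub-thread per block in the given order and collect the results."""
    results, done = {}, {v: threading.Event() for v in BLOCKS}
    threads = [threading.Thread(target=analyse, args=(v, results, done))
               for v in start_order]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results

if __name__ == "__main__":
    for pc, exp in run(["out", "shift_reg", "state"])["out"]:
        print(pc, "->", exp)
```

One of the three pairs returned for out has a contradictory path condition; it is the satisfiability step that discards such pairs.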
A total of 594 <pc,exp> results are returned, in the following form:
pc=(and true (=(bvnot uart_M_sys_rst_l) (_ bv1 0))),
exp=uart_M_rec_dataH=#b00000000
where pc and exp are written in SMT-LIBv2 syntax.
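As an added illustration (not the patent's implementation), the converter below turns a Verilog infix condition into prefix SMT-LIBv2 and chains nested conditions into a path condition of the (and true ...) shape shown above. The function names, the widths argument and the use of (distinct ... (_ bv0 w)) for Verilog truthiness are assumptions of this example; the patent's own encoding of negation differs.

```python
import re

# Verilog binary operator -> (precedence, SMT-LIBv2 operator); higher binds tighter.
BINOPS = {"||": (1, "or"), "&&": (2, "and"), "|": (3, "bvor"), "^": (4, "bvxor"),
          "&": (5, "bvand"), "==": (6, "="), "!=": (6, "distinct"),
          "<": (7, "bvult"), ">": (7, "bvugt"), "+": (8, "bvadd"), "-": (8, "bvsub")}
TOKEN = re.compile(r"\d+'[bdh][0-9a-fA-F_]+|\|\||&&|==|!=|[A-Za-z_]\w*|[()!~|^&<>+-]")

def as_bool(term, typ):
    """Verilog truthiness: a bit-vector is true when it is non-zero."""
    return term if typ == "Bool" else f"(distinct {term} (_ bv0 {typ}))"

def to_smt(expr, widths):
    """Convert a Verilog infix condition into a prefix SMT-LIBv2 Bool term.
    widths maps each signal name to its bit width; literals must be sized."""
    toks, pos = TOKEN.findall(expr), 0

    def atom():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "(":
            term, typ = binary(1)
            pos += 1  # consume ")"
            return term, typ
        if tok == "!":
            term, typ = atom()
            return f"(not {as_bool(term, typ)})", "Bool"
        if tok == "~":
            term, typ = atom()
            return f"(bvnot {term})", typ
        if "'" in tok:  # sized literal such as 8'd76 or 1'b0
            width, rest = tok.split("'")
            value = int(rest[1:].replace("_", ""), {"b": 2, "d": 10, "h": 16}[rest[0]])
            return f"(_ bv{value} {width})", int(width)
        return tok, widths[tok]

    def binary(min_prec):
        nonlocal pos
        lhs, typ = atom()
        while pos < len(toks) and BINOPS.get(toks[pos], (0,))[0] >= min_prec:
            prec, op = BINOPS[toks[pos]]
            pos += 1
            rhs, rtyp = binary(prec + 1)
            if op in ("and", "or"):
                lhs, typ = f"({op} {as_bool(lhs, typ)} {as_bool(rhs, rtyp)})", "Bool"
            elif op in ("=", "distinct", "bvult", "bvugt"):
                lhs, typ = f"({op} {lhs} {rhs})", "Bool"
            else:
                lhs = f"({op} {lhs} {rhs})"
        return lhs, typ

    return as_bool(*binary(1))

def path_condition(nested_conditions, widths):
    """pc of a node = pc of its enclosing control node AND its own condition."""
    pc = "true"
    for cond in nested_conditions:
        pc = f"(and {pc} {to_smt(cond, widths)})"
    return pc
```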
Step 3: Satisfiability solving
1) Take the path conditions pc out of the <pc,exp> pairs obtained in step 2, one by one;
2) Run satisfiability solving on each pc;
3) If pc is satisfiable, record the solved input variable values and return to 1); otherwise ignore it.
This finally yields the satisfiable pcs. uart_M_rec_dataH has 3 satisfiable solutions, uart_M_uart_XMIT_dataH has 6 satisfiable solutions, uart_M_xmit_doneH has 5 satisfiable solutions, and uart_M_rec_readyH has 5 satisfiable solutions.
Step 4: Obtain the input variable vector corresponding to each output variable solution.
1) The output variable uart_M_rec_dataH is the variable affected once the Trojan is activated. Its corresponding input variables have 3 groups of satisfiable solution values:
(1) uart_M_sys_rst_l=0: the reset signal is asserted (active low) and uart_M_rec_dataH is reset to 0;
(2) uart_M_sys_rst_l=1, uart_M_xmit_dataH=76, uart_M_uart_REC_dataH=0. This corresponds to the case uart_M_xmit_dataH=uart_M_rec_dataH with uart_M_rec_dataH=76, in which the output uart_M_rec_dataH is abnormal because the Trojan has been activated;
(3) uart_M_sys_rst_l=1, uart_M_xmit_dataH=76, uart_M_uart_REC_dataH=1: this corresponds to every case other than cases 1 and 2, in which uart_M_rec_dataH is not affected by Trojan activation and is output normally, so that the 8-bit data before the sender's serial input always equals the 8-bit data of the receiver's serial output.
2) uart_M_uart_XMIT_dataH has the following satisfiable solutions:
(1) uart_M_sys_rst_l=0: one path condition, for the x_IDLE state of the transmit finite state machine;
(2) uart_M_sys_rst_l=1: five path conditions, for the x_START, x_WAIT, x_SHIFT, x_STOP and default states of the transmit finite state machine.
3) uart_M_xmit_doneH has 5 satisfiable solutions:
(1) uart_M_sys_rst_l=0: the reset path condition. The value is 0.
(2) uart_M_sys_rst_l=1: three path conditions in the transmit finite state machine (the x_IDLE state with uart_M_xmitH=0, the x_STOP state, and the default state), plus one path condition for the other remaining states. The value is 1.
4) uart_M_rec_readyH has 5 satisfiable solutions:
(1) uart_M_sys_rst_l=0: the reset path condition. The value is 0.
(2) uart_M_sys_rst_l=1: three path conditions in the receive finite state machine (r_START, r_STOP and default), plus one path condition for the other remaining states. The value is 1.
The analysis results show that the method of the invention can quickly and automatically construct a small number of effective test vectors that have high path coverage and that can include the test vectors which activate condition-triggered hardware Trojans.
Those skilled in the art can make various corresponding changes and modifications based on the technical solution and concept above, and all such changes and modifications shall be regarded as falling within the scope of protection of the claims of the present invention.
Claims (7)
1. A method for generating RTL hardware Trojan test vectors, characterized by comprising the following steps:
S1 Generate the control flow graph (CFG) of the Verilog code;
S2 Based on the CFG generated in step S1, apply concurrent symbolic execution to the module file to be analyzed, obtaining the symbolic execution expression of each output variable under a specified path condition pc, i.e. <pc,exp>;
S3 Perform satisfiability solving on the path conditions pc obtained in step S2, obtaining the set of satisfiable path conditions and their corresponding input variable values, and generate test vectors;
S4 Using the test vectors obtained in step S3 and the <pc,exp> mapping, compute the value of the symbolic execution expression exp corresponding to each output variable under its satisfiable path condition pc, obtaining the <test vector, output vector> mapping.
2. The method for generating RTL hardware Trojan test vectors according to claim 1, characterized in that: in step S1, the control flow graph is generated by defining statement node types, generating statement nodes, and establishing the predecessor and successor relations between statement nodes.
3. The method for generating RTL hardware Trojan test vectors according to claim 2, characterized in that step S1 specifically comprises the following steps:
S1.1 The statement node types designed are: ALWAYS, ALWAYS_END, IF, ELSE, IF_END, CASE, CASEX, CASEZ, CASE_ITEM, CASE_END, FOR, FOR_END, TASK, TASK_END, ASSIGN_BLOCK, ASSIGN_NONBLOCK, ASSIGN_CONTINUOUS, INSTANTIATION;
In addition, an ENTER node is added at the start of the whole code and an EXIT node at the end, and a node of undetermined type is a NONE node. The nodes corresponding to always, if, case (casex, casez), for and task are control nodes; ENTER and EXIT are control nodes; blocking assignment, non-blocking assignment and continuous assignment are assignment nodes. Using the open-source ANTLR4 and the verilog2001.g4 grammar written by Terence Parr, the syntax of the Verilog register-transfer-level design code is parsed, and each Verilog statement is extracted in turn for analysis. The statement nodes used to generate the control flow graph are designed so that one statement corresponds to one node in the control flow graph, and the statement node types are defined for the synthesizable Verilog statements. To distinguish variables in different module files, all analyzed variable names are changed to the form: module name_M_original variable name;
S1.2 Establish the predecessor and successor relations between statement nodes according to the statement node types: the control-flow relation between statement nodes is embodied in the connections between control nodes and between control nodes and assignment nodes; a connection between assignment nodes does not represent a control relation, only the positional relation in the code of the statements the assignment nodes represent. The added ENTER node is the start node of the whole code and the EXIT node is the end node of the whole code. Always blocks, instantiation statements and continuous assignment statements are concurrent with one another; within an always block, the if, case and for statements have syntax-dependent control scopes and control-order relations. The predecessor and successor relations between the statement nodes are determined from these control scopes and control relations;
S1.3 According to the predecessor and successor relations between the statement nodes, generate the control flow graph (CFG) of the Verilog code using breadth-first traversal.
4. The method for generating RTL hardware Trojan test vectors according to claim 1, characterized in that step S2 is specifically as follows:
S2.1 Loop over each instantiation statement, obtain the submodule file name corresponding to the instantiated module, and obtain the symbolic execution result of the submodule file;
S2.2 According to the port variable mapping of the instantiation statement, replace the submodule port variable names with the port variable names of the module file to be analyzed, and likewise replace the submodule port variable names contained in pc and exp with the port variable names of the module file to be analyzed;
S2.3 Perform symbolic execution on the module file to be analyzed, converting the path condition pc into SMT-LIBv2 syntax and exp into SMT-LIBv2 syntax; then return the <pc,exp> set corresponding to each output variable.
5. The method for generating RTL hardware Trojan test vectors according to claim 3, characterized in that step S2.3 is specifically as follows:
S2.3.1 Convert the Verilog infix expressions of pc and exp into SMT-LIBv2 syntax in prefix form; where the path condition of a control node = the path condition of the control node it belongs to AND its own condition, and the path condition of an assignment node = the path condition of the control node it belongs to;
S2.3.2 For ALWAYS statement nodes and ASSIGN_CONTINUOUS statement nodes, start SymbolExecutionThread sub-threads to analyze each always block and continuous assignment statement concurrently;
S2.3.3 When the analysis of all started sub-threads has finished, replace the non-input variables in pc with input variables, obtaining <pc,exp>.
6. The method for generating RTL hardware Trojan test vectors according to claim 4, characterized in that step S2.3.2 is specifically as follows:
S2.3.2.1 From the CFG, find the first node of the always block to be analyzed, or the continuous assignment statement node, and use it as subroot;
S2.3.2.2 Following the successor relations of the nodes, traverse depth-first the subtree rooted at subroot, visiting each node. If the statement node type is non-blocking assignment, blocking assignment or continuous assignment, check the isDone flag of each non-input variable var_i in the symbolic execution expression exp. If isDone is false, suspend the sub-thread and wait for the symbolic execution of var_i to finish, i.e. wait for the isDone flag of var_i to be set to true. If isDone is true, take out the <pc',exp'> set of var_i, replace var_i in the original expression with the exp' from it, and AND pc' with the pc of the original assignment statement;
S2.3.2.3 When the depth-first traversal of the subtree rooted at subroot has finished, set isDone to true for the variables assigned in the always block or for the continuously assigned variable, and wake the sub-threads that were suspended waiting on that set of always-block variables or on that continuously assigned variable.
7. The method for generating RTL hardware Trojan test vectors according to claim 1, characterized in that step S3 is specifically as follows:
S3.1 Take out the path conditions pc one by one and build the solver statements in SMT-LIBv2 format;
S3.2 Perform satisfiability solving on the solver statements in SMT-LIBv2 format;
S3.3 If pc is satisfiable, obtain the solved input variable values and return to step S3.1; otherwise ignore it;
S3.4 Collect the satisfiable pcs and proceed to step S4.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710462372.XA CN107367686B (en) | 2017-06-19 | 2017-06-19 | A kind of generation method of RTL hardware Trojan horse test vector |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107367686A true CN107367686A (en) | 2017-11-21 |
CN107367686B CN107367686B (en) | 2019-11-22 |
Family
ID=60305385
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710462372.XA Active CN107367686B (en) | 2017-06-19 | 2017-06-19 | A kind of generation method of RTL hardware Trojan horse test vector |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||