CN107367686A - Method for generating test vectors for RTL hardware Trojans - Google Patents


Info

Publication number: CN107367686A
Authority: CN (China)
Prior art keywords: node, statement, assignment, variable, test vector
Legal status: Granted, Active
Application number: CN201710462372.XA
Other languages: Chinese (zh)
Other versions: CN107367686B (en)
Inventors: 沈利香, 慕德俊, 时翔, 徐强, 邢业新, 何松, 袁晓宇
Current Assignee: Northwestern Polytechnical University
Original Assignee: Northwestern Polytechnical University
Application filed by Northwestern Polytechnical University
Priority to CN201710462372.XA
Publication of CN107367686A
Application granted
Publication of CN107367686B

Classifications

    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01R MEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
    • G01R31/00 Arrangements for testing electric properties; Arrangements for locating electric faults; Arrangements for electrical testing characterised by what is being tested not provided for elsewhere
    • G01R31/28 Testing of electronic circuits, e.g. by signal tracer
    • G01R31/317 Testing of digital circuits
    • G01R31/3181 Functional testing
    • G01R31/3183 Generation of test inputs, e.g. test vectors, patterns or sequences
    • G01R31/318371 Methodologies therefor, e.g. algorithms, procedures
    • G PHYSICS
    • G01 MEASURING; TESTING
    • G01R MEASURING ELECTRIC VARIABLES; MEASURING MAGNETIC VARIABLES
    • G01R31/00 Arrangements for testing electric properties; Arrangements for locating electric faults; Arrangements for electrical testing characterised by what is being tested not provided for elsewhere
    • G01R31/28 Testing of electronic circuits, e.g. by signal tracer
    • G01R31/317 Testing of digital circuits
    • G01R31/31719 Security aspects, e.g. preventing unauthorised access during test

Landscapes

  • Engineering & Computer Science
  • General Engineering & Computer Science
  • Physics & Mathematics
  • General Physics & Mathematics
  • Computer Security & Cryptography
  • Debugging And Monitoring

Abstract

The invention discloses a method for generating test vectors for RTL hardware Trojans, which mainly comprises generating a control flow graph, concurrent symbolic execution, satisfiability solving, and test vector generation. The invention statically analyzes Verilog code and uses multi-threaded concurrency to carry out concurrent symbolic execution of the Verilog code, so as to quickly generate test vectors with high path coverage.

Description

Method for generating test vectors for RTL hardware Trojans
Technical field
The present invention relates to the field of integrated circuit testing, and in particular to a method for generating test vectors for RTL hardware Trojans. Targeting the characteristics of condition-triggered hardware Trojans, it quickly generates test vectors that have high path coverage and include vectors able to activate condition-triggered hardware Trojans.
Background
In digital integrated circuit design, different design stages correspond to designs at different levels of abstraction. From high to low, these levels are functional specification, algorithm-level/microarchitecture-level design, register-transfer level (RTL) design, gate-level design and physical-level design. Hardware Trojans can be distributed across different abstraction levels, mainly the system level, behavioral description level, register-transfer level, gate level, transistor level and physical level. N. Jacob et al., in "Hardware Trojans: current challenges and approaches", analyzed the stages at which hardware Trojans may currently be inserted; the hardware Trojans proposed so far are concentrated mostly in the functional design stage (register-transfer level).
In current hardware Trojan detection techniques, only a few documents address detection at the functional design stage and the physical design stage (gate level); the great majority concentrate on detection at the fabrication stage. Detection at the functional design stage uses formal verification, the physical design stage uses functional analysis, and detection at the fabrication stage mainly uses side-channel analysis and structural modification. Side-channel analysis is a non-destructive detection technique that mainly analyzes signals in the circuit such as timing, power, electromagnetic emission and heat, and finds Trojans by comparison with a golden model. Side-channel analysis can effectively detect relatively large hardware Trojans, but it is easily affected by process variation and various kinds of noise, and has difficulty detecting small hardware Trojans. Gate-level information flow tracking, used for gate-level security checking, generates from the original gate-level netlist a gate-level netlist that includes information flow tracking logic, but the complexity of the newly generated netlist is nearly 2^n times that of the original, which greatly limits its application in practice.
Several new methods for hardware Trojan detection at the register-transfer level have been proposed in recent years. Ni Lin et al., in "Feature-matching-based hardware Trojan detection for IP soft cores", proposed a hardware Trojan inspection method. By analyzing RTL coding rules, and from the standpoint of how hardware Trojans are implemented in RTL IP soft cores, the method builds a hardware Trojan feature recognition library based on Trust-Hub; by analyzing the typical logic structures and behavioral features of hardware Trojans, it performs logical abstraction on the feature library and on the IP soft core under test, and thereby identifies hardware Trojans in the IP soft core. Feature matching requires building a feature library from a large number of hardware Trojan models and then matching against it. Like its counterpart in software security testing, this method cannot find new malicious code. The document "Hardware Trojan detection method and system based on test vectors" proposed a method that obtains the toggle information and coverage information of each circuit node in the integrated circuit, selects as candidate Trojan nodes the circuit nodes whose toggle information and coverage information satisfy a preset low-toggle condition and a preset low-coverage condition respectively, and selects the final test vectors from the test vectors according to the information of the candidate Trojan nodes.
These documents show that the main register-transfer level security detection methods concentrate on feature matching, formal verification and test generation. Formal verification still faces great analysis difficulty when dealing with large, complex designs. Test generation remains a very important means of detection. Because exhaustively testing all input values is impractical, the key problem for test generation is how to generate test vectors efficiently as the test vector space keeps growing. Security detection at the register-transfer level is therefore closely tied to test generation methods. V. V. Acharya et al., in "Branch Guided Functional Test Generation at the RTL", used symbolic execution to analyze RTL hardware description language. The basic idea is to convert the Verilog code into C/C++, analyze it with the comparatively mature symbolic execution methods for C/C++, and then apply the generated test vectors back to the Verilog code for further analysis. This method does not analyze the Verilog code directly; because it relies on code conversion, it is difficult to make the converted code fully consistent with the original Verilog design.
Summary of the invention
In view of the shortcomings of the prior art, the present invention aims to provide a method for generating test vectors for RTL hardware Trojans, to solve the problem of test generation for detecting condition-triggered hardware Trojans. The method statically analyzes Verilog code and uses multi-threaded concurrency to perform concurrent symbolic execution of the Verilog code, so as to quickly generate test vectors with high path coverage.
To achieve this aim, the present invention adopts the following technical solution:
A method for generating test vectors for RTL hardware Trojans, comprising the following steps:
S1: generate the control flow graph (CFG) of the Verilog code;
S2: according to the CFG generated in step S1, apply concurrent symbolic execution to the module file to be analyzed, and obtain the symbolic execution expression of each output variable under a given path condition pc, i.e. <pc,exp>;
S3: perform satisfiability solving on the path conditions pc obtained in step S2, obtain the set of satisfiable path conditions and the corresponding input variable values, and generate the test vectors;
S4: according to the test vectors obtained in step S3 and the <pc,exp> mapping, evaluate, for each output variable, the symbolic execution expression exp corresponding to each path condition pc found satisfiable; this yields the <test vector, output vector> mapping.
It should be noted that in step S1 the control flow graph is generated by defining statement node types, generating statement nodes, and establishing the predecessor and successor relations between statement nodes.
More specifically, step S1 comprises the following steps:
S1.1: the statement node types are: ALWAYS, ALWAYS_END, IF, ELSE, IF_END, CASE, CASEX, CASEZ, CASE_ITEM, CASE_END, FOR, FOR_END, TASK, TASK_END, ASSIGN_BLOCK, ASSIGN_NONBLOCK, ASSIGN_CONTINUOUS, INSTANTIATION;
In addition, an ENTER node is added at the start of the whole code and an EXIT node at the end; nodes of undetermined type are NONE nodes. The nodes corresponding to always, if, case (casex, casez), for and task are control nodes, ENTER and EXIT are control nodes, and blocking assignments, non-blocking assignments and continuous assignments are assignment nodes. The open-source ANTLR4 and the verilog2001.g4 grammar written by Terence Parr are used to parse the syntax of the Verilog register-transfer level design code, and each Verilog statement is extracted and analyzed in turn. The statement nodes of the control flow graph are designed so that one statement corresponds to one node in the control flow graph, and the statement node types are defined for the synthesizable statements of Verilog. To effectively distinguish variables in different module files, the names of all analyzed variables are changed to the form: module name_M_original variable name;
S1.2: establish the predecessor and successor relations between statement nodes according to the statement node types. The control flow relation between statement nodes is embodied in the connections between control nodes and in the connections between control nodes and assignment nodes. A connection between assignment nodes does not represent a control relation; it only represents the relative position in the code of the statements that the assignment nodes stand for. The added ENTER node is the start node of the whole code, and the EXIT node is the end node of the whole code. Always blocks, instantiation statements and continuous assignment statements are concurrent with one another. Within an always block, if, case and for statements are related by syntactically determined control intervals and control order. The predecessor and successor relations between statement nodes are determined from the control intervals and control relations;
S1.3: according to the predecessor and successor relations between statement nodes, generate the control flow graph (CFG) of the Verilog code using breadth-first traversal.
It should be noted that step S2 is as follows:
S2.1: process each instantiation statement in a loop, obtain the submodule file name corresponding to the instantiated module, and obtain the symbolic execution result of the submodule file;
S2.2: according to the port variable mapping of the instantiation statement, replace the submodule port variable names with the port variable names of the module file to be analyzed, and at the same time replace the submodule port variable names contained in pc and exp with the port variable names of the module file to be analyzed;
S2.3: perform symbolic execution on the module file to be analyzed, converting the path condition pc and the expression exp into SMT-LIBv2 syntax; then return the set of <pc,exp> pairs corresponding to the output variables.
More specifically, step S2.3 is as follows:
S2.3.1: convert the Verilog infix expressions of pc and exp into the prefix-notation syntax of SMT-LIBv2, where the path condition of a control node = the path condition of the control node it belongs to, together with its own condition, and the path condition of an assignment node = the path condition of the control node it belongs to;
S2.3.2: for ALWAYS statement nodes and ASSIGN_CONTINUOUS statement nodes, start child threads (symbolExecutionThread) that analyze each always block and each continuous assignment statement concurrently;
S2.3.3: when the analysis in all started child threads has finished, replace the non-input variables in pc with input variables, obtaining <pc,exp>.
More specifically still, step S2.3.2 is as follows:
S2.3.2.1: from the CFG, find the first node of the always block to be analyzed, or the continuous assignment statement node, and take it as subroot;
S2.3.2.2: following the successor relations of the nodes, traverse depth-first the subtree rooted at subroot and visit each node in it. If the statement node type is non-blocking assignment, blocking assignment or continuous assignment, check the isDone flag of each non-input variable var_i in the symbolic execution expression exp. If isDone is false, the child thread is suspended and waits for the symbolic execution of var_i to finish, i.e. for the isDone flag of var_i to be set to true. If isDone is true, take out the <pc',exp'> set of var_i, replace var_i in the original expression with exp', and AND pc' with the pc of the original assignment statement;
S2.3.2.3: when the depth-first traversal of the subtree rooted at subroot finishes, set isDone to true for the variables assigned in the always block or for the continuously assigned variable, and wake the child threads that were suspended waiting on the variables assigned in this always block or on this continuously assigned variable.
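The suspend and wake-up scheme of S2.3.2.2 and S2.3.2.3, as an added Python sketch that is not code from the patent: one thread per block waits on a dependency's isDone flag, then substitutes its <pc',exp'> set and ANDs the path conditions. The three constructed blocks, the tuple encoding of expressions and the 5-second timeout are assumptions, and the sample has no cyclic dependencies.

```python
import threading


def variables(e):
    """Variable names in an S-expression held as nested tuples (op, arg, ...)."""
    if isinstance(e, tuple):
        return set().union(*(variables(x) for x in e[1:]))
    return set() if e == "true" or e.startswith("#") else {e}


def substitute(e, var, repl):
    if isinstance(e, tuple):
        return (e[0],) + tuple(substitute(x, var, repl) for x in e[1:])
    return repl if e == var else e


def smt(e):
    """Render the tuple form as SMT-LIBv2 prefix text."""
    return "(" + " ".join([e[0]] + [smt(x) for x in e[1:]]) + ")" if isinstance(e, tuple) else e


class SymbolTable:
    """Finished <pc, exp> sets; a variable's isDone flag is its presence in results."""

    def __init__(self, inputs):
        self.inputs, self.results = set(inputs), {}
        self.cond = threading.Condition()

    def wait_done(self, var, timeout=5.0):
        with self.cond:                       # the calling thread is suspended here
            if not self.cond.wait_for(lambda: var in self.results, timeout):
                raise RuntimeError(f"{var} never finished (cyclic dependency?)")
            return self.results[var]

    def set_done(self, var, pairs):
        with self.cond:
            self.results[var] = pairs         # isDone := true
            self.cond.notify_all()            # wake threads suspended on var


def resolve(table, pc, exp):
    """Rewrite one guarded assignment until only input variables remain."""
    pending, done = [(pc, exp)], []
    while pending:
        pc, exp = pending.pop(0)
        deps = sorted((variables(pc) | variables(exp)) - table.inputs)
        if not deps:
            done.append((pc, exp))
            continue
        var = deps[0]
        for pc2, exp2 in table.wait_done(var):
            # replace var with exp' and AND pc' with the original pc
            pending.append((("and", pc2, substitute(pc, var, exp2)),
                            substitute(exp, var, exp2)))
    return done


def run(blocks, inputs):
    table = SymbolTable(inputs)

    def worker(var, pairs):                   # one thread per always block / assign
        table.set_done(var, [r for pc, exp in pairs for r in resolve(table, pc, exp)])

    threads = [threading.Thread(target=worker, args=item) for item in blocks.items()]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return table.results


# Constructed sample (not from the patent): inputs a, b, rst and three blocks.
INPUTS = ["a", "b", "rst"]
EQ = ("=", "a", "b")
BLOCKS = {
    # assign out = match & ~rst;   started first, so it has to wait for match
    "out": [("true", ("bvand", "match", ("bvnot", "rst")))],
    # always @(*) if (match == 1'b1) led = a; else led = b;
    "led": [(("=", "match", "#b1"), "a"), (("not", ("=", "match", "#b1")), "b")],
    # always @(*) if (a == b) match = 1'b1; else match = 1'b0;
    "match": [(EQ, "#b1"), (("not", EQ), "#b0")],
}

if __name__ == "__main__":
    for name, pairs in sorted(run(BLOCKS, INPUTS).items()):
        for pc, exp in pairs:
            print(name, smt(pc), "->", smt(exp))
```

Two of the four pairs produced for `led` carry contradictory path conditions such as `(= #b0 #b1)`; these are the ones the satisfiability step discards.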
It should be noted that step S3 is as follows:
S3.1: take out the path conditions pc one by one and build the solving statement in SMT-LIBv2 format;
S3.2: perform satisfiability solving on the SMT-LIBv2 solving statement;
S3.3: if pc can be solved, obtain the solved input variable values and go to step S3.1; otherwise do nothing;
S3.4: collect the solved pc into a set and proceed to step S4.
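An added Python example (not the patent's implementation) of S2.3.1 and S3.1: a small precedence-climbing parser turns a Verilog infix path condition into SMT-LIBv2 prefix form with the module name_M_ prefix, and wraps it in a script an SMT solver can check. The supported operator subset, the signal widths, the literal encoding and the sample condition are assumptions constructed for illustration.

```python
import re

TOKEN = re.compile(r"\s*(\d+'[bhdBHD][0-9a-fA-F_]+|[A-Za-z_]\w*|==|!=|&&|\|\||[()!~&|^])")
# Verilog binary operator -> (precedence, SMT-LIBv2 operator); higher binds tighter.
BINOPS = {"||": (1, "or"), "&&": (2, "and"), "|": (3, "bvor"), "^": (4, "bvxor"),
          "&": (5, "bvand"), "==": (6, "="), "!=": (6, "distinct")}


def tokenize(src):
    src, pos, out = src.strip(), 0, []
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if not m:
            raise ValueError(f"unsupported syntax at {src[pos:]!r}")
        out.append(m.group(1))
        pos = m.end()
    return out


def literal(tok):
    """8'h4c -> ('#b01001100', 8): a bit string of exactly the declared width."""
    width, rest = tok.split("'")
    value = int(rest[1:].replace("_", ""), {"b": 2, "h": 16, "d": 10}[rest[0].lower()])
    return "#b" + format(value % (1 << int(width)), f"0{int(width)}b"), int(width)


class Converter:
    """Every parsed term is (smt_text, width); width None means sort Bool."""

    def __init__(self, module, widths):
        self.module, self.widths, self.used = module, widths, {}

    def convert(self, src):
        self.toks, self.i = tokenize(src) + ["<end>"], 0
        term = self.expr(1)
        if self.toks[self.i] != "<end>":
            raise ValueError(f"unexpected token {self.toks[self.i]!r}")
        return self.as_bool(*term)

    @staticmethod
    def as_bool(text, width):
        # Verilog treats a vector as true when non-zero; SMT-LIB needs a Bool.
        return text if width is None else f"(distinct {text} #b{'0' * width})"

    def take(self):
        self.i += 1
        return self.toks[self.i - 1]

    def expr(self, min_prec):
        left = self.unary()
        while self.toks[self.i] in BINOPS and BINOPS[self.toks[self.i]][0] >= min_prec:
            prec, op = BINOPS[self.take()]
            right = self.expr(prec + 1)
            if op in ("and", "or"):
                left = (f"({op} {self.as_bool(*left)} {self.as_bool(*right)})", None)
            elif left[1] is None or left[1] != right[1]:
                raise ValueError(f"operands of {op} must be vectors of equal width")
            else:
                width = None if op in ("=", "distinct") else left[1]
                left = (f"({op} {left[0]} {right[0]})", width)
        return left

    def unary(self):
        tok = self.take()
        if tok == "!":
            return f"(not {self.as_bool(*self.unary())})", None
        if tok == "~":
            text, width = self.unary()
            if width is None:
                raise ValueError("~ needs a vector operand")
            return f"(bvnot {text})", width
        if tok == "(":
            inner = self.expr(1)
            if self.take() != ")":
                raise ValueError("missing )")
            return inner
        if tok[0].isdigit():
            return literal(tok)
        if tok not in self.widths:
            raise ValueError(f"unknown signal {tok!r}")
        name = f"{self.module}_M_{tok}"       # the patent's variable naming form
        self.used[name] = self.widths[tok]
        return name, self.widths[tok]


def solve_script(module, widths, pc_src):
    """Return (pc in SMT-LIBv2, full solver script) for one Verilog path condition."""
    conv = Converter(module, widths)
    pc = conv.convert(pc_src)
    names = sorted(conv.used)
    script = ["(set-logic QF_BV)"]
    script += [f"(declare-const {n} (_ BitVec {conv.used[n]}))" for n in names]
    script += [f"(assert {pc})", "(check-sat)", f"(get-value ({' '.join(names)}))"]
    return pc, "\n".join(script)


# Constructed path condition modelled on the trigger described in Embodiment 1.
WIDTHS = {"sys_rst_l": 1, "xmit_dataH": 8, "rec_dataH_rec": 8}
PC_SRC = "sys_rst_l && (xmit_dataH == 8'h4c) && (rec_dataH_rec == 8'h4c)"

if __name__ == "__main__":
    print(solve_script("uart", WIDTHS, PC_SRC)[1])
```

A solver that reports `sat` for this script returns, through `get-value`, one input assignment that drives execution down the path, which is the test vector of step S3.3.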
The beneficial effects of the present invention are as follows: by analyzing the Verilog top-level file, all related submodules are then analyzed automatically; this increases the speed and effectiveness of RTL hardware Trojan test vector generation, improves the branch coverage of the code analysis, and improves the overall efficiency of the code analysis.
Brief description of the drawings
Fig. 1 is the overall design flowchart of the present invention;
Fig. 2 is a flow diagram of control flow graph generation in the present invention;
Fig. 3 is a flow diagram of concurrent symbolic execution in the present invention;
Fig. 4 is a flow diagram of test vector generation in the present invention;
Fig. 5 is a schematic control flow graph of lines 63-69 of uart.v in Embodiment 1 of the present invention;
Fig. 6 is a schematic control flow graph of lines 71-77 of uart.v in Embodiment 1 of the present invention;
Fig. 7 is a schematic control flow graph of lines 79-86 of uart.v in Embodiment 1 of the present invention;
Fig. 8 is a schematic control flow graph of lines 88-98 of uart.v in Embodiment 1 of the present invention;
Fig. 9 is a schematic control flow graph of lines 100-111 of uart.v in Embodiment 1 of the present invention.
Detailed description
The invention is further described below with reference to the accompanying drawings. It should be noted that the following embodiment is based on this technical solution and gives a detailed implementation and specific operating procedure, but the scope of protection of the invention is not limited to this embodiment.
As shown in Fig. 1, the method for generating test vectors for RTL hardware Trojans comprises the following steps:
Step 1. Generate the control flow graph (CFG) of the Verilog code, as shown in Fig. 2:
1.1) Using the open-source ANTLR4 and the verilog2001.g4 grammar written by Terence Parr, parse the syntax of the Verilog register-transfer level design code, extracting and analyzing each Verilog statement in turn. Design the statement nodes from which the control flow graph is generated: one statement corresponds to one node in the control flow graph, and the statement node types are defined for the synthesizable statements of Verilog. The statement node types are: ALWAYS, ALWAYS_END, IF, ELSE, IF_END, CASE, CASEX, CASEZ, CASE_ITEM (case statement branch), CASE_END, FOR, FOR_END, TASK, TASK_END, ASSIGN_BLOCK (blocking assignment), ASSIGN_NONBLOCK (non-blocking assignment), ASSIGN_CONTINUOUS (continuous assignment), INSTANTIATION (instantiation). In addition, an ENTER node is added at the start of the whole code and an EXIT node at the end; nodes of undetermined type are NONE nodes. The nodes corresponding to always, if, case (casex, casez), for and task are control nodes, ENTER and EXIT are control nodes, and blocking assignments, non-blocking assignments and continuous assignments are assignment nodes.
1.2) Establish the predecessor and successor relations between statement nodes according to the statement node types. The control flow relation between statement nodes is embodied in the connections between control nodes and in the connections between control nodes and assignment nodes. A connection between assignment nodes does not represent a control relation; it only represents the relative position in the code of the statements that the assignment nodes stand for. The added ENTER node is the start node of the whole code, and the EXIT node is the end node of the whole code. Always blocks, instantiation statements and continuous assignment statements are concurrent with one another. Within an always block, if, case and for statements are related by control intervals and control order. The predecessor and successor relations between statement nodes are determined from the control intervals and control relations.
1.3) According to the predecessor and successor relations between statement nodes, generate the control flow graph (CFG) of the Verilog code using breadth-first traversal.
Step 2. According to the CFG generated in step 1, use concurrent symbolic execution to obtain the symbolic execution expression of each output variable under a given path condition pc (path condition), i.e. express the output variable using only input variables and constants, as shown in Fig. 3:
2.1) Process each instantiation statement in a loop, obtain the file name filename corresponding to the instantiated module, and obtain the symbolic execution result of the submodule file.
2.2) According to the port variable mapping of the instantiation statement, replace the submodule port variable names with the port variable names of the module file to be analyzed, and at the same time replace the submodule port variable names contained in pc and exp with the port variable names of the module file to be analyzed.
2.3) Perform symbolic execution on the module file to be analyzed, converting the path condition pc into SMT-LIBv2 syntax.
Return the set of <pc,exp> pairs corresponding to the output variables.
The symbolic execution in 2.3) is one of the key points of the whole design. Specifically, the Verilog infix expressions of the control node path condition pc and the symbolic execution expression exp are converted into the prefix-notation syntax of SMT-LIBv2. Here, the path condition of a control node = the path condition of the control node it belongs to, together with its own condition; the path condition of an assignment node = the path condition of the control node it belongs to. For ALWAYS statement nodes and ASSIGN_CONTINUOUS statement nodes, child threads (symbolExecutionThread) are started to analyze each always block and each continuous assignment statement concurrently. When the analysis in all started child threads has finished, the non-input variables in pc are replaced with input variables.
The child thread symbolExecutionThread implements the concurrent execution of always statements and continuous assignments. Because variables are interdependent, a variable assigned in one always block or continuous assignment statement may depend on variables in other always blocks or continuous assignment statements; in that case the child thread must be suspended until the child thread of the variable it depends on has finished. Specifically: from the CFG, find the first node of the always block to be analyzed, or the continuous assignment statement node, and take it as subroot. Following the successor relations of the nodes, traverse depth-first the subtree rooted at subroot and visit each node in it. If the statement node type is non-blocking assignment, blocking assignment or continuous assignment, check the isDone flag of each non-input variable var_i in the symbolic execution expression. If isDone is false, the child thread is suspended and waits for the symbolic execution of var_i to finish, i.e. for the isDone flag of var_i to be set to true. If isDone is true, take out the <pc',exp'> set of var_i, replace var_i in the original expression with exp', and AND pc' with the pc of the original assignment statement. When the depth-first traversal of the subtree rooted at subroot finishes, set isDone to true for the variables assigned in the always block or for the continuously assigned variable, and wake the child threads that were suspended waiting on the variables assigned in this always block or on this continuously assigned variable.
Step 3. Perform satisfiability solving on the path conditions obtained in step 2, obtain the set of satisfiable path conditions pc and the corresponding input variable values, and generate the test vectors. This part uses Microsoft's Z3 solver to perform satisfiability solving on each path condition pc of the Verilog code. Specifically:
3.1) Take out the path conditions pc one by one and build the pc statement in SMT-LIBv2 format;
3.2) Perform satisfiability solving on the SMT-LIBv2 pc statement;
3.3) If pc can be solved, obtain the solved input variable values and go to 3.1); otherwise do nothing.
Step 4. As shown in Fig. 4, according to the test vectors obtained in step 3 and the <pc,exp> mapping, evaluate, for each output variable, the expression exp corresponding to each path condition pc found satisfiable; this yields the <test vector, output vector> mapping. Because satisfiability solving has been applied, the test vector space is greatly reduced, so the <test vector, output vector> mapping is significantly smaller than the original mapping space. From the mapping, the test vector values that lead to abnormal output vectors can be found.
Embodiment 1
RS232-T400 from Trust-Hub is chosen as the object of analysis. It contains three Verilog files: uart.v, u_xmit.v and u_rec.v. The three Verilog files are shown below. The Trojan trigger in the top-level file uart.v compares the transmitted and received data; when both are equal to 8'h4c, the Trojan is activated. The Trojan payload can replace 4 bits of the received data.
1. uart.v source code:
2. u_xmit.v source code:
3. u_rec.v source code:
This embodiment takes uart.v as the example; it contains 2 instantiation statements, so u_xmit.v and u_rec.v are analyzed in turn.
Step 1: Control flow graph generation
1) Traverse the syntax parse tree (parseTree) of uart.v depth-first to obtain the statement node information. For example, the first node of the whole file is the ENTER node and the last node is the EXIT node. The statement information obtained is:
(1) Node 0: ENTER node, index 0, control interval [3,116] (3 and 116 are statement line numbers; the values in square brackets have the same meaning in the following steps);
(2) Node 1: instantiation node for the instantiated file u_xmit.v, index 1, control interval [63,70]; its control node is ENTER, whose control interval is [3,116];
(3) Node 2: instantiation node for the instantiated file u_rec.v, index 2, control interval [72,81]; its control node is ENTER, whose control interval is [3,116];
(4) Node 3: always node, index 3, control interval [83,90]; its control node is ENTER, whose control interval is [3,116];
(5) Node 4: if node, index 4, control interval [84,89]; its control node is the always node (node 3), whose control interval is [83,90];
(6) Node 5: blocking assignment node, index 5, control interval [85,85]; its control node is the if node (node 4), whose control interval is [84,89];
(7) Node 6: else node, index 6, control interval [87,89]; its control node is the if node (node 4), whose control interval is [84,89];
(8) Node 7: blocking assignment node, index 7, control interval [88,88]; its control node is the else node (node 6), whose control interval is [87,89];
(9) Node 8: if-block end node, index 8, control interval [89,89]; its control node is the if node (node 6), whose control interval is [84,89];
(10) Node 9: always-block end node, index 9, control interval [90,90]; its control node is the always node (node 3), whose control interval is [83,90];
(11) And so on, up to the last node, node 32: EXIT node, index 32, control interval [116,116]; its control node is the ENTER node, whose control interval is [3,116].
2) Using the control-interval membership between statement nodes, establish the predecessor and successor relations between the nodes. For the statement nodes obtained in 1):
(1) Node 0 is the ENTER node;
(2) Node 1 is an instantiation node; because its control node is ENTER, the predecessors of node 1 include node 0 and the successors of node 0 include node 1;
(3) Node 2 is an instantiation node; because its control node is ENTER, the predecessors of node 2 include node 0 and the successors of node 0 include node 2;
(4) Node 3 is the always node; because its control node is ENTER, the predecessors of node 3 include node 0 and the successors of node 0 include node 3;
(5) Node 4 is the if node; because its control node is node 3, the predecessors of node 4 include node 3 and the successors of node 3 include node 4;
(6) Node 5 is a blocking assignment node; because its control node is node 4, the predecessors of node 5 include node 4 and the successors of node 4 include node 5;
(7) Node 6 is the else node; because its control node is node 4, the predecessors of node 6 include node 4 and the successors of node 4 include node 6;
(8) Node 7 is a blocking assignment node; because its control node is node 6, the predecessors of node 7 include node 6 and the successors of node 6 include node 7;
(9) Node 8 is the if-block end node; because its control node is node 4, the predecessors of node 8 include nodes 5 and 7, the successors of node 5 include node 8, and the successors of node 7 include node 8;
(10) Node 9 is the always-block end node; because its control node is node 3, the predecessors of node 9 include node 8 and the successors of node 8 include node 9;
(11) And so on, until the predecessor and successor relations of all statement nodes are obtained.
3) Traversing with the breadth-first algorithm finally yields the control flow graph of uart.v shown in Figs. 5-9. The numbers in Figs. 5-9 are the line numbers of the statement nodes in the source code; ENTER gives the line number at which the code starts and the EXIT node the line number at which it ends.
4) The control flow graphs of u_xmit.v and u_rec.v are obtained in the same way.
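An added Python example (not the patent's code) of Step 1 for nodes 0-9 of uart.v: it derives each node's control node from the control intervals listed in 1), wires the predecessor and successor relations, and walks the result breadth-first. The wiring rules (an END node belongs to its matching opener, statements in a block follow one another, both branches of an if join at IF_END) are assumptions chosen to reproduce the relations listed in 2); nodes 10-32 are not on the page and are omitted.

```python
from collections import deque, namedtuple

Node = namedtuple("Node", "idx kind lo hi")

# Nodes 0-9 of uart.v as listed in the embodiment: index, type, control interval.
NODES = [Node(*t) for t in [
    (0, "ENTER", 3, 116), (1, "INSTANTIATION", 63, 70),
    (2, "INSTANTIATION", 72, 81), (3, "ALWAYS", 83, 90), (4, "IF", 84, 89),
    (5, "ASSIGN_BLOCK", 85, 85), (6, "ELSE", 87, 89),
    (7, "ASSIGN_BLOCK", 88, 88), (8, "IF_END", 89, 89),
    (9, "ALWAYS_END", 90, 90)]]

# Node types that can own other statements. ELSE is included because the
# embodiment gives the else node as the control node of node 7.
CONTROL = {"ENTER", "ALWAYS", "IF", "ELSE", "CASE", "CASEX", "CASEZ",
           "CASE_ITEM", "FOR", "TASK"}


def control_node(n, nodes):
    """Innermost node whose control interval encloses n (None for ENTER).

    Assumption: an *_END node belongs to its matching opener (IF_END -> IF)."""
    opener = n.kind[:-4] if n.kind.endswith("_END") else None
    cands = [p for p in nodes
             if p is not n and p.lo <= n.lo and n.hi <= p.hi
             and (p.kind == opener if opener else p.kind in CONTROL)]
    return max(cands, key=lambda p: (p.lo, -p.hi), default=None)


def build_cfg(nodes):
    """Return (pred, succ) index maps derived from the control intervals."""
    children = {n.idx: [] for n in nodes}
    for n in nodes:
        owner = control_node(n, nodes)
        if owner is not None:
            children[owner.idx].append(n)
    pred = {n.idx: [] for n in nodes}
    succ = {n.idx: [] for n in nodes}

    def link(n, preds):
        """Connect preds -> n, wire n's region, return the region's exit nodes."""
        for p in preds:
            succ[p].append(n.idx)
            pred[n.idx].append(p)
        kids = children[n.idx]
        body = [c for c in kids if c.kind != "ELSE" and not c.kind.endswith("_END")]
        exits = [n.idx]
        if n.kind == "ENTER":
            # always blocks, instantiations and continuous assignments are concurrent
            exits = [e for c in body for e in link(c, [n.idx])]
        else:
            for c in body:                      # statements in a block run in order
                exits = link(c, exits)
        if n.kind == "IF":
            other = [c for c in kids if c.kind == "ELSE"]
            exits = exits + (link(other[0], [n.idx]) if other else [n.idx])
            exits = list(dict.fromkeys(exits))
        for c in kids:
            if c.kind.endswith("_END"):         # both branches join at the END node
                exits = link(c, exits)
        return exits

    link(nodes[0], [])
    return pred, succ


def bfs_order(succ, root=0):
    """Breadth-first visiting order over the successor relation."""
    seen, order, queue = {root}, [], deque([root])
    while queue:
        i = queue.popleft()
        order.append(i)
        for j in succ[i]:
            if j not in seen:
                seen.add(j)
                queue.append(j)
    return order


if __name__ == "__main__":
    pred, succ = build_cfg(NODES)
    for n in NODES:
        print(n.idx, n.kind, "pred", pred[n.idx], "succ", succ[n.idx])
    print("BFS:", bfs_order(succ))
```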
Step 2: Concurrent symbolic execution
1) For instantiated modules, concurrent symbolic execution is carried out recursively on each instantiated module file. The two instantiation statements in uart.v therefore trigger concurrent symbolic execution of the two files u_xmit.v and u_rec.v;
For the concurrent symbolic execution of u_xmit.v, the result is returned through the recursive call to the concurrent symbolic execution of uart.v (to effectively distinguish variables in different module files, variable names take the form module name_M_original variable name; for example, the variable sys_clk in the original u_xmit.v is renamed u_xmit_M_sys_clk).
2) From lines 63-69 of uart.v, the port mapping is analyzed as follows:
u_xmit_M_sys_clk<->uart_M_sys_clk
u_xmit_M_sys_rst_l<->uart_M_sys_rst_l
u_xmit_M_uart_xmitH<->uart_M_uart_XMIT_dataH
u_xmit_M_xmitH<->uart_M_xmitH
u_xmit_M_xmit_dataH<->uart_M_xmit_dataH
u_xmit_M_xmit_doneH<->uart_M_xmit_doneH
According to the port mapping obtained above, the variables in the execution result of u_xmit.v are replaced with the corresponding variables in uart.v.
From lines 71-77 of uart.v, the port mapping is analyzed as follows:
u_rec_M_sys_rst_l<->uart_M_sys_rst_l
u_rec_M_sys_clk<->uart_M_sys_clk
u_rec_M_uart_dataH<->uart_M_uart_REC_dataH
u_rec_M_rec_dataH<->uart_M_rec_dataH_rec
u_rec_M_rec_readyH<->uart_M_rec_readyH
According to the port mapping obtained above, the variables in the execution result of u_rec.v are replaced with the corresponding variables in uart.v.
The remaining always statement blocks and continuous assignment statements are then symbolically executed concurrently, and the <pc, exp> sets corresponding to the output variables are returned, as follows:
The results of concurrently symbolically executing the always statement blocks and continuous assignment statements in one Verilog file are as follows (multi-threaded concurrent execution has some randomness: the order in which the sub-threads run is not necessarily the same each time, but the execution constraints between related variables do not change. The numbers in the tables are the source-code line numbers of the executed statements):
Table 1: The process of the concurrent symbolic execution of u_xmit.v
Table 2: The process of the concurrent symbolic execution of u_rec.v
Table 3: The process of the concurrent symbolic execution of uart.v
A total of 594 <pc, exp> results are returned, in the following form:
pc = (and true (= (bvnot uart_M_sys_rst_l) (_ bv1 0))),
exp = uart_M_rec_dataH = #b00000000
where pc and exp are in SMT-LIBv2 syntax.
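The point about thread order made above, and the isDone suspend-and-wake scheme of step S2.3.2 in the claims, can be shown in a short sketch. This is an added example, not code from the patent: the Store class, the function names, the sample blocks and the plain-identifier expression syntax are all assumptions, and only exp (not pc) is scanned for non-input variables.

```python
import itertools
import re
import threading

IDENT = re.compile(r"[A-Za-z_]\w*")   # assumes plain decimal literals, no 8'b0 forms

class Store:
    """<pc, exp> sets per variable; one Event per variable plays the isDone flag."""
    def __init__(self, inputs):
        self.inputs = set(inputs)
        self.results = {}
        self.events = {}
        self.lock = threading.Lock()

    def is_done(self, var):
        with self.lock:
            return self.events.setdefault(var, threading.Event())

def execute_block(store, target, branches):
    """Symbolically execute one always block or continuous assignment.

    branches is a list of (pc, exp) strings for the assigned variable target.
    """
    out = []
    for pc, exp in branches:
        deps = sorted(set(IDENT.findall(exp)) - store.inputs)
        for var in deps:                       # isDone false: suspend until it is set
            if not store.is_done(var).wait(timeout=5):
                raise RuntimeError(f"{var} never finished (cyclic dependency?)")
        # one result per combination of the dependencies' own <pc', exp'> pairs
        for combo in itertools.product(*(store.results[v] for v in deps)):
            new_pc, new_exp = pc, exp
            for var, (dep_pc, dep_exp) in zip(deps, combo):
                new_exp = re.sub(rf"\b{re.escape(var)}\b",
                                 lambda m, e=dep_exp: f"({e})", new_exp)
                new_pc = f"({new_pc}) && ({dep_pc})"
            out.append((new_pc, new_exp))
    store.results[target] = out
    store.is_done(target).set()                # wake sub-threads waiting on target

def run(store, blocks):
    """Start one sub-thread per block and return the finished <pc, exp> sets."""
    threads = [threading.Thread(target=execute_block, args=(store, t, b))
               for t, b in blocks]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return store.results

# Constructed blocks, listed so the consumer thread starts before its producer.
BLOCKS = [
    ("y", [("en == 1", "t + 1")]),
    ("t", [("rst == 0", "0"), ("rst == 1", "d")]),
]

def demo():
    return run(Store(inputs={"en", "rst", "d"}), BLOCKS)

if __name__ == "__main__":
    for pc, exp in demo()["y"]:
        print(f"<{pc}, {exp}>")
```

Whichever thread the scheduler runs first, y ends up with the same two <pc, exp> pairs, because its thread blocks until t is marked done.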
Step 3: Satisfiability solving
1) Take out, one by one, the path condition pc from the <pc, exp> pairs obtained in Step 2;
2) Carry out satisfiability solving on the pc statement;
3) If the pc can be solved, obtain the solved input variable values and go back to 1); otherwise disregard it.
Finally the solvable pcs are obtained. uart_M_rec_dataH has 3 satisfiable solutions, uart_M_uart_XMIT_dataH has 6 satisfiable solutions, uart_M_xmit_doneH has 5 satisfiable solutions, and uart_M_rec_readyH has 5 satisfiable solutions.
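The loop of Step 3 can be run end to end on a few path conditions. The following is an added example, not code from the patent: exhaustive enumeration over small bit-vector inputs stands in for an SMT solver, only a handful of SMT-LIBv2 operators are supported, and the three path conditions and the signal widths are constructed for illustration.

```python
import itertools
import re

def parse(text):
    """Parse one SMT-LIBv2 term into nested lists of tokens."""
    tokens = re.findall(r"[()]|[^\s()]+", text)

    def read(i):
        if tokens[i] != "(":
            return tokens[i], i + 1
        node, i = [], i + 1
        while tokens[i] != ")":
            child, i = read(i)
            node.append(child)
        return node, i + 1

    term, end = read(0)
    if end != len(tokens):
        raise ValueError("trailing tokens after term")
    return term

def evaluate(term, env, widths):
    """Boolean terms give a bool, bit-vector terms give (value, width)."""
    if isinstance(term, str):
        if term in ("true", "false"):
            return term == "true"
        if term.startswith("#b"):
            return int(term[2:], 2), len(term) - 2
        return env[term], widths[term]
    head, args = term[0], term[1:]
    if head == "_":                          # (_ bvN W) literal
        return int(args[0][2:]), int(args[1])
    vals = [evaluate(a, env, widths) for a in args]
    if head == "and":
        return all(vals)
    if head == "or":
        return any(vals)
    if head == "not":
        return not vals[0]
    if head == "=":
        return vals[0] == vals[1]
    if head == "bvnot":
        value, width = vals[0]
        return ~value & ((1 << width) - 1), width
    raise ValueError(f"unsupported operator: {head}")

def solve(pc, widths):
    """Return the first satisfying input assignment, or None if pc is unsat."""
    term = parse(pc)
    names = sorted(widths)
    for values in itertools.product(*(range(1 << widths[n]) for n in names)):
        env = dict(zip(names, values))
        if evaluate(term, env, widths) is True:
            return env
    return None

def generate_test_vectors(pcs, widths):
    """Steps 1)-3): keep every solvable pc with its input values, skip the rest."""
    solved = ((pc, solve(pc, widths)) for pc in pcs)
    return [(pc, model) for pc, model in solved if model is not None]

# Constructed inputs: widths are assumed (1-bit reset, 8-bit data word).
WIDTHS = {"uart_M_sys_rst_l": 1, "uart_M_xmit_dataH": 8}
PCS = [
    "(and true (= (bvnot uart_M_sys_rst_l) (_ bv1 1)))",
    "(and (= uart_M_sys_rst_l (_ bv1 1)) (= uart_M_xmit_dataH (_ bv76 8)))",
    "(and (= uart_M_sys_rst_l (_ bv1 1)) (= (bvnot uart_M_sys_rst_l) (_ bv1 1)))",
]

if __name__ == "__main__":
    for pc, model in generate_test_vectors(PCS, WIDTHS):
        print(model, "<-", pc)
```

The third path condition is contradictory, so it is dropped; the first two each yield one input assignment that serves as a test vector.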
Step 4: Obtain the input variable vector corresponding to each output variable solution.
1) The output variable uart_M_rec_dataH is the variable affected once the Trojan is activated; 3 groups of input variable solution values are satisfiable for it:
(1) uart_M_sys_rst_l=0: the reset signal is active (low level), and uart_M_rec_dataH is reset to 0;
(2) uart_M_sys_rst_l=1, uart_M_xmit_dataH=76, uart_M_uart_REC_dataH=0: this corresponds to uart_M_xmit_dataH=uart_M_rec_dataH with uart_M_rec_dataH=76, where uart_M_rec_dataH is affected by Trojan activation and the output is abnormal;
(3) uart_M_sys_rst_l=1, uart_M_xmit_dataH=76, uart_M_uart_REC_dataH=1: this corresponds to every case other than the 1st and 2nd, where uart_M_rec_dataH is not affected by Trojan activation and is output normally, so the 8-bit data at the sender's serial input always equal the 8-bit data at the receiver's serial output.
2) uart_M_uart_XMIT_dataH: its satisfiable solutions are:
(1) uart_M_sys_rst_l=0: this corresponds to one path condition, the x_IDLE state of the sending finite state machine;
(2) uart_M_sys_rst_l=1: this corresponds to five path conditions of the sending finite state machine: the x_START state, x_WAIT state, x_SHIFT state, x_STOP state and default state.
3) uart_M_xmit_doneH: it has 5 satisfiable solutions:
(1) uart_M_sys_rst_l=0: this corresponds to the reset path condition; the value is 0.
(2) uart_M_sys_rst_l=1: this corresponds to three path conditions of the sending finite state machine (the x_IDLE state with uart_M_xmitH=0, the x_STOP state and the default state) and one path condition for the other remaining states. The value is 1.
4) uart_M_rec_readyH: it has 5 satisfiable solutions:
(1) uart_M_sys_rst_l=0: this corresponds to the reset path condition; the value is 0.
(2) uart_M_sys_rst_l=1: this corresponds to three path conditions of the receiving finite state machine (r_START, r_STOP and default) and one path condition for the other remaining states. The value is 1.
The analysis results show that the method of the invention can quickly and automatically construct a small number of effective test vectors with high path coverage, and that these can include test vectors that activate condition-triggered hardware Trojans.
Those skilled in the art can make various corresponding changes and variations based on the above technical scheme and concept, and all such changes and variations shall be construed as falling within the scope of protection of the claims of the present invention.

Claims (7)

1. A method for generating test vectors for RTL hardware Trojans, characterised in that it comprises the following steps:
S1 Generate the control flow graph (CFG) of the Verilog code;
S2 According to the CFG generated in step S1, apply concurrent symbolic execution to the module file to be analyzed, obtaining the symbolic execution expression of each output variable under a specified path condition pc, i.e. <pc, exp>;
S3 Carry out satisfiability solving on the path conditions pc obtained in step S2, obtaining the set of satisfiable path conditions and their corresponding input variable values, and generate test vectors;
S4 According to the test vectors obtained in step S3 and the <pc, exp> mapping, solve the value of the symbolic execution expression exp corresponding to each output variable under the satisfiable path condition pc, obtaining the <test vector, output vector> mapping.
2. The method for generating test vectors for RTL hardware Trojans according to claim 1, characterised in that: in step S1, the control flow graph is generated by defining statement node types, generating statement nodes, and establishing the predecessor and successor relations of the statement nodes.
3. The method for generating test vectors for RTL hardware Trojans according to claim 2, characterised in that step S1 specifically comprises the following steps:
S1.1 The statement node types designed are: ALWAYS, ALWAYS_END, IF, ELSE, IF_END, CASE, CASEX, CASEZ, CASE_ITEM, CASE_END, FOR, FOR_END, TASK, TASK_END, ASSIGN_BLOCK, ASSIGN_NONBLOCK, ASSIGN_CONTINUOUS, INSTANTIATION;
In addition, an ENTER node is added at the start of the whole code and an EXIT node at the end, and nodes of undetermined type are NONE nodes; the nodes corresponding to always, if, case (casex, casez), for and task are control nodes, ENTER and EXIT are control nodes, and blocking assignment, non-blocking assignment and continuous assignment are assignment nodes. Using the open-source ANTLR4 and the verilog2001.g4 grammar written by Terence Parr, the syntax of the Verilog register-transfer-level design code is parsed and each Verilog statement is extracted in turn for analysis. The statement nodes used to generate the control flow graph are designed: one statement corresponds to one node in the control flow graph, and statement node types are defined for the synthesizable Verilog statements. To distinguish variables in different module files, all analyzed variable names are changed to the form: module name_M_original variable name;
S1.2 Establish the predecessor and successor relations between statement nodes according to the statement node types: the control flow relation between statement nodes is reflected in connections between control nodes and in connections between control nodes and assignment nodes; a connection between assignment nodes does not express a control relation, but only the relative position in the code of the statements that the assignment nodes represent. The added ENTER node is the start node of the whole code, and the EXIT node is the end node of the whole code. Always statement blocks, instantiation statements and continuous assignment statements are concurrent with one another; within an always statement block, the if, case and for statements have syntax-related control scopes and control order relations. The predecessor and successor relations between statement nodes are determined from the control scopes and control relations;
S1.3 According to the predecessor and successor relations between the statement nodes, generate the control flow graph (CFG) of the Verilog code by breadth-first traversal.
4. The method for generating test vectors for RTL hardware Trojans according to claim 1, characterised in that step S2 is specifically as follows:
S2.1 Process each instantiation statement in a loop, obtain the submodule file name corresponding to the instantiated module, and obtain the symbolic execution result of the submodule file;
S2.2 According to the port variable mapping of the instantiation statement, replace the submodule port variable names with the port variable names of the module file to be analyzed, and likewise replace the submodule port variable names contained in pc and exp with the port variable names of the module file to be analyzed;
S2.3 Carry out symbolic execution on the module file to be analyzed, converting the path condition pc to SMT-LIBv2 syntax and exp to SMT-LIBv2 syntax; then return the <pc, exp> set corresponding to the output variables.
5. The method for generating test vectors for RTL hardware Trojans according to claim 3, characterised in that step S2.3 is specifically as follows:
S2.3.1 Convert the Verilog infix expressions of pc and exp into the prefix-expression SMT-LIBv2 syntax; where the path condition of a control node = the path condition of the control node it belongs to and its own condition; the path condition of an assignment node = the path condition of the control node it belongs to;
S2.3.2 For ALWAYS statement nodes and ASSIGN_CONTINUOUS statement nodes, start SymbolExecutionThread sub-threads to analyze each always statement block and continuous assignment statement concurrently;
S2.3.3 When the analysis of all started sub-threads has finished, replace the non-input variables in pc with input variables, obtaining <pc, exp>.
6. The method for generating test vectors for RTL hardware Trojans according to claim 4, characterised in that step 2.3.2 is specifically as follows:
S2.3.2.1 Find in the CFG the first node of the always statement block to be analyzed, or the continuous assignment statement node, as subroot;
S2.3.2.2 According to the successor relations of the nodes, traverse depth-first the subtree rooted at subroot and visit each node; if the statement node type is non-blocking assignment, blocking assignment or continuous assignment, check the isDone flag of each non-input variable var_i in the symbolic execution expression exp; if isDone is false, the sub-thread is suspended and waits for the symbolic execution of var_i to finish, i.e. for the isDone flag of var_i to be set to true; if isDone is true, take the <pc', exp'> set of var_i, replace var_i in the original expression with exp', and AND pc' with the pc of the original assignment statement;
S2.3.2.3 When the depth-first traversal of the subtree rooted at subroot ends, set to true the isDone of the variables assigned in the always statement block, or of the continuously assigned variable, and wake the sub-threads that were suspended waiting on these always-block variables or this continuously assigned variable.
7. The method for generating test vectors for RTL hardware Trojans according to claim 1, characterised in that step S3 is specifically as follows:
S3.1 Take out the path conditions pc one by one and build the solving statement in SMT-LIBv2 form;
S3.2 Carry out satisfiability solving on the solving statement in SMT-LIBv2 form;
S3.3 If the pc can be solved, obtain the solved input variable values and go to step S3.1; otherwise disregard it;
S3.4 Collect the solved pcs and proceed to step S4.
CN201710462372.XA 2017-06-19 2017-06-19 A kind of generation method of RTL hardware Trojan horse test vector Active CN107367686B (en)


Publications (2)

Publication Number Publication Date
CN107367686A true CN107367686A (en) 2017-11-21
CN107367686B CN107367686B (en) 2019-11-22

CN109325217A (en) A kind of document conversion method, system, device and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant