CN114238956A - Hardware Trojan horse search detection method based on automatic attribute extraction and formal verification - Google Patents
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention discloses a hardware Trojan search and detection method based on automatic attribute extraction and formal verification, comprising the following steps: inputting an integrated circuit design to be detected; synthesizing the design into an FPGA netlist; performing random functional simulation on the FPGA netlist and storing a signal behavior list; analyzing the signal behavior list together with the FPGA netlist to obtain a low-toggle-rate signal list and a low-coverage LUT list that converge to a stable set; extracting invariant attributes of the design from the low-toggle-rate signal list and the low-coverage LUT list; and formally verifying the extracted attributes to search for the trigger conditions of hardware Trojans hidden in the design under detection, thereby achieving Trojan detection. The method can search for hardware Trojan trigger conditions based both on activation under specific conditions and on satisfiability don't-cares (satisfiability-irrelevant items) inside the integrated circuit, and can detect and locate Trojans at an early stage of integrated circuit design.
Description
Technical Field
The invention belongs to the technical field of hardware security, and in particular relates to a method for searching for and detecting hardware Trojans.
Background
Modern integrated circuit design and fabrication rely heavily on a globalized, multi-party industry chain. The chain includes many links, such as chip design companies, third-party intellectual property (IP) suppliers, design automation tool vendors and foundries, and typically involves overseas collaboration. An industry chain built on design reuse, separation of design from manufacturing, and tape-out services greatly improves design efficiency, but an untrusted link in the chain also threatens the security of the integrated circuit. Hardware Trojans are malicious modifications made to an integrated circuit during design or production. Such modifications may be introduced at chip design companies, foundries, untrusted third-party IP providers, untrusted design automation tools, and elsewhere. A hardware Trojan is dormant for most of the operating time of the integrated circuit; an attacker can activate it with a specific input vector, through a side-channel attack, through a fault-injection attack, and so on. Once activated, a hardware Trojan may cause the integrated circuit to malfunction, degrade its performance, leak sensitive information, or even allow the chip to be remotely controlled. The Trojan trigger signal is the key logic controlling Trojan activation and is an important basis for identifying the Trojan.
In response to the security threat posed by hardware Trojans, researchers have proposed detection methods based on reverse engineering, side-channel analysis, functional verification and formal verification. When a trusted original hardware design exists, reverse engineering and side-channel analysis can detect hardware Trojans effectively. Reverse engineering is a destructive detection method that, as integrated circuit designs grow in scale, requires expensive equipment and a large amount of time to detect highly concealed hardware Trojans. Side-channel analysis detects hardware Trojans by measuring chip characteristics such as path delay, power consumption and electromagnetic radiation and analyzing the measurements with statistical or information-theoretic techniques, but as process geometries shrink, the noise introduced by process variation limits detection precision. Exploiting the fact that a hardware Trojan is activated only with low probability, researchers have also proposed detection based on toggle-probability analysis, which performs functional simulation of the integrated circuit design and identifies low-toggle-rate signals. Formal verification detects hardware Trojans by finding behavior that violates security properties of the integrated circuit design, such as confidentiality and integrity.
Existing methods can detect hardware Trojans whose activation condition is a counter or a specific input vector, but detecting hardware Trojans that use don't-cares outside or inside the integrated circuit design space remains difficult, and existing detection methods cannot obtain the trigger condition of the hardware Trojan.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a hardware Trojan search and detection method based on automatic attribute extraction and formal verification, comprising the following steps: inputting an integrated circuit design to be detected; synthesizing the design into an FPGA netlist; performing random functional simulation on the FPGA netlist and storing a signal behavior list; analyzing the signal behavior list together with the FPGA netlist to obtain a low-toggle-rate signal list and a low-coverage LUT list that converge to a stable set; extracting invariant attributes of the design from the low-toggle-rate signal list and the low-coverage LUT list; and formally verifying the extracted attributes to search for the trigger conditions of hardware Trojans hidden in the design under detection, thereby achieving Trojan detection. The method can search for hardware Trojan trigger conditions based both on activation under specific conditions and on satisfiability don't-cares inside the integrated circuit, and can detect and locate Trojans at an early stage of integrated circuit design.
The technical solution adopted by the invention to solve this problem comprises the following steps:
step 1: inputting an integrated circuit design to be detected;
step 2: synthesizing the integrated circuit design to be detected into an FPGA netlist;
step 3: performing functional simulation of the FPGA netlist with random inputs to obtain a signal behavior list;
step 4: analyzing the toggle behavior of each signal according to the signal behavior list, identifying signals with low toggle activity, and obtaining a low-toggle-rate signal list;
step 5: analyzing the signal behavior list with an address-line coverage analysis method to obtain the address-line coverage rate;
step 6: combining the FPGA netlist obtained in step 2 with the address-line coverage rate obtained in step 5 to analyze the address coverage rate of each LUT in the FPGA netlist, identifying LUTs whose address-line input combinations are not fully covered, and obtaining a low-coverage LUT list that converges to a stable set; "not fully covered" means that at least one address-line input combination exists that did not appear during testing;
step 7: extracting invariant attributes of the integrated circuit design from the low-toggle-rate signal list and the low-coverage LUT list;
the attribute extracted from a low-toggle-rate signal is that the signal has a fixed value in the integrated circuit design, i.e., its value is never observed to change;
the attribute extracted from a low-coverage LUT is that the uncovered combinations of the LUT's address-line input values cannot be satisfied in the integrated circuit design, i.e., cannot appear; "uncovered" means that the address-line input combination did not appear during testing;
step 8: performing formal verification of the invariant attributes extracted in step 7, and searching for the trigger conditions of hardware Trojans hidden in the integrated circuit design to be detected, thereby achieving Trojan detection.
Further, in step 1 the integrated circuit design to be detected is input as register-transfer-level code or as a gate-level netlist.
Further, in step 2 an FPGA synthesis tool is used to synthesize the integrated circuit design to be detected and generate the FPGA netlist.
Further, in step 3 an integrated circuit design simulation tool performs functional simulation of the FPGA netlist with random input test vectors to obtain the signal behavior list.
Further, in step 8 the invariant attributes are described in the SVA assertion language and verified with a formal verification method to detect whether any attribute is violated; the counterexample obtained when an attribute fails verification is a hardware Trojan trigger condition, so that Trojan detection is achieved.
Further, the FPGA synthesis tool is Yosys or Vivado.
Further, the integrated circuit design simulation tool is QuestaSim.
Further, the formal verification method uses the tool Questa Formal or Yosys.
The invention has the following beneficial effects:
1. The method of the invention uses standard integrated circuit synthesis, simulation and formal verification tools, so designers need not learn new languages or tools, and it integrates well into existing integrated circuit design flows.
2. The invention takes the LUT as the basic unit of analysis and provides an automatic method for extracting hardware-Trojan-related attributes based on signal toggle rate and LUT coverage analysis; the hardware Trojan trigger condition can then be found precisely by formal verification, which is a unique advantage for detecting hardware Trojans based on don't-cares inside the integrated circuit.
3. The method of the invention automatically extracts and verifies attributes of the register-transfer-level or netlist-level circuit design, so the Trojan trigger condition can be found early in the design stage, achieving detection and localization of the hardware Trojan; the design can then be modified according to the trigger condition, eliminating the security hazard posed by the hardware Trojan.
4. Existing hardware Trojan detection methods based on reverse engineering and side-channel analysis usually depend on a golden chip, which in practice does not exist.
Drawings
FIG. 1 is a flow chart of the method of the present invention.
Fig. 2 is a schematic diagram of a hardware trojan design according to an embodiment of the present invention.
FIG. 3 is a schematic diagram of the LUT obtained after synthesizing the Trust-Hub AES-T1000 test vector Trojan design according to an embodiment of the invention, where (a) is the AES-T1000 Trojan design and (b) is the low-toggle LUT in the FPGA netlist after synthesis of the AES-T1000 trigger logic.
Fig. 4 is a schematic diagram of the LUT obtained after synthesizing a Trojan design based on satisfiability don't-cares according to an embodiment of the invention, where (a) is an example of a satisfiability don't-care, in which the signals (n2, n6) form one satisfiability don't-care, (b) is a Trojan design based on that satisfiability don't-care, and (c) is the low-coverage LUT in the FPGA netlist after synthesis of the don't-care-based Trojan design.
Fig. 5 is a schematic diagram of an AES cipher core with an inserted satisfiability-don't-care Trojan according to an embodiment of the invention.
Detailed Description
The invention is further illustrated with reference to the following figures and examples.
The technical purpose of the invention is to provide a hardware Trojan search and detection method based on automatic attribute extraction and formal verification, which automatically searches for hardware Trojan trigger conditions based on conditional triggering and on don't-cares inside the integrated circuit, and detects the security threat posed by hardware Trojans at an early stage of integrated circuit design.
As shown in Fig. 1, the hardware Trojan search and detection method based on automatic attribute extraction and formal verification includes the following steps:
1. inputting the integrated circuit design to be detected, described as register-transfer-level code or as a gate-level netlist;
2. synthesizing the design code of the integrated circuit to be detected into an FPGA netlist, using an FPGA synthesis tool such as Yosys or Vivado for logic synthesis. Depending on the FPGA device, the basic netlist cells may include 2-input to 6-input LUTs, multiplexers, registers, carry-chain adders and other FPGA primitives;
3. using an integrated circuit design simulation tool such as QuestaSim to perform functional simulation of the FPGA netlist with random input test vectors, and storing the signal behavior list;
4. analyzing the signal behavior list together with the FPGA netlist to obtain a low-toggle-rate signal list and a low-coverage LUT list that converge to a fixed set. A low-toggle-rate signal is a signal whose logic state does not change during the simulation time; a low-coverage LUT is a LUT whose input address lines do not take on all possible value combinations during the simulation time;
5. extracting the invariant attributes of the integrated circuit design from the low-toggle-rate signal list and the low-coverage LUT list. The attribute extracted for a low-toggle-rate signal is that the signal has a fixed value in the design; the attribute extracted for a low-coverage LUT is that the uncovered input-signal combinations cannot be satisfied, i.e., cannot appear, in the design;
6. describing the extracted attributes in the SVA assertion language and verifying them with a formal verification tool such as Questa Formal or Yosys to detect whether they are violated; the counterexample obtained when an attribute fails verification is a hardware Trojan trigger condition, so that Trojan detection is achieved.
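As an added worked example (not code from the patent, Yosys or QuestaSim), the following Python models steps 3 to 7 above on a constructed toy netlist: an LFSR supplies the random vectors, the recorded trace stands in for the signal behavior list, signals that never toggle and LUTs whose address-line coverage mask is incomplete are listed at increasing simulation lengths to show convergence, and the extracted attributes are printed as SVA text. The names lut_sdc, lut_ok, dc1, dc2 and Tj_Trig are constructed for this example.

```python
"""Toggle-rate and LUT address-coverage analysis over a simulated signal trace.

Worked example added to this page, not code from the patent, Yosys or QuestaSim.
It models steps 3 to 7 of the described flow on a constructed toy netlist: a
16-bit LFSR stands in for the random test-vector generator, the "signal behavior
list" is a per-cycle value table, and the extracted attributes are emitted as
SVA assertion text. All signal and LUT names are constructed for this example.
"""

# Constructed netlist: LUT name -> address lines, most significant bit first.
LUTS = {
    "lut_sdc": ["dc1", "dc2", "c", "d"],  # dc1/dc2 are a satisfiability don't-care pair
    "lut_ok": ["a", "b", "c", "d"],       # ordinary LUT, all 16 addresses reachable
}


def lfsr16(seed, cycles):
    """16-bit Fibonacci LFSR (taps 16,14,13,11, maximal length) as the random
    test-vector source. From a non-zero seed it never reaches state 0, which is
    what makes the 'x == 0' trigger in toy_design a low-toggle signal."""
    state = seed & 0xFFFF
    if state == 0:
        raise ValueError("LFSR seed must be non-zero")
    for _ in range(cycles):
        yield state
        bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
        state = (state >> 1) | (bit << 15)


def toy_design(x):
    """Combinational view of the constructed design for one 16-bit input x."""
    a, b, c, d = x & 1, (x >> 1) & 1, (x >> 2) & 1, (x >> 3) & 1
    n2 = a & b          # reconvergent fan-out of a and b: n2 and n6 can
    n6 = a & (b ^ 1)    # never be 1 together (a satisfiability don't-care)
    return {"a": a, "b": b, "c": c, "d": d, "dc1": n2, "dc2": n6,
            "Tj_Trig": int(x == 0)}   # fires only on the one unreachable vector


def simulate(cycles, seed=0xACE1):
    """Step 3: random functional simulation. Returns the signal behavior list
    as {signal: [value at cycle 0, value at cycle 1, ...]}."""
    trace = {}
    for x in lfsr16(seed, cycles):
        for name, val in toy_design(x).items():
            trace.setdefault(name, []).append(val)
    return trace


def low_toggle_signals(trace, upto):
    """Step 4: signals whose logic state never changed in the first upto cycles."""
    return {s for s, vals in trace.items() if len(set(vals[:upto])) == 1}


def lut_coverage(trace, luts, upto):
    """Steps 5-6: per-LUT bitmask of address-line combinations applied so far
    (bit i set <=> address i occurred at least once)."""
    masks = {}
    for name, lines in luts.items():
        mask = 0
        for t in range(upto):
            addr = 0
            for line in lines:
                addr = (addr << 1) | trace[line][t]
            mask |= 1 << addr
        masks[name] = mask
    return masks


def low_coverage_luts(trace, luts, upto):
    """LUTs with at least one address-line combination never seen in simulation."""
    return {n: m for n, m in lut_coverage(trace, luts, upto).items()
            if m != (1 << (1 << len(luts[n]))) - 1}


def extract_properties(trace, luts, low_toggle, low_cov):
    """Step 7: invariants as SVA text. A low-toggle signal is asserted to keep
    its observed value; for a low-coverage LUT every unseen address-line
    combination is asserted to be unreachable."""
    props = [f"assert property ({s} == {trace[s][0]});" for s in sorted(low_toggle)]
    for name, mask in sorted(low_cov.items()):
        lines, k = luts[name], len(luts[name])
        for addr in range(1 << k):
            if not (mask >> addr) & 1:
                props.append(f"assert property ({{{', '.join(lines)}}} != {k}'b{addr:0{k}b});")
    return props


if __name__ == "__main__":
    PERIOD = 0xFFFF  # one full LFSR period: every non-zero vector applied once
    tr = simulate(PERIOD)
    # Both lists can only shrink as more vectors are applied; the stable set is
    # where they stop shrinking (here: Tj_Trig and lut_sdc with mask 0x0FFF).
    for n in (16, 256, 4096, PERIOD):
        lt, lc = low_toggle_signals(tr, n), low_coverage_luts(tr, LUTS, n)
        masks = {name: hex(m) for name, m in lc.items()}
        print(f"{n:6d} cycles: low-toggle={sorted(lt)} low-coverage={masks}")
    for prop in extract_properties(tr, LUTS, lt, lc):
        print(prop)
```

The emitted assertions are what step 8 hands to the formal tool; the mask 16'h0FFF reproduced for lut_sdc is the same signature the embodiment reports for the don't-care LUTs of the AES core.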
The specific embodiment is as follows:
The integrated circuit design shown in Fig. 2 includes a hardware Trojan embedded by an untrusted third party. A hardware Trojan consists of trigger logic and payload logic; the trigger logic controls whether the Trojan circuit is idle or triggered. Before it is triggered, the Trojan has no effect on the function of the original circuit. When the trigger condition is met and the Trojan is activated, the payload logic carries out the malicious effect on the circuit function, such as leaking sensitive information or causing system failure. Hardware Trojan designers try to hide the Trojan circuit to evade integrated circuit verification and testing; to this end, they make the Trojan's effect appear only in a very small number of cases, preferably only after a long period of operation. In embodiments of the invention, the integrated circuit design to be tested is input as register-transfer-level code or as a gate-level netlist.
Using a counter or a specific input vector as the Trojan activation condition is a common hardware Trojan design. Because such a Trojan is activated with low probability, the Trojan can be detected and its trigger condition recovered by identifying low-toggle-rate signals, i.e., signals whose probability distribution is severely unbalanced over the observable time, for example a signal whose probability of being logic 1 is close to 0 and whose probability of being logic 0 is close to 1. Fig. 3(a) shows the AES-T1000 test vector from the Trust-Hub hardware Trojan benchmark set, an AES cipher core with an embedded hardware Trojan triggered by a specific input vector: the Trojan trigger signal Tj_Trig goes high if and only if the input plaintext is 128'h00112233_44556677_8899aabb_ccddeeff, at which point the Trojan is activated and the key is leaked through the cipher core output signal out. The trigger signal Tj_Trig is a low-toggle-rate signal: it is logic 1 with probability only 1/2^128 and otherwise always logic 0. When the AES-T1000 test vector is synthesized into an FPGA netlist with the synthesis tool Yosys, one of the LUTs generating Tj_Trig has the form shown in Fig. 3(b): for this 6-input LUT, the output is logic 1 if and only if the 6 input signals are 6'b000000, and logic 0 otherwise.
To evade hardware Trojan detection based on toggle-probability analysis, a hardware Trojan design method based on satisfiability don't-cares in the integrated circuit design space has been proposed, which uses satisfiability don't-cares introduced by reconvergent fan-out as the Trojan trigger signals. As shown in Fig. 4(a), the signals n2 and n6 form a satisfiability don't-care: because of the correlation between them, n2 and n6 cannot both be logic 1 at the same time. A hardware Trojan built on the don't-care signals n2 and n6 is shown in Fig. 4(b). When this don't-care Trojan design is logically synthesized with Yosys into an FPGA netlist for a Xilinx device, as shown in Fig. 4(c), the don't-care signals dc1 and dc2 are connected to the same LUT; since dc1 and dc2 cannot both be logic 1, the synthesized LUT necessarily has address-line value combinations that can never be covered, i.e., a LUT to which two satisfiability don't-care signals connect is a low-coverage LUT.
An AES cipher core with an inserted satisfiability-don't-care hardware Trojan is shown in Fig. 5. Two don't-care signals from the S-box serve as the Trojan trigger signals. Under normal operating conditions the don't-care signals dc1 and dc2 cannot both be logic 1, the Trojan trigger condition cannot be met, and the AES cipher core encrypts normally. An attacker may activate the hardware Trojan by fault injection, such as overclocking. When both don't-care signals are logic 1 at the same time, the Trojan is triggered, the AES key is selected onto the encryption output signal, and an attacker can extract the key by analyzing that output.
The hardware Trojan search and detection method of the invention is used to analyze the AES-T1000 test vector and the AES cipher core with the inserted satisfiability-don't-care Trojan. First, the synthesis tool Yosys performs logic synthesis of the Trojan-containing integrated circuit design and the generated FPGA netlist is exported. Then the simulation tool QuestaSim performs random functional simulation of the netlist and the signal behavior list generated during simulation is saved; a linear feedback shift register is used to generate the random input test vectors. Next, the toggle rate of each signal and the coverage rate of each LUT are analyzed from the FPGA netlist and the signal behavior list; as simulation time increases, the low-toggle-rate signal list and the low-coverage LUT list shrink and converge to a stable set. The invariant attributes related to hardware Trojans in the design are then extracted from the two lists. Finally, the extracted attributes are described in an assertion language and verified with a formal tool to detect whether they are violated; the counterexample obtained when an attribute fails verification is a hardware Trojan trigger condition and indicates that a hardware Trojan security hazard exists in the design.
In this embodiment, the low-toggle signal of the AES-T1000 test vector that converges to the stable set is Tj_Trig. Since Tj_Trig remains logic 0 for a sufficiently long simulation time, the extracted attribute is described in the assertion language as:
assert property (Tj_Trig == 0);
The above attribute can then be formally verified on the AES-T1000 test vector with the SAT solver of Yosys. Because the Yosys SAT solver does not automatically search across register boundaries, the signal assignment relationships between successive SAT proofs must be traced from the counterexamples the solver returns. The proof process is shown in Table 1. In the first step, sat -prove Tj_Trig 0 fails, and the counterexample given by the SAT solver shows that the low-toggle-rate signal Tj_Trig takes the value logic 1 when trigger.Tj_Trig is 1. Analysis of the AES-T1000 design shows that trigger.Tj_Trig is generated from the signal _0779_ through a non-blocking assignment, so the second step verifies whether _0779_ is fixed at logic 0. Further analysis shows that _0779_ is logic 1 if and only if the signal _0781_ is logic 1, so the third step verifies whether the invariant attribute that _0781_ is fixed at logic 0 holds. This verification fails, and the counterexample shows that the attribute is violated when state is 128'h00112233_44556677_8899aabb_ccddeeff, i.e., the signal Tj_Trig is logic 1; the counterexample obtained from the failed verification is the hardware Trojan trigger condition. Thus, through formal verification of the attributes, the trigger condition of the hardware Trojan in the AES-T1000 test vector is found precisely, and detection of a hardware Trojan triggered by a specific condition is achieved.
TABLE 1 AES-T1000 test vector attribute proof process
Step | Script | Result | Counterexample obtained
1 | sat -prove Tj_Trig 0 | Failure | trigger.Tj_Trig=1
2 | sat -prove _0779_ 0 | Failure | _0779_=1
3 | sat -prove _0781_ 0 | Failure | state=128'h00112233_44556677_8899aabb_ccddeeff
In this embodiment, the AES cipher core with the inserted satisfiability-don't-care Trojan converges to a stable set of 128 low-coverage 4-input LUTs. The address-line coverage of these 128 LUTs is 16'h0FFF, indicating that the two most significant address lines of each LUT are never satisfied at the same time, i.e., are never both 1. The two most significant address lines of these LUTs are dc1 and dc2, so the extracted attribute can be described in the assertion language as:
assert property ((dc1 & dc2) == 0);
The attribute can then be formally verified on the AES cipher core containing the don't-care Trojan with the SAT prover of Yosys. The proof differs from the AES-T1000 test vector in that triggering the satisfiability-don't-care Trojan requires two signals, so the attribute must be verified separately for each signal, as shown in Table 2. Once the signal assignment relationships have been traced and verified across the boundaries of the two register stages, verification of the satisfiability-don't-care Trojan attribute is complete. The result shows that the attribute holds: dc1 and dc2 cannot both be logic 1 at the same time. The trigger condition of the don't-care hardware Trojan, namely that dc1 and dc2 are both logic 1 at the same time, is thus extracted automatically as an attribute and found by formal verification, so that detection of the satisfiability-don't-care hardware Trojan is achieved.
Table 2 Attribute proof process for the AES cipher core with inserted satisfiability-don't-care Trojan
The verification results for the AES-T1000 test vector and for the AES cipher core with the inserted satisfiability-don't-care Trojan show that the hardware Trojan search and detection method based on automatic attribute extraction and formal verification provided by the invention synthesizes the integrated circuit design into an FPGA netlist, obtains from functional simulation a low-toggle-rate signal list and a low-coverage LUT list that converge to a stable set, extracts the invariant attributes of the design from them, and successfully finds by formal verification the trigger conditions of hardware Trojans based on specific-condition triggering and on satisfiability don't-cares, thereby achieving Trojan detection.
Claims (8)
1. A hardware Trojan search and detection method based on automatic attribute extraction and formal verification, characterized by comprising the following steps:
step 1: inputting an integrated circuit design to be detected;
step 2: synthesizing the integrated circuit design to be detected into an FPGA netlist;
step 3: performing functional simulation of the FPGA netlist with random inputs to obtain a signal behavior list;
step 4: analyzing the toggle behavior of each signal according to the signal behavior list, identifying signals with low toggle activity, and obtaining a low-toggle-rate signal list;
step 5: analyzing the signal behavior list with an address-line coverage analysis method to obtain the address-line coverage rate;
step 6: combining the FPGA netlist obtained in step 2 with the address-line coverage rate obtained in step 5 to analyze the address coverage rate of each LUT in the FPGA netlist, identifying LUTs whose address-line input combinations are not fully covered, and obtaining a low-coverage LUT list that converges to a stable set; "not fully covered" means that at least one address-line input combination exists that did not appear during testing;
step 7: extracting invariant attributes of the integrated circuit design from the low-toggle-rate signal list and the low-coverage LUT list;
the attribute extracted from a low-toggle-rate signal is that the signal has a fixed value in the integrated circuit design, i.e., its value is never observed to change;
the attribute extracted from a low-coverage LUT is that the uncovered combinations of the LUT's address-line input values cannot be satisfied in the integrated circuit design, i.e., cannot appear; "uncovered" means that the address-line input combination did not appear during testing;
step 8: performing formal verification of the invariant attributes extracted in step 7, and searching for the trigger conditions of hardware Trojans hidden in the integrated circuit design to be detected, thereby achieving Trojan detection.
2. The hardware Trojan horse search detection method based on automatic attribute extraction and formal verification as claimed in claim 1, wherein the integrated circuit design to be detected in step 1 is input in the form of register transfer level code or gate level netlist.
3. The method for hardware Trojan horse search detection based on automatic attribute extraction and formal verification as claimed in claim 1, wherein an FPGA synthesis tool is adopted in step 2 to synthesize the design of the integrated circuit to be detected to generate an FPGA netlist.
4. The method for hardware Trojan horse search detection based on automatic attribute extraction and formal verification as claimed in claim 1, wherein in step 3, an integrated circuit design simulation tool is used, and random input test vectors are adopted to perform functional simulation on the FPGA netlist to obtain a signal behavior list.
5. The hardware trojan search detection method based on attribute automatic extraction and formal verification as claimed in claim 1, wherein in step 8, a SVA assertion language is used to describe the steady attributes, and a formal verification method is used to verify the attributes so as to detect whether there is a condition of attribute violation, and a counter-example obtained when the attribute verification fails is a hardware trojan trigger condition, thereby implementing trojan detection.
6. The hardware trojan search detection method based on automatic attribute extraction and formal verification as claimed in claim 1, wherein the FPGA synthesis tool is Yosys or Vivado.
7. The method for hardware Trojan horse search detection based on automatic attribute extraction and formal verification as claimed in claim 1, wherein the integrated circuit design simulation tool is QuestaSim.
8. The hardware Trojan horse search detection method based on automatic attribute extraction and Formal verification of claim 1 is characterized in that a tool adopted by the Formal verification method is Questa Formal or Yosys.
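As an added worked example of steps 3 to 7 of claim 1 and the SVA description of claim 5 (written for this page, not the inventors' code), the following Python script runs a random-input functional simulation of a constructed toy LUT netlist, computes per-signal toggle rates and per-LUT address-line coverage, widens the simulation window until the low-coverage LUT list stabilises, and turns the extracted constant attributes into SVA assertions for a formal tool. The netlist (LUTs `y` and `trig`), the signals `x0`, `x1`, `run` and `key_ok`, the 32-cycle run-length condition behind `key_ok`, and the 400-cycle simulation length are all constructed assumptions; a real flow takes the netlist and the trace from the synthesis and simulation tools named in the claims.

```python
import random
from itertools import product

# Constructed toy FPGA netlist: LUT output name -> (address-line signals, function).
# `trig` stands in for a rarely-fired trigger: it is 1 only when x0, x1 and
# key_ok are all 1, and key_ok itself needs RUN_LIMIT consecutive x0 == 1 cycles.
NETLIST = {
    "y":    (("x0", "x1"), lambda a: a[0] ^ a[1]),
    "trig": (("x0", "x1", "key_ok"), lambda a: a[0] & a[1] & a[2]),
}
RUN_LIMIT = 32  # constructed rare condition, not a value from the patent

def simulate(cycles, seed=1):
    """Step 3: random-input functional simulation of the toy netlist. Returns
    the signal behavior list as one {signal: value} dict per cycle."""
    rng = random.Random(seed)
    trace, run = [], 0
    for _ in range(cycles):
        x0, x1 = rng.getrandbits(1), rng.getrandbits(1)
        run = min(run + 1, RUN_LIMIT) if x0 else 0        # run-length register
        vals = {"x0": x0, "x1": x1, "run": run, "key_ok": int(run >= RUN_LIMIT)}
        for name, (addr, fn) in NETLIST.items():
            vals[name] = fn(tuple(vals[s] for s in addr))  # evaluate each LUT
        trace.append(vals)
    return trace

def toggle_rates(trace):
    """Step 4: fraction of cycle boundaries at which each signal changes value."""
    return {sig: sum(a[sig] != b[sig] for a, b in zip(trace, trace[1:])) / (len(trace) - 1)
            for sig in trace[0]}

def constant_attributes(trace, max_rate=0.0):
    """Step 7 (low-toggle-rate part): signals whose toggle rate is at or below
    max_rate are reported as constants with the value seen in simulation."""
    return {sig: trace[0][sig] for sig, r in toggle_rates(trace).items() if r <= max_rate}

def uncovered_addresses(trace):
    """Steps 5-6 and step 7 (low-coverage part): per LUT, the address-line input
    combinations never exercised. A non-empty list means the LUT is not
    completely covered, and each listed combination is claimed unreachable."""
    out = {}
    for name, (addr, _) in NETLIST.items():
        seen = {tuple(v[s] for s in addr) for v in trace}
        out[name] = sorted(set(product((0, 1), repeat=len(addr))) - seen)
    return out

def converged_low_coverage(trace, step=100, stable_for=2):
    """Step 6, 'converges to a stable set': widen the simulation window until the
    low-coverage LUT list is unchanged for `stable_for` consecutive widenings."""
    previous, unchanged = None, 0
    for end in range(step, len(trace) + 1, step):
        current = {n: u for n, u in uncovered_addresses(trace[:end]).items() if u}
        unchanged = unchanged + 1 if current == previous else 0
        previous = current
        if unchanged >= stable_for:
            break
    return previous

def to_sva(constants, uncovered, clock="clk"):
    """Claim 5: express the extracted attributes as SVA assertions for the formal
    tool of step 8. A counterexample to any of them is a candidate trigger."""
    props = [f"assert property (@(posedge {clock}) {sig} == {val});"
             for sig, val in sorted(constants.items())]
    for lut, combos in sorted(uncovered.items()):
        addr = NETLIST[lut][0]
        for combo in combos:
            terms = " && ".join(f"{s} == {v}" for s, v in zip(addr, combo))
            props.append(f"assert property (@(posedge {clock}) !({terms}));")
    return props

if __name__ == "__main__":
    tr = simulate(400)
    for p in to_sva(constant_attributes(tr), converged_low_coverage(tr)):
        print(p)
```

In this toy, `key_ok` and `trig` never toggle in 400 random cycles, so they are extracted as constants, and the four address combinations of `trig` with `key_ok == 1` are reported as uncovered. The emitted assertions are exactly the claims a formal engine (step 8) then tries to refute: if the design really can never reach those values the assertions are proved and the signals are harmless constants; if it can, the counterexample is the stimulus random simulation failed to find.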
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111511312.5A CN114238956B (en) | 2021-12-06 | 2021-12-06 | Hardware Trojan horse searching and detecting method based on automatic attribute extraction and formal verification |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114238956A true CN114238956A (en) | 2022-03-25 |
CN114238956B CN114238956B (en) | 2024-02-23 |
Family ID: 80754956
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111511312.5A Active CN114238956B (en) | 2021-12-06 | 2021-12-06 | Hardware Trojan horse searching and detecting method based on automatic attribute extraction and formal verification |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114238956B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180032760A1 (en) * | 2016-07-27 | 2018-02-01 | Tortuga Logic Inc. | Method and System for Detecting Hardware Trojans and Unintentional Design Flaws |
CN108595986A (en) * | 2018-05-09 | 2018-09-28 | 同济大学 | Miniature Trojan detecting method based on Bounded Model |
CN108647533A (en) * | 2018-02-14 | 2018-10-12 | 清华大学 | Security assertions automatic generation method for detecting hardware Trojan horse |
CN108846283A (en) * | 2018-06-15 | 2018-11-20 | 北京航空航天大学 | A kind of hardware Trojan horse real-time detecting system and its design method |
CN110096907A (en) * | 2019-04-09 | 2019-08-06 | 西北工业大学深圳研究院 | A kind of hardware Trojan horse detection method based on Information Flow Security verifying |
2021
- 2021-12-06 CN CN202111511312.5A patent/CN114238956B/en active Active
Non-Patent Citations (1)
Title |
---|
张荣;王丽娟;于宗光;: "基于结构特征的IP软核硬件木马检测方法", 电子设计工程, no. 15, 3 August 2020 (2020-08-03) * |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114861573A (en) * | 2022-04-08 | 2022-08-05 | 西北工业大学 | Hardware Trojan horse detection method based on LUT (look-up table) feature extraction and machine learning |
CN114861573B (en) * | 2022-04-08 | 2024-03-08 | 西北工业大学 | Hardware Trojan horse detection method based on LUT feature extraction and machine learning |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |