
EXERTv2: Exhaustive Integrity Analysis for Information Flow Security with FSM Integration

Journal of Hardware and Systems Security

Abstract

Hardware information flow analysis detects security vulnerabilities resulting from microarchitectural design flaws, design-for-test/debug (DfT/D) backdoors, and hardware Trojans. Though information flow violations can manifest in a multitude of ways, prior research has focused only on detecting the existence of such vulnerabilities, and no approach has been proposed to exhaustively activate all vulnerable points and reduce false positives. In this paper, we propose EXERTv2, a novel analysis framework that combines ATPG, SAT, and FSM analysis as well as FSM integration to detect information flow violations and perform exhaustive analysis that reports the complete set of integrity-violating input patterns for vulnerable control points. Compared with the original version of EXERT, the significant contribution of EXERTv2 is its algorithm for integrating FSMs, which simplifies the process of constraining multiple FSMs. The FSM analysis and integration, in particular, consider the behavior of all the FSMs in the design as a whole; this analysis can be performed offline and helps resolve scalability limitations in prior approaches while remaining exhaustive. We also demonstrate EXERT's use in fault injection vulnerability analysis and attacks. As a proof-of-concept, EXERTv2 is evaluated on multiple Trojan benchmarks from Trust-Hub and two additional ciphers. It detects rare Trojan triggers (activation probability \(\approx 1.4243 \times 10^{-70}\)), generates all activation patterns within minutes, and shows a 15\(\times\) to 110\(\times\) faster runtime compared with Cadence Jasper Security Path Verification (SPV). EXERT is also applied to a larger RISC-V benchmark to identify instruction sequences with and without fault injection that result in privilege escalation.


Notes

  1. Our framework analyzes designs at the gate level instead of RTL because the synthesis process may introduce vulnerabilities due to optimization of don’t cares [25], DfT insertion [5], etc. Nevertheless, EXERT can analyze RTL after it is synthesized into a netlist.

References

  1. Tehranipoor M, Koushanfar F (2010) A survey of hardware Trojan taxonomy and detection. IEEE Des Test Comput 27(1):10–25

  2. Zhang X, Tehranipoor M (2011) Case study: detecting hardware Trojans in third-party digital IP cores. In 2011 IEEE International Symposium on Hardware-Oriented Security and Trust, pp 67–70

  3. Kocher P, Horn J, Fogh A, Genkin D, Gruss D, Haas W, Hamburg M, Lipp M, Mangard S, Prescher T, Schwarz M, Yarom Y (2018) Spectre attacks: exploiting speculative execution. In 2019 IEEE Symposium on Security and Privacy (SP), pp 1–19

  4. Lipp M, Schwarz M, Gruss D, Prescher T, Haas W, Fogh A, Horn J, Mangard S, Kocher P, Genkin D, Yarom Y, Hamburg M (2018) Meltdown: reading kernel memory from user space. In 27th USENIX Security Symposium (USENIX Security 18), (Baltimore, MD), pp 973–990. USENIX Association

  5. Contreras GK, Nahiyan A, Bhunia S, Forte D, Tehranipoor M (2017) Security vulnerability analysis of design-for-test exploits for asset protection in SoCs. In 2017 22nd Asia and South Pacific Design Automation Conference (ASP-DAC), pp 617–622

  6. Buhren R, Jacob H-N, Krachenfels T, Seifert J-P (2021) One glitch to rule them all: fault injection attacks against AMD’s secure encrypted virtualization. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS ’21, (New York, NY, USA), pp 2875–2889. Association for Computing Machinery

  7. Roy S, Millican SK, Agrawal VD (2021) Training neural network for machine intelligence in automatic test pattern generator. In 2021 34th International Conference on VLSI Design and 2021 20th International Conference on Embedded Systems (VLSID), pp 316–321

  8. Hu W, Mu D, Oberg J, Mao B, Tiwari M, Sherwood T, Kastner R (2014) Gate-level information flow tracking for security lattices. ACM Trans Des Autom Electron Syst 20

  9. Ardeshiricham A, Hu W, Marxen J, Kastner R (2017) Register transfer level information flow tracking for provably secure hardware design. In Design, Automation & Test in Europe Conference & Exhibition (DATE), 2017, pp 1691–1696

  10. Zhang D, Wang Y, Suh GE, Myers AC (2015) A hardware design language for timing-sensitive information-flow security. SIGARCH Comput Archit News 43:503–516

  11. Cruz J, Farahmandi F, Ahmed A, Mishra P (2018) Hardware trojan detection using ATPG and model checking. In 2018 31st International Conference on VLSI Design and 2018 17th International Conference on Embedded Systems (VLSID), pp 91–96

  12. Nahiyan A, Sadi M, Vittal R, Contreras G, Forte D, Tehranipoor M (2017) Hardware Trojan detection through information flow security verification. In 2017 IEEE International Test Conference (ITC), pp 1–10

  13. Jasper security path verification app (2023). https://www.cadence.com/en_US/home/tools/system-design-and-verification/formal-and-static-verification/jasper-gold-verification-platform/

  14. Goldstein L, Thigpen E (1980) SCOAP: Sandia controllability/observability analysis program. In 17th Design Automation Conference, pp 190–196

  15. Salmani H (2017) COTD: reference-free hardware trojan detection and recovery based on controllability and observability in gate-level netlist. IEEE Transactions on Information Forensics and Security 12:338–350

  16. Suh GE, Lee JW, Zhang D, Devadas S (2004) Secure program execution via dynamic information flow tracking. In Proceedings of the 11th International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS XI, (New York, NY, USA), pp 85–96. Association for Computing Machinery

  17. Hu W, Ardeshiricham A, Kastner R (2021) Hardware information flow tracking. ACM Comput Surv 54

  18. Synopsys TetraMAX II Speeds Test Generation (2016). https://news.synopsys.com/2016-07-12-Synopsys-TetraMAX-II-Speeds-Test-Generation-for-STMicroelectronics-SoC-Designs

  19. Stephan P, Brayton R, Sangiovanni-Vincentelli A (1996) Combinational test generation using satisfiability. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 15(9):1167–1176

  20. Eggersglüß S, Wille R, Drechsler R (2013) Improved SAT-based ATPG: more constraints, better compaction. In 2013 IEEE/ACM International Conference on Computer-Aided Design (ICCAD), pp 85–90

  21. Meade T, Portillo J, Zhang S, Jin Y (2019) Neta: When IP fails, secrets leak. In Proceedings of the 24th Asia and South Pacific Design Automation Conference, ASPDAC ’19, (New York, NY, USA), pp 90–95. Association for Computing Machinery

  22. Wang L-T (2009) Chapter 3 - design for testability. In Electronic Design Automation (L.-T. Wang, Y.-W. Chang, and K.-T. T. Cheng, eds.), pp 97–172 Boston: Morgan Kaufmann

  23. Reimann LM, Hanel L, Sisejkovic D, Merchant F, Leupers R (2021) QFlow: quantitative information flow for security-aware hardware design in Verilog. In 2021 IEEE 39th International Conference on Computer Design (ICCD), (Los Alamitos, CA, USA), pp 603–607 IEEE Computer Society

  24. Guo X, Dutta RG, He J, Tehranipoor MM, Jin Y (2019) QIF-Verilog: quantitative information-flow based hardware description languages for pre-silicon security assessment. In 2019 IEEE International Symposium on Hardware Oriented Security and Trust (HOST), pp 91–100

  25. Nahiyan A, Xiao K, Yang K, Jin Y, Forte D, Tehranipoor M (2016) AVFSM: a framework for identifying and mitigating vulnerabilities in FSMs. In 2016 53rd ACM/EDAC/IEEE Design Automation Conference (DAC), pp 1–6

  26. The glucose SAT solver (2017). https://www.labri.fr/perso/lsimon/glucose/

  27. Berkeley Logic Synthesis and Verification Group, ABC: A System for Sequential Synthesis and Verification (2012). http://www.eecs.berkeley.edu/~alanmi/abc/

  28. Biere A, Heljanko K, Wieringa S (2011) AIGER 1.9 and beyond, Tech. Rep. 11/2, Institute for Formal Models and Verification, Johannes Kepler University, Altenbergerstr. 69, 4040 Linz, Austria

  29. pyAiger: a python library for manipulating sequential and combinatorial circuits (2018). https://github.com/mvcisback/py-aiger

  30. Xin-Feng Z, Jian-Dong W, Bin L, Jun-Wu Z, Jun W (2009) Methods to tackle state explosion problem in model checking. 2009 Third International Symposium on Intelligent Information Technology Application 2:329–331

  31. Salmani H, Tehranipoor M, Karri R (2013) On design vulnerability analysis and trust benchmarks development. In 2013 IEEE 31st International Conference on Computer Design (ICCD), pp 471–474

  32. Rajendran J, Vedula V, Karri R (2015) Detecting malicious modifications of data in third-party intellectual property cores. In 2015 52nd ACM/EDAC/IEEE Design Automation Conference (DAC), pp 1–6

  33. PIC16F84A data sheet (2010). https://ww1.microchip.com/downloads/en/DeviceDoc/35007b.pdf

  34. Daemen J, Massolino PMC, Mehrdad A, Rotella Y (2020) The Subterranean 2.0 cipher suite. IACR Trans Symmetric Cryptol 2020:262–294

  35. Naito Y, Matsui M, Sugawara T, Suzuki D (2019) SAEB: a lightweight blockcipher-based AEAD mode of operation. Cryptology ePrint Archive. Paper 2019/700. https://eprint.iacr.org/2019/700

  36. The RISC-V instruction set manual (2017). https://riscv.org/wp-content/uploads/2017/05/riscv-privileged-v1.10.pdf

  37. Wu J, Fowze F, Forte D (2022) EXERT: exhaustive integrity analysis for information flow security. In 2022 Asian Hardware Oriented Security and Trust Symposium (AsianHOST), pp 1–6

Author information

Corresponding author

Correspondence to Jiaming Wu.

Ethics declarations

Funding

This research was partially supported by NSF under award # 2016624 and AFOSR under Award ID FA8650-20-C-1719.

Competing Interests

The authors declare no competing interests.

Author Contribution

Jiaming Wu and Domenic Forte wrote the whole manuscript. All authors reviewed the manuscript.

Availability of Data and Materials

Not applicable

Ethical Approval

Not applicable

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Wu, J., Forte, D. EXERTv2: Exhaustive Integrity Analysis for Information Flow Security with FSM Integration. J Hardw Syst Secur 7, 147–164 (2023). https://doi.org/10.1007/s41635-023-00141-3

  • DOI: https://doi.org/10.1007/s41635-023-00141-3
