Due to the globalization of Integrated Circuit (IC) supply chain, hardware trojans and the attacks that can trigger them have become an important security issue. One type of hardware Trojans leverages the don't care transitions in Finite State Machines (FSMs) of hardware designs. In this paper, we present a symbolic approach to detecting don't care transitions and the hidden Trojans. Our detection approach works at both RTL and gate-level, does not require a golden design, and works in three stages. In the first stage, it explores the reachable states. In the second stage, it performs an approximate analysis to find the don't care transitions. In the third stage, it performs a state-space exploration from reachable states that have incoming don't care transitions to find behavioral discrepancies with respect to what has been observed in the first stage. We also present a pruning technique based on the reachability of FSM states. We present a methodology that leverages both RTL and gate-level for soundness and efficiency. Specifically, we show that don't care transitions must be detected at the gate-level, i.e., after synthesis has been performed, for soundness. However, under specific conditions, Trojan detection can be performed more efficiently at RTL. Evaluation of our approach on a set of benchmarks from OpenCores and TrustHub and using gate-level representation generated by two synthesis tools, Yosys and Synopsis Design Compiler (SDC), shows that our approach is both efficient (up to 10X speedup w.r.t. no pruning) and precise (0% false positives) in detecting don't care transitions and the Trojans that leverage them. Additionally, the total analysis time can achieve up to 3.40X (using Yosys) and 2.52X (SDC) speedup when synthesis preserves the FSM structure and the Trojan detection is performed at RTL.
翻译:由于集成电路(IC)供应链的全球化,硬铁马车和能够触发它们的袭击已成为一个重要的安全问题。 一种硬件特洛伊木马可以使硬件设计Finite States(FSMs)的转型变得无关紧要。 在本文中, 我们展示了一种象征性的检测方法, 以探测不关心过渡和隐藏的Trojans。 我们的检测方法在 RTL 和 门级运作, 不需要黄金设计, 并分三个阶段工作。 在第一阶段, 它探索可达的状态。 在第二阶段, 它进行大概的分析, 以寻找不关心过渡的过渡。 在第三阶段, 它从可达的州进行州级探索, 不关心在第一阶段所观察到的行为差异。 我们还展示了一种基于FSMTF的可达度的快速技术。 我们展示了一种方法, 利用 RTL和门级的检测方法, 在OFSDRMS上, 在精确的测试中, 运行的准确度分析中, 在10级的测试中, 可以检测到正确的时间。