Michael Rathmair

Applied formal methods for hardware Trojan detection

This paper addresses the potential danger using integrated circuits which contain malicious hardware modifications hidden in the silicon structure. A so called hardware Trojan may be added at several stages of the chip development process. This work concentrates on formal hardware Trojan detection during the design phase and highlights applied verification techniques. Selected methods are discussed and their combination used to increase an introduced “Trojan Assurance Level”.

Hardware Trojan detection by specifying malicious circuit properties

This work addresses the increasing danger of shipping integrated circuits (either fully digital or mixed signal) that contain malicious hardware modifications. Potential security threads are established by so called hardware Trojans, implemented in the physical silicon structure. A desire of system engineers is to identify such back-door functionalities during an early design phase. The paper discusses how techniques deduced from model checking applications can be used for Trojan detection. A set of potential malicious properties is defined and handed to an automatic tool. Any returned counterexample identifies a feasible attack path and is a basis for further detailed inspection.

A Process for the Detection of Design-Level Hardware Trojans Using Verification Methods

Hardware Trojans have emerged as a serious threat the past years. Several methods to detect possible hardware Trojans have been published, most of them aiming at detection during post-fabrication tests. Nevertheless, hardware Trojans are more probable to be inserted at design-level, as resources required to do so are much lower than those at fabrication. At design-level, verification methods have been shown to serve for Trojan detection. In this paper, we propose a design process to utilize verification methods in hardware Trojan detection, being able to be integrated into a state-of-the-art design flow for embedded systems. We outline the fundamental basics of verification methods and go then into the details of each step in the process. We identify assets and attackers, and outline which methods are suited to defend against which type of attack.

Load identification and management framework for private households

This paper describes a framework for the identification of household appliances based on a measured aggregated load profile. Device activation and deactivation events are detected by a set of non-intrusive algorithms collected in the software structure. These detections are then matched to a database of load values. The result which is basically a detection probability in combination with consumption data of the device, is displayed to the customer as energy feedback. This motivates users to apply energy-saving measures, or in combination with an home automation system appliances can be turned off automatically. Another concept is to implement more intelligence directly into the devices. Such smart appliances communicate with an energy management gateway and plan their activation autonomous. For the proof of concept a simulator for smart home appliances was developed and integrated into a demonstration setup. Finally the discussed results suggest that disaggregated energy feedback in combination with smart home appliances is a feasible approach in order to using the available energy in a more efficient way.

Verification of mixed-signal systems with affine arithmetic assertions

Embedded systems include an increasing share of analog/mixed-signal components that are tightly interwoven with functionality of digital HW/SW systems. A challenge for verification is that even small deviations in analog components can lead to significant changes in system properties. In this paper we propose the combination of range-based, semisymbolic simulation with assertion checking. We show that this approach combines advantages, but as well some limitations, of multirun simulations with formal techniques. The efficiency of the proposed method is demonstrated by several examples.

Towards Verification of Uncertain Cyber-Physical Systems.

Cyber-Physical Systems (CPS) pose new challenges to verification and validation that go beyond the proof of functional correctness based on high-level models. Particular challenges are, in particular for formal methods, its heterogeneity and scalability. For numerical simulation, uncertain behavior can hardly be covered in a comprehensive way which motivates the use of symbolic methods. The paper describes an approach for symbolic simulation-based verification of CPS with uncertainties. We define a symbolic model and representation of uncertain computations: Affine Arithmetic Decision Diagrams. Then we integrate this approach in the SystemC AMS simulator that supports simulation in different models of computation. We demonstrate the approach by analyzing a water-level monitor with uncertainties, self-diagnosis, and error-reactions.

Minimalist Qualitative Models for Model Checking Cyber-Physical Feature Coordination

Feature-based systems may have interacting features, where undesired feature interaction(s) may even lead to safety-critical behavior in cyber-physical systems. Automotive systems are such systems, where more and more features are currently being integrated, which have to be coordinated. Automated and formal verification of the resulting behavior against safetyrelevant properties is important, and it should not be restricted to the cyber-part (inside the software implementing the features.)In order to address this problem, we investigate coordination of physical feature interactions in this context using model checking. In particular, we created and used a qualitative model for formal verification against a property in time logic. This model is intended to be minimalist, in particular the logical model based on a physical model (including speed and distance). This logical model defines the essence of operations in the dedicated environment. As a result, we formally verified the high-level logic of a composite feature to be used in automotive systems against a formalized accident property. In summary, we employ minimalist qualitative models for model checking (safety-critical) cyberphysical feature coordination. Such a verified qualitative model may provide a reference model for both quantitative models and real software implementations.

Investigating and Coordinating Safety-critical Feature Interactions in Automotive Systems Using Simulation

Automotive systems are safety-critical cyber-physical systems. In particular, undesired feature interaction can lead to safety-critical behavior. In order to address this problem, we investigate physical feature interaction in this context using simulation (with more than one physical variable). This allows us to visualize both the behavior of features in isolation and their interaction. Our major result is a new insight about feature coordination. In such a cyberphysical context, it can be insufficient to coordinate as usual by giving one feature priority over another one. Instead, coordinating based on a physical variable involved in the feature interaction appears to be both necessary and sufficient. In summary, we present our investigation of safetycritical feature interactions and their coordination in automotive systems using simulation, and its results.

Consistently Formalizing a Business Process and its Properties for Verification: A Case Study

Formal verification of business process models can be done through model checking (also known as property checking), where a model checker tool may automatically find violations of properties in a process model. This approach obviously has formal representations as a prerequisite. However, a key challenge for applying this approach in practice is to consistently formalize the process and its properties, which clearly cannot be done automatically. We studied this challenge in a case study of formally verifying an informally given business process against a guideline written like a legal text. Major lessons learned from this case study are that formalizing is key to success and that in its course a semi-formal representation of properties is useful. In the course of such a step-wise and incremental formalization, problems with the given process model have been found already, apart from those found with a model checker tool that used the formal property specification. In total, our approach revealed five problems not found by the official review. In summary, this paper investigates in a case study consistently formalizing a business process and its properties for verification through model checking.

Verification of Business Processes Against Business Rules Using Object Life Cycles

While formal verification of business process models (BPMs) can be done through model checking (also known as property checking), formalizing corresponding properties having the process model available may negatively influence the formulation of properties to be checked. In addition, properties should be checkable for several processes. So, we address the problem of formalizing properties without knowing the process model. The solution proposed in this paper employs additional models of object life cycles. The new key idea is to formulate properties referring to these additional models, which together can represent certain business rules. These models have to be connected with the BPM to be checked in the formalism used for model checking. This combination facilitates more rigorous model checking with a better decoupling of the specification of the original BPM from the properties to be checked. In summary, this paper presents how a combination of conventional business process models (given, e.g., in BPMN), models of business object life cycles, and formalized business rules can be used for verification through model checking.