Raj Gautam Dutta

Pre-silicon security verification and validation: a formal perspective

Reusable hardware Intellectual Property (IP) based System-on-Chip (SoC) design has emerged as a pervasive design practice in the industry today. The possibility of hardware Trojans and/or design backdoors hiding in the IP cores has raised security concerns. As existing functional testing methods fall short in detecting unspecified (often malicious) logic, formal methods have emerged as an alternative for validation of trustworthiness of IP cores. Toward this direction, we discuss two main categories of formal methods used in hardware trust evaluation: theorem proving and equivalence checking. Specifically, proof-carrying hardware (PCH) and its applications are introduced in detail, in which we demonstrate the use of theorem proving methods for providing high-level protection of IP cores. We also outline the use of symbolic algebra in equivalence checking, to ensure that the hardware implementation is equivalent to its design specification, thus leaving little space for malicious logic insertion.

Scalable SoC trust verification using integrated theorem proving and model checking

The wide usage of hardware Intellectual Property (IP) cores and software programs from untrusted vendors have raised security concerns for system designers. Existing solutions for detecting and preventing software attacks do not usually consider the presence of malicious logic in hardware. Similarly, hardware solutions for detecting Trojans and/or design backdoors do not consider the software running on it. Formal methods provide powerful solutions in detecting malicious behaviors in both hardware and software. However, they suffer from scalability issues and cannot be easily used for large-scale computer systems. To alleviate the scalability challenge, we propose a new integrated formal verification framework to evaluate the trust of computer systems constructed from untrusted third-party software and hardware resources. This framework combines an automated model checker with an interactive theorem prover for proving system-level security properties. We evaluate a vulnerable program executed on a bare metal LEON3 SPARC V8 processor and prove system security with considerable reduction in effort. Our method systematically reduces the effort required for verifying the program running on the System-on-Chip (SoC) compared to traditional interactive theorem proving methods.

Synthesis of insulin pump controllers from safety specifications using Bayesian model validation

Insulin pump controllers seek to alleviate the chronic suffering caused by diabetes that affects over 6% of the world population. The design of control laws for insulin pump controllers has been well studied. However, the parameters involved in the control law are difficult to synthesize. Traditionally, ad hoc approaches using animal models and random sampling have been used to construct these parameters. We suggest a synthesis algorithm that uses Bayesian statistical model validation to reduce the number of simulations needed. We apply this algorithm to the problem of insulin pump controller synthesis using in silico simulation of the glucose-insulin metabolism model.

Parameter discovery for stochastic biological models against temporal behavioral specifications using an SPRT based Metric for simulated annealing

Stochastic models are often used to study the behavior of biochemical systems and biomedical devices. While the structure of such models is often readily available from first principles, several quantitative features of the model are not easily determined. These quantitative features are often incorporated into the model as parameters. The algorithmic discovery of parameter values from experimentally observed facts (including extreme-scale data) remains a challenge for the computational systems biology community. In this paper, we present a new parameter discovery algorithm based on Walds sequential probability ratio test (SPRT). Our algorithm uses a combination of simulated annealing and sequential hypothesis testing to reduce the number of samples required for parameter discovery of stochastic models. We use probabilistic bounded linear temporal logic (PBLTL) to express the desired behavioral specification of a model. We also present theoretical results on the correctness of our algorithm, and demonstrate the effectiveness of our algorithm by studying a detailed model of glucose and insulin metabolism.

Eliminating the Hardware-Software Boundary: A Proof-Carrying Approach for Trust Evaluation on Computer Systems

The wide usage of hardware intellectual property (IP) cores and software programs from untrusted third-party vendors has raised security concerns for computer system designers. The existing approaches, designed to ensure the trustworthiness of either the hardware IP cores or to verify software programs, rarely secure the entire computer system. The semantic gap between the hardware and the software lends to the challenge of securing computer systems. In this paper, we propose a new unified framework to represent both the hardware infrastructure and the software program in the same formal language. As a result, the semantic gap between the hardware and the software is bridged, enabling the development of system-level security properties for the entire computer system. Our unified framework uses a cross-domain formal verification method to protect the entire computer system within the scope of proof-carrying hardware. The working procedure of the unified framework is demonstrated with a sample embedded system which includes an 8051 microprocessor and an RC5 encryption program. In our demonstration, we show that the embedded system is trusted if the system level security properties are provable. Supported by the unified framework, the system designers/integrators will be able to formally verify the trustworthiness of the computer system integrated with hardware and software both from untrusted third-party vendors.

IP Trust: The Problem and Design/Validation-Based Solution

Globalization of the integrated circuit (IC) supply chain has raised security vulnerabilities at various stages of the IC design flow. Due to increasing demand for products, companies are trying to reduce the time-to-market (TTM) of ICs which, combined with the increased design complexity, boosts the intellectual property (IP) cores transaction market, and supports the growth of third-party design houses. Meanwhile, the exorbitant cost of in-house chip manufacturing and testing forces companies to outsource these services to foundries and third-party testing facilities. The use of third-party IPs and the outsourcing of fabrication and testing services have raised security concerns, thereby compelling companies to evaluate trustworthiness of their circuit designs. Many defense mechanisms have been proposed to protect IP/IC from reverse engineering, malicious tampering, piracy, counterfeiting, cloning, and overbuilding. In this chapter, we first illustrate different threats to an IP/IC as well as locations of possible adversaries in the supply chain. Subsequently, we discuss different protection methods for soft and firm IP cores. Among the two categories of protection methods, authentication, and prevention, we explain the prevention methods in greater details. We divide the prevention methods into combinational logic locking/encryption and finite state machine locking/encryption. Methods for protecting field-programmable gate array (FPGA) bitstreams are also included in the chapter. We then discuss various IP certification methods, which are used to ensure trustworthiness of IPs. Two main categories of formal methods are particularly elaborated within the scope of IP certification: theorem proving and equivalence checking.

Automatic Code Converter Enhanced PCH Framework for SoC Trust Verification

The wide usage of hardware intellectual property cores from untrusted vendors has raised security concerns for system designers. Existing solutions for functionality testing and verification do not usually consider the presence of malicious logic in hardware. Formal methods provide powerful solutions for detecting malicious behaviors in hardware. However, they suffer from scalability issues and cannot be easily used for large-scale computing systems. To alleviate the scalability challenge, we propose a new integrated formal verification framework to evaluate the trust of system-on-chip (SoC) constructed from untrusted third-party hardware resources. This framework combines an automated model checker with an interactive theorem prover to reduce the time for proving the system-level security properties of SoCs. Another factor contributing to the scalability issue is the effort required for manual conversion of the hardware design from register transfer level (RTL) code to a domain-specific language prior to verification. Consequently, we develop an automatic code converter for translating VHSIC hardware description language (VHDL) to Formal-HDL, which is a domain specific language for representing hardware designs in the language of Coq. To demonstrate the effectiveness of our integrated verification framework and automated code conversion tool, we evaluate a vulnerable program executed on a bare metal LEON3 SPARC V8 processor and prove system security with considerable reduction in verification effort.

Quantifying trust in autonomous system under uncertainties

Over the years, autonomous systems have entered almost all the facets of human life. Gradually, higher levels of autonomy are being incorporated into cyber-physical systems (CPS) and Internet-of-things (IoT) devices. However, safety and security has always been a lurking fear behind adoption of autonomous systems such as self-driving vehicles. To address these issues, we develop a framework for quantifying trust in autonomous system. This framework consist of an estimation method, which considers effect of adversarial attacks on sensor measurements. Our estimation algorithm uses a set-membership method during identification of safe states of the system. An important feature of this algorithm is that it can distinguish between adversarial noise and other disturbances. We also verify the autonomous system by first modeling it as networks of priced timed automata (NPTA) with stochastic semantics and then using statistical probabilistic model checking to verify it against probabilistic specifications. The verification process ensures that the autonomous system behave in accordance to safety specifications within a probabilistic threshold. For quantifying trust on the system, we use confidence results provided by the model checking tool. We have demonstrated our approach by using a case study of adaptive cruise control system under sensor spoofing attacks.

Automatic RTL-to-Formal Code Converter for IP Security Formal Verification

The wide usage of hardware intellectual property (IP) cores from untrusted vendors has raised security concerns in the integrated circuit (IC) industry. Existing testing methods are designed to validate the functionality of the hardware IP cores. These methods often fall short in detecting unspecified (often malicious) logic. Formal methods like Proof-Carrying Hardware (PCH), on the other hand, can help eliminate hardware Trojans and/or design backdoors by formally proving security properties on soft IP cores despite the high proof development cost. One of the causes to the high cost is the manual conversion of the hardware design from RTL code to a domain-specific language prior to verification. To mitigate this issue and to lower the overall cost of PCH framework, we propose an automatic code converter for translating VHDL to Formal-HDL, a domain specific language for representing hardware designs in Coq language. Our code converter provides support to wide variety of hardware designs. Towards the goal of speeding up the verification procedure in our PCH framework, the code converter is the important first step. The applicability of the tool is demonstrated by converting soft IP cores of AES to its Coq equivalent code.

Hierarchy-Preserving Formal Verification Methods for Pre-silicon Security Assurance

The wide usage of hardware intellectual property (IP) cores from untrusted vendors has raised security concerns in the integrated circuit (IC) industry. Existing testing methods are designed to validate the functionality of the hardware IP cores. These methods often fall short in detecting unspecified (often malicious) logic. Formal methods, on the other hand, can help eliminate hardware Trojans and/or design backdoors by formally proving security properties on soft IP cores despite the high proof development cost. To alleviate the computation burden, we propose a new hierarchy-preserving formal verification (HiFV) framework for circuit trust evaluation at the pre-silicon stage. This framework is derived from the Proof-Carrying Hardware (PCH) and is dedicated for security property verification of System-on-Chip (SoC) platforms, where third-party soft IPs are integrated as sub-modules. The key novelty lies in the improvement of the proof construction process of the previously developed security property verification framework, so that the framework can support building theorem proofs in a hierarchical way. We assume a trusted third-party verification house exists, which can use the proposed framework for security theorem construction and proof writing. The applicability of the proposed framework is demonstrated by formally verifying the memory integrity property on an 8051 microprocessor whose sub-modules were treated as untrusted third-party IPs.