Formal Methods for Reverse Engineering Gate-Level Netlists

Components An abstract component α is a triple (I, O,S), where I and O are sets of input and output signals, respectively, and S is a formal specification defining allowed input-output behavior of the component. An instance of an abstract component α is any circuit or netlist that satisfies the specification S of α. We illustrate the notion of an abstract component using an example. Example 2. Consider an arbiter servicing two (input) request lines r0 and r1 with two grant lines g0, g1 as outputs. The abstract arbiter component would comprise the following LTL properties: G ¬(g1 ∧ g2) [G F ¬(r0 ∧ r1)]⇒ G (r0 ⇒ F g0) [G F ¬(r0 ∧ r1)]⇒ G (r1 ⇒ F g1) The first property states that both requests cannot be granted at the same cycle. The last two properties state that a request must eventually be granted, provided there are infinitely many cycles where no competing requests are present – the latter assumption is the property G F ¬(r0 ∧ r1). High-Level Description Informally, a high-level description of a netlist is a composition of abstract components. This includes a mapping from netlist slices to abstract components, as well as the datapaths that connect these components. A library of abstract components (component library, for short) L is a set {α1, α2, . . . , αn} of abstract components. We will assume that each abstract component is also accompanied by at least one concrete instance; this is reasonable, as the abstract component library is typically constructed from observations of commonly occurring components in hardware designs. Example 3. Examples of abstract components include common hardware design patterns and modules such as an arbiter, FIFO buffer, adder, multiplier, content-addressable memory (CAM), and crossbar. Abstract descriptions of finite-state machines are relevant for circuits that implement protocols; e.g., transmitter or receiver modules implementing the Ethernet or IC protocols. A high-level description (HLD) of a netlist N with input signals I and output signals O is a tuple (I, O,Γ) where Γ is a set of instances of abstract components drawn from L plus CHAPTER 2. REVERSE ENGINEERING GATE-LEVEL NETLISTS 13 some “glue” logic such that the synchronous composition of these instances and the “glue” logic is (sequentially) equivalent to the original netlist N . 2.2.2 Problem Definition We are now ready to formally define the problem of reverse engineering a high-level description (REHLD) of a circuit. Definition 2.1. Given • an unknown netlist N containing cells R and G interconnected by wires W , • a library L = {α1, α2, . . . , αn} of abstract components, the REHLD problem for N is to derive a high-level description N ′ = (I, O,Γ) where N ′ is equivalent to N and Γ is a composition of instances of abstract components from L and a collection of registers R′ ⊆ R, gates G′ ⊆ G and wires W ′ ⊆ W that make up the “glue” logic. Solving the REHLD problem involves multiple steps. We rephrase each of these steps using the notation introduced in this section. There are four main steps: • Word-level datapaths extraction: Extract word-level datapaths G from the bit-level netlist N . • Library definition: Constructing an abstract component library L; • Netlist slice identification: Extract from the given unknown netlist N a set of netlist slices n1, n2, . . . , nk, where each ni can be used as a candidate for matching against the component library L; • Matching against component library: Given a candidate netlist slice n and an abstract component library L = {α1, α2, . . . , αn}, determine whether there exists an abstract component αi such that: (a) Input-output correspondence: Each input (respectively, output) signal of αi that appears in the formal specification of αi is mapped 1-1 to some input (respectively, output) signal of n . (b) Verification: n is an instance of αi; i.e., Cn satisfies the specification Si associated with αi. These steps can be categorized into datapath extraction (Step 1) and function identification (Step 2, 3 and 4). In the rest of this report, we first describe how word-level datapaths can be extracted from a bit-level netlist. Afterwards, we present two novel approaches for finding the mapping from netlist slices to abstract components. Equivalence is defined with respect to the semantics of the associated circuit CN of N . CHAPTER 2. REVERSE ENGINEERING GATE-LEVEL NETLISTS 14 2.3 Finding Word-Level Datapath In this section, we describe a systematic approach for identifying word-level datapaths in a (bit-level) netlist. The approach involves a combination of two sub-procedures – word identification and word propagation. In word identification, the goal is to find candidate groupings of wires that may form words. Starting with the candidate words and other known words (such as ones at the primary inputs and outputs), the second procedure tries to infer more words by iteratively propagating them across gates in the netlist. 2.3.1 Word Identification We employ two techniques for finding candidate words in a netlist. The first is based on bitslice aggregation [35], and the second is based on a notion called shapehashing. On a high level, the first technique uses functional matching while the second uses structural information to group “equivalent” wires into words. Bitslice Aggregation This technique is not our contribution and is described in detail in [35]. We briefly review it in this section. The function of a wire w in the netlist can be characterized by a feasible cut of w. This is defined as a set of wires in the transitive fan-in cone of w such that an arbitrary assignment of truth values to each wire in the set completely determines the value of w [10]. A cut is said to be k-feasible if it has no more than k inputs. As in [35], we enumerate the set of 6-feasible cuts for each node. Each cut then forms a bitslice rooted at w, which is a Booolean function with a single output and no more than 6 inputs. Once all the bitslices are identified, they can be grouped into equivalence classes using permutation-independent Boolean matching. For example, a bitslice matching the function y = a ∧ b ∨ c and a bitslice matching the function y = b ∧ c ∨ a are grouped into the same class. Now that we have found all the duplicated bitslices across the netlist that compute a particular function, we can look for aggregates of them that are connected in specific patterns. Following the approach described in [35], we group all matching bitslices that (1) have a common select signal; (2) the output of one bitslice feeds to the input of another (e.g. carry chain in a ripple carry adder). Since aggregated bitslices are essentially circuits that operate on sets of nodes simultaneously. We group the inputs or outputs of aggregated bitslices together to form candidate words. Note that in the case of a carry chain, the words are ordered in the carry direction. The number 6 is chosen for efficiency reasons, as the number of cuts for k > 6 becomes significantly larger in our experience. Also, most common bitslices have less than six inputs, e.g., a full adder bitslice has 3 inputs [35]. CHAPTER 2. REVERSE ENGINEERING GATE-LEVEL NETLISTS 15