Formal Methods for Reverse Engineering Gate-Level Netlists
Authors
Abstract
Components

An abstract component α is a triple (I, O, S), where I and O are sets of input and output signals, respectively, and S is a formal specification defining the allowed input-output behavior of the component. An instance of an abstract component α is any circuit or netlist that satisfies the specification S of α. We illustrate the notion of an abstract component using an example.

Example 2. Consider an arbiter servicing two (input) request lines r0 and r1 with two grant lines g0, g1 as outputs. The abstract arbiter component would comprise the following LTL properties:

    G ¬(g0 ∧ g1)
    [G F ¬(r0 ∧ r1)] ⇒ G (r0 ⇒ F g0)
    [G F ¬(r0 ∧ r1)] ⇒ G (r1 ⇒ F g1)

The first property states that both requests cannot be granted in the same cycle. The last two properties state that a request must eventually be granted, provided there are infinitely many cycles in which no competing requests are present; the latter assumption is the property G F ¬(r0 ∧ r1).

High-Level Description

Informally, a high-level description of a netlist is a composition of abstract components. This includes a mapping from netlist slices to abstract components, as well as the datapaths that connect these components. A library of abstract components (component library, for short) L is a set {α1, α2, ..., αn} of abstract components. We will assume that each abstract component is also accompanied by at least one concrete instance; this is reasonable, as the abstract component library is typically constructed from observations of commonly occurring components in hardware designs.

Example 3. Examples of abstract components include common hardware design patterns and modules such as an arbiter, FIFO buffer, adder, multiplier, content-addressable memory (CAM), and crossbar. Abstract descriptions of finite-state machines are relevant for circuits that implement protocols, e.g., transmitter or receiver modules implementing the Ethernet or I²C protocols.
A high-level description (HLD) of a netlist N with input signals I and output signals O is a tuple (I, O, Γ), where Γ is a set of instances of abstract components drawn from L plus some "glue" logic, such that the synchronous composition of these instances and the "glue" logic is (sequentially) equivalent to the original netlist N.

CHAPTER 2. REVERSE ENGINEERING GATE-LEVEL NETLISTS

2.2.2 Problem Definition

We are now ready to formally define the problem of reverse engineering a high-level description (REHLD) of a circuit.

Definition 2.1. Given
• an unknown netlist N containing cells R and G interconnected by wires W,
• a library L = {α1, α2, ..., αn} of abstract components,
the REHLD problem for N is to derive a high-level description N′ = (I, O, Γ) where N′ is equivalent to N and Γ is a composition of instances of abstract components from L and a collection of registers R′ ⊆ R, gates G′ ⊆ G and wires W′ ⊆ W that make up the "glue" logic.

Solving the REHLD problem involves multiple steps. We rephrase each of these steps using the notation introduced in this section. There are four main steps:
• Word-level datapath extraction: Extract word-level datapaths G from the bit-level netlist N.
• Library definition: Construct an abstract component library L.
• Netlist slice identification: Extract from the given unknown netlist N a set of netlist slices n1, n2, ..., nk, where each ni can be used as a candidate for matching against the component library L.
• Matching against component library: Given a candidate netlist slice n and an abstract component library L = {α1, α2, ..., αn}, determine whether there exists an abstract component αi such that:
  (a) Input-output correspondence: Each input (respectively, output) signal of αi that appears in the formal specification of αi is mapped 1-1 to some input (respectively, output) signal of n.
  (b) Verification: n is an instance of αi; i.e., Cn satisfies the specification Si associated with αi.
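The following added example (not code from the thesis) carries the arbiter of Example 2 through the matching step just defined: step (a) enumerates every 1-1 correspondence between the unlabeled signals of a candidate slice (x0, x1 in; y0, y1 out) and the specification signals (r0, r1, g0, g1), and step (b) verifies the three LTL properties on the slice's finite state machine. The two candidate slices, a round-robin arbiter and a fixed-priority arbiter that both latch requests until served, are constructed here for illustration; the liveness check is decided exactly on the finite machine by searching for a cycle that starves a raised request while still taking infinitely many fair steps, which is how an LTL model checker refutes the property.

```python
from itertools import permutations, product

# Constructed candidate netlist slice (assumed, not from the thesis): a two-requester
# arbiter that latches requests until they are served. Its signals are deliberately
# unlabeled (x0, x1 in; y0, y1 out) to mimic a slice cut out of an unknown netlist.
# State = (pending0, pending1, last_granted).
def make_arbiter(round_robin):
    def step(state, inp):
        pend0, pend1, last = state
        p0, p1 = pend0 | inp["x0"], pend1 | inp["x1"]
        if p0 and p1:
            grant = (1 - last) if round_robin else 0   # fixed priority favours x0
        elif p0:
            grant = 0
        elif p1:
            grant = 1
        else:
            grant = None
        out = {"y0": int(grant == 0), "y1": int(grant == 1)}
        nxt = (0 if grant == 0 else p0, 0 if grant == 1 else p1,
               last if grant is None else grant)
        return out, nxt
    return step, (0, 0, 0)

def transitions(step, init, inputs):
    """All reachable transitions (state, inputs, outputs, next state)."""
    seen, todo, edges = {init}, [init], []
    while todo:
        s = todo.pop()
        for bits in product((0, 1), repeat=len(inputs)):
            inp = dict(zip(inputs, bits))
            out, nxt = step(s, inp)
            edges.append((s, inp, out, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return edges

def mutual_exclusion(edges, m):
    """G ¬(g0 ∧ g1): no reachable transition asserts both grants."""
    return all(not (out[m["g0"]] and out[m["g1"]]) for _, _, out, _ in edges)

def eventually_granted(edges, m, r, g):
    """[G F ¬(r0 ∧ r1)] ⇒ G (r ⇒ F g), decided exactly on the finite machine: a
    violation is a transition raising r without g, followed by a cycle that never
    asserts g yet takes at least one fair step (one with ¬(r0 ∧ r1))."""
    ungranted = [e for e in edges if not e[2][m[g]]]
    succ = {}
    for s, _, _, nxt in ungranted:
        succ.setdefault(s, set()).add(nxt)

    def reach(src):                     # states reachable along ungranted steps
        seen, todo = set(), [src]
        while todo:
            s = todo.pop()
            if s not in seen:
                seen.add(s)
                todo.extend(succ.get(s, ()))
        return seen

    for s, inp, _, nxt in ungranted:
        if not inp[m[r]]:
            continue                    # r not raised on this transition
        region = reach(nxt)
        for u, inp2, _, v in ungranted:
            fair = not (inp2[m["r0"]] and inp2[m["r1"]])
            if u in region and fair and u in reach(v):
                return False            # fair cycle starving the request
    return True

SPEC_IN, SPEC_OUT = ("r0", "r1"), ("g0", "g1")

def match_arbiter(step, init, slice_in, slice_out):
    """Step (a): enumerate 1-1 signal correspondences; step (b): verify each."""
    edges = transitions(step, init, slice_in)
    good = []
    for pi in permutations(slice_in):
        for po in permutations(slice_out):
            m = dict(zip(SPEC_IN + SPEC_OUT, pi + po))
            if (mutual_exclusion(edges, m)
                    and eventually_granted(edges, m, "r0", "g0")
                    and eventually_granted(edges, m, "r1", "g1")):
                good.append(m)
    return good

if __name__ == "__main__":
    for name, rr in (("round-robin", True), ("fixed-priority", False)):
        step, init = make_arbiter(rr)
        print(name, match_arbiter(step, init, ("x0", "x1"), ("y0", "y1")))
```

Because the arbiter specification is symmetric in the two requesters, the round-robin slice matches under two correspondences (identity and the fully swapped one), which is why step (a) returns a set of mappings rather than a single one; the fixed-priority slice matches under none, since the low-priority request is starved whenever the other request is held.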
These steps can be categorized into datapath extraction (Step 1) and function identification (Steps 2, 3 and 4). In the rest of this report, we first describe how word-level datapaths can be extracted from a bit-level netlist. Afterwards, we present two novel approaches for finding the mapping from netlist slices to abstract components.

(Footnote: Equivalence is defined with respect to the semantics of the associated circuit CN of N.)

2.3 Finding Word-Level Datapaths

In this section, we describe a systematic approach for identifying word-level datapaths in a (bit-level) netlist. The approach combines two sub-procedures: word identification and word propagation. In word identification, the goal is to find candidate groupings of wires that may form words. Starting with the candidate words and other known words (such as those at the primary inputs and outputs), the second procedure tries to infer more words by iteratively propagating them across gates in the netlist.

2.3.1 Word Identification

We employ two techniques for finding candidate words in a netlist. The first is based on bitslice aggregation [35], and the second is based on a notion called shapehashing. At a high level, the first technique uses functional matching while the second uses structural information to group "equivalent" wires into words.

Bitslice Aggregation

This technique is not our contribution and is described in detail in [35]. We briefly review it in this section. The function of a wire w in the netlist can be characterized by a feasible cut of w. This is defined as a set of wires in the transitive fan-in cone of w such that an arbitrary assignment of truth values to each wire in the set completely determines the value of w [10]. A cut is said to be k-feasible if it has no more than k inputs. As in [35], we enumerate the set of 6-feasible cuts for each node.
Each cut then forms a bitslice rooted at w, which is a Boolean function with a single output and no more than 6 inputs. Once all the bitslices are identified, they can be grouped into equivalence classes using permutation-independent Boolean matching. For example, a bitslice matching the function y = a ∧ b ∨ c and a bitslice matching the function y = b ∧ c ∨ a are grouped into the same class. Now that we have found all the duplicated bitslices across the netlist that compute a particular function, we can look for aggregates of them that are connected in specific patterns. Following the approach described in [35], we group all matching bitslices that (1) have a common select signal, or (2) are connected such that the output of one bitslice feeds an input of another (e.g., the carry chain in a ripple-carry adder). Since aggregated bitslices are essentially circuits that operate on sets of nodes simultaneously, we group the inputs or outputs of aggregated bitslices together to form candidate words. Note that in the case of a carry chain, the words are ordered in the carry direction. The number 6 is chosen for efficiency reasons, as the number of cuts for k > 6 becomes significantly larger in our experience. Also, most common bitslices have fewer than six inputs; e.g., a full-adder bitslice has 3 inputs [35].
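The following added example (not code from the thesis or from [35]) runs the bitslice-aggregation pipeline described above on a constructed 3-bit ripple-carry adder at the gate level: k-feasible cut enumeration, a truth table per (root, cut) bitslice, permutation-independent Boolean matching via a canonical table, and rule (2), which links matching bitslices whose output feeds another's input and reads the roots off in carry order as an ordered candidate word. The netlist, the gate encoding and k = 3 (rather than the thesis's 6, to keep the cut sets small) are assumptions of this example.

```python
from itertools import permutations, product

# Constructed gate-level netlist of a 3-bit ripple-carry adder (assumed, not from the
# thesis). Each entry maps a wire to (gate type, fan-in wires); the primary inputs
# a_i, b_i and c0 have no entry.
GATES = {"and": lambda x, y: x & y, "or": lambda x, y: x | y, "xor": lambda x, y: x ^ y}

def ripple_carry_adder(width=3):
    net = {}
    for i in range(width):
        a, b, c = f"a{i}", f"b{i}", f"c{i}"
        net[f"x{i}"] = ("xor", [a, b])                  # propagate
        net[f"s{i}"] = ("xor", [f"x{i}", c])            # sum bit
        net[f"p{i}"] = ("and", [a, b])                  # generate
        net[f"q{i}"] = ("and", [f"x{i}", c])
        net[f"c{i + 1}"] = ("or", [f"p{i}", f"q{i}"])   # carry out
    return net

def k_feasible_cuts(net, k):
    """Enumerate the k-feasible cuts of every wire by merging fan-in cuts."""
    cuts = {}
    def rec(w):
        if w not in cuts:
            result = {frozenset([w])}                   # the trivial cut
            if w in net:
                fanin_cuts = [rec(f) for f in net[w][1]]
                for combo in product(*fanin_cuts):
                    merged = frozenset().union(*combo)
                    if len(merged) <= k:
                        result.add(merged)
            cuts[w] = result
        return cuts[w]
    for w in net:
        rec(w)
    return cuts

def evaluate(net, w, assignment):
    """Value of wire w given values for every wire of a feasible cut."""
    if w in assignment:
        return assignment[w]
    op, fanins = net[w]
    return GATES[op](*(evaluate(net, f, assignment) for f in fanins))

def truth_table(net, w, cut):
    leaves = sorted(cut)
    return tuple(evaluate(net, w, dict(zip(leaves, bits)))
                 for bits in product((0, 1), repeat=len(leaves)))

def canonical(table, n):
    """Permutation-independent key: smallest table over all input orderings."""
    best = None
    for perm in permutations(range(n)):
        permuted = tuple(table[int("".join(str(bits[j]) for j in perm), 2)]
                         for bits in product((0, 1), repeat=n))
        if best is None or permuted < best:
            best = permuted
    return best

def function_key(fn, n):
    """Class key of an n-input Boolean function given as a Python callable."""
    table = tuple(fn(*bits) for bits in product((0, 1), repeat=n))
    return (n, canonical(table, n))

def bitslices(net, k):
    """Group every non-trivial bitslice (root, cut) by its canonical function."""
    classes = {}
    for w, wcuts in k_feasible_cuts(net, k).items():
        for cut in wcuts:
            if w in net and cut != frozenset([w]):
                key = (len(cut), canonical(truth_table(net, w, cut), len(cut)))
                classes.setdefault(key, []).append((w, cut))
    return classes

def chained_words(classes):
    """Rule (2): within one class, link slices whose root feeds another's cut and
    read the roots off in chain order as an ordered candidate word."""
    words = {}
    for key, slices in classes.items():
        roots = {w for w, _ in slices}
        succ = {leaf: w for w, cut in slices for leaf in cut if leaf in roots}
        for head in roots - set(succ.values()):
            chain = [head]
            while chain[-1] in succ:
                chain.append(succ[chain[-1]])
            if len(chain) > 1:
                words.setdefault(key, []).append(tuple(chain))
    return words

def majority_key():
    """Class key of the 3-input majority function, i.e. a full-adder carry slice."""
    return function_key(lambda a, b, c: int(a + b + c >= 2), 3)

if __name__ == "__main__":
    classes = bitslices(ripple_carry_adder(3), 3)
    for (n, table), chains in chained_words(classes).items():
        print(f"{n}-input class {table}: {chains}")
```

The carry wires c1, c2, c3 come out as one ordered word because each carry slice (the majority function of a_i, b_i, c_i) has the previous carry in its cut. Rule (2) as stated also links any lone two-input XOR feeding another XOR (the x_i → s_i pairs here), so a practitioner would additionally apply the select-signal rule and a minimum chain length before promoting an aggregate to a candidate word.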
Similar sources
Gate-Level Netlist Reverse Engineering Tool Set for Functionality Recovery and Malicious Logic Detection
Reliance on third-party resources, including third-party IP cores and fabrication foundries, as well as wide usage of commercial-off-the-shelf (COTS) components has raised concerns that backdoors and/or hardware Trojans may be inserted into fabricated chips. Defending against hardware backdoors and/or Trojans has primarily focused on detection at various stages in the supply chain. Netlist rever...
IP protection through gate-level netlist security enhancement
In modern Integrated Circuits (IC) design flow, from specification to chip fabrication, various security threats are emergent. These range from malicious modifications in the design, to the Electronic Design Automation (EDA) tools, during layout or fabrication, or to the packaging. Of particular concern are modifications made to third-party IP cores and commercial off-the-shelf (COTS) chips whe...
HAL - The Missing Piece of the Puzzle for Hardware Reverse Engineering, Trojan Detection and Insertion
Hardware manipulations pose a serious threat to numerous systems, ranging from a myriad of smart-X devices to military systems. In many attack scenarios an adversary merely has access to the low-level, potentially obfuscated gate-level netlist. In general, the attacker possesses minimal information and faces the costly and time-consuming task of reverse engineering the design to identify securi...
Structural Reverse Engineering of Arithmetic Circuits
This paper focuses on detecting arithmetic components in large gate-level circuits using cut enumeration and structural analysis. It is based on the assumption that adder trees, the key part of arithmetic components, are represented using half- and full-adders, whose boundaries can be traced down to individual nodes present in the gate-level circuit structure. The proposed method detects the eleme...
Peak Dynamic Power Estimation of FPGA-mapped Digital Designs
The Peak Dynamic Power Estimation (PDPE) problem involves finding input vector pairs that cause maximum power dissipation (maximum toggles) in circuits. The PDPE problem is essential for analyzing the reliability and performance of digital circuits prior to fabrication. This paper proposes a methodology for solving the PDPE problem on circuits mapped onto Field Programmable Gate Arrays (FPGAs)....