针对硬件木马的形式化验证模型构造方法

doi:10.19665/j.issn1001-2400.2021.03.019

Abstract

Abstract:

The effectiveness of hardware security verification is affected by the way of constructing formal verification models.To solve this problem,this paper proposes a method which can automatically construct formal verification models for hardware Trojans detection.First,the method traverses the control flow graphs of the register transfer level design to extract the path conditions of assignment statements and the corresponding expressions.The constraint relations of the Kripke’ state transition are generated based on the path conditions and the expressions.Second,the constraint relations of the Verilog grammar are transformed to the grammar of the model checker and generate the formal verification models.Finally,a model checker verifies the models and detects the hardware Trojans when a predefined specification is verified as false.In experiments,the hardware Trojans in the Trust-HUB benchmarks are detected,which shows that the models constructed by our method can effectively detect hardware Trojans in register transfer level design.

Key words: formal verification, model checking, hardware security, hardware Trojan, security verification

CLC Number:

TP393.083

SHEN Lixiang,MU Dejun,CAO Guo,XIE Guangqian,SHU Fangyong. Constructing formal verification models for hardware Trojans[J].Journal of Xidian University, 2021, 48(3): 146-153.

Figures/Tables 8

References 15

[1]	LI H, LIU Q, Zhang J. A Survey of Hardware Trojan Threat and Defense[J]. Integration the VLSI Journal, 2016,55:426-437. doi: 10.1016/j.vlsi.2016.01.004
[2]	JIN Y, GUO X, DUTTA R G, et al. Data Secrecy Protection through Information Flow Tracking in Proof-carrying Hardware IP Part I:Framework Fundamentals[J]. IEEE Transactions on Information Forensics and Security, 2017,12(10):2416-2429. doi: 10.1109/TIFS.2017.2707323
[3]	BIDMESHKI M M, GUO X L, DUTTA R G, et al. Data Secrecy Protection through Information Flow Tracking in Proof-carrying Hardware IP Part II:Framework Automation[J]. IEEE Transactions on Information Forensics and Security, 2017,12(10):2430-2443. doi: 10.1109/TIFS.2017.2707327
[4]	GUO X, DUTTA R G, MISHRA P, et al. Automatic RTL-to-formal Code Converter for IP Security Formal Verification[C]// Proceedings of the 2016 17th International Workshop on Microprocessor and SOC Test and Verification.Piscataway:IEEE, 2017: 35-38.
[5]	GUO X, DUTTA R G, MISHAR P, et al. Automatic Code Converter Enhanced PCH Framework for SoC Trust Verification[J]. IEEE Transactions on Very Large Scale Integration Systems, 2017,25(12):3390-3400. doi: 10.1109/TVLSI.2017.2751615
[6]	秦茂源, 慕德俊, 胡伟, 等. 硬件安全门级细粒度形式化验证方法[J]. 西安电子科技大学学报, 2018,45(5):143-148.
	QIN Maoyuan, MU Dejun, HU Wei, et al. Fine-granularity Gate Level Formal Verification Method for Hardware Security[J]. Journal of Xidian University, 2018,45(5):143-148.
[7]	丁明, 张书玲, 张琛, 等. 一种航空电子系统安全性需求验证方法[J]. 西安电子科技大学学报, 2019,46(3):66-73.
	DING Ming, ZHANG Shuling, ZHANG Chen, et al. Method for the Verification of Safety Requirements of Avionics Systems[J]. Journal of Xidian University, 2019,46(3):66-73.
[8]	MUKHERJEE R, KROENING D, MELHAM T. Hardware Verification Using Software Analyzers[C]// Proceedings of the 2015 IEEE Computer Society Annual Symposium on VLSI.Piscataway:IEEE, 2015: 7-12.
[9]	IRFAN A, CIMATTI A, GRIGGIO A, et al. Verilog2SMV:aTool for Word-level Verification[C]// Proceedings of the 2016 Design,Automation and Test in Europe Conference and Exhibition.Piscataway:IEEE, 2016, 1156-1159.
[10]	WORF C. Yosys Open SYnthesis Suite[EB/OL]. [2019-10-20]. http://www.clifford.at/yosys/.
[11]	ROBERTO C A C, JOCHIM C A, KEIGHREN G, et al. NuSMV 2.6 User Manual[EB/OL]. [2019-10-20]. https://nusmv.fbk.eu/NuSMV/userman/v26/nusmv.pdf.
[12]	SALMANI H, TEHRANIPOOR M, KARRI R. On Design Vulnerability Analysis and Trust Benchmarks Development[C]// Proceedings of the 2013 IEEE 31st International Conference on Computer Design.Piscataway:IEEE, 2013: 471-474.
[13]	SHAKYA B, HE T, SALMANI H, et al. Benchmarking of Hardware Trojans and Maliciously Affected Circuits[J]. Journal of Hardware and Systems Security, 2017,1(1):85-102. doi: 10.1007/s41635-017-0001-6
[14]	张广泉. 形式化方法导论[M]. 北京: 清华大学出版社, 2015: 130-169.
[15]	SHEN L X, MU D J, CAO G, et al. Symbolic Execution Based Test-patterns Generation Algorithm for Hardware Trojan Detection[J]. Computers and Security, 2018,78:267-280. doi: 10.1016/j.cose.2018.07.006

行号	寄存器传输级Verilog代码
75	always @(posedge sys_clk or negedge sys_rst_l) begin
76	if (~sys_rst_l) begin
77	rec_dataH=0;
78	end
79	else begin
80	rec_dataH=rec_dataH_temp;
81	end
82	end

寄存器传输级的形式化验证模型	寄存器传输级的Verilog模块
MODULE u_xmit(sys_clk,sys_rst_l,uart_xmitH,	module u_xmit(sys_clk,sys_rst_l,uart_xmitH,xmitH,
xmitH,xmit_dataH,xmit_doneH )	xmit_dataH,xmit_doneH);
DEFINE x_IDLE :=0ub3_000; …	Parameter x_IDLE=3'b000;…
VAR state:unsigned word[3]; …	reg[2:0] state;…
ASSIGN	always @(posedge sys_clk or negedge sys_rst_l)
next(xmit_doneH):=	if (~sys_rst_l) xmit_doneH<=0;
case (!sys_rst_l >0ub1_0) :0ub1_0;	else xmit_doneH <=xmit_doneInH;
!(!sys_rst_l >0ub1_0) :xmit_doneInH;	endmodule
TRUE :xmit_doneH;	…
esac;…

Trust-HUB测试基准	安全验证属性
RS232 T900	CTLSPEC AG (iXMIT.DataSend_ena=0ub1_0)
RS232 T800	CTLSPEC AG (iRECEIVER.rec_readyH_temp=iRECEIVER.rec_readyH)
RS232 T700	CTLSPEC AG ((PRE_sys_rst_l=0ub1_1 & iXMIT.xmit_doneInH=0ub1_1) → AX(iXMIT.xmit_doneH=0ub1_1) )
RS232 T600	CTLSPEC AG ((iXMIT.xmitDataSelH<0ud2_1)→(iXMIT.xmit_doneH=0ud1_0))
RS232 T400	CTLSPEC AG (uart1.cntr=0ub1_0)
RS232 T200	CTLSPEC AG (iRECEIVER.ena=0ub1_0)
RS232 T100	CTLSPEC AG (iRECEIVER.ena=0ub1_0)
PIC16F84-T300	CTLSPEC AG (pic.Trojan_Trigger_Out=0ub1_0)
AES-T1000	CTLSPEC AG (Trigger.Tj_Trig=0ub1_0)

Trust-HUB	木马类型	触发机制	危害	是否发现木马或触发器	验证时间/s
RS232 T900	数据触发;时序电路	内部条件触发	拒绝服务	是	4.0
RS232 T800	数据触发;组合电路	内部条件触发	拒绝服务	是	1.6
RS232 T700	数据触发;时序电路	内部条件触发	拒绝服务	是	3.0
RS232 T600	数据触发;时序电路	内部条件触发	信息泄露和拒绝服务	是	21.0
RS232 T400	数据触发;时序电路	内部条件触发	信息泄露	是	659.0
RS232 T200	数据触发;组合电路	内部条件触发	降低设计可靠性	是	22.0
RS232 T100	数据触发;组合电路	内部条件触发	拒绝服务	是	291.0
PIC16F84-T300	数据触发;时序电路	内部条件触发	信息泄露	是	3 900.0
AES-T800	数据触发;时序电路	内部条件触发	信息泄露	是	1.6
AES-T1000	数据触发;时序电路	内部条件触发	信息泄露	是	1.3

Constructing formal verification models for hardware Trojans

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 8

References 15

Related Articles 15

Metrics

Comments

Recommended 10

[1]	SHU Xinfeng,WANG Changtai,WANG Yan,ZHANG Lili. Propositional projection temporal logic based distributed model checking method [J]. Journal of Xidian University, 2020, 47(4): 39-47.
[2]	WU Qiufeng,ZHANG Yuejun,WANG Pengjun,ZHANG Huihong. Hardware obfuscation design of the RM logical camouflage gate [J]. Journal of Xidian University, 2020, 47(2): 135-141.
[3]	LIU Zhiqiang,ZHANG Mingjin,CHI Yuan,LI Yunsong. Hardware Trojan detection algorithm based on deep learning [J]. Journal of Xidian University, 2019, 46(6): 37-45.
[4]	YANG Yajun,CHEN Zhang. Hardware trojan attack methods and security analysis under split manufacturing [J]. Journal of Xidian University, 2019, 46(4): 167-175.
[5]	DING Ming,ZHANG Shuling,ZHANG Chen,Zhang Jun. Method for the verification of safety requirements of avionics systems [J]. Journal of Xidian University, 2019, 46(3): 66-73.
[6]	DUAN Zhao, LIU Kunlong. Dynamic program verification via a CPAChecker [J]. Journal of Xidian University, 2019, 46(1): 33-38.
[7]	QIN Maoyuan;MU Dejun;HU Wei;MAO Baolei. Fine-granularity gate level formal verification method for hardware security [J]. Journal of Xidian University, 2018, 45(5): 143-148.
[8]	PANG Tao;DUAN Zhenhua;LIU Xiaofang. Symbolic model checking of Verilog programs with the propositional projection temporal logic [J]. J4, 2014, 41(2): 79-84.
[9]	YANG Yuanyuan;MA Wenping;LIU Weibo;YU You;GU Jian. Automatic detection of security protocols with XOR [J]. J4, 2012, 39(4): 120-125+183.
[10]	YANG Chen;DUAN Zhenhua. Stutter-invariant propositional interval temporal logic [J]. J4, 2011, 38(2): 151-156.
[11]	ZHANG Hai-bin;DUAN Zhen-hua. Model checking interval temporal logic [J]. J4, 2009, 36(2): 338-342.
[12]	ZHANG Hai-bin;DUANG Zhen-hua. Model checking multirate hybrid systems [J]. J4, 2008, 35(1): 60-648.
[13]	WANG Jin-shuang;ZHANG Xing-yuan;ZHANG Yu-sen. Mechanizing probability theory in Isabelle/HOL [J]. J4, 2007, 34(7): 197-200.
[14]	GUO Jian1;JIN Nai-yong2. Vacuity detection in computation temperal logic [J]. J4, 2007, 34(5): 794-799.
[15]	ZHANG Hai-bin;DUAN Zhen-hua. Decidability of the dense timed interval temporal logic [J]. J4, 2007, 34(3): 463-467.