skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: RERTL: Finite State Transducer Logic Recovery at Register Transfer Level
Increasingly complex Intellectual Property (IP) design, coupled with shorter Time-To-Market (TTM), breeds flaws at various levels of the Integrated Circuit (IC) production. With access to IPs at all stages of production, design defects can easily be found and corrected, i.e., knowledge of the Register Transfer Level (RTL) code allows for the option of easy defect detection. However, third-party IPs are typically delivered as hard IPs or gate-level netlists, which complicates the defect detection process. The inaccessibility of source RTL code and the lack of RTL recovery tools make the task of finding high-level security flaws in logic intractable. Upon this request, in this paper, we present an RTL recovery tool suite named RERTL that leverages advanced graph algorithms including Lengauer-Tarjan's dominator tree and Euler tour tree technique to assist in netlist analysis. Supported by RERTL, logical states and their interactions are recovered from the initial design in the format of gate-level netlists. After the recovery of state interaction, RERTL further converts the full design into human-readable RTL. A series of netlist case studies were examined using RERTL covering benign logic structures, designs with accidental defects, and designs with deliberate backdoors. The experimental results show that all of our designs at various complexities were recoverable within seconds.  more » « less
Award ID(s):
1812071
PAR ID:
10166324
Author(s) / Creator(s):
; ; ; ;
Date Published:
Journal Name:
2019 Asian Hardware Oriented Security and Trust Symposium (AsianHOST)
Page Range / eLocation ID:
1 to 6
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; ; ; ; (, IEEE)
    Functional reverse engineering of flattened Field Programmable Gate Array (FPGA) Look-Up Table (LUT) netlists to Register Transfer Level (RTL) representation is essential to understand, reconstruct and enhance the existing legacy designs. Recent advances in machine learning show promising results in solving EDA problems. In this paper, we propose a tool, RELUT-GNN that uses Graph Neural Networks (GNNs) to extract high-level functionality of data path elements from LUT-level netlists. For GNNs, the netlist structure is represented as a graph with FPGA leaf cells as nodes and the nets among them as edges. We extract features for each node and train the GNN to learn the structure of the netlist by aggregating their node features and their neighbors. The training dataset includes a comprehensive custom dataset consisting of various Operators, Shifters, Counters, FSMs, and their combinations of varying bit widths. The model is validated and tested on unseen real-world designs obtained from Opencores and ITC99. It is observed that RELUT-GNN achieved a combined accuracy of 97.12% for the classification of selected benchmarks from arithmetic and DSP cores and the ITC‘99 benchmarks. 
    more » « less
  2. ; (, ACM Transactions on Design Automation of Electronic Systems)
    Due to the globalization of Integrated Circuit supply chain, hardware Trojans and the attacks that can trigger them have become an important security issue. One type of hardware Trojans leverages the “don’t care transitions” in Finite-state Machines (FSMs) of hardware designs. In this article, we present a symbolic approach to detecting don’t care transitions and the hidden Trojans. Our detection approach works at both register-transfer level (RTL) and gate level, does not require a golden design, and works in three stages. In the first stage, it explores the reachable states. In the second stage, it performs an approximate analysis to find the don’t care transitions and any discrepancies in the register values or output lines due to don’t care transitions. The second stage can be used for both predicting don’t care triggered Trojans and for guiding don’t care aware reachability analysis. In the third stage, it performs a state-space exploration from reachable states that have incoming don’t care transitions to explore the Trojan payload and to find behavioral discrepancies with respect to what has been observed in the first stage. We also present a pruning technique based on the reachability of FSM states. We present a methodology that leverages both RTL and gate-level for soundness and efficiency. Specifically, we show that don’t care transitions and Trojans that leverage them must be detected at the gate-level, i.e., after synthesis has been performed, for soundness. However, under specific conditions, Trojan payload exploration can be performed more efficiently at RTL. Additionally, the modular design of our approach also provides a fast Trojan prediction method even at the gate level when the reachable states of the FSM is known a priori . Evaluation of our approach on a set of benchmarks from OpenCores and TrustHub and using gate-level representation generated by two synthesis tools, YOSYS and Synopsis Design Compiler (SDC), shows that our approach is both efficient (up to 10× speedup w.r.t. no pruning) and precise (0% false positives both at RTL and gate-level netlist) in detecting don’t care transitions and the Trojans that leverage them. Additionally, the total analysis time can achieve up to 1.62× (using YOSYS) and 1.92× (using SDC) speedup when synthesis preserves the FSM structure, the foundry is trusted, and the Trojan detection is performed at RTL. 
    more » « less
  3. ; ; ; (, IEEE International Symposium on Hardware Oriented Security and Trust (HOST))
    null (Ed.)
    With many fabless companies outsourcing integrated circuit (IC) fabrication, the extent of design information recoverable by any third-party foundry remains clouded. While traditional reverse engineering schemes from the layout employ expensive high-resolution imaging techniques to recover design information, the extent of design information that can be recovered by the foundry remains ambiguous. To address this ambiguity, we propose ReGDS, a layout reverse engineering (RE) framework, posing as an inside-foundry attack to acquire original design intent. Our framework uses the layout, in GDSII format, and the technology library to extract the transistor-level connectivity information, and exploits unique relationship-based matching to identify logic gates and thereby, recover the original gate-level netlist. Employing circuits ranging from few hundreds to millions of transistors, we validate the scalability of our framework and demonstrate 100% recovery of the original design from the layout. To further validate the effectiveness of the framework in the presence of obfuscation schemes, we apply ReGDS to layouts of conventional XOR/MUX locked circuits and successfully recover the obfuscated netlist. By applying the Boolean SATisfiability (SAT) attack on the recovered obfuscated netlist, one can recover the entire key and, thereby, retrieve the original design intent. Thus ReGDS results in accelerated acquisition of the gate-level netlist by the attacker, in comparison to imaging-based RE schemes. Our experiments unearth the potential threat of possible intellectual property (IP) piracy at any third-party foundry. 
    more » « less
  4. ; ; ; ; ; ; ; (, 2023 60th ACM/IEEE Design Automation Conference (DAC))
    Oracle-less machine learning (ML) attacks have broken various logic locking schemes. Regular synthesis, which is tailored for area-power-delay optimization, yields netlists where key-gate localities are vulnerable to learning. Thus, we call for security-aware logic synthesis. We propose ALMOST, a framework for adversarial learning to mitigate oracle-less ML attacks via synthesis tuning. ALMOST uses a simulated-annealing-based synthesis recipe generator, employing adversarially trained models that can predict state-of-the-art attacks’ accuracies over wide ranges of recipes and key-gate localities. Experiments on ISCAS benchmarks confirm the attacks’ accuracies drops to around 50% for ALMOST-synthesized circuits, all while not undermining design optimization. 
    more » « less
  5. ; ; ; (, 2022 IEEE/ACM International Conference On Computer Aided Design (ICCAD))
    Hardware Description Language (HDL) is a common entry point for designing digital circuits. Differences in HDL coding styles and design choices may lead to considerably different design quality and performance-power tradeoff. In general, the impact of HDL coding is not clear until logic synthesis or even layout is completed. However, running synthesis merely as a feedback for HDL code is computationally not economical especially in early design phases when the code needs to be frequently modified. Furthermore, in late stages of design convergence burdened with high-impact engineering change orders (ECO’s), design iterations become prohibitively expensive. To this end, we propose a machine learning approach to Verilog-based Register-Transfer Level (RTL) design assessment without going through the synthesis process. It would allow designers to quickly evaluate the performance-power tradeoff among different options of RTL designs. Experimental results show that our proposed technique achieves an average of 95% prediction accuracy in terms of post-placement analysis, and is 6 orders of magnitude faster than evaluation by running logic synthesis and placement. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email