Verification and trust for unspecified IP functionality

Abstract

Traditional verification methods and metrics attempt to answer the question: does my design correctly perform the intended specified functionality? The question this chapter addresses is: does my design perform malicious functionality in addition to the intended functionality? Malicious functionality inserted into a chip is called a Hardware Trojan. In this chapter we address a less studied but extremely stealthy class of Trojan: Trojans which do not rely on rare triggering conditions to stay hidden, but instead only alter the logic functions of design signals which have unspecified behavior, meaning the Trojan never violates the design specification. In this chapter we define dangerous unspecified functionality in terms of information leakage and provide examples of how Trojans only modifying RTL don’t cares and on-chip bus functionality during idle bus cycles can completely undermine system security. We present a method for preventing Trojans in RTL don’t cares, and a methodology based on mutation testing applicable to any design type and abstraction level to identify dangerous unspecified functionality beyond RTL don’t cares.