Author

Alif Ahmed

Bio: Alif Ahmed is an academic researcher from University of Florida. The author has contributed to research in topics: Computer science & Concolic testing. The author has an h-index of 7, co-authored 14 publications receiving 184 citations. Previous affiliations of Alif Ahmed include Samsung & Bangladesh University of Engineering and Technology.

Papers
Proceedings ArticleDOI
01 Jan 2018
TL;DR: This paper proposes an effective test generation approach which is capable of activating malicious functionality hidden in large sequential designs and uses the combination of ATPG and model checking approaches to detect hardware Trojans.
Abstract: The threat of hardware Trojans' existence in integrated circuits has become a major concern in System-on-Chip (SoC) design industry as well as in military/defense organizations. There is an increased emphasis on finding effective ways to detect and activate hardware Trojans in current research efforts. However, state-of-the-art approaches suffer from the lack of completeness and scalability. Moreover, most of the existing methods cannot generate efficient tests to activate the potential hidden Trojan. In this paper, we propose an effective test generation approach which is capable of activating malicious functionality hidden in large sequential designs. Automatic test pattern generation (ATPG) works well on full-scan designs, whereas model checking is suitable for logic blocks without scan chain. Due to overhead considerations, partial-scan chain insertion is the standard practice today. Unfortunately, neither ATPG nor model checking is suitable for partial-scan designs. Our proposed hardware Trojan detection technique utilizes the combination of ATPG and model checking approaches. We use model checking on a subset of non-scan elements and ATPG on scan elements to avoid common pitfalls of running the original design using any one of these techniques. Experimental results demonstrate the effectiveness of tests generated by our proposed approach to detect Trojans on Trust-hub benchmarks.

64 citations

Proceedings ArticleDOI
19 Mar 2018
TL;DR: A fully automated and scalable approach for generating directed tests using concolic testing of RTL models using a Control Flow Graph assisted directed test generation method that can efficiently generate a test to activate a given target.
Abstract: Functional validation is one of the most time consuming steps in System-on-Chip (SoC) design methodology. In today's industrial practice, simulating designs using billions of random or constrained-random tests can lead to high functional coverage. However, it is hard to cover the remaining small fraction of corner cases and rare functional scenarios. While formal methods are promising in such cases, it is infeasible to apply them on large designs. In this paper, we propose a fully automated and scalable approach for generating directed tests using concolic testing of RTL models. While application of concolic testing on hardware designs has shown some promising results, existing approaches are tuned for improving overall coverage, rather than covering a specific target. We developed a Control Flow Graph (CFG) assisted directed test generation method that can efficiently generate a test to activate a given target. Our experimental results demonstrate that our approach is both efficient and scalable compared to the state-of-the-art test generation methods.

40 citations

Proceedings ArticleDOI
01 Oct 2018
TL;DR: An automated and scalable test generation approach for activation of hardware Trojans in RTL designs by effective utilization of symbolic execution and concrete simulation and demonstrates that the generated tests are able to activate hard-to-cover Trojan in large and complex RTL benchmarks.
Abstract: Intellectual Property (IP) based System-on-Chip (SoC) design is a widely used practice today. The IPs gathered from third-party vendors may not be trustworthy since they may contain malicious implants (hardware Trojans). To avoid the detection of the Trojan, adversaries usually hide it under rare branches or rare assignments triggered under extremely rare input sequences. Due to exponential input space complexity, state-of-the-art constrained-random test generation methods are not suitable for activating these rare scenarios. While existing model checking based directed test generation approaches are promising, they are not capable of generating tests for large RTL designs due to the capacity restrictions of formal methods. In this paper, we propose an automated and scalable test generation approach for activation of hardware Trojans in RTL designs. This paper makes three important contributions. First, it provides a scalable test generation framework by effective utilization of symbolic execution and concrete simulation. Next, it is a fully automated approach for generating directed tests for activating rare branches and rare assignments. Finally, our experimental results demonstrate that the generated tests are able to activate hard-to-cover Trojans in large and complex RTL benchmarks.

36 citations

Proceedings ArticleDOI
01 Mar 2019
TL;DR: This paper proposes an automated test generation technique for activating multiple targets in RTL models using concolic testing that significantly outperforms the existing methods in terms of overall coverage as well as test generation time.
Abstract: Simulation is widely used for validation of Register-Transfer-Level (RTL) models. While simulating with millions of random (or constrained-random) tests can cover majority of the targets (functional scenarios), the number of remaining targets can still be huge (hundreds or thousands) in case of today’s industrial designs. Prior work on directed test generation using concolic testing can cover only one target at a time. A naive extension of prior work to activate the remaining targets would be infeasible due to wasted effort in multiple overlapping searches. In this paper, we propose an automated test generation technique for activating multiple targets in RTL models using concolic testing. This paper makes three important contributions. First, it efficiently prunes the targets that can be covered by the tests generated for activating the other targets. Next, it minimizes the overlapping searches while trying to generate tests for activating multiple targets. Finally, our approach effectively utilizes clustering of related targets as well as common path sharing between the targets in the same cluster to drastically reduce the test generation time. Experimental results demonstrate that our approach significantly outperforms the existing methods in terms of overall coverage (up to 5X, 1.2X on average) as well as test generation time (up to 146X, 80X on average).

26 citations

Proceedings ArticleDOI
01 Nov 2017
TL;DR: Qualifying Event Based Search (QUEBS) heuristic for concolic testing is presented and it is demonstrated that this approach provides better branch coverage than state-of-the-art test generation methods in a given time budget.
Abstract: Input vector generation is an important step during validation and debugging of hardware designs. Validation using random and directed random tests is widely used today. However, these methods can lead to unacceptable functional coverage under tight deadlines. Concolic testing is a semi-formal method to address this issue. It combines concrete simulation guided by symbolic execution. Application of concolic testing in the hardware domain is still in its infancy due to the lack of effective traversal strategies. In this paper, we present Qualifying Event Based Search (QUEBS) heuristic for concolic testing. During exhaustive concolic testing, the same branch may be selected many times for traversal. Our heuristic limits the number of times a branch can be selected. By preventing repeated selection, it facilitates wider coverage within limited time. Also, whenever a previously uncovered branch is encountered, this limit is relaxed to permit thorough exploration of the newly reached area. Our experimental results demonstrate that this approach provides better branch coverage than state-of-the-art test generation methods in a given time budget. To further improve the performance of QUEBS, we provide two optimization techniques - unsolvable branch elimination and incremental solving by context reuse.

24 citations


Cited by
01 Jan 2010
TL;DR: This paper proposes BlueChip, a defensive strategy that has both a design-time component and a runtime component that is able to prevent all hardware attacks the authors evaluate while incurring a small runtime overhead.
Abstract: The computer systems security arms race between attackers and defenders has largely taken place in the domain of software systems, but as hardware complexity and design processes have evolved, novel and potent hardware-based security threats are now possible. This article presents Unused Circuit Identification (UCI), an approach for detecting suspicious circuits during design time, and BlueChip, a hybrid hardware/software approach to detaching suspicious circuits and making up for UCI classifier errors during runtime.

220 citations

Book ChapterDOI
01 Jan 2003
TL;DR: In this paper, an expanded and thoroughly revised edition of Thomas H. Lee's acclaimed guide to the design of gigahertz RF integrated circuits features a completely new chapter on the principles of wireless systems.
Abstract: This expanded and thoroughly revised edition of Thomas H. Lee's acclaimed guide to the design of gigahertz RF integrated circuits features a completely new chapter on the principles of wireless systems. The chapters on low-noise amplifiers, oscillators and phase noise have been significantly expanded as well. The chapter on architectures now contains several examples of complete chip designs that bring together all the various theoretical and practical elements involved in producing a prototype chip. First Edition Hb (1998): 0-521-63061-4 First Edition Pb (1998); 0-521-63922-0

207 citations

Proceedings ArticleDOI
19 Mar 2018
TL;DR: Experiments demonstrate that a state-of-the-art Trojan detection technique provides poor efficacy when using benchmarks generated by the developed comprehensive framework of automatic hardware Trojan insertion.
Abstract: Malicious hardware modification, also known as hardware Trojan attack, has emerged as a serious security concern for electronic systems. Such attacks compromise the basic premise of hardware root of trust. Over the past decade, significant research efforts have been directed to carefully analyze the trust issues arising from hardware Trojans and to protect against them. This vast body of work often needs to rely on a well-defined set of trust benchmarks that can reliably evaluate the effectiveness of the protection methods. In recent past, efforts have been made to develop a benchmark suite to analyze the effectiveness of pre-silicon Trojan detection and prevention methodologies. However, there are only a limited number of Trojan inserted benchmarks available. Moreover, there is an inherent bias as the researcher is aware of Trojan properties such as location and trigger condition since the current benchmarks are static. In order to create an unbiased and robust benchmark suite to evaluate the effectiveness of any protection technique, we have developed a comprehensive framework of automatic hardware Trojan insertion. Given a netlist, the framework will automatically generate a design with single or multiple Trojan instances based on user-specified Trojan properties. It allows a wide variety of configurations, such as the type of Trojan, Trojan activation probability, number of triggers, and choice of payload. The tool ensures that the inserted Trojan is a valid one and allows for provisions to optimize the Trojan footprint (area and switching). Experiments demonstrate that a state-of-the-art Trojan detection technique provides poor efficacy when using benchmarks generated by our tool. This tool is available for download from http://www.trust-hub.org/.

65 citations

Proceedings ArticleDOI
18 Jan 2021
TL;DR: In this paper, the authors proposed a logic testing approach for Trojan detection using an effective combination of testability analysis and reinforcement learning, which can significantly improve the trigger coverage and reduce the test generation time.
Abstract: Due to globalized semiconductor supply chain, there is an increasing risk of exposing System-on-Chip (SoC) designs to malicious implants, popularly known as hardware Trojans. Unfortunately, traditional simulation-based validation using millions of test vectors is unsuitable for detecting stealthy Trojans with extremely rare trigger conditions due to exponential input space complexity of modern SoCs. There is a critical need to develop efficient Trojan detection techniques to ensure trustworthy SoCs. While there are promising test generation approaches, they have serious limitations in terms of scalability and detection accuracy. In this paper, we propose a novel logic testing approach for Trojan detection using an effective combination of testability analysis and reinforcement learning. Specifically, this paper makes three important contributions. 1) Unlike existing approaches, we utilize both controllability and observability analysis along with rareness of signals to significantly improve the trigger coverage. 2) Utilization of reinforcement learning considerably reduces the test generation time without sacrificing the test quality. 3) Experimental results demonstrate that our approach can drastically improve both trigger coverage (14.5% on average) and test generation time (6.5 times on average) compared to state-of-the-art techniques.

57 citations