DOI: 10.1145/3489517.3530638
Research article, Public Access

Trusting the trust anchor: towards detecting cross-layer vulnerabilities with hardware fuzzing

Published: 23 August 2022

Abstract

The rise in the development of complex and application-specific commercial and open-source hardware, combined with shrinking verification time, is causing numerous hardware-security vulnerabilities. Traditional verification techniques are limited in both scalability and completeness. Research in this direction is hindered by the lack of robust testing benchmarks. In this paper, in collaboration with our industry partners, we built an ecosystem mimicking the hardware-development cycle, in which we injected bugs inspired by real-world vulnerabilities into a RISC-V SoC design and organized an open-to-all bug-hunting competition. We equipped the participating researchers with industry-standard static and dynamic verification tools in a ready-to-use environment. The findings from our competition shed light on the strengths and weaknesses of the existing verification tools and highlight the potential for future research in developing new vulnerability detection techniques.


Published In

DAC '22: Proceedings of the 59th ACM/IEEE Design Automation Conference
July 2022
1462 pages
ISBN:9781450391429
DOI:10.1145/3489517
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. CTF
  2. Hack@DAC
  3. Hack@EVENT
  4. fuzzing
  5. hardware competition
  6. hardware security

Conference

DAC '22
Sponsor:
DAC '22: 59th ACM/IEEE Design Automation Conference
July 10 - 14, 2022
San Francisco, California

Acceptance Rates

Overall Acceptance Rate 1,770 of 5,499 submissions, 32%

Cited By

  • Jailbreaking Pre-trained Large Language Models Towards Hardware Vulnerability Insertion Ability. Proceedings of the Great Lakes Symposium on VLSI 2024, pp. 579-582. DOI: 10.1145/3649476.3658799. Published 12 Jun 2024.
  • (Security) Assertions by Large Language Models. IEEE Transactions on Information Forensics and Security 19, pp. 4374-4389. DOI: 10.1109/TIFS.2024.3372809. Published 2024.
  • Instiller: Toward Efficient and Realistic RTL Fuzzing. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 43(7), pp. 2177-2190. DOI: 10.1109/TCAD.2024.3360318. Published Jul 2024.
  • A Hardware Security Evaluation Platform on RISC-V SoC. 2024 IEEE International Test Conference in Asia (ITC-Asia), pp. 1-6. DOI: 10.1109/ITC-Asia62534.2024.10661352. Published 18 Aug 2024.
  • Research on Dynamic Fuzzy Testing in Securing Cloud Infrastructure based on Deep Learning. 2024 3rd International Conference on Cloud Computing, Big Data Application and Software Engineering (CBASE), pp. 859-863. DOI: 10.1109/CBASE64041.2024.10824501. Published 11 Oct 2024.
  • PSOFuzz: Fuzzing Processors with Particle Swarm Optimization. 2023 IEEE/ACM International Conference on Computer Aided Design (ICCAD), pp. 1-9. DOI: 10.1109/ICCAD57390.2023.10323913. Published 28 Oct 2023.