Article
Peer-Review Record

A Gate-Level Information Leakage Detection Framework of Sequential Circuit Using Z3

Electronics 2022, 11(24), 4216; https://doi.org/10.3390/electronics11244216
by Qizhi Zhang 1, Liang Liu 2, Yidong Yuan 2, Zhe Zhang 2, Jiaji He 1,*, Ya Gao 1, Yao Li 1, Xiaolong Guo 3 and Yiqiang Zhao 1,*
Submission received: 9 November 2022 / Revised: 1 December 2022 / Accepted: 12 December 2022 / Published: 16 December 2022
(This article belongs to the Section Microelectronics)

Round 1

Reviewer 1 Report

Author should clarify the following points:

1. Is this IFT method suitable for complex design circuits? How will you validate it for complex designs?

2. Figures are very poor, particularly Figures 4 and 9 and Table 2.

3. Compare your proposed method with conventional algorithms.

4. Abstract should be rewritten, with highlights of the proposed system.

5. The literature survey on this field is not enough; add more by including recent papers.

Author Response

Reply to Reviewer 1

We have carefully revised the paper based on the reviewers’ comments and suggestions. We thank all reviewers for their time and consideration in providing such thorough and insightful comments. We would also like to thank the Guest Editor and Editor-in-Chief for allowing us to revise our work in response to these comments. The following revisions have been made in response to each set of reviewers’ comments. The modified text in the paper has also been highlighted using different colors.


Reviewer #1:

1: Is this IFT method suitable for complex design circuits? How will you validate it for complex designs?

Response: We thank the reviewer for the question.

The IFT method is suitable for validating a complex design. The IFT method is proposed to analyze the dependency of sensitive information across a whole circuit. In IFT, data and operations are associated with labels that stand for trust levels. The labels are propagated to other data according to the information flow policy. Generally, we evaluate the security of a system by observing whether labeled data can be propagated to the trusted/untrusted portion of the system. In the above procedure, the major computation work is limited to analyzing the partition of the whole design related to the validation target. Therefore, IFT is a method that can handle a complex system to validate various properties. Moreover, it is convenient for verifiers to choose which data or operations to track and to design the tracking rules.


As to the details of validating a complex (or larger-scale) circuit, first, the IFT model of the complex circuit is generated using our self-developed parser. Then the IFT property is designed, along with automatically generating the shadow logic values of the input/output ports. Specifically, following the property in the experiment section, the shadow logic values of the sensitive information and of the suspicious output port are set to true. In the end, the SMT solver tells whether there is a solution, and if so, there is a path that can leak sensitive information. The validation procedure is carried out using our automatic tools, which is another key contribution to eliminating the scalability issue.


2: Figures are very poor, particularly Figures 4 and 9 and Table 2.

Response: We thank the reviewer for the comments. We have redrawn Figure 1, Figure 3, Figure 4, Figure 9, and Table 2. These figures and tables have been updated in the review revision of the manuscript.


3: Compare your proposed method with conventional algorithms.

Response: We thank the reviewer for the question.

The differences between our method and existing formal methods are discussed in Table 1, in terms of 1) design-stage hardware security, 2) dynamic or static, and 3) automatic or not. The characteristics of conventional algorithms are discussed in Section 2.2, Related Work. To summarize, compared with conventional IFT methods, our proposed method's advantages are as follows. Firstly, the GLIFT algorithm is applied to gate-level hardware design statically, which avoids large dynamic simulation overhead. Secondly, compared with theorem-proving-based approaches, our proposed framework provides a fully automatic process to verify hardware security. That is, we deliver an automatic toolset to convert a gate-level hardware design to a formal model and then generate the IFT property. Specifically, the model-generating parser supports at least two kinds of logic cell libraries. The automatic tool further reduces the manual participation required by conventional IFT verification methods.


4: Abstract should be rewritten, with highlights of the proposed system.

Response: We thank the reviewer for the suggestion. The abstract has been rewritten, and the proposed framework is highlighted.


“[Abstract] Hardware intellectual property (IP) cores from untrusted vendors are widely used, which has raised security concerns for system designers. Although formal methods provide powerful solutions for detecting malicious behaviors in hardware, the manual work they require prevents them from being applied in practice. For example, Information Flow Tracking (IFT) is a powerful approach to preventing sensitive information leakage. However, existing IFT solutions either introduce hardware overhead or lack a practical automatic working procedure, especially for hardware sequential logic. To alleviate these challenges, we propose a framework that fully automates information leakage detection at the gate level of hardware. This framework introduces Z3, an SMT solver, to automatically check for violations of confidentiality. In addition, an automatic tool is developed to further remove the manual workload. In this tool, the gate-level hardware is first converted to a formal model, and then the model’s integrity is checked. Along with the model conversion step, the property for leakage detection is also generated. The proposed solution is tested on 25 gate-level netlist benchmarks, where sequential designs are included to validate the effectiveness. As a result, the Trojans leaking information from circuit outputs can be automatically detected. The time consumption of the whole working procedure validates the efficiency of the proposed approach.”


5: The literature survey on this field is not enough; add more by including recent papers.

Response: We thank the reviewer for the suggestion. Related work, including recent papers, has been added in Table 1 and Section 2.


“[Section 2] CELLIFT [31] provides a dynamic information flow tracking method for hardware. It leverages the logical macrocell abstraction to achieve scalability, precision and completeness in RTL design. However, its performance is limited by the number of logic cell types.

[24] and [30] propose a unified formal model which combines IFT taint propagation and X-propagation to verify the security and integrity of the hardware design. This work realizes efficient model building for multiple-property verification. However, it causes a large simulation overhead because of the extra tracking logic in the RTL code.”


Author Response File: Author Response.pdf

Reviewer 2 Report

This paper proposes an automatic framework to formalize and check information flow in gate-level hardware design for security purposes. The authors designed an EDA tool to generate the GLIFT model and property of sequential circuits for the Z3 SMT solver. The solver is used to detect the leakage path in the hardware design.

Pros:
1. This work applies GLIFT at the gate level statically, which shows the novelty of the proposed methodology.
2. The proposed framework shows a high degree of automation and a complete translation and verification process.
3. The proposed framework is evaluated to address and locate the leakage path.
4. The designed tool can automatically translate the netlist to Z3 constraints and generate the security property based on GLIFT theory, which significantly improves the practicability of the GLIFT method.


Cons:
1. The working procedure shown in Figure 3 does not include the function of the tool.
2. How is the leakage path extracted? Is this work automatically performed?
3. It would be better if a more general and efficient sequential processing algorithm could be discussed.

Overall, this paper is in good shape. I believe it is adequate to publish it if the missing parts of this paper are addressed.

Author Response

Reply to Reviewer 2

We have carefully revised the paper based on the reviewers’ comments and suggestions. We thank all reviewers for their time and consideration in providing such thorough and insightful comments. We would also like to thank the Guest Editor and the Editor-in-Chief for giving us an opportunity to revise our work in response to these comments. The following revisions have been made in response to each set of reviewers’ comments.

The modified text in the paper has also been highlighted using different colors.


Reviewer #2:

1: The working procedure shown in Figure 3 does not include the function of the tool.

Response: We thank the reviewer for the suggestions. Figure 3 has been updated in the paper.


2: How is the leakage path extracted? Is this work automatically performed?

Response: We thank the reviewer for the question. The leakage path is extracted based on the solution of the SMT solver. The solution of the SMT solver includes the original logic value and the shadow logic value of all the logic cells that trigger the leakage path. As discussed in Section 3.1, we set the shadow logic value of the secret information at the input to true. Then, if the shadow logic value of an intermediate logic cell is true, it is tainted by the secret information. Therefore, a leakage path exists when the logic cells' shadow logic values are true. First, the output port to which the secret information propagates is located. Then, the logic cell from which the secret information propagates is extracted according to the shadow logic value. This extraction operation is repeated until the secret information input port is extracted. In this way, the leakage path from input ports to output ports, including a series of intermediate logic cells, is extracted. This framework has been automatically realized with Python scripts.


3: It would be better if a more general and efficient sequential processing algorithm could be discussed.

Response: We thank the reviewer for the comment. We have studied complex sequential structure analysis and corresponding sequential label analysis methods. Our future work will consider a more general and efficient sequential processing algorithm.


Author Response File: Author Response.pdf
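As an added illustration of the extraction procedure the authors describe above (example code, not the paper's own tool): a GLIFT shadow-logic model of a constructed three-gate netlist in which the secret input `key` is labelled, a leaking input assignment is found, and the path is walked back from the output port through tainted cells. Exhaustive enumeration stands in for the Z3 query so the script runs offline; the cell names, gate rules and netlist are all assumptions made for this example.

```python
from itertools import product
# Precise GLIFT rules: a tainted input taints the gate output only when its
# value can actually influence that output under the current assignment.
def glift_and(a, b, at, bt):
    return (a & bt) | (b & at) | (at & bt)
def glift_or(a, b, at, bt):
    return ((1 - a) & bt) | ((1 - b) & at) | (at & bt)
def glift_xor(a, b, at, bt):
    return at | bt  # either input always flips an XOR output

GATES = {  # gate type -> (original logic, shadow logic)
    "AND": (lambda a, b: a & b, glift_and),
    "OR":  (lambda a, b: a | b, glift_or),
    "XOR": (lambda a, b: a ^ b, glift_xor),
}
# Constructed netlist (hypothetical): cell -> (gate, fan-in a, fan-in b), in
# topological order. "key" is the secret input; out1/out2 are output ports.
NETLIST = {
    "n1":   ("AND", "key", "sel"),
    "out1": ("OR",  "data", "n1"),
    "out2": ("XOR", "data", "sel"),
}

def simulate(netlist, values, taints):
    """Propagate original and shadow (label) values through every cell."""
    v, t = dict(values), dict(taints)
    for cell, (gate, a, b) in netlist.items():
        fn, tfn = GATES[gate]
        v[cell] = fn(v[a], v[b])
        t[cell] = tfn(v[a], v[b], t[a], t[b])
    return v, t

def find_leak(netlist, inputs, secret, output):
    """Z3 stand-in: find an assignment where the secret's label reaches output."""
    for bits in product((0, 1), repeat=len(inputs)):
        values = dict(zip(inputs, bits))
        taints = {i: int(i == secret) for i in inputs}  # label only the secret
        v, t = simulate(netlist, values, taints)
        if t[output]:
            return v, t  # (original values, shadow values) of every cell
    return None

def extract_path(netlist, taints, output):
    """Walk back from the tainted output through tainted cells to the secret."""
    path, cell = [output], output
    while cell in netlist:  # stop once a primary input port is reached
        _, a, b = netlist[cell]
        cell = a if taints[a] else b  # at least one fan-in carries the label
        path.append(cell)
    return path
```

For `out1` the search finds `sel=1, data=0` and the walk returns `["out1", "n1", "key"]`; for `out2`, which never depends on `key`, no assignment taints the output and `find_leak` returns `None`.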
