
Scalable Test Generation to Trigger Rare Targets in High-Level Synthesizable IPs for Cloud FPGAs

Mukta Debnath, Animesh Basak Chowdhury, Debasri Saha, Susmita Sur-Kolay

TL;DR

This paper tackles the security and robustness challenge of hardware Trojans in high-level synthesizable IPs deployed on cloud FPGAs by introducing GreyConE+, a scalable test-generation framework that targets rare, potentially malicious triggers. It fuses selective instrumentation, greybox fuzzing, and concolic execution, and anchors testing to a reference (golden) model when available to enable Trojan detection without exposing the original IP. The authors demonstrate that GreyConE+ improves rare-target coverage, reduces test-generation time and memory usage, and enhances Trojan detection compared to baselines such as AFL, S2E, and prior GreyConE variants across SystemC/C++ and Rosetta benchmarks. This approach offers cloud service providers (CSPs) a practical, cost-efficient pathway to verify third-party HLS IPs in cloud FPGA environments and mitigate security risks inherent in untrusted IP supply chains.

Abstract

High-Level Synthesis (HLS) has transformed the development of complex Hardware IPs (HWIP) by offering abstraction and configurability through languages like SystemC/C++, particularly for Field Programmable Gate Array (FPGA) accelerators in high-performance and cloud computing contexts. These IPs can be synthesized for different FPGA boards in the cloud, offering compact area requirements and enhanced flexibility. HLS enables designs to execute directly on ARM processors within modern FPGAs without the need for Register Transfer Level (RTL) synthesis, thereby conserving FPGA resources. While HLS offers flexibility and efficiency, it also introduces potential vulnerabilities such as the presence of hidden circuitry, including the possibility of hosting hardware trojans within designs. In cloud environments, these vulnerabilities pose significant security concerns such as leakage of sensitive data, IP functionality disruption and hardware damage, necessitating the development of robust testing frameworks. This research presents an advanced testing approach for HLS-developed cloud IPs, specifically targeting hidden malicious functionalities that may exist in rare conditions within the design. The proposed method leverages selective instrumentation, combining greybox fuzzing and concolic execution techniques to enhance test generation capabilities. Evaluation conducted on various HLS benchmarks, possessing characteristics of FPGA-based cloud IPs with embedded cloud-related threats, demonstrates the effectiveness of our framework in detecting trojans and rare scenarios, showcasing improvements in coverage, time efficiency, memory usage, and testing costs compared to existing methods.

Paper Structure

This paper contains 31 sections, 8 figures, 8 tables and 4 algorithms.

Figures (8)

  • Figure 1: (a) Example code snippet. (b) Symbolic and concolic execution flow
  • Figure 2: Reference Model-based Testing (https://en.wikipedia.org/wiki/File:Mbt-process-example.png)
  • Figure 3: Threat Model and Verification Process in Cloud
  • Figure 4: GreyConE+ test generation framework: the selectively instrumented DUT is generated once at the pre-processing stage and fed to both test engines. The Fuzz engine is seeded with initial test-cases, and the Concolic engine starts when invoked with fuzzer test-cases. Test-cases are fed back and forth between the Fuzz engine and the Concolic engine to accelerate search-space exploration. The Coverage Evaluator checks for coverage of the targets whenever GreyConE+ generates a new test-case.
  • Figure 5: Time comparison of AFL, S2E, GreyConE and GreyConE+ for the benchmarks where they cover the same number of rare targets
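To make the fuzz/concolic hand-off described for Figure 4 concrete, here is a toy model of that loop, added as an illustration and not code from the paper or GreyConE+. The DUT, its instrumentation, the mutation fuzzer and the equality-only "concolic solver" are all constructed stand-ins for the SystemC/C++ IPs and the AFL/S2E-style engines the paper uses; the rare target is a nested equality chain that random mutation reaches with probability about 2^-24.

```python
import random

# Constructed DUT: 4-byte input, Trojan-style rare trigger behind three
# equality checks. Each compare is instrumented to log (byte_idx, const,
# taken) so a concolic step can negate it. Real targets are HLS IPs.
def dut(inp, trace):
    def cmp(i, c):
        taken = inp[i] == c
        trace.append((i, c, taken))
        return taken
    if cmp(0, 0xDE) and cmp(1, 0xAD) and cmp(2, 0xBE):
        return "TRIGGER"        # the rare target test generation must reach
    return "normal"

def run(inp):
    trace = []
    return dut(inp, trace), trace

def fuzz_round(seeds, covered, rng, budget=100):
    """Greybox fuzzing: mutate one byte of a seed; keep inputs hitting new edges."""
    found = []
    for _ in range(budget):
        cand = bytearray(rng.choice(seeds))
        cand[rng.randrange(4)] = rng.randrange(256)
        _, tr = run(bytes(cand))
        if set(tr) - covered:
            covered.update(tr)
            found.append(bytes(cand))
    return found

def concolic_step(seed, covered):
    """Concolic execution on a fuzzer seed: replay, pick the first branch whose
    other outcome is uncovered, and solve its (equality) constraint."""
    _, tr = run(seed)
    for i, c, taken in tr:
        if (i, c, not taken) not in covered:
            new = bytearray(seed)
            new[i] = c if not taken else (c + 1) % 256
            return bytes(new)
    return None

def greycone_plus(rng_seed=0, max_iter=50):
    """Figure 4 loop: fuzz; when the fuzzer stalls, hand a seed to the concolic
    engine and feed its test-case back; the coverage evaluator runs every new case."""
    rng = random.Random(rng_seed)
    seeds, covered = [bytes(4)], set()
    for it in range(1, max_iter + 1):
        new = fuzz_round(seeds, covered, rng)
        if not new:                       # stalled on magic-byte equalities
            for s in seeds:
                t = concolic_step(s, covered)
                if t:
                    covered.update(run(t)[1])
                    new.append(t)
                    break
        seeds += new
        for t in new:                     # coverage evaluator on each new case
            if run(t)[0] == "TRIGGER":
                return it, t
    return None, None
```

The fuzzer alone almost never clears the three magic-byte comparisons, while the concolic step clears one per invocation using the fuzzer's own seeds as starting points, which is the interplay the paper's time and coverage comparisons are about.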