Register Aggregation for Hardware Decompilation

Varun Rao, Zachary D. Sisco

TL;DR

The technique successfully recovers memory elements in all of the tested circuits, even aggregating beyond the source code expectation. The evaluation compares the quantity and widths of recovered registers and memory blocks with the original source code.

Abstract

Hardware decompilation reverses logic synthesis, converting a gate-level digital electronic design, or netlist, back up to hardware description language (HDL) code. Existing techniques decompile data-oriented features in netlists, like loops and modules, but struggle with sequential logic. In particular, they cannot decompile memory elements, which pose difficulty due to their deconstruction into individual bits and the feedback loops they form in the netlist. Recovering multi-bit registers and memory blocks from netlists would expand the applications of hardware decompilation, notably towards retargeting technologies (e.g. FPGAs to ASICs) and decompiling processor memories. We devise a method for register aggregation, to identify relationships between the data flip-flops in a netlist and group them into registers and memory blocks, resulting in HDL code that instantiates these memory elements. We aggregate flip-flops by identifying common enable pins, and derive the bit-order of the resulting registers using functional dependencies. This scales similarly to memory blocks, where we repeat the algorithm in the second dimension with special attention to the read, write, and address ports of each memory block. We evaluate our technique over a dataset of 13 gate-level netlists, comprising circuits from binary multipliers to CPUs, and we compare the quantity and widths of recovered registers and memory blocks with the original source code. The technique successfully recovers memory elements in all of the tested circuits, even aggregating beyond the source code expectation. In 10 / 13 circuits, all source code memory elements are accounted for, and we are able to compact up to 2048 disjoint bits into a single memory block.
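A sketch of the two steps the abstract names, grouping flip-flops by a shared enable net and then ordering the bits by topologically sorting their dependencies. It is an added example, not the authors' implementation: the netlist dictionary, the flip-flop and net names, the status labels, and the choice to place dependency-free bits first (least significant) are all assumptions.

```python
from collections import defaultdict

# Constructed netlist (not from the paper): each data flip-flop records the net
# on its enable pin and the flip-flops whose outputs reach its D input.
NETLIST = {
    "ff_42": {"en": "cnt_en", "deps": {"ff_42", "ff_17", "ff_03"}},  # counter bit 2
    "ff_03": {"en": "cnt_en", "deps": {"ff_03"}},                    # counter bit 0
    "ff_17": {"en": "cnt_en", "deps": {"ff_17", "ff_03"}},           # counter bit 1
    "ff_08": {"en": "ld", "deps": {"ff_08"}},                        # bitwise op bit
    "ff_05": {"en": "ld", "deps": {"ff_05"}},                        # bitwise op bit
}

def group_by_enable(netlist):
    """Candidate registers: flip-flops that share the same enable net."""
    groups = defaultdict(list)
    for name, ff in netlist.items():
        groups[ff["en"]].append(name)
    return dict(groups)

def bit_order(members, netlist):
    """Kahn's topological sort over dependencies inside one group.

    Self-loops (a bit feeding back into itself) are dropped. Returns
    (order, status) with status 'unique', 'ambiguous' (the dependencies do
    not fix a single order, as for a bitwise operation) or 'cyclic'.
    """
    members = set(members)
    preds = {m: (netlist[m]["deps"] & members) - {m} for m in members}
    order, status = [], "unique"
    while preds:
        ready = sorted(m for m, p in preds.items() if not p)
        if not ready:  # bits depend on each other in a loop: no order derivable
            return order + sorted(preds), "cyclic"
        if len(ready) > 1:
            status = "ambiguous"
        nxt = ready[0]  # name order is only a deterministic tie-break
        order.append(nxt)
        del preds[nxt]
        for p in preds.values():
            p.discard(nxt)
    return order, status

def aggregate(netlist):
    """Map each enable net to its recovered register: bit list (LSB first) and status."""
    result = {}
    for en, members in group_by_enable(netlist).items():
        bits, status = bit_order(members, netlist)
        result[en] = {"bits": bits, "status": status}
    return result
```
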

Paper Structure (8 sections, 3 equations, 6 figures)

Figures (6)

  • Figure 1: The gate-level netlist for a 3-bit counter with an enable pin, with the corresponding register transfer arcs for each data flip-flop drawn in different colors.
  • Figure 2: The dependency graph for the 3-bit counter in Figure 1 is topologically sorted into an ordering in (a). The dependency graphs for a 3-bit bitwise operation (b) and a 3-bit shifter (c) are also shown for comparison.
  • Figure 3: Table displaying each benchmark, the HDL used, gate count, register count, register metadata, memory dimensions, and memory counts.
  • Figure 4: An overview of the register sizes and quantities for each benchmark. The source values are in green (same data from Figure 3), and the predictions outputted by the technique are in yellow.
  • Figure 5: Three levels of additional aggregation. a) Source code directly matches the predictions. b) Some source code registers additionally aggregated: two 1-bit $\to$ one 2-bit register, two 32-bit + one 1-bit $\to$ one 65-bit register. c) All source code registers additionally aggregated into one 131-bit register.
  • ...and 1 more figures