Security Properties for Open-Source Hardware Designs
Jayden Rogers, Niyaz Shakeel, Divya Mankani, Samantha Espinosa, Cade Chabra, Kaki Ryan, Cynthia Sturton
TL;DR
The paper addresses the lack of open-source security properties for hardware designs and proposes four sets of SystemVerilog Assertions (SVA) targeting buggy designs OR1200, PULPissimo, and CVA6/OpenPiton (2019 and 2021). It details a replicable property-writing methodology and provides a public benchmark repository with 71, 20, 11, and 20 properties, each linked to corresponding CWEs and design snapshots, verified using JasperGold FPV. By including case studies on reproducibility, the work demonstrates how open properties improve comparability and repeatability across verification tools and research groups. Overall, it offers a practical open-source resource and process to accelerate evaluation of formal verification methods in hardware security and invites community collaboration.
Abstract
The hardware security community relies on databases of known vulnerabilities and open-source designs to develop formal verification methods for identifying hardware security flaws. While there are plenty of open-source designs and verification tools, there is a gap in open-source properties addressing these flaws, making it difficult to reproduce prior work and slowing research. This paper aims to bridge that gap. We provide SystemVerilog Assertions for four common designs: OR1200, Hack@DAC 2018's buggy PULPissimo SoC, Hack@DAC 2019's CVA6, and Hack@DAC 2021's buggy OpenPiton SoCs. The properties are organized by design and tagged with details about the security flaws and the implicated CWE. To encourage more property reporting, we describe the methodology we use when crafting properties.