COVERT: Trojan Detection in COTS Hardware via Statistical Activation of Microarchitectural Events
Mahmudul Hasan, Sudipta Paria, Swarup Bhunia, Tamzidul Hoque
TL;DR
COVERT addresses the challenge of verifying trust in Commercial Off-The-Shelf (COTS) microprocessors without access to golden, Trojan-free designs. It introduces a golden-free trust verification framework that extracts rare microarchitectural events from RTL, links them to architecturally invariant concepts, and then uses a Large Language Model (LLM) to synthesize targeted test programs that activate these events, enabling Trojan trigger discovery. The approach combines event exploration, rarity analysis, and an iterative, knowledge-base–driven program-generation loop, validated on OpenRISC mor1kx-based designs and two COTS targets (Marocchino and PicoRV32), achieving high trigger coverage for rare events (over 80% for the rarest 5% of events) and demonstrating effectiveness for both combinational and sequential Trojan triggers. This golden-free, scalable framework provides OEMs with a practical tool to assess trust in untrusted COTS components, with open-source artifacts and a methodology applicable across ISA-compatible processors; it also highlights opportunities to enhance coverage and diversity of test stimuli in future work. $\theta$-based rarity analysis and coverage formulas illustrate the probabilistic nature of Trojan trigger activation under repeated testing, underscoring the statistical basis of COVERT’s security assurances.
Abstract
Commercial Off-The-Shelf (COTS) hardware, such as microprocessors, are widely adopted in system design due to their ability to reduce development time and cost compared to custom solutions. However, supply chain entities involved in the design and fabrication of COTS components are considered untrusted from the consumer's standpoint due to the potential insertion of hidden malicious logic or hardware Trojans (HTs). Existing solutions to detect Trojans are largely inapplicable for COTS components due to their black-box nature and lack of access to a golden model. A few studies that apply require expensive equipment, lack scalability, and apply to a limited class of Trojans. In this work, we present a novel golden-free trust verification framework, COVERT for COTS microprocessors, which can efficiently test the presence of hardware Trojan implants by identifying microarchitectural rare events and transferring activation knowledge from existing processor designs to trigger highly susceptible internal nodes. COVERT leverages Large Language Models to automatically generate test programs that trigger rare microarchitectural events, which may be exploited to develop Trojan trigger conditions. By deriving these events from publicly available Register Transfer Level implementations, COVERT can verify a wide variety of COTS microprocessors that inherit the same Instruction Set Architecture. We have evaluated the proposed framework on open-source RISC-V COTS microprocessors and demonstrated its effectiveness in activating combinational and sequential Trojan triggers with high coverage, highlighting the efficiency of the trust verification. By pruning rare microarchitectural events from mor1kx Cappuccino OpenRISC processor design, COVERT has been able to achieve more than 80% trigger coverage for the rarest 5% of events in or1k Marocchino and PicoRV32 as COTS processors.
