Table of Contents
Fetching ...

COVERT: Trojan Detection in COTS Hardware via Statistical Activation of Microarchitectural Events

Mahmudul Hasan, Sudipta Paria, Swarup Bhunia, Tamzidul Hoque

TL;DR

COVERT addresses the challenge of verifying trust in Commercial Off-The-Shelf (COTS) microprocessors without access to golden, Trojan-free designs. It introduces a golden-free trust verification framework that extracts rare microarchitectural events from RTL, links them to architecturally invariant concepts, and then uses a Large Language Model (LLM) to synthesize targeted test programs that activate these events, enabling Trojan trigger discovery. The approach combines event exploration, rarity analysis, and an iterative, knowledge-base–driven program-generation loop, validated on OpenRISC mor1kx-based designs and two COTS targets (Marocchino and PicoRV32), achieving high trigger coverage for rare events (over 80% for the rarest 5% of events) and demonstrating effectiveness for both combinational and sequential Trojan triggers. This golden-free, scalable framework provides OEMs with a practical tool to assess trust in untrusted COTS components, with open-source artifacts and a methodology applicable across ISA-compatible processors; it also highlights opportunities to enhance coverage and diversity of test stimuli in future work. $\theta$-based rarity analysis and coverage formulas illustrate the probabilistic nature of Trojan trigger activation under repeated testing, underscoring the statistical basis of COVERT’s security assurances.

Abstract

Commercial Off-The-Shelf (COTS) hardware, such as microprocessors, are widely adopted in system design due to their ability to reduce development time and cost compared to custom solutions. However, supply chain entities involved in the design and fabrication of COTS components are considered untrusted from the consumer's standpoint due to the potential insertion of hidden malicious logic or hardware Trojans (HTs). Existing solutions to detect Trojans are largely inapplicable for COTS components due to their black-box nature and lack of access to a golden model. A few studies that apply require expensive equipment, lack scalability, and apply to a limited class of Trojans. In this work, we present a novel golden-free trust verification framework, COVERT for COTS microprocessors, which can efficiently test the presence of hardware Trojan implants by identifying microarchitectural rare events and transferring activation knowledge from existing processor designs to trigger highly susceptible internal nodes. COVERT leverages Large Language Models to automatically generate test programs that trigger rare microarchitectural events, which may be exploited to develop Trojan trigger conditions. By deriving these events from publicly available Register Transfer Level implementations, COVERT can verify a wide variety of COTS microprocessors that inherit the same Instruction Set Architecture. We have evaluated the proposed framework on open-source RISC-V COTS microprocessors and demonstrated its effectiveness in activating combinational and sequential Trojan triggers with high coverage, highlighting the efficiency of the trust verification. By pruning rare microarchitectural events from mor1kx Cappuccino OpenRISC processor design, COVERT has been able to achieve more than 80% trigger coverage for the rarest 5% of events in or1k Marocchino and PicoRV32 as COTS processors.

COVERT: Trojan Detection in COTS Hardware via Statistical Activation of Microarchitectural Events

TL;DR

COVERT addresses the challenge of verifying trust in Commercial Off-The-Shelf (COTS) microprocessors without access to golden, Trojan-free designs. It introduces a golden-free trust verification framework that extracts rare microarchitectural events from RTL, links them to architecturally invariant concepts, and then uses a Large Language Model (LLM) to synthesize targeted test programs that activate these events, enabling Trojan trigger discovery. The approach combines event exploration, rarity analysis, and an iterative, knowledge-base–driven program-generation loop, validated on OpenRISC mor1kx-based designs and two COTS targets (Marocchino and PicoRV32), achieving high trigger coverage for rare events (over 80% for the rarest 5% of events) and demonstrating effectiveness for both combinational and sequential Trojan triggers. This golden-free, scalable framework provides OEMs with a practical tool to assess trust in untrusted COTS components, with open-source artifacts and a methodology applicable across ISA-compatible processors; it also highlights opportunities to enhance coverage and diversity of test stimuli in future work. -based rarity analysis and coverage formulas illustrate the probabilistic nature of Trojan trigger activation under repeated testing, underscoring the statistical basis of COVERT’s security assurances.

Abstract

Commercial Off-The-Shelf (COTS) hardware, such as microprocessors, are widely adopted in system design due to their ability to reduce development time and cost compared to custom solutions. However, supply chain entities involved in the design and fabrication of COTS components are considered untrusted from the consumer's standpoint due to the potential insertion of hidden malicious logic or hardware Trojans (HTs). Existing solutions to detect Trojans are largely inapplicable for COTS components due to their black-box nature and lack of access to a golden model. A few studies that apply require expensive equipment, lack scalability, and apply to a limited class of Trojans. In this work, we present a novel golden-free trust verification framework, COVERT for COTS microprocessors, which can efficiently test the presence of hardware Trojan implants by identifying microarchitectural rare events and transferring activation knowledge from existing processor designs to trigger highly susceptible internal nodes. COVERT leverages Large Language Models to automatically generate test programs that trigger rare microarchitectural events, which may be exploited to develop Trojan trigger conditions. By deriving these events from publicly available Register Transfer Level implementations, COVERT can verify a wide variety of COTS microprocessors that inherit the same Instruction Set Architecture. We have evaluated the proposed framework on open-source RISC-V COTS microprocessors and demonstrated its effectiveness in activating combinational and sequential Trojan triggers with high coverage, highlighting the efficiency of the trust verification. By pruning rare microarchitectural events from mor1kx Cappuccino OpenRISC processor design, COVERT has been able to achieve more than 80% trigger coverage for the rarest 5% of events in or1k Marocchino and PicoRV32 as COTS processors.
Paper Structure (22 sections, 6 equations, 7 figures, 3 tables)

This paper contains 22 sections, 6 equations, 7 figures, 3 tables.

Figures (7)

  • Figure 1: (a) Modern IC design flow; (b) COTS IC integration flow cots_surveyip_cots.
  • Figure 2: COVERT framework overview for Trojan detection in COTS hardware.
  • Figure 3: Overview of the event exploration process, where it maps RTL signals into microarchitectural events by hierarchical logic unrolling through AST.
  • Figure 4: Proposed agent-driven workflow in COVERT for test program generation leveraging LLM to activate microarchitectural rare events.
  • Figure 5: Overview of iterative prompt refinement process in COVERT framework. The figure highlights the progression from (a) initial query through (b-c) repair-based iterations and (d) subsequent refinements. The initial prompt instructs the LLM to generate a minimal C/C++ or inline assembly program that satisfies the event's conditions. If compilation or simulation fails, the error output is appended to the next prompt so the model can repair the code. If the program runs but does not activate the event, logical feedback and previous successful examples are added to the next prompt. This loop continues until the refined prompt produces a legal program that successfully triggers the rare event.
  • ...and 2 more figures