EXERT: EXhaustive IntEgRiTy Analysis for Information Flow Security

Hardware information flow analysis detects security vulnerabilities resulting from microarchitectural design flaws, design-for-test/debug (DfT/D) backdoors, and hardware Trojans. Though information flow violations can be manifested through a multitude of possible ways, prior research has only focused on detecting the existence of such vulnerabilities and no approach has been proposed to exhaustively activate all vulnerable points and reduce false positives. In this paper, we propose EXERT, a novel analysis framework that combines ATPG, SAT, and FSM analysis to detect information flow violations and perform exhaustive analysis that reports the complete set of violating input patterns for vulnerable control points. The FSM analysis, in particular, can be performed offline and helps resolve scalability limitations in prior approaches while remaining exhaustive. As proof-of-concept, EXERT is evaluated on multiple Trojan benchmarks from Trust-Hub. It detects rare Trojan triggers (activation probability ≈ 1.4243e-70), generates all activation patterns within minutes, and shows a 15 x to 110 x faster run time compared with Cadence Jasper Security Path Verification (SPV). EXERT is also applied to a larger RISC-V benchmark to identify instruction sequences that result in privilege escalation.