NetDeTox: Adversarial and Efficient Evasion of Hardware-Security GNNs via RL-LLM Orchestration

TL;DR

NetDeTox is an automated framework that uses reinforcement learning and large language models to efficiently generate adversarial netlist rewrites, significantly degrading hardware security GNNs with fewer modifications and lower overheads.

Contribution

It introduces a novel RL-LLM orchestration approach for targeted netlist rewriting, reducing overheads and improving scalability over existing adversarial methods.

Findings

Successfully degrades security GNNs across multiple schemes.

Reduces area overheads by over 50% in some cases.

Can optimize and reduce circuit area while performing adversarial rewrites.

Abstract

Graph neural networks (GNNs) have shown promise in hardware security by learning structural motifs from netlist graphs. However, this reliance on motifs makes GNNs vulnerable to adversarial netlist rewrites; even small-scale edits can mislead GNN predictions. Existing adversarial approaches, ranging from synthesis-recipe perturbations to gate transformations, come with high design overheads. We present NetDeTox, an automated end-to-end framework that orchestrates large language models (LLMs) with reinforcement learning (RL) in a systematic manner, enabling focused local rewriting. The RL agent identifies netlist components critical for GNN-based reasoning, while the LLM devises rewriting plans to diversify motifs that preserve functionality. Iterative feedback between the RL and LLM stages refines adversarial rewritings to limit overheads. Compared to the SOTA work AttackGNN, NetDeTox successfully degrades the effectiveness of all security schemes with fewer rewrites and substantially lower area overheads (reductions of 54.50% for GNN-RE, 25.44% for GNN4IP, and 41.04% for OMLA, respectively). For GNN4IP, ours can even optimize/reduce the original benchmarks' area, in particular for larger circuits, demonstrating the practicality and scalability of NetDeTox.