COVERT: Trojan Detection in COTS Hardware via Statistical Activation of Microarchitectural Events

TL;DR

COVERT is a novel framework that detects hardware Trojans in COTS microprocessors by using statistical activation of microarchitectural events and leveraging language models to generate targeted test programs, enabling scalable and golden-free verification.

Contribution

It introduces a new method for Trojan detection in COTS hardware that does not require a golden model and employs LLMs to generate effective test programs for triggering Trojans.

Findings

Achieved over 80% trigger coverage on open-source RISC-V processors.

Effectively activates both combinational and sequential Trojan triggers.

Demonstrated scalability across various COTS microprocessors.

Abstract

Commercial Off-The-Shelf (COTS) hardware, such as microprocessors, are widely adopted in system design due to their ability to reduce development time and cost compared to custom solutions. However, supply chain entities involved in the design and fabrication of COTS components are considered untrusted from the consumer's standpoint due to the potential insertion of hidden malicious logic or hardware Trojans (HTs). Existing solutions to detect Trojans are largely inapplicable for COTS components due to their black-box nature and lack of access to a golden model. A few studies that apply require expensive equipment, lack scalability, and apply to a limited class of Trojans. In this work, we present a novel golden-free trust verification framework, COVERT for COTS microprocessors, which can efficiently test the presence of hardware Trojan implants by identifying microarchitectural rare events and transferring activation knowledge from existing processor designs to trigger highly susceptible internal nodes. COVERT leverages Large Language Models to automatically generate test programs that trigger rare microarchitectural events, which may be exploited to develop Trojan trigger conditions. By deriving these events from publicly available Register Transfer Level implementations, COVERT can verify a wide variety of COTS microprocessors that inherit the same Instruction Set Architecture. We have evaluated the proposed framework on open-source RISC-V COTS microprocessors and demonstrated its effectiveness in activating combinational and sequential Trojan triggers with high coverage, highlighting the efficiency of the trust verification. By pruning rare microarchitectural events from mor1kx Cappuccino OpenRISC processor design, COVERT has been able to achieve more than 80% trigger coverage for the rarest 5% of events in or1k Marocchino and PicoRV32 as COTS processors.