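@comment{
  Publication list (proof-carrying hardware, FPGA Trojans, approximate circuits).
  Conventions used in this file:
   - author/editor values are single-braced so that " and " separates names
     (a double-braced list is parsed by BibTeX/Biber as ONE corporate author);
   - titles are kept in Title Case and only acronyms / proper nouns are
     brace-protected, so the bibliography style can still apply its casing;
   - page ranges use "--", literal ampersands are escaped as \&;
   - "location" is a biblatex field; classic BibTeX styles ignore it.
}

@article{52686,
  author    = {Ahmed, Qazi Arbab and Wiersema, Tobias and Platzner, Marco},
  title     = {Post-configuration Activation of Hardware {Trojans} in {FPGAs}},
  journal   = {Journal of Hardware and Systems Security},
  publisher = {Springer Science and Business Media LLC},
  issn      = {2509-3428},
  doi       = {10.1007/s41635-024-00147-5},
  keywords  = {General Engineering, Energy Engineering and Power Technology},
  year      = {2024},
}

@inproceedings{29945,
  author    = {Witschen, Linus Matthias and Wiersema, Tobias and Reuter, Lucas David and Platzner, Marco},
  title     = {Search Space Characterization for Approximate Logic Synthesis},
  booktitle = {2022 59th {ACM/IEEE} Design Automation Conference ({DAC})},
  location  = {San Francisco, USA},
  year      = {2022},
}

@inproceedings{29865,
  author    = {Witschen, Linus Matthias and Wiersema, Tobias and Artmann, Matthias and Platzner, Marco},
  title     = {{MUSCAT}: {MUS}-based Circuit Approximation Technique},
  booktitle = {Design, Automation and Test in Europe ({DATE})},
  location  = {Online},
  year      = {2022},
}

@phdthesis{26746,
  author    = {Wiersema, Tobias},
  title     = {Guaranteeing Properties of Reconfigurable Hardware Circuits with Proof-Carrying Hardware},
  school    = {Paderborn University},
  pages     = {293},
  keywords  = {Proof-Carrying Hardware, Formal Verification, Sequential Circuits, Non-Functional Properties, Functional Properties},
  year      = {2021},
  abstract  = {Previous research in proof-carrying hardware has established the feasibility and utility of the approach, and provided a concrete solution for employing it for the certification of functional equivalence checking against a specification, but fell short in connecting it to state-of-the-art formal verification insights, methods and tools. Due to the immense complexity of modern circuits, and verification challenges such as the state explosion problem for sequential circuits, this restriction of readily-available verification solutions severely limited the applicability of the approach in wider contexts.
This thesis closes the gap between the PCH approach and current advances in formal hardware verification, provides methods and tools to express and certify a wide range of circuit properties, both functional and non-functional, and presents for the first time prototypes in which circuits that are implemented on actual reconfigurable hardware are verified with PCH methods. Using these results, designers can now apply PCH to establish trust in more complex circuits, by using more diverse properties which they can express using modern, efficient property specification techniques.},
}

@inproceedings{21953,
  author    = {Witschen, Linus Matthias and Wiersema, Tobias and Raeisi Nafchi, Masood and Bockhorn, Arne and Platzner, Marco},
  title     = {Timing Optimization for Virtual {FPGA} Configurations},
  booktitle = {Proceedings of the International Symposium on Applied Reconfigurable Computing ({ARC}'21)},
  editor    = {Hannig, Frank and Derrien, Steven and Diniz, Pedro and Chillet, Daniel},
  series    = {Lecture Notes in Computer Science},
  publisher = {Springer},
  location  = {Virtual conference},
  doi       = {10.1007/978-3-030-79025-7_4},
  year      = {2021},
}

@article{27841,
  author    = {Jakobs, Marie-Christine and Pauck, Felix and Platzner, Marco and Wehrheim, Heike and Wiersema, Tobias},
  title     = {Software/Hardware Co-Verification for Custom Instruction Set Processors},
  journal   = {IEEE Access},
  publisher = {IEEE},
  doi       = {10.1109/ACCESS.2021.3131213},
  keywords  = {Software Analysis, Abstract Interpretation, Custom Instruction, Hardware Verification},
  year      = {2021},
  abstract  = {Verification of software and processor hardware usually proceeds separately, software analysis relying on the correctness of processors executing machine instructions. This assumption is valid as long as the software runs on standard CPUs that have been extensively validated and are in wide use. However, for processors exploiting custom instruction set extensions to meet performance and energy constraints the validation might be less extensive, challenging the correctness assumption.
In this paper we present a novel formal approach for hardware/software co-verification targeting processors with custom instruction set extensions. We detail two different approaches for checking whether the hardware fulfills the requirements expected by the software analysis. The approaches are designed to explore a trade-off between generality of the verification and computational effort. Then, we describe the integration of software and hardware analyses for both techniques and describe a fully automated tool chain implementing the approaches. Finally, we demonstrate and compare the two approaches on example source code with custom instructions, using state-of-the-art software analysis and hardware verification techniques.},
}

@inproceedings{20681,
  author    = {Ahmed, Qazi Arbab and Wiersema, Tobias and Platzner, Marco},
  title     = {Malicious Routing: Circumventing Bitstream-level Verification for {FPGAs}},
  booktitle = {2021 Design, Automation \& Test in Europe Conference \& Exhibition ({DATE})},
  location  = {Alpexpo, Grenoble, France},
  doi       = {10.23919/DATE51398.2021.9474026},
  year      = {2021},
  abstract  = {The battle of developing hardware Trojans and corresponding countermeasures has taken adversaries towards ingenious ways of compromising hardware designs by circumventing even advanced testing and verification methods. Besides conventional methods of inserting Trojans into a design by a malicious entity, the design flow for field-programmable gate arrays (FPGAs) can also be surreptitiously compromised to assist the attacker to perform a successful malfunctioning or information leakage attack. The advanced stealthy malicious look-up-table (LUT) attack activates a Trojan only when generating the FPGA bitstream and can thus not be detected by register transfer and gate level testing and verification.
However, also this attack was recently revealed by a bitstream-level proof-carrying hardware (PCH) approach. In this paper, we present a novel attack that leverages malicious routing of the inserted Trojan circuit to acquire a dormant state even in the generated and transmitted bitstream. The Trojan's payload is connected to primary inputs/outputs of the FPGA via a programmable interconnect point (PIP). The Trojan is detached from inputs/outputs during place-and-route and re-connected only when the FPGA is being programmed, thus activating the Trojan circuit without any need for a trigger logic. Since the Trojan is injected in a post-synthesis step and remains unconnected in the bitstream, the presented attack can currently neither be prevented by conventional testing and verification methods nor by recent bitstream-level verification techniques.},
}

@article{17358,
  author    = {Witschen, Linus Matthias and Wiersema, Tobias and Platzner, Marco},
  title     = {Proof-carrying Approximate Circuits},
  journal   = {IEEE Transactions on Very Large Scale Integration Systems},
  volume    = {28},
  number    = {9},
  pages     = {2084--2088},
  publisher = {IEEE},
  issn      = {1557-9999},
  doi       = {10.1109/TVLSI.2020.3008061},
  keywords  = {Approximate circuit synthesis, approximate computing, error metrics, formal verification, proof-carrying hardware},
  year      = {2020},
  abstract  = {Approximate circuits trade-off computational accuracy against improvements in hardware area, delay, or energy consumption. IP core vendors who wish to create such circuits need to convince consumers of the resulting approximation quality. As a solution we propose proof-carrying approximate circuits: The vendor creates an approximate IP core together with a certificate that proves the approximation quality. The proof certificate is bundled with the approximate IP core and sent off to the consumer. The consumer can formally verify the approximation quality of the IP core at a fraction of the typical computational cost for formal verification.
In this paper, we first make the case for proof-carrying approximate circuits and then demonstrate the feasibility of the approach by a set of synthesis experiments using an exemplary approximation framework.},
}

@unpublished{20748,
  author    = {Witschen, Linus Matthias and Wiersema, Tobias and Platzner, Marco},
  title     = {Search Space Characterization for {AxC} Synthesis},
  booktitle = {Fifth Workshop on Approximate Computing ({AxC} 2020)},
  note      = {Workshop paper, Fifth Workshop on Approximate Computing ({AxC} 2020)},
  pages     = {2},
  year      = {2020},
  abstract  = {On the circuit level, the design paradigm Approximate Computing seeks to trade off computational accuracy against a target metric, e.g., energy consumption. This trade-off is possible for many applications due to their inherent resiliency against inaccuracies. In the past, several automated approximation frameworks have been presented, which either utilize designated approximation techniques or libraries to replace approximable circuit parts with inaccurate versions. The frameworks invoke a search algorithm to iteratively explore the search space of performance degraded circuits, and validate their quality individually. In this paper, we propose to reverse this procedure. Rather than exploring the search space, we delineate the approximate parts of the search space which are guaranteed to lead to valid approximate circuits. Our methodology is supported by formal verification and independent of approximation techniques. Eventually, the user is provided with quality bounds of the individual approximable circuit parts. Consequently, our approach guarantees that any approximate circuit which implements these parts within the determined quality constraints satisfies the global quality constraints, superseding a subsequent quality verification.
In our experimental results, we present the runtimes of our approach.},
}

@article{3585,
  author    = {Witschen, Linus Matthias and Wiersema, Tobias and Ghasemzadeh Mohammadi, Hassan and Awais, Muhammad and Platzner, Marco},
  title     = {{CIRCA}: Towards a Modular and Extensible Framework for Approximate Circuit Generation},
  journal   = {Microelectronics Reliability},
  volume    = {99},
  pages     = {277--290},
  publisher = {Elsevier},
  issn      = {0026-2714},
  doi       = {10.1016/j.microrel.2019.04.003},
  keywords  = {Approximate Computing, Framework, Pareto Front, Accuracy},
  year      = {2019},
  abstract  = {Existing approaches and tools for the generation of approximate circuits often lack generality and are restricted to certain circuit types, approximation techniques, and quality assurance methods. Moreover, only few tools are publicly available. This hinders the development and evaluation of new techniques for approximating circuits and their comparison to previous approaches. In this paper, we first analyze and classify related approaches and then present CIRCA, our flexible framework for search-based approximate circuit generation. CIRCA is developed with a focus on modularity and extensibility. We present the architecture of CIRCA with its clear separation into stages and functional blocks, report on the current prototype, and show initial experiments.},
}

@inproceedings{9913,
  author    = {Ahmed, Qazi Arbab and Wiersema, Tobias and Platzner, Marco},
  title     = {Proof-Carrying Hardware Versus the Stealthy Malicious {LUT} Hardware {Trojan}},
  booktitle = {Applied Reconfigurable Computing},
  editor    = {Hochberger, Christian and Nelson, Brent and Koch, Andreas and Woods, Roger and Diniz, Pedro},
  volume    = {11444},
  pages     = {127--136},
  publisher = {Springer International Publishing},
  isbn      = {978-3-030-17227-5},
  location  = {Darmstadt, Germany},
  doi       = {10.1007/978-3-030-17227-5_10},
  year      = {2019},
  abstract  = {Reconfigurable hardware has received considerable attention as a platform that enables dynamic hardware updates and thus is able to adapt new configurations at runtime. However, due to their dynamic nature, e.g., field-programmable gate arrays (FPGA) are subject to a constant possibility of attacks, since each new configuration might be compromised.
Trojans for reconfigurable hardware that evade state-of-the-art detection techniques and even formal verification, are thus a large threat to these devices. One such stealthy hardware Trojan, that is inserted and activated in two stages by compromised electronic design automation (EDA) tools, has recently been presented and shown to evade all forms of classical pre-configuration detection techniques. This paper presents a successful pre-configuration countermeasure against this ``Malicious Look-up-table (LUT)''-hardware Trojan, by employing bitstream-level Proof-Carrying Hardware (PCH). We show that the method is able to alert innocent module creators to infected EDA tools, and to prohibit malicious ones to sell infected modules to unsuspecting customers.},
}

@unpublished{3586,
  author    = {Witschen, Linus Matthias and Wiersema, Tobias and Ghasemzadeh Mohammadi, Hassan and Awais, Muhammad and Platzner, Marco},
  title     = {{CIRCA}: Towards a Modular and Extensible Framework for Approximate Circuit Generation},
  booktitle = {Third Workshop on Approximate Computing ({AxC} 2018)},
  note      = {Workshop paper, Third Workshop on Approximate Computing ({AxC} 2018)},
  pages     = {6},
  keywords  = {Approximate Computing, Framework, Pareto Front, Accuracy},
  year      = {2018},
  abstract  = {Existing approaches and tools for the generation of approximate circuits often lack generality and are restricted to certain circuit types, approximation techniques, and quality assurance methods. Moreover, only few tools are publicly available. This hinders the development and evaluation of new techniques for approximating circuits and their comparison to previous approaches. In this paper, we first analyze and classify related approaches and then present CIRCA, our flexible framework for search-based approximate circuit generation. CIRCA is developed with a focus on modularity and extensibility.
We present the architecture of CIRCA with its clear separation into stages and functional blocks, report on the current prototype, and show initial experiments.},
}

@unpublished{1165,
  author    = {Witschen, Linus Matthias and Wiersema, Tobias and Platzner, Marco},
  title     = {Making the Case for Proof-carrying Approximate Circuits},
  booktitle = {4th Workshop on Approximate Computing ({WAPCO} 2018)},
  note      = {Workshop paper, 4th Workshop on Approximate Computing ({WAPCO} 2018)},
  year      = {2018},
}

@article{68,
  author    = {Isenberg, Tobias and Platzner, Marco and Wehrheim, Heike and Wiersema, Tobias},
  title     = {Proof-Carrying Hardware via Inductive Invariants},
  journal   = {ACM Transactions on Design Automation of Electronic Systems},
  number    = {4},
  pages     = {61:1--61:23},
  publisher = {ACM},
  doi       = {10.1145/3054743},
  year      = {2017},
  abstract  = {Proof-carrying hardware (PCH) is a principle for achieving safety for dynamically reconfigurable hardware systems. The producer of a hardware module spends huge effort when creating a proof for a safety policy. The proof is then transferred as a certificate together with the configuration bitstream to the consumer of the hardware module, who can quickly verify the given proof. Previous work utilized SAT solvers and resolution traces to set up a PCH technology and corresponding tool flows. In this article, we present a novel technology for PCH based on inductive invariants. For sequential circuits, our approach is fundamentally stronger than the previous SAT-based one since we avoid the limitations of bounded unrolling. We contrast our technology to existing ones and show that it fits into previously proposed tool flows. We conduct experiments with four categories of benchmark circuits and report consumer and producer runtime and peak memory consumption, as well as the size of the certificates and the distribution of the workload between producer and consumer.
Experiments clearly show that our new induction-based technology is superior for sequential circuits, whereas the previous SAT-based technology is the better choice for combinational circuits.},
}

@article{222,
  author    = {Wiersema, Tobias and Bockhorn, Arne and Platzner, Marco},
  title     = {An Architecture and Design Tool Flow for Embedding a Virtual {FPGA} into a Reconfigurable System-on-Chip},
  journal   = {Computers \& Electrical Engineering},
  pages     = {112--122},
  publisher = {Elsevier},
  doi       = {10.1016/j.compeleceng.2016.04.005},
  year      = {2016},
  abstract  = {Virtual field programmable gate arrays (FPGA) are overlay architectures realized on top of physical FPGAs. They are proposed to enhance or abstract away from the physical FPGA for experimenting with novel architectures and design tool flows. In this paper, we present an embedding of a ZUMA-based virtual FPGA fabric into a complete configurable system-on-chip. Such an embedding is required to fully harness the potential of virtual FPGAs, in particular to give the virtual circuits access to main memory and operating system services, and to enable a concurrent operation of virtualized and non-virtualized circuitry. We discuss our extension to ZUMA and its embedding into the ReconOS operating system for hardware/software systems. Furthermore, we present an open source tool flow to synthesize configurations for the virtual FPGA, along with an analysis of the area and delay overheads involved.},
}

@inproceedings{132,
  author    = {Wiersema, Tobias and Platzner, Marco},
  title     = {Verifying Worst-Case Completion Times for Reconfigurable Hardware Modules using Proof-Carrying Hardware},
  booktitle = {Proceedings of the 11th International Symposium on Reconfigurable Communication-centric Systems-on-Chip ({ReCoSoC} 2016)},
  pages     = {1--8},
  doi       = {10.1109/ReCoSoC.2016.7533910},
  year      = {2016},
  abstract  = {Runtime reconfiguration can be used to replace hardware modules in the field and even to continuously improve them during operation.
Runtime reconfiguration poses new challenges for validation, since the required properties of newly arriving modules may be difficult to check fast enough to sustain the intended system dynamics. In this paper we present a method for just-in-time verification of the worst-case completion time of a reconfigurable hardware module. We assume so-called run-to-completion modules that exhibit start and done signals indicating the start and end of execution, respectively. We present a formal verification approach that exploits the concept of proof-carrying hardware. The approach tasks the creator of a hardware module with constructing a proof of the worst-case completion time, which can then easily be checked by the user of the module, just prior to reconfiguration. After explaining the verification approach and a corresponding tool flow, we present results from two case studies, a short term synthesis filter and a multihead weigher. The results clearly show that cost of verifying the completion time of the module is paid by the creator instead of the user of the module.},
}

@inproceedings{269,
  author    = {Wiersema, Tobias and Wu, Sen and Platzner, Marco},
  title     = {On-The-Fly Verification of Reconfigurable Image Processing Modules based on a Proof-Carrying Hardware Approach},
  booktitle = {Proceedings of the International Symposium in Reconfigurable Computing ({ARC})},
  pages     = {365--372},
  doi       = {10.1007/978-3-319-16214-0_32},
  year      = {2015},
  abstract  = {Proof-carrying hardware is an approach that has recently been proposed for the efficient verification of reconfigurable modules. We present an application of proof-carrying hardware to guarantee the correct functionality of dynamically reconfigured image processing modules. Our prototype comprises a reconfigurable-system-on-chip with an embedded virtual FPGA fabric.
This setup allows us to leverage open source FPGA synthesis and backend tools to produce FPGA configuration bitstreams with an open format and, thus, to demonstrate and experimentally evaluate proof-carrying hardware at the bitstream level.},
}

@inproceedings{399,
  author    = {Wiersema, Tobias and Drzevitzky, Stephanie and Platzner, Marco},
  title     = {Memory Security in Reconfigurable Computers: Combining Formal Verification with Monitoring},
  booktitle = {Proceedings of the International Conference on Field-Programmable Technology ({FPT})},
  pages     = {167--174},
  doi       = {10.1109/FPT.2014.7082771},
  year      = {2014},
  abstract  = {Ensuring memory access security is a challenge for reconfigurable systems with multiple cores. Previous work introduced access monitors attached to the memory subsystem to ensure that the cores adhere to pre-defined protocols when accessing memory. In this paper, we combine access monitors with a formal runtime verification technique known as proof-carrying hardware to guarantee memory security. We extend previous work on proof-carrying hardware by covering sequential circuits and demonstrate our approach with a prototype leveraging ReconOS/Zynq with an embedded ZUMA virtual FPGA overlay. Experiments show the feasibility of the approach and the capabilities of the prototype, which constitutes the first realization of proof-carrying hardware on real FPGAs. The area overheads for the virtual FPGA are measured as 2x-10x, depending on the resource type. The delay overhead is substantial with almost 100x, but this is an extremely pessimistic estimate that will be lowered once accurate timing analysis for FPGA overlays become available.
Finally, reconfiguration time for the virtual FPGA is about one order of magnitude lower than for the native Zynq fabric.},
}

@inproceedings{408,
  author    = {Jakobs, Marie-Christine and Platzner, Marco and Wiersema, Tobias and Wehrheim, Heike},
  title     = {Integrating Software and Hardware Verification},
  booktitle = {Proceedings of the 11th International Conference on Integrated Formal Methods ({iFM})},
  editor    = {Albert, Elvira and Sekerinski, Emil},
  pages     = {307--322},
  doi       = {10.1007/978-3-319-10181-1_19},
  year      = {2014},
  abstract  = {Verification of hardware and software usually proceeds separately, software analysis relying on the correctness of processors executing instructions. This assumption is valid as long as the software runs on standard CPUs that have been extensively validated and are in wide use. However, for processors exploiting custom instruction set extensions to meet performance and energy constraints the validation might be less extensive, challenging the correctness assumption. In this paper we present an approach for integrating software analyses with hardware verification, specifically targeting custom instruction set extensions. We propose three different techniques for deriving the properties to be proven for the hardware implementation of a custom instruction in order to support software analyses. The techniques are designed to explore the trade-off between generality and efficiency and span from proving functional equivalence over checking the rules of a particular analysis domain to verifying actual pre and post conditions resulting from program analysis.
We demonstrate and compare the three techniques on example programs with custom instructions, using state-of-the-art software and hardware verification techniques.},
}

@inproceedings{433,
  author    = {Wiersema, Tobias and Bockhorn, Arne and Platzner, Marco},
  title     = {Embedding {FPGA} Overlays into Configurable Systems-on-Chip: {ReconOS} meets {ZUMA}},
  booktitle = {Proceedings of the International Conference on ReConFigurable Computing and {FPGAs} ({ReConFig})},
  pages     = {1--6},
  doi       = {10.1109/ReConFig.2014.7032514},
  year      = {2014},
  abstract  = {Virtual FPGAs are overlay architectures realized on top of physical FPGAs. They are proposed to enhance or abstract away from the physical FPGA for experimenting with novel architectures and design tool flows. In this paper, we present an embedding of a ZUMA-based virtual FPGA fabric into a complete configurable system-on-chip. Such an embedding is required to fully harness the potential of virtual FPGAs, in particular to give the virtual circuits access to main memory and operating system services, and to enable a concurrent operation of virtualized and non-virtualized circuitry. We discuss our extension to ZUMA and its embedding into the ReconOS operating system for hardware/software systems. Furthermore, we present an open source tool flow to synthesize configurations for the virtual FPGA.},
}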