# Verifying Functional, Safety and Security Requirements (for Standards Compliance)

### Mike Bartley (TVS) in collaboration with







## **TVS Agenda**

- 11.00 Introductions
- 11.05 TVS
- 11.20 OneSpin
- 11.55 Tortuga Logic
- 12.10 TVS
- 12.25 Q&A (TVS, OneSpin, Tortuga Logic)





### Introduction to your speakers

### Dr Mike Bartley, CEO of TVS

- PhD in Mathematical Logic, MSc in Software Engineering, MBA
- 25 years in Software Testing and Hardware Verification
- Started TVS (Test and Verification Solutions) in 2008
  - 125 engineers worldwide
  - UK, France, Germany, Italy, Sweden, Turkey, India, Singapore, Korea, China, US
  - Delivering SW test and HW verification products and services

» Focus on reliability, safety, security

#### asureSIGN

- "Requirements Driven Test and Verification" methodology
- Define requirements and refine them to verification plans and capture sign-off





# Jörg Große

## Product Manager for Functional Safety, OneSpin Solutions

Jörg Große recently joined OneSpin Solution as a Product Manager for Functional Safety.

He has more than 20 years of experience in EDA, functional verification and ASIC design, having served at companies in Europe, the United States and New Zealand.

As co-founder of a successful Silicon Valley based startup, he was central in developing the concept of fault/mutation testing into a state-of-the-art EDA tool. He deployed this technology in many leading semiconductor companies, increasing the quality of their functional verification.

He holds a Dipl.-Ing.(FH) in Electrical Engineering from the University of Applied Science Anhalt.





## Dr. Ryan Kastner co-founder of Tortuga Logic





Dr. Ryan Kastner is a co-founder of Tortuga Logic and has over 10 years of experience in realm of hardware security. He has served as a principal investigator on various government and industrial grants related to hardware security (over \$3 million in toto). This includes the National Science Foundation Innovation Corps award, which focuses on commercializing technology from academia. Dr. Kastner is a professor in the Computer Science and Engineering Department at UCSD. He received a PhD in Computer Science at UCLA, a masters degree (MS) in engineering and bachelor degrees (BS) in both Engineering and Computer Electrical Engineering, all from Northwestern University.





# **TVS Agenda**

11.00 Introductions

#### 11.05 TVS

- Safety and security in Hardware and Software
- Requirements Driven Test and Verification (RDTV)
- Using an ECC example and breaking it down into a test plan
- 11.20 OneSpin
- 11.55 Tortuga Logic
- **12.10** 
  - Analysing the results and signoff
  - Advantages of RDTV
- 12.25 Q&A (TVS, OneSpin, Tortuga Logic)





# Why are Safety and Security important?

#### IC Insights research

- The automotive industry is set to drive chip demand over the coming years.
- IC Insights research suggests the demand from automotive is expected to exhibit average annual growth of 10.8% into at least 2018.
- Demand will come from safety features that are increasingly becoming mandatory, such as backup cameras or eCall, and the near-ubiquitous driver-assistance systems.

#### IoT

- Drones (avionics), autonomous cars, robots, ....
- Connected devices have potential security threats

#### TTTech

- By 2020 50% of all ICs will be safety-related
- By 2020 50% of all ICs will be connected





## **Safety Standards**

- IEC61508: Functional Safety of Electrical/Electronic/Programmable Electronic Safetyrelated Systems
- DO254/DO178: Hardware/Software considerations in airborne systems and equipment certification
- EN50128: Software for railway control and protection systems
- IEC60880: Software aspects for computer-based systems performing category A functions
- IEC62304: Medical device software -- Software life cycle processes
- ISO26262: Road vehicles Functional safety





# Safety

"Freedom from unacceptable risk of physical injury or of damage to the health of people, either directly, or indirectly as a result of damage to property or to the environment"

# **Functional Safety**

"That part of the overall safety that depends on a system or equipment operating correctly in response to its inputs"





# **How Systems Fail**

### Random failures

- Can usually predict (statistically)
- Can undertake preventative activities

### Systematic failures

- Specified, designed or implemented incorrectly
- Can't usually predict

### Systemic failures

Shortcomings in culture or practices







Focus

Here

Todav

## **Basics of Safety Standards**

- The life cycle processes are identified
- Objectives and outputs for each process are described
  - Objectives are mandatory
  - But vary by Integrity Level
  - For higher Integrity Levels, some Objectives require Independence





### IEC61508

SYSTEMS INITIATIVE

### Dynamic analysis and testing

| Technique                                                 | SIL 1 | SIL 2 | SIL 3 | SIL 4 |
|-----------------------------------------------------------|-------|-------|-------|-------|
| Structural test coverage (entry points) 100%              | HR    | HR    | HR    | HR    |
| Structural test coverage (statements) 100%                | R     | HR    | HR    | HR    |
| Structural test coverage (branches) 100%                  | R     | R     | HR    | HR    |
| Structural test coverage (conditions, MC/DC) 100%         | R     | R     | R     | HR    |
| Test case execution from boundary value analysis          | R     | HR    | HR    | HR    |
| Test case execution from error guessing                   | R     | R     | R     | R     |
| Test case execution from error seeding                    | -     | R     | R     | R     |
| Test case execution from model-based test case generation | R     | R     | HR    | HR    |
| Performance modelling                                     | R     | R     | R     | HR    |
| Equivalence classes and input partition testing           | R     | R     | R     | HR    |



### **Key Processes**

- Plans & Standards
- Requirements
- Design Specifications
- Reviews and Analyses
- Testing (against specifications)
  - At different levels of hierarchy
- Test Coverage Criteria
- Requirements Traceability
- Independence





## **Key Deliverables**

- Verification Plan
- Validation and Verification Standards
- Traceability Data
- Review and Analysis Procedures
- Review and Analysis Results
- Test Procedures
- Test Results
- Acceptance Test Criteria
- Problem Reports
- Configuration Management Records
- Process Assurance Records



## **Key Deliverables**

- Verification Plan
- Validation and Verification Standards
- Traceability Data
- Review and Analysis Procedures
- Review and Analysis Results
- Test Procedures
- Test Results
- Acceptance Test Criteria
- Problem Reports
- Configuration Management Records
- Process Assurance Records





#### **Traceability in Practice**



Shows a mapping from features to verification and test plans





# Example – Safeguarding a FIFO

#### Safety Function

- Detect 1-bit errors and correct them
- Detect 2-bit errors and raise alarm



- Encoder adds e data bits stored in RAM
- Decoder detects & corrects 1-bit faults on read (error=0, corrected=1)

Decoder detects 2-bit faults on read (error=1)





# A full ? set of requirements

- R1 FIFO\_SINGLE\_BIT The FIFO will be able to detect and correct single bit errors.
- R2 ERR\_REPORT\_CPU Single bit errors must be reported to the CPU
- R3 MULT\_ERR\_CPU The FIFO will be able to detect and report multiple bit errors to the CPU
- R4 FIFO\_NOT\_FULL Data arriving on the write interface shall be written in to the FIFO as long as it is not full
- R5 FIFO\_NOT\_EMPTY Requests to read data shall return the oldest data in the FIFO as long as it is not empty
- R6 FIFO\_EMPTY\_READ Read attempts from an empty FIFO shall be reported to the CPU
- R7 FIFO\_WRITE\_FULL Write attempts to a full FIFO shall be reported to the CPU
- R8 WRITE\_APB\_INTERFACE Write data shall come across an APB interface
- R9 READ\_APB\_INTERFACE Read data shall be send across an APB interface
- R10 STATUS\_REG\_SINGLE\_ERR A status register will record a single bit error
- R11 STATUS\_REG\_MULTI\_ERR A status register will record a multibit error bit error
- R12 STATUS\_REG\_FIFO\_FULL\_ A status register will indicate a FULL fifo

A status bit will record underflow

only users with privilege level 1 or 2

only users with privilege level 1 can read from the FIFO

- R13 STATUS\_REG\_FIFO\_EMPTY A status register will indicate an empty fifo
- R14 STATUS\_REG\_FIFO\_OVERFLOW A status register will indicate overflow
- R15 STATUS\_BIT\_OVERFLOW
- R16 PRIVILEGE\_LEVEL\_1
- R17 PRIVILIGE\_LEVEL\_1\_2

Safety Functional Security





# Safety Requirement Decomposition (example)

Req: Safeguard Design against single bit soft errors

Sub-Concept/Req: Safeguarde each FIFO

#### Safety Reqirements for FIFO / Concept:

- Use ECC FIFO
- Detect 1-bit errors and correct them
- Detect 2-bit errors and raise alarm

### Safety Verification Requirement for ECC FIFO Implmementation

- If no error occurs, nothing is flagged and the data is uncorrupted
- If one error occurs, no error is flagged, the data is uncorrupted and the correction is flagged
- If two errors occur, an error is flagged, but no correction

#### Formal Safety Properties to verify Implementation

Separate slide



# **Mapping Security Requirements to Features**

 R16 - PRIVILEGE\_LEVEL\_1: only users with privilege level 1 can read from the FIFO

ECC\_SECURITY\_1 Reads without privilege level Reads without privilege level 1 or 2 will cause a bus error

ECC\_SECURITY\_2 Reads with privilege level

Reads with privilege level 1 or 2 will be successful





### **Mapping Requirements to Verification Metrics**



**Relationships can be:** 

- Bi-directional
- Many-many

Metrics can be:

- From HW verification
- From Silicon validation
- From SW testing





### asureSIGN Demo

Mapping the requirements to a test plan





# **TVS Agenda**

11.00 Introductions

### 11.05 TVS

- Safety and security in Hardware and Software
- Requirements Driven Test and Verification (RDTV)
- Using an ECC example and breaking it down into a test plan
- 11.20 OneSpin
- 11.55 Tortuga Logic
- 12.10 TVS
  - Analysing the results and signoff
  - Advantages of RDTV
- 12.25 Q&A (TVS, OneSpin, Tortuga Logic)





# Requirement Driven Verification for Safety & High Reliability

#### Jörg Große







# Why Safety & Reliability Verification is important - Risk Drivers

- Cars are computer on wheels
  - But reset is not an option, especially not when diving at high speeds

#### Systematic Errors

- Machine Errors
  - Synthesis bugs, ..
- Human Errors
  - Implementation bugs
  - Design bugs
- Driven by
  - Ever increasing complexity
  - Time to market and budget

#### **Random Errors**

- Hard Errors
  - Latch-ups
  - Burnouts (struck-at faults)
- Soft Errors
  - Transients (glitches, bit flips)
- Driven by
  - Decreasing geometries
  - Decreasing supply voltage

ESIGN AND VER

• Increasing area



# Consequence?



#### Functional Verification + Safeguard Verification = Functional Safety Verification





# Safeguarding against Random Errors



**Fault Detection** 

Raise alarm

Fault Handling

- Enter into safe mode
- Or correct erroneous output

#### Examples

- Parity, ECC, lock-step







#### Puts additional pressure on Time-to-Market & Budget! => Automation



# Minimizing Systematic Errors with Rigorous Requirement Based Verification





# Generic Verification Flow with Requirement Tracing



# Example Design Safeguarding a FIFO with ECC

- Safety Functions
  - Detect 1-bit errors and correct them
  - Detect 2-bit errors and raise alarm
- Design:



Encoder adds e data bits stored in FIFO





# Functional & Safety Requirements

#### Functional Requirements

The FIFO is not full and empty at the same time

The FIFO is empty after DEPTH many reads without writes

The FIFO is full after DEPTH many writes without reads

The FIFO is no longer empty after a write

The first data written to an empty FIFO leaves the FIFO unmodified on the first read

#### Safety Requirements

If no error occurs, nothing is flagged and the data is uncorrupted

If one error occurs, no error is flagged, the data is uncorrupted and the correction is flagged

If two errors occur, an error is flagged, but no correction





# **Mapping Requirements to Properties**

#### Functional Requirements

The FIFO is not full and empty at the same time

The FIFO is empty after DEPTH many reads without writes

The FIFO is full after DEPTH many writes without reads

The FIFO is no longer empty after a write

The first data written to an empty FIFO leaves the FIFO unmodified on the first read © Accellera Systems Initiative 36





# **Formal Property**

Requirement based verification → Create assertions for each requirement!

```
not_empty_after_write_a: assert property
(disable iff (!FIFO.reset_n) wr_en |=> !empty);
```

Example: assert.not\_empty\_after\_write\_a "The FIFO is no longer empty after a write"





# Formal Assertion Based Verification



- Early: No stimulus or testbench is needed
- Efficient: Typically check-debug-fix in minutes
- **Exhaustive:** If assertion holds -> no simulation needed





## **Mapping Requirements to Properties**

#### Functional Requirements

The FIFO is not full and empty at the same time

The FIFO is empty after DEPTH many reads without writes

The FIFO is full after DEPTH many writes without reads

The FIFO is no longer empty after a write



The first data written to an empty FIFO leaves the FIFO unmodified on the first read © Accellera Systems Initiative





## Reliable Quantification of Formal Assertion Sets Coverage Reloaded





#### Quantitative Analysis of Verification





SYSTEMS INITIATIVE

#### **Cone-of-Influence Coverage**





© Accellera Systems Initiative



## A Trivial Example – COI Coverage





DESIGN AND VERIE

#### **Prover Coverage**







#### A Trivial Example – Prover Coverage





## **Observation Coverage Principle**



**Example: Statement Coverage** 

- Has the statement been activated?
- If a statement has not been activated during verification, it can't break a check.

© Accellera Systems Initiative

- Has the effect been observed?
- If a statement is modified and activated, some assertion should fail.
- Measures quality of assertions.

• Measures reachability.







# Using Observation Coverage

|      |                                                                          | Unlike COI coverage,     |
|------|--------------------------------------------------------------------------|--------------------------|
| Anno | otated Source for shift_dvcon.sv                                         | observation coverage     |
| 1    | <pre>module shift_reg(input clk, input rst, input in, output out);</pre> | identifies all unchecked |
| 2    | logic [3:0] s;                                                           | assignments.             |
| 3    | assign out = s[3];                                                       |                          |
| 4    | always @(posedge clk)                                                    |                          |
| 5    | begin                                                                    |                          |
| 6    | if(rst)                                                                  |                          |
| 7    | s <= 4'b0000;                                                            |                          |
| 8    | else                                                                     |                          |
| 9    | begin                                                                    |                          |
| 10   | s[0] <= in;                                                              |                          |
| 11   | s[1] <= s[0];                                                            |                          |
| 12   | s[2] <= s[1];                                                            | Need better or more      |
| 13   | s[3] <= s[2];                                                            | assertion(s).            |
| 14   | end                                                                      | assertion(s).            |
| 15   | end                                                                      |                          |
| 16   | state_2i3 : assert property (                                            |                          |
| 17   | <pre>@(posedge clk) disable iff(rst) s[2]  =&gt; s[3]);</pre>            |                          |
| 18   | endmodule                                                                |                          |



DESIGN AND VERIFIC





#### **Quantify Coverage Report**

| Structural Coverage Overview |                  |            |        |          |        |  |
|------------------------------|------------------|------------|--------|----------|--------|--|
| Status                       |                  | Statements |        | Branches |        |  |
| 1                            | covered          | 15         | 40.54% | 21       | 67.74% |  |
| R                            | reached          | 0          | 0.00%  | 0        | 0.00%  |  |
| U                            | unknown          | 0          | 0.00%  | 0        | 0.00%  |  |
| 0R                           | unobserved       | 0          | 0.00%  | 0        | 0.00%  |  |
| 0                            | uncovered        | 22         | 59.46% | 10       | 32.26% |  |
| 0C                           | constrained      | 0          | 0.00%  | 0        | 0.00%  |  |
| 0D                           | dead             | 0          | 0.00%  | 0        | 0.00%  |  |
| Sum                          | quantify targets | 37         |        | 31       |        |  |

| Structural Coverage by File |           |   |          |  |  |  |
|-----------------------------|-----------|---|----------|--|--|--|
| File                        | Statement | 5 | Branches |  |  |  |
| decoder.v                   | 12        |   | 5        |  |  |  |
| encoder.v                   | 5         |   | 0        |  |  |  |
| fifo_fix4.sv                | 20        |   | 26       |  |  |  |

## Expecting FIFO to be fully covered!





### **Stronger Assertion Exposes Bug**

property data\_not\_corrupted\_p; ... (empty & wr\_en, dat=wr\_data[WIDTH-1:0]) ##1 !rd\_en[\*0:\$] ##1 rd\_en |=> rd\_data[WIDTH-1:0]==dat || (!full | empty); // Bad!





DESIGN AND VERIFICATION

CONFERENCE AND EXHIBITION

#### **Quantify Coverage Report**

| Structural Coverage Overview |                  |            |        |          |        |  |  |
|------------------------------|------------------|------------|--------|----------|--------|--|--|
| Status                       |                  | Statements |        | Branches |        |  |  |
| 1                            | covered          | 22         | 59.46% | 26       | 83.87% |  |  |
| R                            | reached          | 0          | 0.00%  | 0        | 0.00%  |  |  |
| U                            | unknown          | 0          | 0.00%  | 0        | 0.00%  |  |  |
| 0R                           | unobserved       | 0          | 0.00%  | 0        | 0.00%  |  |  |
| 0                            | uncovered        | 15         | 40.54% | 5        | 16.13% |  |  |
| 0C                           | constrained      | 0          | 0.00%  | 0        | 0.00%  |  |  |
| 0D                           | dead             | 0          | 0.00%  | 0        | 0.00%  |  |  |
| Sum                          | quantify targets | 37         |        | 31       |        |  |  |

| Structural Coverage by File |          |    |          |  |  |  |
|-----------------------------|----------|----|----------|--|--|--|
| File                        | Statemen | ts | Branches |  |  |  |
| decoder.v                   | 12       |    | 5        |  |  |  |
| encoder.v                   | 5        |    | 0        |  |  |  |
| fifo_fix4.sv                | 20       |    | 26       |  |  |  |

Much better after fix! But still something wrong. Visit our booth P6 for full demo!





#### **Quantify Properties**







### Summary Observation Coverage with Quantify

- Observation coverage algorithm drives precise coverage metric
  - Qualifies for safety-critical
  - Also identifies dead code and overconstrained code
  - Provides comprehensive progress metric
- Don't trust COI coverage
  - Maybe good for sanity/quick check
  - But not for safety-critical
- Prover coverage is also problematic for safety-critical
  - Not objective, results depend on prove engine







#### Verification of Safety Mechanism





# Efficient Verification of Safety Functions



#### **Safety Verification Problem**

- Safety functions are inactive under normal operation!
- Artificially inject faults into verification to activate

Fault Injection complexity for bit vectors:

- 2<sup>width</sup> possible data input combinations
- *(width)* 1-bit errors
- *(width<sup>\*</sup> width-1)* 2-bit errors

Simulation Based Verification is not a good solution:

Hard to anticipate all relevant conditions

© Accellera Systems Initiative

- Hard to deal with huge number of faults + combinations!
- No exhaustive testing feasible



Formal ABV with fault injection





- 1. Describe expected behavior with no fault injected and prove that it holds.
  property (<antecedent> |=> !Alarm)
- 2. Describe expected behavior with the fault(s) injected, inject the fault(s)
  and prove that it holds.
  property (<antecedent> |=> Alarm)
- 3. Describe expected behavior with correctable faults injected, inject the correctable faults and prove that it holds.

property (<antecedent> |=> Input'== CorrectedOutput

DESIGN AND VERI



& Corrected & !Alarm

© Accellera Systems Initiative

#### **FIFO Safety Requirements**

#### Functional Requirements

#### Safety Requirements

The FIFO is not full and empty at the same time

The FIFO is empty after DEPTH many reads without writes

The FIFO is full after DEPTH many writes without reads

The FIFO is no longer empty after a write

The first data written to an empty FIFO leaves the FIFO unmodified on the first read If no error occurs, nothing is flagged and the data is uncorrupted

If one error occurs, no error is flagged, the data is uncorrupted and the correction is flagged

If two errors occur, an error is flagged, but no correction





## Formal ABV with Fault Injection Application Scenario: FIFO

- For FIFO Example:
  - Create no\_error, corrected\_no\_error and error assertions according to the safety requirements
  - Depening on the assertion, inject Bit-Flip faults at the FIFO output





DESIGN AND VERIE

## Application Scenario: FIFO SV Assertions for Safety Features

No error  $\rightarrow$  nothing flagged, data uncorrupted:

One error  $\rightarrow$  no error flagged, data uncorrupted, correction flagged:

Two errors  $\rightarrow$  error flagged, no correction flagged:



© Accellera Systems Initiative



# How to inject the faults?

• Conveniently use formal fault injection:



Formal setup for n-bit faults of desired type

- User can automatically enable different number/kind of faults for individual assertions
- Possible to verify generic assertions like "a 2-bit fault gets detected"
- Supporting FLIP, ST0, ST1, OPEN



© Accellera Systems Initiative



## Using the Formal Fault Injection

inject\_fault -location rd\_data\_FIFO -type <type> -assert <assertion>

| Assertion                            | Inject Fault Type | Expect |
|--------------------------------------|-------------------|--------|
| safety.no_error                      | NONE              | HOLD   |
| <pre>safety.corrected_no_error</pre> | FLIP 1 bit        | HOLD   |
| safety.error                         | FLIP 2 bit        | HOLD   |





## Application Scenario: FIFO Failing Assertion for Safety Feature



© Accellera Systems Initiative

SYSTEMS INITIATIVE

#### FIFO Safety Requirements

#### Functional Requirements

The FIFO is not full and empty at the same time

The FIFO is empty after DEPTH many reads without writes

The FIFO is full after DEPTH many writes without reads

The FIFO is no longer empty after a write

The first data written to an empty FIFO leaves the FIFO unmodified on the first read © Accellera Systems Initiative

#### Safety Requirements

If no error occurs, nothing is flagged and the data is uncorrupted

If one error occurs, no error is flagged, the data is uncorrupted and the correction is flagged

If two errors occur, an error is flagged, but no correction





#### Summary Verification of Safety Mechanism

• ISO 26262-5 (page 28) highly recommends to apply model based fault injection testing:

Table 11 — Hardware integration tests to verify the completeness and correctness of the safety mechanisms implementation with respect to the hardware safety requirements

|   | Methods                              |    | ASIL |    |    |  |
|---|--------------------------------------|----|------|----|----|--|
|   | Methods                              |    |      | С  | D  |  |
| 1 | Functional testing <sup>a</sup>      | ++ | ++   | ++ | ++ |  |
| 2 | Fault injection testing <sup>b</sup> | +  | +    | ++ | ++ |  |
| 3 | Electrical testing <sup>c</sup>      | ++ | ++   | ++ | ++ |  |

- OneSpin provides formal fault injection to meet ISO 26262 and verify safety mechanisms
  - No modification of source code required
  - Supports different fault types and number of faults
  - Unlike simulation, it provides complete proof of all faults in one step
  - Easily maps assertions to faults and checks them









#### **Diagnostic Coverage**





## Diagnostic Coverage ISO 26262 Analysis Requirements



- Diagnostic coverage: proportion of hardware element failure rate that is detected or controlled by safety mechanisms
- High diagnostic coverage is needed to achieve a high Automotive Safety Integrity Level (ASIL)





© Accellera Systems Initiative

#### Discussing Diagnostic Coverage of Safety Mechanisms





© Accellera Systems Initiative



## Fault Classification in Semiconductor Context

- Safe faults
  - Faults which cannot propagate
  - Faults which only propagate to non-safety-critical functions (don't violate a safety goal)
  - Faults which are detected by a safety mechanism before they can cause harm
- Unsafe faults
  - Faults which propagate to a safety-critical function without being detected

Increase

Faults with unknown behavior

Minimize Unsafe Faults



**Diagnostic Coverage** 





#### Formal Propagation Analysis Summary

- Formal propagation analysis can identify
  - Faults which cannot propagate
  - Whether a fault propagates to a safety-critical function
  - Whether a fault propagates to a safety mechanism
- This information helps to classify faults as safe or unsafe and creates more precise diagnostic coverage of the safety mechanism

















## Thank you!

To learn more about safety critical design & verification:

- Read Safety Critical News
  - <u>http://safetycritical.onespin-solutions.com/</u>
- Visit us at Booth P6





#### Questions

#### Finalize slide set with questions slide





#### **TVS Agenda**

11.00 Introductions

#### 11.05 TVS

- Safety and security in Hardware and Software
- Requirements Driven Test and Verification (RDTV)
- Using an ECC example and breaking it down into a test plan
- 11.20 OneSpin
- 11.55 Tortuga Logic
- 12.10 TVS
  - Analysing the results and signoff
  - Advantages of RDTV
- 12.25 Q&A (TVS, OneSpin, Tortuga Logic)















# Not just these devices....







#### How A Creep Hacked A Baby Monitor To Say Lewd Things To A 2posted by Fox Van Allen on July 29, 2013

#### Security risks found in sensors fYear-Old consumer electronics

Published on May 16, 2013 Contact Nicole Casal Moore, U-M, (734) 647-7087, ncmoore@umich.e mcphailk@cec.sc.edu or Lan Yoon, KAIST, +82-42-350-2295, hlyoor

#### F 💌 🛐 🚳 🚱 🗜 🔁 🤇 21

ANN ARBOR-The type of sensors that pick up the rhythm of a beating heart in implanted cardiac defibrillators and pacemakers are vulnerable to tampering, according to a new study conducted in controlled laboratory conditions.

Implantable defibrillators monitor the heart for irregular beating and, when necessary, administer an electric shock to bring it back into normal rhythm. Pacemakers use electrical pulses to continuously keep + Comment Now + Follow Comments

Before I hacked a stranger's smart home, I asked for permission. An anonymous



Car Hacking: The Next Big Threat?

in Travel & Entertainment, News, Computers and Software, Car Tech & Safety, Blog, Automotive :: 0 comments



Charlie Miller and Chris Valasek are a 100-page research paper maliciously hack a car's computer, h and potentially kill its occupants. so with the support - and funding overnment.





Pinit



#### Hackers are now focusing on hardware







### Current "State-Of-The-Art" Designing Secure Hardware







Enable "Design-for-Security" from the ground up to minimize security breaches in hardware and systems

#### Tortuga Logic's PROSPECT Software Solution

| 🔵 💿 🛛 Tortuga Prospect Secure Information Flow Assertion Tool (               | v0.4)         |                                                                                                                                                                                                             |
|-------------------------------------------------------------------------------|---------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                                                                               |               |                                                                                                                                                                                                             |
| Tortuga<br>Logic                                                              |               | Tortuga Prospect – Secure Information Flow Assertion Tool (v0.6)<br>prospect-> Ready.                                                                                                                       |
|                                                                               |               | Setting language of top level design to 'VHDL'                                                                                                                                                              |
| Step 1 - Add all verilog and vhdl (.v or .vhd) files in design                |               | prospect~> Ready.                                                                                                                                                                                           |
| RTL Files Chosen                                                              |               | prospect~> Ready.                                                                                                                                                                                           |
| /home/jonny/git-prospect/prospect/tests/rtl/vhdl/rsa/rsacypher.vhd            |               | Analyzing RTL files                                                                                                                                                                                         |
| Add                                                                           | Remove        | prospect-> Files in design: /home/jonny/git-prospect/prospect/tests/rtl/vhdl/rsa/rsacypher.vhd, /<br>home/jonny/git-prospect/prospect/tests/rtl/vhdl/rsa/modmult.vhd                                        |
| Step 2 - Specify top module, top level language, and clock bound              |               | Ready.                                                                                                                                                                                                      |
| Top level language: O Verilog 💿 VHDL                                          |               | prospect-> Ready.                                                                                                                                                                                           |
| Top Module: rsacypher                                                         | Add           | Checking assertions<br>Assertion (inExp =/=> ready): Disproved<br>Counter Example Generated in VCD Format: output.cexs/cex_0.vcd                                                                            |
| Time Bound (optional - number of cycles to check assertions): 10              | Add           | Assertion (inExp =/>- cypher): Disproved<br>Counter Example Generated in VCD Format: output.cexs/cex_1.vcd<br>Assertion (inExp[0] =/=> ready && inExp[1] =/=> ready && inExp[2] =/=> ready && inExp[3] =/=> |
| Clock Name (optional - if design includes clock gating):                      | Add           | ready && inExp[4] =/=> ready && inExp[5] =/=> ready && inExp[6] =/=> ready && inExp[7] =/=> ready<br>&& inExp[8] =/=> ready && inExp[9] =/=> ready && inExp[10] =/=> ready && inExp[11] =/=> ready &&       |
| Step 3 - Process RTL Files (Re-process for any change in Step 1, Step 2, or V | erilog Files) | inExp[12] =/=> ready && inExp[13] =/=> ready && inExp[14] =/=> ready && inExp[15] =/=> ready):<br>Disproved                                                                                                 |
| Process RTL files                                                             |               | Counter Example Generated in VCD Format: output.cexs/cex_2.vcd<br>Ready.                                                                                                                                    |
| Step 4 - Select Assertion File                                                |               | prospect-> Ready.                                                                                                                                                                                           |
| Assertion file: rsacypher.as                                                  | Add           | Analyzing RTL files<br>prospect-> Files in design: /home/jonny/git-prospect/prospect/tests/rtl/vhdl/rsa/rsacypher.vhd, /<br>home/jonny/git-prospect/prospect/tests/rtl/vhdl/rsa/modmult.vhd                 |
| Step 5 - Check Assertions                                                     |               | Ready.                                                                                                                                                                                                      |
| Check Assertions                                                              |               | Checking assertions<br>Assertion (inExp =/=> ready): Disproved<br>Counter Example Generated in VCD Format: output.cexs/cex 0.vcd                                                                            |
| Step 6 - View Counterexample Waveforms (optional)                             |               | Assertion (inExp =/=> cypher): Disproved                                                                                                                                                                    |
| View Counterexamples                                                          |               | Save Console Copy Console Clear Console                                                                                                                                                                     |
|                                                                               |               | prospect~>                                                                                                                                                                                                  |





😣 🗇 🗇 Tortu

Step 1 - Add

Step 2 - Spe Top level lar Top Module Time Bound

Clock Name Step 3 - Pro

Step 4 - Sele Assertion fi

Step 5 - Che

Step 6 - Vier

#### **Prospect Tool flow**

#### **RTL**



#### **Prospect GUI**

| 🖱 💿 🛛 Tortuga Prospect Secure Information Flow Assertion Tool (                                                                                                                                                                                                                                                                                                                                                                       | v0.4)                              |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |  |  |  |  |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|--|--|--|
| Step 1 - Add all verilog and vhall (v or vhal) files in design<br>RTL Files Chosen<br>//ome/jonry/labtrospect/forsspect/tests/rtl/vhdl/rsa/rsacyober.vhd                                                                                                                                                                                                                                                                              |                                    | Tortuga Prospect – Secure Information Flow Assertion Tool (v0.6)<br>prospect – Ready.<br>Setting language of top level design to 'VHDL'<br>prospect – Seady.<br>prospect – Seady.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |  |  |  |  |
| Add                                                                                                                                                                                                                                                                                                                                                                                                                                   | Remove                             | Analyzing RTL files<br>prospect-> Files in design: /home/jonny/git-prospect/prospect/tests/rtl/vhdl/rsa/rsacypher.vhd, ,<br>home/jonny/git-prospect/prospect/tests/rtl/vhdl/rsa/modmult.vhd                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |  |  |  |  |
| Step 2 - Specify top module, top level language, and clock bound         Top level language:       Verilog       V VHDL         Top Module: rsacypher       Time Bound (optional-number of cycles to check assertions): 10         Clock Name (optional-if design includes clock gating):         Step 3 - Process RTL Files (Re-process for any change in Step 1, Step 2, or Vic         Process RTL Files         Process RTL Files | Add<br>Add<br>Add<br>erilog Files) | Ready.<br>prospect-> Ready.<br>Checking assertions<br>Assertion (Interpf=ready): Disproved<br>Assertion (Interpf=ready): Disproved<br>Counter Example Generated in VCD Format: output.cess/cex_0.vcd<br>Assertion (Interpf=ready & Bitch[1] ==> ready & Bitch[2] ==>> ready.<br>Assertion (Interpf=ready & Bitch[2] ==> ready & Bitch[2] ==>> ready.<br>Assertion (Interpf=ready & Bitch[2] ==> ready & Bitch[2] ==>> ready.<br>Bitch[2] ==> ready. |  |  |  |  |
| Assertion file: rsacypher.as                                                                                                                                                                                                                                                                                                                                                                                                          | Add                                | Analyzing RTL files<br>prospect-> Files in design: /home/jonny/git-prospect/prospect/tests/rtl/vhdl/rsa/rsacypher.vhd, ,<br>home/ionny/ditorospect/prospect/tests/rtl/vhdl/rsa/modmult.vhd                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |  |  |  |  |
| Step 5 - Check Assertions                                                                                                                                                                                                                                                                                                                                                                                                             |                                    | Ready.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |  |  |  |  |
| Check Assertions                                                                                                                                                                                                                                                                                                                                                                                                                      |                                    | Checking assertions<br>Assertion (inExp =//a>ready): Disproved<br>Counter Example Generated in VCD Format: output.cexs/cex_0.vcd<br>Assertion (inExp =/a> cyphei): Disproved                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |  |  |  |  |
| Step 6 - View Counterexample Waveforms (optional)                                                                                                                                                                                                                                                                                                                                                                                     |                                    | Save Console Copy Console Clear Consol                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |  |  |  |  |
| View Counterexamples                                                                                                                                                                                                                                                                                                                                                                                                                  |                                    | prospect->                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |  |  |  |  |
|                                                                                                                                                                                                                                                                                                                                                                                                                                       |                                    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |  |  |  |  |

#### **Security Properties**

key =/=> out coreA =/=> coreB



**Results and Debug feedback** 



# **PROSPECT: Key Values**

#### Automates HW security design

- Reduce security validation from months to hours
- Significant cost savings for certification

#### Increase security coverage and reduce risk

Many checks cannot be done manually

#### Makes design for security a priority





Types of addressable security properties







Critical component is adversely affected



Secret data is unintentionally leaked





## Case Study – Top-25 Semi Company Key Flowing Out Of Design

- Assertion: Key only flows through AES
  - assert iflow (key =/=> \$all\_outputs ignoring aes.\$all\_outputs);
  - If assertion holds, key only flows to outputs through AES first
- Real world results
  - State-of-the-art design with over 10 million gates
  - Actual required properties, impossible to visually inspect







## Case Study – Top-25 Semi Company Key Flowing Out Of Design

- Assertion: Key only flows through AES
  - assert iflow (key =/=> \$all\_outputs ignoring aes.\$all\_outputs);
  - If assertion holds, key only flows to outputs through AES first
- Real world results
  - State-of-the-art design with over 10 million gates
  - Actual required properties, impossible to visually inspect







## Case Study – Top-25 Semi Company Key Flowing Out Of Design

- Assertion: Key only flows through AES
  - assert iflow (key =/=> \$all\_outputs ignoring aes.\$all\_outputs);
  - If assertion holds, key only flows to outputs through AES first
- Real world results
  - State-of-the-art design with over 10 million gates
  - Actual required properties, impossible to visually inspect







<u>Property:</u> assert iflow (*key* =/=> *data\_o*);

#### Fails in 4 cycles

Key XOR Data flows to pins, security flaw







<u>Property:</u> assert iflow (*key* =/=> *data\_o*);

#### Fails in 506 cycles

Encrypted data flows to pins Flow is allowed, ready\_o







| Session Setup File Edit CC/MV EC Tools Window Help                                                  |                                                                                                                              |                                        |  |  |  |  |  |  |
|-----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|----------------------------------------|--|--|--|--|--|--|
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
| Cesign Explorer      G Lint Browser     Ø Auto Checks     Ø Dead-Code Checks     Ø Assertion Checks |                                                                                                                              |                                        |  |  |  |  |  |  |
| Proof Status: fail Validity: up to dat                                                              | 0                                                                                                                            |                                        |  |  |  |  |  |  |
| Instance 🖉                                                                                          | Name 🛆 Proof Status Witness Status Validity Unres ourc Prove Runtime                                                         |                                        |  |  |  |  |  |  |
| B [top]                                                                                             | ! • ! <any !="" <any="" statu="" status:="" validity="" •=""> • ! •</any>                                                    |                                        |  |  |  |  |  |  |
|                                                                                                     | Assertions     sva/sec inst/assertion AES W FSM fail (506)     open up to date14r2 00:07:14                                  |                                        |  |  |  |  |  |  |
|                                                                                                     | Constraints                                                                                                                  |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
| 2 items total, 2 selected by filter                                                                 |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     | Shel                                                                                                                         |                                        |  |  |  |  |  |  |
| Shel O Messages III Progress                                                                        |                                                                                                                              |                                        |  |  |  |  |  |  |
| -I- Examination window for 'sva/sec :                                                               | nst/assertion_AES_W_FSM': [t+0,t+0]                                                                                          |                                        |  |  |  |  |  |  |
| -I- Size of assertion 'sva/sec_inst/<br>-I- Checking assertion 'sva/sec inst/                       | esertion AES W FSM': Vars(1437) Nodes(17538)<br>Vassertion AES W FSM'                                                        |                                        |  |  |  |  |  |  |
| -R- Assertion 'sva/sec_inst/assertion                                                               | -R- Assertion 'sva/sec_inst/assertion_AES_W_FSM' fails within 586 cycles from reset (checked in 07 min 14 sec, 5044 MB used) |                                        |  |  |  |  |  |  |
| -I- Database 'aes_w_fsn' saved to '/'<br>mv>                                                        | ome/zac/prospect-frontend-plugin/test/rtl/verilog/aes_w_fsm/aes_w_fsm.onespin'.                                              | •<br>•<br>•                            |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              |                                        |  |  |  |  |  |  |
|                                                                                                     |                                                                                                                              | Hide Shell Shell Mode Interrupt 🧳 Help |  |  |  |  |  |  |





<u>Property:</u> assert iflow (*key* =/=> *data\_o*) || *ready\_o*; <u>Result</u> Assertion Holds







| Session Setup File Edit CC/MV EC Tools Window Help                                                            |                                                                                                                                                              |                                                                                                                                                              |                                                                                                                   |                                      |                          |                                      |      |  |  |
|---------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|--------------------------------------|--------------------------|--------------------------------------|------|--|--|
| A C                                                                                                           |                                                                                                                                                              |                                                                                                                                                              |                                                                                                                   |                                      |                          |                                      |      |  |  |
| ፍ Design Explorer 🗈 🗳 Lint Browser 🗈 🖉 Auto Checks 🗈 📓 Dead-Code Checks 🗈 🔍 Assertion Checks 🖸 🧉 sva_DF1rUJ 🖸 |                                                                                                                                                              |                                                                                                                                                              |                                                                                                                   |                                      |                          |                                      |      |  |  |
| Proof Status: hold Validity: up to d                                                                          | iate                                                                                                                                                         |                                                                                                                                                              |                                                                                                                   |                                      |                          |                                      |      |  |  |
| Instance 🖉                                                                                                    | Name 🛆                                                                                                                                                       | Proof Status                                                                                                                                                 | Witness Status                                                                                                    | Validity                             | Jnres ourc Prove Runtime |                                      |      |  |  |
| ® B [top]                                                                                                     | 1                                                                                                                                                            | ! <any statu="" td="" •<=""><td>! <any status:="" td="" •<=""><td><pre>! <any validity=""></any></pre></td><td>• ! •</td><td></td><td></td></any></td></any> | ! <any status:="" td="" •<=""><td><pre>! <any validity=""></any></pre></td><td>• ! •</td><td></td><td></td></any> | <pre>! <any validity=""></any></pre> | • ! •                    |                                      |      |  |  |
|                                                                                                               | <ul> <li>Assertions</li> <li>[sva/sec inst/assertion AES W_FSM]</li> <li>Constraints</li> </ul>                                                              | hold<br>₽                                                                                                                                                    | open                                                                                                              | up_to_date                           | 14r2 00:01:26            |                                      |      |  |  |
| 2 items total, 2 selected by filter                                                                           |                                                                                                                                                              |                                                                                                                                                              |                                                                                                                   |                                      |                          |                                      |      |  |  |
|                                                                                                               |                                                                                                                                                              |                                                                                                                                                              | Shel                                                                                                              |                                      |                          |                                      |      |  |  |
| Shel () Messages III Progress                                                                                 | inst/assortion AES W ESM's [ta0 ta0]                                                                                                                         |                                                                                                                                                              |                                                                                                                   |                                      |                          |                                      |      |  |  |
| -I- Size of assertion 'sva/sec inst/                                                                          | assertion AES W FSM': Vars(1437) Nodes                                                                                                                       | s(17539)                                                                                                                                                     |                                                                                                                   |                                      |                          |                                      |      |  |  |
| -R- Assertion 'sva/sec inst/assertion                                                                         | -I- Checking assertion 'sva/sec inst/assertion AES ₩ FSM'<br>-R- Assertion 'sva/sec inst/assertion AES ₩ FSM' holds (checked in 01 min 26 sec, 4203 MB used) |                                                                                                                                                              |                                                                                                                   |                                      |                          |                                      |      |  |  |
| -I- Database 'aes_w_fsm' saved to '/                                                                          | home/zac/prospect-frontend-plugin/test                                                                                                                       | t/rtl/verilog/ae                                                                                                                                             | s_w_fsn/aes_w_fsn.                                                                                                | onespin'.                            |                          |                                      | A    |  |  |
|                                                                                                               |                                                                                                                                                              |                                                                                                                                                              |                                                                                                                   |                                      |                          | Litela Chaill Chail Marka Literatura |      |  |  |
|                                                                                                               |                                                                                                                                                              |                                                                                                                                                              |                                                                                                                   |                                      |                          | Hide Shell Shell Mode Interrupt      | Piep |  |  |





# **TVS Agenda**

11.00 Introductions

#### 11.05 TVS

- Safety and security in Hardware and Software
- Requirements Driven Test and Verification (RDTV)
- Using an ECC example and breaking it down into a test plan
- 11.20 OneSpin
- 11.55 Tortuga Logic
- 12.10 TVS
  - Analysing the results and signoff
  - Advantages of RDTV
- 12.25 Q&A (TVS, OneSpin, Tortuga Logic)





#### **Mapping Requirements to Verification Metrics**



**Relationships can be:** 

- Bi-directional
- Many-many

Metrics can be:

- From HW verification
- From Silicon validation
- From SW testing







#### Use a bi-directional mapping to track backwards

Use an SQL database to hold the mappings and results



## asureSIGN<sup>TM</sup> at the heart of HW/SW V&V



# **Supporting Hierarchical Verification**

- A requirement might be signed off at multiple levels of hierarchy during the hardware development
  - Block
  - Subsystem
  - SoC
  - System
    - Including Software
  - Post Silicon





#### asureSIGN Demo

Mapping the results to the test plan





# Retention of Verification Results (DO 254)

- Verification records should contain a clear correlation to the pass/fail criteria
  - These verification records should contain the author/reviewer, date, and any items used in the including their versions.
  - Any failures or issues found should be correlated to the standard that has been violated.
- Test results should be clearly linked to their associated tests and requirements
- Test Results should be reviewed to be sure that the actual and expect results are giving the correct results and that the tests are passing.





# **Requirements Driven Verification**

### Compliance to various safety standards

hardware and software (and systems)

#### Some advantages

- Identify test holes and test orphans
- Retention of verification results
  - Build historical perspective for more accurate predictions
- Better reporting of requirements status
- Risk-based testing
- Prioritisation and Risk Analysis
- Filtering Requirements based on Customers and releases
- Impact and conflict analysis









