DETECTION METHOD OF THE PROBABLE INTEGRITY VIOLATION AREAS IN FPGA-BASED SAFETY-CRITICAL SYSTEMS

Abstract: The features of integrity monitoring of FPGA-based safety-critical systems are considered. Hardware Trojans are distinguished as one of the most dangerous types of malicious integrity violation in FPGA-based systems. The study shows that hardware Trojans can be implanted into the system (or the system project) during its planned modification, in particular while the hash-sum-based integrity monitoring is suspended. Before the integrity monitoring is restarted, one should therefore make sure that no hardware Trojan has been implanted. The authors propose a method for detecting the probable location of hardware Trojans in the space of FPGA-based components of safety-critical systems. The method is based on analysing which addresses of the computing LUT units of these components are accessed in the normal and in the emergency mode of system operation. A hardware module that registers LUT addressing in accordance with the proposed method has been implemented.


INTRODUCTION
Computer hardware is increasingly developed with the help of computer-aided design (CAD). Modern CAD systems for hardware design include high-performance simulation subsystems. At present, however, the complexity of the designed hardware has reached a level at which these simulation subsystems lose their efficiency. The traditional approach of simulating with software models of hardware components has the following disadvantages: a) the excessive complexity of the created models; b) the large computational complexity of the simulation; c) the long duration of the simulation process.
Taking these arguments into account, we conclude that extending the paradigm of traditional software models with hardware models, building on the high operational efficiency of modern CAD systems, is a promising direction. For an FPGA, a hardware model is a subcircuit placed on the chip together with the target project. Such a subcircuit can: a) obtain information from the required points of the main circuit; b) process this information according to the purpose of the simulation; c) support the transfer of the simulation results to the CAD system. The performance of this approach comes from the fact that both the model and the simulated object operate in the same FPGA chip environment, which is native to both of them.
The hardware model is a project that differs from the target one but is identical to it in the implemented functions, which makes it possible to analyse the process by which these functions are computed. For a number of applications, hardware models have advantages over software models both in design and in use.
In this paper, a method of creating such a hardware model is proposed. It provides a functional analysis of an FPGA project for the purpose of detecting the location of hardware Trojans in that project.
FPGA chips are widely used as a base for building computer systems that control high-risk technical objects. Computer systems of this kind are customarily called safety-critical systems [1], [2]. The choice of FPGAs for building safety-critical systems is justified by the following factors [3][4][5]: a) the possibility of modifying the system functions by reprogramming; b) higher performance. The first factor makes it possible to optimise the system functions without switching the system off for a long time [6]. This simplifies updating the system functions, repairing faults detected during operation, and optimising individual system functions (or modules).
One of the important primary attributes of the dependability of safety-critical systems is integrity, the ability of the system to exclude unintended modification of the system and of the services it provides [7,8]. Since FPGA chips are program-driven devices, their operation is modified by changing their program code. That is why the program code (at the stage of system operation), or the project descriptions that are translated into the program code (at the stage of system design), is the basic medium of system integrity. Thus, the program code integrity of the FPGA-based components underpins the integrity of a system composed of such components.

RELATED WORKS
For safety-critical systems, the hidden malicious implantation of hardware Trojans is the most dangerous type of integrity violation [9,10]. For FPGA-based systems, hardware Trojans are fragments of malicious program code secretly implanted into the system. These fragments create a subcircuit that runs the Trojan and provides its malicious functioning in the FPGA space. The functioning of a hardware Trojan is characterised by an activation engine (trigger) and a malicious function (payload). Accordingly, the program code of a hardware Trojan consists of two parts [11]: a part that programs the activation subcircuit and a part that implements the malicious Trojan function.
The activation subcircuit can potentially analyse the input signals of the system as well as signals present at internal points of the system. Its basic purpose is to start the malicious Trojan function when a certain event occurs. The activation event can be of a combinational nature (a certain combination of input and internal signals of the system) or of a sequential nature (the passing of a certain sequence of states). The difficulty of detecting a hardware Trojan in the system is caused by the low probability of its activation during system testing [12][13][14]. The party implanting the hardware Trojan is interested in the absence of any manifestation of the Trojan up to the moment of its activation.
The subcircuit implementing the malicious Trojan function can cause a fault in the operation of the system or organise the leakage of confidential information processed by the system [15].
A hardware Trojan can be implanted into an FPGA-based system both at the design stage and at the operation stage. At the design stage, the Trojan is implanted into a project fragment with a high-level description (HDL and/or schematic description), which is eventually translated into the FPGA program code [16].
The integrity of the project of an FPGA-based system is usually ensured by computing a hash sum [17,18] for individual project files or for the entire project [19]. The hash sums used for the integrity monitoring are attached to the corresponding project files or embedded into the project structure [20]. At the operation stage, the integrity of the program code of an FPGA-based system can be ensured either with a separate hash-sum file or by embedding the hash directly into the program code in the form of a digital watermark [21,22]. Implanting a hardware Trojan into the project of an FPGA-based system violates the integrity of this project; implanting a Trojan into the program code of the functioning system likewise violates its integrity. Implanting a Trojan into a project (system) that is under monitoring therefore violates its integrity and leads to the detection of the implantation.
A possible way to evade the integrity monitoring (implemented with a hash sum or checksum of the .sof or .pof configuration files of the FPGA) is to exploit a life-cycle vulnerability of the FPGA-based components of safety-critical systems. Many models have been developed to analyse the life cycle of such systems, for example the V-model of the life cycle of safety-related systems (standard IEC 61508) [23] and its adaptation to FPGA systems [24]. A model that determines the links between the FPGA design stages and the FPGA project verification stages (with the development products participating in the formation of these links) is also known [25]. In [26], a model of the integrity life cycle of FPGA-based systems is offered. The analysis of these models shows that there are two types of stages in the life cycle of an FPGA-based system: a) stable stages, during which the system (project) is not modified and is under integrity monitoring; b) modification stages, during which a legal modification of the system (project) is carried out and for which the integrity monitoring is temporarily suspended.
Fig. 1 shows the indicative stages of the life cycle: stable stages alternate with modification stages. The transition into a modification stage requires pausing the integrity monitoring process (time moments Mstop). The subsequent transition into a stable stage requires recalculating the hash sum and restarting the integrity monitoring (time moments Mstart). At the moments when the integrity monitoring is not running, illegal modifications of the system (e.g., implantation of hardware Trojans) are possible along with the legal ones. To prevent an illegal modification from passing unnoticed, the system (project) should be validated before the monitoring is restarted [27][28][29] (time moments V), which guarantees that no unintended modification has been introduced. Detecting a hardware Trojan during validation is complicated by the following features. First, the hardware Trojan is disguised as hardware resources providing the basic function of the system. Second, the Trojan is created so as to complicate its detection during system testing. Lastly, the Trojan does not manifest itself during system operation up to the moment of its activation.
The goal of this paper is to improve the detection of the probable area of hardware Trojan location (performed when validating the system before the integrity monitoring is started) in the space of FPGA-based components of safety-critical systems, using an analysis of the addressing of the LUT unit values of these components.

METHOD OF ANALYSIS OF ADDRESSING TO THE LUT UNIT VALUES
We regard the offered method as one that performs preliminary processing of information about the functioning of the FPGA-based system. The method is based on embedding into the FPGA chip space a circuit that registers the addressing of the values of the LUT units (the elementary computing units of the FPGA) [30,31]. This circuit allows information about which addresses of the computing LUT units are accessed during system operation to be registered and extracted from the FPGA.
We suppose that information about the accessed LUT unit addresses can be used to detect the probable location areas of hardware Trojans in the FPGA chip space. We proceed from the following considerations. Safety-critical systems are designed to operate in two modes: normal and emergency. Here there is a contradiction: on the one hand, the main function of these systems is to provide safety in the emergency mode; on the other hand, these systems operate in the normal mode for the greatest part of their life cycle [32,33]. Moreover, the sets of input codewords of safety-critical systems differ essentially between the normal and the emergency mode. This is explained by the peculiarities of the informational interaction between high-risk objects and the safety-critical systems serving them. Hardware Trojans can potentially manifest their malicious functions in both the normal and the emergency mode. However, we consider the attack scenario in which the Trojan manifests itself only in the emergency mode to be both probable and the most dangerous. Within this scenario the Trojan preserves the appearance of system integrity and does not disturb the correct functioning of the system in the normal mode (i.e., for most of the operating time of the safety-critical system). In extremely dangerous conditions, however, the Trojan behaves in a way that prevents the system from functioning correctly. We suppose this scenario to be the most advantageous for the initiator of an attack on a safety-critical system.
The point is that the nature of the input data differs substantially between the normal and the emergency mode [34,35]. Under these conditions, statistics of the activity of the computing LUT units make it possible to analyse how the participation of these units in the computational process changes between the two operating modes of the FPGA-based safety-critical system [26]. Statistics of the addressing of individual LUT unit addresses give more detailed information about the functioning of a unit in the two modes, i.e., under different sets of codewords. The information about which LUT units are active in each mode, and which addresses of these units are used in each mode, serves as input for hardware Trojan detection methods. The basic idea of the offered method is to study the addressing of the LUT unit addresses under input data characteristic of the normal mode. The LUT unit addresses that are not accessed under such data then form the set of addresses attributed to the functioning of the system in the emergency mode. We consider obtaining these sets of addresses, which support the system functioning in its different operating modes, useful for future methods that determine the hardware Trojan location more precisely.
Within the proposed method, the addressing registration circuit is embedded into the FPGA project under study (Fig. 2) and is used to analyse the addressing of the LUT unit addresses. The circuit consists of identical fragments connected to the inputs of each analysed LUT unit of the project. Each fragment is assigned to an individual LUT unit and designed to register the addressing of that unit's addresses. A fragment consists of a decoder and a shift register that can also load data in parallel. The register operates in parallel-load mode when the signal L (Load/Shift) has the value 1 and in shift mode when L has the value 0. The register has the following feature: once a bit of this register obtains the value 1, it does not change any more.
The registration of the addressing of the LUT unit addresses takes place while the input signal Load/Shift has the value 1. When some address Adri = a3a2a1a0 of the LUT unit is accessed, this address is also applied to the decoder input. The decoder produces the value 1 at its output i, which corresponds to the input address Adri. On the rising edge of CLK the register receives the value 1 from the decoder into bit i. By this action the access to address i of the LUT unit is registered. While the registration procedure continues, bit i of the register does not change and keeps the value 1. When the registration procedure is finished, the input signal Load/Shift is set to 0, which transfers the register into the shift mode. On each rising edge of the clock CLK the register contents shift towards the most significant bits, and the current most significant bit is shifted out of the output SO.

Figure 2 - Circuit of addressing registration to the LUT unit addresses
A register circuit that provides the functioning necessary for addressing registration is proposed (Fig. 3).

Figure 3 - Register subcircuit for the registration circuits of addressing to LUT units
The proposed method is a sequence of stages leading to information about the addressing of the LUT unit addresses during the functioning of the system under study.
Stage 1. The number N of LUT units used in the FPGA-based system is determined.
Stage 2. The HDL description of the circuit registering the addressing of the LUT unit addresses (Fig. 2) is formed. The circuit contains N addressing registration fragments.
Stage 3. The circuit formed at stage 2 is synthesised by means of the CAD system.
Stage 4. The amount of hardware resources of the FPGA chip that are not used by the analysed circuit (the free resources) is determined.
Stage 5. If the free resources are not sufficient to place the circuit synthesised at stage 3, the number of circuit fragments is decreased (in this case the method is applied not to the FPGA system as a whole but successively to individual subsets of its LUT units) and the procedure returns to stage 2. Otherwise, proceed to stage 6.
Stage 6. Placement and routing of the circuit synthesised at stage 3 are carried out.
Stage 7. The placed circuit is connected to the LUT unit inputs and to the FPGA chip outputs (manually or with the help of dedicated software).
Stage 8. The chip is configured, or the project model is prepared for simulation.
Stage 9. The system is switched into the mode of registering the addressing of the LUT units. Input data characteristic of the normal mode are applied to the system inputs (of the real system or in simulation). During this time the addressing registration circuit accumulates in its registers information about the accessed addresses of each LUT unit.
Stage 10. When the addressing registration process is complete, the system is switched into the information extraction mode. In the binary codeword extracted from the system, each bit is assigned to a specific address of a specific analysed LUT unit. The value 1 in a bit indicates that the address corresponding to this bit was accessed.
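The following Python model is an added example and is not code from the paper or its Quartus add-on. It models the registration fragment of Fig. 2 (decoder plus sticky-bit shift register per LUT), runs stages 9 and 10 against a constructed toy netlist of five 4-input LUTs, and derives the Table 1 quantities NLUT, NAdr1 and NAdrM. The netlist, signal names, truth tables and input vectors are constructed for illustration; the implanted "Trojan" gates the valve command whenever both emergency flags are set, which never happens in the normal-mode data.

```python
"""Software model (added example) of the LUT addressing-registration method.

Per LUT: a decoder selects bit i of a register for address i = a3a2a1a0, the bit stays 1
once set (Load/Shift = 1), and the register is later shifted out MSB-first on SO
(Load/Shift = 0). LUTs accessed at exactly one address in normal mode form NAdr1.
Netlist, signal names, truth tables and vectors below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Sequence, Set

LUT_INPUTS = 4               # 4-input LUTs, as in Cyclone-class devices
REG_WIDTH = 1 << LUT_INPUTS  # one sticky bit per LUT address


@dataclass(frozen=True)
class Lut:
    name: str
    inputs: Sequence[str]  # signals feeding a3..a0 (MSB first); "0" models a tied-off input
    truth: int             # 16-bit truth table, bit k = output value for address k

    def address(self, sig: Dict[str, int]) -> int:
        addr = 0
        for s in self.inputs:
            addr = (addr << 1) | (sig[s] & 1)
        return addr

    def output(self, addr: int) -> int:
        return (self.truth >> addr) & 1


class AddressingRegister:
    """One Fig. 2 fragment: decoder output i sets bit i; bits never clear; shift-out via SO."""

    def __init__(self) -> None:
        self.bits = [0] * REG_WIDTH

    def load(self, addr: int) -> None:          # Load/Shift = 1
        self.bits[addr] = 1                     # sticky: a registered address stays registered

    def shift_out(self) -> List[int]:           # Load/Shift = 0
        word = []
        for _ in range(REG_WIDTH):
            word.append(self.bits[-1])          # SO carries the current most significant bit
            self.bits = [0] + self.bits[:-1]    # contents shift towards the MSB
        return word                             # word[k] belongs to address REG_WIDTH-1-k


def simulate_cycle(luts: Sequence[Lut], inputs: Dict[str, int]) -> Dict[str, int]:
    """Evaluate the topologically ordered LUT netlist once; returns all signal values."""
    sig = {"0": 0, **inputs}
    for lut in luts:
        sig[lut.name] = lut.output(lut.address(sig))
    return sig


def register_addressing(luts: Sequence[Lut], vectors: Sequence[Dict[str, int]]) -> Dict[str, Set[int]]:
    """Stages 9-10: register addresses while vectors are applied, then extract the codewords."""
    regs = {lut.name: AddressingRegister() for lut in luts}
    for vec in vectors:
        sig = {"0": 0, **vec}
        for lut in luts:
            addr = lut.address(sig)
            regs[lut.name].load(addr)
            sig[lut.name] = lut.output(addr)
    visited = {}
    for name, reg in regs.items():
        word = reg.shift_out()
        visited[name] = {REG_WIDTH - 1 - k for k, bit in enumerate(word) if bit}
    return visited


def classify(visited: Dict[str, Set[int]]) -> Dict[str, object]:
    """Table 1 columns: NLUT, NAdr1 (one address accessed), NAdrM (more than one)."""
    single = sorted(n for n, a in visited.items() if len(a) == 1)
    return {"NLUT": len(visited), "NAdr1": len(single),
            "NAdrM": len(visited) - len(single), "probable_area": single}


def H(addrs) -> int:
    """Truth table with output 1 at the listed addresses."""
    t = 0
    for a in addrs:
        t |= 1 << a
    return t


# Constructed toy controller (hypothetical): en/cmd drive a valve, t_hi/p_hi are emergency flags.
SYSTEM = [
    Lut("ctl",     ("en", "cmd", "t_hi", "p_hi"), H(range(12, 16))),  # en & cmd
    Lut("alarm",   ("t_hi", "p_hi", "0", "0"),    H(range(4, 16))),   # legitimate: t_hi | p_hi
    Lut("lamp",    ("alarm", "en", "0", "0"),     H([4, 8, 12])),     # alarm | en
    Lut("trig",    ("t_hi", "p_hi", "0", "0"),    H(range(12, 16))),  # Trojan trigger: t_hi & p_hi
    Lut("payload", ("ctl", "trig", "0", "0"),     H(range(8, 12))),   # ctl & ~trig: blocks the link
]
# Normal-mode data: emergency flags never set, control inputs vary (constructed vectors).
NORMAL_VECTORS = [{"en": e, "cmd": c, "t_hi": 0, "p_hi": 0}
                  for e, c in product((0, 1), repeat=2)] * 3

if __name__ == "__main__":
    visited = register_addressing(SYSTEM, NORMAL_VECTORS)
    for name, addrs in visited.items():
        unused = sorted(set(range(REG_WIDTH)) - addrs)   # addresses attributed to emergency mode
        print(f"{name:8s} normal-mode addresses={sorted(addrs)} unused={unused}")
    print(classify(visited))
    em = simulate_cycle(SYSTEM, {"en": 1, "cmd": 1, "t_hi": 1, "p_hi": 1})
    print(f"emergency: ctl={em['ctl']} payload={em['payload']}")
```

Running the block puts `trig` and `alarm` into NAdr1 while `ctl`, `lamp` and `payload` land in NAdrM: the set NAdr1 covers the Trojan trigger but only part of the Trojan circuit, and it also contains legitimate emergency logic (`alarm`). This is the caveat a practitioner should keep in mind: NAdr1 narrows the search area, as the paper claims, but it is a candidate set for further localisation, not a verdict.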

CASE STUDIES
The proposed method was implemented as a software application, an add-on for the Intel (Altera) Quartus CAD system [36]. The application performs the following basic actions: a) extracts from the FPGA project detailed information about the placement of its elementary units, the program codes of these units and the links between them; b) places the addressing registration circuit into the FPGA project; c) prepares the resulting FPGA project model and passes it to the simulation system, or configures the FPGA chip; d) extracts the information about the registered addressing from the simulation system. With this application an experiment was carried out to obtain statistics of the addressing of individual LUT unit addresses.
Five FPGA projects were used as experimental material. The target chips of these projects were Intel (Altera) Cyclone II-IV FPGAs [37]. Each project contains a safety-critical system into which a Trojan circuit was implanted. Each experimental safety-critical system is a control system for a hypothetical high-risk technical object, and the systems differ in the complexity of the algorithms that form the control signals from the system inputs. Because of these differences, the total number of LUT units differs between projects (from 196 to 843). The Trojan circuits implanted into the experimental projects used combinations (both parallel and sequential) of input values typical of the emergency mode as the activating event. The action of the implanted Trojans was to block critical links in the circuits of the experimental systems.
Data typical of the normal mode were applied to the inputs of the systems participating in the experiment, and the addressing activity of the LUT unit addresses was registered. The following quantities were determined in the course of the experiment (Table 1): NLUT, the total number of LUT units in the project; NAdr1, the number of LUT units at whose inputs only one address occurred during the experiment; NAdrM, the number of LUT units at whose inputs more than one address occurred during the experiment. The column Result contains information about the correlation between the implanted Trojan circuit and the LUT unit set NAdr1 (whether the set NAdr1 covers the Trojan circuit completely or partially). Table 1 shows that in all the projects the hardware Trojan circuit consists completely or partially of LUT units belonging to the set NAdr1. The number of LUT units in the set NAdr1 (the potentially probable Trojan location area) is significantly smaller than the total number of LUT units. Information of this type (Table 1) complements the LUT unit activity data obtained with the method offered in [26]. Together, the LUT unit activity information and the statistics of the addressing of their addresses make it possible to increase the efficiency of the Trojan search performed before the integrity monitoring is started, owing to a substantial reduction of the search area. Across the variety of cases, the experiments confirmed that the proposed method can be used to reduce the search area in the Trojan detection process.

CONCLUSION
We regard the approach offered in this paper as one of creating a hardware model for analysing the functioning of an FPGA project, for the purpose of detecting the probable location area of hardware Trojans in that project. The simulation problem solved by the obtained hardware model can certainly also be solved by traditional software simulation: a software environment reproducing the operation of the target circuit must be created and the simulation carried out in that environment. This procedure, however, is extremely laborious and not formalised, whereas the offered method is a strictly formalised sequence of operations that can be executed in an automated mode.
We position the proposed method as a base for hardware Trojan detection in systems whose components are implemented on FPGAs. The method can be applied in the verification procedure before the system integrity monitoring is started. It allows two subsets of LUT unit addresses to be formed: the subset supporting the system functioning in the normal mode and the subset supporting its functioning in the emergency mode. Forming these two subsets is based on the substantial difference in the nature of the input data for the two operating modes of a safety-critical system.
The offered method is not considered self-sufficient. It only performs information preprocessing for the FPGA-based system, namely registering the addressing of the LUT unit addresses under input data characteristic of a particular operating mode. The method provides the base information about the location of possible integrity violation areas. This information is intended for methods that run after the proposed one and perform a more detailed localisation procedure. Therefore, we conclude that the research should be continued towards developing methods that use the results of the proposed method as their initial data.