
IEEE JOURNAL ON EMERGING AND SELECTED TOPICS IN CIRCUITS AND SYSTEMS, VOL. 11, NO. 2, JUNE 2021, p. 415

Proof-Carrying Hardware-Based Information Flow Tracking in Analog/Mixed-Signal Designs

Mohammad Mahdi Bidmeshki, Angelos Antonopoulos, Member, IEEE, and Yiorgos Makris, Senior Member, IEEE

Abstract— Information flow tracking (IFT) is a widely used methodology for ensuring data confidentiality and/or integrity in electronic systems and many such methods have been developed at various software or hardware description levels. Among them, Proof-Carrying Hardware Intellectual Property (PCHIP) introduced an IFT methodology for digital hardware designs described in hardware description languages (HDLs). However, it is not only the digital domain that suffers from the risk of inadvertent information leakage. Indeed, analog signals originating from sources of sensitive information such as biometric sensors, as well as analog circuit outputs could also carry confidential information. Moreover, analog circuits are equally susceptible as their digital counterparts to malicious modifications, known as hardware Trojans, which could introduce covert channels for leaking such confidential information. Furthermore, in analog/mixed-signal circuits, such information leakage channels may cross the analog/digital or digital/analog interface, making their detection even harder and, thereby, intensifying this security concern. As a solution, we introduce a PCHIP-based methodology which enables systematic formal evaluation of information flow policies in analog/mixed-signal designs. This solution can reason on analog designs described at the transistor-level or at the block-level, where an abstract model of the analog circuit is considered. Additionally, it can handle analog circuit models developed in Verilog-A or Verilog-AMS, thereby enabling the use of circuit models developed in these HDLs for IFT purposes. By integrating IFT across the digital and analog domains, the proposed solution is able to detect sensitive data leakage from the digital domain to the analog domain and vice-versa, without requiring any modification of the current analog/mixed-signal circuit design flow.

Index Terms— Information flow tracking, analog/mixed-signal design, hardware trust, hardware Trojans, information leakage.

Manuscript received December 3, 2020; revised March 3, 2021; accepted April 16, 2021. Date of publication April 22, 2021; date of current version June 14, 2021. This work was supported in part by the National Science Foundation (NSF) under Grant 1318860. This article was recommended by Guest Editor J. M. Fung. (Corresponding author: Mohammad Mahdi Bidmeshki.)

Mohammad Mahdi Bidmeshki and Yiorgos Makris are with the Department of Electrical and Computer Engineering, The University of Texas at Dallas, Richardson, TX 75080 USA (e-mail: [email protected]; [email protected]).

Angelos Antonopoulos was with the Department of Electrical and Computer Engineering, The University of Texas at Dallas, Richardson, TX 75080 USA. He is now with u-blox Athens S.A., 15125 Maroussi, Greece (e-mail: [email protected]).

Color versions of one or more figures in this article are available at https://doi.org/10.1109/JETCAS.2021.3075098.

Digital Object Identifier 10.1109/JETCAS.2021.3075098

2156-3357 © 2021 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See https://www.ieee.org/publications/rights/index.html for more information.

I. INTRODUCTION

Information flow tracking (IFT) [1] is a methodology for tracking the propagation and/or the usage of sensitive or untrusted data in computer systems. The main objective of IFT is to ensure the confidentiality and/or the integrity of sensitive data, by verifying that they do not get contaminated by untrusted sources and/or they do not reach unauthorized sites. In its basic but fundamental form, IFT augments each data element with sensitivity tags. Additionally, it defines rules (known as information flow policies) for propagating and manipulating these sensitivity tags in accordance with the operations performed on their corresponding data elements, and it restricts the usage of data with specific tags to authorized sites. Initial IFT methodologies focused on software [1] while considering hardware as the root of trust. Later efforts in this domain sought to take advantage of hardware entities to improve IFT performance [2]. Even more recently, such efforts have been further driven by the realization that hardware vulnerabilities, introduced either through inadvertent errors or through malicious tampering, can lead to major security risks [3]. As a result, several IFT-based methods [4]–[12] were introduced to evaluate and ensure the security of hardware at various abstraction levels.

Existing hardware IFT methodologies are limited to designs in the digital domain and lack support for any type of analog computation. Yet, analog and mixed-signal designs are also susceptible to hardware attacks, whereby confidentiality and/or integrity of sensitive data may be endangered. In fact, leaking secret information from the digital domain through systematic modification of analog performances has already been successfully demonstrated in previous studies [13], wherein carrier frequency or transmission power manipulation in an RF transmitter was used to leak secret encryption key data. As mixed-signal IC designs become widespread due to the ubiquitousness of wireless technologies, such as Bluetooth and Wi-Fi, and as simple digital I/Os of the past are being substituted by high-speed links which extensively combine analog and digital techniques for noise reduction or channel distortion compensation [14], this problem exacerbates. In addition, as mixed-signal designs become more complicated, adversaries are afforded more opportunities for implanting such malicious capabilities, which often require no more than a single transistor or capacitor [13], [15]. Furthermore, design errors in the analog/mixed-signal portion of a circuit, which as reported by the author in [16], account for approximately 20% of all bugs in the design cycle of modern microprocessors, may also pose security threats. Therefore, developing an IFT approach which can handle analog/mixed-signal designs becomes paramount, as it can assist in revealing potential information leakage paths and, thereby, instilling trust in such designs.

To this end, in this paper we introduce an IFT methodology which is capable of seamlessly crossing the analog/digital boundary. More specifically, by extending the previously developed Proof-Carrying Hardware Intellectual Property (PCHIP) method from the digital domain [9], [17], [18] to the transistor-level, we create a unified framework for enforcing information flow policies in digital, analog, and mixed-signal designs. Furthermore, we introduce analog IFT capabilities at a higher level of abstraction, namely the block-level. Such capabilities are particularly important for two reasons. First, they can increase accuracy, as the very fine granularity of transistor-level IFT, in conjunction with the conservativeness of the PCHIP-based method, makes it prone to false positives. Second, they can facilitate early security evaluation of designs, long before the detailed transistor-level implementation is made available. Additionally, we enhance our PCHIP-based methodology to recognize analog constructs used for modeling analog behavior in Verilog-A and Verilog-AMS. This enables designers to leverage analog circuit models, which are usually developed for design verification, for the purpose of IFT evaluation. We acknowledge that the accuracy of block-level IFT depends on the details accounted for in the block-level models. Nevertheless, transistor-level IFT can still be used for a more detailed evaluation of the design once the transistor-level implementation is available.

The rest of this paper is organized as follows. Section II further motivates the need for IFT in mixed-signal designs by exploring an example. Section III reviews related work.

Fig. 1. A Trojan which adds a transistor in the power amplifier to leak information by varying transmission power, along with its leakage path.

Such possible exploitation of the analog domain, along with the potential existence of undetected design bugs, underline the need for a methodology that can track the flow of sensitive information in a mixed-signal design as a whole. While there are plenty of techniques applicable in the digital part, to the best of our knowledge, such a capability is lacking in the analog and mixed signal domain. This work seeks to fill this gap and is considered as a first step toward establishing a framework capable of information flow tracking in digital, analog, and mixed-signal designs.

III. RELATED WORK

Many IFT approaches have been introduced at various software or hardware description levels. In this section, we briefly review a handful of them and contrast them to the method proposed herein.

At the software level, static IFT methods enforce information flow policies on a program at compile-time based on logical inference and reasoning [19]. In contrast, dynamic IFT schemes are applied during program execution and benefit from the availability of more detailed run-time information,