LLMs Show Promise In Secure IC Design

The introduction of large language models into the EDA flow could significantly the time, effort, and cost of designing secure chips and systems, but they also could open the door to more sophisticated attacks.

It’s still early days for the use of LLMs in chip and system design. The technology is just beginning to be implemented, and there are numerous technical challenges that must be overcome before the full potential of LLMs can be harnessed. Still, it appears they will play a significant role in the future for securing chips and systems.

“We have a lot of tools in which we’re incorporating AI technology,” Mike Borza, a Synopsys scientist. “LLMs are one part of that technology, but not the entire story. A lot of the optimization tools that are around incorporate machine learning and then deploy inference engines around that. That’s been a very effective set of tools for us. LLMs are just emerging as an interesting tool. They’ve been found mostly in the design realm, and present ways to capture both local knowledge and, in some cases, global knowledge.”

The rise of LLMs coincides with growing focus on securing systems, which includes hardware as well as software. In the past, much of effort was spent on software because it was easier to attack remotely. But as hardware and software become increasingly intertwine, and knowledge about side-channel attacks widens, that mindset is changing. Rahul Kande, a Ph.D. student at Texas A&M University’s Secure and Trustworthy Hardware Lab, believes LLMs can help bridge the knowledge gap between hardware and software security.

“A lot of semiconductor engineers didn’t have awareness about hardware security. They were mostly focusing on functional verification, making sure that the chip works as intended,” Kande said. “The question that we are asking at my research group is, ‘Yes, you can use LLMs for generating Verilog code, but what about the security aspects of the chip? And is it a good thing from a security perspective, or is it a bad thing?’”

LLMs act as a bridge, and they serve as excellent educational tools. The downside is they also provide new ways to identify and exploit vulnerabilities.

LLMs as an educational tool
When OpenAI’s ChatGPT launched in November 2022, many people were amazed at the ease with which it was able to generate responses to queries. This is very much the role LLMs are currently posed to play within EDA design flows, according to Alexander Petr, a senior director at Keysight EDA. Currently, Petr said his experience with EDA LLMs has been restricted to a few chatbot-type applications, where engineers can ask a question and get advice on a design issue, though he warned that such tools are subject to “various degrees of quality.”

Kande’s fascination with incorporating LLMs into hardware security came about while working on his Ph.D., which originally focused on applying a software approach called fuzzing and applying it to hardware. The process involved making many decisions on which inputs to test, which can affect how quickly vulnerabilities are found. He and his colleagues began applying LLMs to the process to speed it up. The programs generate inputs and also act as a monitor of the hardware, alerting them to any detected vulnerabilities. They described the technique in a paper they presented at the 31st USENIX Security Symposium. While it has yet to gain widespread use, Kande hopes this will change.

Chatbots can act as a sort of virtual helpdesk for stuck engineers. “[EDA vendors are] trying to improve those chatbots and the information they supply to assist the designer in the algorithm signal of a C domain,” said Keysight’s Petr noting it likely will soon advance to co-pilot type applications. “We won’t just ask how certain functionalities are executed. They actually will be executed for you. You can ask them to do simple things like, ‘Can you place this new element? Can you change the size of this new element? Can you run the simulation for me? Can you modify those configurations in my optimizer and my simulation? This is stuff where normally, as a designer you would need to go in and manually make the modifications. Those co-pilots are the next level up from a virtual assistant just telling you what to do. The co-pilots are able to execute it for you.”

That type of assistance could include the ability to automatically implement more security, in addition to improving metrics like functionality. But Petr noted he has yet to see security applications seriously discussed in this context.

“I would say the security aspects have not really surfaced yet because we’re still working on getting them to generate something that works,” Petr said. “Once you have that, then you will start improving the quality. That’s just the natural evolution of technologies. That’s where we are. It’s in the road maps, but not in the near term.”

Borza agreed that co-pilots are the likely next step. “This would be the first opportunity for both local knowledge and industry best practices to be captured in a single set of tools,” he said. “That’s a very interesting use of the technology, because you can sell a product that has this capability to learn, and allowing it to continue learning really allows local knowledge to be captured.”

Chandra Akella director of advanced technologies, electronic board systems at Siemens EDA, said significant research is underway today to find ways to better assist in the design of electronic systems.

“One promising approach involves enabling these models to comprehend electronic circuits as a distinct modality,” Akella said. “Today’s foundational models can extract knowledge from text, images, video, and audio to generate new content based on user prompts. The goal is to expand this capability, allowing the models to extract detailed insights from component datasheets and publicly available reference designs, enabling them to generate circuit designs based on user input more effectively.”

LLMs require a secure environment
As with any LLM, a hardware-security oriented program can only generate results as good as the data sets it’s trained with. Some valuable knowledge bases, such as the MITRE Corp.’s Common Weakness Enumeration, are broadly accessible, and APIs already are being developed to allow CWEs to be used in LLM-type tools.

However, if LLMs are being used for security purposes, those LLMs also need to be secure. One solution, proposed by Borza, is to only put the programs online at certain times, allowing them to refresh their training material from databases like CWE.

“You refresh a local copy, and then integrate that into the knowledge base of design techniques and actually known issues,” Borza said. “That is what CW really captures. It’s very broad. It captures risks and the things that have commonly been exploited across large numbers of products, and it has very general kinds of descriptions of those things. Putting that into a context of a specific chip design is part of the art of using that tool well.”

At Keysight, Petr said the objective is to build a tool that can be continuously used by their clients on-premises and within a secure environment. For some, that could mean a pivot away from the cloud. Others could go to even further extremes.

“Everyone needs to decide for themselves how safe cloud is for their specific use case, and different people have different security requirements,” he said. “For some, they just waive the concerns away and say, ‘It’s fine, it’s industry standard.’ Others want physical, air-gapped solutions with no internet connection whatsoever, meaning you can’t use fancy stuff like ChatGPT or OpenAI solutions because they require an internet connection to talk to another server.”

Because of the logistical issues that would come with IP sharing, Kande said it’s likely that every company that wishes to incorporate LLMs into their secure designs will have to dedicate resources to training their own models with their own IP.

“There is a possibility where, especially if the model is constantly learning, it learns using both the prompts that it gets and also its responses, so an attacker can probably reverse engineer and extract information out of it,” Kande said. “Wherever IP or proprietary design is involved, the companies are going to start using their own servers with the large language models running on them so that it’s a closed loop. They will start with a pre-trained model, but then once they start training it with their proprietary data, and once they start prompting it with their proprietary data, they will have a closed loop and the access will be limited to that company only.”

IP is only one of many concerns when it comes to training. If LLMs are to catch on in EDA, it’s unlikely they will be the popular models that have become so pervasive. LLMs like ChatGPT are trained on an astounding amount of data, but the data sets are generalized. There is no use in having a model used in chip design that can answer questions about the works of William Shakespeare. Rather, the LLMs will need to be custom made and trained for the industry to have any sort of applicable functionality.

“While some foundational models today exhibit a broad understanding of the electronics domain, they often lack the detailed, technical knowledge required to effectively support the design of complex electronic systems,” said Siemens’ Akella. “For instance, when asked how to design a DDR4 circuit, models like GPT4 (ChatGPT) can provide a high-level, generally accurate response. However, this information is often insufficient for directly translating into actionable steps or selecting specific components for various parts of the circuit. As a result, users may still rely on traditional methods to solve such problems.”

With advances comes risk
While there are numerous advantages to incorporating LLMs into security design, there are also some reasons to be wary. Security-conscious designers are in a constant arms race against attackers, where every new defense garners a new approach to offense.

“Something that is very important for us to note is that it’s not all good and happy when it comes to large language models,” Kande noted. “As hardware design verification engineers and security engineers, we must be wary about the large language models. They help us find vulnerabilities and they help us make the design more secure, but given the capabilities of large language models, they also can do bad things like, for example, helping an attacker plagiarize the code.”

One possible scenario Kande pointed to involves attackers feeding an LLM an input and asking it to generate a Verilog code that is functionally equivalent in order to bypass a plagiarism tool.

“You can make it construct some other attack vectors for inserting Trojans, or for finding faults in the design, or the attacker can just use the large language model to figure out what type of weaknesses are there in the hardware itself,” he continued. “The power that the large language model gives is not only with the designers and the verification engineers. It is also with the attackers.”

Kande also warned that because of the massive data sets involved in training LLMs, their use can lead to inadvertent vulnerabilities that are difficult to catch. It’s a problem that’s common to all use of LLMs in semiconductor design, and indeed their use in general. Since the rise in popularity of ChatGPT, much has been made of the program’s tendency to “hallucinate,” providing erroneous information in prompt responses.

“The new variable here is that some part of the code could be written by a large language model, and the type of mistakes that it makes may be different from the type of mistakes a human makes when he writes a Verilog code,” he explained. “The verification must take into account some very silly things that an engineer would likely never do, but the large language model might do, because you’re training it with such an enormous amount of data, and most of it comes from GitHub or other open-source sources. There’s a lot of bugs in that open-source code, so it might very well have been trained with a buggy code.”

Conclusion
Large language models are quickly being incorporated into a wide variety of tasks, spanning many industries, and EDA is no different. The AI tools have yet to gain widespread usage within EDA design, including security, but their rollout has begun.

Thus far, that has meant chatbots, for the most part, that designers can turn to for help finding solutions to the problems that pop up in the EDA process. With hardware security specialization still a relatively niche field, some experts see these chatbots as playing an important educational role for engineers. The chatbots also could be useful in the movement to shift left when it comes to implementing security into chip and system designs. But LLM-powered copilot programs remain a possibility, albeit one that is not on the immediate horizon.