Before Chips are Made: Hardening SoCs with Emulation

by

Author: Denis Avetisyan

As system-on-chip designs grow in complexity, pre-silicon security verification using hardware emulation is becoming essential to proactively identify vulnerabilities.

A robust security verification flow compiles hardware designs into an emulation platform where realistic workloads are executed, and internal signals are meticulously monitored and analyzed-using assertions, traces, and dedicated monitors-to proactively detect and address potential security vulnerabilities.
A robust security verification flow compiles hardware designs into an emulation platform where realistic workloads are executed, and internal signals are meticulously monitored and analyzed-using assertions, traces, and dedicated monitors-to proactively detect and address potential security vulnerabilities.

This review examines the challenges and opportunities of leveraging emulation for comprehensive SoC security testing, including fuzzing, fault injection, and information flow tracking.

Increasing complexity in modern System-on-Chip (SoC) designs, coupled with growing security threats, exposes limitations in traditional pre-silicon validation techniques. This paper, ‘Emulation-based System-on-Chip Security Verification: Challenges and Opportunities’, surveys the emerging role of hardware emulation in addressing these vulnerabilities by enabling realistic and scalable security testing. We demonstrate how emulation facilitates advanced techniques-including fuzzing, fault injection, and information flow tracking-to proactively identify security flaws before fabrication. Will these advancements in emulation-based verification ultimately establish a new paradigm for ensuring hardware security in an increasingly interconnected world?

The Escalating Complexity of Modern SoC Security

Contemporary Systems-on-Chip (SoCs) represent a monumental leap in microelectronic integration, yet this progress introduces escalating security challenges. These highly complex devices now incorporate billions of transistors and diverse functionalities – from application processors and graphics engines to dedicated AI accelerators and secure enclaves – all interconnected on a single die. This proliferation of features dramatically expands the potential attack surface, offering adversaries a multitude of entry points to exploit vulnerabilities. Traditional security measures, often designed for simpler architectures, struggle to comprehensively assess and mitigate risks within these intricate designs. The increasing sophistication of SoCs, while enabling remarkable capabilities, necessitates a fundamental shift towards proactive and holistic security validation methodologies to safeguard sensitive data and maintain system integrity against evolving threats.

The escalating intricacy of modern Systems-on-Chip (SoCs) presents a significant challenge to established security validation techniques. Historically, these methods relied on identifying and mitigating known vulnerabilities through simulation and testing, but the sheer scale of contemporary SoCs – incorporating billions of transistors and complex interconnects – renders exhaustive verification impractical. This creates a widening gap between design innovation and security assurance, as novel attack surfaces emerge faster than traditional methods can address them. Consequently, even seemingly robust designs can harbor subtle vulnerabilities exploitable through sophisticated attacks, potentially compromising sensitive data or enabling malicious control of the device. The limitations of current approaches necessitate the development of more efficient, automated, and comprehensive security verification strategies to keep pace with the ever-increasing complexity of SoC designs and protect against emerging threats.

The escalating sophistication of modern technology necessitates a fundamental shift towards proactive security verification within Systems-on-Chip (SoCs). As these integrated circuits become ubiquitous in critical infrastructure – from healthcare devices to automotive systems and financial networks – the potential consequences of successful exploitation grow exponentially. Robust verification isn’t simply about identifying known vulnerabilities; it demands a comprehensive approach capable of uncovering subtle design flaws and anticipating novel attack vectors. This requires moving beyond traditional testing methodologies to embrace formal verification techniques, advanced fuzzing, and rigorous threat modeling, all integrated throughout the design lifecycle. Ultimately, prioritizing comprehensive security verification is no longer a matter of best practice, but a critical imperative for safeguarding sensitive data, preserving system integrity, and maintaining public trust in an increasingly interconnected world.

Achieving scalable and automated security verification through emulation requires overcoming architectural and methodological challenges related to scaling, instrumentation density, and trace-buffer constraints.
Achieving scalable and automated security verification through emulation requires overcoming architectural and methodological challenges related to scaling, instrumentation density, and trace-buffer constraints.

Beyond Randomness: Intelligent Approaches to Automated Verification

Fuzzing is a dynamic software testing technique that involves providing a program with a wide range of invalid, unexpected, or random inputs to identify crashes, assertions, or other anomalies indicative of vulnerabilities. While highly effective at discovering bugs, traditional fuzzing approaches can suffer from limited code coverage due to their random nature. Many potential execution paths may remain untested as the fuzzer struggles to reach them with purely random inputs. This inefficiency stems from the lack of guidance in exploring the state space of the software, leading to redundant testing of already-covered areas and a slower rate of vulnerability discovery. Consequently, techniques to improve fuzzer direction and prioritize unexplored code paths are crucial for maximizing its effectiveness.

Coverage-guided fuzzing improves upon traditional fuzzing techniques by utilizing code coverage information to prioritize test cases that explore previously unexecuted code paths. This is typically achieved by instrumenting the target software to track which lines of code are executed during testing. Reinforcement learning (RL) further optimizes this process by training an agent to generate inputs that maximize code coverage or other defined reward functions. The RL agent learns from the feedback of each test case, iteratively improving its ability to discover new code paths and potentially uncover vulnerabilities that would be missed by purely random or coverage-agnostic fuzzing methods. This intelligent direction of testing efforts significantly increases the efficiency and effectiveness of vulnerability discovery.

Adversarial Input-Driven Campaigns and Perturbation-Driven Campaigns represent proactive SoC verification methodologies that complement fuzzing techniques. Adversarial campaigns utilize specifically crafted inputs designed to target known vulnerability classes or exploit potential weaknesses identified through static analysis. Perturbation-Driven Campaigns systematically introduce small, controlled modifications to valid inputs, observing the resulting system behavior for anomalies indicative of design flaws. Both approaches differ from purely random fuzzing by focusing testing efforts on areas most likely to reveal vulnerabilities, thereby increasing the efficiency of the verification process and providing higher confidence in the SoC’s robustness against malicious or unexpected inputs. These campaigns are often automated and integrated with coverage analysis tools to maximize the exploration of the design space.

Emulation-based fault-injection vulnerability discovery utilizes property binding, campaign planning, high-throughput emulation, and compact evidence to systematically identify and debug errors [48,49].
Emulation-based fault-injection vulnerability discovery utilizes property binding, campaign planning, high-throughput emulation, and compact evidence to systematically identify and debug errors [48,49].

Emulation-Based Security Verification: A Platform for Realistic Analysis

Emulation-Based Security Verification (ESV) facilitates the execution of firmware and operating system workloads at a significantly higher rate than traditional simulation methods. This high-throughput capability is achieved by utilizing hardware emulation, which models the System-on-Chip (SoC) behavior directly in hardware, allowing for near real-time execution. The ability to run workloads at production speeds is critical for realistic security assessments, enabling the identification of vulnerabilities that may not be apparent in slower, abstracted testing environments. This approach allows security analysts to observe system behavior under load, analyze performance characteristics during attacks, and validate the effectiveness of security mitigations in a practical context.

Hardware emulation, as utilized in Emulation-Based Security Verification (ESV), provides a more accurate representation of System-on-Chip (SoC) behavior than traditional software simulation. Simulation relies on abstract models and approximations, leading to discrepancies between the simulated environment and actual hardware execution. Emulation, conversely, utilizes a physical emulation engine to execute the firmware or operating system directly on a modeled hardware platform. This allows for cycle-accurate execution and the observation of real-world interactions, including timing-dependent behaviors and subtle hardware-specific effects that are often missed in simulation. The resulting fidelity is critical for comprehensive security assessments, particularly when evaluating vulnerabilities related to timing attacks, power analysis, or complex hardware interactions.

Gray-box instrumentation and white-box monitoring within the emulation-based security verification platform facilitate detailed analysis of system behavior by providing access to internal signals without requiring full source code visibility. This is achieved through SystemVerilog Assertions (SVA), which allow developers to define and verify security policies directly within the hardware description. SVA enables the creation of checkers that monitor critical signals and data flows, triggering alerts or halting execution upon policy violations. Gray-box techniques offer a balance between simulation and full black-box testing, allowing for targeted analysis of specific security concerns while maintaining realistic execution conditions. White-box monitoring provides complete visibility into the system’s internal state, supporting comprehensive security analysis and policy enforcement.

Security Monitors within the Emulation-Based Security Verification (ESV) platform operate as dedicated hardware or software components designed to observe and react to potentially malicious activity detected during firmware and operating system execution. These monitors implement pre-defined security policies and can trigger responses ranging from logging suspicious events to halting emulation and initiating forensic analysis. Functionality includes real-time threat detection based on observed system behavior, intrusion prevention through active intervention, and the ability to enforce access control policies. Integration with the emulation environment allows Security Monitors to access internal signals and states, providing a more comprehensive view than is possible with traditional security solutions and enabling faster, more accurate threat response.

This taxonomy categorizes emulation-based security verification (ESV) workflows based on stimulus generation, verification engine integration, and observability features, independently of the underlying emulation platform.
This taxonomy categorizes emulation-based security verification (ESV) workflows based on stimulus generation, verification engine integration, and observability features, independently of the underlying emulation platform.

Strengthening the System: Advanced Techniques for Comprehensive Security

Workload-driven system execution represents a significant advancement in security verification by moving beyond theoretical analysis to practical validation. Within a meticulously crafted emulation environment, realistic workloads – mirroring actual operational scenarios – are deployed and monitored. This allows engineers to assess security properties not under ideal conditions, but while the system is actively processing data and responding to stimuli, revealing vulnerabilities that static analysis might miss. By subjecting the system-on-chip (SoC) to these demanding tests, potential weaknesses in areas like memory management, data handling, and interrupt processing are exposed, ensuring a more robust and reliable design before deployment. The approach effectively bridges the gap between formal specifications and real-world performance.

Formal verification and Information Flow Tracking (IFT) represent a rigorous approach to security assurance, extending beyond traditional testing methods. These techniques employ mathematical proofs to demonstrate the correctness of a system’s design, guaranteeing that it behaves as intended under all possible conditions. Unlike simulations which can only reveal bugs with specific inputs, formal verification provides absolute certainty about the absence of certain errors. IFT specifically focuses on data security by tracing the flow of sensitive information through the system, identifying any unintended or unauthorized propagation – for example, preventing confidential data from leaking to untrusted components. This proactive detection, achieved through static analysis and formal modeling, is crucial for establishing trust in security-critical systems where vulnerabilities could have severe consequences, offering a level of assurance unattainable through empirical testing alone.

Fault injection campaigns represent a crucial stress test for modern Systems-on-Chip (SoCs), deliberately introducing errors – such as bit flips, voltage glitches, or clock skew – to evaluate the device’s robustness against malicious attacks and unexpected operational conditions. These campaigns go beyond typical functional verification by actively probing the error handling mechanisms embedded within the SoC’s hardware and software. By simulating a range of potential faults, researchers and engineers can identify vulnerabilities in error detection, correction, and recovery routines. The process reveals whether the SoC can gracefully degrade or if it succumbs to catastrophic failure, potentially exposing sensitive data or compromising system integrity. Ultimately, a thorough fault injection analysis informs the development of more resilient designs, enhancing security and reliability in increasingly complex electronic systems.

Embedded System Verification (ESV) establishes robust security through a deliberately layered approach, acknowledging that no single technique offers complete protection. Rather than relying on a solitary method, ESV synergistically combines workload-driven system execution – which tests security under real-world conditions – with the mathematical rigor of formal verification and information flow tracking. This is further reinforced by fault injection campaigns, designed to proactively uncover vulnerabilities in error handling. The result is a defense-in-depth strategy; if one layer fails, others remain to mitigate potential exploits, offering significantly enhanced resilience against a diverse spectrum of threats, from software bugs to sophisticated hardware attacks. This multi-faceted strategy ensures a more comprehensive and reliable security posture for complex embedded systems.

Through 2035, the hardware-assisted verification market is forecasted to grow, driven by increased adoption of emulation- and prototyping-based verification methodologies.
Through 2035, the hardware-assisted verification market is forecasted to grow, driven by increased adoption of emulation- and prototyping-based verification methodologies.

The pursuit of robust system-on-chip security necessitates a holistic approach, mirroring the interconnectedness of a living organism. This paper’s focus on emulation-based verification-leveraging fuzzing and fault injection-highlights the importance of understanding emergent behavior rather than solely relying on static analysis. As John McCarthy observed, “It is better to do a good job of a little than a poor job of a lot.” Applying this principle to SoC security means prioritizing comprehensive testing of critical functionalities before silicon fabrication, rather than attempting to address vulnerabilities post-deployment. Thorough pre-silicon validation, as detailed in the exploration of information flow tracking, ensures that structural integrity translates into secure operational behavior.

Beyond the Silicon Curtain

The pursuit of pre-silicon security verification, as highlighted by emulation-based approaches, reveals a fundamental truth: thoroughness is often mistaken for progress. While techniques like fuzzing and fault injection offer increasingly granular views of potential vulnerabilities, they operate within the confines of the testbench. If the system survives on duct tape – a patchwork of assumptions and limited scope – it’s probably overengineered, attempting to patch symptoms rather than address systemic flaws. The challenge isn’t simply to find more bugs, but to build a framework that anticipates classes of errors before they manifest.

Modularity, frequently touted as a panacea, presents a similar paradox. A neatly compartmentalized system, readily testable in isolation, is an illusion of control if the interfaces between modules are not rigorously scrutinized for information leakage or unexpected interactions. Information flow tracking, though promising, risks becoming a recursive problem; tracking the trackers introduces its own vulnerabilities. The real progress lies in shifting the focus from component-level testing to holistic system analysis, demanding formal methods capable of reasoning about emergent behavior.

Ultimately, the field needs to confront the uncomfortable reality that security isn’t a feature to be added, but a property that must be designed into the system from the outset. Emulation provides a valuable window into the pre-silicon world, but the clarity of that view depends on recognizing that a map is not the territory. The future lies not in more sophisticated testing tools, but in a deeper understanding of the structures that dictate behavior, and a willingness to embrace simplicity as the ultimate defense.

Original article: https://arxiv.org/pdf/2604.15073.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/

See also:

2026-04-17 13:50