Secure development processes for software have formed, developed, and matured in the past decade to the point where there are well defined categories of security bugs and proven methods to find them. Secure hardware development, on the other hand, is essentially undefined at this point. Most developers of integrated circuits do no hardware security validation, or are secretive about their methods and findings.
This talk will document some pre- and post- silicon validation techniques by applying them to various open-source core designs. It will present a number of examples of actual Verilog security vulnerabilities along with the vulnerable code, and present methods of resolving them. It will conclude by generalizing several hardware security bug categories.