HelpnetSecurity

A hardware security AI assistant that checks chips for hidden backdoors


Chip designers license blocks of circuitry from outside vendors and drop them into larger products. A single processor can carry components from a range of suppliers, each written by a company the buyer may never deal with directly. A malicious supplier can bury a hidden circuit in a working design, and that circuit can stay quiet until a specific input wakes it up.

Researchers at the University of Florida built a tool aimed at this problem. Called VeriChat, it works as a conversational assistant for hardware security engineers. The system answers technical questions about chip security and runs verification tools directly on a design file that a user uploads.

The trouble with confident answers

General chatbots such as ChatGPT and Gemini give confident answers that sometimes contain invented facts, and in hardware security a wrong answer can send an engineer down a costly path. The Florida team recorded one case where a widely used chatbot described three side-channel analysis frameworks, and one of the three was entirely fictional.

VeriChat approaches the gap with a retrieval-first design. Three agents pass work down a line. The first reads a user’s question and rewrites it for search. The second pulls matching passages from a curated library of 28,221 hardware security papers and from live web results. The third writes the answer using only that gathered evidence, and it declines to elaborate when the support runs thin.

A planted Trojan, uncovered in conversation

The part that sets the system apart is its link to verification tools. The team demonstrated it on a planted attack. They took an AES S-Box, a small building block used inside encryption hardware, and hid a Trojan inside it. The malicious circuit watches the data stream for one exact three-byte sequence, 0xDE, 0xAD, 0xBE. Once that sequence arrives, the circuit begins leaking the secret encryption key one bit at a time through a status light on the chip. The odds of the trigger firing by chance sit near six in a hundred million per cycle, low enough to slip through routine testing.

A user with no knowledge of the hidden circuit uncovers it across a short conversation. It opens with a plain question about supply chain risks and moves toward a request to inspect the file. VeriChat then runs a sequence of automated checks. A syntax pass confirms the code compiles. A synthesis pass counts the design’s memory elements and flags several extra ones that a plain S-Box would never need. A simulation feeds the design the exact trigger and watches the key leak out over eight cycles. A formal check produces a mathematical proof that the design can leak data it should keep private.

How it scored

The evaluation covered both the retrieval step and the finished answers. A group of experienced hardware security researchers wrote a benchmark of test questions, and across that set VeriChat pulled relevant supporting material far more often than a plain retrieval baseline. A blind review by a human expert scored its factual accuracy at 87.73 percent, well ahead of the next system in the comparison.

The team also tested whether the assistant would push back on false premises. They fed VeriChat and several commercial models a set of prompts built around invented technologies, including a fake anti-tamper method described as Metamaterial Resonance Shielding. VeriChat refused to go along with the fabrications 92 percent of the time, and the standalone commercial models accepted them far more often. The refusals trace back to one design choice: when the retrieval step finds no support for a claim, the system reports that it lacks the information.

What the demo leaves open

A few things are worth keeping in mind before reading too much into the demo. The Trojan came from the same team that ran the test. They designed it, planted it, and then found it, so the exercise shows the workflow doing its job on a known implant. An attack nobody has seen before is a harder test, and that one stays open.

The scoring has soft spots too. Some of it relies on other AI models acting as judges. One preference ranking even had GPT-4o pick the stronger of two answers, which is a bit like grading with the same kind of tool being graded. And that headline accuracy number cuts both ways. If close to one claim in eight still comes back wrong, an engineer has to check the work in a field where the authors themselves treat correctness as the whole point.

The wider draw is the supply chain question that keeps surfacing across security work. Buyers of hardware sit in much the same spot as buyers of software libraries, dependent on suppliers they cannot vet on their own. A tool that lets an engineer question a suspicious design in plain language, then run the checks that back up the conversation, points toward one way of narrowing that gap.

Demo: Prophet Agentic AI SOC Platform transforms alert triage and investigation



Source link