System-on-a-Chip (SoC) designers use third-party intellectual property (3PIP) cores and in-house IP cores to design SoCs. The trustworthiness of such SoCs is undermined by security bugs unintentionally introduced during integration of these IPs. Each SoC has its own defined usage scenario and corresponding security objectives. When exploited, a security weakness often results in the compromise or bypass of at least one of the product security objectives. As has been seen in the past, attacks may lead to a system failure or deadlock, create a side channel to remotely access sensitive information (e.g., cryptographic keys), or gain privileged access to the system, enabling the attacker to bypass the security mechanisms in place and compromise the whole computing platform.
The goal of this competition is to develop practical and effective solutions and computer-aided tools to identify such vulnerabilities in buggy SoCs.
What is HACK@DAC?
Participating teams in this competition try to mimic the practices of a security team that is responsible for the security assurance of the system. Their objective is to identify the security vulnerabilities, assess their security impact, propose a mitigation, and report them. They are free to use any tools and techniques of their choosing. Participating teams can be affiliated with either industry or academia.
The competition has four phases:
- Bug donation teams will provide a proposal on what bugs they can contribute. Selected proposers will work with the organization team to incorporate these bugs in an open-source SoC. They will also help develop specification details and the desired security properties.
- Participating teams will be given a “buggy” SoC design, which they need to analyze to identify as many security vulnerabilities as possible, if not all. We will also provide specification details and the desired security properties. Freedom to choose tools and techniques is intended to minimize the barrier to entry for teams. Bug donation teams will help the organizers in evaluating these submissions and selecting the finalists.
- A new open-source SoC will be chosen and bug donation teams will provide a new set of bugs. These teams will again work with the organization team to incorporate these bugs into the new SoC.
- At DAC, the participants need to compete in a live capture-the-flag competition. An SoC design with a new set of bugs will be provided. They need to apply their techniques (and any tools developed) on this new design. Bug donation teams will help the organizers in evaluating these submissions live and help select the winners.
What is Bug Donation?
To provide the buggy SoCs to the participating teams, we are collecting real-world bugs from leading players in the semiconductor industry and reproducing them by incorporating them in open-source SoC designs. This way, the competition will be more realistic and more useful to the community in identifying tools and techniques for detecting security bugs. To overcome restrictions due to proprietary information, we implement the bugs within open-source designs. To this end, we are requesting companies to submit proposals on how they plan to donate the bugs to this competition, work with the organizers on implementing them, and evaluate the submissions with the organizers. The selected proposers will have access to all the known and unknown bugs submitted, will interact directly with the teams, and can identify the bottlenecks in the process.
Bug Proposal Format and Submission Guidelines
Each proposal should clearly describe the class/type of security bugs that are of interest to the participating company. The proposal should also describe why those bugs are of importance to the company and industry in general and how easy/difficult it is to detect them. The proposal should describe how these bugs can be incorporated in an open-source SoC design. Optional: Mention at least one open-source SoC where proposed bugs can be inserted.
- The proposal will be evaluated by the committee on the following metrics:
  - Interest to the community: How important is the list of proposed bugs?
  - Ease of detection: Does the proposed set of bugs cover the entire spectrum of difficulty (very easy to very hard)?
  - Ease of exploitability: Does the exploit require physical access to the hardware or is it remotely exploitable (by means of software)?
  - Feasibility: How feasible is it for the organizers to integrate these bugs in an open-source SoC?
- Page limit is two pages, 1-inch margins on all sides, Times 12pt.
- Please email your proposals by December 15, 2018 11:59PM PT to firstname.lastname@example.org
- Please mention a contact author and the team. This is not an anonymous submission process.
Bug-donation and organization:
- Dec 15, 2018: Proposal submission deadline.
- Jan 1, 2019: Decision on proposals will be announced.
- Jan 15, 2019: Working with organizers will commence.
- Dec 1, 2018: Registration begins.
- Jan 15, 2019: Registration ends.
- March 1, 2019: Phase 1: Before DAC. An SoC design “alpha” (with security bugs embedded) will be provided. Participants have to identify the bugs and report them.
- May 1, 2019: Phase 1 ends and final submissions are due.
- May 5: Finalists are announced.
- June 2-6, 2019: At DAC, an SoC design “beta” (with security bugs embedded) will be provided. Participants have to identify the bugs within the given timeframe and report them.
You can contact the organizers via email at .
Venue & Travel
Hack@DAC2019 will be held in Las Vegas in June 2019 and is co-located with the DAC 2019 conference.