- The paper introduces an AI/LLM-assisted workflow that automates asset identification, threat modeling, and test plan generation for hardware security verification.
- It demonstrates the effectiveness of these methods in a case study on NVIDIA’s Deep Learning Accelerator, identifying significant vulnerabilities and testing outcomes.
- The study highlights challenges such as ensuring LLM output reliability and achieving end-to-end automation in complex AI accelerator environments.
AI-Assisted Hardware Security Verification: A Survey of Methods and Case Study of AI Accelerators
Introduction
Hardware security verification remains an essential yet resource-intensive aspect of integrated circuit (IC) design, especially as modern hardware systems such as AI accelerators increase architectural complexity and expand the potential attack surface. The traditional methodology for hardware security verification is challenged by the proliferation of asset types, multidimensional threat models, and the integration of heterogeneous components. The recent integration of AI, and specifically LLMs, into this domain offers promising improvements in workflow automation, coverage, and efficiency. This work surveys the state of AI/LLM-assisted hardware security verification, covering the automation landscape from asset identification through threat modeling, test plan generation, simulation- and formal evidence generation, to countermeasure suggestion. Furthermore, the paper presents an empirical case study applying these techniques to the security assessment of the NVIDIA Deep Learning Accelerator (NVDLA), offering practical insights into the promise and limitations of AI-assisted assurance (2604.01572).
Survey of LLM-Assisted Security Verification
Asset Identification
Asset identification is foundational for constructing an effective security verification plan. Historically, hardware asset identification has relied heavily on manual inspection and prior knowledge, with standards such as SA-EDI and IEEE P3164 aiming for conceptual clarity but offering limited automation. As SoC topologies and IP-level complexities increase (especially with AI accelerators incorporating sensitive model parameters and intermediate state), the asset discovery process burdens scalability and reliability [hasan2026lassetllmassistedsecurityasset]. Recent work leverages LLM-based systems (e.g., LAsset) to automate the extraction and interpretation of asset sets based on design RTL, specifications, and context-aware reasoning, substantially reducing reliance on human expertise and enabling more comprehensive early-stage security analysis.
Threat Modeling
Threat modeling translates a set of assets into a taxonomy of potential adversarial actions, often leveraging frameworks such as CWE to map system components to known hardware weakness classes. Classical static analysis solutions, which leverage Verilog ASTs, are constrained by their rule-based nature and lack adaptability as design patterns evolve [ahmad2022don]. LLM-based approaches (e.g., DIVAS, LASHED, SV-LLM, ThreatLens) [paria2023divas, lashed2025, svllm2025, 11022932] enable more scalable threat identification by synthesizing specification knowledge, asset context, and structured vulnerability taxonomies. These frameworks demonstrate notable improvements in automating vulnerability analysis, CWE alignment, and property generation, but outstanding challenges remain in accurately reasoning about privilege separation, context completeness, and unwinding implicit flows in large, heterogeneous designs.
Test Plan Generation
The translation of threat models into executable test plans is a critical bottleneck in scalable security verification. Industry-standard flows rely on SystemVerilog/UVM and utilize coverage-directed and ATPG techniques; however, connecting high-level threats to low-level coverage targets has historically required significant manual specification and interpretation [ieee1800_2017, accellera_uvm]. Recent LLM-driven systems (e.g., ThreatLens, SV-LLM, LLM4DV) link natural language threat analysis directly to generation of test stimuli and coverage intent, reducing human input and bias [11022932, svllm2025, zhang2023llm4dv]. Additionally, accelerator-specific models (such as ChipNeMo and GPT4AIGChip) demonstrate that domain adaptation further improves efficacy and aligns test vectors with architectural nuances inherent in DNN accelerator security.
Simulation and formal verification—supported by assertion-based methodologies and model checking—are the final arbiters of correctness and security assurance [clarke1999, tiwari2009]. LLMs have been deployed for automated assertion generation (e.g., AutoSVA, LISA, AssertionLLM, STELLAR), reducing burdens on engineers and increasing semantic alignment with high-level specifications [orenesvera2021autosva, paul2025lisa, pulavarthi2025assertionllm, rajabi2025stellar]. Several works extend LLM integration into multi-stage verification workflows, including iterative proof generation and guided debugging (e.g., BugWhisperer, LASHED, MEIC), driving a shift toward tool-in-the-loop refinement cycles [11022958, lashed2025, meic2024]. However, ensuring that LLM-generated artifacts are both correct and non-hallucinatory, and that proofs are grounded in simulation or formal evidence, is a persistent concern.
Countermeasures and Automated Repair
The workflow apex is the synthesis of meaningful mitigations for identified vulnerabilities. LLM frameworks have been shown to generate plausible RTL bug patches and remediation advice, with benchmarks such as HWFixBench enabling systematic evaluation of such capabilities [10462177, fu2025hwfixbench]. The move toward closed-loop frameworks (e.g., LLM-Sec) anticipates highly automated engineering flows in which LLM ensembles not only diagnose but also patch design-time vulnerabilities, integrating continuous assurance directly into hardware development.
Open Challenges and Research Directions
Despite significant advances, the surveyed literature and emerging benchmarks [hardsecbench2025, li2025fixbenchrtl] reveal several key open research questions:
- End-to-End Automation: Establishing robust pipelines that span all verification stages (asset identification through countermeasure deployment), particularly in AI accelerator contexts, remains unresolved.
- Grounding and Hallucination: Ensuring that LLM outputs are consistently tied to simulation evidence, formal proofs, and cross-tool validation is essential for trust and adoption.
- Evaluation and Generalization: There is a need for high-fidelity benchmarks that capture the unique architectural and threat-space characteristics of AI accelerators and enable rigorous comparison of LLM-based pipelines.
- Privilege Reasoning and Scalability: Mapping privilege domains and unwinding cross-module attack scenarios in ultra-large SoCs exceeds the capacity of current LLM prompt design and context windows.
NVDLA Case Study
The paper operationalizes the surveyed methodologies via a case study analysis of the NVIDIA Deep Learning Accelerator (NVDLA), focusing on the NV_NVDLA_csb_master IP. This module offers a concrete context for access-control analysis; the evaluation pipeline applies automated LLM-guided asset extraction, CWE-based threat modeling, test vector synthesis, directed simulation, and mitigation suggestion.
Key findings include:
- The LLM-guided workflow identifies structural assets governing request acceptance and forwarding, mapping them to integrity- and availability-focused CWEs (notably CWE-1220: Insufficient Granularity of Access Control).
- Threat analysis confirms the absence of local privilege checks at the CSB ingress, permitting any requester reaching this boundary to access decoded sub-unit addresses.
- Simulation-directed testing, driven by LLM-generated tasks, demonstrates unconditional request acceptance and forwarding in 30/31 scenarios, validating a module-scoped vulnerability claim.
- Recommended mitigations focus on enforcing access control at the ingress boundary (either via privilege metadata or gating of acceptance signals), and emphasize the dependence on system-level trust assumptions for holistic assurance.
Implications and Future Directions
The convergence of LLM-based automation with the unique requirements of hardware security verification is accelerating the transition from ad hoc, expertise-driven methods to scalable, repeatable, evidence-backed pipelines. In the AI accelerator domain, where confidentiality, integrity, and availability concerns are entangled with evolving DNN-specific microarchitectures, these developments are especially relevant. However, robust adoption in high-assurance and safety-critical contexts will require continued progress in the following areas:
- Verification-Grounded AI: Strategies such as retrieval-augmented generation, explicit simulation hooks, and multi-agent verification architectures should be prioritized to mitigate hallucination and amplify explainability.
- Specification Mining and Domain Transfer: Enriching LLM pretraining and fine-tuning datasets with high-quality architectural and security specification corpora, especially from accelerator-rich open source projects, will enhance context awareness and semantic alignment.
- Integrated Evidence Feedback: Fully closing the loop—by feeding back coverage results, counterexample traces, and dataflow anomalies into LLM reasoning—will facilitate robust defense-in-depth security postures across the pre-silicon design lifecycle.
Conclusion
LLM-enabled automation offers substantial leverage in addressing the verification bottlenecks intrinsic to modern AI hardware platforms, particularly at the intersection of asset discovery, threat modeling, and coverage-aligned test generation. While the capabilities of current approaches are impressive, especially in case-by-case accelerator analyses such as NVDLA, practical adoption and trustworthiness at scale depend on validation against rigorous, simulation- and formal-grounded evidence, architectural awareness, and evaluation on challenging open benchmarks. The surveyed trajectory highlights clear progress but also defines a rich future agenda at the boundary of ML, EDA, and security engineering (2604.01572).