FSM Security Knowledge Graph
- FSKG is a curated, directed, and labeled knowledge graph that encodes security vulnerabilities, mitigations, and FSM code patterns for secure hardware design.
- It leverages a formal schema to map vulnerabilities, states, transitions, and checks, ensuring actionable security insights and deterministic prompt augmentation for LLMs.
- The graph enables programmatic retrieval of security knowledge, enhancing automated verification and mitigation in SoC designs while reducing LLM-generated vulnerabilities.
The FSM Security Knowledge Graph (FSKG) is a curated, directed, and labeled knowledge graph that systematizes security vulnerabilities, mitigations, and code patterns relevant to finite state machines (FSMs) in hardware design, particularly for use in automated secure Verilog code generation via LLMs. FSKG serves as a structured intermediary layer that encodes security-centric domain knowledge and programmatically injects design-time security constraints into LLM prompt construction, addressing the persistent issue of security vulnerabilities in LLM-generated hardware control logic for systems-on-chip (SoC) (Hu et al., 18 Aug 2025).
1. Formal Structure and Schema of FSKG
FSKG is defined mathematically as a tuple , incorporating a finite set of nodes , directed labeled edges , relation types , node types assigned via , and a labeling function . The schema consists of the following node and relation types:
- Node Types:
- Vulnerability (attributes: id—e.g., CWE-362, severity , description)
- State (attributes: name, isProtected , resetValue)
- Transition (attributes: fromState, toState, condition)
- Mitigation (attributes: pattern, applicability)
- Check (attributes: testName, requiredPrecondition)
- Example (attributes: codeSnippet, isGoodExample)
- Edge (Relation) Types:
- hasType (Node Type)
- triggers (Vulnerability 0 Vulnerability)
- mitigates (Mitigation 1 Vulnerability)
- requiresCheck (Vulnerability 2 Check)
- hasConsequence (Vulnerability 3 textual node)
- goodExample, badExample (Vulnerability 4 Example)
- suggestion (Vulnerability 5 Mitigation)
- confirmPositive/confirmNegative (Vulnerability 6 Example)
Each edge can carry additional metadata (e.g., confidence 7, precondition as a Boolean formula). The FSKG is manually curated for internal consistency and to avoid conflicting definitions.
2. Node and Relation Semantics
Node attributes are designed to encode actionable security information:
- Vulnerability nodes encapsulate threats, identified by CWE IDs, with severity and textual description.
- Mitigation nodes provide code-level patterns suitable for automating defense mechanisms, always attached with those patterns.
- State and Transition nodes abstract FSM elements with security-relevant flags (e.g., isProtected).
- Check nodes reference formal design-time or runtime tests required for vulnerability mitigation.
- Example nodes deliver minimal code snippets, labeled by effectiveness (goodExample/badExample).
Edge semantics specify both logical relations ("mitigates," "triggers") and process constraints ("requiresCheck," "suggestion"), enabling traceable mapping from abstract vulnerability to concrete code pattern and design check.
3. Automated Vulnerability Mapping and Knowledge Retrieval
FSKG supports programmatic extraction of all security knowledge relevant to a given set of flagged vulnerabilities post-requirements analysis. For a requirements-driven set 8, FSKG enables subgraph retrieval 9, where 0 returns the induced subgraph accessible within two hops via specific relations such as requiresCheck, suggestion, goodExample, and badExample.
Pseudocode for subgraph retrieval formally specifies this as:
7
This structure enables comprehensive knowledge harvesting relevant to a specific vulnerability, mapping each flagged risk to required checks, mitigation patterns, and empirical code illustrations, all retrieved from within the curated knowledge space.
4. Prompt Integration for Secure Code Generation
Knowledge retrieved from FSKG is split into code-centric (mitigation patterns and examples, 1) and reporting-oriented items (2). Automated prompt assembly for LLM-driven Verilog code generation interleaves three components:
- User's functional requirement 3.
- FSM architectural outline 4 (e.g., few-shot code templates).
- Security pattern list 5.
The assembled LLM prompt explicitly instructs the model to apply and document relevant mitigations: 8 This structured prompt composition draws directly on FSKG knowledge to align LLM code generation with security best practices associated with user-specified requirements (Hu et al., 18 Aug 2025).
5. Illustrative Example: Race-Condition Vulnerability
To concretely demonstrate FSKG’s operation, consider the case where a pre-analysis pipeline identifies a ‘RaceCondition’ vulnerability (CWE-362). FSKG retrieval yields the following triples:
- (RaceCondition, requiresCheck, CheckSequentialArbiter)
- (RaceCondition, suggestion, ArbiterLockPattern)
- (ArbiterLockPattern, mitigates, RaceCondition)
- (RaceCondition, goodExample, ExampleNode)
Corresponding node attributes include:
- ArbiterLockPattern.pattern: “Use a one-hot grant register with handshake.”
- ExampleNode.codeSnippet:
always @(posedge clk) if (grant_lock==0) begin … end
This information is injected into 6 and embedded in the LLM prompt, resulting in code with explicit, commented race-condition mitigations.
6. Security Curation and Validation Principles
Underlying FSKG construction is rigorous manual curation to enforce a coherent, non-redundant vocabulary of vulnerabilities (e.g., CWE series), mitigation mechanisms, and code exemplars. Each vulnerability node captures unique, disjoint entities, all mitigation patterns are reviewed for applicability, and the overall structure is routinely validated for consistency. This ensures that design-time knowledge retrieval for code generation is deterministic and verifiable.
7. Significance, Applications, and Implications
FSKG, as integrated in SecFSM, operationalizes security-by-construction in LLM-driven FSM code generation. By programmatically extracting, contextualizing, and enforcing tailored mitigations based on vulnerability analysis, FSKG directly addresses the known limitations of neural code synthesis in security-critical hardware domains. A plausible implication is the broader applicability of this paradigm to other domains where code synthesis faces systemic security gaps. Empirically, SecFSM achieves a 21/25 pass rate on a benchmark of 25 security test cases, demonstrating the practical impact of FSKG-guided prompt augmentation (Hu et al., 18 Aug 2025).