Introduction to HAL

HAL [/hel/] is a comprehensive netlist reverse engineering and manipulation framework. Virtually all available research on netlist analysis operates on a graph-based representation of the netlist under inspection. At its core, HAL provides exactly that: A framework to parse netlists of arbitrary sources, e.g., FPGAs or ASICs, into a graph-based netlist representation and to provide the necessary built-in tools for traversal and analysis of the included gates and nets.

Our vision is that HAL becomes the hardware reverse engineering equivalent of tools like IDA Pro or Ghidra. With HAL, we want to establish a common ground for researchers and analysts alike to improve reproducibility of results and take care of general tasks such as project management, netlist parsing, or netlist traversal. HAL offers

• High performance thanks to the optimized C++ core
• Flexibility through built-in Python bindings
• Modularity via a C++ plugin system
• Stability is ensured via a rich test suite

HAL is actively developed by the Embedded Security group of the Max Planck Institute for Security and Privacy. Apart from multiple research projects, it is also used in our university lecture on hardware reverse engineering.

GUI

While the core functionality of HAL resides within the so called HAL core and is available only via the C++ and Python APIs, the GUI provides an easy interface for users to interact with the netlist. It provides a graphical representation of the netlist enabling the user to navigate through the sea-of-gates or even manipulate it during investigation. Providing a set of widgets, it gives access to all kinds of information about the netlist and its components. Additionally, it provides access to the Python API via an embedded Python editor and a respective shell.

Python Bindings

The Python API provides easy access to most of the core functionalities from within the GUI and the integrated Python shell. It presents the user with a powerful tool to run small experiments on the netlist for which the C++ Plugin system emerges to be too cumbersome.

Plugin System

HAL facilitates customization by providing a sophisticated plugin interface that allows to extend its functionality using plugins written in C++. Via the plugin system, the developer has full access to HAL's rich C++ API providing access to all components of its internal netlist representation. Furthermore, Python bindings for plugin functionality can easily be deployed to be used within the GUI or from the build-in Python shell. By default, HAL comes with a set of plugins that have been developed at our research group and enrich HAL's capabilities.

Shipped Plugins

• GUI: A feature-rich GUI allowing for visual netlist inspection and interactive analysis
  • Native integration of a Python shell with access to the HAL Python bindings
  • Isolation of specific gates or modules for clutter-free inspection
  • Interactive traversal of netlists
  • Detailed widgets with information on all aspects of the inspected netlist
• Netlist Simulator: A simulator for arbitrary parts of a loaded netlist
• Dataflow Analysis: Our dataflow analysis plugin DANA that recovers high-level registers in an unstructured netlist
• Graph Algorithms: igraph integration for direct access to common algorithms from graph-theory
• Python Shell: A command-line plugin to spawn a Python shell preloaded with the HAL Python bindings
• VHDL & Verilog Parsers: Support for parsing VHDL and Verilog files as netlist input formats
• Liberty Parser: Reads liberty gate libraries for use within HAL
• Verilog Writer: Writes a (potentially modified) netlist to a Verilog file
• Gate Libraries: Popular gate libraries such as Xilinx UNISIM, Nangate (15nm and 45nm), and Lattice iCE.

Additional Ressources

This wiki provides an overview of HAL and its most important applications. It presents small code snippets written using the Python API to teach the underlying concepts. Additionally, a detailed description of the APIs can be found here:

• C++ API documentation
• Python API documentation

Note that we also have a set of modern state-of-the-art benchmark circuits for the evaluation of netlist reverse engineering techniques available in a seperate repository.