BravenNow
MARVEL: Multi-Agent RTL Vulnerability Extraction using Large Language Models

📌 Key Takeaways

  • MARVEL is a multi-agent LLM framework for hardware security verification
  • The system mimics a designer's cognitive process for finding security vulnerabilities
  • It consists of a supervisor agent and multiple specialized executor agents
  • Testing found 19 valid security vulnerabilities among 51 reported issues

📖 Full Retelling

Researchers Luca Collini, Baleegh Ahmad, Joey Ah-kiow, and Ramesh Karri introduced MARVEL, a multi-agent Large Language Model (LLM) framework designed to extract security vulnerabilities from Register Transfer Level (RTL) code. Their paper, submitted to arXiv on May 17, 2025 and revised on February 23, 2026, addresses the challenging and time-consuming nature of hardware security verification. The framework represents a significant advancement in the field by creating a unified approach to decision-making, tool use, and reasoning that mimics the cognitive process of a designer searching for security vulnerabilities in RTL code.

MARVEL is built around a supervisor agent that establishes security policies for system-on-chips based on documentation and delegates specific validation tasks to specialized executor agents. Each executor agent employs a different strategy and may use various tools, including formal verification, linters, simulation tests, LLM-based detection schemes, and static analysis, to identify potential security bugs in hardware designs.

The researchers tested their approach on a known buggy System-on-Chip based on OpenTitan from the Hack@DATE competition, demonstrating both the effectiveness and the limitations of their multi-agent system. Of the 51 issues reported by MARVEL, 19 were confirmed valid security vulnerabilities, 14 were concrete warnings, and 18 were hallucinated reports, highlighting the system's capability while also showing areas for improvement in reducing false positives.

🏷️ Themes

Artificial Intelligence, Hardware Security, Multi-Agent Systems

Original Source
arXiv:2505.11963 (Computer Science > Cryptography and Security)

Submitted on 17 May 2025 (v1), last revised 23 Feb 2026 (this version, v3)

Title: MARVEL: Multi-Agent RTL Vulnerability Extraction using Large Language Models

Authors: Luca Collini, Baleegh Ahmad, Joey Ah-kiow, Ramesh Karri

Abstract: Hardware security verification is a challenging and time-consuming task. Design engineers may use formal verification, linting, and functional simulation tests, coupled with analysis and a deep understanding of the hardware design being inspected. Large Language Models have been used to assist during this task, either directly or in conjunction with existing tools. We improve the state of the art by proposing MARVEL, a multi-agent LLM framework for a unified approach to decision-making, tool use, and reasoning. MARVEL mimics the cognitive process of a designer looking for security vulnerabilities in RTL code. It consists of a supervisor agent that devises the security policy of the system-on-chips using its security documentation. It delegates tasks to validate the security policy to individual executor agents. Each executor agent carries out its assigned task using a particular strategy. Each executor agent may use one or more tools to identify potential security bugs in the design and send the results back to the supervisor agent for further analysis and confirmation. MARVEL includes executor agents that leverage formal tools, linters, simulation tests, LLM-based detection schemes, and static analysis-based checks. We test our approach on a known buggy SoC based on OpenTitan from the Hack@DATE competition. We find that of the 51 issues reported by MARVEL, 19 are valid security vulnerabilities, 14 are concrete warnings, and 18 are hallucinated reports.

Comments: Submitted for Peer Review

Subjects: Cryptograp...

Source

arxiv.org
