LASA: Enhancing SoC Security Verification with LLM-Aided Property Generation

📅 2025-06-21
🤖 AI Summary
Manual authoring of SystemVerilog assertions (SVAs) for SoC security verification is labor-intensive and error-prone, and current LLM-based approaches generate vacuous or incomplete assertions without formal-verification feedback. Method: This paper proposes the first automated security property generation framework integrating large language models (LLMs) with retrieval-augmented generation (RAG). It extracts semantic specifications from design documentation, employs iterative prompt engineering to suppress vacuity, and tightly couples commercial EDA tools to establish a coverage-driven, closed-loop workflow that enables automated assertion generation, formal verification, and iterative refinement. Contribution/Results: Evaluated on multiple open-source SoCs, the framework achieves an average formal coverage of 88% and uncovers five previously unreported security vulnerabilities in OpenTitan, significantly improving both the efficiency and reliability of security verification.

📝 Abstract
Ensuring the security of modern System-on-Chip (SoC) designs poses significant challenges due to increasing complexity and assets distributed across the intellectual property (IP) blocks. Formal property verification (FPV) provides the capability to model and validate design behaviors through security properties with model checkers; however, current practices require significant manual effort to create such properties, making them time-consuming, costly, and error-prone. The emergence of Large Language Models (LLMs) has showcased remarkable proficiency across diverse domains, including HDL code generation and verification tasks. Current LLM-based techniques often produce vacuous assertions and lack efficient prompt generation, comprehensive verification, and bug detection. This paper presents LASA, a novel framework that leverages LLMs and retrieval-augmented generation (RAG) to produce non-vacuous security properties and SystemVerilog Assertions (SVA) from design specifications and related documentation for bus-based SoC designs. LASA integrates a commercial EDA tool for FPV to generate coverage metrics and iteratively refines prompts through a feedback loop to enhance coverage. The effectiveness of LASA is validated on various open-source SoC designs, demonstrating high coverage values with an average of ~88%, denoting comprehensive verification through efficient generation of security properties and SVAs. LASA also demonstrates bug detection capabilities, identifying five unique bugs in the buggy OpenTitan SoC from the Hack@DAC'24 competition.
Problem

Research questions and friction points this paper is trying to address.

Automating security property generation for SoC designs
Reducing manual effort in formal property verification
Improving assertion quality and bug detection using LLMs
Innovation

Methods, ideas, or system contributions that make the work stand out.

LLM-aided property generation for SoC security
Retrieval-augmented generation for non-vacuous assertions
Iterative prompt refinement with EDA feedback loop