P6_21: Reverse Engineering Methodology for FPGA Firmware
Topic Areas: Design Reverse Engineering, FPGA Trojans, Where’s Waldo
Principal investigator: Dr. J. M. Emmert, University of Cincinnati
Principal investigator: Dr. Ronald Williams, University of Virginia
Co-Principal investigator(s): Dr. James H. Lambert and Dr. Zachary Collier, University of Virginia
Co-Principal investigator(s): Dr. Ranga Vemuri and Dr. Carla Purdy, University of Cincinnati
This work builds on the phase-I effort and will focus on: A) adding capability to the programming bit-stream reverse engineering (RE) flow, and B) using graph-based clustering, partitioning, equivalence and model checking, and formal verification to perform higher-level, component-level design RE. The current project phase is focused on determining the netlist that a given bitstream configures into an FPGA. The netlist determines the configured structure, and thus the functional configuration, of each active configurable element in the FPGA. The dominant configurable elements in a typical FPGA are look-up tables (LUTs), but other element types (for example, interconnect switch boxes, flip-flops and block RAM) are also configured by the bitstream. In addition, the netlist exposes the interconnections among the configurable elements along with the connections to input and output terminal devices. A complete and accurate netlist therefore exposes the entire logic circuit implemented on the FPGA.
The primary objective of the phase-I proposal was to develop and investigate a generalizable, standardized framework and methodology to RE field programmable gate array (FPGA) bitstreams for the purpose of detecting Trojan circuits found in 3rd party intellectual property (IP). In phase-I, we developed a logic-to-bitstream mapping flow that is at a higher level of abstraction than existing methods. It is based on HDL code that is device independent (it does not use any device specific components like look-up-table declarations), and it does not require use of tool specific files (like configuration files). In its current form, it maps FPGA logic and logic functions to specific bits in the programming bit file. In phase-II, the capability will be extended to include other configuration bits like interconnect switch-box programming bits.
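As an added illustration (not the project's own code or flow), the block below models one common way to build a logic-to-bitstream mapping: program a device with many designs whose LUT contents are known, then find the configuration bits that track each truth-table bit across all of them. The device model is an assumption, a 4-input LUT whose 16 INIT bits sit at hidden positions, with hidden polarity, inside a 64-bit configuration frame that also carries unrelated bits; it stands in for the undocumented layout a real RE effort has to recover and does not describe any vendor's format. The names `ToyFpga`, `learn_mapping`, `decode_init` and `describe` are hypothetical.

```python
"""Added example: toy differential logic-to-bitstream mapping for one LUT.

Assumed device model (not a real vendor layout): a 4-input LUT whose 16
INIT bits are stored at fixed but unknown positions, each with an unknown
polarity, inside a 64-bit configuration frame. The other 48 frame bits
belong to unrelated logic and differ from design to design.
"""
import random

LUT_INPUTS = 4
INIT_BITS = 1 << LUT_INPUTS      # 16 truth-table entries for a 4-input LUT
FRAME_BITS = 64

# INIT values of some well-known 4-input functions. Bit k of INIT is the
# output for input vector k, with input 0 as the least-significant index bit.
KNOWN_FUNCTIONS = {0x8000: "AND4", 0xFFFE: "OR4", 0x6996: "XOR4",
                   0x0001: "NOR4", 0x7FFF: "NAND4", 0x9669: "XNOR4"}


class ToyFpga:
    """Hypothetical device: the hidden bit positions and polarities are what
    the reverse-engineering flow below has to recover."""

    def __init__(self, seed: int = 1):
        rng = random.Random(seed)
        self._positions = rng.sample(range(FRAME_BITS), INIT_BITS)
        self._inverted = [rng.random() < 0.5 for _ in range(INIT_BITS)]
        self._rng = rng

    def program(self, init: int) -> list:
        """Return the 64-bit frame for a design whose LUT holds INIT. Bits
        unrelated to this LUT are re-randomised per design, as they would
        differ between unrelated test designs."""
        frame = [self._rng.randint(0, 1) for _ in range(FRAME_BITS)]
        for i, pos in enumerate(self._positions):
            frame[pos] = ((init >> i) & 1) ^ int(self._inverted[i])
        return frame


def learn_mapping(device, samples: int = 40, seed: int = 0) -> dict:
    """Differential mapping: program random known INIT values and keep, for
    each INIT bit, the unique frame position (and polarity) that agrees with
    it in every sample. Returns {init_bit: (frame_pos, inverted)}. An INIT
    bit is left unmapped when zero or several positions match, which is the
    signal to collect more samples or revisit the device assumptions."""
    rng = random.Random(seed)
    observations = [(init, device.program(init))
                    for init in (rng.getrandbits(INIT_BITS) for _ in range(samples))]
    mapping = {}
    for i in range(INIT_BITS):
        candidates = []
        for pos in range(FRAME_BITS):
            for inverted in (False, True):
                if all((((init >> i) & 1) ^ int(inverted)) == frame[pos]
                       for init, frame in observations):
                    candidates.append((pos, inverted))
        if len(candidates) == 1:
            mapping[i] = candidates[0]
    return mapping


def decode_init(frame, mapping: dict) -> int:
    """Rebuild the 16-bit INIT value of an unknown frame from a learned map."""
    init = 0
    for i, (pos, inverted) in mapping.items():
        init |= (frame[pos] ^ int(inverted)) << i
    return init


def describe(init: int) -> str:
    """Name the LUT function if it is a known one, else list its minterms."""
    if init in KNOWN_FUNCTIONS:
        return KNOWN_FUNCTIONS[init]
    minterms = [k for k in range(INIT_BITS) if (init >> k) & 1]
    return "SOP minterms " + str(minterms)


def truth_table(init: int):
    """Yield ((i3, i2, i1, i0), output) rows for the LUT."""
    for k in range(INIT_BITS):
        inputs = tuple((k >> j) & 1 for j in reversed(range(LUT_INPUTS)))
        yield inputs, (init >> k) & 1


if __name__ == "__main__":
    fpga = ToyFpga(seed=7)
    lut_map = learn_mapping(fpga)
    print(f"mapped {len(lut_map)}/{INIT_BITS} INIT bits")
    unknown = fpga.program(0x6996)   # constructed: a frame from "3rd-party IP"
    init = decode_init(unknown, lut_map)
    print(f"recovered INIT=0x{init:04X} -> {describe(init)}")
```

With 40 samples, an unrelated frame bit agrees with a given INIT bit by chance with probability 2^-40 per polarity, so every INIT bit maps to exactly one position; a real flow additionally has to cope with frames that move when placement changes, which is why the device-independent HDL described above matters.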
Knowledge of the netlist alone does not convey a complete understanding of the functions the logic circuit can perform. Understanding device function requires that the netlist be organized to expose a higher-level structure that can be interpreted more readily than a flat interconnection of low-level digital elements. Phase-II of the project will therefore also focus on organizing the netlist into higher-level functional blocks that can then be evaluated to expose anomalous structures that may be malicious hardware.