P2_22: Reverse Engineering Methodology for FPGA Firmware
Topic Areas: Design Reverse Engineering, FPGA Trojans, Where’s Waldo
Principal investigator: Dr. J. M. Emmert, University of Cincinnati
Co-Principal investigator(s): Dr. Nicola Bezzo, Dr. James H. Lambert and Dr. Zachary Collier, University of Virginia
Co-Principal investigator(s): Dr. Ranga Vemuri, University of Cincinnati
Abstract:
This project will develop methods for reverse engineering (RE) Field Programmable Gate Array (FPGA) programming bitstreams and Cyber-Physical Systems (CPSs) to detect and protect against Trojan circuits found in 3rd-party intellectual property (IP). This work builds on the work accomplished in the phase-I and II efforts, and will focus on: A) adding capability for RE of FPGA programming bitstreams; B) extraction of Register Transfer Level (RTL) models from FPGA look-up-table (LUT) netlists; and C) run-time detection, localization, and mitigation for CPSs under cyber-attack.
A) This effort is focused on continuing to advance the abstract (device-independent) capabilities developed to create a connected graph of LUTs, in the form of a structural Verilog netlist, from the bitstream used to configure the FPGA. The netlist captures the configured structure, and thus the functional configuration, of each active configurable element in the FPGA. The dominant configurable elements in a typical FPGA are LUTs, but other types of elements may also be configurable. The netlist exposes the interconnections among the configurable elements along with the connections to input and output terminal devices. A complete and accurate netlist exposes the entire logic circuit implemented on the FPGA. In addition, where the abstract approach fails, a more specific approach will be added to provide a more complete solution.
B) The overall process of reverse engineering RTL models from LUT netlists (which are in turn extracted from bitstreams) starts by separating control flip-flops from data flip-flops. By tracing the fan-in cones of the control flip-flops, the control logic is extracted, and its functionality is expressed as one or more finite-state machines. Simultaneously, the data flip-flops are grouped into word-level registers, counters and shift registers. Using these anchors, word-level operators are extracted. Following overlap resolution, the word-level structures are assembled into the datapath unit. Finally, the controller and datapath are integrated, and the extracted RTL design is formally verified for correctness against the LUT netlist.
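The first steps of this flow (separating control from data flip-flops, tracing fan-in cones, grouping data flip-flops into word-level registers), as an added Python example over a constructed toy LUT netlist; this is not the project's code, and the netlist format and the fan-out-count heuristic for control flip-flops are assumptions.

```python
from collections import defaultdict, deque

# Constructed toy LUT netlist (assumption): cell -> (kind, input nets, output net).
NETLIST = {
    "lut_ns":   ("LUT", ["in_start", "ff_state_q"], "n_ns"),
    "ff_state": ("FF", ["n_ns"], "ff_state_q"),              # FSM state bit
    "lut_d0":   ("LUT", ["in_d0", "ff_d0_q", "ff_state_q"], "n_d0"),
    "ff_d0":    ("FF", ["n_d0"], "ff_d0_q"),                 # register bit 0
    "lut_d1":   ("LUT", ["in_d1", "ff_d1_q", "ff_state_q"], "n_d1"),
    "ff_d1":    ("FF", ["n_d1"], "ff_d1_q"),                 # register bit 1
}

def fan_in_cone(netlist, ff):
    """LUTs in the combinational fan-in cone of `ff`, plus boundary flip-flops and primary inputs."""
    drivers = {out: name for name, (_, _, out) in netlist.items()}
    luts, ffs, inputs, seen = set(), set(), set(), set()
    queue = deque(netlist[ff][1])
    while queue:
        net = queue.popleft()
        if net in seen:
            continue
        seen.add(net)
        drv = drivers.get(net)
        if drv is None:
            inputs.add(net)                 # undriven net: primary input
        elif netlist[drv][0] == "FF":
            ffs.add(drv)                    # sequential boundary, do not cross
        else:
            luts.add(drv)
            queue.extend(netlist[drv][1])   # keep tracing back through the LUT
    return luts, ffs, inputs

def split_control_data(netlist, min_fanout=2):
    """Heuristic (assumption): a FF reaching >= `min_fanout` other FFs through logic is control."""
    cones = {n: fan_in_cone(netlist, n) for n, c in netlist.items() if c[0] == "FF"}
    reach = defaultdict(set)
    for sink, (_, boundary, _) in cones.items():
        for src in boundary - {sink}:
            reach[src].add(sink)
    control = {n for n in cones if len(reach[n]) >= min_fanout}
    return control, set(cones) - control, cones

def group_registers(netlist):
    """Group data FFs that share the same control FFs into candidate word-level registers."""
    control, data, cones = split_control_data(netlist)
    groups = defaultdict(list)
    for ff in sorted(data):
        groups[frozenset(cones[ff][1] & control)].append(ff)
    return control, [tuple(g) for g in groups.values()]
```

On the toy netlist the state bit is classified as control and the two data bits, gated by the same state bit, fall into one candidate register.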
C) While most of the literature on CPS security is primarily concerned either with 1) detecting and protecting the CPS against sensor and communication attacks or with 2) detecting attacks on the low- and high-level controller, in this work we focus on developing techniques to detect and reconfigure a system in which an attack was not detected at design time. The overall goal here is threefold: 1) to develop methods for run-time detection of any inconsistent behavior of the plant and to estimate where the attack is and what its intent is, 2) in the case that the attack is on the low level, to detect what part of the controller is affected, and 3) to reconfigure and replan to continue operation and maintain safety. Ultimately the objective of the work is to develop and investigate a generalizable, standardized framework and methodology to RE FPGA bitstreams and CPSs for the purpose of detecting and/or mitigating Trojan circuits or malicious activity found in 3rd-party IP.