
CHEST 2020 Research Project Abstracts

P2_22: Reverse Engineering Methodology for FPGA Firmware
Topic Areas: Design Reverse Engineering, FPGA Trojans, Where’s Waldo
Principal investigator: Dr. J. M. Emmert, University of Cincinnati
Co-Principal investigator(s): Dr. Nicola Bezzo, Dr. James H. Lambert and Dr. Zachary Collier, University of Virginia
Co-Principal investigator(s): Dr. Ranga Vemuri, University of Cincinnati

This project will develop methods for reverse engineering (RE) Field Programmable Gate Array (FPGA) programming bitstreams and Cyber-Physical Systems (CPSs) in order to detect and protect against Trojan circuits found in 3rd-party intellectual property (IP). This work builds on the Phase I and Phase II efforts and will focus on: A) adding capability for RE of FPGA programming bitstreams; B) extraction of Register Transfer Level (RTL) models from FPGA look-up-table (LUT) netlists; and C) run-time detection, localization, and mitigation for CPSs under cyber-attack.

A) This effort continues to advance the abstract capabilities developed to create a connected graph of LUTs, in the form of a structural Verilog netlist, from the bitstream used to configure the FPGA. The netlist captures the configured structure, and thus the functional configuration, of each active configurable element in the FPGA. The dominant configurable elements in a typical FPGA are LUTs, but other element types also admit configuration. The netlist exposes the interconnections among the configurable elements along with the connections to input and output terminal devices, so a complete and accurate netlist exposes the entire logic circuit implemented on the FPGA. Where the abstract approach fails, a more device-specific approach will be added to provide a more complete solution.
B) The overall process of reverse engineering RTL models from LUT netlists (which are in turn extracted from bitstreams) starts by separating control flip-flops from data flip-flops. By tracing the fan-in cones of the control flip-flops, the control logic is extracted, and its functionality is expressed as one or more finite-state machines. Simultaneously, the data flip-flops are grouped into word-level registers, counters, and shift registers. Using these anchors, word-level operators are extracted. Following overlap resolution, the word-level structures are assembled into the datapath unit. Finally, the controller and datapath are integrated, and the extracted RTL design is formally verified for correctness against the LUT netlist.
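The cone tracing, control/data separation, register grouping and FSM extraction steps described above, as an added worked example in Python that is not part of the project's tooling. The LUT netlist (a 2-bit controller that gates a 4-bit loadable register) is constructed here, and the cone-fingerprint heuristic used to tell control flip-flops from register bit-slices is an assumption of this example; the page does not say how the project performs that separation. The closing simulation stands in for the formal equivalence check the text mentions.

```python
"""Toy RTL-recovery pass over a LUT-level netlist: fan-in cone tracing,
flip-flop classification, word-level register grouping and FSM extraction.
Constructed example, not the project's tooling."""
from itertools import product

# Constructed netlist (an assumption of this example, not a real design).
# LUT cells carry an INIT truth table: the output is bit
# (in0 + 2*in1 + 4*in2 ...) of INIT.  DFF cells have a single D input.
PRIMARY_INPUTS = ["go", "in0", "in1", "in2", "in3"]
NETLIST = {
    # 2-bit controller, state (s1 s0): 00 -go-> 01 -> 10 -> 00
    "ns0": {"type": "LUT", "inputs": ["s0", "s1", "go"], "init": 0x10},  # ~s0 & ~s1 & go
    "ns1": {"type": "LUT", "inputs": ["s0", "s1"], "init": 0x02},        # s0 & ~s1
    "s0": {"type": "DFF", "inputs": ["ns0"]},
    "s1": {"type": "DFF", "inputs": ["ns1"]},
    "en": {"type": "LUT", "inputs": ["s0", "s1"], "init": 0x04},         # ~s0 & s1: load in state 10
}
for i in range(4):  # 4-bit data register with load enable: d_i <= en ? in_i : d_i
    NETLIST[f"ld{i}"] = {"type": "LUT", "inputs": ["en", f"in{i}", f"d{i}"], "init": 0xD8}
    NETLIST[f"d{i}"] = {"type": "DFF", "inputs": [f"ld{i}"]}


def fanin_cone(net, ff):
    """Trace back from a flip-flop's D input through LUTs until a flip-flop
    output or primary input is reached.  Returns (luts, anchors)."""
    luts, anchors, stack = set(), set(), list(net[ff]["inputs"])
    while stack:
        n = stack.pop()
        if n in net and net[n]["type"] == "LUT":
            if n not in luts:
                luts.add(n)
                stack.extend(net[n]["inputs"])
        else:
            anchors.add(n)  # flip-flop output or primary input
    return luts, anchors


def cone_signature(net, pis, ff):
    """Structural fingerprint of a cone: the multiset of LUT truth tables plus
    its anchors, with the flip-flop itself and primary inputs anonymised so
    the bit-slices of one register fingerprint identically while shared
    control flip-flops keep their names."""
    luts, anchors = fanin_cone(net, ff)
    inits = tuple(sorted(net[l]["init"] for l in luts))
    norm = tuple(sorted("SELF" if a == ff else "PI" if a in pis else a for a in anchors))
    return inits, norm


def classify_flipflops(net, pis):
    """Heuristic (an assumption of this example, not the project's method):
    flip-flops sharing a cone fingerprint are bit-slices of one word-level
    register (data); a flip-flop with a unique fingerprint is control."""
    groups = {}
    for name, cell in net.items():
        if cell["type"] == "DFF":
            groups.setdefault(cone_signature(net, pis, name), []).append(name)
    control = sorted(n for g in groups.values() if len(g) == 1 for n in g)
    registers = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    return control, registers


def evaluate(net, name, values):
    """Evaluate a net from the current flip-flop outputs and primary inputs."""
    if name in values:
        return values[name]
    cell = net[name]
    if cell["type"] != "LUT":
        raise KeyError(f"flip-flop {name} has no assigned value")
    idx = sum(evaluate(net, src, values) << k for k, src in enumerate(cell["inputs"]))
    return (cell["init"] >> idx) & 1


def extract_fsm(net, pis, control):
    """Recover the controller's transition table by exhaustively evaluating the
    control flip-flops' cones: (state, inputs) -> next state.  State bits follow
    `control` order; inputs are the primary inputs those cones read, sorted."""
    ins = sorted({a for ff in control for a in fanin_cone(net, ff)[1] if a in pis})
    table = {}
    for state in product((0, 1), repeat=len(control)):
        for inp in product((0, 1), repeat=len(ins)):
            values = dict(zip(control, state))
            values.update(zip(ins, inp))
            table[(state, inp)] = tuple(evaluate(net, net[ff]["inputs"][0], values) for ff in control)
    return ins, table


def step(net, ff_values, inputs):
    """One clock edge of the full netlist: every flip-flop samples its D input."""
    cur = dict(ff_values, **inputs)
    return {n: evaluate(net, c["inputs"][0], cur) for n, c in net.items() if c["type"] == "DFF"}


if __name__ == "__main__":
    control, registers = classify_flipflops(NETLIST, PRIMARY_INPUTS)
    print("control flip-flops:", control, " word-level registers:", registers)
    ins, table = extract_fsm(NETLIST, PRIMARY_INPUTS, control)
    for (state, inp), nxt in sorted(table.items()):
        print(f"state {state} inputs {dict(zip(ins, inp))} -> {nxt}")
    # Cross-check the recovered RTL against the netlist by simulation:
    # the register should load its inputs exactly when the FSM is in state 10.
    ffs = {n: 0 for n, c in NETLIST.items() if c["type"] == "DFF"}
    stim = {"go": 1, "in0": 0, "in1": 1, "in2": 0, "in3": 1}
    for cycle in range(4):
        ffs = step(NETLIST, ffs, stim)
        print(f"cycle {cycle + 1}: s1s0={ffs['s1']}{ffs['s0']} d={[ffs[f'd{i}'] for i in range(4)]}")
```

On a real LUT netlist the fingerprint heuristic needs refinement (counters and shift registers have feedback cones of their own, and a controller can read datapath flags), and the exhaustive evaluation in `extract_fsm` is only feasible for a handful of control bits; the structure of the pass (cone tracing, anchoring on flip-flops, then reconstructing behaviour from the LUT truth tables) is what carries over.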
C) Most of the literature on CPS security is concerned with either 1) detecting and protecting the CPS against sensor and communication attacks, or 2) detecting attacks on the low- and high-level controllers. In this work we focus on techniques to detect, and reconfigure the system around, an attack that was not detected at design time. The goal here is threefold: 1) develop methods for run-time detection of any inconsistent behavior of the plant and estimate where the attack is and what its intent is; 2) in the case that the attack is on the low-level controller, determine which part of the controller is affected; and 3) reconfigure and replan to continue operation and maintain safety. Ultimately, the objective of the work is to develop and investigate a generalizable, standardized framework and methodology for RE of FPGA bitstreams and CPSs, for the purpose of detecting and/or mitigating Trojan circuits or malicious activity found in 3rd-party IP.