Insights into the mind of a trojan designer

Ender, Maik; Swierczynski, Pawel; Wallat, Sebastian; Wilhelm, Matthias; Knopp, Paul Martin; Paar, Christof

doi:10.1145/3287624.3288742

Cited by 26 publications

(10 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Since Xilinx ISE Design Suite has continued to be widely used to support various types of low cost FPGA chips, reverse engineering using Xilinx ISE Design Suite is as important as using Xilinx Vivado. Since reverse engineering tries to extract the Previously, many studies about reverse engineering [14][15][16][17][18][19][20][21][22][23] have tried to recreate the original design after extracting the bitstream from the external memory while transferring it from a nonvolatile memory. Xilinx supports two integrated development environment-Xilinx ISE Design Suite and Vivado-to synthesize, simulate, and program FPGA chips.…”

Section: Init[0]mentioning

confidence: 99%

“…More precisely, reverse engineering can detect malicious modification by comparing the regenerated design form bitstream and the original netlist. Many previous researches, including [19,20], have discussed this security issues and concerns.…”

Section: Init[0]mentioning

confidence: 99%

“…Previously, many studies about reverse engineering [14][15][16][17][18][19][20][21][22][23] have tried to recreate the original design after extracting the bitstream from the external memory while transferring it from a nonvolatile memory. Xilinx supports two integrated development environment-Xilinx ISE Design Suite and Vivado-to synthesize, simulate, and program FPGA chips.…”

Section: Introductionmentioning

confidence: 99%

“…Xilinx ISE Design Suite supports low-cost FPGA chips, including Spratan-6 and Virtex-6, as well as their previous families, and Xilinx Vivado supports high-performance FPGA chips, including state-of-the-art Virtex-7, Kintex-7, and Artiex-7. Most previous studies have focused on recovering bitstreams generated from Xilinx ISE Design Suite according to [14][15][16][17][18][19][20][21], and recent studies in [22,23] have started to investigate recovering bitstream generated from Xilinx Vivado. Since Xilinx ISE Design Suite has continued to be widely used to support various types of low cost FPGA chips, reverse engineering using Xilinx ISE Design Suite is as important as using Xilinx Vivado.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Fast Logic Function Extraction of LUT from Bitstream in Xilinx FPGA

Choi

Yoo

2020

Electronics

View full text Add to dashboard Cite

This paper presents a fast method to extract logic functions of look-up tables (LUTs) from a bitstream in Xilinx FPGAs. In general, FPGAs utilize LUTs as a primary resource to realize a logic function, and a typical N-input LUT comprises 2N 1-bit SRAM and N – 1 multiplexers. Whereas the previous research demands 2N exhaustive processing to find a mapping rule between an LUT and a bitstream, the proposed method decreases the processing to 2N by eliminating unnecessary processing. Experimental results show that the proposed method can reduce reversing time by more than 57% and 85% for Xilinx Spartan-3 and Virtex-5 compared to the previous exhaustive algorithm. It is noticeable that the reduction time becomes more significant as a commercial Xilinx FPGA tends to include a more tremendous number of LUTs.

show abstract

Section: Init[0]mentioning

confidence: 99%

Section: Init[0]mentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Fast Logic Function Extraction of LUT from Bitstream in Xilinx FPGA

Choi

Yoo

2020

Electronics

View full text Add to dashboard Cite

show abstract

“…Examples of the former include Project X-Ray (SymbiFlow Team, 2019), that focusses on documenting the Xilinx ® 7-Series FPGA architecture to develop a Verilog to bitstream toolchain, and EXTRA, an integrated environment for developing and programming reconfigurable architectures (Ciobanu et al, 2018). Security investigations are mostly centred around injecting malicious bits into the bitstream (Ender et al, 2019;Swierczynski, Becker, Moradi, & Paar, 2018), weakening/breaking bitstream encryption (Celebucki, Graham, & Gunawardena, 2018;Swierczynski, Fyrbiak, Koppe, & Paar, 2015), and extracting the design from the device (Ding, Wu, Zhang, & Zhu, https://doi.org/10.18489/sacj.v31i1.620 2013). An excellent source covering the current state of reverse engineering of FPGA bitstreams, including those from other vendors, can be found in (Yu, Lee, Lee, Kim, & Lee, 2018).…”

Section: Manipulating Fpga Resourcesmentioning

confidence: 99%

Parsing and analysis of a Xilinx FPGA bitstream for generating new hardware by direct bit manipulation in real-time

Roux

Schoor

Vuuren

2019

SACJ

View full text Add to dashboard Cite

Despite the many advantages run-time reconfiguration of FPGAs brings to the table, its usage is mostly limited to quasi-static applications. This is either due to the throughput of the reconfiguration process, or the time required to create new hardware. In order to optimise the former, the literature proposes a block RAM (BRAM)-based architecture in which a new configuration is stored in localised memory and reconfiguration is facilitated by a controller implemented in the FPGA fabric. The limitation of this architecture is that only a subset of configurations can be stored. When new hardware is required, the slow synthesis process (or a part thereof) has to be repeated for each new configuration. Various third-party tools aim to mitigate this overhead, but since the bitstream is shrouded in obscurity, all rely on a layer of abstraction that make them unusable in real-time. To address this issue, this paper presents a novel method to parse and analyse a Xilinx® FPGA bitstream to extract certain characteristics. It is shown how these characteristics could be used to design and implement a bitstream specialiser, capable of taking a bitstream and modifying the configuration bits of lookup tables in real-time.

show abstract