
A Research On Critical Techniques Of FPGA Reverse Engineering

Posted on: 2020-11-05
Degree: Master
Type: Thesis
Country: China
Candidate: T Zhang
GTID: 2428330596476067
Subject: Communication and Information System
Abstract/Summary:
FPGA (Field Programmable Gate Array) is widely used in various domains, such as aerospace and high performance computing. Hence, its security attracts attention from both academia and industry. Nowadays, FPGAs suffer from growing Hardware Trojan (HT) attacks, and many techniques, e.g. RTL code/netlist-based analysis, have been proposed to detect HTs on FPGAs. However, most FPGA end users can only obtain the bitstream rather than the RTL code. To address this dilemma, we research critical techniques of FPGA reverse engineering and present a comprehensive FPGA reverse engineering tool-chain in this thesis. The tool-chain can precisely convert a bitstream to RTL code, paving the way for netlist/code-based hardware Trojan detection. Our main contributions are threefold:

1) FPGA Reverse Engineering Tool-chain Design and Implementation. To achieve the goal of FPGA reverse engineering, we design and implement an FPGA reverse engineering tool-chain involving three tools, namely a library generator, a bitstream reversal tool and a netlist reversal tool. The library generator obtains the proprietary bitstream mapping information through thorough black-box testing to construct an exhaustive database, supporting the subsequent reversing operations. The bitstream reversal tool analyzes and processes bitstream data based on the information in the database, recovering the netlist from the bitstream. The netlist reversal tool transforms the netlist into RTL code. In this way, our tool-chain performs the complete reverse engineering, i.e., bitstream-to-netlist and netlist-to-code.

2) Evaluation of Our FPGA Reverse Engineering Tool-chain. We evaluate our tool-chain qualitatively and quantitatively. In the qualitative evaluation, we compare our tool-chain with existing reverse engineering tools. Through the comparison, we find that our tool-chain is more comprehensive than the others, since it covers all reversing stages, i.e., bitstream-to-netlist and netlist-to-code. In the quantitative evaluation, we perform reverse engineering on the bitstreams of 13 benchmarks and obtain the netlist with a 100% correct rate. In addition, in the netlist reversing experiments, our recovered RTL code passes formal verification against the original code, showing that the recovered code is functionally equivalent to the original.

3) FPGA Reverse Engineering Applications: HT Detection and Insertion. After demonstrating the effectiveness of our tool-chain, we select a Trojan-infected design and recover the netlist and code from its bitstream. Then we use two HT detection techniques, COTD (Controllability and Observability for hardware Trojan Detection) and CA (Coverage Analysis), to check the recovered files respectively. The experimental results reveal that the malicious logic can be identified successfully in this workflow. Moreover, we present a reverse engineering-based method for HT insertion and design two new Network-on-Chip (NoC) HTs which can be implanted in recovered RTL code.
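A toy model of the library-generator and bitstream-reversal stages described in contribution 1), added here as an illustration and not part of the thesis or its tool-chain. The device (four LUT4 cells in one 64-bit frame), its secret bit layout and the black-box vendor compiler are all constructed stand-ins; real bitstreams add frame addressing and headers, but the differential-probing idea is the same.

```python
import random

LUT_COUNT, INIT_BITS = 4, 16                 # constructed device: four LUT4 cells
FRAME_BITS = LUT_COUNT * INIT_BITS           # one 64-bit configuration frame

# Constructed stand-in for the vendor's undocumented bit layout: a fixed
# secret permutation of frame positions. The reverser never reads this.
_SECRET_LAYOUT = random.Random(20201105).sample(range(FRAME_BITS), FRAME_BITS)

def vendor_compile(inits):
    """Black-box 'vendor tool': netlist (one INIT value per LUT) -> bitstream bytes."""
    frame = 0
    for lut, init in enumerate(inits):
        for b in range(INIT_BITS):
            if (init >> b) & 1:
                frame |= 1 << _SECRET_LAYOUT[lut * INIT_BITS + b]
    return frame.to_bytes(FRAME_BITS // 8, "big")

def build_library(compile_fn):
    """Library generator: black-box differential testing. Compile an all-zero
    baseline, then for each (lut, INIT bit) compile a design that sets only that
    bit and record the frame bits that changed as a mask keyed by (lut, bit)."""
    base = int.from_bytes(compile_fn([0] * LUT_COUNT), "big")
    lib = {}
    for lut in range(LUT_COUNT):
        for b in range(INIT_BITS):
            probe = [0] * LUT_COUNT
            probe[lut] = 1 << b
            diff = int.from_bytes(compile_fn(probe), "big") ^ base
            if diff == 0:   # probe had no visible effect: the library would be incomplete
                raise ValueError(f"LUT{lut} INIT[{b}] is not observable in the bitstream")
            lib[(lut, b)] = diff
    return lib

def reverse_bitstream(bitstream, lib):
    """Bitstream reversal: look up every frame mask in the library and rebuild
    the INIT values, i.e. the LUT-level netlist, from an unknown bitstream."""
    frame = int.from_bytes(bitstream, "big")
    inits = [0] * LUT_COUNT
    for (lut, b), mask in lib.items():
        if frame & mask == mask:
            inits[lut] |= 1 << b
    return inits

if __name__ == "__main__":
    library = build_library(vendor_compile)
    # Constructed design: LUT0 = XOR4, LUT1 = AND4, LUT2 = OR4, LUT3 = NOT(input 3)
    design = [0x6996, 0x8000, 0xFFFE, 0x00FF]
    print(reverse_bitstream(vendor_compile(design), library) == design)  # True
```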
Keywords/Search Tags:FPGA, Reverse Engineering, Hardware Trojan, Hardware Security