
Stealing Maggie's Secrets -- On the Challenges of IP Theft Through FPGA Reverse Engineering (2312.06195v3)

Published 11 Dec 2023 in cs.CR

Abstract: Intellectual Property (IP) theft is a cause of major financial and reputational damage, reportedly in the range of hundreds of billions of dollars annually in the U.S. alone. Field Programmable Gate Arrays (FPGAs) are particularly exposed to IP theft, because their configuration file contains the IP in a proprietary format that can be mapped to a gate-level netlist with moderate effort. Despite this threat, the scientific understanding of this issue lags behind reality, thereby preventing an in-depth assessment of IP theft from FPGAs in academia. We address this discrepancy through a real-world case study on a Lattice iCE40 FPGA found inside the iPhone 7. Apple refers to this FPGA as Maggie. By reverse engineering the proprietary signal-processing algorithm implemented on Maggie, we generate novel insights into the actual efforts required to commit FPGA IP theft and the challenges an attacker faces on the way. Informed by our case study, we then introduce generalized netlist reverse engineering techniques that drastically reduce the required manual effort and are applicable across a diverse spectrum of FPGA implementations and architectures. We evaluate these techniques on six benchmarks that are representative of different FPGA applications and have been synthesized for Xilinx and Lattice FPGAs, as well as in an end-to-end white-box case study. Finally, we provide a comprehensive open-source tool suite of netlist reverse engineering techniques to foster future research, enable the community to perform realistic threat assessments, and facilitate the evaluation of novel countermeasures.

Authors (12)
  1. Simon Klix (1 paper)
  2. Nils Albartus (5 papers)
  3. Julian Speith (5 papers)
  4. Paul Staat (12 papers)
  5. Alice Verstege (1 paper)
  6. Annika Wilde (3 papers)
  7. Daniel Lammers (1 paper)
  8. Jörn Langheinrich (1 paper)
  9. Christian Kison (4 papers)
  10. Daniel Holcomb (12 papers)
  11. Christof Paar (41 papers)
  12. Sebastian Sester-Wehle (1 paper)