Poster: Towards Reverse Engineering FPGA Bitstreams for Hardware Trojan Detection
Yezee Seo (1), Junghwan Yoon (1), Jaedong Jang (1), Mingi Cho (1), Hoon-Kyu Kim (2), and Taekyoung Kwon (1)
(1) Information Security Lab, Yonsei University, Seoul, 03722, Korea
(2) Agency for Defense Development, Seoul, Korea
(1) {seoyz0716, yjh1226, woehd91, imgc, taekyoung}@yonsei.ac.kr
(2) hunk@add.re.kr
Abstract—FPGAs are field-programmable and reconfigurable integrated circuits that aim at both hardware and software advantages. They are increasingly combined with microprocessors in the form of all-programmable SoCs. A security problem in FPGAs is that the configuration data, called a bitstream, which must be loaded into the circuits, is susceptible to both malicious fabrication and modification attacks precisely because of this flexibility. That is, a hardware Trojan can be loaded into the circuits. In this study, we consider reverse engineering of bitstreams a promising basis for detecting hardware Trojans in a static manner, because current techniques relying on dynamic signal analysis are neither cost-effective nor precise. A challenge is that bitstream reverse engineering is far from easy, since the detailed format of the bitstream is proprietary to the FPGA vendors. As a preliminary study, we design the general architecture of bitstream reverse engineering for hardware Trojan detection in this respect, and present a detailed method for reverse engineering the core resources of FPGAs. We also discuss our on-going work and future directions.
I. INTRODUCTION
A field-programmable gate array (FPGA) is an integrated circuit device that can be programmed, and re-programmed after manufacture, to run many specific applications. It can also implement software processor cores and be combined with hardware processor cores. These reconfigurable and general features of FPGAs allow an application system to be designed more flexibly, offering both hardware performance and software diversity. For these reasons, FPGAs are already used in various application fields, such as cryptographic cores, multimedia processing, automotive, and military systems, and the range of fields employing FPGAs is still growing.

The system loaded onto the FPGA is first written in a hardware description language (HDL), such as Verilog or VHDL, and the synthesized design is then loaded onto the FPGA device in the form of a bitstream. During the synthesis process, various external IP cores may be employed, usually in a form that protects the third party's intellectual property.
As the use of FPGAs increases rapidly, there are growing concerns about the security of FPGAs because of potential threats such as hardware Trojans (HT), cloning, tampering and denial-of-service attacks [8]. An HT is a serious threat because it can hide in the hardware, evading simple dynamic detection methods until it is triggered, and once its trigger condition is met it can perform many kinds of malicious actions, such as information leakage and unintended malfunctions [4].
In FPGA-based systems, an HT could be inserted into the FPGA design through many routes, e.g., outsourcing to an external vendor, using untrusted third-party IPs, and reconfiguration within the FPGA supply chain. To cope with these problems, various methods for HT detection have been studied and applied. Interestingly, most of those approaches rely on logic testing and side-channel analysis. That is, they are dynamic analysis methods that detect an HT by observing signals obtained from the device when the HT is activated. Thus, limitations remain: logic testing has difficulty triggering the HT, and side-channel analysis cannot easily detect an HT whose measurable effect is insignificant [2]. To overcome such limitations, a detection method based on static analysis has also been studied, but it assumes that a gate-level netlist is given [6]. Such static analysis methods have difficulty detecting an HT inserted directly into the bitstream through modification or manipulation of an existing bitstream. Therefore, to detect the HT, it is necessary to "reverse engineer" the bitstream back to a gate-level netlist. However, bitstream reverse engineering (RE) is a challenging task because vendors are reluctant to disclose the bitstream format, and the design size and complexity of FPGAs have increased significantly.
Previous studies of FPGA bitstream RE aimed at bitstream format analysis and efficient reconfiguration. debit [5] first introduced a correlation algorithm for bitstream RE by analyzing the bitstream format of the Virtex 2. BIL [1] extended that work by using the XDLRC file, which contains information about all resources, as prior knowledge to evaluate the RE result. Although BIL recovered only partial resources of specific tiles, it showed a promising direction for bitstream RE. bit2ncd [3] aimed at more complete RE for efficient reconfiguration purposes, although it was unclear whether the logic implemented in each lookup table (LUT) was correctly recovered. Unlike the previous RE studies, in this paper we focus on hardware Trojan detection.
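As an added illustration (not from this poster or from debit, BIL or bit2ncd) of the differential correlation idea behind those tools, and of how a recovered PIP/PLP netlist can be checked against a trusted design for static HT detection: the bit layout, resource names and bitstreams below are constructed for the example and stand in for the undisclosed vendor format, not a real one.

```python
from typing import Dict, List, Set

# CONSTRUCTED layout standing in for the undisclosed vendor format: which
# bit positions a resource occupies. The analysis below must rediscover it.
# Names loosely follow XDL conventions; PIPs are routing, the LUT init is PLP.
VENDOR_LAYOUT: Dict[str, Set[int]] = {
    "pip INT_X0Y0 WW2BEG0 -> WW2END0": {3, 17},
    "pip INT_X0Y0 NN2BEG1 -> NN2END1": {5, 18},
    "plp SLICE_X0Y0 A6LUT init": {8, 9, 10, 11},
}

def fabricate_bitstream(resources: Set[str], nbits: int = 32) -> bytes:
    """Stand-in for the vendor tool: a 32-bit frame with the bits of every
    enabled resource set (toy size; real frames are far larger)."""
    value = 0
    for res in resources:
        for pos in VENDOR_LAYOUT[res]:
            value |= 1 << pos
    return value.to_bytes(nbits // 8, "big")

def bit_positions(frame: bytes) -> Set[int]:
    value = int.from_bytes(frame, "big")
    return {i for i in range(len(frame) * 8) if value >> i & 1}

def learn_layout(baseline: bytes, probes: Dict[str, bytes]) -> Dict[str, Set[int]]:
    """Correlation step: each probe design enables exactly one resource on top
    of the (empty) baseline, so the bits that flip belong to that resource."""
    base = bit_positions(baseline)
    return {name: bit_positions(frame) ^ base for name, frame in probes.items()}

def recover_netlist(frame: bytes, layout: Dict[str, Set[int]]) -> List[str]:
    """Decode a bitstream into XDL-style resource lines using a learned layout."""
    on = bit_positions(frame)
    return sorted(name for name, bits in layout.items() if bits and bits <= on)

def find_extra_resources(frame: bytes, layout: Dict[str, Set[int]],
                         golden: Set[str]) -> List[str]:
    """Static HT check: resources configured in the bitstream that the trusted
    (golden) netlist does not contain."""
    return [res for res in recover_netlist(frame, layout) if res not in golden]

if __name__ == "__main__":
    baseline = fabricate_bitstream(set())
    probes = {res: fabricate_bitstream({res}) for res in VENDOR_LAYOUT}
    layout = learn_layout(baseline, probes)
    golden = {"pip INT_X0Y0 WW2BEG0 -> WW2END0", "plp SLICE_X0Y0 A6LUT init"}
    # Constructed tampered bitstream: the golden design plus one extra PIP.
    tampered = fabricate_bitstream(golden | {"pip INT_X0Y0 NN2BEG1 -> NN2END1"})
    print("unexpected resources:", find_extra_resources(tampered, layout, golden))
```

The probe-per-resource step is the part that scales badly on real devices, which is why BIL leans on the XDLRC resource description as prior knowledge instead of probing blindly.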
II. SYSTEM DESIGN
Given a bitstream file, we need to recover a netlist that reveals the actual FPGA circuit configuration. The configuration resources divide clearly into two parts: Programmable Interconnect Points (PIP), which represent the connection information of the FPGA, and Programmable Logic Points (PLP), which capture the logic implementation, such as clocks, multipliers, registers, and LUTs. Thus, we need to recover both for HT detection. Among the various netlist forms, we consider a textual format, such as XDL, to identify the configured functions and finally use them for static analysis and HT detection. We adopt a machine learning technique for HT detection at the XDL level,