Project Name: Open-Source tools for Reverse-engineering the FPGA bit-stream to HDL

Project Area: FPGAs

Target: Military? NSA?

People Needs and Allocation: This is a significant project

Skills: Programming, FPGA architecture, Graph Theory

Description: The goal of this work is to create open-source tools that take the bit-stream used to program an FPGA and reverse engineer it to HDL. The major aspects of this work are the creation of tools for reverse engineering low-level hardware (FPGAs being the first target). The first step is to use the open source flow and reconstruct.
However, the only time VTR has had a bitstream output was in the GILES work, so we would need to add an output bitstream (this should be configurable in different ways to test out the restructuring algorithms later; C - a tool to create bitstream outputs from a connectivity graph, configurable in the bit ordering and copying of data...might do after A). In this case, we have the connectivity graph of the architecture (A - a tool to make connectivity graphs from architecture details). The second assumption we can make is that we have the bit file and the organization of how it maps to the connection graph (B - a tool to map bit program to graph). From the graph we first construct a level 1 logic system (D - level 1 netlist of LUT gates, Arithmetic Functions, Carry chains, Shift Registers, Registers, Memories, PIs and POs) and see if we can infer what they do (levelize to compartmentalize, FSM identification (one-hot assumption and not for ASIC?), number representation?). What if this tool has hints of what pins are connected to (audio codec chip, GPIO, protocol PID)? From this higher level representation, can we convert into HDL form (E - no hierarchy, just separated units?)? Are there higher level transformations?

The next step is for a general architecture. Can the CAD flow for that tool be used to create the understanding of A and B tools? How many runs? How is the tool used in an automated framework? Can we reverse logic optimization? Can we see attack structures and backdoors on the chip?

Secondary possibilities:
- This would be a good project and building ground for a training program at Miami on reverse engineering and security skills for students
- This might be useful in getting traces in HDL from low-level information to attach the two (we have problems because of ABC in Odin-II in the VTR flow)

Concerns for a Canadian working on this work: The solution around this is to build the open source tool on academic flows.
This trains students who can then go behind secure doors and continue development of the tools for real FPGAs. I as PI can be a consultant at that point without access to the secret development.

References:
- Florian Benz, André Seffrin, and Sorin A. Huss, "BIL: A Tool-Chain for Bitstream Reverse-Engineering"
- Hoyoung Yu, Hansol Lee, Sangil Lee, Youngmin Kim, and Hyung-Min Lee, "Recent Advances in FPGA Reverse Engineering"
- Randy Torrance and Dick James, "The State-of-the-Art in IC Reverse Engineering"
- Ang Li and David Wentzlaff, "PRGA: An Open-source Framework for Building and Using Custom FPGAs", 2019 Workshop on Open Source Design Automation (OSDA '19), March 2019, Florence, Italy. (http://parallel.princeton.edu/pubs.html)

Resources:
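
Tools A, B, D and E from the Description, carried through on a constructed toy fabric, as an added example that is not part of the original proposal. The fabric, its bit layout and all names (SOURCES, BITMAP, decode, to_hdl) are assumptions made for illustration and correspond to no real FPGA or VTR format.

```python
# Constructed toy fabric (an assumption, not a real device): inputs a, b, c,
# two 2-input LUTs whose inputs each come from a 4:1 routing mux, one output mux.
SOURCES = ["a", "b", "c", "lut0"]   # routing-mux input selected by a 2-bit field
LUTS = ["lut0", "lut1"]

# Tool A: architecture description -> position of every configuration field.
BITMAP, _off = {}, 0
for _lut in LUTS:
    for _name, _width in (("sel0", 2), ("sel1", 2), ("tt", 4)):
        BITMAP[(_lut, _name)] = (_off, _width)
        _off += _width
BITMAP[("out", "sel")] = (_off, 1)
NBITS = _off + 1

def field(bits, key):
    """Tool B: slice one configuration field out of the bitstream."""
    off, width = BITMAP[key]
    return bits[off:off + width]

def decode(bits):
    """Tools B and D: bitstream -> ({lut: (in0, in1, truth table)}, output driver)."""
    if len(bits) != NBITS or set(bits) - {"0", "1"}:
        raise ValueError("bitstream does not match the fabric description")
    net = {}
    for lut in LUTS:
        in0 = SOURCES[int(field(bits, (lut, "sel0")), 2)]
        in1 = SOURCES[int(field(bits, (lut, "sel1")), 2)]
        if lut in (in0, in1):
            raise ValueError(f"{lut} drives its own input (combinational loop)")
        net[lut] = (in0, in1, field(bits, (lut, "tt")))
    return net, LUTS[int(field(bits, ("out", "sel")), 2)]

def to_hdl(bits):
    """Tool E: flat Verilog-style assigns; tt[i] is the output for (in1, in0) == i."""
    net, out = decode(bits)
    lines = []
    for lut, (in0, in1, tt) in net.items():
        terms = [f"({'' if i >> 1 else '~'}{in1} & {'' if i & 1 else '~'}{in0})"
                 for i in range(4) if tt[i] == "1"]
        expr = " | ".join(terms) or "1'b0"
        lines.append(f"assign {lut} = {expr};")
    return lines + [f"assign y = {out};"]

# Constructed sample: lut0 = a XOR b, lut1 = lut0 AND c, y = lut1.
SAMPLE = "00010110" + "11100001" + "1"

if __name__ == "__main__":
    print("\n".join(to_hdl(SAMPLE)))
```

Changing the field order in BITMAP and re-encoding the sample is the kind of configurable bit ordering the Description asks of tool C for testing the reconstruction.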