Search for: All records

We describe a fast, abstract method for reverse engineering (RE) field programmable gate array (FPGA) look-up-tables (LUTs). Our method has direct applications to hardware (HW) metering and FPGA fingerprinting, and our approach allows easy portability and application to most L UT based FPGAs. Unlike conventional RE methodologies that rely on vendor specific code (like Xilinx XDL), tools, configuration files, components, etc., our methodology is not dependent on any specific FPGA or FPGA computer aided design (CAD) tool. We use generic hardware description language (HDL) code based on specially connected CASE statements to program the L UTs on a target FPGA. Our specially connected CASE statements allow us to guide placement of L UT functions on successive synthesis runs. This enables us to quickly determine which bits in the FPGA 's configuration file match to FPGA L UT bits. After we know which bits are L UT bits, we can go further and match specific LUT bits to specific bits in the configuration file, thereby creating a one-to-one mapping between every L UT memory cell and its matching bit in the configuration file. In this paper we present our CASE statement functions for performing one-to-one mapping of all FPGA L UT memory cell bits to specific configuration file bits. We have successfully applied our methods to several 7000 series Xilinx and Intel (Altera) FPGAs. 

Reverse engineering (RE) is a widespread practice within engineering, and it is particularly relevant for discovering maliciousfunctionality in digital hardware components. In this paper, we discuss bitstream or firmware RE for field programable gate arrays (FPGAs). A bitstream establishes the configuration of the FPGA device fabric. Complete knowledge of both the physical device fabric and a specific bitstream should be sufficient to determine the complete configuration of the programmed FPGA. However, a significant challenge to bitstream RE arises because information about the FPGA fabric and interpretation of the bitstream is typically incomplete. The uncertainties limit the confidence in the correctness of any configuration determined through the RE process. This paper identifies representative sources of uncertainty in bitstream RE of FPGA devices. 

One approach to mitigate side-channel attacks (SCAs) is to use clockless, asynchronous digital logic. To simplify this process, we propose a unique asynchronous FPGA based on a new THx2 programmable threshold cell. At a minimum, FPGAs require a programmable logic cell that can implement a complete set of logic so that it can be connected through the programmable interconnect network to form any digital system. To meet that criteria, we take advantage of CMOS transistors to implement a programmable THx2 threshold cell capable of performing both TH12 and TH22 asynchronous operations. Our complete sixteen transistor FPGA cell includes eight transistors to implement the base THx2 threshold operation, three transistors to switch between the TH12 and TH22 modes, and five memory cell transistors for mode storage. Our unique minimal transistor, programmable THx2 implementation enables formation of a complete set of asynchronous threshold gates and a complete set of standard combinational logic functions. The symmetric nature of the FPGA cell, in regard to the number of transistors (eight NMOS and eight PMOS), makes it ideal for a four row by four column transistor grid with a nearly square, easily array-able layout. It should be noted our THx2 cell is highly compact and suitable for implementing a clockless, asynchronous FPGA.