Highway to HAL: open-sourcing the first extendable gate-level netlist reverse engineering framework

Since hardware often serves as the root of trust in our modern interconnected world, malicious hardware manipulations constitute a ubiquitous threat in the context of the Internet of Things (IoT). Hardware reverse engineering is a prevalent technique for detecting such manipulations. Over the past years, an active research community has significantly advanced the field of hardware reverse engineering. Notably, many open research questions regarding the extraction of functionally correct netlists from Field Programmable Gate Arrays (FPGAs) or Application Specific Integrated Circuits (ASICs) have been tackled. To facilitate further analysis of recovered netlists, a software framework is required that serves as the foundation for specialized algorithms. Currently, no such framework is publicly available. Therefore, we provide the first open-source, gate-library-agnostic framework for gate-level netlist analysis. In this position paper, we demonstrate the workflow of our modular framework HAL on the basis of two case studies and provide profound insights into its technical foundations.
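To make the notion of a gate-library-agnostic netlist analysis concrete, the following Python example, added here and not taken from HAL or the paper, models a recovered netlist as gates connected by nets, keeps the gate semantics in a separate, swappable library, and runs two analyses a trojan-detection or functionality-recovery algorithm would build on: computing the fan-in cone of a net, and checking whether a net implements a known reference function. The toy library, the `Gate`/`Netlist` classes, the one-bit full adder and all expected values are constructed for this illustration and do not correspond to HAL's data model or API.

```python
"""Toy gate-level netlist model with library-agnostic analysis.

Added illustration of the kind of analysis a netlist framework has to support;
this is NOT HAL's data model or API. The gate library, the netlist (a one-bit
full adder) and all values below are constructed for this example.
"""
from dataclasses import dataclass, field
from itertools import product
from typing import Callable, Dict, List, Set, Tuple

# A gate library maps a gate type name to a boolean function over its input pins.
# The netlist never hard-codes gate semantics; swapping the library is enough
# to analyse a netlist written against a different vendor cell set.
GateLibrary = Dict[str, Callable[[Dict[str, bool]], bool]]

TOY_LIBRARY: GateLibrary = {
    "AND2": lambda p: p["A"] and p["B"],
    "OR2":  lambda p: p["A"] or p["B"],
    "XOR2": lambda p: p["A"] != p["B"],
    "INV":  lambda p: not p["A"],
}


@dataclass
class Gate:
    name: str
    gate_type: str
    inputs: Dict[str, str]  # input pin name -> net name
    output: str             # net name driven by this gate


@dataclass
class Netlist:
    primary_inputs: List[str]
    gates: Dict[str, Gate] = field(default_factory=dict)
    _driver: Dict[str, Gate] = field(default_factory=dict)  # net -> driving gate

    def add_gate(self, gate: Gate) -> None:
        # A net with two drivers is malformed; reject it at construction time.
        if gate.output in self._driver or gate.output in self.primary_inputs:
            raise ValueError(f"net {gate.output} has more than one driver")
        self.gates[gate.name] = gate
        self._driver[gate.output] = gate

    def fan_in_cone(self, net: str) -> List[str]:
        """Names of every gate that transitively drives `net` (DFS over drivers)."""
        cone: Set[str] = set()
        visited: Set[str] = set()
        stack = [net]
        while stack:
            n = stack.pop()
            if n in visited:
                continue
            visited.add(n)
            gate = self._driver.get(n)
            if gate is None:
                if n not in self.primary_inputs:
                    raise KeyError(f"undriven net: {n}")
                continue
            cone.add(gate.name)
            stack.extend(gate.inputs.values())
        return sorted(cone)

    def evaluate(self, net: str, lib: GateLibrary, pi_values: Dict[str, bool]) -> bool:
        """Combinational value on `net` for the given primary-input assignment."""
        gate = self._driver.get(net)
        if gate is None:
            return pi_values[net]  # raises KeyError for an undriven, non-PI net
        if gate.gate_type not in lib:
            raise KeyError(f"gate type {gate.gate_type!r} missing from library")
        pins = {pin: self.evaluate(src, lib, pi_values) for pin, src in gate.inputs.items()}
        return lib[gate.gate_type](pins)

    def truth_table(self, net: str, lib: GateLibrary) -> Dict[Tuple[bool, ...], bool]:
        """Exhaustive truth table of `net` over the primary inputs (small designs only)."""
        table: Dict[Tuple[bool, ...], bool] = {}
        for bits in product((False, True), repeat=len(self.primary_inputs)):
            assignment = dict(zip(self.primary_inputs, bits))
            table[bits] = self.evaluate(net, lib, assignment)
        return table


def matches_reference(netlist: Netlist, net: str, lib: GateLibrary, reference) -> bool:
    """True if `net` computes reference(*primary_inputs) for every input vector.
    This is the basic check behind recognising a known sub-circuit in a netlist."""
    return all(val == reference(*bits) for bits, val in netlist.truth_table(net, lib).items())


def build_full_adder() -> Netlist:
    """Constructed sample: a one-bit full adder on nets a, b, cin -> sum, cout."""
    nl = Netlist(primary_inputs=["a", "b", "cin"])
    nl.add_gate(Gate("g1", "XOR2", {"A": "a", "B": "b"}, "n1"))
    nl.add_gate(Gate("g2", "XOR2", {"A": "n1", "B": "cin"}, "sum"))
    nl.add_gate(Gate("g3", "AND2", {"A": "a", "B": "b"}, "n2"))
    nl.add_gate(Gate("g4", "AND2", {"A": "n1", "B": "cin"}, "n3"))
    nl.add_gate(Gate("g5", "OR2", {"A": "n2", "B": "n3"}, "cout"))
    return nl


if __name__ == "__main__":
    fa = build_full_adder()
    print("gates driving cout:", fa.fan_in_cone("cout"))
    print("cout is majority(a, b, cin):",
          matches_reference(fa, "cout", TOY_LIBRARY, lambda a, b, c: (a + b + c) >= 2))
```

The separation between `Netlist` (pure connectivity) and `GateLibrary` (cell semantics) is the design point: the cone and truth-table analyses never look inside a gate type, so the same code runs on a netlist recovered from an FPGA LUT library or an ASIC standard-cell library once a matching library is supplied. Exhaustive truth tables only scale to small cones; a real framework would substitute SAT- or BDD-based equivalence checks.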
