Sunday, November 16, 2014

Protecting proprietary configuration (Verilog/VHDL) in an FPGA




Can a hacker read the proprietary configuration from the FPGA?
The short answer is yes and no.

Obviously, the VHDL/Verilog source files themselves can be targets of attack. The concern here is the bitstream configuration.

The attacker can read the configuration either directly from the FPGA, or indirectly by reading the EEPROM device.
For example, consider a laptop connected directly to the FPGA via a JTAG interface. A hacker with remote or local access to the laptop will have access to the FPGA data. Now imagine a case where the configuration data is stored in an EEPROM. Even this case does not prevent a hacker from accessing an FPGA/EEPROM JTAG port connected to a network node.

That said, even if the hacker had the full bitstream from the FPGA, he/she will have a hard time reverse engineering it. This is especially true for FPGAs from vendors (and that is most of them) who balk at releasing their architecture specifications regarding the bitstream. Moreover, bitstreams can be encrypted (for example, IPs) on the disk and decrypted by the FPGA. Note: even if the bitstream cannot be easily reverse engineered, it can possibly be reused.
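
A check a defender can run on the image written to (or dumped from) the configuration EEPROM, as an added example that is not from the original post: ciphertext from a sound cipher is statistically indistinguishable from random bytes, so any low-entropy window means part of the image is stored in the clear. The window size, threshold and sample data are assumptions constructed for illustration; high entropy alone does not prove encryption, since a compressed bitstream looks the same.

```python
import hashlib
import math
from collections import Counter

WINDOW = 4096  # bytes per window; an arbitrary choice, not a vendor frame size


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_image(image: bytes, threshold: float = 7.5) -> dict:
    """Report fixed-size windows whose entropy is too low to be ciphertext."""
    # Only full windows are scored; a short tail gives an unstable estimate.
    scores = [shannon_entropy(image[i:i + WINDOW])
              for i in range(0, len(image) - WINDOW + 1, WINDOW)]
    low = [i for i, s in enumerate(scores) if s < threshold]
    return {
        "windows": len(scores),
        "min_entropy": min(scores, default=0.0),
        "low_entropy_windows": low,
        "plaintext_detected": bool(low),
    }


def _keystream(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 over a counter."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


# Constructed samples, not real bitstreams.
ENCRYPTED_LIKE = _keystream(16 * WINDOW)
# Sparse configuration words in otherwise unused (all-zero) fabric.
PLAINTEXT_LIKE = (b"\x00" * 60 + b"\x12\x34\x56\x78") * (16 * WINDOW // 64)
# One ciphertext-like window, then plaintext: per-window scores show where.
MIXED = _keystream(WINDOW) + PLAINTEXT_LIKE[:15 * WINDOW]

if __name__ == "__main__":
    for name, img in [("encrypted-like", ENCRYPTED_LIKE),
                      ("plaintext-like", PLAINTEXT_LIKE), ("mixed", MIXED)]:
        print(name, assess_image(img))
```

A `plaintext_detected` result on an image that was supposed to be encrypted means the readback paths described above would yield usable configuration data.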

A beautiful paper is written here about converting from bitstream to netlist. Another paper here discusses the vulnerability of FPGA bitstream encryption to power analysis attacks.

Altera discusses military anti-tampering solutions for its Stratix product lines here.
