Trojans Modifying Soft-Processor Instruction Sequences Embedded in FPGA Bitstreams

  • Authors: Ismail San (UC/Santa Barbara), Nicole Fern (UC/Santa Barbara), Cetin Koc (UC/Santa Barbara), K.T. Tim Cheng (UC/Santa Barbara)
  • Publication ID: P091210
  • Publication Type: Paper
  • Received Date: 30-Jun-2017
  • Last Edit Date: 30-Jun-2017
  • Research: 2634.001 (University of California/Santa Barbara)

Abstract

Reconfigurable platforms such as FPGAs and CPLDs are used to implement flexible and lightweight embedded systems, often using soft-processors and a fixed instruction sequence stored in block memories. Although the bitstream format is proprietary for most vendors, in this work we demonstrate how to identify and extract block memory contents within the bitstream, allowing an adversary to learn and possibly modify the fixed instruction sequence. Manipulating the instruction sequence by inserting a Trojan in the bitstream, as opposed to in the RTL code, allows an adversary to bypass many verification steps. Moreover, the proposed Trojans only add extra instructions to the sequence to leak secret information and do not change the original program behavior, making them virtually impossible to detect using functional tests. We present a case study in which a Trojan is injected into a MIPS AES encryption program to leak internal state information by adding extra instructions drawn from the instructions already available, without changing the original program behavior.
