Interdiction in Practice -- Hardware Trojan Against a High-Security USB
  Flash Drive by Swierczynski, Pawel et al.
Noname manuscript No.
(will be inserted by the editor)
Interdiction in Practice – Hardware Trojan Against a
High-Security USB Flash Drive
Pawel Swierczynski1, Marc Fyrbiak1, Philipp Koppe1, Amir Moradi1,
Christof Paar1,2 IEEE Fellow
Received: date / Accepted: date
Abstract As part of the revelations about the NSA
activities, the notion of interdiction has become known
to the public: the interception of deliveries to manipu-
late hardware in a way that backdoors are introduced.
Manipulations can occur on the firmware or at hard-
ware level. With respect to hardware, FPGAs are par-
ticular interesting targets as they can be altered by
manipulating the corresponding bitstream which con-
figures the device. In this paper, we demonstrate the
first successful real-world FPGA hardware Trojan in-
sertion into a commercial product. On the target de-
vice, a FIPS-140-2 level 2 certified USB flash drive from
Kingston, the user data is encrypted using AES-256 in
XTS mode, and the encryption/decryption is processed
by an off-the-shelf SRAM-based FPGA. Our investiga-
tion required two reverse-engineering steps, related to
the proprietary FPGA bitstream and to the firmware
of the underlying ARM CPU. In our Trojan insertion
scenario the targeted USB flash drive is intercepted be-
fore being delivered to the victim. The physical Tro-
jan insertion requires the manipulation of the SPI flash
memory content, which contains the FPGA bitstream
as well as the ARM CPU code. The FPGA bitstream
manipulation alters the exploited AES-256 algorithm in
a way that it turns into a linear function which can be
broken with 32 known plaintext-ciphertext pairs. After
the manipulated USB flash drive has been used by the
victim, the attacker is able to obtain all user data from
the ciphertexts. Our work indeed highlights the security
risks and especially the practical relevance of bitstream
modification attacks that became realistic due to FPGA
bitstream manipulations.
1Horst Go¨rtz Institut for IT-Security, Ruhr-Universita¨t
Bochum, Germany
2University of Massachusetts Amherst, USA
Keywords hardware Trojan, · real world attack, ·
FPGA security, · AES
1 Introduction
In this section we provide an overview of our research
and related previous works in the area of hardware Tro-
jans and Field Programmable Gate Array (FPGA) se-
curity.
1.1 Motivation
As a part of the revelations by Edward Snowden, it be-
came known that the National Security Agency (NSA)
allegedly intercepts communication equipment during
shipment in order to install backdoors [28]. For instance,
Glenn Greenwald claims that firmware modifications
have been made in Cisco routers [12,27,18]. Related
attacks can also be launched in “weaker” settings, for
instance, by an adversary who replaces existing equip-
ment with one that is backdoor-equipped or by exploit-
ing reprogramming / updatability features to implant a
backdoor. Other related attacks are hardware Trojans
installed by OEMs. It can be argued that such attacks
are particular worrisome because the entire arsenal of
security mechanism available to us, ranging from cryp-
tographic primitives over protocols to sophisticated ac-
cess control and anti-malware measures, can be inval-
idated if the underlying hardware is manipulated in a
targeted way. Despite the extensive public discussions
about alleged manipulations by British, US, and other
intelligence agencies, the technical details and feasibil-
ities of the required manipulations are very much un-
clear. Even in the research literature most hardware
Trojans are implemented on high level (e.g., King et al.
ar
X
iv
:1
91
0.
00
94
7v
1 
 [c
s.C
R]
  1
 O
ct 
20
19
2 Pawel Swierczynski et al.
[16]) and thus assume an attacker at the system design
phase [15,24].
1.2 Contribution
The goal of the contribution at hand is to provide a case
study on how a commercial product, which supposedly
provides high security, can be weakened by meaningful
low-level manipulations of an existing FPGA design. To
the best of our knowledge, this is the first time that it is
being demonstrated that a bitstream modification of an
FPGA can have severe impacts on the system security
of a real-world product. We manipulated the unknown
and proprietary Xilinx FPGA bitstream of a FIPS-140-
2 level 2 certified device. This required several steps
including the bitstream file format reverse-engineering,
Intellectual Property (IP) core analysis, and a mean-
ingful modification of the hardware configuration.
Our target device is a Data Traveler 5000, an overall
FIPS-140-2 level 2 certified1 Universal Serial Bus (USB)
flash drive from Kingston. It utilizes a Xilinx FPGA for
high-speed encryption and decryption of the stored user
data. As indicated before, we implant a hardware Tro-
jan through manipulating the proprietary bitstream of
the FPGA resulting in a maliciously altered Advanced
Encryption Standard (AES)-256 IP core that is suscep-
tible to cryptanalysis.
By the underlying adversary model it is assumed
that the adversary can provide a manipulated USB
flash drive to the victim. For accessing the (seemingly
strongly encrypted) user data, the adversary can obtain
the device by stealing it from the victim. Alternatively,
it is also imaginable that a covert, remote channel can
be implanted in the target system. Due to our manip-
ulations, the adversary can easily recover all data from
the flash drive. It seems highly likely that the attack
remains undetected, because the cryptographic layer is
entirely hidden from the user. Similar attacks are possi-
ble in all settings where encryption and decryption are
performed by the same entity, e.g., hard disk encryption
or encryption in the cloud.
1.3 Related Work
Two lines of research, which have been treated mainly
separately so far, are particularly relevant to our con-
tribution, i.e., FPGA security and hardware Trojans.
FPGAs are reprogrammable hardware devices which
are used in a wide spectrum of applications, e.g., net-
work routers, data centers, automotive systems as well
1 Many categories even fulfill the qualitative security level
3, cf. [4]
as consumer electronics and security systems. In 2010
more than 4 billion devices were shipped world-wide [19].
Surprisingly many of these applications are security
sensitive, thus modifications of designs exhibit a cru-
cial threat to real-world systems. Despite the large body
of FPGA security research over the past two decades,
cf. [10], the issue of maliciously manipulating a com-
mercial and proprietary third-party FPGA design —
with the goal of implanting a Trojan that weakens the
system security of a commercial high-security device —
has never been addressed to the best of our knowledge.
SRAM-based FPGAs, for which the configuration bit-
stream is stored in external (flash) memory, dominate
the industry. Due to its volatility, SRAM-based FPGAs
have to be re-configured at every power-up. Hence, in
a scenario where an adversary can make changes to the
external memory chip, the insertion of hardware Tro-
jans becomes a possible attack vector. It is known for
long time that an FPGA bitstream manipulation is ap-
plicable, but the complexity of maliciously altering the
given hardware resources of a third-party FPGA con-
figuration has not been addressed in practice. However,
from an attacker’s point of view, the malicious manip-
ulation of a third-party FPGA bitstream offers several
practical hurdles that must be overcome. Amongst the
main problems is the proprietary bitstream format that
obfuscates the encoding of the FPGA configuration:
there is no support for parsing the bitstream file to a
human-readable netlist, i.e., the internal FPGA config-
uration cannot be explored. However, previous works
have shown that Xilinx’ proprietary bitstream file for-
mat can be reverse-engineered back to the netlist rep-
resentation up to a certain extent [26,7,30]. In general,
it seems to be a safe assumption that a determined
attacker can reverse-engineer all (or at least the rele-
vant) parts of the netlist from a given third-party bit-
stream. As the next crucial steps, the adversary must
detect and manipulate the hardware design. To the
best of our knowledge, the only publicly reported de-
tection and malicious manipulation of cryptographic al-
gorithms targeting a third-party bitstream is by Swier-
czynski et al. [29], which is also the basis of our work.
The related work by Chakraborty et al. [8] demon-
strated the accelerated aging process of an FPGA by
merging a ring-oscillator circuitry into an existing bit-
stream. Furthermore, the presented attack cannot change
the existing parts (described as “Type 1 Trojan” in
their work, e.g., the relevant parts of a cryptographic al-
gorithm or access control mechanism) and hence is not
applicable to undermine the system security of our tar-
geted device. Thus, we cover and demonstrate the the-
oretically described “Type 2 Trojan” defined by Chark-
aborty et al. [8]. Such Trojans are able to alter the ex-
Interdiction in Practice – Hardware Trojan Against a High-Security USB Flash Drive 3
isting hardware resources and expectedly require more
analysis of the design.
Another related work was done by Aldaya et al. [5].
The authors demonstrated a key recovery attack for all
AES key sizes by tampering T-boxes which are stored
in the Block-Ram (BRAM) of Xilinx FPGAs. It is a
ciphertext-only attack and it was demonstrated that
various previously proposed FPGA-based AES imple-
mentations are vulnerable to their proposed method.
One other practical hurdle for injecting a Trojan
into an FPGA bitstream is an encrypted bitstream that
ensures the integrity and confidentially of a design. The
two market leaders Xilinx and Altera both provide bit-
stream encryption schemes to prevent IP theft and the
manipulation of the proprietary bitstream. Neverthe-
less, it has been shown that those encryption schemes
can be broken by means of side-channel analysis. Once
these attacks are pre-engineered, this countermeasure
can be broken in approximately less than one day, cf.
the works of Moradi et al. [23,21,22]. In these attacks,
the power consumption can be exploited during the en-
cryption/decryption process to reveal the cryptographic
keys under which the bitstream is encrypted. Subse-
quently, the bitstream can be decrypted, modified, and
re-encrypted. Thus, current bitstream encryption mech-
anisms only provide low additional security against a
determined adversary and would not hinder us to per-
form our presented bitstream modification attack for
the most available FPGA device families.
Another relevant strand of research is the hardware
Trojan. Malicious hardware manipulations, aka Tro-
jans, have come in the spotlight of the scientific com-
munity after a report by the US DoD in 2005 [3]. A gen-
eral taxonomy for Trojan insertion, functionality, and
activation was introduced by Karri et al. [15]. Besides
theoretical descriptions of hardware Trojans, the ma-
jority of research focused on the detection of malicious
circuits. An overview of hardware Trojan detection ap-
proaches and their inherent problem of coverage is pre-
sented by Narasimhan et al. [24]. There are only very
few research reports that address the design and imple-
mentation aspects of hardware Trojans. Most hardware
Trojans (FPGAs and ASICs) from the academic litera-
ture are implemented using high-level (register transfer
level) tools and hence assume a different, and consider-
ably stronger attacker model — namely Trojan inser-
tion during system design — compared to our low-level
Trojan insertion.
In the area of hardware Trojans, FPGAs constitute
an interesting special case because an attacker can ac-
complish a hardware modification by altering the de-
ployed bitstream prior to the FPGA power-up. The bit-
stream contains the configuration rules for programmable
logic components and programmable interconnections.
One can agree that it is arguable whether FPGA Tro-
jans are “true” hardware Trojans. On the other hand,
the bitstream controls the configuration of all hardware
elements inside the FPGA, and attacks as shown in this
paper lead to an actual change of the hardware configu-
ration. Thus, even though they represent a corner case,
we believe it is justified to classify FPGA Trojans as
hardware Trojans.
It should be noted that our strategy is considerably
different when compared to the BadUSB attack pre-
sented by Nohl et al. [25]. In our settings we needed
to bypass the security mechanisms of a protected and
special-purpose high-security USB flash drive to be able
to alter the existing cryptographic circuitry of a pro-
prietary third-party FPGA design. Compared to our
contribution, the BadUSB attack mainly targets the
reprogramming of unprotected low-cost USB peripher-
als that can distribute software-based malware, e.g., by
emulating a keyboard device. Hence, the BadUSB at-
tack is not related to the given and less explored threats
of FPGA hardware Trojans.
2 Proceeding of Inserting an FPGA Trojan
In the following we assume that the attacker is able to
intercept a device during the shipping delivery before it
arrives at the actual end user. As indicated before, this
is not an imaginary scenario as according to the Edward
Snowden documents it is known as interdiction [28].
Subsequently, we present a method of how to explore
third-party FPGA bitstreams.
2.1 Attack Scenario: Interdiction
The process of interdiction is illustrated by Fig. 1. Or-
dered products (e.g., an USB flash drive) of an end
user are secretly intercepted by an intelligence service
during the shipment. The target device is modified or
replaced by a malicious version, e.g., one with a back-
door. The compromised device is then delivered to the
end user. Intelligence agencies can subsequently exploit
the firmware or hardware manipulation.
According to the Snowden revelations, hardware Tro-
jans are placed, e.g., in monitor or keyboard cables with
hidden wireless transmitters, allowing for video and key
logging [28]. Also, it can be assumed that a Personal
Computer (PC) malware can be distributed with the
help of a compromised firmware of an embedded device
as recently demonstrated by Nohl et al. [25]. This can
4 Pawel Swierczynski et al.
have severe impacts such as an unwanted secret remote
access by a malicious third party or decryption of user
data on physical access.
Normal Shipment
Intercepted Shipment
Order
End 
User
Fig. 1: Interdiction attack conducted by intelligence ser-
vices
It is relatively easy to alter the firmware of micro con-
trollers, ARM CPUs, or other similar platforms if no
read-out protection is given or no self-tests are utilized.
In contrast, altering hardware such as an Applica-
tion Specific Integrated Circuit (ASIC) is a highly com-
plex procedure. Recently, Becker et al. [6] demonstrated
how a malicious factory can insert a hardware Trojan
by changing the dopant polarity of existing transistors
in an ASIC. However, this requires a different and con-
siderably stronger attacker scenario than the one shown
in Fig. 1, because the modification takes place during
the manufacturing process. This is a time-consuming,
difficult, and expensive task and therefore less practical.
On the contrary, at first glance, attacking an FPGA
also seems to be similarly challenging because the bit-
stream file is proprietary and no tools are publicly avail-
able that convert the bitstream back to a netlist (for
a recent scientific work see [9]). However, the recent
work [29] has shown that a bitstream modification at-
tack may indeed be successfully conducted with real-
istic efforts depending on the realization of the FPGA
design.
In our case we conducted the scenario of Fig. 1 by
manipulating the bitstream of an FPGA contained in a
high-security USB flash drive that utilizes strong cryp-
tography to protect user data. After the manipulated
USB flash drive has been forwarded to and utilized for
a certain amount of time by the end user, the attacker
is able to obtain all user data.
2.2 Attack Scenario: Exploitation and
Reconfigurability
We want to highlight that interdiction is not the only
realistic scenario for implanting an FPGA hardware
Trojan. Modern embedded systems provide a remote
firmware update mechanism to allow changes and im-
provements after the development phase. Such func-
tionality exhibits an attractive target for an attacker
to undermine the system security by means of exploits
or logical flaws in the update mechanism. Thus, an at-
tacker may remotely implant an FPGA hardware Tro-
jan. To sum up, in several settings an attacker must not
necessarily have physical access to the target device.
2.3 Exploring Third-Party FPGA Designs
One major hurdle of altering third-party FPGA designs
is due to the proprietary bitstream file. Without any
knowledge of the bitstream encoding, an adversary can-
not analyze a third-party FPGA bitstream as the hard-
ware configuration remains a black box for him/her.
Therefore, the adversary is not able to replace the con-
figuration of any hardware components in a meaningful
way. Thus, the first important prerequisite is to learn
the configuration from the proprietary bitstream. As
mentioned above, previous works [26,7,30] have shown
that the bitstream encoding of several Xilinx FPGAs
can be (partially) reverse-engineered. Once the mean-
ing of the bitstream encoding is revealed, an attacker
can translate the bitstream to a human-readable netlist
that serves for further analysis. This netlist contains all
information of how Configurable Logic Blocks (CLBs),
Input Output Blocks (IOBs), Digital Signal Process-
ings (DSPs), or BRAMs are configured and intercon-
nected.
The second challenging hurdle is the detection of
(combinatorial) logic within a large and complex cir-
cuitry. The detection is conducted at a very low level
since the circuitry can be build by thousands of Look-
up tables (LUTs) or Flip Flops (FFs), etc., which are
interconnected by millions of wires along the FPGA
grid. As long as it is unclear to the adversary how all
those low-level elements (LUTs, FFs, wires, etc.) con-
struct a circuitry and as long as he/she has no access to
more information (e.g., the corresponding VHDL file),
it is unlikely that he/she can successfully detect and re-
place parts of the logic. During a profiling phase, which
only needs to be conducted once per FPGA device, the
adversary creates and observes different variants of how
specific functions are commonly synthesized, placed,
and routed in the target FPGA grid (low-level device
description).
Interdiction in Practice – Hardware Trojan Against a High-Security USB Flash Drive 5
Place and route
Create bitstream
and learn 
bitstream encoding
Create circuitry 
(high-level)
Improve
detection
methods
Extracting bitstream information
Observe 
configuration
(low-level)
Detection and maniuplation
Apply
detection
methods
3rd-party
bitstream
n
o
 s
u
cc
es
s
 success
Replace 
logic
read
writeModified 
3rd-party
bitstream
1
2
3
4
Fig. 2: Strategy of partially replacing an FPGA config-
uration
Once this investigation is conducted, the adversary knows
how to detect specific circuitry from a given hardware
configuration. If the relevant bitstream encoding part
is unknown to the adversary, he/she can learn the bit-
stream encoding of a reference circuitry by creating and
comparing the corresponding bitstreams of all possible
configurations. This strategy is illustrated in Fig. 2.
Once pre-engineered, the attack itself can be con-
ducted within approximately one day. Hence, FPGAs
should not be used as security device or trust anchor in
a commercial product unless the bitstream integrity is
not ensured.
3 Real-World Target Device
To demonstrate our FPGA Trojan insertion, we se-
lected the Kingston DataTraveler 5000 [17] as the tar-
get, which is a publicly available commercial USB flash
drive with strong focus on data security. This target
device is overall FIPS-140-2 level 2 certified [4]. It uses
Suite B [2] cryptographic algorithms, in particular AES-
256, SHA-384, and Elliptic Curve Cryptography (ECC).
All user data on our targeted USB drive is protected
by an AES-256 in XEX-based Tweaked-codebook with
ciphertext Stealing (XTS) mode. A PC software estab-
lishes a secured communication channel to the USB
flash drive and enforces strong user passwords.
Due to the FIPS-140 level 2 certification, the device
has to fulfill certain requirements of tamper resistance
on the physical, hardware and software levels as well
as on detecting physical alterations. The Printed Cir-
cuit Board (PCB) of the Kingston DataTraveler 5000
is protected with a titanium-coated, stainless-steel cas-
ing and is surrounded by epoxy resin to prevent the
undesired access to its internal hardware components.
3.1 Initial Steps and Authentication Process
When plugging the USB flash drive into a USB port for
the first time, an unprotected partition drive is mounted
making the vendor’s PC software available to the user.
Meanwhile, in the background, this software is copied
(only once) to a temporary path from which it is always
executed, c.f., the upper part of Fig. 6.
In an initial step, the end user needs to set a pass-
word. Afterwards, the user must be authenticated to the
device using the previously-set password. This means
that the key materials must be somewhere securely stored,
which is commonly a multiple-hashed and salted pass-
word.
On every successful user authentication (mainly per-
formed by the ARM CPU and the PC software), the
protected partition drive is mounted allowing access to
the user data. Any data written to the unlocked parti-
tion is encrypted with AES by the Xilinx FPGA and
the corresponding ciphertexts are written into the sec-
tors of the micro SD card as indicated in Fig. 6.
When unplugging the USB flash drive and for the
case that an adversary has stolen this device, he/she
is not able to access the user data without the knowl-
edge of the corresponding password. According to [17],
after 10 wrong password attempts, the user data is irre-
vocably erased to prevent an attacker from conducting
successful brute-force attempts.
3.2 Physical Attack — Revealing the FPGA Bitstream
To conduct an FPGA hardware Trojan insertion, we
need to have access to the bitstream. Thus, in the first
step we were able to remove the epoxy resin. Indeed,
this procedure was much easier than expected. We lo-
cally heated up the epoxy resin to 200◦C (by a hot-air
soldering station) turning it to a soft cover and removed
the desired parts by means of a sharp instrument, e.g.,
a tiny screwdriver (see Fig. 3).
By soldering out all the components, exploring the
double-sided PCB and tracing the wires, we detected
that an ARM CPU configures the Xilinx FPGA through
an 8-bit bus. We also identified certain points on the
PCB by which we can access each bit of the afore-
mentioned configuration bus. Therefore, we partially
6 Pawel Swierczynski et al.
Fig. 3: Epoxy removal of
Kingston DT 5000 with
screwdriver
Fig. 4: Eavesdrop-
ping the bitstream of
Kingston DT 5000 with
opened case
removed the epoxy resin of another operating identi-
cal target (USB flash drive) to access these points and
then monitored this 8-bit bus during the power-up (by
plugging the target into a PC USB port) and recorded
the bitstream sent by the ARM CPU, cf., Fig. 4. Note
that SRAM-based FPGAs must be configured at each
power-up. By repeating the same process on several
power-ups as well as on other identical targets, we could
confirm the validity of the revealed bitstream and its
consistency for all targets. We should emphasize that
the header of the bitstream identified the type and the
part number of the underlying FPGA matched with the
soldered-out component.
We also identified an Serial Peripheral Interface Bus
(SPI) flash amongst the components of the PCB. As we
have soldered out all the components, we could easily
read out the content of the SPI flash. Since such com-
ponents are commonly used as standalone non-volatile
memory, no read-out protection is usually integrated.
At first glance it became clear that the SPI flash con-
tains the main ARM firmware (2nd ARM image). We
also found another image (1st ARM image) initializing
the necessary peripherals of the microcontroller. Fur-
thermore, we identified that the bitstream, which we
have revealed by monitoring the configuration bus, has
been stored in the SPI flash, cf., Fig. 5.
Motivated by these findings we continued to analyze
all other components of the USB flash drive and thus
describe our results in the following.
3.3 Overview and Component Details
Based on our accomplishments described above, we could
identify the following main components placed on the
double-sided PCB:
Unused
0xFF ... FF
Unencrypted
FPGA Bitstream
Testvectors
Security Header Fields
2nd ARM Image
Unused
0xFF ... FF
1st ARM Image
0xFFFFF
0x6FA00
0x2A400
0x28B78
0x2A200
0x10000
0x048C0
0x00000
Fig. 5: Address space layout of the SPI flash
– NXP LPC3131 with embedded ARM926EJ-S CPU
operating at 180 MHz
– Xilinx Spartan-3E (XC3S500E) FPGA
– HSM from SPYRUS (Rosetta Micro Series II) pro-
viding ECDH, DSA, RSA, DES, 3-DES, AES, SHA-
1, etc.
– 2 GB Transcend Micro SD card (larger versions also
available)
– 1 MB (AT26DF081A) SPI flash
We revealed the layout of the circuit through reverse-
engineering. The whole circuit is depicted in Fig. 6. This
step was conducted by tracing the data buses of the
PCB and by decompiling the PC software as well as
the identified ARM firmware. Both executables were de-
compiled with Hex-Rays [1]. The resulting source code
served for further reverse-engineering.
The main task of the identified ARM CPU (master
device) is to handle the user authentication, while the
Xilinx FPGA (slave device) is mainly responsible for
the user data encryption and decryption. It should be
noted that the FPGA is also partially involved in the
authentication process and exhibits our main target for
manipulation. We could not confirm the key storage
location, but we assume that the key materials are se-
curely stored in the Hardware Security Module (HSM),
c.f., Fig. 6. As we demonstrate in this paper, we need
neither any access to the key materials nor any knowl-
edge of the key derivation function to be able to decrypt
sensitive user data.
As stated before, both images (ARM CPU code and
FPGA bitstream) were discovered in the SPI flash that
are loaded and executed during the power-up of the
USB flash drive.
Interdiction in Practice – Hardware Trojan Against a High-Security USB Flash Drive 7
FPGA
device
ARM
ProcessorSPI flash
PCB
ARM code
FPGA 
bitstream
Micro SD
Card (2GB)
1 MB
HSM
Configuration Encrypt/Decrypt
SPI
r/w
Self-
tests
Secure 
USB
channel
PC Software
DLL file
encrypted
User
Password
AES
AES
AES
Fig. 6: Overview of revealed circuit of our target device
3.4 Unlinking FPGA Trojan from the Authentication
Process
During our FPGA Trojan insertion, we identified sev-
eral AES cores, as shown in Fig. 6:
1. AES core in the PC Software: used during user au-
thentication.
2. AES core in the ARM code: used during user au-
thentication.
3. AES core in the FPGA: used during user authenti-
cation (partially) as well as for encrypting user data
at high speed (main purpose).
If only the functionality of the FPGA AES core is ma-
nipulated, the target device would not operate properly
anymore because all three AES cores need to be consis-
tent due to the identified authentication dependencies.
To be more precise, all three AES cores are involved in
the same authentication process.
As our goal is to insert a hardware Trojan by manip-
ulating the AES core of the FPGA, we first needed to
unlink the dependency (of the AES cores) between the
ARM CPU and the Xilinx FPGA, cf., Fig. 7. Therefore,
we eliminated this dependency by altering parts of the
ARM firmware, but we realized that any modification
is detected by an integrity check. We identified several
self-tests that are conducted – by the ARM CPU – on
every power-up of the USB flash drive.
Further analyses revealed the presence of test-vectors.
They are used to validate the correctness of the uti-
lized cryptography within the system. The utilized self-
tests are explained in Section 6.1 in more detail. In
Section 6.2, we demonstrate how to disable them and
how to unlink the aforementioned dependencies.
To sum up, our intended attack is performed using
the following steps:
1. Identify and disable the self-tests,
2. Unlink the AES dependency between the ARM and
FPGA, and
3. Patch (reprogram) the FPGA bitstream meaning-
fully.
Fig. 7 and Fig. 8 illustrate the impact of these steps.
As can be seen, canceling the dependency allows us to
alter the AES core and add an FPGA Trojan. The de-
DLL
FPGA
ARM
AES
AES
AES
User
data
DLL
FPGA
Trojan
ARM
AES
AES
AES
User
data
Fig. 7: User authentica-
tion (dashed) and user
data (solid) dependen-
cies before modification
DLL
FPGA
ARM
AES
AES
AES
User
data
DLL
FPGA
Trojan
ARM
AES
AES
AES
User
data
Fig. 8: User authentica-
tion (dashed) and data
(solid) dependencies af-
ter modification
tails of how we could successfully alter the FPGA bit-
stream to realize a hardware Trojan are presented in
Section 4. Below, we discuss why modifying a bitstream
is more elegant for planting an FPGA Trojan than re-
placing the whole bitstream.
3.5 Modifying Bitstream vs. Replacing Whole
Bitstream
We want to pinpoint that replacing the complete FPGA
design to insert a Trojan does not necessarily mean that
an attack is less complicated to be performed. Replac-
ing the whole FPGA bitstream by a completely new
design is a more challenging task. The attacker would
need to further reverse-engineer and fully understand
the whole FPGA environment (ARM code, data buses,
protocols, etc.) and re-implement all functions to en-
sure the system’s compatibility. It even turned out to
be the easier and faster approach, since we were able
to modify this third-party IP core without the need to
reverse-engineer or modify any part of the routing.
Thus, we only focus on detecting and replacing the
relevant parts of the utilized FPGA design. By doing so,
we secretly insert a stealth FPGA Trojan that turns the
AES encryption and decryption modules into certain
compatible weak functions, c.f., Section 5.
3.6 Manipulation – Master vs. Slave
To be fair, on one hand the Kingston DataTraveler 5000
is not the best target device to demonstrate an FPGA
8 Pawel Swierczynski et al.
hardware Trojan insertion because the embedded ARM
CPU acts as the master device containing all control
logic. The FPGA is merely used as an accelerator for
cryptographic algorithms. In order to preserve the func-
tionality of the USB flash drive with an active FPGA
hardware Trojan the ARM CPU firmware – as previ-
ously explained – has to be customized too, i.e., the
integrity check of the ARM CPU code needs to be dis-
abled (explained in Section 6). At this point, the at-
tacker can alter the firmware to not encrypt the user
data at all, turning the device into a non-secure drive
accessible to everyone. As another option, the attacker
can secretly store the encryption key which would result
in a conventional software-based embedded Trojan.
On the other hand, there are solutions which contain
only an FPGA used as the master device [11]. Conven-
tional software-based embedded Trojans are not appli-
cable in those systems. Our attack is a proof of concept
that FPGA hardware Trojans are practical threats for
the FPGA-based systems where no software Trojan can
be inserted. Our attack also highlights the necessity of
embedded countermeasures on such systems to detect
and defeat FPGA hardware Trojans.
4 Building the FPGA Trojan
In this section, we present the information which can
be extracted from the given bitstream file followed by
our conducted modification on the AES-256 core. The
impact of this modification – considering the utilized
XTS mode of operation – is described in Section 5.
4.1 Analysis of the Extracted Bitstream
Based on the method presented in Section 2, we could
dump and analyze the initial memory configuration of
each block RAM of the extracted bitstream. The Spartan-
3E FPGA contains up to 20 block RAMs. We figured
out that only 10 out of 20 block RAMs are used by the
extracted FPGA design. We observed that the block
RAMs are organized in a byte-wise manner fitting well
to the structure of the AES state.
Our analysis revealed the presence of multiple in-
stances of certain precomputed substitution tables. Af-
ter investigating the extracted data in more detail, we
obtained a structure for each table. We refer to the four
identified tables whose details are depicted in Table 1.
Each substitution table stores 256 entries that can be
accessed using the input x ∈ {0, 1, ..., 255}. Our anal-
ysis revealed that the following precomputed substitu-
tion tables are stored in several block RAMs:
T˜ (x) = 01 ◦ S(x)||01 ◦ S−1(x)||02 ◦ S(x)||03 ◦ S(x)
MC−1(x) = 09 ◦ x||11 ◦ x||13 ◦ x||14 ◦ x
S(x) = S(x)
S−1(x) = S−1(x)
Detected tables Identified block RAM Data
000: S(00)||S−1(00)||02 ◦ S(00)||03 ◦ S(00)
16 T˜ (x) instances 001: S(01)||S−1(01)||02 ◦ S(01)||03 ◦ S(01)
(1024 bytes each) . . .
0FF: S(FF)||S−1(FF)||02 ◦ S(FF)||03 ◦ S(FF)
000: 09 ◦ 00||11 ◦ 00||13 ◦ 00||14 ◦ 00
16 MC−1(x) instances 001: 09 ◦ 01||11 ◦ 01||13 ◦ 01||14 ◦ 01
(1024 bytes each) . . .
0FF: 09 ◦ FF||11 ◦ FF||13 ◦ FF||14 ◦ FF
000: S(00)
4 S(x) instances 001: S(01)
(256 bytes each) . . .
0FF: S(FF)
000: S−1(00)
4 S−1(x) instances 001: S−1(01)
(256 bytes each) . . .
0FF: S−1(FF)
Table 1: Identified substitution tables stored in block
RAM
In other words, we identified the tables which realize
the inverse MixColumns transformation MC−1(·), the
SubBytes S(·) and inverse SubBytes S−1(·). However,
T˜ (·) is not equivalent to any T-box (T0, . . . , T3), cf., [14],
but exhibits a very similar structure: one entry includes
the S-box, the inverse S-box, and the S-box multiplied
by two and three (02 ◦ S(·) and 03 ◦ S(·)). In par-
ticular T˜ (·) combines the SubBytes and MixColumns
transformations, and thus has the same purpose as one
T-box, but one remarkable difference is the storage of
the inverse S-box S−1(·). Note that all four T-boxes
T0, . . . , T3 can be easily derived from T˜ .
4.2 Modifying the Third-Party FPGA Design
Our main goal is to replace all AES S-boxes to the
identity function, cf., Section 5. For this purpose, we
have to replace all identified look-up table instances of
Table 1. We need to replace all S-box values such that
S(x) := x and the inverse S-box to S−1(x) := x. This
is essential in order to synchronize the encryption and
decryption functions. Hence, it leads to the following
precomputation rules for x ∈ {0, 1, ..., 255}:
T˜ (x) = 01 ◦ x||01 ◦ x||02 ◦ x||03 ◦ x
MC−1(x) = 09 ◦ x||11 ◦ x||13 ◦ x||14 ◦ x
S(x) = x
S−1(x) = x
Interdiction in Practice – Hardware Trojan Against a High-Security USB Flash Drive 9
Note that the modifications must be applied on all de-
tected instances of the look-up tables in the bitstream
file, c.f., Table 1.
In the next step we updated the SPI flash with this
new malicious bitstream and powered up the USB flash
drive by plugging it into the PC. We could observe that
the FPGA modification is successful as the encryption
and decryption still work. This is true only when all
instances of the relevant substitution tables (S-box and
its inverse) are modified appropriately.
From now on we consider that the malicious AES
core is running on the FPGA. Hence, in the next sec-
tion, we explain in the next section how this Trojan in-
sertion can be exploited even though a complex mode
of operation (AES-256 in XTS mode) is used by our
altered FPGA design.
5 XTS-AES Manipulation and Plaintext
Recovery
In this section the cryptographic block cipher mode of
operation XTS is presented. As already indicated in
the previous sections, our target device uses a sector-
based disk encryption of user data. Subsequently, the
modification of the underlying AES is described. We
also express how this malicious modification can be ex-
ploited to recover sensitive user data encrypted by the
weakened XTS-AES mode.
The tweakable block cipher XTS-AES is standard-
ized in IEEE 1619-2007 [13] and used by several disk-
encryption tools, e.g., TrueCrypt and dm-crypt as well
as commercial devices like our targeted USB flash drive.
Before describing the details of the algorithm, general
remarks regarding the memory organization are given
in the following.
Each sector (usually 512 bytes of memory) is as-
signed consecutively to a number, called tweak and de-
noted by i in the following, starting from an arbitrary
non-negative integer. Also, each data unit (128-bit in
case of XTS-AES) in a sector is sequentially numbered,
starting from zero and denoted by j. This pair (i, j) is
used for encryption and decryption of each data unit’s
content. In general, XTS-AES uses two keys (k1, k2).
The first key k1 is used for the plaintext encryption
and the second key k2 for the tweak encryption. The
XTS-AES encryption diagram is depicted in Fig. 9. Af-
ter the tweak encryption, the output is multiplied by
αj in the Galois field GF(2128), where α is a primitive
element, e.g., α = x and j is the data unit position in
the sector i. This result is then XOR-ed before and af-
ter encryption of the plaintext block p. The encryption
of one 16-byte plaintext can be described as
c = (AESk2(i)⊗ αj)⊕AESk1(AESk2(i)⊗ αj ⊕ p),
while the decryption is computed as follows
p = (AESk2(i)⊗ αj)⊕AES−1k1 (AESk2(i)⊗ αj ⊕ c).
AES ENC
⊗
AES ENC
⊕
⊕
k2
i αj p
k1
c
Fig. 9: XTS-AES encryption block digram overview
In the following we present the impact of our FPGA
bitstream manipulations (expressed in Section 4.2) on
the AES in XTS mode.
5.1 AES SubBytes Layer Manipulation
To understand the impacts of manipulation of the AES
algorithm, the internal transformations are briefly de-
scribed in this section.
Brief Recap of AES AES is based on the symmetric
block cipher Rijndael. Its operations consist of four trans-
formations, which all operate on a block size of 128 bits.
The state is arranged in a 4×4 matrix consisting of ele-
ments in GF(28). Furthermore, AES supports three key
sizes (128, 192 and 256 bits) corresponding to a different
number of rounds (10, 12, and 14, respectively) denoted
by Nr. The AES encryption diagram is depicted on the
left side of Fig. 10. In the following we present how to
turn the AES cryptosystem into a weak block cipher
whose plaintexts can be easily recovered from phony
ciphertexts.
SubBytes Layer Manipulation The SubBytes transfor-
mation is amongst the most important part of the AES
algorithm. It adds non-linearity to the cipher state. We
intend to cancel the SubBytes layer as this makes the
whole encryption scheme vulnerable to cryptanalysis.
10 Pawel Swierczynski et al.
The corresponding AES SubBytes manipulation is an
extension of the recent work [29]. The manipulation im-
pacts are shortly described for the XTS-AES mode.
The main idea behind the SubBytes modification
is to transform the AES into a linear function. Having
altered the normal and inverse AES S-box to the iden-
tity function, the whole algorithm can be expressed as a
linear equation. Hence, we updated all identified S-box
and inverse S-box instances in the FPGA bitstream to
the identity function S(x) = x. Due to the linearity of
ShiftRows SR(·) and MixColumns MC(·), the modified
AES (denoted by A˜ES) can be described as follows:
A˜ESk(p) = SR(MC(· · ·MC(SR(p) · · · )
⊕ (k˜0 ⊕ k˜1 ⊕ k˜2 ⊕ ...⊕ k˜Nr )
:= MS(p)⊕ K˜.
The impact of this alteration is illustrated by Fig. 10.
The plaintext p is processed by several MixColumns
and ShiftRows transformations, Nr − 1 and Nr times
respectively. This round-dependent process is denoted
by MS(·). The constant K˜ represents the XOR sum
of the round keys which have also been preprocessed
by certain number of the MixColumns and ShiftRows
transformations.
p
AddRoundKey
ShiftRows
MixColumns
AddRoundKey
ShiftRows
AddRoundKey
c
N
r
-
1
p
AddRoundKey
SubBytes
ShiftRows
MixColumns
AddRoundKey
SubBytes
ShiftRows
AddRoundKey
c
N
r
-
1
Fig. 10: Comparison between AES (left) and modified
A˜ES (right)
Therefore, with only one known plaintext-ciphertext
pair (p, A˜ESk(p)), the constant K˜ can be determined.
Thus, all further phony ciphertexts, that are encrypted
by A˜ESk, can be decrypted without any knowledge
about the actual key. For more detailed information
we refer the interested reader to the work of Swierczyn-
ski et al. [29]. In the following, we extend this approach
to the XTS mode.
5.2 Manipulation Impact for XTS-AES
With the presented AES SubBytes manipulation, an
XTS-AES ciphertext can be described as a linear equa-
tion too:
c = (A˜ESk2(i)⊗ αj)⊕ A˜ESk1((A˜ESk2(i)⊗ αj)⊕ p)
= (MS(i)⊕ K˜2)⊗ αj ⊕MS((MS(i)⊕ K˜2)⊗ αj ⊕ p)⊕ K˜1
= (MS(i)⊗ αj)⊕MS(MS(i)⊗ αj)︸ ︷︷ ︸
TWi,j
⊕MS(p)
⊕ (K˜2 ⊗ αj)⊕MS(K˜2 ⊗ αj)⊕ K˜1︸ ︷︷ ︸
CKj
(1)
Note that MS(·) is a linear function, and thus the tweak
part TWi,j , the plaintext-related part MS(p), and the
key-related part CKj could be separated. Every plain-
text p is encrypted in this way by the FPGA hardware
Trojan of our target device.
5.3 Plaintext Recovery of Encrypted XTS-AES
Ciphertexts
To recover the plaintexts from the weakly encrypted
XTS-AES ciphertexts, the attacker has to obtain two
sets of information:
– 32 plaintext-ciphertext pairs (pi, ci), i ∈ {0, ..., 31}
of one sector (512-byte wide), and
– knowledge about the tweak values i and the data
unit position j of the ciphertexts within a sector.
Due to the combination of the data unit’s position j
and the key k2 (through Galois field multiplication by
αj), each position j in a sector has its own constant key-
related part CKj . Further, CKj is constant for every
sector of the memory as it is independent of i. Hence,
the attack requires only all 32 plaintext-ciphertext pairs
of one arbitrary sector to generate all CKj values. To
obtain the tweak values TWi,j , the attacker needs to
obtain the starting value of i identifying the first sector
(as explained before, i indicates the sector number and
starts from an arbitrary non-negative integer). Gener-
ally, this can be achieved through reverse-engineering
(ARM code), cf., Section 6.
With this data the attacker can compute the tweak
and the key-related parts of Eq. (1). Afterwards, by
inverting the MS(·) function the plaintexts p can be
revealed. MS−1(·) can be determined by applying the
inverse MixColumns and inverse ShiftRows transforma-
tions (dependent on the underlying AES key size).
It is worth mentioning that the produced ciphertext
still appears to be random for a victim, who visually
inspects the phony ciphertexts from the micro SD card.
Interdiction in Practice – Hardware Trojan Against a High-Security USB Flash Drive 11
Therefore, the victim cannot observe any unencrypted
data as it would be the case if the FPGA is simply
bypassed.
6 ARM code modification
In this section we briefly describe the cryptographic
self-tests and ARM firmware modifications essential to
enable the above presented FPGA hardware Trojan in-
sertion.
6.1 Utilized Self-tests
When we reverse-engineered the ARM code using the
tool IDA Pro, we were able to identify several functions
that check the integrity of the ARM firmware and con-
sistency of several cryptographic functions. Every exe-
cuted self-test must return a specific integer indicating
whether the test passed or not. If any self-test fails, the
target device switches to an error state.
The corresponding test-vectors used by the self-tests
are stored in the SPI flash. Table 2 provides an overview
of all self-tests and the integrity checks. Besides, we also
Self-test function Utilized parameter of self-test
AES-256 (CBC) Key K = 0x2B2B...2B (16 Bytes)
IV = 0x3C3C...3C (16 Bytes)
Input x = 0x1111...11 (32 Bytes)
AES-256 (XTS) Key K1 = 0x2021...3F (32 Bytes)
Key K2 = 0x4041...5F (32 Bytes)
Tweak = 0xA2566E3D7EC48F3B
Input x = 0xF0F1...FF (16 Bytes)
SHA-{224,256,384,512} Input x = ”abc”
Integrity check Input
SHA-384 Main ARM firmware
Table 2: Identified self-tests and firmware integrity
check
identified several relevant security header fields that are
processed by the ARM CPU.
Field Name Offset Byte size Value
Header Signature 0x00 4 0x11223344
FPGA signature 0x04 16 ”SPYRUS HYDRA2005”
Bitstream length 0x14 4 0x45600
SHA-384 hash of 2nd image 0x1D0 48 SHA-384(2nd image)
Table 3: Security Header Fields
The ARM CPU expects to receive a specific signature
(during power-up of the system) from the Xilinx FPGA
to ensure that it operates correctly after the configura-
tion process. Also, the bitstream length is coded in the
header such that the ARM CPU knows the amount of
configuration bytes. Lastly, a SHA-384 hash value, cal-
culated over the main ARM firmware, is appended to
ensure the program code integrity.
6.2 Disabling Self-tests to Modify ARM Code and
FPGA Bitstream
Preliminary tests have shown that even minor code
changes, which do not influence the behavior of the
firmware, cause the USB flash drive to enter the error
state and halt during power-up. It was concluded that
there exists an implemented self-test at least checking
the integrity of the code. Thus, it became a mandatory
prerequisite to find and deactivate such a test. The re-
sponsible code was identified due to its obvious struc-
ture and function calls.
In addition to the firmware integrity, the correct
functionality of several cryptographic algorithms is tested:
the AES, ECC and Secure Hash Algorithm (SHA) in
the ARM code and the AES inside the FPGA. The in-
dividual checks are performed in dedicated functions
invoked by the main self-test function, and their corre-
sponding return values are verified. Finally, the self-test
succeeds only in case all individual checks are passed.
In order to disable the self-test the code was patched
in a way that the function always returns zero, which
is the integer representation for success. Hence, arbi-
trary firmware modifications and changes to the cryp-
tographic algorithms can be applied after this patch.
6.3 Separating Key Derivation and FPGA AES
IP-Core
As explained in the previous sections, cf., Fig. 7, there is
a software AES implementation executed by the ARM
CPU and a considerably faster hardware AES instance
inside the FPGA. They are both capable of ECB, CBC
and XTS operation modes. The software AES is mainly
used for self-tests and the hardware AES for key deriva-
tion as well as encryption and decryption of the user
data stored on the USB flash drive. The key derivation
requires the establishment of a secure communication
channel between the PC software and the USB flash
drive. The FPGA hardware Trojan weakens the AES
IP-core making it incompatible to the standard AES,
cf., Section 5. Thus, the initialization of the commu-
nication channel fails and the USB flash drive goes to
an error state. To avoid such a situation the firmware
has to be changed in such a way that only the original
software AES is used during the key derivation and the
12 Pawel Swierczynski et al.
secure channel establishment (instead of the modified
hardware AES inside the FPGA).
The ARM code internally uses a unified AES API.
Four parameters are passed to its AES instance con-
structor routine. They hand over the key, the key length,
the mode of operation and a flag indicating whether
the ARM CPU or the FPGA is selected for the actual
computations. The creation of all the AES instances,
which are related to the key derivation as well as se-
cure channel establishment, had to be patched. Con-
sequently all corresponding AES encryptions and de-
cryptions are computed by the ARM CPU instead of
the FPGA. In total the parameters of 12 AES instance
constructor calls have been patched to eliminate the
AES dependency between the ARM and FPGA.
6.4 Recording XTS-AES Parameters
In order to recover all user data from the USB flash
drive we need several values for the attack, cf., Sec-
tion 5: 32 plaintext-ciphertext pairs of the same sector,
the sector number and the initial tweak value. The lat-
ter parameter is hard-coded in the firmware and was
obtained by static analysis. The plaintext-ciphertext
pairs are acquired at runtime during normal opera-
tion of the USB flash drive. In the ARM code there
is a highly-speed-optimized function which reads data
from the embedded SD card, sends them to the FPGA
for decryption and finally copies the plaintexts from
the FPGA to the USB endpoint so that the computer
receives the requested data. This function was inter-
cepted at several positions in a way that the plaintext-
ciphertext pairs and the initial sector number could be
obtained. They are then written (only once) in the em-
bedded SPI flash from where they can be read out by
an attacker to launch the cryptographic attack.
As explained in Section 5, having this information
is essential to decrypt the phony ciphertexts due to
the underlying XTS mode. We practically verified the
plaintext recovery of the weakly encrypted ciphertexts
stored on the SD card of our target device.
7 Summary
In this section we summarize the security problems of
our investigated target device and further outline which
security barriers might be inserted by the vendor to
improve the security of the analyzed USB flash drive.
As previously stated, during our analysis we found
a HSM from SPYRUS that is directly connected to the
Xilinx FPGA over a single-bit bus. According to [20] it
provides certain cryptographic primitives and serves as
secure storage device, e.g., for secret (symmetric) keys.
We suggest to include the following security measure:
during the power-up of the USB flash drive, the FPGA
should validate its AES implementation using the AES
core provided by the HSM. It should be extremely chal-
lenging for an attacker to alter the AES core of the HSM
as its internal functionality is realized by an ASIC. The
HSM should decide whether the USB flash drive con-
tinues (no alteration detected) or switches to an error
state (alteration detected).
To further raise the bar for an attacker, the FPGA
design should include built-in self-tests for the S-box
configuration as well as for the whole AES core. To
be more precise, it is recommended to include several
test vectors in the FPGA firmware so the FPGA can
validate its consistency. Probably, the built-in self-tests
do not hinder a more powerful attacker who can dis-
able them, but the reverse-engineering efforts are sig-
nificantly increased and require a more powerful ad-
versary. Since in our attack scenario we exploited the
content of the block RAMs, it is also important to as-
sure its integrity. Their initial content can be encrypted
with an appropriate mode of operation: a built-in cir-
cuitry in the FPGA design might (during the FPGA
power-up) decrypt the block RAM’s contents and up-
date them with the corresponding decrypted data. By
doing so, an attacker cannot replace the highly impor-
tant S-boxes in a meaningful way, which can have severe
security implications as demonstrated in this work.
More importantly, all self-tests (including those we
found) should be performed by the HSM. Therefore,
the HSM should verify the integrity of the ARM code.
Further, the bitstream of the FPGA must be protected
(not stored in plain in the SPI flash) and its integrity
must be verified e.g., by the HSM. This should prevent
any modification attempt on the ARM code as well as
on the bitstream, making a firmware modification at-
tack extremely difficult. We should emphasize that an
attacker is able to turn the device into a malicious one
that can infect the target computer with malicious soft-
ware, as shown by Nohl et al. [25].
8 Conclusions
In this paper we demonstrated the first practical real-
world FPGA Trojan insertion into a high-security com-
mercial product to weaken the overall system security.
We reverse-engineered a third-party FPGA bitstream
to a certain extent and replaced parts of the FPGA
logic in a meaningful manner on the lowest level. In par-
ticular, we significantly weakened the embedded XTS-
AES-256 core and successfully canceled its strong cryp-
tographic properties making the whole system vulnera-
Interdiction in Practice – Hardware Trojan Against a High-Security USB Flash Drive 13
ble to cryptanalysis. Our work is a proof of concept that
an FPGA can also be one of several weak points of a
seemingly protected system. It is important to ensure
the integrity of the FPGA bitstream even though its file
format is proprietary. This is especially critical in appli-
cations where the FPGA acts as master device. Future
work must deal with counterfeiting bitstream modifica-
tion attacks by developing appropriate countermeasures
that have to be implemented within an FPGA design.
Acknowledgment
The authors would like to thank Kai Stawikowski and
Georg T. Becker for their fruitful comments and help
regarding this project.
Part of the research was conducted at the University
of Massachusetts Amherst. This work was partially sup-
ported through NSF grants CNS-1318497, CNS-1421352,
and ERC grant 695022. It has been also partially sup-
ported by the Bosch Research Foundation.
References
1. Hex-Rays SA. http://www.hex-rays.com
2. Suite B Cryptography (2001). URL https://www.nsa.
gov/ia/programs/suiteb_cryptography/
3. Report of the defense science board task force on high
performance microchip supply. http://www.acq.osd.
mil/dsb/reports/ADA435563.pdf? (2005)
4. DataTraveler 5000 FIPS 140-2 Level 2 certification
(2010). URL http://csrc.nist.gov/groups/STM/cmvp/
documents/140-1/140crt/140crt1316.pdf
5. A. C. Aldaya, A. J. C. Sarmiento, S. Sa´nchez-Solano:
AES T-Box tampering attack. Journal of Crypto-
graphic Engineering pp. 1–18 (2015). DOI 10.1007/
s13389-015-0103-4. URL http://dx.doi.org/10.1007/
s13389-015-0103-4
6. Becker, G.T., Regazzoni, F., Paar, C., Burleson, W.P.:
Stealthy Dopant-Level Hardware Trojans. In: Crypto-
graphic Hardware and Embedded Systems - CHES 2013
- 15th International Workshop, Santa Barbara, CA, USA,
August 20-23, 2013. Proceedings, pp. 197–214 (2013)
7. Benz, F., Seffrin, A., Huss, S.: Bil: A tool-chain for
bitstream reverse-engineering. In: Field Programmable
Logic and Applications (FPL), 2012 22nd International
Conference on, pp. 735–738 (2012). DOI 10.1109/FPL.
2012.6339165
8. Chakraborty, R., Saha, I., Palchaudhuri, A., Naik, G.:
Hardware Trojan Insertion by Direct Modification of
FPGA Configuration Bitstream. Design Test, IEEE
30(2), 45–54 (2013)
9. Ding, Z., Wu, Q., Zhang, Y., Zhu, L.: Deriving an NCD
file from an FPGA bitstream: Methodology, architecture
and evaluation. Microprocessors and Microsystems - Em-
bedded Hardware Design 37(3), 299–312 (2013)
10. Drimer, S.: Security for volatile FPGAs. Technical Re-
port UCAM-CLTR-763, University of Cambridge, Com-
puter Laboratory (2009)
11. Eisenbarth, T., Gu¨neysu, T., Paar, C., Sadeghi, A.,
Schellekens, D., Wolf, M.: Reconfigurable trusted com-
puting in hardware. In: Workshop on Scalable Trusted
Computing, STC 2007, pp. 15–20. ACM (2007)
12. Greenwald, G.: No Place to Hide: Edward Snowden, the
NSA and the Surveillance State. Metropolitan Books
(2014)
13. IEEE Std 1619-2007: IEEE Standard for Cryptographic
Protection of Data on Block-Oriented Storage Devices
pp. c1–32 (2008)
14. Kakarlapudi, B., Alabur, N.: FPGA Implementations
of S-box vs. T-box iterative architectures of AES
URL http://teal.gmu.edu/courses/ECE746/project/
reports_2008/AES_T-box_report.pdf
15. Karri, R., Rajendran, J., Rosenfeld, K.: Trojan Taxon-
omy. In: M. Tehranipoor, C. Wang (eds.) Introduction
to Hardware Security and Trust. Springer-Verlag (2012)
16. King, S.T., Tucek, J., Cozzie, A., Grier, C., Jiang,
W., Zhou, Y.: Designing and implementing malicious
hardware. In: Proceedings of the 1st Usenix Work-
shop on Large-Scale Exploits and Emergent Threats,
LEET’08, pp. 5:1–5:8. USENIX Association, Berkeley,
CA, USA (2008). URL http://dl.acm.org/citation.
cfm?id=1387709.1387714
17. Kingston Technology: Protect sensitive data with FIPS
140-2 Level 2 validation and 100 per cent privacy. URL
http://www.kingston.com/datasheets/dt5000_en.pdf
18. Macri, G.: Leaked Photos Show NSA Hardware In-
terception And Bug-Planting Workstation (2014).
http://dailycaller.com/2014/05/15/leaked-photos-
show-nsa-hardware-interception-and-bug-planting-
workstation/
19. McGrath, D.: Analyst: Altera to catch Xilinx in 2012.
EE Times (2011)
20. Micro, R.: ENSURING TRUST IN CYBERSPACE.
URL http://www.spyrus.com/company/literature/
SPYRUSdatasheets/DSRosettaMicroSeriesII.pdf
21. Moradi, A., Barenghi, A., Kasper, T., Paar, C.: On
the vulnerability of FPGA bitstream encryption against
power analysis attacks: extracting keys from Xilinx
Virtex-II FPGAs. In: ACM Conference on Computer
and Communications Security, pp. 111–124 (2011)
22. Moradi, A., Kasper, M., Paar, C.: Black-box side-channel
attacks highlight the importance of countermeasures - an
analysis of the Xilinx Virtex-4 and Virtex-5 bitstream
encryption mechanism. In: The Cryptographers’ Track
at the RSA Conference, pp. 1–18 (2012)
23. Moradi, A., Oswald, D., Paar, C., Swierczynski, P.: Side-
channel Attacks on the Bitstream Encryption Mechanism
of Altera Stratix II: Facilitating Black-box Analysis Us-
ing Software Reverse-engineering. In: Proceedings of the
ACM/SIGDA International Symposium on Field Pro-
grammable Gate Arrays, FPGA ’13, pp. 91–100. ACM,
New York, NY, USA (2013)
24. Narasimhan, S., Bhunia, S.: Hardware Trojan Detec-
tion. In: M. Tehranipoor, C. Wang (eds.) Introduction
to Hardware Security and Trust. Springer-Verlag (2012)
25. Nohl, K., Kriler, S., Lell, J.: BadUSB - On accessories
that turn evil. BlackHat (2014). URL https://srlabs.
de/badusb/
26. Rannaud, E´.: From the bitstream to the netlist. In: Pro-
ceedings of the 16th International ACM/SIGDA Sympo-
sium on Field Programmable Gate Arrays, pp. 264–264
(2008)
27. Snyder, B.: Snowden: The NSA planted
backdoors in Cisco products (2014).
14 Pawel Swierczynski et al.
http://www.infoworld.com/article/2608141/internet-
privacy/snowden–the-nsa-planted-backdoors-in-cisco-
products.html
28. SPIEGEL Staff: Inside TAO: Documents
Reveal Top NSA Hacking Unit (2013).
http://www.spiegel.de/international/world/the-
nsa-uses-powerful-toolbox-in-effort-to-spy-on-global-
networks-a-940969.html
29. Swierczynski, P., Fyrbiak, M., Koppe, P., Paar, C.:
FPGA Trojans Through Detecting and Weakening of
Cryptographic Primitives. Computer-Aided Design of
Integrated Circuits and Systems, IEEE Transactions on
34(8), 1236–1249 (2015). DOI 10.1109/TCAD.2015.
2399455
30. Ziener, D., Assmus, S., Teich, J.: Identifying fpga ip-
cores based on lookup table content analysis. In: Field
Programmable Logic and Applications, 2006. FPL ’06.
International Conference on, pp. 1–6 (2006). DOI
10.1109/FPL.2006.311255
