Partial bitstream protection for low-cost FPGAs with physical unclonable function, obfuscation, and dynamic partial self reconfiguration

Due to copyright restrictions, the access to the full text of this article is only available via subscription.This paper proposes a technique based on Physical Unclonable Functions (PUFs), obfuscation, and Dynamic Partial Self Reconfiguration (DPSR) to protect partial FPGA configuration bitstreams from cloning and reverse engineering. With the aid of this technique, we are able to do the equivalent of partial bitstream encryption on low-cost FPGAs, which is only featured on high-end FPGAs. Low-cost FPGAs do not even have built-in support for encrypted (full) bitstreams. Through DPSR, our PUF implementation does not steal real estate from the encrypted design. We also present a new DPSR flow for Xilinx FPGAs, which is difference-based but still allows modular design. It works regardless of the amount of difference between Partial Reconfiguration (PR) modules and is called DPSR-LD, where LD stands for Large-Difference. DPSR-LD is an enabler especially for Spartan-6 FPGA family, as Xilinx currently supports PR on Spartan-6 only through the difference-based flow and only for small differences. Our DPSR-LD also includes a controller that interfaces to the ICAP and can process compressed bitstreams. It is called ICAP+ and occupies only 1% of Spartan-6 slices

Partial bitstream protection for low-cost FPGAs with physical unclonable function, obfuscation, and dynamic partial self reconfiguration

Due to copyright restrictions, the access to the full text of this article is only available via subscription.This paper proposes a technique based on Physical Unclonable Functions (PUFs), obfuscation, and Dynamic Partial Self Reconfiguration (DPSR) to protect partial FPGA configuration bitstreams from cloning and reverse engineering. With the aid of this technique, we are able to do the equivalent of partial bitstream encryption on low-cost FPGAs, which is only featured on high-end FPGAs. Low-cost FPGAs do not even have built-in support for encrypted (full) bitstreams. Through DPSR, our PUF implementation does not steal real estate from the encrypted design. We also present a new DPSR flow for Xilinx FPGAs, which is difference-based but still allows modular design. It works regardless of the amount of difference between Partial Reconfiguration (PR) modules and is called DPSR-LD, where LD stands for Large-Difference. DPSR-LD is an enabler especially for Spartan-6 FPGA family, as Xilinx currently supports PR on Spartan-6 only through the difference-based flow and only for small differences. Our DPSR-LD also includes a controller that interfaces to the ICAP and can process compressed bitstreams. It is called ICAP+ and occupies only 1% of Spartan-6 slices

Methods of Reverse Engineering a Bitstream for Field Programmable Gate Array Protection

Field Programmable Gate Arrays (FPGAs) are found in numerous industries including consumer electronics, automotive, military and aerospace, and critical infrastructure. The ability to be reprogrammed as well as large computational power and relatively low price make them a good fit for low-volume applications that cannot justify the Non-Recurring Engineering (NRE) costs associated with producing Application-Specific Integrated Circuits (ASICs). FPGAs however, have seen a variety of security issues stemming from the fact that their configuration files are not inherently protected. This research assesses the feasibility of reverse engineering the bitstream format for a previously unexplored FPGA, as well as the utilization of the knowledge gained during that process to create a bitstream parser and perform a bitstream modification attack. The reverse engineering process utilizes Tool Command Language (TCL) scripts to automate the modification of various configuration options and then synthesize the resulting bitstream. Various configuration options for Input/Output Blocks (IOBs) are mapped to their respective locations in the bitstream and the encoding format for the configuration of several Look-Up Tables (LUTs) is discovered. This information is then utilized to create a bitstream parser that takes a bitstream as an input and outputs configuration information for IOBs. Additionally, a bitstream modification attack is performed that changes the original design logic by modifying the bitstream directly to change the configuration values of a LUT. Both the parser and bitstream modification attack are shown to work validating the information gained through the reverse engineering process