A Comprehensive FPGA Reverse Engineering Tool-Chain: From Bitstream to RTL Code

Abstract
As recently studied, field-programmable gate arrays (FPGAs) suffer from growing Hardware Trojan (HT) attacks, and many techniques, e.g., register-transfer level (RTL) code-based analysis, have been presented to detect HTs on FPGAs. However, most FPGA end users can only obtain the bitstream, rather than the RTL code. Therefore, we present a new FPGA reverse engineering tool-chain. It can precisely transform the FPGA bitstream to RTL code and therefore assists in HT detection. In detail, we first construct an integrated database involving the FPGA architecture information and the bitstream mapping information. Then, we build two tools, namely, the bitstream reversal tool (BRT) and the netlist reversal tool (NRT). They can be combined to retrieve the RTL code from the FPGA bitstream in moderate time. To demonstrate the effectiveness of our tool-chain, we evaluate it qualitatively and quantitatively by using two benchmarks (ISCAS'85 and ISCAS'89) and three real applications (8051 core, 68HC08, and AES). Our tool-chain is comprehensive since it covers all the reverse engineering stages, from bitstream to netlist and from netlist to code, without any support from other tools. Moreover, it rebuilds the netlist with a 100% correct rate and retrieves RTL code which is exactly functionally equivalent to the original one for all our benchmarks. To the best of our knowledge, it is the first tool that can perform integrated, precise reverse engineering for FPGAs, paving the way for netlist-/code-based HT detection.

Bibliographic Details
Main Authors: Tao Zhang, Jian Wang (https://orcid.org/0000-0001-5416-0649), Shize Guo, Zhe Chen
Affiliation: School of Information and Communication Engineering, University of Electronic Science and Technology of China, Chengdu, China
Format: Article
Language: English
Published: IEEE, 2019-01-01
Series: IEEE Access, volume 7, pages 38379-38389
ISSN: 2169-3536
DOI: 10.1109/ACCESS.2019.2901949
Subjects: FPGA; reverse engineering; bitstream; hardware trojan
Online Access: https://ieeexplore.ieee.org/document/8653869/
Collection: Directory of Open Access Journals (DOAJ), record id doaj.art-3a973842b5dc45d3a30184cd502e4c32