
Stealing Maggie's Secrets -- On the Challenges of IP Theft Through FPGA Reverse Engineering

Simon Klix, Nils Albartus, Julian Speith, Paul Staat, Alice Verstege, Annika Wilde, Daniel Lammers, Jörn Langheinrich, Christian Kison, Sebastian Sester-Wehle, Daniel Holcomb, Christof Paar

TL;DR

This work reverse engineers the proprietary signal-processing algorithm implemented on a Lattice iCE40 FPGA found inside iPhone 7, generating novel insights into the actual efforts required to commit FPGA IP theft and the challenges an attacker faces on the way.

Abstract

Intellectual Property (IP) theft is a cause of major financial and reputational damage, reportedly in the range of hundreds of billions of dollars annually in the U.S. alone. Field Programmable Gate Arrays (FPGAs) are particularly exposed to IP theft, because their configuration file contains the IP in a proprietary format that can be mapped to a gate-level netlist with moderate effort. Despite this threat, the scientific understanding of this issue lags behind reality, thereby preventing an in-depth assessment of IP theft from FPGAs in academia. We address this discrepancy through a real-world case study on a Lattice iCE40 FPGA found inside iPhone 7. Apple refers to this FPGA as Maggie. By reverse engineering the proprietary signal-processing algorithm implemented on Maggie, we generate novel insights into the actual efforts required to commit FPGA IP theft and the challenges an attacker faces on the way. Informed by our case study, we then introduce generalized netlist reverse engineering techniques that drastically reduce the required manual effort and are applicable across a diverse spectrum of FPGA implementations and architectures. We evaluate these techniques on six benchmarks that are representative of different FPGA applications and have been synthesized for Xilinx and Lattice FPGAs, as well as in an end-to-end white-box case study. Finally, we provide a comprehensive open-source tool suite of netlist reverse engineering techniques to foster future research, enable the community to perform realistic threat assessments, and facilitate the evaluation of novel countermeasures.

Paper Structure (32 sections, 15 figures, 4 tables)

Figures (15)

  • Figure 1: Maggie as part of the Taptic Engine controller.
  • Figure 2: Overview of our case study on iPhone 7.
  • Figure 3: Netlist Preparation Overview.
  • Figure 4: Structure of a $3$-bit counter with reset constructed from a carry chain on a Lattice iCE40 FPGA.
  • Figure 5: The recovery of word-level MUX allows for the analysis of separate independent data paths.
  • ...and 10 more figures