- To: actux@xxxxxxxxxxxxxxxxxxx
- Subject: [Actux] FPGA reverse-engineering challenge @ Hackito Ergo Sum
- From: Sébastien Bourdeauducq <sebastien.bourdeauducq@xxxxxxxxxxxx>
- Date: Thu, 1 Apr 2010 20:32:55 +0200
- Organization: lekernel
FPGA reverse-engineering challenge
==================================
Hackito Ergo Sum - Paris, April 8-10 2010
http://www.hackitoergosum.org
SRAM-based FPGAs are often touted as being "secure", in the sense that a
design for which only the programming file ("bitstream") is available cannot
be analyzed [1]. Many security features are built on this assumption:
anti-cloning protections for hardware, evaluation versions of FPGA designs (IP
cores) that stop working after a few hours, ...
This security relies on the fact that the bitstream format, despite being
unencrypted, is largely undocumented and proprietary, and that even assuming a
perfect understanding of the format, recovering a design's netlist from the
information contained in the bitstream alone is a daunting task.
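The first step of any such analysis is simply getting at the raw configuration data: a Xilinx .bit file is an unencrypted container whose header fields are in plain ASCII and whose configuration stream is a sequence of typed packets. The following is an added example written for this page, not part of the challenge files or of any Xilinx tool. It assumes the commonly described .bit container layout (tagged fields 'a'..'e') and the Spartan-3 generation packet format (type-1 headers carrying a register address, type-2 headers carrying a long word count for the frame data); the register and CMD numbers and the sample bitstream it parses are constructed for illustration, not taken from a real design.

```python
"""Walk a Xilinx .bit file: container header, then configuration packets.

Added example for this page, not challenge code. The .bit tag layout and the
Spartan-3 style packet encoding (type-1 / type-2 headers, register numbers)
are assumptions based on public descriptions; the sample image at the bottom
is constructed and is not a real design.
"""
import struct

SYNC_WORD = 0xAA995566
DUMMY_WORD = 0xFFFFFFFF

# Type-1 packet register addresses, Spartan-3 family (assumption).
REGISTERS = {
    0: "CRC", 1: "FAR", 2: "FDRI", 3: "FDRO", 4: "CMD", 5: "CTL", 6: "MASK",
    7: "STAT", 8: "LOUT", 9: "COR", 10: "MFWR", 11: "FLR", 12: "KEY",
    13: "CBC", 14: "IDCODE",
}
OPCODES = {0: "NOP", 1: "READ", 2: "WRITE", 3: "RESERVED"}


def parse_bit_header(data):
    """Return the tagged fields of a .bit container.

    'a' design name, 'b' part, 'c' date, 'd' time are NUL-terminated strings
    with 16-bit big-endian lengths; 'e' is the raw configuration stream
    with a 32-bit length.
    """
    pos = 0
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2 + n                          # skip the fixed 9-byte preamble
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2                              # length (1) of the first tag byte
    fields = {}
    while pos < len(data):
        tag = chr(data[pos]); pos += 1
        if tag == "e":
            (n,) = struct.unpack_from(">I", data, pos); pos += 4
            fields["e"] = data[pos:pos + n]
            break
        (n,) = struct.unpack_from(">H", data, pos); pos += 2
        fields[tag] = data[pos:pos + n].rstrip(b"\0").decode("ascii")
        pos += n
    return fields


def parse_config_packets(cfg):
    """Decode the packets after the sync word as (opcode, register, words).

    A type-2 packet has no register field: it continues the register named
    by the preceding type-1 header (FDRI for the frame data of a full load).
    """
    nwords = len(cfg) // 4
    words = list(struct.unpack(">%dI" % nwords, cfg[:nwords * 4]))
    if SYNC_WORD not in words:
        raise ValueError("no sync word: not an unencrypted config stream?")
    i = words.index(SYNC_WORD) + 1
    packets, reg = [], None
    while i < len(words):
        hdr = words[i]; i += 1
        ptype = hdr >> 29
        opcode = OPCODES[(hdr >> 27) & 0x3]
        if ptype == 1:
            if opcode == "NOP":
                packets.append(("NOP", None, []))
                continue
            reg = REGISTERS.get((hdr >> 13) & 0x3FFF, "UNKNOWN")
            count = hdr & 0x7FF
        elif ptype == 2:
            count = hdr & 0x07FFFFFF
        else:
            continue                      # dummy / padding word
        packets.append((opcode, reg, words[i:i + count]))
        i += count
    return packets


def summarize(data):
    """Header fields, decoded packets, and the raw FDRI frame words."""
    hdr = parse_bit_header(data)
    packets = parse_config_packets(hdr["e"])
    frames = [w for op, reg, payload in packets
              if op == "WRITE" and reg == "FDRI" for w in payload]
    return hdr, packets, frames


def _type1(opcode, reg, count):
    return (1 << 29) | (opcode << 27) | (reg << 13) | count


def _type2(opcode, count):
    return (2 << 29) | (opcode << 27) | count


def make_sample_bitstream():
    """Constructed .bit image (not a real design) in the shape of a full load.
    CMD values 7 (RCRC) and 1 (WCFG) and the IDCODE are assumed/made up."""
    def field(tag, text):
        s = text.encode("ascii") + b"\0"
        return tag + struct.pack(">H", len(s)) + s
    cfg_words = [
        DUMMY_WORD, SYNC_WORD,
        _type1(2, 4, 1), 0x00000007,      # WRITE CMD <- RCRC
        _type1(2, 14, 1), 0x01234567,     # WRITE IDCODE (made-up value)
        _type1(2, 1, 1), 0x00000000,      # WRITE FAR <- frame address 0
        _type1(2, 4, 1), 0x00000001,      # WRITE CMD <- WCFG
        _type1(2, 2, 0),                  # WRITE FDRI, length in type-2 below
        _type2(2, 4), 0xDEADBEEF, 0x0BADF00D, 0x12345678, 0xCAFEBABE,
        _type1(2, 0, 1), 0x00000000,      # WRITE CRC (not computed here)
    ]
    cfg = struct.pack(">%dI" % len(cfg_words), *cfg_words)
    return (b"\x00\x09" + b"\x0f\xf0" * 4 + b"\x00" + b"\x00\x01"
            + field(b"a", "level1.ncd;UserID=0xFFFFFFFF")
            + field(b"b", "3s400aft256")
            + field(b"c", "2010/04/08") + field(b"d", "10:00:00")
            + b"e" + struct.pack(">I", len(cfg)) + cfg)


if __name__ == "__main__":
    hdr, packets, frames = summarize(make_sample_bitstream())
    print({k: v for k, v in hdr.items() if k != "e"})
    for op, reg, payload in packets:
        print(op, reg, ["%08x" % w for w in payload])
    print("frame words:", len(frames))
```

On a real file the part name and the write to IDCODE tell you which device and which frame layout you are dealing with; the FDRI payload is the configuration memory itself, and mapping those frame bits back to LUT contents and routing is the "daunting task" the text refers to. Nothing here needs a key: the only thing standing between an attacker and the design is the undocumented frame layout.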
Many security researchers believe that security through obscurity does not
work. Could FPGAs prove them wrong? Could obscurity be, for once, an effective
means to achieve security? In this case, what would prevent an attacker with
knowledge gained from the FPGA manufacturer from injecting malicious code into
your sensitive bitstreams without fear of being discovered?
In a world where concerns about hardware security are growing (two years ago,
DARPA launched a challenge where people were supposed to discover malicious
insertions made into chips [2]), we will challenge these questions at Hackito
Ergo Sum.
You are given bitstreams implementing security features, and your role is to
break them. Even though they are significantly simpler than the security
systems commonly found in the industry, the basic technique should be
essentially the same, especially for the last levels of difficulty. The very
last one is close to what a real system would look like!
In the first levels, you have more information than the bitstream only, in
order to ease your job and give you an insight about what needs to be done in
the next levels. Furthermore, there will be a workshop at the beginning of the
conference to get you acquainted with some FPGA tools.
THE WORKSHOP
A hands-on workshop will be given at the beginning of HES and shortly after
the challenge begins. It will revolve around three subjects:
1/ logic design crash course.
2/ how an FPGA works internally.
3/ how to build an FPGA system-on-chip and how to connect a new peripheral
(such as the security device) to an on-chip bus.
This workshop is merely a digest of the previous workshops at /tmp/lab [4]
[5].
LEVELS
There are 6 levels of increasing difficulty. They will be announced at the
same time as the files for the challenge are posted.
RULES
* Complete files for the challenge will be posted to my blog [9] on April 8th,
10:00 local time.
* Mail the answer(s) to the level(s) you have solved to seb AT tmplab DOT org
before April 10th, 18:00 local time.
* You can work alone or in teams.
* You have to explain how you found the answer(s).
* Breaking into my computer is cheating and gets you disqualified. Don't do
it.
* If you do not want to waste time fixing libraries, installing virtual
machines, downloading multi-GB files, etc., install Xilinx ISE Webpack before
coming and make sure that it works (it rarely does the first time), including
the fpga_editor command.
* All bitstreams can be tested on the cheap Avnet Spartan 3A Evaluation Kit
[3], making the challenge accessible to everybody. A comprehensive list of
commands to perform various operations on this kit is given in [7].
* Some kits are available for lending during the conference, in exchange for a
deposit of 70 euros which will be given back to you when you return the kit in
good working condition.
REFERENCES
[1] http://www.cl.cam.ac.uk/~sd410/papers/fpga_security.pdf
[2] http://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch
[3] http://www.xilinx.com/products/devkits/aes_sp3a_eval400_avnet.htm
[4] http://lekernel.net/blog/?p=668
[5] http://lekernel.net/blog/?p=429
[6] http://www.milkymist.org
[7] http://www.milkymist.org/wiki/index.php?title=Installing_the_Spartan_3A_evaluation_kit_mini-port
[8] http://www.ulogic.org
[9] http://lekernel.net/blog
---
Liste Actux, http://www.actux.fr