Abschlussarbeiten

Die Embedded Security Gruppe bietet nach individueller Rücksprache weiter Bachelor- und Masterarbeiten mit Themenschwerpunkten FPGA Security, Hardware Reverse Engineering sowie Physical-Layer Security an. Vorkenntnisse im Bereich Kryptographie, algorithmische oder VHDL Grundlagen oder Drahtloskommunikation sind erwünscht, jedoch nicht zwangsläufig nötig.

Anfragen zu Abschlussarbeiten sind an die Kontakt-Emailadresse emsec+BA_MA@rub.de zu richten. Wir bitten um ein kurzes Anschreiben (einige Worte zur eigenen Person, Stärken/Schwächen, Motivation,…) sowie einen aktuellen Notenspiegel.

Open positions (BA/MA/SHK/WHB) on FPGA Security

FPGAs are reconfigurable devices used in all sorts of security-relevant applications. Hence, securing their boot process and loading their configuration — the so-called bitstream — is of utmost importance for a secure system. Internally, the bitstream configures all basic elements like LUTs and FFs and the routing between them. For most commercially available FPGAs, the bitstream encoding and its security features are proprietary.

Our latest research discovered several flaws in the bitstream protection of Xilinx FPGAs [1, 2, 3]. To foster our research, we are looking for your support and would like to welcome you to our team as a WHK/SHK or as part of a BA/MA thesis. Please feel free to contact us (Felix Hahn or Maik Ender) to discuss these topics, whatever your course or stage of study is.

Potential projects on FPGA security can be clustered in the following two general topics: fuzzing of FPGA configuration engines and general bitstream security.

[1] https://www.youtube.com/watch?v=IBhOKS9Cdms
[2] https://ieeexplore.ieee.org/document/9786118
[3] https://tches.iacr.org/index.php/TCHES/article/view/11435

 

Fuzzing FPGA Configuration Engines

While fuzzing is a well-established technique in the software domain, it is not well-explored on hardware. Your objective would be to work with our fuzzing framework, ConFuzz [1], or explore new techniques on devices from vendors other than Xilinx.

[1] https://github.com/emsec/ConFuzz

  • LLM-guided Configuration Engine Fuzzing
    We want to explore the possibilities of training an LLM with the structure of bitstreams [1, 2, 3, 4]. The goal is to use the LLM to generate suitable bitstreams for our fuzzing framework, ConFuzz. Additionally, we want to explore using NLP to process the available documentation and further improve test case generation.
    [1] https://arxiv.org/abs/2404.16297
    [2] http://arxiv.org/abs/2406.07714
    [3] https://www.ndss-symposium.org/ndss-paper/large-language-model-guided-protocol-fuzzing/
    [4] https://www.usenix.org/conference/usenixsecurity23/presentation/wang-dawei/
  • Fuzzing with side channels
    You would use power side channels or other state-of-the-art techniques to enhance our view into the configuration engine’s state.
  • Advanced analysis methods/better GUI
    The data acquisition phase during our fuzzing campaign and the subsequent analysis should be enhanced by connecting it to a database and building an improved web interface.
  • PCAP fuzzing on Zynq Ultrascale(+)
    Explore the possibility of porting our fuzzing framework, ConFuzz, directly to the ARM processor on a Zynq FPGA to enhance the fuzzing speed.
  • Automated fuzzing and/or automated recovery of the state machine
    Currently, we use manual analysis techniques for fuzzing results. Your task would be to optimize and automate this using state-of-the-art fuzzing techniques.
  • Fuzzing the Xilinx JTAG Controller
    The JTAG controller has some advanced security features, which might be exploitable to attack the bitstream security.

 

Reverse Engineering & Securing Bitstreams

The vendor’s tools are a one-way street, as they generate only the bitstream from the netlist (an intermediate product in synthesizing hardware — we will guide you through the jungle of hardware ;)). Thus, these tools do not provide any way back from a given bitstream to netlist, but with our work [1] and open-source projects [2, 3], we can understand the bitstream format for certain FPGAs pretty well. However, these methods should be developed further and applied to other vendors. Advanced questions can be raised after understanding the bitstream format, such as how can we formally verify the bitstream encryption?

[1] https://dl.acm.org/doi/10.1145/3287624.3288742
[2] https://f4pga.readthedocs.io/projects/prjxray/en/latest/
[3] https://fpga-interchange-schema.readthedocs.io/index.html

Open positions (BA/MA/SHK/WHB) on Wireless Physical-Layer Security

We are permanently surrounded by radio waves, which form the backbone of modern wireless communication systems such as 4G, 5G, Wi-Fi, and Bluetooth. Radio waves interact with their propagation environment, allowing extraction of detailed information about the physical environment. With regard to security and privacy, such physical-layer information comes with both risks and opportunities. Physical-layer information is not protected by current cryptographic primitives which are geared towards digital information. For example, eavesdroppers can exploit Wi-Fi signals to detect motion [1] and monitor vital signs, potentially violating privacy of individuals. In the coming years, wireless communication systems will increasingly incorporate radar-like sensing capabilities, demanding novel security solutions to ensure confidentiality, integrity, and authenticity of wireless sensing information. More constructively, radio-wave propagation effects can be utilized to verify physical integrity and authenticity of computing systems and entire rooms: Our Anti-Tamper Radio (ATR) solution [2] is capable of detecting insertions of metallic needles with a diameter as small as 100 µm into a running 19″ server. In a recent study [3], we’ve demonstrated that complex radio-wave propagation effects allow to treat entire rooms as Physical Unclonable Functions (PUFs), enabling secure remote inspection in mutual distrust settings, such as nuclear arms control verification.

If this sounds interesting to you, please contact Paul Staat. We are looking for motivated students to join our team as WHK/SHK or as BA/MA thesis workers. Potential areas that you could focus on include, but are not limited to:

  • Security and privacy aspects of wireless systems with software-controlled metasurfaces / Reconfigurable Intelligent Surfaces (RISs)
  • Wi-Fi sensing using Channel State Information (CSI) and Beamforming Feedback Information (BFI)
  • Security of wireless distance measurements (Ultra Wideband (UWB) and phase-based ranging)
  • mmWave radar sensing
  • Physical tamper detection
  • Machine learning on physical-layer information
  • Channel reciprocity-based key generation
  • Wireless jamming attacks
  • Emission security

 

[1] https://arxiv.org/abs/2112.01967
[2] https://arxiv.org/abs/2112.09014
[3] https://www.nature.com/articles/s41467-023-42314-2