After individual consultation, the Embedded Security group continues to offer Bachelor's and Master's theses focusing on FPGA security, hardware reverse engineering and physical-layer security. Prior knowledge of cryptography, algorithmic or VHDL fundamentals, or wireless communication is desirable but not strictly required.

Enquiries about theses should be sent to the contact e-mail address emsec+BA_MA@rub.de. Please include a short cover letter (a few words about yourself, strengths/weaknesses, motivation, ...) and a current transcript of records.

Open positions (BA/MA/SHK/WHB) on FPGA Security

FPGAs are reconfigurable devices used in all sorts of security-relevant applications. Hence, securing their boot process and the loading of their configuration — the so-called bitstream — is of utmost importance for a secure system. Internally, the bitstream configures all basic elements, such as look-up tables (LUTs) and flip-flops (FFs), and the routing between them. For most commercially available FPGAs, the bitstream encoding and its security features are proprietary.

Our latest research discovered several flaws in the bitstream protection of Xilinx FPGAs [1, 2, 3]. To foster our research, we are looking for your support and would like to welcome you to our team as a WHK/SHK or as part of a BA/MA thesis. Please feel free to contact us (Felix Hahn or Maik Ender) to discuss these topics, whatever your course or stage of study is.

Potential projects on FPGA security can be clustered in the following two general topics: fuzzing of FPGA configuration engines and general bitstream security.

[1] https://www.youtube.com/watch?v=IBhOKS9Cdms
[2] https://ieeexplore.ieee.org/document/9786118
[3] https://arxiv.org/pdf/2402.09845.pdf


Fuzzing FPGA Configuration Engines

Fuzzing is a well-established technique in the software domain but is not yet well explored for hardware. Your objective would be to work with our fuzzing framework, ConFuzz [4], or to explore new techniques on devices from vendors other than Xilinx.

[4] https://github.com/emsec/ConFuzz

  • Fuzzing with side channels
    You would use power side channels or other state-of-the-art techniques to enhance our view into the configuration engine’s state.
  • Advanced analysis methods / better GUI
    The data acquisition phase during our fuzzing campaign and the subsequent analysis should be enhanced by connecting it to a database and building an improved web interface.
  • Automated fuzzing and/or automated recovery of the state machine
    Currently, we use manual analysis techniques for fuzzing results. Your task would be to optimize and automate this using state-of-the-art fuzzing techniques.
  • Fuzzing the Xilinx JTAG Controller
    The JTAG controller has some advanced security features, which might be exploitable to attack the bitstream security.


Reverse Engineering & Securing Bitstreams

The vendor's tools are a one-way street: they only generate the bitstream from the netlist (an intermediate product of hardware synthesis — we will guide you through the jungle of hardware ;)). Thus, these tools provide no way back from a given bitstream to the netlist, but with our work [5] and open-source projects [6], we can understand the bitstream format of certain FPGAs pretty well. However, these methods should be developed further and applied to other vendors. Once the bitstream format is understood, more advanced questions can be raised, such as how the bitstream encryption can be formally verified.

[5] https://dl.acm.org/doi/10.1145/3287624.3288742
[6] https://f4pga.readthedocs.io/projects/prjxray/en/latest/
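To make the "way back" from bitstream to netlist concrete, here is an added example (not the group's tooling and not prjxray) of the differential method such projects use: synthesize designs that differ in exactly one feature, diff the resulting bitstreams, and record which bit moved. The "vendor tool" below is a constructed toy whose bit layout is hidden from the analyst side; the feature names, byte count and layout are all assumptions made for the illustration.

```python
"""Toy differential bitstream reverse engineering (constructed example).

The 'device' is a model: a 64-bit bitstream whose layout (which bit encodes
which LUT init bit or routing mux) is fixed but treated as unknown by the
analyst.  Real devices need many more designs, because features can share
frames or interact; the single-bit check below flags exactly that case.
"""

BITSTREAM_BYTES = 8

# Hidden layout of the toy device: feature name -> absolute bit index.
# Deliberately scrambled so the order of features reveals nothing.
# Bit 7 of byte 0 is reserved for a constant header flag (see vendor_tool).
_HIDDEN_LAYOUT = {
    "lut0.init[0]": 13, "lut0.init[1]": 2, "lut0.init[2]": 41, "lut0.init[3]": 5,
    "lut1.init[0]": 30, "lut1.init[1]": 22, "lut1.init[2]": 58, "lut1.init[3]": 9,
    "route.lut0_to_lut1": 47,
}
FEATURES = tuple(_HIDDEN_LAYOUT)  # the analyst knows the feature names only


def vendor_tool(netlist: dict) -> bytes:
    """Toy one-way 'synthesis': netlist (feature -> 0/1) to bitstream bytes."""
    bits = bytearray(BITSTREAM_BYTES)
    for feature, value in netlist.items():
        if value:
            idx = _HIDDEN_LAYOUT[feature]
            bits[idx // 8] |= 1 << (idx % 8)
    bits[0] |= 0x80  # constant framing bit, present in every bitstream
    return bytes(bits)


# ---- analyst side: may call vendor_tool() but cannot see _HIDDEN_LAYOUT ----

def diff_bits(a: bytes, b: bytes) -> set:
    """Absolute indices of all bits that differ between two bitstreams."""
    return {i * 8 + j
            for i, (x, y) in enumerate(zip(a, b))
            for j in range(8)
            if (x ^ y) >> j & 1}


def recover_layout(features, tool) -> dict:
    """Map each feature to its bit by toggling one feature at a time."""
    base = {f: 0 for f in features}
    baseline = tool(base)
    layout = {}
    for f in features:
        variant = dict(base)
        variant[f] = 1
        changed = diff_bits(baseline, tool(variant))
        # On real silicon a feature may move several bits (or none, if it is
        # masked by another setting); that needs more designs, so stop here.
        if len(changed) != 1:
            raise ValueError(f"{f}: expected one bit to change, got {sorted(changed)}")
        layout[f] = changed.pop()
    return layout


def decode(bitstream: bytes, layout: dict) -> dict:
    """Use a recovered layout to read a bitstream back into feature values."""
    return {f: (bitstream[i // 8] >> (i % 8)) & 1 for f, i in layout.items()}


if __name__ == "__main__":
    layout = recover_layout(FEATURES, vendor_tool)
    design = {f: 0 for f in FEATURES}
    design["lut1.init[2]"] = 1
    design["route.lut0_to_lut1"] = 1
    print(decode(vendor_tool(design), layout))
```

The recovered layout is only as good as the designs used to build it: the decoder here is validated by round-tripping a design that was never part of the recovery run, which is the same sanity check a real campaign needs before trusting a bit-to-feature database.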

  • Bitstream format reverse engineering (SHK/WHK)
    Our current methods should be developed further to understand the bitstream format better. You will continue to develop our existing tools and methods in a project with our research colleagues from UMass Amherst.
  • Bitstream format reversing of further vendors and FPGA families (BA/MA)
    Besides our current framework for reverse engineering bitstreams, other vendors and families are of interest. You would develop a technique to reverse bitstreams using state-of-the-art methods.
  • Software reverse engineering in FPGA security
    Software is used all over the FPGA life cycle. A better understanding of this cycle is necessary for comprehensive security analysis. Therefore, your reverse engineering skills would help us to delve deeper into this cycle.
  • Verifiable Bitstream Protection
    Formal methods proved to be effective in preventing architectural and protocol flaws in the first place. Your task would be formally verifying an (open source) bitstream protection engine (in HDL).
  • Analysing Xilinx Zynq Security Features
    Xilinx Zynq SoCs combine an FPGA with an ARM CPU. Their boot process differs from that of traditional FPGAs: a dedicated CPU core manages the security and configuration of all Zynq devices. Your task would be to analyze the security of this boot process. For example, CVE-2021-44850 [7] would be a good starting point for the topic.

[7] https://blog.ropcha.in/part-4-zynq-cve-2021-44850.html