Theses

After individual consultation, the Embedded Security Group continues to offer Bachelor's and Master's theses focusing on FPGA security, hardware reverse engineering and physical-layer security. Prior knowledge of cryptography, algorithmic or VHDL fundamentals, or wireless communication is desirable but not strictly required.

Requests for theses should be sent to the contact e-mail address emsec+BA_MA@rub.de. Please include a short cover letter (a few words about yourself, strengths/weaknesses, motivation, …) and a current transcript of records.

Open positions (BA/MA/SHK/WHB) on FPGA Security

FPGAs are reconfigurable devices used in all sorts of security-relevant applications. Hence, securing their boot process and loading their configuration — the so-called bitstream — is of utmost importance for a secure system. Internally, the bitstream configures all basic elements like LUTs and FFs and the routing between them. For most commercially available FPGAs, the bitstream encoding and its security features are proprietary.

Our latest research discovered several flaws in the bitstream protection of Xilinx FPGAs [1, 2, 3]. To foster our research, we are looking for your support and would like to welcome you to our team as a WHK/SHK or as part of a BA/MA thesis. Please feel free to contact us (Felix Hahn or Maik Ender) to discuss these topics, whatever your course or stage of study is.

Potential projects on FPGA security can be clustered in the following two general topics: fuzzing of FPGA configuration engines and general bitstream security.

[1] https://www.youtube.com/watch?v=IBhOKS9Cdms
[2] https://ieeexplore.ieee.org/document/9786118
[3] https://tches.iacr.org/index.php/TCHES/article/view/11435


Fuzzing FPGA Configuration Engines

While fuzzing is a well-established technique in the software domain, it is not well-explored on hardware. Your objective would be to work with our fuzzing framework, ConFuzz [1], or explore new techniques on devices from vendors other than Xilinx.

[1] https://github.com/emsec/ConFuzz

  • LLM-guided Configuration Engine Fuzzing
    We want to explore the possibilities of training an LLM with the structure of bitstreams [1, 2, 3, 4]. The goal is to use the LLM to generate suitable bitstreams for our fuzzing framework, ConFuzz. Additionally, we want to explore using NLP to process the available documentation and further improve test case generation.
    [1] https://arxiv.org/abs/2404.16297
    [2] http://arxiv.org/abs/2406.07714
    [3] https://www.ndss-symposium.org/ndss-paper/large-language-model-guided-protocol-fuzzing/
    [4] https://www.usenix.org/conference/usenixsecurity23/presentation/wang-dawei/
  • Fuzzing with side channels
    You would use power side channels or other state-of-the-art techniques to enhance our view into the configuration engine’s state.
  • Advanced analysis methods/better GUI
    The data acquisition phase during our fuzzing campaign and the subsequent analysis should be enhanced by connecting it to a database and building an improved web interface.
  • PCAP fuzzing on Zynq Ultrascale(+)
    Explore the possibility of porting our fuzzing framework, ConFuzz, directly to the ARM processor on a Zynq FPGA to enhance the fuzzing speed.
  • Automated fuzzing and/or automated recovery of the state machine
    Currently, we use manual analysis techniques for fuzzing results. Your task would be to optimize and automate this using state-of-the-art fuzzing techniques.
  • Fuzzing the Xilinx JTAG Controller
    The JTAG controller has some advanced security features, which might be exploitable to attack the bitstream security.


Reverse Engineering & Securing Bitstreams

The vendor's tools are a one-way street: they only generate the bitstream from the netlist (an intermediate product of hardware synthesis — we will guide you through the jungle of hardware ;)). Thus, these tools provide no way back from a given bitstream to the netlist, but with our work [1] and open-source projects [2, 3] we understand the bitstream format of certain FPGAs quite well. However, these methods should be developed further and applied to other vendors. Once the bitstream format is understood, more advanced questions can be raised, such as: how can we formally verify the bitstream encryption?

[1] https://dl.acm.org/doi/10.1145/3287624.3288742
[2] https://f4pga.readthedocs.io/projects/prjxray/en/latest/
[3] https://fpga-interchange-schema.readthedocs.io/index.html
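As an added illustration of what "understanding the bitstream format" means in practice, here is example code written for this page; it is not code from the group, from ConFuzz or from the cited open-source projects. The packet layer of a Xilinx 7-series bitstream (sync word, type-1 and type-2 packet headers, configuration register addresses) is publicly described in the Xilinx configuration user guide UG470, and the parser below walks a constructed, minimal configuration stream using that layout. The sample stream, the placeholder IDCODE value and the CMD codes (RCRC, DESYNC) are assumptions and constructed values taken from that public documentation, not from this page; nothing below touches the encrypted or proprietary parts of a real bitstream.

```python
"""Parse the configuration packet stream of a 7-series style FPGA bitstream.

Assumption: packet layout follows the public description in Xilinx UG470.
The sample bitstream built here is constructed for illustration only.
"""
import struct

SYNC_WORD = 0xAA995566
DUMMY_WORD = 0xFFFFFFFF

# Configuration register addresses as listed in UG470 (assumed, public documentation).
REGISTERS = {
    0: "CRC", 1: "FAR", 2: "FDRI", 3: "FDRO", 4: "CMD", 5: "CTL0", 6: "MASK",
    7: "STAT", 8: "LOUT", 9: "COR0", 10: "MFWR", 11: "CBC", 12: "IDCODE",
    13: "AXSS", 14: "COR1", 16: "WBSTAR", 17: "TIMER", 22: "BOOTSTS",
    24: "CTL1", 31: "BSPI",
}
OPCODES = {0: "NOP", 1: "READ", 2: "WRITE", 3: "RESERVED"}


def type1_header(opcode, reg, count):
    """Type-1 header: type[31:29]=1, opcode[28:27], register[26:13], word count[10:0]."""
    return (1 << 29) | ((opcode & 0x3) << 27) | ((reg & 0x3FFF) << 13) | (count & 0x7FF)


def type2_header(opcode, count):
    """Type-2 header: type[31:29]=2, opcode[28:27], word count[26:0].
    The target register is inherited from the preceding type-1 packet."""
    return (2 << 29) | ((opcode & 0x3) << 27) | (count & 0x07FFFFFF)


def words(*vals):
    """Pack 32-bit values big-endian, as they appear in the bitstream."""
    return b"".join(struct.pack(">I", v) for v in vals)


def build_sample_bitstream():
    """Constructed minimal configuration stream (not a real device bitstream)."""
    frame = [0x12345678, 0x9ABCDEF0, 0x0F0F0F0F]  # constructed frame data
    return (
        words(*([DUMMY_WORD] * 8))
        + words(0x000000BB, 0x11220044)            # bus-width auto-detect pattern
        + words(DUMMY_WORD, SYNC_WORD)
        + words(type1_header(0, 0, 0))             # NOP
        + words(type1_header(2, 12, 1), 0x0362D093)  # WRITE IDCODE (placeholder id)
        + words(type1_header(2, 4, 1), 0x00000007)   # WRITE CMD = RCRC (assumed code)
        + words(type1_header(2, 2, 0))             # WRITE FDRI, length follows in type-2
        + words(type2_header(2, len(frame)), *frame)
        + words(type1_header(2, 4, 1), 0x0000000D)   # WRITE CMD = DESYNC (assumed code)
    )


def find_sync(data):
    """Return the byte offset just after the sync word (scanned byte-wise, not word-aligned)."""
    for off in range(len(data) - 3):
        if data[off:off + 4] == b"\xAA\x99\x55\x66":
            return off + 4
    raise ValueError("sync word not found")


def parse_packets(data):
    """Decode every packet after the sync word into a dict; raise ValueError on malformed input."""
    pos = find_sync(data)
    packets = []
    last_reg = None
    while pos + 4 <= len(data):
        hdr = struct.unpack(">I", data[pos:pos + 4])[0]
        pos += 4
        ptype = hdr >> 29
        opcode = (hdr >> 27) & 0x3
        if ptype == 1:
            reg = (hdr >> 13) & 0x3FFF
            count = hdr & 0x7FF
            last_reg = reg
        elif ptype == 2:
            if last_reg is None:
                raise ValueError(f"type-2 packet without preceding type-1 at offset {pos - 4}")
            reg = last_reg
            count = hdr & 0x07FFFFFF
        else:
            raise ValueError(f"unknown packet type {ptype} at offset {pos - 4}")
        end = pos + 4 * count
        if end > len(data):
            raise ValueError(f"truncated payload at offset {pos}")
        payload = list(struct.unpack(f">{count}I", data[pos:end]))
        pos = end
        packets.append({
            "type": ptype,
            "opcode": OPCODES[opcode],
            "register": None if opcode == 0 else REGISTERS.get(reg, f"REG{reg}"),
            "count": count,
            "payload": payload,
        })
    return packets


def summarize(packets):
    """One human-readable line per packet."""
    return [f"{p['opcode']} {p['register'] or '-'} count={p['count']}" for p in packets]


def fdri_words(packets):
    """Collect all frame-data words written through FDRI (type-1 or type-2 continuation)."""
    return [w for p in packets if p["opcode"] == "WRITE" and p["register"] == "FDRI"
            for w in p["payload"]]


def check_stream(data):
    """(True, packets) for a parseable stream, (False, reason) otherwise."""
    try:
        return True, parse_packets(data)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for line in summarize(parse_packets(build_sample_bitstream())):
        print(line)
```

Running the script prints the six decoded packets of the constructed stream. The type-2 continuation is the part worth noticing: the register is carried over from the zero-length type-1 FDRI packet, which is why a parser has to keep state across packets, and why a truncated or re-ordered packet sequence (as a fuzzer would produce) is reported instead of silently misread.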