TY - JOUR
T1 - Multi Look-up Table FPGA Reverse Engineering with Bitstream Extraction and Multiple PIP/PLP Matching
AU - Yu, Hoyoung
AU - Cho, Mannhee
AU - Lee, Sangil
AU - Lee, Hyung Min
AU - Kim, Youngmin
N1 - Funding Information:
This work was supported as part of Military Crypto Research Center (UD170109ED) funded by Defense Acquisition Program Administration (DAPA) and Agency for Defense Development (ADD).
Publisher Copyright:
© 2021, Institute of Electronics Engineers of Korea. All rights reserved.
PY - 2021
Y1 - 2021
N2 - Owing to the recognition of the field-programmable gate array (FPGA) as a key component of Internet of Things (IoT) devices, there has been exponential growth in the demand for FPGAs. Along with this increased demand, FPGA security issues have also drawn significant attention. An attacker can extract the bitstream, the configuration data stored in FPGAs, and manipulate it to insert a malicious circuit (e.g., Trojan attack). To prevent such attacks, it is essential to identify their root cause and implement countermeasures. In this study, we target Xilinx FPGAs, for which two FPGA design software suites are provided, the Integrated Software Environment (ISE) design suite and the Vivado design suite, depending on the FPGA family. While FPGA reverse engineering has been studied extensively using ISE, little work has been done on the Vivado environment. No research has been conducted on the reverse engineering of programmable interconnect points (PIPs), which is essential for reverse engineering of a complete circuit. In this study, we propose an FPGA reverse engineering method, targeting FPGAs of the latest Vivado design suite environment, to extract complete circuits by combining both logic data from programmable logic points and signal connectivity data from PIPs extracted from the bitstream. We performed reverse engineering of a 3-bit adder circuit targeting an ARTIX-7 family chip, using Verilog and the Vivado design suite. It was confirmed that the logic recovered from the bitstream is identical to the actual 3-bit adder circuit, verifying a 100% recovery rate of the proposed reverse engineering method.
AB - Owing to the recognition of the field-programmable gate array (FPGA) as a key component of Internet of Things (IoT) devices, there has been exponential growth in the demand for FPGAs. Along with this increased demand, FPGA security issues have also drawn significant attention. An attacker can extract the bitstream, the configuration data stored in FPGAs, and manipulate it to insert a malicious circuit (e.g., Trojan attack). To prevent such attacks, it is essential to identify their root cause and implement countermeasures. In this study, we target Xilinx FPGAs, for which two FPGA design software suites are provided, the Integrated Software Environment (ISE) design suite and the Vivado design suite, depending on the FPGA family. While FPGA reverse engineering has been studied extensively using ISE, little work has been done on the Vivado environment. No research has been conducted on the reverse engineering of programmable interconnect points (PIPs), which is essential for reverse engineering of a complete circuit. In this study, we propose an FPGA reverse engineering method, targeting FPGAs of the latest Vivado design suite environment, to extract complete circuits by combining both logic data from programmable logic points and signal connectivity data from PIPs extracted from the bitstream. We performed reverse engineering of a 3-bit adder circuit targeting an ARTIX-7 family chip, using Verilog and the Vivado design suite. It was confirmed that the logic recovered from the bitstream is identical to the actual 3-bit adder circuit, verifying a 100% recovery rate of the proposed reverse engineering method.
KW - Bitstream
KW - FPGA reverse engineering
KW - Logic extract
KW - Noninvasive attack
KW - Project X-ray
KW - Vivado design suite
UR - http://www.scopus.com/inward/record.url?scp=85126878644&partnerID=8YFLogxK
U2 - 10.5573/JSTS.2021.21.1.049
DO - 10.5573/JSTS.2021.21.1.049
M3 - Article
AN - SCOPUS:85126878644
SN - 1598-1657
VL - 21
SP - 49
EP - 61
JO - Journal of Semiconductor Technology and Science
JF - Journal of Semiconductor Technology and Science
IS - 1
ER -