Abstract. This paper is a short summary of the first real world de-
tection of a backdoor in a military grade FPGA. Using an innovative
patented technique we were able to detect and analyse in the first doc-
umented case of its kind, a backdoor inserted into the Actel/Microsemi
ProASIC3 chips for accessing FPGA configuration. The backdoor was
found amongst additional JTAG functionality and exists on the silicon
itself, it was not present in any firmware loaded onto the chip. Using
Pipeline Emission Analysis (PEA), our pioneered technique, we were
able to extract the secret key to activate the backdoor, as well as other
security keys such as the AES and the Passkey. This way an attacker
can extract all the configuration data from the chip, reprogram crypto
and access keys, modify low-level silicon features, access unencrypted
configuration bitstream or permanently damage the device. Clearly this
means the device is wide open to intellectual property (IP) theft, fraud,
re-programming as well as reverse engineering of the design which allows
the introduction of a new backdoor or Trojan. Most concerning, it is
not possible to patch the backdoor in chips already deployed, meaning
those using this family of chips have to accept the fact they can be easily
compromised or will have to be physically replaced after a redesign of
the silicon itself.
https://www.cl.cam.ac.uk/~sps32/ches2012-backdoor.pdf
tection of a backdoor in a military grade FPGA. Using an innovative
patented technique we were able to detect and analyse in the first doc-
umented case of its kind, a backdoor inserted into the Actel/Microsemi
ProASIC3 chips for accessing FPGA configuration. The backdoor was
found amongst additional JTAG functionality and exists on the silicon
itself, it was not present in any firmware loaded onto the chip. Using
Pipeline Emission Analysis (PEA), our pioneered technique, we were
able to extract the secret key to activate the backdoor, as well as other
security keys such as the AES and the Passkey. This way an attacker
can extract all the configuration data from the chip, reprogram crypto
and access keys, modify low-level silicon features, access unencrypted
configuration bitstream or permanently damage the device. Clearly this
means the device is wide open to intellectual property (IP) theft, fraud,
re-programming as well as reverse engineering of the design which allows
the introduction of a new backdoor or Trojan. Most concerning, it is
not possible to patch the backdoor in chips already deployed, meaning
those using this family of chips have to accept the fact they can be easily
compromised or will have to be physically replaced after a redesign of
the silicon itself.
https://www.cl.cam.ac.uk/~sps32/ches2012-backdoor.pdf