Authors: Zhang Tao, M. Tehranipoor, Farimah Farahmandi
DOI: 10.1109/ETS56758.2023.10174155 (https://doi.org/10.1109/ETS56758.2023.10174155)
Venue: 2023 IEEE European Test Symposium (ETS)
Publication date: 2023-05-22
Citation count (Semantic Scholar): 1
BitFREE: On Significant Speedup and Security Applications of FPGA Bitstream Format Reverse Engineering
FPGAs are widely deployed in critical applications ranging from consumer electronics to spacecraft, yet the mainstream vendors refuse to disclose the details of their configuration bitstream formats, citing security considerations, which obstructs benign applications at the same time. Although several bitstream reverse engineering solutions have been proposed to reconstruct these formats, the state-of-the-art techniques typically require at least days to partially retrieve the architecture-specific bitstream format for a single (small) FPGA model. In this paper, we propose BitFREE, a methodology targeting the market-dominating Xilinx devices that reverse engineers the majority of the bitstream formats of all models in the different FPGA families at the time, in the order of minutes. Instead of analyzing entire bitstreams serially as other works do, BitFREE exploits the correlation between the FPGA architecture and the configuration memory map to decompose the configuration frames into more fine-grained segments that are analyzed intelligently in parallel. We demonstrate the high accuracy of BitFREE by precisely recovering the information from bitstreams of the covered FPGA models. We also introduce two security applications of BitFREE, routing-level bitstream tampering and malicious ring oscillator circuitry detection, to shed light on the broad usage of bitstream reverse engineering in the hardware security domain.