On the Malicious Potential of Xilinx’s Internal Configuration Access Port (ICAP)

2.1 Xilinx FPGAs

FPGAs in general are reconfigurable Integrated Circuits (ICs) that can be customized to implement a broad range of logic designs. FPGA logic includes Look-Up Tables (LUTs) that implement Boolean functions, Flip-Flops (FFs) , wires, and specialized elements, such as multipliers and Block-RAMs (BRAMs). Throughout the article, we use the term fabric to refer to the part of the FPGA that contains the user’s design, while the configuration engine is the FPGA component that configures the fabric via internal or external configuration access ports. The following background focuses primarily on Xilinx 7-Series & UltraScale(+) FPGAs.

2.1.1 FPGA Configuration.

FPGA configuration is performed by applying a bitstream—containing the FPGA’s design—to one of the configuration ports. Deployed in-field the bitstream is usually stored on an external non-volatile memory. The bitstream itself is a specific command sequence of 32-bit words, which are read and write commands to registers in the FPGA’s configuration engine. The bitstream can be used via both internal and external ports, i.e., JTAG, SPI, and ICAP. The main part of the bitstream configuration process is writing the fabric configuration data to the Frame Data Register (FDRI), configuring the basic elements of the FPGA, i.e., LUTs, FFs, and routing. The fabric is programmed in frames, which consist of 93 (UltraScale+), 101 (7-Series), or 123 (UltraScale) words. Each frame within the fabric can be addressed individually by a frame address. Upon configuration, this address must be provided in the Frame Address Register (FAR). Figure 1 shows a general system overview of the FPGA configuration engine [80, 81].

Fig. 1.

View Figure

2.2 Netlist Reverse Engineering

In some attack scenarios, an FPGA netlist is analyzed to gain design insights or find spots for Trojan insertion. A bitstream is effectively an alternative format of an FPGA design netlist, and converting the bitstream to a human-readable netlist format is possible [4]. After bitstream conversion, a flattened netlist containing no high-level or hierarchical information [2, 8, 27] is obtained. This netlist contains only logic gates and their interconnection. Netlists can be analyzed with (1) static analysis methods, in which the netlist is analyzed without information collected during execution, or (2) dynamic analysis methods that include simulation or on-chip debugging [68].

2.3 Hardware Trojans

Since the report on high-performance microchip supply in 2005 [19], the scientific community has substantially researched offensive and defensive aspects of unauthorized malicious hardware manipulations, a.k.a. hardware Trojans [27, 78]. Surreptitious manipulations can be inserted during various development phases (e.g., during the design phase by a malicious designer or during the globalized Integrated Circuit (IC) production phase) and comprise various trigger and payload designs. Numerous works focus on automated detection to counteract the risks of hardware Trojans, such as identifying trigger mechanisms or focusing on payload features [27]. Here, different static and dynamic analysis approaches have been proposed [16, 35, 63, 79, 92]. Powell et al. [43, 59] developed a framework that can statically detect pre-defined malicious circuitry in FPGA designs while other strategies [63] combine runtime detection strategies.

2.4 Related Work

In Bitman [58] and Byteman [47], the authors determined general knowledge of the FPGA bitstream format to allow them to reallocate, merge, and modify regions using this information. The tools operate at the bitstream level. Upon receiving one or more input bitstream(s), different operations, such as merging or reallocating entire blocks, can be applied. Currently, the tools are not based on bitstream databases, so targeted modifications must be crafted by hand. Notably, these modifications are directly applied to the bitstream itself, prior to FPGA initialization. The work focuses on improving the tooling and offering faster workflows rather than on security implications. Stolz et al. explored using low-level bitstream features for design obfuscation [68]. For example, they check for targeted low-level routing manipulation via ICAP as a safeguarding mechanism within their obfuscation scheme.

Additional previous work, such as thangrycat [37], has focused on malicious static manipulations to the bitstream. Modifications made by thangrycat were applied to the bitstream itself in a static form by pre-startup bitstream exchange. Fyrbiak et al. manipulated a LUT to leak a key of an FPGA used for encryption for a USB storage device [70]. Ender et al. [24] provided insights on how to conduct static bitstream manipulation to bypass a self-check in a cryptographic core.

This work focuses on novel runtime manipulations, in conjunction with an understanding of the bitstream format. Potential modifications are carried out during FPGA operation.

4.1 Extending the Vendor-Intended Reconfiguration Flow

Modern FPGAs provide partial dynamic reconfiguration capabilities, enabling the exchange of components within a programmed device. Support for this functionality is typically facilitated by the vendor’s computer-aided design (CAD) tool flow. Designers are required to define logic partitions that are targeted to specific regions (pBlocks) of the FPGA chip. This information is provided to the tool flow. Partitions may occupy the same region at different times (Figure 2).

A full bitstream containing the static partition (not changed after initial configuration) and partial bitstreams for the dynamic partition are created.

Fig. 2.

View Figure

If the bitstream format and frame content are understood, then the standard vendor tool flow can be extended. Since a bitstream consists of a series of commands, arbitrary command sequences to read or write specific sections of the FPGA fabric can be created. This capability can be used to derive novel primitives that are unsupported by the vendor flow and may be exploitable for malicious purposes. In the following, we introduce novel configuration options.

4.1.1 Create/Delete.

By using partial dynamic reconfiguration and bitstream format knowledge, circuits that were not part of the initial design can be created and placed anywhere in the FPGA, augmenting design functionality. Likewise, existing circuitry can be removed even if it was not defined as partially reconfigurable in the initial design flow. In Xilinx’s standard Vivado tool flow, only a predefined pBlock can be removed by creating and then loading an empty design for a partition. Figure 3 shows a comparison between the intended use of reconfigurable partitions compared to the novel extended flow.

Fig. 3.

View Figure

4.1.2 (Atomic) Modify.

Xilinx support for partial reconfiguration limits configuration writes to predefined pBlocks. However, with our approach, atomic modifications on single elements can be performed (see Figure 4). As a result, every FPGA basic element can be reconfigured, including the following examples.

• LUT Configuration. Manipulates a single LUT configuration to alter the Boolean function without affecting the surrounding circuitry.

• Routing Changes. Changes can include modifying an input wire or rerouting a wire completely or cutting connections at a route Programmable Interconnect Point (PIP), causing a signal output to take on a logic 1 value as a consequence. This approach can be used to patch certain values to always output a 1 without modifying the combinational circuit.

Fig. 4.

View Figure

Conducting Atomic Modifications. The smallest entity that can be replaced in an FPGA is a frame (see Section 2.1.2). However, a single frame may contain more than just a single LUT or PIP for routing, which means that replacing a frame might inadvertently alter unintended circuitry. To address this issue, one must first read the current frame content, apply the desired modifications, and then write the modified frame back. This approach ensures that no unwanted changes occur during the manipulation process.

Register Content Manipulation. While it is possible to perform targeted register value manipulation, this is not feasible in practice. To change the value, the FF.INIT value has to be changed in the bitstream. Normally this value is loaded when the FPGA is configured. However, a reset of the associated global set reset (GSR) can also reset the FFs to their initial values. Thus all elements in a region affected by the clock would be reset to their initial values, potentially destroying the current state. Thus, to the best of our knowledge, a targeted change to one FF is impractical.

Fig. 5.

View Figure

4.1.3 (Atomic) Read.

Access to the configuration port not only allows for the write of configuration but also a readout. Xilinx offers this feature to verify a current configuration. Here, we are also not restricted to any boundaries allowing us to perform targeted readouts (see Figure 5).

• (Sub-)Circuit Read Back. By reading specific frames, a subcircuit or even the entire design can be read back. The readback circuits can then be converted to a netlist for further analysis.

• Register/BRAM Content Readout. It is possible to read back current FF values or BRAM state. This approach enables register access without a visible connection in the netlist. The live readback is enabled by the capture feature offered by Xilinx, as described below.

Readback of Storage Elements. Xilinx devices provide a configuration readback capture feature, enabling live readout of internal Configurable Logic Block (CLB) registers, including FFs and BRAMs [73]. For 7-Series devices, the CAPTUREE2 primitive and/or the GCAPTURE command are required, while for UltraScale(+) devices, only the enabling of the capture bit in the CTL1 register is necessary. The bit location in the fabric can be determined in two ways: (1) by matching the value of the bit to the FF.INIT value in the bitstream database used for FF initialization or (2) by generating a logic localization file using vendor tools to define the exact position of the bit. The latter method can be employed to create a database for devices without an existing bitstream database by placing all FFs and retrieving their positions from the logic localization file. However, for 7-Series devices, activating capture mode overwrites the FF.INIT value, causing potential unintended states when a fabric reset/restore (GSR) is triggered for the region. UltraScale(+) devices do not face this issue, as the original FF.INIT value is restored after disabling capture mode.

Fig. 6.

View Figure

4.2 ICAP Prototyping Framework

We designed and implemented an ICAP prototyping framework to support our experiments Figure 6. The framework consists of two parts: (1) the hardware design, incorporating the ICAP to send commands to it and (2) the software that communicates via Universal Asynchronous Receiver Transmitter (UART) with our controller. Our framework is able to receive bitstreams, i.e., a sequence of commands¹ and send them to ICAP. The hardware sets the correct sequence for the ICAP control signals, enabling write and read functionality. Thus the framework allows for tests ranging from reads from and writes to all command registers to writes to all parts of the fabric.

5.1 Motivation

With recent advances in reverse engineering, a Trojan designer faces challenges that could lead to Trojan detection. In the following we discuss modern reverse engineering techniques and introduce our high-level idea to counter state-of-the-art detection methods furthering the need for improved detection.

5.1.1 The Threat of Netlist Reverse Engineering from a Malicious Designer Perspective.

From the perspective of a Trojan designer, advances in netlist reverse engineering are worrisome, as they allow Trojans to be identified more easily. A general overview is shown in Figure 7.

Fig. 7.

View Figure

With bitstream databases readily available for many FPGA devices, FPGA netlist reverse engineering can be conducted without the need for expensive equipment. An attacker must extract the netlist, which is often stored in external non-volatile memory, and convert it to a netlist. For ASICs, expensive equipment, extensive know-how from various research areas, and significant time are necessary to achieve netlist extraction. Thus we argue that ASIC reverse engineering is more possible for nation state actors or parties with extensive resources, while FPGA reverse engineering can generally be conducted in a basic research setting. Generally, an FPGA Trojan designer must consider netlist analysis an acute and realistic threat, which needs to be taken into account when designing a Trojan, and a countermeasure developer must be able to use it to their advantage.

Once the netlist has been recovered, an attacker can deploy various static and dynamic analysis techniques to analyze the sea-of-gates. A popular framework to support these analysis efforts is HAL—The Hardware Analyzer, which is available open source [25, 33]. Generally, we distinguish between dynamic and static analysis methods [68].

Static Analysis. Static analysis facilitates an examination of design functionality at the netlist level, without necessitating design execution. Here the community often distinguishes between functional and structural analysis methods [7, 8]. In structural analysis, the netlist can be interpreted as a directed graph, thus allowing the application of graph theory. This approach enables the reverse engineer to leverage detection algorithms to conduct tasks such as identifying the control path [14, 15, 26, 49, 50, 51] or performing data-path analysis [2, 44]. Most recently the use of Graph Neural Networks (GNNs) have gained attention as their applicability to netlist reverse engineering has yielded promising results [5]. In functional analysis, the underlying logic function is analyzed [8]. Here, tools like Satisfiability Modulo Theories (SMT) solvers often find usage, e.g., to match subcircuits against predefined models [28, 44].

Dynamic Analysis. Dynamic analysis enables a reverse engineer to monitor temporal chip behavior. This category of analysis encompasses various types, including simulation-based and on-chip methods [68]. Specifically, within the context of FPGAs, the Joint Test Action Group (JTAG) readout ports could be utilized to extract the current bitstream and ascertain the device’s state.

5.2 STRAT Design

We now detail the design of STRAT and its automated Trojan generation workflow from an attacker perspective. STRAT is build around the Project X-Ray database, thus supporting 7-Series devices [4].

Building Blocks. STRAT consists of three building blocks: (1) a software part to analyze the bitstream and generate a trojanized version (Section 5.2.1), (2) a hardware runtime fabric manipulation engine to dynamically reconfigure the Trojan into the design (Section 5.2.2), and (3) a hardware readout detection and response engine to detect external readbacks and respond with dynamic removal of the Trojan before the readback occurs (Section 5.2.3). An overview of STRAT’s hardware components is shown in Figure 8.

Fig. 8.

View Figure

Workflow. We first detail the workflow from a malicious designer’s perspective. For simplicity, we assume that the Trojan functionality is given at the netlist level, i.e., the malicious designer knows which gates and wires are targeted, see Section 5.3 for malicious designer case studies. Operation steps are as follows: (1) The malicious designer uses the bitstream analysis and delta generation software together with the current bitstream and Trojans FPGA Assembly (FASM) description to generate our so-called configuration delta memory file, i.e., the changes that are required to realize the Trojan functionality in the current bitstream, cf. Figure 9. The delta memory file is then patched into the memory of the runtime fabric manipulation engine by updating the bitstream via the Xilinx memory update tool. (2) Once the runtime fabric manipulation engine receives a signal to perform the dynamic reconfiguration to load the Trojan, it reads back the associated frames in the device via ICAP. It stores them in temporary memory (BRAM). (3) The configuration delta is applied to the retrieved frames during readback, and only specific words are changed. (4) The ICAP is then used to configure the malicious changes in the FPGA by writing back the manipulated frames from the temporary memory.

Fig. 9.

View Figure

Suppose the readout detection and response engine detects a readout attempt by the victim at runtime. In that case, the runtime fabric manipulation engine is triggered to revert the changes and re-generate the original configuration data that does not include the Trojan. We want to emphasize that we store the configuration delta as XOR bitmask to ease the reversion as an involution and simply re-use the same bitmasks for both adding and removing the Trojan, as in more detail discussed in Section 5.2.2.

5.3 Case-Study: Insert Key-Leakage Trojan in AES with STRAT

In this scenario, we consider a malicious designer who employs our framework to execute their nefarious objectives covertly. The motivation behind this action could be to establish a backdoor, facilitating unauthorized access or control over the system. To evade detection, the Trojan must be expertly concealed. Consequently, we explore how a malicious designer can leverage STRAT to discreetly embed a Trojan within a design. The design uses the ICAP for legitimate purposes, it might be an advanced ML core, network equipment circuit, or soft error mitigation IP core that is part of Xilinx’s IP core library. Hence the use of ICAP is not necessarily suspicious to the victim. Attackers can use our STRAT framework to insert hardware Trojans at runtime, thus evading advanced detection mechanisms. In the following, we conduct a case study that inserts a key-leakage Trojan into an AES core.

Attack Outline. In this attack we modify the SBox output of the round function to always output zero. The flow of the last AES round is depicted in Figure 10.

Fig. 10.

View Figure

With the modified SBox generating zeros as output, the result of the Byte Substitution layer is zero. In ShiftRows the positions of the bits are only shifted, thus the output is not changed. As a consequence, in the last round we are able to retrieve the last round key (rk) as the ciphertext. With the Trojan inside the ciphertext is computed as follows: \(\begin{align*} \rm{C}\small{\text{IPHERTEXT}} &= rk_{last} \oplus {\rm{S}\small{\text{HIFT}}}{\rm{R}\small{\text{OWS}}}_{lastRound} \\ \rm{C}\small{\text{IPHERTEXT}} &= rk_{last} \oplus {\color {red}{000...000}} \\ \rm{C}\small{\text{IPHERTEXT}} &= rk_{last} \end{align*}\)

Once the last round key has been retrieved, the key schedule can simply be reverted, as it is a static function, with only the main key as input. Thus, given any round key, the input key can be calculated.

Trojan Design. We use an AES-128 design optimized for space by implementing an SBox lookup in quarter rounds, i.e., four SBoxes enabling a 32-bit lookup in one cycle [67]. Our Trojan manipulates the SBox output of a round function to always output zero, ensuring that the ciphertext corresponds to the last round key, which can then be analyzed to obtain the input key. As a malicious designer, there are two ways to achieve this result, which are illustrated in Figure 11:

• Cut PIPs managing the SBox output so that the LUT input signals are consistently set to a constant ‘1’.

• Set the LUT’s configuration string to always output ‘0’.

Fig. 11.

View Figure

To minimize manipulations, we implemented a buffer LUT after each SBox bit, thus requiring the modification of only one LUT. This approach ensures that the SBox output does not spread throughout the remainder of the design, as it could be employed in multiple locations.

Numerous potential triggers for Trojan deployment exist, such as activation based on a specific plaintext input or deployment after a certain number of encryptions. Using our manipulation framework, the trigger condition circuit can also be configured at runtime. For the sake of simplicity, in our proof-of-concept implementation, we trigger the Trojan via a simple button push.

Trojan Implementation. Depending on the placement, multiple frames may require manipulation. In our example design, we extracted the 32 LUT locations for manipulation using a Tcl script within Vivado applied to the generated netlist. Note that if one opts to cut the PIPs, then the respective PIPs must be carefully selected, as pseudo-PIPs are often employed on routes, which are not configurable but static. Once the correct locations are extracted, the corresponding FASM file for the 32 SBox buffer output LUTs is created (as mentioned earlier, the AES implementation uses quarter-round states for the SBox lookup). From here, the flow to generate the manipulation ROM, described in Section 5.2.2, is followed.

Evaluation. Our proof-of-concept implementation successfully triggered and removed the Trojan when the readout detection was activated within 0.194 ms (19,404 cycles at 100 MHz). This is below the minimum measured readout time we observed for our framework via JTAG. Generally, this time frame heavily depends on the placement and number of LUT changes.

Once the Trojan has been triggered, the attacker must start an encryption and can extract the main key by calculating the key schedule in reverse with the last round key received as ciphertext.

5.4 Discussion

We now briefly discuss the design of STRAT in the context of the vendor’s partial reconfiguration flow and the readout detection strategies for other readback FPGA interfaces.

On Vendor Partial Reconfiguration Flows. While our framework can be built using the standard vendor partial reconfiguration flow from a high-level perspective, our framework provides various advantages by using the introduced atomic primitives in Section 4.1. In particular, the vendor flow generates a (large) partial bitstreams for a predetermined pBlock From a malicious designers point of view, the vendor flow has major downsides: (1) the stored partial bitstream can be extracted, easily converted to a netlist, and then analyzed with static analysis techniques to detect a Trojan, and (2) the partial bitstream covers a much larger area, taking up unnecessary space and restricting a larger portion of the design due to the minimum size of the pBlock In our case, first our readout protection must be circumvented and then the atomic modifications must be carefully mapped to the original design to identify malicious changes. Note that such analysis can be further complicated by additionally encoding and decoding the configuration delta, so that only encoded configuration delta data resides in memory.

On SelectMAP Readout. Similarly to JTAG, the SelectMAP configuration interface can be used for readback. But as the I/O ports of the SelectMAP interface are shared with common FPGA I/Os, the SelectMAP is usually deactivated and used as standard I/O ports after the initial configuration. If these I/Os are configured to remain as the SelectMAP interface, then the ICAP is disabled, as both features are mutually exclusive. In our setting this results in the fact that our Trojan can never be observed via SelectMAP at runtime because either the SelectMAP is deactivated or the ICAP is deactivated and our Trojan cannot be configured.

On ICAP Readout Detection and Response. In case ICAP is used as a readback mechanism by an analyst as well, e.g., to validate the integrity of their configuration at runtime, a malicious designer can simply re-route the wires from ICAP to an attacker-controlled hardware simulated ICAP interface that plays back the original configuration without the Trojan.

6.1 Scenario: ICAP in (Multi-Tenant) Cloud FPGAs

As modern FPGAs contain millions of LUTs and storage elements, not all users may require the full capacity of a single FPGA device. The simultaneous sharing of FPGA resources among multiple tenants provides significant advantages, particularly in cloud environments where individual tenants may not need dedicated access to all FPGA hardware. Thus, resources could be effectively shared. Since commercial FPGAs contain a single on-chip power distribution network (PDN), malicious tenants can monitor or manipulate on-FPGA voltage values. For example, voltage sensors crafted from FPGA logic are used as a side-channel [30, 66, 94] to detect details of the victim tenant’s computation, e.g., an encryption core [64]. In the latter case, the attacker deliberately wastes substantial power [61], causing the on-FPGA voltage to drop. This effect can induce faults in the victim tenant [31, 60] or cause an FPGA crash [62]. Thus, FPGA multi-tenancy is currently not supported by commercial cloud vendors, such as Amazon AWS [6] and Microsoft Azure [52] due to security concerns. However, several schemes [39, 40, 45, 62], have been proposed to counter the aforementioned attacks and multi-user co-tenancy is likely in the future [38]. Also, the use of intellectual property cores and the presence of the cloud provider shell already serves as a form of multi-tenancy in cloud FPGAs.

In this scenario, we explore a new, previously-unexplored risk for multi-tenant cloud FPGAs. While there are currently no commercial services available that allow for the purchase of multi-tenant clouds instances, significant research has been performed in the area. In the following we consider a cloud scenario, with multiple tenants sharing an FPGA that is managed by a shell from the cloud provider. We assume that a malicious participant has access to the ICAP interface. Our demonstration will highlight the potential for victim bitstream readback and espionage activities by this malicious entity through ICAP access. This investigation underscores the inherent security vulnerability of exposing ICAP to tenants, emphasizing the importance of robust access control in future multi-tenancy service offerings.

6.1.1 High-Level Idea.

Although a number of proposed implementation approaches exist, the physical layouts of multi-tenant FPGAs are similar. Different regions of the FPGA are typically assigned to distinct tenants. A management engine or shell [11] establishes external communication by implementing interfaces that enable data transmission to and from the assigned partitions. Tenants are physically isolated from one another, without any connections between them. Figure 12 presents a high-level overview.

Fig. 12.

View Figure

If a malicious tenant can instantiate an ICAP interface, then it poses a risk to all other tenants, including the cloud provider, as an attacker can create/read/update/delete circuits of other tenants based on our primitives discussed in Section 4.1. In the multi-tenant setting, the following attacks are particularly concerning:

• Design Readout. The attacker can read the proprietary circuit of another tenant and analyze it after converting the recovered bitstream to its gate-level netlist.

• Design Manipulation. Once a suitable target in the circuit has been identified, i.e., by means of reverse-engineering, it can be manipulated without the other tenant knowing.

• Register Readout. As an alternative to manipulating, the attacker can access current register values in the victim circuit to leak sensitive information, such as cryptographic key material.

7.1 Dispersed Security Recommendations in Official User Guides.

Before we address documentation details, we emphasize the challenge of dispersing consistent security documentation, cf. the Xilinx FPGA Security Design Hub [18]. The amount of documentation is not the deciding factor in creating complexity. Rather document inter-dependencies and cross-references between old and new documents yield challenges in clarifying assumptions and implementation details.

For instance, this issue is apparent in the documentation for the Starbleed attack [22, 23]. Older specialized security user guides, such as Reference [90] originall published in 2015, do not mention the 2020 and 2022 Starbleed attacks. Even comprehensive user guides such as Reference [80] and Reference [87], which have been updated since the attack’s publication, do not mention it. Starbleed is only referenced in the Design Advisory 73541 [85], which is linked only in the Xilinx Design Advisory Master Answer Record [83]. However, to the best of our knowledge, none of the relevant documents from the Security Hub link to these design advisory documents.

7.2 ICAP in a Dynamically Reconfigurable Region.

According to the Xilinx Vivado Dynamic Function eXchange User Guide [82] “[...] the configuration components (such as BSCAN , STARTUP , ICAP , and FRAME ECC) must remain in the static portion of the design” [82, p. 11]. While this statement is correct for 7-Series FPGAs, i.e., that include the ICAPE2 primitive, this statement is not correct for UltraScale(+) FPGAs featuring the ICAPE3 primitive. To this end, we implemented an ICAPE3 primitive in a dynamic portion of the design on a VCU118 FPGA. A design rule check error is generated if an ICAPE2 primitive on a 7-Series FPGA is instantiated, whereas no error is generated for UltraScale(+) FPGAs using ICAPE3 . Hence, an ICAPE3 primitive can be instantiated in a dynamic region. We tested this by creating a partial bitstream, that we configured after initial configuration via JTAG, which contains our ICAP prototyping framework. The framework was operating as normal. To the best of our knowledge, this capability is not mentioned in the user guides. Configuring another ICAP via ICAP, however, can cause undefined behavior, as this is probably the reason, why Xilinx generally rules out the possibility of ICAP in partial reconfiguration.

7.3 Disabling Readback and Reconfiguration.

Xilinx provides numerous bitstream generation options, among others BITSTREAM.READBACK. SECURITY . The definition in user guide [88] states:

Specifies whether to disable Readback and Reconfiguration. Specifying Security Level1 disables Readback. Specifying Security Level2 disables Readback and Reconfiguration. [88, p. 316]

Based on this statement, one may assume that readback and/or reconfiguration cannot be performed from any port when this option is enabled. However, Xilinx application note [91] contradicts this statement:

Partial bitstreams can be delivered unencrypted to the ICAP, or encrypted (with the same AES key) to any configuration port, so long as the latter has not been explicitly forbidden by the designer. Setting Security Level2 [...] prevents partial reconfiguration over external configuration ports. [91, p. 13]

In addition, Xilinx application note [1] states that the feature is insecure—only bitstream encryption ensures readout prevention:

A Vivado tools security option via a particular control bit in the bitstream provides a soft means of enabling and disabling readback. This bit can be changed during configuration. Therefore, readback disable is easy to defeat for devices that are not using an encrypted or authenticated bitstream. [1, p. 17]

The attack that Xilinx briefly describes in application note [1] refers to the readout bit in the header of the bitstream file, to be more precise, the SBITS[1:0] bits in the control register 0 CTL0 can be set to disable a readout. An attacker is indeed able to flip this bit in the bitstream and can then enable the readout feature. To this end, they search for the write to the CTL0 register in the bitstream header and change the two corresponding bits. Since the bitstream integrity is protected by a CRC32 checksum, the attacker adjusts or deactivates it. Note that this checksum is not a cryptographic checksum and can be calculated without any effort.

Thus, if bitstream encryption is not used, then Xilinx does not provide a safe way to circumvent readback and the BITSTREAM.READBACK.SECURITY option is rendered insecure, which is not mentioned in the main user guide [88], where the option itself is defined.

7.4 Case Study: Encrypted Bitstream Leakage

Conventionally, bitstream encryption serves as a deterrent against reverse engineering, manipulation, and unauthorized duplication. These bitstream protection schemes are predominantly instituted to safeguard Intellectual Property, achieved through the encryption and validation of configuration data, as discussed in Section 2.1.3.

However, in our considered scenario, we postulate the presence of a backdoor embedded by the attacker within a third party malicious IP core. Should an attacker successfully integrate their compromised design into a product that employs bitstream encryption, they can consequently expose the entire encrypted layout. In the context of cloud infrastructures, where a customer might have ICAP access, the provider may choose to encrypt the shell within the design. Yet, this encryption is rendered moot if an attacker gains access to the ICAP, leading to a full exposure of the design even with bitstream encryption activated.

While we recognize that Xilinx addresses this attack vector in their documentation [84], our intention is twofold: (1) to illustrate the execution of such an attack and (2) to delineate the scenarios where this attack poses a significant threat. Ultimately, this attack underscores our contention that designs incorporating ICAP present considerable trust challenges.

High-Level Idea . The intuition of this attack is based on the readout of the currently configured (decrypted) bitstream configuration data frame by frame. Note that upon FPGA start, the encrypted bitstream is decrypted and stored in plaintext in fabric. While all external ports can be secured when bitstream encryption is used, the internal ports, such as ICAP, have unrestricted access to the device.

Fig. 13.

View Figure

When using encrypted bitstreams, the design is decrypted on the fly when the FPGA is booted. Once the configuration is done, the design is stored in plaintext in fabric. With access to the ICAP, an attacker can readout the bitstream as they normally would (see Figure 13):

• Request frame(s) The readback command for one or more frames is issued, requesting the currently configured frame content.

• Retrieve frame(s). The ICAP primitive sends back the regarding frame content in an unencrypted manner to the controller.

• Leakage. The controller is then able to leak the unencrypted frame to the outside.

For a proof-of-concept, we implemented a design that includes ICAP access and enabled bitstream encryption for the entire design. Hence the design cannot be leaked by performing a readback on the external configuration interfaces.

Design and Implementation. . The attacker can readout the decrypted bitstream at runtime using our ICAP prototyping framework, see Figure 6, as the readback is not prohibited at the trusted ICAP port. The readback bitstream can then be converted back to a gate-level netlist (e.g., using project X-Ray tools) then to reverse engineering the FPGA design. To improve the attack and hide the malicious intent, the malicious designer can use STRAT as introduced in Section 5.

8.1 Dynamic Reconfiguration

Even though our analysis primarily focuses on Xilinx ICAP, our attack primitives can be applied through any port that accesses the internal configuration engine, see Figure 1.

Other Families and Vendors. . For example, on Xilinx Zynq devices, the ICAP is inaccessible after initialization and has to be enabled from the software first. However, these devices feature a Processor Configuration Access Port (PCAP) configuration port, so our proposed attack primitives can be entirely realized from software and do not require an additional malicious hardware design or IP core. Future research should examine the applicability of dynamic reconfiguration-based attacks for other FPGA vendors such as Intel Altera and Lattice. However, the bitstream configuration file format is still proprietary and open source documentation through reverse engineering is sparse to non-existent, challenging in-depth analysis.

Xilinx Security Considerations on ICAP. . Xilinx acknowledges that ICAP is a powerful tool and potentially dangerous [1]. While official documentation claims that ICAP is a trusted channel since only the user can instantiate it, our work highlights typical FPGA application scenarios where system designers may not have full control over the final configuration. Thus establishing trust in a design that uses ICAP is virtually impossible.

8.2 Security Implications

We demonstrated various severe security implications of ICAP in malicious hardware designs ranging from surreptitiously leaking cryptographic keys in third-party IP cores, leakage of allegedly encrypted bitstreams, and snooping on sensitive key material in multi-tenant FPGA cloud systems.

Insights on Attack Vectors . In this article, we investigate ICAP as an attack vector from the perspective of malicious designers and (multi-tenant) FPGA cloud systems. While malicious designers represent a significant threat in their own right, it is imperative to understand all potential attack vectors in detail. Such understanding serves a dual purpose: (1) It furnishes insights that can be instrumental in the design of sound defenses and proactive countermeasures and (2) it amplifies awareness, ensuring that stakeholders are well-informed about emerging attack threats, thereby fortifying the larger ecosystem against potential vulnerabilities.

On Detection of Dynamic Reconfiguration Trojans using ICAP. . As noted before, no static analysis technique can effectively detect our proposed hardware Trojans since we do not employ known partial bitstreams but rather a custom configuration format that can be flexibly adapted. However, dynamic analysis techniques are currently limited to both simulation and on-chip debugging: Simulation of dynamic reconfiguration is challenging to support since the entire FPGA fabric, including the configuration plane, has to be mimicked. On-chip debugging requires trust in the execution environment, i.e., that the readout mechanism works as intended and is not surreptitiously manipulated. However, our readout detection and response engine demonstrated how such trust could be significantly reduced.

On Security Documentation. . Based on the dispersion and inconsistency of security-related documentation across multiple user guides, application notes, and design advisories, we recommend enhancing and simplifying security documentation. This recommendation does not only hold for Xilinx themselves. Therefore, we advocate for the research (security) community to actively engage in such documentation approaches to enable users to fully understand the security features and potential vulnerabilities of all FPGAs to dynamic partial reconfiguration.

8.3 Mitigations

A straightforward approach to mitigate threats associated with the ICAP interface is to completely restrict its usage in user devices. However, this is not feasible for applications that rely on partial reconfiguration. In such cases, we propose an ICAP firewall that restricts and monitors access to the ICAP interface.

8.3.1 ICAP Firewall.

Instead of granting users direct access to the ICAP interface, a parameterized filtering system can be designed to mediate access. This ICAP firewall analyzes incoming commands and only allows access to a predefined fabric region.

Note that Xilinx offers a Security Monitor IP , which can be used to monitor partial reconfiguration [86]. However, exact functionality remains unclear, since most information seem to be available after signing an Non-Disclosure Agreement (NDA).

Design. . To limit access, users are only granted access to an ICAP firewall primitive managed by a shell. Access restrictions can be easily enforced by providing an address range based on FPGA frame coordinates. If the user wants to access the ICAP, they must go through the ICAP firewall (see Figure 14).

Fig. 14.

View Figure

The firewall could support frame-based read and write access. For example, if a user wants to re-configure the frame at address 0x01234567, then a potential command sequence could appear as follows: \(\begin{align*} & 0x00000001 && \text{read = $0x0$, write = $0x1$} \\ & 0x01234567 && \text{frame address} \\ & \text{frame content} && \text{frame content in case of write} \end{align*}\) The firewall would conduct checks on each incoming frame address. If the requested frame address is in the allowed frame region of the tenant, then the operation is executed. The ICAP firewall can than craft the exact ICAP command sequence to execute the request.

Generally, dynamic configuration would become slower, as normally frames can be written much quicker, since a special bitstream compression format is typically used by Xilinx.

Deployment. In a multi-tenant cloud environment, the cloud provider can employ such a firewall to limit user requests to their assigned frame regions. Similarly, when integrating third-party IP cores, designers can restrict access to the region where the IP core is placed. However, in a cloud scenario, a malicious tenant may still be able to configure malicious circuitry within their own region, e.g., drawing excessive power to harm the cloud provider. Identifying such requests is challenging since it requires an in-depth analysis of the dynamic reconfiguration changes at runtime, e.g., to detect that a reconfiguration change realizes a circuit that draws excessive power. One idea would be to integrate the FPGA virus scanner as introduced by La et al. [43]. However, this still presents a significant engineering effort and would probably exceed on-chip compute capabilities. The most secure way to address the issue is to disallow ICAP access.