Field Programmable Gate Arrays (FPGAs) are known for their reprogrammability, which allows circuitry to be changed after manufacture. Nowadays, they are integral to a variety of systems, including high-security applications such as aerospace and military systems. However, this reprogrammability also introduces significant security challenges, as bitstream manipulation can directly alter hardware circuits. Malicious manipulations may lead to leakage of secret data and the implantation of hardware Trojans. In this paper, we present a comprehensive framework for manipulating bitstreams with minimal reverse engineering, thereby exposing the potential risks associated with inadequate bitstream protection. Our methodology does not require a complete understanding of proprietary bitstream formats or a fully reverse-engineered target design. Instead, it enables precise modifications by inserting pre-synthesized circuits into existing bitstreams. This novel approach is demonstrated through a semi-automated framework consisting of five steps: (1) partial bitstream reverse engineering, (2) designing the modification, (3) placing and (4) routing the modification into the existing circuit, and (5) merging the modification with the original bitstream. We validate our framework through four practical case studies on the OpenTitan design synthesized for Xilinx 7-Series FPGAs. While current protections such as bitstream authentication and encryption often fall short, our work highlights and discusses the urgency of developing effective countermeasures. We recommend using FPGAs as trust anchors only when bitstream manipulation attacks can be reliably excluded.