Tunable FPGA Bitstream Obfuscation with Boolean Satisfiability Attack Countermeasure

Field Programmable Gate Arrays (FPGAs) are seeing a surge in usage in many emerging application domains, where the in-field reconfigurability is an attractive characteristic for diverse applications with dynamic design requirements, such as cloud computing, automotive, IoT, and aerospace. The security of the FPGA configuration file, or bitstream, is critical, especially for devices with long in-field lifetimes, where attackers may attempt to extract valuable Intellectual Property (IP) from within. In this article, we propose a tunable obfuscation approach that protects IP from typical bitstream attacks while enabling designers to trade off security with acceptable overhead. We also consider two potential attacks on this protection mechanism: Boolean SAT Attacks on the obfuscation and removal attacks on the protection circuitry. The obfuscation and SAT countermeasure are integrated in a custom CAD framework within a commercial FPGA toolflow and together provide mathematically strong protection against common bitstream attacks. Further, we quantify the difficulty of a removal attack on the protection circuitry through pattern matching and direct bitstream manipulation. The average area, power, and delay overhead for obfuscation with 95% mismatch probability are 18%, 16%, and 8%, respectively, for small combinational circuits, and 1%, 2%, and 5% for larger arithmetic modules.