FPGA Vulnerability Analysis Tools ($72,000)

Primary Awardee: Bluerisc Inc.

Subcontract: University of Missouri Kansas City 

Objective: Produce algorithms that can identify vulnerabilities in software for Field-programmable Gate Arrays (FPGAs). The focus is the analysis of software at the various stages of synthesis and not the actual hardware (i.e., Altera or Xilinx) on which the code is implemented.

Description: FPGAs are becoming more prominent in technology. They have become just as favorable as Application Specific Integrated Circuits (ASICs) in some applications and are even showing up in some computer server technology for the enterprise. FPGAs also play a vital role in Naval systems for their real-time processing and ability to be upgraded with new software.

As opposed to standard Internet connected computing hardware, FPGAs have received minimal research and development (R&D) for cyber protection. Most of the work for FPGA security thus far has been in the vein of protecting the intellectual property (IP) aspect from theft and physical reverse engineering efforts. This does not address operational vulnerabilities due to how the code is structured and executes based on inputs and state conditions. Due to the acceleration of cyber-warfare and hacking, this is problematic.

From an ideal perspective, the Navy would like vulnerability analysis conducted on the bitstream as it resides on the physical device; however, the Navy realizes that there may be complications due to encryption and access. With that in mind, the Navy is requesting proposals that present approaches for analyzing the FPGA code as close to in situ (or on device) as possible. The Navy will be open to opportunities to analyze the code throughout the synthesis process chain. Preference will be closer to the deployed application on the board but awardees must convince the Navy that their approaches has a reasonable likelihood of success.

PHASE I (9 months): UMKC will develop a concept and methodology to automatically identify potential cyber vulnerabilities in the FPGA code at the level(s) under study. Ensure that the algorithm can locate and identify the portion of the code that is vulnerable and also provide a brief explanation as to why it is vulnerable and a proposed remediation description. Provide a limited proof-of-concept application to demonstrate the viability of the approach. Develop a Phase II prototype plan.