Thanks Avrum,
My local FAE is currently looking for scripts that could be used in place of data2mem. If he comes up with something, I'll use it. I'm not too hopeful though.
Why is reverse engineering the bitstream hard? I know it has been done before. Neocad, who were later bought by Xilinx, reverse engineered the entire bitstream (of earlier generation parts) and made their own tools. I only want to alter block ram initialisation, which should be easy in comparison.
The block rams should be simple to locate in the bitstream. Data2mem allows a chosen plaintext attack. I can automate a process which uses data2mem to change each bit in each block ram, and compares the before and after bitstreams.
A CRC provides no security against an attacker who has a basic understanding of algebra, and should also be easy to locate in the bitstream.
I actually think it's about an order of magnitude less work to hack the bitstream than to modify the FPGA source code to mux in an extra port that can write into the block rams. Some of these work at over 200MHz and already use both ports.
I had also considered the use of JTAG (or ICAP), but rejected it on the basis of being more work than bitstream hacking.
There are other considerations (that I won't discuss in a public forum) that make me not want to change the existing FPGA source code. I really do think that bitstream hacking is a good solution for this problem.
Regards,
Allan
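Allan's remark that a CRC offers no protection against anyone who knows a little algebra is worth making concrete. The following is an added example, not code from Allan's post or from any Xilinx tool, and it works on a constructed 64-byte stand-in rather than a real bitstream format. It shows the two reasons a CRC is an error detector and not an integrity mechanism: it has no secret, so an edited payload can simply have its checksum recomputed, and it is an affine map over GF(2), so the checksum moves in a fully predictable way when payload bits move. A keyed HMAC-SHA256 tag, which is what a defender wants for tamper detection, rejects the same edit and cannot be refitted without the key.

```python
import hashlib
import hmac
import secrets
import zlib

# Constructed stand-in for a configuration image. This is NOT a real FPGA
# bitstream layout, just 64 bytes with a recognisable pattern.
IMAGE = bytes(range(64))


def crc32_protected(image: bytes) -> bytes:
    """Append a little-endian CRC-32 (zlib polynomial) to the image."""
    return image + zlib.crc32(image).to_bytes(4, "little")


def crc32_check(blob: bytes) -> bool:
    """Verify the trailing CRC-32 of a blob produced by crc32_protected."""
    body, tag = blob[:-4], blob[-4:]
    return zlib.crc32(body).to_bytes(4, "little") == tag


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit toggled (byte-major, LSB first)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over GF(2): for equal-length inputs
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros). An attacker therefore knows
    exactly how the checksum changes when message bits change."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    zeros = bytes(len(a))
    lhs = zlib.crc32(xor_bytes(a, b))
    rhs = zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)
    return lhs == rhs


def tamper_and_refit_crc(blob: bytes, bit_index: int) -> bytes:
    """Toggle one payload bit and recompute the checksum. The result passes
    crc32_check because a CRC involves no secret; anyone can recompute it."""
    body = flip_bit(blob[:-4], bit_index)
    return crc32_protected(body)


def hmac_protected(image: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag; only holders of `key` can produce a valid one."""
    return image + hmac.new(key, image, hashlib.sha256).digest()


def hmac_check(blob: bytes, key: bytes) -> bool:
    """Constant-time verification of the trailing HMAC-SHA256 tag."""
    body, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run the comparison and return a dict of named boolean outcomes,
    every one of which should be True."""
    key = secrets.token_bytes(32)          # the defender's secret
    crc_blob = crc32_protected(IMAGE)
    mac_blob = hmac_protected(IMAGE, key)
    edited = flip_bit(IMAGE, 100)          # one payload bit toggled
    return {
        "crc_accepts_original": crc32_check(crc_blob),
        "crc_accepts_refit_edit": crc32_check(tamper_and_refit_crc(crc_blob, 100)),
        "crc_is_affine": crc_is_affine(IMAGE, edited),
        "hmac_accepts_original": hmac_check(mac_blob, key),
        "hmac_rejects_edit": not hmac_check(flip_bit(mac_blob, 100), key),
        "hmac_rejects_refit_without_key": not hmac_check(
            hmac_protected(edited, b"guessed key"), key),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The affinity check is the "basic algebra" in question: because the map is affine, a difference in the payload produces a difference in the checksum that depends only on the payload difference, not on the payload itself. The HMAC half is the contrast: the tag depends on a key the verifier holds, so a modified image either carries a stale tag or a tag computed under the wrong key, and either is rejected.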