Abstract

Today, hardware implementations are the basis for many security applications, such as cryptographic ciphers. Such applications are realized using complex combinatorial logic circuits of substantial size. Therefore, understanding the gate-level implementation can be crucial for the attacker. However, Hardware Description Language (HDL) behavioral models and gate-level net list are seldom available for a particular design. Executing software directly on the device to assist in understanding the implementation is one potential solution. However, this may either be infeasible or completely impossible in practice as target devices may be incapable of executing code. Currently, few works have proposed forms of dynamic gate-level analysis of the actual hardware implementations. Moreover, current reverse-engineering techniques based on physical delayering and optical imaging cannot be applied to programmable logic. In this work we present the first dynamic emission analysis of a hardware implementation. This technique does not require any prior knowledge about the target device. Furthermore, it does not require code to be executed by the target. Hardware implementations consist of basic primitives that form the building blocks of complex hardware functions. By individually analyzing each primitive and correlating the corresponding optical images, the emission fingerprint of each primitive can be identified. As a result the hardware implementation of the device can be reconstructed. We present practical results for a common Complex Programmable Logic Device (CPLD). However, the same approach can be applied to hardware implementations in general.