TITLE: FPGA Vulnerability Analysis Tools
TECHNOLOGY AREA(S): Air
Platform, Electronics, Ground/Sea Vehicles
ACQUISITION PROGRAM: INP is
Total Platform Cyber Protection (TPCP)
OBJECTIVE: Produce algorithms
that can identify vulnerabilities in software for Field-programmable Gate
Arrays (FPGAs). The focus is the analysis of software at the various stages of
synthesis and not the actual hardware (i.e., Altera or Xilinx) on which the
code is implemented.
DESCRIPTION: FPGAs are
becoming more prominent in technology. They have become just as favorable as
Application Specific Integrated Circuits (ASICs) in some applications and are
even showing up in some computer server technology for the enterprise. FPGAs
also play a vital role in Naval systems for their real-time processing and
ability to be upgraded with new software.
As opposed to standard Internet connected computing hardware, FPGAs have
received minimal research and development (R&D) for cyber protection. Most
of the work t for FPGA security thus far has been in the vein of protecting the
intellectual property (IP) aspect from theft and physical reverse engineering
efforts. This does not address operational vulnerabilities due to how the code
is structured and executes based on inputs and state conditions. Due to the
acceleration of cyber-warfare and hacking, this is problematic.
The development and deployment of code for FPGAs goes through a different set
of synthesis tools than what typical computing users are familiar with for
application development. This presents a lack of familiarity from the
mainstream cybersecurity community. Another issue is the potential source of
vulnerabilities that comes from purchased 3rd party IP cores. There are little
to no tools available for evaluating FPGA code for cyber vulnerabilities.
From an ideal perspective, the Navy would like vulnerability analysis conducted
on the bitstream as it resides on the physical device; however, the Navy
realizes that there may be complications due to encryption and access. With
that in mind, the Navy is requesting proposals that present approaches for
analyzing the FPGA code as close to in situ (or on device) as possible. The
Navy will be open to opportunities to analyze the code throughout the synthesis
process chain. Preference will be closer to the deployed application on the
board but awardees must convince the Navy that their approaches has a
reasonable likelihood of success.
There will be no Government-furnished equipment (GFE) provided for this effort.
Awardees must provide their own hardware and code for experimentation.
Proposers must have experience in the FPGA domain to be competitive.
PHASE I: Develop a concept
and methodology to automatically identify potential cyber vulnerabilities in
the FPGA code at the level(s) under study. Ensure that the algorithm can locate
and identify the portion of the code that is vulnerable and also provide a
brief explanation as to why it is vulnerable and a proposed remediation
description. Provide a limited proof-of-concept application to demonstrate the
viability of the approach. Develop a Phase II prototype plan.
PHASE II: Develop the
prototype into a fully functioning software toolset for identifying and tagging
cyber vulnerabilities within the FPGA code. Provide a graphical user interface
(GUI) that allows the user easy identification of the vulnerability, its
significance, and a description for remediation. Demonstrate and evaluate the
efficacy of the tools on FPGA codes of varying complexity as selected by the
PHASE III DUAL USE
APPLICATIONS: Work with the Navy to integrate the tool into current cyber
assessment processes. Many test and evaluation teams require more automated and
more frequent assessment of the cybersecurity posture of weapons systems and
hull, mechanical, and electrical (HM&E) systems. The Office of Naval
Research (ONR) will facilitate interactions with Naval Sea Systems Command
(NAVSEA), Naval Air Systems Command (NAVAIR), and Space and Naval Warfare
Systems Command (SPAWAR) to apply the tool to Navy's cyber-physical systems.
The R&D conducted here would be equally useful in the commercial sector in
any application where FGPAs are implemented.
1. Kastner, R. and Huffmire,
T. “Threats and challenges in reconfigurable hardware security.” California
University San Diego La Jolla, Department of Computer Science and Engineering,
2008 Jul. http://www.dtic.mil/docs/citations/ADA511928
2. Trimberger, Stephen M.,
and Moore, Jason J. "FPGA security: Motivations, features, and
applications." Proceedings of the IEEE 102.8 (2014): 1248-1265.
KEYWORDS: FPGA; Synthesis;
Vulnerability; Cybersecurity; Scanning; 3rd Party IP Cores; Intellectual
** TOPIC NOTICE **
These Navy Topics are part of the overall DoD 2019.A STTR BAA. The DoD issued its 2019.1 BAA STTR pre-release on November 28, 2018, which opens to receive proposals on January 8, 2019, and closes February 6, 2019 at 8:00 PM ET.
Between November 28, 2018 and January 7, 2019 you may communicate directly with the Topic Authors (TPOC) to ask technical questions about the topics. During these dates, their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting January 8, 2019 when DoD begins accepting proposals for this BAA.
However, until January 23, 2019, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS during the Open BAA period for questions and answers and other significant information relevant to their SBIR/STTR topics of interest.
Topics Search Engine: Visit the DoD Topic Search Tool at sbir.defensebusiness.org/topics/ to find topics by keyword across all DoD Components participating in this BAA.
Proposal Submission: All SBIR/STTR Proposals must be submitted electronically through the DoD SBIR/STTR Electronic Submission Website, as described in the Proposal Preparation and Submission of Proposal sections of the program Announcement.
Help: If you have general questions about DoD SBIR program, please contact the DoD SBIR Help Desk at 800-348-0787 or via email at firstname.lastname@example.org