We present an algorithm capable of defeating SRAM FPGA design obfuscation methods based on hardware opaque predicates. This is achieved by ensuring the full controllability of each instantiated look-up table input via iterative bitstream modifications. Unlike many previous deobfuscation approaches, the presented method does not require the possession of a netlist. It is applied directly to the FPGA bitstream. The feasibility of our approach is verified on the example of an obfuscated SNOW 3G design implemented in a Xilinx Artix-7 FPGA.
QC 20220926
Part of proceedings: ISBN 978-1-6654-6706-3