Abstract. This paper is a short summary of the first real world detection of a

backdoor in a military grade FPGA. Using an innovative patented technique we

were able to detect and analyse in the first documented case of its kind, a

backdoor inserted into the Actel/Microsemi ProASIC3 chips. The backdoor

was found to exist on the silicon itself, it was not present in any firmware

loaded onto the chip. Using Pipeline Emission Analysis (PEA), a technique

pioneered by our sponsor, we were able to extract the secret key to activate the

backdoor. This way an attacker can disable all the security on the chip,

reprogram crypto and access keys, modify low-level silicon features, access

unencrypted configuration bitstream or permanently damage the device.

Clearly this means the device is wide open to intellectual property theft, fraud,

re-programming as well as reverse engineering of the design which allows the

introduction of a new backdoor or Trojan. Most concerning, it is not possible to

patch the backdoor in chips already deployed, meaning those using this family

of chips have to accept the fact it can be easily compromised or it will have to

be physically replaced after a redesign of the silicon itself.

Keywords: Hardware Assurance; silicon scanning; side-channel analysis;

hardware Trojans and backdoors

Yikes.