Securing sensitive computer systems and circuitry is often a necessity. When intercepted and otherwise compromised, the systems and circuitry can be decoded (reverse engineered) to provide others with sensitive information. A way to mitigate such risks is to use a relatively new set of technologies, collectively known as “anti-tamper.” Anti-tamper (AT) is defined as the systems engineering activities that are intended to prevent or delay exploitation of essential or critical technologies. The use of AT protective techniques varies depending on the technology being protected. For example, one area of technology vulnerability is in the electronics of a weapon system, where there are many critical technologies that can be compromised. Such techniques are used to delay reverse engineering and exploitation of critical algorithms, thereby slowing an adversary as much as possible in compromising U.S. technologies when they fall under enemy control.
According to the Department of Defense (DoD), an essential or critical technology is one that “if compromised would degrade combat effectiveness, shorten the expected combat-effective life of the system, or significantly alter program direction.” In a scenario as shown in FIG. 1, if an unmanned aerial vehicle (UAV) 100 were to crash in enemy territory, then there is potential that the enemy could retrieve electronics that may contain very critical technology, such as the Operational Flight Plan (OFP). If the enemy were capable of reverse engineering the electronics to retrieve the OFP, it could force undesirable changes to tactics and concepts of operations (CONOPS), premature retirement of a weapons system, or major system design changes to regain some level of effectiveness. This in turn can result in serious damage to national security, endanger the warfighter, as well as result in expensive alternatives to remedy the situation, such as altering the OFP on all the remaining UAVs in a fleet. Thus, state-of-the-art technology of a critical nature typically requires more sophisticated AT applications. Some examples of AT techniques include software encryption, integrated circuit protective coatings, and hardware access denial systems.
Recent United States (U.S.) policy has encouraged the sale or transfer of certain military equipment to allied and friendly foreign governments. Increasingly, the equipment contains the latest in U.S. technological advances. Whereas in the past U.S. policy was relatively reluctant to permit such sales, the current cost-conscious environment motivates the leveraging of reduced unit prices that are afforded by increased production quantities. Additionally, the DoD is seeking increased foreign participation in acquisition programs from the requirements definition phase through production, fielding, and life-cycle management. While these efforts have the potential to enhance interoperability, increase standardization, reduce unit costs, and strengthen U.S. industry, they also risk making critical U.S. technologies vulnerable to possible exploitation. Thus, the goal of AT is to both inhibit exploitation and develop countermeasures against critical U.S. technologies.
A common AT technique is using a field-programmable gate array (FPGA). An FPGA has an on-chip decryption tool that can be enabled to make the configuration bitstream secure. For example, a Xilinx user can encrypt the bitstream using Xilinx software. Xilinx is logic software that is produced by Xilinx, Inc., located at 2100 Logic Drive, San Jose, Calif. 95124. After encrypting the bitstream, the chip then performs the reverse operation, decrypting the incoming bitstream and internally recreating the intended configuration. However, the Differential Power Analysis (DPA) process described in literature reference no. 1 (which is a common method used to reverse engineer the key) could compromise the key, thus making the encrypted bitstream insecure and the embedded finite state machine (FSM) logic design accessible by an adversary.
Therefore, what is needed is a new technique to delay reverse-engineering and exploitation of automotive electronics, weapon system electronics, as well as commercial and other sensitive electronic systems. Thus, a continuing need exists for an anti-tamper system that (1) provides an additional means to protect an FSM design in the FPGA if the encrypted bitstream was compromised; (2) can generate different configuration bitstreams for each FPGA based on the same FSM design; and (3) hides part of the FSM design in the parasitics without explicit exposure by the configuration bitstreams.