FPGA Vulnerability Analysis Tools
Navy STTR 2019.A - Topic N19A-T018
ONR - Mr. Steve Sullivan - steven.sullivan@navy.mil
Opens: January 8, 2019 - Closes: February 6, 2019 (8:00 PM ET)


TITLE: FPGA Vulnerability Analysis Tools


TECHNOLOGY AREA(S): Air Platform, Electronics, Ground/Sea Vehicles

ACQUISITION PROGRAM: INP is Total Platform Cyber Protection (TPCP)

OBJECTIVE: Produce algorithms that can identify vulnerabilities in software for Field-programmable Gate Arrays (FPGAs). The focus is the analysis of software at the various stages of synthesis and not the actual hardware (i.e., Altera or Xilinx) on which the code is implemented.

DESCRIPTION: FPGAs are becoming more prominent in technology. They have become just as favorable as Application Specific Integrated Circuits (ASICs) in some applications and are even showing up in some computer server technology for the enterprise. FPGAs also play a vital role in Naval systems for their real-time processing and ability to be upgraded with new software.

As opposed to standard Internet-connected computing hardware, FPGAs have received minimal research and development (R&D) for cyber protection. Most of the work for FPGA security thus far has been in the vein of protecting the intellectual property (IP) aspect from theft and physical reverse engineering efforts. This does not address operational vulnerabilities due to how the code is structured and executes based on inputs and state conditions. Due to the acceleration of cyber-warfare and hacking, this is problematic.

The development and deployment of code for FPGAs goes through a different set of synthesis tools than what typical computing users are familiar with for application development. As a result, the mainstream cybersecurity community lacks familiarity with it. Another issue is the potential source of vulnerabilities that comes from purchased 3rd party IP cores. There are few to no tools available for evaluating FPGA code for cyber vulnerabilities.

From an ideal perspective, the Navy would like vulnerability analysis conducted on the bitstream as it resides on the physical device; however, the Navy realizes that there may be complications due to encryption and access. With that in mind, the Navy is requesting proposals that present approaches for analyzing the FPGA code as close to in situ (or on device) as possible. The Navy will be open to opportunities to analyze the code throughout the synthesis process chain. Preference will be closer to the deployed application on the board, but awardees must convince the Navy that their approaches have a reasonable likelihood of success.

There will be no Government-furnished equipment (GFE) provided for this effort. Awardees must provide their own hardware and code for experimentation. Proposers must have experience in the FPGA domain to be competitive.

PHASE I: Develop a concept and methodology to automatically identify potential cyber vulnerabilities in the FPGA code at the level(s) under study. Ensure that the algorithm can locate and identify the portion of the code that is vulnerable and also provide a brief explanation as to why it is vulnerable and a proposed remediation description. Provide a limited proof-of-concept application to demonstrate the viability of the approach. Develop a Phase II prototype plan.

PHASE II: Develop the prototype into a fully functioning software toolset for identifying and tagging cyber vulnerabilities within the FPGA code. Provide a graphical user interface (GUI) that allows the user easy identification of the vulnerability, its significance, and a description for remediation. Demonstrate and evaluate the efficacy of the tools on FPGA codes of varying complexity as selected by the awardee.

PHASE III DUAL USE APPLICATIONS: Work with the Navy to integrate the tool into current cyber assessment processes. Many test and evaluation teams require more automated and more frequent assessment of the cybersecurity posture of weapons systems and hull, mechanical, and electrical (HM&E) systems. The Office of Naval Research (ONR) will facilitate interactions with Naval Sea Systems Command (NAVSEA), Naval Air Systems Command (NAVAIR), and Space and Naval Warfare Systems Command (SPAWAR) to apply the tool to the Navy's cyber-physical systems. The R&D conducted here would be equally useful in the commercial sector in any application where FPGAs are implemented.



KEYWORDS: FPGA; Synthesis; Vulnerability; Cybersecurity; Scanning; 3rd Party IP Cores; Intellectual Property; IP



These Navy Topics are part of the overall DoD 2019.A STTR BAA. The DoD issued its 2019.1 BAA STTR pre-release on November 28, 2018, which opens to receive proposals on January 8, 2019, and closes February 6, 2019 at 8:00 PM ET.

Between November 28, 2018 and January 7, 2019 you may communicate directly with the Topic Authors (TPOC) to ask technical questions about the topics. During these dates, their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting January 8, 2019 when DoD begins accepting proposals for this BAA. However, until January 23, 2019, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS during the Open BAA period for questions and answers and other significant information relevant to their SBIR/STTR topics of interest.
