Since the Snowden revelations the fear of stealthy hardware manipulations is no longer regarded as far fetched. This fear is also reflected in the massive discussions sparked by last year's Bloomberg allegations on a supposed hardware spy implant on Supermicro serverboards or the recent USA ban on Huawei telecommunication equipment. Hardware reverse engineering (HRE) is a promising method to detect such manipulations or hidden backdoors. However, HRE is a highly complex and cumbersome task. It takes months of work as well as expensive equipment to even obtain the netlist of a chip, the equivalent to the binary in software reverse engineering (SRE). In contrast to SRE where various paid or open-source tools for binary analysis exist, e.g., IDA Pro or Ghidra, in HRE simply no tool for netlist analysis were available - neither commercial, nor free. To close this gap, researchers from the Ruhr University Bochum developed HAL, the first open-source netlist analysis framework. In this talk, we start with a basic introduction into the challenges of HRE. Then, we demonstrate the capabilities of HAL before giving a brief overview on our current research with HAL.
Hardware reverse engineering (HRE) is an important technique for analysts to understand the internals of a physical system. Use cases range from recovering interface specifications of old chips, over detection of malicious manipulations or patent infringements, to straight up counterfeiting. However, HRE is a notably complex and cumbersome task which consists of two phases: In the first phase the netlist, i.e., circuit description of a chip, has to be extracted from the physical device. Such a netlist is equivalent to the binary in software reverse engineering (SRE). In the second phase, the analyst then processes the netlist in order to understand (parts of) its functionality. However, obtaining a netlist from a chip can take several months and requires professional and costly equipment as well as expertise. Even with a recovered netlist, understanding its functionality is an enormously challenging task. This is partly due to the lack of proper tools for netlist analysis: While in SRE various commercial or open-source tools for binary analysis exist, e.g., IDA Pro or Ghidra, in HRE simply no tool for netlist analysis was available, neither commercial, nor free. To close this gap, researchers from the Embedded Security group of the Horst-Görtz Institute for IT-Security at the Ruhr University Bochum developed HAL, the first open-source netlist analysis framework. Inspired by the modularity of its SRE equivalents, HAL can be extended through optimized C++ plugins or directly used as a Python library, while at the same time offering a GUI for explorative and interactive analysis. The project is supposed to give hardware analysts a common platform for the development of new algorithms with a portable design, ultimately aiding both professionals in their daily work as well as researchers in their efforts to publish reproducible results. In this talk, we will first introduce the foundations and main challenges of HRE, before giving a live demonstration of HAL and some of its capabilities on selected case studies. We conclude the talk with a glimpse at our associated research at the university that spans both, technical research as well as cross-disciplinary work with psychologists. Our talk requires only minimum prior knowledge on digital hardware.
Speakers: Max Hoffmann