Cyber Security Awareness Week 2009

Embedded System Challenge

The 2009 NYU-Poly Embedded System Challenge (ESC) is a competition open to all students. The focus is on defending chips against malicious modification during manufacturing.


You are a chip designer and you have a new chip called Beta that is almost ready for production. You need to send the design to a factory to have them fabricate your chips. The problem is, you don't fully trust the factory. Maybe they will insert a trojan in your chip. The challenge is to to harden your chip with extra logic that will allow you to detect and/or disable trojans.

The 2009 Embedded System Challenge

The 2009 ESC has three phases: Participation in the qualification phase is required. Finalists also compete in the hardening phase, the attack phase, or both.

Qualification : Submit a plan.

Describe in two pages how you can embed extra logic in a design so you can detect malicious modifications during fabrication. Be specific. The ten most promising proposals will be selected as finalists. The ten finalists will have a Xilinx FPGA development board shipped to them along with the HDL code to be used in the hardening and attack phases.

Harden a chip.

We will provide HDL code for Beta, a vulnerable reference design of a crypto system. Beta will resemble the Alpha design from the 2008 CSAW Embedded Systems Challenge with the addition of a JTAG TAP. Harden the design against trojans by adding internal JTAG-accessible probing features so you can detect and/or disable trojans in the chip before it is exposed to sensitive mission data. Submit the following to the ESC: Make the minimum set of changes necessary to add your test structures. Do not obfuscate the code. You can assume that the test vectors that you provide will be applied to the chip each time it is powered up.

Attack hardened chips.

Attack as many of the hardened designs from the previous phase as possible by embedding one trojan in their design. That trojan should not be detected by their test structures and should have the malicious function of leaking key or plaintext. For each design that you trojaned, submit the HDL and .bit file. We will load the .bit file onto the FPGA and apply the test vectors supplied by your opponent who hardened the chip. We will verify: If the test vectors produce the same result for your trojaned version as for the untrojaned version, we consider your trojan undetected. We define a successful attack to be one that passes all three checks listed above.


Judging will be based on competition score and on the report that is submitted.

Competition score

Each attempted attack involves an attacking team that tries to insert a trojan, and a defending team, who provided the hardened chip that is being attacked.

Report score

Your report will be read by the judges and evaluated on the basis of clarity, detail, and insight.


August 22nd: Contest description posted, registration opens.
September 13th: Qualification plans due.
September 14th: List of finalists posted.
September 15th: Boards mailed out with reference design.
October 6th:Hardened designs submitted to ESC.
October 7th: Hardened designs posted.
November 1st: Submission of bitfiles of trojaned designs.
November 4th: Submission of reports.
November 12th: CSAW Awards Day


One representative from each finalist team will be given a travel grant up to $500 to present and/or demo their work and to attend the award ceremony. Additionally, the following prizes will be awarded:


Q1: What development tools can I use?
A1: The FPGA board is compatible with Xilinx's free ISE development system, ISE Webpack.

Q2: Which phases of the ESC are optional?
A2: You can skip the defense phase or skip the attack phase. However, you can potentially get more points if you compete in both.

Q3: When the attacker places trojans in the hardened reference design, will they see all of the test structures put there by the defender?
A3: Yes, they will see the test structures but they will not know the test vectors.

Q4: At what level will the trojan insertion take place?
A4: Trojan insertion will take place at the RTL HDL level.

Q5: Are any non-JTAG methods of trojan detection acceptable (power analysis, thermal, electromagnetic)?
A5: The only interface between the tester and the chip is via the provided JTAG TAP.


Please visit the CSAW registration page to register for the this event.




If you have any questions about the contest, feel free to e-mail

Also, please join us on IRC. The network is Freenode. The channel is #esc09.

The CSAW 2008 Embedded challenge was judged by:

CSAW 2008 Embedded Challenge Winners

University/School Team Lead Team Name Report
Iowa State University Michael Steffen Team ISU (1st) iowa_state.pdf
Virginia Tech Zhimin Chen Team SESVT (HM 1) vt.pdf
University of Arkansas Anish Philip N/A uofa.pdf
Rochester Institute of Technology Robert Ghilduta Tropicana rit.pdf
Yale University Yier Jin TRELA (2nd) yale.pdf
Rensselaer Polytechnic Institute Alex Radocea RPI Electronics Club (3rd) rpi.pdf
Hofstra University Davis Roman N/A
University of Illinois Matthew Hicks N/A uofi.pdf
Cooper Union Deian Stefan N/A cooper.pdf
Carnegie Mellon University Joseph Ceirante N/A cmu.pdf
Polytechnic Instiute of NYU Karthik Gulurshivaram N/A poly_team1.pdf
Polytechnic Instiute of NYU Alex Kozak Drop Tables (HM 2) poly_team2.pdf