Embedded System Challenge
The 2009 NYU-Poly Embedded System Challenge (ESC)
is a competition open to all students. The focus
is on defending chips against malicious
modification during manufacturing.
You are a chip designer and you have a new chip
called Beta that is almost ready for production.
You need to send the design to a factory to have
them fabricate your chips. The problem is, you
don't fully trust the factory. Maybe they will
insert a trojan in your chip. The challenge is to
to harden your chip with extra logic that will
allow you to detect and/or disable trojans.
The 2009 Embedded System Challenge
The 2009 ESC has three phases:
Participation in the qualification phase is required. Finalists
also compete in the hardening phase, the attack phase, or both.
Qualification : Submit a plan.
Describe in two pages how you can embed extra
logic in a design so you can detect malicious
modifications during fabrication. Be specific.
The ten most promising proposals will be
selected as finalists. The ten finalists will have
a Xilinx FPGA development board shipped to them
along with the HDL code to be used in the
hardening and attack phases.
Harden a chip.
We will provide HDL code for Beta, a vulnerable
reference design of a crypto system. Beta will
resemble the Alpha design from the
2008 CSAW Embedded Systems
Challenge with the addition of a
Harden the design against trojans by adding
internal JTAG-accessible probing features so you
can detect and/or disable trojans in the chip
before it is exposed to sensitive mission data.
Submit the following to the ESC:
Make the minimum set of changes necessary to add
your test structures. Do not obfuscate the code.
You can assume that the test vectors that you provide
will be applied to the chip each time it is powered up.
- hardened HDL code (this will be distributed to all ESC competitors)
- test vectors (these will not be distributed)
Attack hardened chips.
Attack as many of the hardened designs from the
previous phase as possible by embedding
one trojan in their design. That
trojan should not be detected by their test
structures and should have the
malicious function of leaking key or plaintext.
For each design that you trojaned, submit the HDL
and .bit file. We will load the .bit file onto
the FPGA and apply the test vectors supplied by
your opponent who hardened the chip. We will
If the test vectors produce the same result for
your trojaned version as for the untrojaned
version, we consider your trojan undetected. We
define a successful attack to be one that passes
all three checks listed above.
- basic system functionality,
- trojan functionality, and that
- the test vectors produce the same response
with your trojans as without your trojans.
Judging will be based on competition score and on
the report that is submitted.
Each attempted attack involves an attacking team that tries
to insert a trojan, and a defending team, who provided
the hardened chip that is being attacked.
- For each successful attack, the attacking team gains
one point and defending team loses one point.
- For each unsuccessful attack, the attacking team loses one
point and the defending team gains two points.
Your report will be read by the judges and evaluated on the
basis of clarity, detail, and insight.
|August 22nd: ||Contest description posted, registration opens.
|September 13th: ||Qualification plans due.
|September 14th: ||List of finalists posted.
|September 15th: ||Boards mailed out with reference design.
|October 6th:||Hardened designs submitted to ESC.
|October 7th: ||Hardened designs posted.
|November 1st: ||Submission of bitfiles of trojaned designs.
|November 4th: ||Submission of reports.
|November 12th: ||CSAW Awards Day
One representative from each finalist team will be given a travel
grant up to $500 to present and/or demo their work and to attend
the award ceremony. Additionally, the following prizes will be
- 1st place : $500
- 2nd place : $250
- 3rd place : $100
Q1: What development tools can I use?
A1: The FPGA board is compatible with Xilinx's free ISE development system,
Q2: Which phases of the ESC are optional?
A2: You can skip the defense phase or skip the attack phase. However,
you can potentially get more points if you compete in both.
Q3: When the attacker places trojans in the hardened reference design,
will they see all of the test structures put there by the defender?
A3: Yes, they will see the test structures but they will not know the
Q4: At what level will the trojan insertion take place?
A4: Trojan insertion will take place at the RTL HDL level.
Q5: Are any non-JTAG methods of trojan detection acceptable
(power analysis, thermal, electromagnetic)?
A5: The only interface between the tester and the chip is via
the provided JTAG TAP.
Please visit the
CSAW registration page
to register for the this event.
CJ Clark, President and CEO of Intellitech Corporation
CJ has been the elected chairperson of the
IEEE 1149.1 JTAG working group from 1996 to
present. He has been active in other IEEE
working groups such as IEEE 1149.4, 1149.6,
1532, P1149.7, P1581 and P1687. He has
presented at International Test Conference,
TECS (Testing Embedded Cores-Based Systems)
Workshop, the Board Test Workshop, Ottawa
Test Workshop, VLSI Test Symposium and HOST
CJ serves on the University of New Hampshire
College of Engineering and Physical Science
(CEPS) Advisory Board. He also serves on the
UNH Department of Electrical Engineering
Advisory Board. He has twice been the
invited speaker for the USPTO patent
examiner education program and frequent
speaker at the IEEE lecture series on FPGAs.
He is co-inventor on four US patent related
to scan-based test, two Canadian, one
Taiwanese patent with others pending
world-wide. His first job in test was in
1978 with Plantronics/Wilcom.
Ben Epstein, PhD Consultant to DARPA TRUST In ICs Program
Clifford Wang, PhD Division Chief, Computing Sciences; Program Manager, Information Assurance, US Army Research Office
If you have any questions about the contest, feel free to e-mail firstname.lastname@example.org.
Also, please join us on IRC. The network is Freenode. The channel is #esc09.
The CSAW 2008 Embedded challenge was judged by:
Lok Kwong Yang, from Air Force Research Labs, Rome.
- Arnold Kravitz, Vice President, Advanced Technology, L-3 Communication Systems-East
- Jared Verba, Idaho National Laboratory
CSAW 2008 Embedded Challenge Winners
|Iowa State University
||Team ISU (1st)
||Team SESVT (HM 1)
|University of Arkansas
|Rochester Institute of Technology
|Rensselaer Polytechnic Institute
||RPI Electronics Club (3rd)
|University of Illinois
|Carnegie Mellon University
|Polytechnic Instiute of NYU
|Polytechnic Instiute of NYU
||Drop Tables (HM 2)