pith. sign in

arxiv: 2605.08984 · v1 · submitted 2026-05-09 · 💻 cs.CR · cs.ET

Hardware-Accelerated Line-Rate Bitstream Screening for Secure FPGA Reconfiguration

Rye Stahle-Smith , Carter Antley , Jason D. Bakos , Rasha Karakchi This is my paper

Pith reviewed 2026-05-12 01:46 UTC · model grok-4.3

classification 💻 cs.CR cs.ET
keywords FPGA securitybitstream screeninganomaly detectionhardware accelerationprogrammable logicreconfigurable computingfeature extractionmachine learning
0
0 comments X

The pith

BLADEI detects anomalous FPGA bitstreams from raw data and accelerates screening to line rate via programmable logic.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces BLADEI, a framework for screening FPGA configuration bitstreams for abnormalities directly from the raw data without source code, netlists, or vendor tools. It applies a hybrid architecture of multi-scale byte-sequence learning with compact statistical representations to flag anomalous configurations. Evaluation across 1,383 bitstreams produces a macro F1-score of 0.91. The authors identify a preprocessing wall in which software feature extraction consumes 92 percent of the 16.4-second latency while inference takes only 1.4 seconds. They address the bottleneck by designing a streaming hardware engine in the FPGA programmable logic that reduces feature-extraction latency to the millisecond range.

Core claim

BLADEI combines multi-scale byte-sequence learning with compact statistical representations to detect anomalous configurations directly from raw bitstreams. On a Xilinx PYNQ-Z1 implementation it achieves a macro F1-score of 0.91 across 1,383 bitstreams. Systems-level measurements show software-based feature extraction accounts for 92 percent of the total 16.4-second latency. A programmable-logic streaming engine is proposed that reduces feature-extraction latency to the millisecond range and thereby enables line-rate screening prior to FPGA configuration.

What carries the argument

The hybrid architecture of multi-scale byte-sequence learning combined with compact statistical representations for anomaly detection, together with the programmable-logic streaming engine for hardware-accelerated feature extraction.

If this is right

  • Bitstream screening can be enforced prior to configuration in dynamic just-in-time reconfiguration workflows.
  • Hardware acceleration removes the dominant software preprocessing latency barrier.
  • The framework supports end-to-end cloud-to-edge pipelines without requiring trusted design artifacts.
  • Bitstream-level checks become feasible as a first-class security primitive for multi-tenant reconfigurable systems.
  • High detection performance is retained while achieving low-latency operation suitable for line-rate use.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The millisecond latency reduction could support screening in higher-frequency reconfiguration scenarios beyond the tested platform.
  • Similar streaming-engine techniques might generalize to configuration screening for other reconfigurable hardware types.
  • Integration with existing FPGA management flows could enable automated security enforcement at deployment time.
  • Expanding the bitstream dataset would allow testing robustness against evolving configuration threats.

Load-bearing premise

The 1,383 bitstreams used for training and testing contain representative examples of both normal and malicious configurations that will appear in real deployments.

What would settle it

Running the PL-based streaming engine on live FPGA reconfiguration traffic and confirming whether feature-extraction latency reaches the millisecond range while maintaining the reported detection accuracy on previously unseen bitstreams.

Figures

Figures reproduced from arXiv: 2605.08984 by Carter Antley, Jason D. Bakos, Rasha Karakchi, Rye Stahle-Smith.

Figure 1
Figure 1. Figure 1: Training and deployment workflow of BLADEI. The offline phase [PITH_FULL_IMAGE:figures/full_fig_p002_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: Runtime screening pipeline on the PYNQ-Z1 platform. Incoming [PITH_FULL_IMAGE:figures/full_fig_p002_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: The proposed system integrates a streaming Byte-Statistics Engine [PITH_FULL_IMAGE:figures/full_fig_p003_3.png] view at source ↗
read the original abstract

As Field-Programmable Gate Arrays (FPGAs) scale in multi-tenant cloud and edge-AI environments, the configuration bitstream has become a critical, yet opaque, security boundary. Existing hardware Trojan detection methods often rely on trusted design artifacts or computationally intensive reverse-engineering, introducing prohibitive latencies in dynamic, "just-in-time" reconfiguration workflows. This paper presents BLADEI (Bitstream-Level Abnormality Detection for Embedded Inference), a bitstream-level security framework designed for deployment-time screening of FPGA configurations without requiring source code, netlists, or vendor-specific tooling. BLADEI introduces a hybrid architecture that combines multi-scale byte-sequence learning with compact statistical representations to detect anomalous configurations directly from raw bitstreams. We implement the framework on a Xilinx PYNQ-Z1 system, demonstrating an end-to-end cloud-to-edge pipeline that enforces security prior to FPGA configuration. Evaluating across 1,383 bitstreams, BLADEI achieves a macro F1-score of 0.91. However, our systems-level characterization reveals a "preprocessing wall": software-based feature extraction accounts for 92% of the total 16.4-second latency, while model inference requires only 1.4 seconds. To address this bottleneck, we propose a streaming hardware-accelerated feature extraction engine designed for the FPGA programmable logic (PL). The evaluation shows that PL-based streaming engine can reduce feature-extraction latency to the millisecond range. This work positions bitstream-level screening as a first-class primitive and demonstrates that hardware-accelerated preprocessing is the key enabler for securing next-generation reconfigurable custom computing machines at line rate.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 2 minor

Summary. The manuscript presents BLADEI, a bitstream-level anomaly detection framework for FPGAs that combines multi-scale byte-sequence learning with compact statistical representations to screen configurations without source code, netlists, or vendor tools. Implemented on a Xilinx PYNQ-Z1, it reports a macro F1-score of 0.91 across 1,383 bitstreams and identifies a preprocessing bottleneck (92% of 16.4 s latency in software feature extraction). The authors propose and evaluate a PL-based streaming hardware accelerator to reduce feature-extraction latency to the millisecond range, positioning bitstream screening as a deployable primitive for secure multi-tenant reconfiguration.

Significance. If the evaluation methodology is sound and the dataset representative, the work could meaningfully advance practical FPGA security by demonstrating source-independent, low-latency detection at reconfiguration time. The systems-level characterization of the preprocessing wall and the concrete hardware acceleration proposal constitute a tangible contribution to making bitstream screening viable in cloud/edge settings. The absence of dataset and evaluation details, however, prevents a full assessment of whether the 0.91 F1-score generalizes to realistic malicious configurations.

major comments (1)
  1. [Evaluation] The central performance claim (macro F1-score of 0.91) rests on evaluation across 1,383 bitstreams, yet the manuscript supplies no information on bitstream provenance, construction of malicious examples (e.g., Trojan insertion, bit-flip, or IP tampering), labeling procedure, train/test split, cross-validation, or statistical significance. This omission is load-bearing because the reported detection performance cannot be interpreted without evidence that the malicious class reflects threats that would appear in actual multi-tenant deployments.
minor comments (2)
  1. [Abstract] The abstract and introduction refer to 'multi-scale byte-sequence learning' without specifying the scales, feature definitions, or the exact learning algorithm; a brief description or reference to the method would improve clarity.
  2. [Systems-level characterization] The latency breakdown (92% preprocessing, 1.4 s inference) is presented without error bars or multiple runs; reporting variability would strengthen the systems characterization.

Simulated Author's Rebuttal

1 responses · 0 unresolved

We thank the referee for the constructive review and for acknowledging the potential systems-level contribution of hardware-accelerated bitstream screening. We agree that additional evaluation details are required for proper interpretation of the reported results and will incorporate them in the revised manuscript.

read point-by-point responses

  1. Referee: [Evaluation] The central performance claim (macro F1-score of 0.91) rests on evaluation across 1,383 bitstreams, yet the manuscript supplies no information on bitstream provenance, construction of malicious examples (e.g., Trojan insertion, bit-flip, or IP tampering), labeling procedure, train/test split, cross-validation, or statistical significance. This omission is load-bearing because the reported detection performance cannot be interpreted without evidence that the malicious class reflects threats that would appear in actual multi-tenant deployments.

    Authors: We agree that the manuscript currently provides insufficient detail on dataset construction and evaluation methodology, which limits assessment of the 0.91 macro F1-score. In the revised version we will add a dedicated subsection that specifies: (1) the provenance and collection process for the 1,383 bitstreams; (2) the exact techniques used to synthesize malicious configurations, including Trojan insertion, bit-flip, and IP-tampering methods; (3) the labeling procedure; (4) the train/test split ratios together with any cross-validation scheme; and (5) the statistical significance tests applied. These additions will clarify how the malicious class corresponds to realistic multi-tenant threats and will allow readers to evaluate generalizability. revision: yes

Circularity Check

0 steps flagged

No significant circularity; purely empirical evaluation

full rationale

The paper presents BLADEI as an empirical framework for bitstream anomaly detection, reporting a measured macro F1-score of 0.91 on a fixed collection of 1,383 bitstreams plus latency numbers from a PYNQ-Z1 implementation. No equations, derivations, fitted parameters, or first-principles predictions appear in the provided text. The central claims are direct experimental outcomes (classification performance and hardware timing) rather than any quantity that reduces to its own inputs by construction. Self-citations, if present, are not load-bearing for any derivation because none exists. The representativeness concern raised by the skeptic is a question of external validity, not circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review; no equations, parameters, or postulated entities are described.

pith-pipeline@v0.9.0 · 5607 in / 1114 out tokens · 35396 ms · 2026-05-12T01:46:40.530828+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

25 extracted references · 25 canonical work pages

  1. [1]

    Maxfield,The Design Warrior’s Guide to FPGAs: Devices, Tools and Flows

    C. Maxfield,The Design Warrior’s Guide to FPGAs: Devices, Tools and Flows. Elsevier, 2004

    work page 2004

  2. [2]

    Wolf,FPGA-Based System Design

    W. Wolf,FPGA-Based System Design. Pearson, 2004

    work page 2004

  3. [3]

    It’s an FPGA!

    P. Alfkeet al., “It’s an FPGA!”IEEE Solid-State Circuits Magazine, vol. 3, no. 4, pp. 15–20, 2011

    work page 2011

  4. [4]

    Napoly: A non-deterministic automata processor overlay,

    R. Karakchi and J. D. Bakos, “Napoly: A non-deterministic automata processor overlay,”ACM Transactions on Reconfigurable Technology and Systems, vol. 16, no. 3, pp. 1–25, 2023

    work page 2023

  5. [5]

    A dynamically recon- figurable automata processor overlay,

    R. Karakchi, L. O. Richards, and J. D. Bakos, “A dynamically recon- figurable automata processor overlay,” in2017 International Conference on Reconfigurable Computing and FPGAs (ReConFig). IEEE, 2017, pp. 1–8

    work page 2017

  6. [6]

    Design and validation for fpga trust,

    S. Mal-Sarkaret al., “Design and validation for fpga trust,”IEEE Transactions on Multi-Scale Computing Systems, vol. 2, no. 3, pp. 186– 198, 2016

    work page 2016

  7. [7]

    Stealthy hardware trojans on fpgas,

    C. Marchand and J. Francq, “Stealthy hardware trojans on fpgas,”IET Computers & Digital Techniques, vol. 8, no. 6, pp. 246–255, 2014

    work page 2014

  8. [8]

    Hardware trojan insertion by bitstream modification,

    R. S. Chakrabortyet al., “Hardware trojan insertion by bitstream modification,”IEEE Design & Test, vol. 30, no. 2, pp. 45–54, 2013

    work page 2013

  9. [9]

    Bil: A tool-chain for bitstream reverse-engineering,

    F. Benz, A. Seffrin, and S. A. Huss, “Bil: A tool-chain for bitstream reverse-engineering,” inProceedings of the IEEE International Confer- ence on Field Programmable Logic and Applications (FPL). IEEE, 2012, pp. 735–738

    work page 2012

  10. [10]

    Malicious lut: Stealthy fpga trojan,

    C. Krieg, C. Wolf, and A. Jantsch, “Malicious lut: Stealthy fpga trojan,” inICCAD, 2016

    work page 2016

  11. [11]

    Feint: Automated trojan insertion framework,

    V . R. Surabhiet al., “Feint: Automated trojan insertion framework,” Information, vol. 15, no. 7, p. 395, 2024

    work page 2024

  12. [12]

    Reflections on trusting trusthub,

    C. Krieg, “Reflections on trusting trusthub,” inICCAD, 2023

    work page 2023

  13. [13]

    Multi-tenant cloud fpga: Security, trust, and privacy,

    M. K. Ahmedet al., “Multi-tenant cloud fpga: Security, trust, and privacy,”ACM Transactions on Reconfigurable Technology and Systems, vol. 18, no. 2, 2025

    work page 2025

  14. [14]

    Learning malicious circuits in fpga bitstreams,

    R. Elnaggaret al., “Learning malicious circuits in fpga bitstreams,”IEEE TCAD, vol. 42, no. 3, pp. 726–739, 2022

    work page 2022

  15. [15]

    Machine learning for hardware security: Opportunities and risks,

    R. Elnaggar and K. Chakrabarty, “Machine learning for hardware security: Opportunities and risks,”Journal of Electronic Testing, vol. 34, no. 2, pp. 183–201, 2018

    work page 2018

  16. [16]

    Golden-free unsupervised ml for trojan detection,

    A. Ghimireet al., “Golden-free unsupervised ml for trojan detection,” JETC, vol. 21, no. 3, 2025

    work page 2025

  17. [17]

    A bitstream reverse engineering tool for fpga hardware trojan detection,

    J. Yoon, Y . Seo, J. Jang, M. Cho, J. Kim, H. Kim, and T. Kwon, “A bitstream reverse engineering tool for fpga hardware trojan detection,” inProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, ser. CCS ’18. New York, NY , USA: Association for Computing Machinery, 2018, pp. 2318–2320. [Online]. Available: https://doi.org/...

    work page doi:10.1145/3243734.3278487 2018

  18. [18]

    Poster: Towards reverse engineering fpga bitstreams for hardware trojan detec- tion,

    Y . Seo, J. Yoon, J. Jang, M. Cho, H.-K. Kim, and T. Kwon, “Poster: Towards reverse engineering fpga bitstreams for hardware trojan detec- tion,” inProceedings of the Network and Distributed System Security Symposium (NDSS). Internet Society, 2018, pp. 18–21

    work page 2018

  19. [19]

    Real-Time ML-Based Defense Against Malicious Payload in Reconfigurable Embedded Systems,

    R. Stahle-Smith and R. Karakchi, “Real-Time ML-Based Defense Against Malicious Payload in Reconfigurable Embedded Systems,” in Proceedings of the International Conference for High Performance Computing, Networking, Storage and Analysis (SC25), 2025

    work page 2025

  20. [20]

    Dynamic fpga reconfiguration for embedded ai,

    J. Boudjadaret al., “Dynamic fpga reconfiguration for embedded ai,” Future Generation Computer Systems, vol. 169, p. 107777, 2025

    work page 2025

  21. [21]

    Hardware trojan attacks on fpga-based cnn accelerators,

    J. Houet al., “Hardware trojan attacks on fpga-based cnn accelerators,” Micromachines, vol. 15, no. 1, p. 149, 2024

    work page 2024

  22. [22]

    Security of sram-based fpgas in the era of ai,

    J. Zhouet al., “Security of sram-based fpgas in the era of ai,”Journal of Low Power Electronics and Applications, vol. 15, no. 4, p. 66, 2025

    work page 2025

  23. [23]

    PYNQ™: Python Productivity for Zynq,

    AMD, “PYNQ™: Python Productivity for Zynq,” https://www.pynq.io, 2024, accessed: Aug. 4, 2025

    work page 2024

  24. [24]

    PYNQ-Torch: a framework to develop PyTorch accelerators on the PYNQ platform,

    M. V ohra and S. Fasciani, “PYNQ-Torch: a framework to develop PyTorch accelerators on the PYNQ platform,” inProceedings of 2019 IEEE International Symposium on Signal Processing and Information Technology (ISSPIT 2019). IEEE, 2019

    work page 2019

  25. [25]

    PYNQ BLADEI,

    Bread2002, “PYNQ BLADEI,” 2025, GitHub Repository. [Online]. Available: https://github.com/Karakchi-Research/PYNQ BLADEI/

    work page 2025