FPGA-Based Remote Power Side-Channel Attacks

The rapid adoption of heterogeneous computing has driven the integration of Field Programmable Gate Arrays (FPGAs) into cloud datacenters and flexible System-on-Chips (SoCs). This paper shows that the integrated FPGA introduces a new security vulnerability by enabling software-based power side-channel attacks without physical proximity to a target system. We first demonstrate that an on-chip power monitor can be built on a modern FPGA using ring oscillators (ROs), and characterize its ability to observe the power consumption of other modules on the FPGA or the SoC. Then, we show that the RO-based FPGA power monitor can be used for a successful power analysis attack on an RSA cryptomodule on the same FPGA. Additionally, we show that the FPGA-based power monitor can observe the power consumption of a CPU on the same SoC, and demonstrate that the FPGA-to-CPU power side-channel attack can break timing-channel protection for an RSA program running on a CPU. This work introduces and demonstrates remote power side-channel attacks using an FPGA, showing that the common assumption that power side-channel attacks require specialized equipment and physical access to the victim hardware is not true for systems with an integrated FPGA.
