Remote Dynamic Clock Reconfiguration Based Attacks on Internet of Things Applications

Many Internet of Things (IoT) applications can potentially benefit from the remote Dynamic Partial Reconfiguration (DPR) capabilities of modern Field Programmable Gate Arrays (FPGAs). Such capabilities enable changes in the circuit mapped on the FPGA, for modification or enhancement of functionality offered by the FPGA without taking it offline, via remote communications over a network. However, the use of remote DPR can result in security threats with catastrophic consequences. In this paper, we design two Hardware Trojan Horse (HTH) attacks that exploit the remote DPR capability of the FPGA, on an encryption circuit and a true random number generator circuit, respectively. In particular, these attacks target the clock signal management circuitry on the FPGA to disrupt functionality. We substantiate the threat by demonstrating successful remote attacks via transfer of malicious bitstreams to a Virtex-5 FPGA, thereby embedding the HTH. Finally, we propose plausible countermeasures to prevent such attacks.
