Voltage drop-based fault attacks on FPGAs using valid bitstreams

Due to the widespread use of FPGAs in many critical application domains, their security is of high concern. In recent systems, such as FPGAs in the cloud or in Systems-on-Chip (SoCs), users can gain access, even remotely, to the reconfigurable fabric to implement custom accelerators. This access can expose new security vulnerabilities in the entire system through malicious use of the FPGA fabric. In the past, attacks at the power-supply level required local access to the hardware. In this paper, we reveal a security vulnerability in FPGAs that allows a valid configuration to generate severe voltage fluctuations, which crash the FPGA within a few microseconds. Moreover, the crash is so severe that manual power-cycling is required before the system can be accessed and used again. This vulnerability has been systematically exploited in two different generations of FPGAs and in a SoC containing an FPGA. Because this vulnerability can lead to severe security attacks on systems using FPGA-based accelerators, we also analyze its underlying mechanism and discuss possibilities for mitigation.
