
Leakier Wires: Exploiting FPGA Long Wires for Covert- and Side-channel Attacks

Published: 23 August 2019

Abstract

In complex FPGA designs, implementations of algorithms and protocols from third-party sources are common. However, the monolithic nature of FPGAs means that all sub-circuits share common on-chip infrastructure, such as routing resources. This presents an attack vector for all FPGAs that contain designs from multiple vendors, especially for FPGAs used in multi-tenant cloud environments, or integrated into multi-core processors. In this article, we show that “long” routing wires present a new source of information leakage on FPGAs, by influencing the delay of adjacent long wires. We show that the effect is measurable for both static and dynamic signals and that it can be detected using small on-board circuits. We characterize the channel in detail and show that it is measurable even when multiple competing circuits (including multiple long-wire transmitters) are present and can be replicated on different generations and families of Xilinx devices (Virtex 5, Virtex 6, Artix 7, and Spartan 7). We exploit the leakage to create a covert channel with 6 kbps of bandwidth and 99.9% accuracy, and a side channel, which can recover signals kept constant for only 1.3 μs, with an accuracy of more than 98.4%. Finally, we propose countermeasures to reduce the impact of this leakage.



Published in

ACM Transactions on Reconfigurable Technology and Systems, Volume 12, Issue 3
Special Section on Security in FPGAs and Regular Articles
September 2019
150 pages
ISSN: 1936-7406
EISSN: 1936-7414
DOI: 10.1145/3357092
Editor: Deming Chen

Copyright © 2019 ACM

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

• Published: 23 August 2019
• Accepted: 1 March 2019
• Revised: 1 February 2019
• Received: 1 September 2018

Qualifiers

• research-article
• Research
• Refereed
