Abstract
In complex FPGA designs, implementations of algorithms and protocols from third-party sources are common. However, the monolithic nature of FPGAs means that all sub-circuits share common on-chip infrastructure, such as routing resources. This presents an attack vector for all FPGAs that contain designs from multiple vendors, especially for FPGAs used in multi-tenant cloud environments or integrated into multi-core processors. In this article, we show that "long" routing wires present a new source of information leakage on FPGAs, by influencing the delay of adjacent long wires. We show that the effect is measurable for both static and dynamic signals and that it can be detected using small on-board circuits. We characterize the channel in detail and show that it is measurable even when multiple competing circuits (including multiple long-wire transmitters) are present, and that it can be replicated on different generations and families of Xilinx devices (Virtex 5, Virtex 6, Artix 7, and Spartan 7). We exploit the leakage to create a covert channel with 6 kbps of bandwidth and 99.9% accuracy, and a side channel that can recover signals kept constant for only 1.3 μs with an accuracy of more than 98.4%. Finally, we propose countermeasures to reduce the impact of this leakage.
Leakier Wires: Exploiting FPGA Long Wires for Covert- and Side-channel Attacks