Abstract
This article presents a study of two types of on-chip FPGA voltage sensors based on ring oscillators (ROs) and time-to-digital converter (TDCs), respectively. It has previously been shown that these sensors are often used to extract side-channel information from FPGAs without physical access. The performance of the sensors is evaluated in the presence of circuits that deliberately waste power, resulting in localized voltage drops. The effects of FPGA power supply features and sensor sensitivity in detecting voltage drops in an FPGA power distribution network (PDN) are evaluated for Xilinx Artix-7, Zynq 7000, and Zynq UltraScale+ FPGAs. We show that both sensor types are able to detect supply voltage drops, and that their measurements are consistent with each other. Our findings show that TDC-based sensors are more sensitive and can detect voltage drops that are shorter in duration, while RO sensors are easier to implement because calibration is not required. Furthermore, we present a new time-interleaved TDC design that sweeps the sensor phase. The new sensor generates data that can reconstruct voltage transients on the order of tens of picoseconds.
- [1] . 2019. RAM-Jam: Remote temperature and voltage fault attack on FPGAs using memory collisions. In Workshop on Fault Diagnosis and Tolerance in Cryptography (FDTC’19). 48–55.Google Scholar
- [2] . 2014. The characterization and application of a low resource FPGA-based time to digital converter. Nuclear Instruments and Methods in Physics Research Section A: Accelerators, Spectrometers, Detectors and Associated Equipment 739 (2014), 75–82.Google Scholar
Cross Ref
- [3] . 2020. Neighbors from Hell: Voltage attacks against deep learning accelerators on multi-tenant FPGAs. In 2020 International Conference on Field-Programmable Technology (ICFPT’20). IEEE, 103–111.Google Scholar
Cross Ref
- [4] . [n. d.]. Zybo Z7 Reference Manual. https://reference.digilentinc.com/reference/programmable-logic/zybo-z7/reference-manual.Google Scholar
- [5] . 2020. C3APSULe: Cross-FPGA covert-channel attacks through power supply unit leakage. In Proceedings of the IEEE Symposium on Security and Privacy (S&P’20). 1728–1741.Google Scholar
Cross Ref
- [6] . 2019. Measuring long wire leakage with ring oscillators in cloud FPGAs. In International Conference on Field Programmable Logic and Applications (FPL’19). 45–50.Google Scholar
Cross Ref
- [7] . 2020. Are cloud FPGAs really vulnerable to power analysis attacks?. In Design, Automation & Test in Europe Conference & Exhibition (DATE’20). IEEE, 1007–1010.Google Scholar
Cross Ref
- [8] . 2019. Voltage-based covert channels in multi-tenant FPGAs.IACR Cryptol. ePrint Arch. 2019 (2019), 1394.Google Scholar
- [9] . 2016. Analysis of transient voltage fluctuations in FPGAs. In International Conference on Field-Programmable Technology. 12–19.Google Scholar
Cross Ref
- [10] . 2017. Voltage drop-based fault attacks on FPGAs using valid bitstreams. In 2017 27th International Conference on Field Programmable Logic and Applications (FPL’17). IEEE, 1–7.Google Scholar
Cross Ref
- [11] . 2018. Sharing, protection, and compatibility for reconfigurable fabric with AMORPHOS. In USENIX Symposium on Operating Systems Design and Implementation (OSDI’18). 107–127.Google Scholar
- [12] . 2019. Mitigating electrical-level attacks towards secure multi-tenant FPGAs in the cloud. ACM Transactions on Reconfigurable Technology and Systems (TRETS) 12, 3 (2019), 1–26.Google Scholar
Digital Library
- [13] . 2021. Remote and stealthy fault attacks on virtualized FPGAs. In Design, Automation & Test in Europe Conference & Exhibition (DATE’21). IEEE, 1632–1637.Google Scholar
Cross Ref
- [14] . 2020. FPGADefender: Malicious self-oscillator scanning for Xilinx UltraScale+ FPGAs. ACM Transactions on Reconfigurable Technology and Systems (TRETS) 13, 3 (2020), 1–31.Google Scholar
Digital Library
- [15] . 2020. Jitter-based adaptive true random number generation for FPGAs in the cloud. In International Conference on Field-Programmable Technology. 112–119.Google Scholar
Cross Ref
- [16] . 2020. Power-hammering through glitch amplification–attacks and mitigation. In IEEE 28th Annual International Symposium on Field-Programmable Custom Computing Machines (FCCM’20). 65–69.Google Scholar
- [17] . 2020. Understanding and comparing the capabilities of on-chip voltage sensors against remote power attacks on FPGAs. In IEEE 63rd International Midwest Symposium on Circuits and Systems (MWSCAS’20). 941–944.Google Scholar
- [18] . 1999. A high-resolution time interpolator based on a delay locked loop and an RC delay line. IEEE Journal of Solid-State Circuits 34, 10 (1999), 1360–1366.Google Scholar
Cross Ref
- [19] . 2014. Chipwhisperer: An open-source platform for hardware embedded security research. In International Workshop on Constructive Side-Channel Analysis and Secure Design. 243–260.Google Scholar
- [20] . 2019. Characterizing power distribution attacks in multi-user FPGA environments. In International Conference on Field Programmable Logic and Applications (FPL’19). 194–201.Google Scholar
Cross Ref
- [21] . 2020. Power distribution attacks in multitenant FPGAs. IEEE Transactions on Very Large Scale Integration (VLSI) Systems 28, 12 (2020), 2685–2698.Google Scholar
Digital Library
- [22] . 2020. Power wasting circuits for cloud FPGA attacks. In 30th International Conference on Field-Programmable Logic and Applications (FPL’20). IEEE, 231–235.Google Scholar
Cross Ref
- [23] . 2018. Remote inter-chip power analysis side-channel attacks at board-level. In International Conference on Computer-Aided Design. 1–7.Google Scholar
Digital Library
- [24] . 2019. Fast voltage transients on FPGAs: Impact and mitigation strategies. In 2019 IEEE 27th Annual International Symposium on Field-Programmable Custom Computing Machines (FCCM’19). IEEE, 271–279.Google Scholar
- [25] . 2006. A high-resolution time-to-digital converter implemented in field-programmable-gate-arrays. IEEE Transactions on Nuclear Science 53, 1 (2006), 236–241.Google Scholar
Cross Ref
- [26] . 2019. Oscillator without a combinatorial loop and its threat to FPGA in data centre. Electronics Letters 55, 11 (2019), 640–642.Google Scholar
Cross Ref
- [27] . 2019. Temporal thermal covert channels in cloud FPGAs. In ACM/SIGDA International Symposium on Field-Programmable Gate Arrays. 298–303.Google Scholar
- [28] Xilinx Corporation. 2018. ZCU104 User’s Guide. Xilinx Corporation.Google Scholar
- [29] . 2012. A high-resolution time-to-digital converter based on multi-phase clock implement in field-programmable-gate-array. In 2012 18th IEEE-NPSS Real Time Conference. IEEE, 1–4.Google Scholar
Cross Ref
- [30] . 2018. FPGA-based remote power side-channel attacks. In 2018 IEEE Symposium on Security and Privacy (SP’18). IEEE, 229–244.Google Scholar
- [31] . 2018. Frequency-domain power delivery network self-characterization in FPGAs for improved system reliability. IEEE Transactions on Industrial Electronics 65, 11 (2018), 8915–8924.Google Scholar
Cross Ref
- [32] . 2012. Low-cost sensing with ring oscillator arrays for healthier reconfigurable systems. ACM Transactions on Reconfigurable Technology and Systems 5, 1 (2012), 1–26.Google Scholar
Digital Library
- [33] . 2013. Sensing nanosecond-scale voltage attacks and natural transients in FPGAs. In ACM/SIGDA International Symposium on Field Programmable Gate Arrays. 101–104.Google Scholar
Index Terms
Voltage Sensor Implementations for Remote Power Attacks on FPGAs
Recommendations
A new design methodology for voltage-to-frequency converters (VFCs) circuits suitable for time-based analog-to-digital converters (T-ADCs)
Analog-to-digital converter (ADC) is one of the crucial blocks for the software defined radio applications that require higher resolution, and less power consumption; accordingly, time-based analog to digital converters (T-ADC) are introduced to make ...
A 1.1-mW 10-bit 50-MSample/s hybrid two-step ADC in 0.13-µm CMOS technology
This paper presents a hybrid two-step analog-to-digital converter (ADC) that employs a successive approximation register (SAR) ADC and a time-to-digital converter (TDC)-based ADC as coarse and fine converters, respectively. By exploiting the respective ...
Design of a three-stage ring-type voltage-controlled oscillator with a wide tuning range by controlling the current level in an embedded delay cell
This paper presents a new design for a three-stage voltage-controlled differential ring oscillator embedded with a delay cell for a wide tuning range from 59MHz to 2.96GHz by adjusting the current level in the delay cell. The ring oscillator consists of ...






Comments