Characterization of Long Wire Data Leakage in Deep Submicron FPGAs

Provelengios, George; Ramesh, Chethan; Patil, Shivukumar B.; Eguro, Ken; Tessier, Russell; Holcomb, Daniel

doi:10.1145/3289602.3293923

Cited by 29 publications

(20 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We primarily investigate how to exploit information leakage for covert communication, and focus on multi-tenant cloud FPGAs, which have attracted the interest of the security community [10]- [13], [28], [29], [47]. However, our system model is equally applicable to covert communication between potentially outsourced untrusted third-party Intellectual Property (IP) cores [11], [12], [17], [18], and System-on-Chip (SoC) FPGAs [5], [11], [12], [32], [47], for instance those found in Intel Xeon CPUs with integrated FPGAs [20], Xilinx Zynq UltraScale+ MPSoC FPGAs with hard ARM processors [42], or Microsemi FPGAs with soft RISC-V processors [26].…”

Section: System and Adversary Modelmentioning

confidence: 99%

“…For example, Giechaskiel et al identified a crosstalk effect in Xilinx FPGAs due to long-wire capacitive coupling [11], [12], and used it to create a 6 kbps covert channel. The same phenomenon was then investigated for Intel devices [28], [29], where it was shown that the long-wire leakage can also be used to conduct Differential Power Analysis (DPA) on an AES core, and extract its key. These attacks were performed locally, and with logical, but not physical isolation, unlike our fast (4.6 Mbps) cloud-based covert channel, which operates under assumptions of physical isolation of logic to separate SLRs.…”

Section: B Remote Fpga Attacksmentioning

confidence: 99%

“…Although isolation is often proposed as a step to mitigate potential information leakage [11]- [13], [28], [37], several attacks have been successful, despite physical separation of the adversarial and victim logic [24], [25], [30], [47]. One limitation of these attacks is that they target low-end FPGA devices, where physical isolation is not strong: the transmitting and receiving circuits share the same FPGA die, and, in some cases, even the same clock regions and resources [25], [47].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Reading Between the Dies: Cross-SLR Covert Channels on Multi-Tenant Cloud FPGAs

Giechaskiel

Rasmussen

Szefer

2019

2019 IEEE 37th International Conference on Computer Design (ICCD)

View full text Add to dashboard Cite

Field-Programmable Gate Arrays (FPGAs) are becoming increasingly available via commercial cloud providers, which currently allocate devices on a per-user basis. As the underlying hardware is often underutilized, several proposals for multi-tenant use of FPGA resources have been brought forth, along with some initial work on security attacks in this setting. Simultaneously, high-end FPGAs are being produced with 2.5D integration of multiple distinct dies, called Super Logic Regions (SLRs), onto the same chip. Although one might expect that physical separation of logic onto separate dies could prevent multitenant attacks, this paper demonstrates for the first time that cross-SLR information leaks based on sensing voltage changes within the FPGA chip are possible, without physical access to or modification of the boards. The cross-SLR covert channel is characterized analytically and experimentally on five Xilinx Virtex UltraScale+ FPGAs, both locally and on the Amazon and Huawei clouds. Several configurations of the source transmitters and the sink receivers are tested, including their locations, types, and sizes. The power-based channel is shown to have a bandwidth upwards of 4.6 Mbps and accuracy of over 97.6%. Consequently, as physical separation of tenants onto separate dies (SLRs) is an insufficient countermeasure against information leaks, hardware-level architectural improvements are necessary to make secure multi-tenant FPGAs on shared clouds a reality.

show abstract

Section: System and Adversary Modelmentioning

confidence: 99%

Section: B Remote Fpga Attacksmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Reading Between the Dies: Cross-SLR Covert Channels on Multi-Tenant Cloud FPGAs

Giechaskiel

Rasmussen

Szefer

2019

2019 IEEE 37th International Conference on Computer Design (ICCD)

View full text Add to dashboard Cite

show abstract

“…It is known that interconnect crosstalk inside an FPGA can affect signal delays [24]. Provelengios et al recently examined long wire coupling on various types of wires across three FPGAs implemented in technology nodes ranging from 60 to 20 nm (Cyclone IV, Stratix V, Arria 10), and demonstrated that information leakage exists in all of them [25]. These unintentional transmissions pose new risks for multi-user scenarios, including FPGA/CPU hybrids and cloud infrastructures offering FPGA solutions.…”

Section: Crosstalk Coupling Channelmentioning

confidence: 99%

Physical Side-Channel Attacks and Covert Communication on FPGAs: A Survey

Mirzargar

Stojilović

2019

2019 29th International Conference on Field Programmable Logic and Applications (FPL)

View full text Add to dashboard Cite

Field-programmable gate arrays (FPGAs) are, like CPUs, susceptible to side-channel information leakage and covert communication. The malleability of FPGAs enables users to create and control physical effects, and sense and measure the consequences. With FPGAs becoming integrated into the cloud, a range of hardware-and software-based attacks may be waiting to be discovered. In this survey, we focus on physical channels used for side-channel attacks or covert communication. Physical channels are those that exist due to the physical properties of FPGAs, for example: power consumption, temperature, or electromagnetic emission. We include the most recent demonstrations of malicious or unintended use of physical channels in remote and/or shared FPGAs, propose taxonomies, compare the efficiency and feasibility of the attacks, and discuss challenges in preventing them. Index Terms-covert communication, crosstalk, electromagnetism, FPGA, power, side-channel attacks, temperature • a survey of the recently shown physical side-and covertcommunication channels in shared and/or remote FPGAs, • a comprehensive list of FPGA devices and platforms that have been successfully attacked or used to perform covert communication, and • a discussion, based on qualitative and quantitative data, about the threat that the FPGA physical channels pose.

show abstract

“…All that it takes is for an FPGA Trojan to enable a ring oscillator, which has to be conveniently routed so that one of the wires between two ring-oscillator stages is neighboring the victim signal. To validate if the threat of a crosstalk attacks is real, Provelengios et al examined long wire coupling on various types of wires across three FPGAs in technology nodes from 60 to 20 nm (Cyclone IV, Stratix V, Arria 10); their findings were affirmative [8].…”

Section: Introductionmentioning

confidence: 99%

Closing Leaks

Seifoori

Mirzargar

Stojilović

2020

Proceedings of the 2020 ACM/SIGDA International Symposium on Field-Programmable Gate Arrays

View full text Add to dashboard Cite

This paper presents an extension to PathFinder FPGA routing algorithm, which enables it to deliver FPGA designs free from risks of crosstalk attacks. Crosstalk side-channel attacks are a real threat in large designs assembled from various IPs, where some IPs are provided by trusted and some by untrusted sources. It suffices that a ring-oscillator based sensor is conveniently routed next to a signal that carries secret information (for instance, a cryptographic key), for this information to possibly get leaked. To address this security concern, we apply several different strategies and evaluate them on benchmark circuits from Verilog-to-Routing tool suite. Our experiments show that, for a quite conservative scenario where 10-20% of all design nets are carrying sensitive information, the crosstalk-attack-aware router ensures that no information leaks at a very small penalty: 1.58-7.69% increase in minimum routing channel width and 0.12-1.18% increase in critical path delay, on average. In comparison, in an AES-128 cryptographic core, less than 5% of nets carry the key or the intermediate state values of interest to an attacker, making it highly likely that the overhead for obtaining a secure design is, in practice, even smaller. CCS CONCEPTS • Security and privacy → Side-channel analysis and countermeasures; • Hardware → Reconfigurable logic and FPGAs.

show abstract

Characterization of Long Wire Data Leakage in Deep Submicron FPGAs

Cited by 29 publications

References 5 publications

Reading Between the Dies: Cross-SLR Covert Channels on Multi-Tenant Cloud FPGAs

Reading Between the Dies: Cross-SLR Covert Channels on Multi-Tenant Cloud FPGAs

Physical Side-Channel Attacks and Covert Communication on FPGAs: A Survey

Closing Leaks

Contact Info

Product

Resources

About