-
Evaluating Vulnerability of Chiplet-Based Systems to Contactless Probing Techniques
Authors:
Aleksa Deric,
Kyle Mitard,
Shahin Tajik,
Daniel Holcomb
Abstract:
Driven by a need for ever increasing chip performance and inclusion of innovative features, a growing number of semiconductor companies are opting for all-inclusive System-on-Chip (SoC) architectures. Although Moore's Law has been able to keep up with the demand for more complex logic, manufacturing large dies still poses a challenge. Increasingly the solution adopted to minimize the impact of sil…
▽ More
Driven by a need for ever increasing chip performance and inclusion of innovative features, a growing number of semiconductor companies are opting for all-inclusive System-on-Chip (SoC) architectures. Although Moore's Law has been able to keep up with the demand for more complex logic, manufacturing large dies still poses a challenge. Increasingly the solution adopted to minimize the impact of silicon defects on manufacturing yield has been to split a design into multiple smaller dies called chiplets which are then brought together on a silicon interposer. Advanced 2.5D and 3D packaging techniques that enable this kind of integration also promise increased power efficiency and opportunities for heterogeneous integration.
However, despite their advantages, chiplets are not without issues. Apart from manufacturing challenges that come with new packaging techniques, disaggregating a design into multiple logically and physically separate dies introduces new threats, including the possibility of tampering with and probing exposed data lines. In this paper we evaluate the exposure of chiplets to probing by applying laser contactless probing techniques to a chiplet-based AMD/Xilinx VU9P FPGA. First, we identify and map interposer wire drivers and show that probing them is easier compared to probing internal nodes. Lastly, we demonstrate that delay-based sensors, which can be used to protect against physical probes, are insufficient to protect against laser probing as the delay change due to laser probing is only 0.792ps even at 100\% laser power.
△ Less
Submitted 23 May, 2024;
originally announced May 2024.
-
Resurrection Attack: Defeating Xilinx MPU's Memory Protection
Authors:
Bharadwaj Madabhushi,
Chandra Sekhar Mummidi,
Sandip Kundu,
Daniel Holcomb
Abstract:
Memory protection units (MPUs) are hardware-assisted security features that are commonly used in embedded processors such as the ARM 940T, Infineon TC1775, and Xilinx Zynq. MPUs partition the memory statically, and set individual protection attributes for each partition. MPUs typically define two protection domains: user mode and supervisor mode. Normally, this is sufficient for protecting the ker…
▽ More
Memory protection units (MPUs) are hardware-assisted security features that are commonly used in embedded processors such as the ARM 940T, Infineon TC1775, and Xilinx Zynq. MPUs partition the memory statically, and set individual protection attributes for each partition. MPUs typically define two protection domains: user mode and supervisor mode. Normally, this is sufficient for protecting the kernel and applications. However, we have discovered a way to access a process memory due to a vulnerability in Xilinx MPU (XMPU) implementation that we call Resurrection Attack. We find that XMPU security policy protects user memory from unauthorized access when the user is active. However, when a user's session is terminated, the contents of the memory region of the terminated process are not cleared. An attacker can exploit this vulnerability by gaining access to the memory region after it has been reassigned. The attacker can read the data from the previous user's memory region, thereby compromising the confidentiality. To prevent the Resurrection Attack, the memory region of a terminated process must be cleared. However, this is not the case in the XMPU implementation, which allows our attack to succeed. The Resurrection Attack is a serious security flaw that could be exploited to steal sensitive data or gain unauthorized access to a system. It is important for users of Xilinx FPGAs to be aware of this vulnerability until this flaw is addressed.
△ Less
Submitted 22 May, 2024;
originally announced May 2024.
-
Memory Scra** Attack on Xilinx FPGAs: Private Data Extraction from Terminated Processes
Authors:
Bharadwaj Madabhushi,
Sandip Kundu,
Daniel Holcomb
Abstract:
FPGA-based hardware accelerators are becoming increasingly popular due to their versatility, customizability, energy efficiency, constant latency, and scalability. FPGAs can be tailored to specific algorithms, enabling efficient hardware implementations that effectively leverage algorithm parallelism. This can lead to significant performance improvements over CPUs and GPUs, particularly for highly…
▽ More
FPGA-based hardware accelerators are becoming increasingly popular due to their versatility, customizability, energy efficiency, constant latency, and scalability. FPGAs can be tailored to specific algorithms, enabling efficient hardware implementations that effectively leverage algorithm parallelism. This can lead to significant performance improvements over CPUs and GPUs, particularly for highly parallel applications. For example, a recent study found that Stratix 10 FPGAs can achieve up to 90\% of the performance of a TitanX Pascal GPU while consuming less than 50\% of the power. This makes FPGAs an attractive choice for accelerating machine learning (ML) workloads. However, our research finds privacy and security vulnerabilities in existing ** attack (MSA). This paper makes two main contributions. The first contribution is an attack methodology of using the Xilinx debugger from a different user space. We find that we are able to access process IDs, virtual address spaces, and pagemaps of one user from a different user space because of lack of adequate process isolation. The second contribution is a methodology for characterizing terminated processes and accessing their private data. We illustrate this on Xilinx ML application library.
△ Less
Submitted 22 May, 2024;
originally announced May 2024.
-
Stealing Maggie's Secrets -- On the Challenges of IP Theft Through FPGA Reverse Engineering
Authors:
Simon Klix,
Nils Albartus,
Julian Speith,
Paul Staat,
Alice Verstege,
Annika Wilde,
Daniel Lammers,
Jörn Langheinrich,
Christian Kison,
Sebastian Sester-Wehle,
Daniel Holcomb,
Christof Paar
Abstract:
Intellectual Property (IP) theft is a cause of major financial and reputational damage, reportedly in the range of hundreds of billions of dollars annually in the U.S. alone. Field Programmable Gate Arrays (FPGAs) are particularly exposed to IP theft, because their configuration file contains the IP in a proprietary format that can be mapped to a gate-level netlist with moderate effort. Despite th…
▽ More
Intellectual Property (IP) theft is a cause of major financial and reputational damage, reportedly in the range of hundreds of billions of dollars annually in the U.S. alone. Field Programmable Gate Arrays (FPGAs) are particularly exposed to IP theft, because their configuration file contains the IP in a proprietary format that can be mapped to a gate-level netlist with moderate effort. Despite this threat, the scientific understanding of this issue lacks behind reality, thereby preventing an in-depth assessment of IP theft from FPGAs in academia. We address this discrepancy through a real-world case study on a Lattice iCE40 FPGA found inside iPhone 7. Apple refers to this FPGA as Maggie. By reverse engineering the proprietary signal-processing algorithm implemented on Maggie, we generate novel insights into the actual efforts required to commit FPGA IP theft and the challenges an attacker faces on the way. Informed by our case study, we then introduce generalized netlist reverse engineering techniques that drastically reduce the required manual effort and are applicable across a diverse spectrum of FPGA implementations and architectures. We evaluate these techniques on six benchmarks that are representative of different FPGA applications and have been synthesized for Xilinx and Lattice FPGAs, as well as in an end-to-end white-box case study. Finally, we provide a comprehensive open-source tool suite of netlist reverse engineering techniques to foster future research, enable the community to perform realistic threat assessments, and facilitate the evaluation of novel countermeasures.
△ Less
Submitted 1 July, 2024; v1 submitted 11 December, 2023;
originally announced December 2023.
-
Power Side-Channel Attacks on BNN Accelerators in Remote FPGAs
Authors:
Shayan Moini,
Shanquan Tian,
Jakub Szefer,
Daniel Holcomb,
Russell Tessier
Abstract:
To lower cost and increase the utilization of Cloud Field-Programmable Gate Arrays (FPGAs), researchers have recently been exploring the concept of multi-tenant FPGAs, where multiple independent users simultaneously share the same remote FPGA. Despite its benefits, multi-tenancy opens up the possibility of malicious users co-locating on the same FPGA as a victim user, and extracting sensitive info…
▽ More
To lower cost and increase the utilization of Cloud Field-Programmable Gate Arrays (FPGAs), researchers have recently been exploring the concept of multi-tenant FPGAs, where multiple independent users simultaneously share the same remote FPGA. Despite its benefits, multi-tenancy opens up the possibility of malicious users co-locating on the same FPGA as a victim user, and extracting sensitive information. This issue becomes especially serious when the user is running a machine learning algorithm that is processing sensitive or private information. To demonstrate the dangers, this paper presents a remote, power-based side-channel attack on a deep neural network accelerator running in a variety of Xilinx FPGAs and also on Cloud FPGAs using Amazon Web Services (AWS) F1 instances. This work in particular shows how to remotely obtain voltage estimates as a deep neural network inference circuit executes, and how the information can be used to recover the inputs to the neural network. The attack is demonstrated with a binarized convolutional neural network used to recognize handwriting images from the MNIST handwritten digit database. With the use of precise time-to-digital converters for remote voltage estimation, the MNIST inputs can be successfully recovered with a maximum normalized cross-correlation of 79% between the input image and the recovered image on local FPGA boards and 72% on AWS F1 instances. The attack requires no physical access nor modifications to the FPGA hardware.
△ Less
Submitted 17 April, 2021; v1 submitted 15 November, 2020;
originally announced November 2020.
-
Physical Design Obfuscation of Hardware: A Comprehensive Investigation of Device- and Logic-Level Techniques
Authors:
Arunkumar Vijayakumar,
Vinay C. Patil,
Daniel E. Holcomb,
Christof Paar,
Sandip Kundu
Abstract:
The threat of hardware reverse engineering is a growing concern for a large number of applications. A main defense strategy against reverse engineering is hardware obfuscation. In this paper, we investigate physical obfuscation techniques, which perform alterations of circuit elements that are difficult or impossible for an adversary to observe. The examples of such stealthy manipulations are chan…
▽ More
The threat of hardware reverse engineering is a growing concern for a large number of applications. A main defense strategy against reverse engineering is hardware obfuscation. In this paper, we investigate physical obfuscation techniques, which perform alterations of circuit elements that are difficult or impossible for an adversary to observe. The examples of such stealthy manipulations are changes in the do** concentrations or dielectric manipulations. An attacker will, thus, extract a netlist, which does not correspond to the logic function of the device-under-attack. This approach of camouflaging has garnered recent attention in the literature. In this paper, we expound on this promising direction to conduct a systematic end-to-end study of the VLSI design process to find multiple ways to obfuscate a circuit for hardware security. This paper makes three major contributions. First, we provide a categorization of the available physical obfuscation techniques as it pertains to various design stages. There is a large and multidimensional design space for introducing obfuscated elements and mechanisms, and the proposed taxonomy is helpful for a systematic treatment. Second, we provide a review of the methods that have been proposed or in use. Third, we present recent and new device and logic-level techniques for design obfuscation. For each technique considered, we discuss feasibility of the approach and assess likelihood of its detection. Then we turn our focus to open research questions, and conclude with suggestions for future research directions.
△ Less
Submitted 2 October, 2019;
originally announced October 2019.
-
Temperature-Based Hardware Trojan For Ring-Oscillator-Based TRNGs
Authors:
Samaneh Ghandali,
Daniel Holcomb,
Christof Paar
Abstract:
True random number generators (TRNGs) are essential components of cryptographic designs, which are used to generate private keys for encryption and authentication, and are used in masking countermeasures. In this work, we present a mechanism to design a stealthy parametric hardware Trojan for a ring oscillator based TRNG architecture proposed by Yang et al. at ISSCC 2014. Once the Trojan is trigge…
▽ More
True random number generators (TRNGs) are essential components of cryptographic designs, which are used to generate private keys for encryption and authentication, and are used in masking countermeasures. In this work, we present a mechanism to design a stealthy parametric hardware Trojan for a ring oscillator based TRNG architecture proposed by Yang et al. at ISSCC 2014. Once the Trojan is triggered the malicious TRNG generates predictable non-random outputs. Such a Trojan does not require any additional logic (even a single gate) and is purely based on subtle manipulations on the sub-transistor level. The underlying concept is to disable the entropy source at high temperature to trigger the Trojan, while ensuring that Trojan-infected TRNG works correctly under normal conditions. We show how an attack can be performed with the Trojan-infected TRNG design in which the attacker uses a stochastic Markov Chain model to predict its reduced-entropy outputs.
△ Less
Submitted 22 September, 2019;
originally announced October 2019.
-
Algorithmic Obfuscation over GF($2^m$)
Authors:
Cunxi Yu,
Daniel Holcomb
Abstract:
Galois Field arithmetic blocks are the key components in many security applications, such as Elliptic Curve Cryptography (ECC) and the S-Boxes of the Advanced Encryption Standard (AES) cipher. This paper introduces a novel hardware intellectual property (IP) protection technique by obfuscating arithmetic functions over Galois Field (GF), specifically, focusing on obfuscation of GF multiplication t…
▽ More
Galois Field arithmetic blocks are the key components in many security applications, such as Elliptic Curve Cryptography (ECC) and the S-Boxes of the Advanced Encryption Standard (AES) cipher. This paper introduces a novel hardware intellectual property (IP) protection technique by obfuscating arithmetic functions over Galois Field (GF), specifically, focusing on obfuscation of GF multiplication that underpins complex GF arithmetic and elliptic curve point arithmetic functions. Obfuscating GF multiplication circuits is important because the choice of irreducible polynomials in GF multiplication has the great impact on the performance of the hardware designs, and because the significant effort is spent on finding an optimum irreducible polynomial for a given field, which can provide one company a competitive advantage over another.
△ Less
Submitted 17 September, 2018;
originally announced September 2018.
-
Privacy Leakages in Approximate Adders
Authors:
Shahrzad Keshavarz,
Daniel Holcomb
Abstract:
Approximate computing has recently emerged as a promising method to meet the low power requirements of digital designs. The erroneous outputs produced in approximate computing can be partially a function of each chip's process variation. We show that, in such schemes, the erroneous outputs produced on each chip instance can reveal the identity of the chip that performed the computation, possibly j…
▽ More
Approximate computing has recently emerged as a promising method to meet the low power requirements of digital designs. The erroneous outputs produced in approximate computing can be partially a function of each chip's process variation. We show that, in such schemes, the erroneous outputs produced on each chip instance can reveal the identity of the chip that performed the computation, possibly jeopardizing user privacy. In this work, we perform simulation experiments on 32-bit Ripple Carry Adders, Carry Lookahead Adders, and Han-Carlson Adders running at over-scaled operating points. Our results show that identification is possible, we contrast the identifiability of each type of adder, and we quantify how success of identification varies with the extent of over-scaling and noise. Our results are the first to show that approximate digital computations may compromise privacy. Designers of future approximate computing systems should be aware of the possible privacy leakages and decide whether mitigation is warranted in their application.
△ Less
Submitted 24 February, 2018;
originally announced February 2018.
-
SAT-based Reverse Engineering of Gate-Level Schematics using Fault Injection and Probing
Authors:
Shahrzad Keshavarz,
Falk Schellenberg,
Bastian Richter,
Christof Paar,
Daniel Holcomb
Abstract:
Gate camouflaging is a known security enhancement technique that tries to thwart reverse engineering by hiding the functions of gates or the connections between them. A number of works on SAT-based attacks have shown that it is often possible to reverse engineer a circuit function by combining a camouflaged circuit model and the ability to have oracle access to the obfuscated combinational circuit…
▽ More
Gate camouflaging is a known security enhancement technique that tries to thwart reverse engineering by hiding the functions of gates or the connections between them. A number of works on SAT-based attacks have shown that it is often possible to reverse engineer a circuit function by combining a camouflaged circuit model and the ability to have oracle access to the obfuscated combinational circuit. Especially in small circuits it is easy to reverse engineer the circuit function in this way, but SAT-based reverse engineering techniques provide no guarantees of recovering a circuit that is gate-by-gate equivalent to the original design. In this work we show that an attacker who does not know gate functions or connections of an aggressively camouflaged circuit cannot learn the correct gate-level schematic even if able to control inputs and probe all combinational nodes of the circuit. We then present a stronger attack that extends SAT-based reverse engineering with fault analysis to allow an attacker to recover the correct gate-level schematic. We analyze our reverse engineering approach on an S-Box circuit.
△ Less
Submitted 24 February, 2018;
originally announced February 2018.
-
Threshold-based Obfuscated Keys with Quantifiable Security against Invasive Readout
Authors:
Shahrzad Keshavarz,
Daniel Holcomb
Abstract:
Advances in reverse engineering make it challenging to deploy any on-chip information in a way that is hidden from a determined attacker. A variety of techniques have been proposed for design obfuscation including look-alike cells in which functionality is determined by hard to observe mechanisms including dummy vias or transistor threshold voltages. Threshold-based obfuscation is especially promi…
▽ More
Advances in reverse engineering make it challenging to deploy any on-chip information in a way that is hidden from a determined attacker. A variety of techniques have been proposed for design obfuscation including look-alike cells in which functionality is determined by hard to observe mechanisms including dummy vias or transistor threshold voltages. Threshold-based obfuscation is especially promising because threshold voltages cannot be observed optically and require more sophisticated measurements by the attacker. In this work, we demonstrate the effectiveness of a methodology that applies threshold-defined behavior to memory cells, in combination with error correcting codes to achieve a high degree of protection against invasive reverse engineering. The combination of error correction and small threshold manipulations is significant because it makes the attacker's job harder without compromising the reliability of the obfuscated key. We present analysis to quantify key reliability of our approach, and its resistance to reverse engineering attacks that seek to extract the key through imperfect measurement of transistor threshold voltages. The security analysis and cost metrics we provide allow designers to make a quantifiable tradeoff between cost and security. We find that the combination of small threshold offsets and stronger error correcting codes are advantageous when security is the primary objective.
△ Less
Submitted 25 October, 2017; v1 submitted 23 August, 2017;
originally announced August 2017.
-
Design Automation for Obfuscated Circuits with Multiple Viable Functions
Authors:
Shahrzad Keshavarz,
Christof Paar,
Daniel Holcomb
Abstract:
Gate camouflaging is a technique for obfuscating the function of a circuit against reverse engineering attacks. However, if an adversary has pre-existing knowledge about the set of functions that are viable for an application, random camouflaging of gates will not obfuscate the function well. In this case, the adversary can target their search, and only needs to decide whether each of the viable f…
▽ More
Gate camouflaging is a technique for obfuscating the function of a circuit against reverse engineering attacks. However, if an adversary has pre-existing knowledge about the set of functions that are viable for an application, random camouflaging of gates will not obfuscate the function well. In this case, the adversary can target their search, and only needs to decide whether each of the viable functions could be implemented by the circuit.
In this work, we propose a method for using camouflaged cells to obfuscate a design that has a known set of viable functions. The circuit produced by this method ensures that an adversary will not be able to rule out any viable functions unless she is able to uncover the gate functions of the camouflaged cells. Our method comprises iterated synthesis within an overall optimization loop to combine the viable functions, followed by technology map** to deploy camouflaged cells while maintaining the plausibility of all viable functions. We evaluate our technique on cryptographic S-box functions and show that, relative to a baseline approach, it achieves up to 38\% area reduction in PRESENT-style S-Boxes and 48\% in DES S-boxes.
△ Less
Submitted 1 March, 2017;
originally announced March 2017.
-
Reverse Engineering of Irreducible Polynomials in GF(2^m) Arithmetic
Authors:
Cunxi Yu,
Daniel Holcomb,
Maciej Ciesielski
Abstract:
Current techniques for formally verifying circuits implemented in Galois field (GF) arithmetic are limited to those with a known irreducible polynomial P(x). This paper presents a computer algebra based technique that extracts the irreducible polynomial P(x) used in the implementation of a multiplier in GF(2^m). The method is based on first extracting a unique polynomial in Galois field of each ou…
▽ More
Current techniques for formally verifying circuits implemented in Galois field (GF) arithmetic are limited to those with a known irreducible polynomial P(x). This paper presents a computer algebra based technique that extracts the irreducible polynomial P(x) used in the implementation of a multiplier in GF(2^m). The method is based on first extracting a unique polynomial in Galois field of each output bit independently. P(x) is then obtained by analyzing the algebraic expression in GF(2^m) of each output bit. We demonstrate that this method is able to reverse engineer the irreducible polynomial of an n-bit GF multiplier in n threads. Experiments were performed on Mastrovito and Montgomery multipliers with different P (x), including NIST-recommended polynomials and optimal polynomials for different microprocessor architectures.
△ Less
Submitted 14 December, 2016;
originally announced December 2016.