FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs ... · ”An Inside Job: Remote Power...
Transcript of FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs ... · ”An Inside Job: Remote Power...
INSTITUTE OF COMPUTER ENGINEERING – CHAIR OF DEPENDABLE NANO COMPUTING
FPGAhammer: Remote Voltage Fault Attacks onShared FPGAs, suitable for DFA on AES
Jonas Krautter, Dennis R.E. Gnad, Mehdi B. Tahoori | 10.09.2018
KIT – Die Forschungsuniversität in der Helmholtz-Gemeinschaft www.kit.edu
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Motivation
More resources per FPGA⇒ Multi-user environments:Amazon, Microsoft and introduce FPGA usage in cloud computingSystem-on-Chip (SoC) variants, tightly coupled FPGA based systems(Xilinx PYNQ, Intel Xeon FPGA, Intel/Altera-SoCs...)Accelerators deployed to partitions through partial reconfiguration⇒ Multi-tenant FPGAs
New attack scenarios:
Passive on-chip side-channels1
Denial-of-Service2
This work: Fault attacks...
Proof-of-Concept work: Successful DFA on AES
1Schellenberg et al., ”An Inside Job: Remote Power Analysis Attacks on FPGAs”, DATE 20182Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017
KIT – The Research University in the Helmholtz Association, 10.09.2018 2/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Motivation
More resources per FPGA⇒ Multi-user environments:Amazon, Microsoft and introduce FPGA usage in cloud computingSystem-on-Chip (SoC) variants, tightly coupled FPGA based systems(Xilinx PYNQ, Intel Xeon FPGA, Intel/Altera-SoCs...)Accelerators deployed to partitions through partial reconfiguration⇒ Multi-tenant FPGAs
New attack scenarios:
Passive on-chip side-channels1
Denial-of-Service2
This work: Fault attacks...
Proof-of-Concept work: Successful DFA on AES
1Schellenberg et al., ”An Inside Job: Remote Power Analysis Attacks on FPGAs”, DATE 20182Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017
KIT – The Research University in the Helmholtz Association, 10.09.2018 2/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Motivation
More resources per FPGA⇒ Multi-user environments:Amazon, Microsoft and introduce FPGA usage in cloud computingSystem-on-Chip (SoC) variants, tightly coupled FPGA based systems(Xilinx PYNQ, Intel Xeon FPGA, Intel/Altera-SoCs...)Accelerators deployed to partitions through partial reconfiguration⇒ Multi-tenant FPGAs
New attack scenarios:
Passive on-chip side-channels1
Denial-of-Service2
This work: Fault attacks...
Proof-of-Concept work: Successful DFA on AES
1Schellenberg et al., ”An Inside Job: Remote Power Analysis Attacks on FPGAs”, DATE 20182Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017
KIT – The Research University in the Helmholtz Association, 10.09.2018 2/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Threat model
Shared FPGA fabric⇒ Shared Power Distribution Network (PDN)
Attacker and victim design logically isolated
Victim software process has a public interface
Chosen-Plaintext Attack scenario
KIT – The Research University in the Helmholtz Association, 10.09.2018 3/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Threat model
Shared FPGA fabric⇒ Shared Power Distribution Network (PDN)
Attacker and victim design logically isolated
Victim software process has a public interface
Chosen-Plaintext Attack scenario
KIT – The Research University in the Helmholtz Association, 10.09.2018 3/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Threat model
Shared FPGA fabric⇒ Shared Power Distribution Network (PDN)
Attacker and victim design logically isolated
Victim software process has a public interface
Chosen-Plaintext Attack scenario
KIT – The Research University in the Helmholtz Association, 10.09.2018 3/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Threat model
Shared FPGA fabric⇒ Shared Power Distribution Network (PDN)
Attacker and victim design logically isolated
Victim software process has a public interface
Chosen-Plaintext Attack scenario
KIT – The Research University in the Helmholtz Association, 10.09.2018 3/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Outline
1 Background
2 Fault Injection and Analysis
3 Experimental Setup
4 Results
5 Discussion and Future Work
6 Conclusion
KIT – The Research University in the Helmholtz Association, 10.09.2018 4/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Outline
1 Background
2 Fault Injection and Analysis
3 Experimental Setup
4 Results
5 Discussion and Future Work
6 Conclusion
KIT – The Research University in the Helmholtz Association, 10.09.2018 5/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Power Distribution Network (PDN)
Interconnections from the voltage regulator down to logic elements
Model: RLC-mesh (Resistive, Inductive and Capacitive elements)
Law of Inductance: Vdrop = I · R + L · dIdt
High current variation⇒ Power supply voltage variation
Lower supply voltage⇒ Timing faults
KIT – The Research University in the Helmholtz Association, 10.09.2018 6/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Power Distribution Network (PDN)
Interconnections from the voltage regulator down to logic elements
Model: RLC-mesh (Resistive, Inductive and Capacitive elements)
Law of Inductance: Vdrop = I · R + L · dIdt
High current variation⇒ Power supply voltage variation
Lower supply voltage⇒ Timing faults
KIT – The Research University in the Helmholtz Association, 10.09.2018 6/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Power Distribution Network (PDN)
Interconnections from the voltage regulator down to logic elements
Model: RLC-mesh (Resistive, Inductive and Capacitive elements)
Law of Inductance: Vdrop = I · R + L · dIdt
High current variation⇒ Power supply voltage variation
Lower supply voltage⇒ Timing faults
KIT – The Research University in the Helmholtz Association, 10.09.2018 6/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Power Distribution Network (PDN)
Interconnections from the voltage regulator down to logic elements
Model: RLC-mesh (Resistive, Inductive and Capacitive elements)
Law of Inductance: Vdrop = I · R + L · dIdt
High current variation⇒ Power supply voltage variation
Lower supply voltage⇒ Timing faults
KIT – The Research University in the Helmholtz Association, 10.09.2018 6/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Malicious Logic
Logic element to cause high current variation2:Ring Oscillators (ROs)
Oscillation⇒ Gate switching⇒ Current variation⇒ Voltage drop
RO-grid must be toggled in a very specific way (freq, duty-cycle, delay)
⇒ Calibration of fault injection parameters required
2Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017
KIT – The Research University in the Helmholtz Association, 10.09.2018 7/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Malicious Logic
Logic element to cause high current variation2:Ring Oscillators (ROs)
Oscillation⇒ Gate switching⇒ Current variation⇒ Voltage drop
RO-grid must be toggled in a very specific way (freq, duty-cycle, delay)
⇒ Calibration of fault injection parameters required
2Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017
KIT – The Research University in the Helmholtz Association, 10.09.2018 7/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Malicious Logic
Logic element to cause high current variation2:Ring Oscillators (ROs)
Oscillation⇒ Gate switching⇒ Current variation⇒ Voltage drop
RO-grid must be toggled in a very specific way (freq, duty-cycle, delay)
⇒ Calibration of fault injection parameters required
2Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017
KIT – The Research University in the Helmholtz Association, 10.09.2018 7/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Malicious Logic
Logic element to cause high current variation2:Ring Oscillators (ROs)
Oscillation⇒ Gate switching⇒ Current variation⇒ Voltage drop
RO-grid must be toggled in a very specific way (freq, duty-cycle, delay)
⇒ Calibration of fault injection parameters required
0 5 10 15 20
Time (s)
0.95
1.00
1.05
1.10
1.15
1.20
VCC (
V)
VCC min recommended
VCC max recommended
FPGA supply voltage VCC during frequency scan
2Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017
KIT – The Research University in the Helmholtz Association, 10.09.2018 7/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Malicious Logic
Logic element to cause high current variation2:Ring Oscillators (ROs)
Oscillation⇒ Gate switching⇒ Current variation⇒ Voltage drop
RO-grid must be toggled in a very specific way (freq, duty-cycle, delay)
⇒ Calibration of fault injection parameters required
0 5 10 15 20
Time (s)
0.95
1.00
1.05
1.10
1.15
1.20
VCC (
V)
VCC min recommended
VCC max recommended
Toggle frequency decrease
FPGA supply voltage VCC during frequency scan
2Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017
KIT – The Research University in the Helmholtz Association, 10.09.2018 7/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Outline
1 Background
2 Fault Injection and Analysis
3 Experimental Setup
4 Results
5 Discussion and Future Work
6 Conclusion
KIT – The Research University in the Helmholtz Association, 10.09.2018 8/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection and Analysis
Differential Fault Analysis on AES3
Original scheme: Single-byte faults before 8th round
⇒ All output bytes faulty
Injection requires high precision
⇒ Fault injection before 9th round
Successful injection can be verified
3Piret et al., ”A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad”, CHES 2003
KIT – The Research University in the Helmholtz Association, 10.09.2018 9/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection and Analysis
Differential Fault Analysis on AES3
Original scheme: Single-byte faults before 8th round
⇒ All output bytes faulty
Injection requires high precision
⇒ Fault injection before 9th round
Successful injection can be verified
3Piret et al., ”A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad”, CHES 2003
KIT – The Research University in the Helmholtz Association, 10.09.2018 9/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection and Analysis
Differential Fault Analysis on AES3
Original scheme: Single-byte faults before 8th round
⇒ All output bytes faulty
Injection requires high precision
⇒ Fault injection before 9th round
Successful injection can be verified
3Piret et al., ”A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad”, CHES 2003
KIT – The Research University in the Helmholtz Association, 10.09.2018 9/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection and Analysis
Differential Fault Analysis on AES3
Original scheme: Single-byte faults before 8th round
⇒ All output bytes faulty
Injection requires high precision
⇒ Fault injection before 9th round
Successful injection can be verified
3Piret et al., ”A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad”, CHES 2003
KIT – The Research University in the Helmholtz Association, 10.09.2018 9/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection and Analysis
Attacker issues encryption requestto get correct ciphertext
Attacker issues encryptionrequests while activating RO grid
Fault injection is calibrated untildesired faults appear
Calibration is done only once for aspecific board
KIT – The Research University in the Helmholtz Association, 10.09.2018 10/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection and Analysis
Attacker issues encryption requestto get correct ciphertext
Attacker issues encryptionrequests while activating RO grid
Fault injection is calibrated untildesired faults appear
Calibration is done only once for aspecific board
KIT – The Research University in the Helmholtz Association, 10.09.2018 10/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection and Analysis
Attacker issues encryption requestto get correct ciphertext
Attacker issues encryptionrequests while activating RO grid
Fault injection is calibrated untildesired faults appear
Calibration is done only once for aspecific board
KIT – The Research University in the Helmholtz Association, 10.09.2018 10/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection and Analysis
Attacker issues encryption requestto get correct ciphertext
Attacker issues encryptionrequests while activating RO grid
Fault injection is calibrated untildesired faults appear
Calibration is done only once for aspecific board
KIT – The Research University in the Helmholtz Association, 10.09.2018 10/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Outline
1 Background
2 Fault Injection and Analysis
3 Experimental Setup
4 Results
5 Discussion and Future Work
6 Conclusion
KIT – The Research University in the Helmholtz Association, 10.09.2018 11/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Experimental Setup
RO grid
AES
AR
M C
PU
FPGA boards: 3× Terasic DE1-SoC,1× Terasic DE0-Nano-SoC
3 boards of the same type2 different boards⇒ Show generality of attack
Cyclone V FPGA and ARM Cortex-A9 on one chip
Linux environment on ARM Cortex-A9
Entire threat model in one SoC:Attacker and victim software on ARM coreRespective IP cores on FPGA fabric
Fault injection on SoC, Key recovery on PC
KIT – The Research University in the Helmholtz Association, 10.09.2018 12/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Experimental Setup
RO grid
AES
AR
M C
PU
FPGA boards: 3× Terasic DE1-SoC,1× Terasic DE0-Nano-SoC
3 boards of the same type2 different boards⇒ Show generality of attack
Cyclone V FPGA and ARM Cortex-A9 on one chip
Linux environment on ARM Cortex-A9Entire threat model in one SoC:
Attacker and victim software on ARM coreRespective IP cores on FPGA fabric
Fault injection on SoC, Key recovery on PC
KIT – The Research University in the Helmholtz Association, 10.09.2018 12/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Experimental Setup
RO grid
AES
AR
M C
PU
FPGA boards: 3× Terasic DE1-SoC,1× Terasic DE0-Nano-SoC
3 boards of the same type2 different boards⇒ Show generality of attack
Cyclone V FPGA and ARM Cortex-A9 on one chip
Linux environment on ARM Cortex-A9Entire threat model in one SoC:
Attacker and victim software on ARM coreRespective IP cores on FPGA fabric
Fault injection on SoC, Key recovery on PC
KIT – The Research University in the Helmholtz Association, 10.09.2018 12/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Outline
1 Background
2 Fault Injection and Analysis
3 Experimental Setup
4 Results
5 Discussion and Future Work
6 Conclusion
KIT – The Research University in the Helmholtz Association, 10.09.2018 13/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection Rate vs #RO
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
Logic utilization by attacker design (% of total LUTs)
100
101
102
103
104
105
#fa
ult
s per
mill
ion r
equest
s
DE1-SoC-A
Measured total amount of faults FtotMeasured amount of usable faults FDFA
Experiments on DE1-SoC, design fully constrained
Evaluate usable (for DFA) faults and total amount of faults
Injection rate increases with amount of ROs
Injection accuracy decreases after a certain amount
KIT – The Research University in the Helmholtz Association, 10.09.2018 14/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection Rate vs #RO
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
Logic utilization by attacker design (% of total LUTs)
100
101
102
103
104
105
#fa
ult
s per
mill
ion r
equest
s
DE1-SoC-A
Measured total amount of faults FtotMeasured amount of usable faults FDFA
Experiments on DE1-SoC, design fully constrained
Evaluate usable (for DFA) faults and total amount of faults
Injection rate increases with amount of ROs
Injection accuracy decreases after a certain amount
KIT – The Research University in the Helmholtz Association, 10.09.2018 14/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection Rate vs #RO
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
Logic utilization by attacker design (% of total LUTs)
100
101
102
103
104
105
#fa
ult
s per
mill
ion r
equest
s
DE1-SoC-A
Measured total amount of faults FtotMeasured amount of usable faults FDFA
Experiments on DE1-SoC, design fully constrained
Evaluate usable (for DFA) faults and total amount of faults
Injection rate increases with amount of ROs
Injection accuracy decreases after a certain amount
KIT – The Research University in the Helmholtz Association, 10.09.2018 14/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection Rate vs #RO
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
Logic utilization by attacker design (% of total LUTs)
100
101
102
103
104
105
#fa
ult
s per
mill
ion r
equest
s
DE1-SoC-A
Measured total amount of faults FtotMeasured amount of usable faults FDFA
Experiments on DE1-SoC, design fully constrained
Evaluate usable (for DFA) faults and total amount of faults
Injection rate increases with amount of ROs
Injection accuracy decreases after a certain amount
KIT – The Research University in the Helmholtz Association, 10.09.2018 14/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection Rate vs #RO
100
101
102
103
104
105
DE1-SoC-A
100
101
102
103
104
105
#fa
ult
s per
mill
ion r
equest
s
DE1-SoC-B
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
Logic utilization by attacker design (% of total LUTs)
100
101
102
103
104
105
DE1-SoC-C
Extended experiments:3 different boards
All boards vulnerable,Calibration finds params
Process variation⇒Different optimal #RO
KIT – The Research University in the Helmholtz Association, 10.09.2018 15/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection Rate vs #RO
100
101
102
103
104
105
DE1-SoC-A
100
101
102
103
104
105
#fa
ult
s per
mill
ion r
equest
s
DE1-SoC-B
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
Logic utilization by attacker design (% of total LUTs)
100
101
102
103
104
105
DE1-SoC-C
Extended experiments:3 different boards
All boards vulnerable,Calibration finds params
Process variation⇒Different optimal #RO
KIT – The Research University in the Helmholtz Association, 10.09.2018 15/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Fault Injection Rate vs #RO
100
101
102
103
104
105
DE1-SoC-A
100
101
102
103
104
105
#fa
ult
s per
mill
ion r
equest
s
DE1-SoC-B
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50
Logic utilization by attacker design (% of total LUTs)
100
101
102
103
104
105
DE1-SoC-C
Extended experiments:3 different boards
All boards vulnerable,Calibration finds params
Process variation⇒Different optimal #RO
KIT – The Research University in the Helmholtz Association, 10.09.2018 15/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Key Recovery on 5000 random keys
Recovered keys 2 4 232 233 264
Amount of key candidates remaining for each key100
101
102
103
104
105
#key
s
95.6%
2.6%
0.1%
1.9%
0.1%0.0%
87.9%
2.9%
0.1%
8.7%
0.2%0.5%
95.7%
2.2%
0.1%
2.0%
0.1%0.0%
DE1-SoC-ADE1-SoC-BDE1-SoC-C
Experiments on DE1-SoC with best fault injection configuration
Majority of 5000 keys can be recovered
Unrecovered keys due to multi-byte faults
KIT – The Research University in the Helmholtz Association, 10.09.2018 16/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Key Recovery on 5000 random keys
Recovered keys 2 4 232 233 264
Amount of key candidates remaining for each key100
101
102
103
104
105
#key
s
95.6%
2.6%
0.1%
1.9%
0.1%0.0%
87.9%
2.9%
0.1%
8.7%
0.2%0.5%
95.7%
2.2%
0.1%
2.0%
0.1%0.0%
DE1-SoC-ADE1-SoC-BDE1-SoC-C
Experiments on DE1-SoC with best fault injection configuration
Majority of 5000 keys can be recovered
Unrecovered keys due to multi-byte faults
KIT – The Research University in the Helmholtz Association, 10.09.2018 16/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Key Recovery on 5000 random keys
Recovered keys 2 4 232 233 264
Amount of key candidates remaining for each key100
101
102
103
104
105
#key
s
95.6%
2.6%
0.1%
1.9%
0.1%0.0%
87.9%
2.9%
0.1%
8.7%
0.2%0.5%
95.7%
2.2%
0.1%
2.0%
0.1%0.0%
DE1-SoC-ADE1-SoC-BDE1-SoC-C
Experiments on DE1-SoC with best fault injection configuration
Majority of 5000 keys can be recovered
Unrecovered keys due to multi-byte faults
KIT – The Research University in the Helmholtz Association, 10.09.2018 16/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Outline
1 Background
2 Fault Injection and Analysis
3 Experimental Setup
4 Results
5 Discussion and Future Work
6 Conclusion
KIT – The Research University in the Helmholtz Association, 10.09.2018 17/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Discussion and Future Work
Attack on fully constrained design on DE1-SoC with < 50% resources
Smaller DE0-Nano-SoC: Fully constrained design not vulnerable
⇒ Not all devices are equally vulnerable
Alternatives to using ROs may exist
Attack may be extended to hard cores (ARM SoC)Possible mitigation:
Internal sensorsBitstream checkingVoltage islands
KIT – The Research University in the Helmholtz Association, 10.09.2018 18/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Discussion and Future Work
Attack on fully constrained design on DE1-SoC with < 50% resources
Smaller DE0-Nano-SoC: Fully constrained design not vulnerable
⇒ Not all devices are equally vulnerable
Alternatives to using ROs may exist
Attack may be extended to hard cores (ARM SoC)Possible mitigation:
Internal sensorsBitstream checkingVoltage islands
KIT – The Research University in the Helmholtz Association, 10.09.2018 18/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Discussion and Future Work
Attack on fully constrained design on DE1-SoC with < 50% resources
Smaller DE0-Nano-SoC: Fully constrained design not vulnerable
⇒ Not all devices are equally vulnerable
Alternatives to using ROs may exist
Attack may be extended to hard cores (ARM SoC)Possible mitigation:
Internal sensorsBitstream checkingVoltage islands
KIT – The Research University in the Helmholtz Association, 10.09.2018 18/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Discussion and Future Work
Attack on fully constrained design on DE1-SoC with < 50% resources
Smaller DE0-Nano-SoC: Fully constrained design not vulnerable
⇒ Not all devices are equally vulnerable
Alternatives to using ROs may exist
Attack may be extended to hard cores (ARM SoC)
Possible mitigation:Internal sensorsBitstream checkingVoltage islands
KIT – The Research University in the Helmholtz Association, 10.09.2018 18/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Discussion and Future Work
Attack on fully constrained design on DE1-SoC with < 50% resources
Smaller DE0-Nano-SoC: Fully constrained design not vulnerable
⇒ Not all devices are equally vulnerable
Alternatives to using ROs may exist
Attack may be extended to hard cores (ARM SoC)Possible mitigation:
Internal sensorsBitstream checkingVoltage islands
KIT – The Research University in the Helmholtz Association, 10.09.2018 18/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Outline
1 Background
2 Fault Injection and Analysis
3 Experimental Setup
4 Results
5 Discussion and Future Work
6 Conclusion
KIT – The Research University in the Helmholtz Association, 10.09.2018 19/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Conclusion
High precision fault injection on shared FPGAs is possible
Logical isolation is not enough to prevent manipulation
Threat model must be considered for FPGA multi-user environments
Mitigation may require new/modified hardware
KIT – The Research University in the Helmholtz Association, 10.09.2018 20/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Conclusion
High precision fault injection on shared FPGAs is possible
Logical isolation is not enough to prevent manipulation
Threat model must be considered for FPGA multi-user environments
Mitigation may require new/modified hardware
KIT – The Research University in the Helmholtz Association, 10.09.2018 20/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Conclusion
High precision fault injection on shared FPGAs is possible
Logical isolation is not enough to prevent manipulation
Threat model must be considered for FPGA multi-user environments
Mitigation may require new/modified hardware
KIT – The Research University in the Helmholtz Association, 10.09.2018 20/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Conclusion
High precision fault injection on shared FPGAs is possible
Logical isolation is not enough to prevent manipulation
Threat model must be considered for FPGA multi-user environments
Mitigation may require new/modified hardware
KIT – The Research University in the Helmholtz Association, 10.09.2018 20/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Thank you for your attention!
KIT – The Research University in the Helmholtz Association, 10.09.2018 21/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Additional Slides – Complete Scan Flow
KIT – The Research University in the Helmholtz Association, 10.09.2018 22/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Additional Slides – Slack DependentAnalysis
3
2
1
0
1
2
3
slack
(ns)
Reported worst-case setup slack
Reported best-case setup slack
142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160
AES clock frequency fop (MHz)
101
102
103
104
105
#fa
ult
s per
mill
ion r
equest
s
Reference worst-case setup slack on DE1-SoC for fOP = 111 MHz
KIT – The Research University in the Helmholtz Association, 10.09.2018 23/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Additional Slides – Slack DependentAnalysis
3
2
1
0
1
2
3
slack
(ns)
Measured amount of usable faults FDFAMeasured total amount of faults Ftot
Reported worst-case setup slack
Reported best-case setup slack
142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160
AES clock frequency fop (MHz)
101
102
103
104
105
#fa
ult
s per
mill
ion r
equest
s
Reference worst-case setup slack on DE1-SoC for fOP = 111 MHz
KIT – The Research University in the Helmholtz Association, 10.09.2018 23/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Additional Slides – Injection Process
0.95
1.00
1.05
1.10
1.15
1.20
VCC (
V)
VCC min recommended
VCC max recommended
RO activationtoggles VCC fluctuation
0
1aes_
rst_
nAES encryption starts
0.0 0.5 1.0 1.5 2.0
Time (µs)
0
1
ro_e
na
Externally measured FPGA supply voltage VCC during fault injection
AES reset logic signal (active low)
RO grid activation signal
KIT – The Research University in the Helmholtz Association, 10.09.2018 24/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Additional Slides – RO Floorplan
RO
s
Virtu
al P
ins
KIT – The Research University in the Helmholtz Association, 10.09.2018 25/26
FPGAhammer:Remote VoltageFault Attacks onShared FPGAs
J. Krautter, D.R.E. Gnadand M.B. Tahoori
Additional Slides – Adder Test Design
KIT – The Research University in the Helmholtz Association, 10.09.2018 26/26