Security issues in FPGA based systems.


Page 1: Security issues in FPGA based systems.

Managing Securities in FPGA-Based Embedded Systems

Presenters: Rajeev Verma, Pratheep Joe Siluvai Iruthayaraj

Page 2: Security issues in FPGA based systems.

Why FPGA?

● Better performance.
  ○ A large number of bit-level operations can be performed.
  ○ Shifting and permutations are achieved by just wiring.
  ○ Extreme level of parallelism.
  ○ Low overheads.
● Rapid time to market.
● Flexible.
● Truth tables or lookup tables are used for hardware acceleration.
● Applications
  ○ Face recognition systems, wireless networks, cryptographic applications, supercomputers and many security applications.

Page 3: Security issues in FPGA based systems.

Reconfigurable systems

● Cryptographic algorithms are generally implemented on FPGAs.
● Encryption devices require strong isolation to segregate plaintext (red) from ciphertext (black).
● Unencrypted data should be unavailable to the black network.

Page 4: Security issues in FPGA based systems.

System Design!

● Shared resources in system
  ○ Shared DRAM, shared bus and shared AES encryption core.
● Domain-1
  ○ MicroBlaze0, RS-232, distinct memory portion
● Domain-2
  ○ MicroBlaze1, an Ethernet interface, another distinct partition of memory

Page 5: Security issues in FPGA based systems.

Applications need separation of data

● Aviation field.
  ○ Uses commercial off-the-shelf (COTS) FPGA components.
  ○ Sensitive and non-sensitive data are processed in the same device.
  ○ This isolation of the sensitive and non-sensitive data is achieved in modern FPGAs.
● Intelligent video surveillance
  ○ FPGA provides deep computation pipelining and isolation.
  ○ Relies on 3 cores
    ■ Video interface for decoding
    ■ Encryption mechanism for processing the video
    ■ Network interface for sending data.

Page 6: Security issues in FPGA based systems.

FPGA System Flow

● Cores can be generated by hand or by software like Xilinx Embedded Development Kit (EDK).

● Bitstream is the final code that goes to the core.

Page 7: Security issues in FPGA based systems.

Reconfigurable Security Problems

● Design-tool subversion
● Composition
● Trusted Foundries
● Bitstream protection

Page 8: Security issues in FPGA based systems.

Design-tool subversion

● A malicious design could destroy the FPGA by causing a short circuit.
● Trusted tools should be used to develop trusted cores.
● Xilinx provides signed cores.

Page 9: Security issues in FPGA based systems.

Composition problem

● For the final design, we can trust the design only as much as the least-trusted design path.
● Systems can be composed at
  ○ Device level
    ■ One or more IP cores reside on a single chip
  ○ Board level
    ■ One or more chips on a single board
  ○ Network level
    ■ Multiple boards are connected through a network
● Now, it is possible to copy the hardware from existing products.
● Protected IP could be a solution.
● A separate chip for each core can be used, which can provide a security advantage.

Page 10: Security issues in FPGA based systems.

Security issues with COTS

● COTS: Commercial off-the-shelf
● The manufacturer should not insert unintended functionality into the FPGA.
● All cores should be flawless so that an attacker can’t exploit them.
● Security flaws should not exist in the running software or the compiler.
● The embedded device depends on other parts of a larger network, which should not be malicious.

Page 11: Security issues in FPGA based systems.

Trusted-Foundry Problem and Bitstream Protection

● Trusted-Foundry Problem
  ○ ASICs have the problem of IP theft.
  ○ FPGAs provide an important security benefit over ASICs on this issue.
● Bitstream Protection
  ○ Secure bitstream uploading is essential to avoid IP theft.
  ○ Such theft impacts the “bottom line”.
  ○ Some FPGAs can be remotely updated in the field.
    ■ Requires a secure channel and authentication.
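One way to meet the authentication requirement for field updates, shown as an added example that is not from the slides. Assumptions: the package layout (`BSUP` header with a version number), a pre-shared device key and HMAC-SHA256 are all hypothetical choices; encrypting the bitstream for confidentiality is out of scope here.

```python
import hashlib
import hmac
import struct

# Constructed package format (assumption): magic, version, payload length.
HEADER = struct.Struct(">4sII")
MAGIC = b"BSUP"
TAG_LEN = 32  # size of an HMAC-SHA256 tag

def package_update(key, version, bitstream):
    """Build side: header || bitstream || HMAC over header and bitstream."""
    body = HEADER.pack(MAGIC, version, len(bitstream)) + bitstream
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_update(key, blob, installed_version):
    """Device side: return (version, bitstream) or raise ValueError.

    The tag is checked before any header field is trusted, and the version
    must be strictly newer so an old, validly signed image cannot be replayed.
    """
    if len(blob) < HEADER.size + TAG_LEN:
        raise ValueError("truncated update")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed")
    magic, version, length = HEADER.unpack_from(body)
    payload = body[HEADER.size:]
    if magic != MAGIC or length != len(payload):
        raise ValueError("malformed header")
    if version <= installed_version:
        raise ValueError("rollback or replay of an old version")
    return version, payload
```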

Page 12: Security issues in FPGA based systems.

Reconfigurable security solutions

● Life-cycle management
  ○ Configuration management stores software with version numbers.
  ○ Any new version is thoroughly tested before a new version is assigned.
  ○ Control over the development environment and tools can support accountability.
  ○ An alternative is to build a custom set of trusted tools for security-critical hardware.
  ○ A critical function of life-cycle protection is to ensure that the output is not malicious.
● Secure Architecture
  ○ FPGA provides self-protected security mechanisms at a low cost.
  ○ Examples
    ■ Memory Protection
    ■ Spatial Isolation
    ■ Tags
    ■ Secure Communication

Page 13: Security issues in FPGA based systems.

Secure Architecture

● Memory Protection
  ○ A reference monitor is a well-known method for legal sharing of memory.
  ○ A reference monitor has these properties:
    ■ Self-protecting.
    ■ Enforcement mechanisms cannot be bypassed.
    ■ Correct and complete.
● Spatial Isolation
  ○ Control over the layout function provides spatial isolation in the FPGA.
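A behavioural model of the reference monitor described under Memory Protection, applied to the two-domain system from the System Design slide. This is an added example, not code from the presentation; the address map and the policy table are constructed assumptions, and only the master and peripheral names come from the slides.

```python
from dataclasses import dataclass

READ, WRITE = "r", "w"

@dataclass(frozen=True)
class Region:
    name: str
    base: int
    size: int

    def contains(self, addr, length):
        # The whole access must fit inside the region; an access that starts
        # inside and runs past the end is rejected, not truncated.
        return length > 0 and self.base <= addr and addr + length <= self.base + self.size

# Constructed memory map (assumption): these addresses are not from the slides.
REGIONS = [
    Region("dram_domain1", 0x8000_0000, 0x0100_0000),
    Region("dram_domain2", 0x8100_0000, 0x0100_0000),
    Region("rs232",        0x4060_0000, 0x0001_0000),
    Region("ethernet",     0x40E0_0000, 0x0001_0000),
    Region("aes_core",     0x4400_0000, 0x0000_1000),
]

# Policy: (bus master, region) -> allowed operations. Anything absent is denied.
POLICY = {
    ("MicroBlaze0", "dram_domain1"): {READ, WRITE},
    ("MicroBlaze0", "rs232"):        {READ, WRITE},
    ("MicroBlaze0", "aes_core"):     {READ, WRITE},
    ("MicroBlaze1", "dram_domain2"): {READ, WRITE},
    ("MicroBlaze1", "ethernet"):     {READ, WRITE},
    ("MicroBlaze1", "aes_core"):     {READ, WRITE},
}

def check_access(master, op, addr, length=4):
    """Return (allowed, detail). Default deny: unmapped or unlisted is refused."""
    for region in REGIONS:
        if region.contains(addr, length):
            if op in POLICY.get((master, region.name), set()):
                return True, region.name
            return False, f"{master} may not {op} {region.name}"
    return False, "address range not inside any single region"

def audit(requests):
    """Check (master, op, addr, length) requests; return the denied ones with reasons."""
    results = [(r, check_access(*r)) for r in requests]
    return [(r, detail) for r, (ok, detail) in results if not ok]
```

Every bus transaction passes through `check_access`, which models the "cannot be bypassed" property; the shared AES core is the one region both domains may reach.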

Page 14: Security issues in FPGA based systems.

Secure Architecture cont..

● Tags
  ○ Ability to track information and its transformation as it flows through the system.
  ○ A tag is metadata that can be attached to each piece of system data.
  ○ Tags can be used in an FPGA at different granularities.
● Secure Communication
  ○ Cores need to share data, so they can’t be isolated.
  ○ Currently, FPGA systems use
    ■ Shared Memory
    ■ Direct connection
    ■ Shared Bus
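A word-granularity model of the Tags mechanism, using the red (plaintext) and black (ciphertext) labels from the Reconfigurable systems slide. This is an added example, not code from the presentation; the sample values are constructed and `toy_encrypt` is an XOR stand-in for the shared AES core, not real encryption.

```python
from dataclasses import dataclass

BLACK, RED = 0, 1  # ordered: RED (plaintext) is more sensitive than BLACK

@dataclass(frozen=True)
class Tagged:
    value: bytes
    tag: int

class TagViolation(Exception):
    pass

def combine(a, b):
    """Any computation over two words: the result carries the higher tag."""
    out = bytes(x ^ y for x, y in zip(a.value, b.value))
    return Tagged(out, max(a.tag, b.tag))

def toy_encrypt(key, data):
    """Stand-in for the shared AES core (XOR only, for illustration).
    In this model it is the only function that lowers a RED tag to BLACK."""
    out = bytes(d ^ key.value[i % len(key.value)] for i, d in enumerate(data.value))
    return Tagged(out, BLACK)

def ethernet_send(word, wire):
    """Egress check at the black-side interface: refuse anything tagged RED."""
    if word.tag != BLACK:
        raise TagViolation("RED-tagged data reached the black network interface")
    wire.append(word.value)

def run_demo():
    key = Tagged(b"\x5a\xa5\x3c\xc3", RED)       # constructed key
    sensor = Tagged(b"\x01\x02\x03\x04", RED)    # constructed plaintext word
    header = Tagged(b"\x10\x20\x30\x40", BLACK)  # constructed public header
    wire, blocked = [], []
    mixed = combine(sensor, header)              # RED taints the result
    candidates = [("header", header), ("mixed", mixed),
                  ("cipher", toy_encrypt(key, sensor))]
    for name, word in candidates:
        try:
            ethernet_send(word, wire)
        except TagViolation:
            blocked.append(name)
    return mixed.tag, blocked, len(wire)
```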

Page 15: Security issues in FPGA based systems.

Future Work

● Multicore Systems
  ○ Chip multiprocessors running multiple threads.
  ○ SoCs with multiple single-purpose cores on a single ASIC.
  ○ New techniques are needed to mediate secure, efficient communication in multicore systems.
● Integration of security primitives.
  ○ If computing units are shared among security domains, then a temporal scheme might be required.
  ○ Spatial schemes, temporal schemes or tags should be designed to meet the security requirements and minimize overhead.

Page 16: Security issues in FPGA based systems.

Future Work

● Reconfigurable Updates
  ○ The latest FPGAs are capable of changing configuration at runtime.
  ○ These dynamic systems need more communication between cores.
  ○ A core's state can be changed from executing to updated.
  ○ These are complicated systems and require new primitives for security.
● Channels and information leakage
  ○ Cores are isolated, but communication can still occur through a covert channel, which can be insecure.
  ○ Another attack is the side-channel attack, e.g. a power-analysis attack.

Page 17: Security issues in FPGA based systems.

Conclusion

● A successful approach must combine life-cycle management and a coherent security architecture.

● Designing any trustworthy complex system is challenging.

● Hardware security is getting more and more important.

Page 18: Security issues in FPGA based systems.

Questions??

Thanks!