RESEARCH INSIGHTS – Hardware Design: FPGA Security Risks
Total Page:16
File Type:pdf, Size:1020Kb
RESEARCH INSIGHTS Hardware Design: FPGA Security Risks www.nccgroup.trust CONTENTS Author 3 Introduction 4 FPGA History 6 FPGA Development 10 FPGA Security Assessment 12 Conclusion 17 Glossary 18 References & Further Reading 19 NCC Group Research Insights 2 All Rights Reserved. © NCC Group 2015 AUTHOR DUNCAN HURWOOD Duncan is a senior consultant at NCC Group, specialising in telecom, embedded systems and application review. He has over 18 years’ experience within the telecom and security industry performing almost every role within the software development cycle from design and development to integration and product release testing. A dedicated security assessor since 2010, his consultancy experience includes multiple technologies, languages and platforms from web and mobile applications, to consumer devices and high-end telecom hardware. NCC Group Research Insights 3 All Rights Reserved. © NCC Group 2015 GLOSSARY AES Advanced encryption standard, a cryptography OTP One time programmable, allowing write once cipher only ASIC Application-specific integrated circuit, non- PCB Printed circuit board programmable hardware logic chip PLA Programmable logic array, forerunner of FPGA Bitfile Binary instruction file used to program FPGAs technology CLB Configurable logic block, an internal part of an PUF Physically unclonable function FPGA POWF Physical one-way function CPLD Complex programmable logic device PSoC Programmable system on chip, an FPGA and EEPROM Electronically erasable programmable read- other hardware on a single chip only memory SoC System on chip, a non-programmable logic chip eFuse A system to allow one-time writing of data with additional hardware Flash Non-volatile memory SRAM Static RAM, volatile memory storage FPGA Field programmable gate array SystemVerilog HDL programming language, extension of Verilog from 2002 onwards HDL Hardware description language, such as Verilog or VHDL Verilog HDL programming language, developed in the 1980s and 1990s, with C-like syntax JTAG Standard test access port on a device (IEEE 1149.1 – 1990) VHDL HDL programming language, developed from the 1980s, based on ADA NVRAM Non-volatile RAM, retaining value after power loss NCC Group Research Insights 18 All Rights Reserved. © NCC Group 2015 INTRODUCTION This document provides an introduction to the use of FPGAs. The paper examines the process of developing configuration FPGA stands for field-programmable gate array. An FPGA is a binaries for FPGA devices and the potential security problems that logic device whose function can be changed while the device is could be encountered. It assumes no prior knowledge of FPGA in place within its working environment, allowing the hardware technology. processing of a system to be altered by an external configuration The information in this paper is useful for anyone who works loading process. Configuration bitstreams for FPGAs can be used with embedded devices, software and hardware developers or to change the logical processing of input data, and so alter the producers who may want to understand the potential security risks functionality of a device. of using FPGAs within their devices. The most common uses of FPGAs are areas within automotive, medical, factory equipment and defence equipment that required rapid concurrent processing. NCC Group Research Insights 4 All Rights Reserved. © NCC Group 2015 FPGA History The direct antecedents of FGPAs were the programmable The key step in the development of modern FPGAs was logic array (PLA) chips of the late 1970s which allowed the the invention of reliable non-volatile electronically erasable programming, though usually not the reprogramming, of a set of programmable read-only memory (EEPROM), and its derivative AND and OR gates into the equivalent of a state machine. The flash memory, in the early 1980s. The use of NAND flash development of the technology encompassed several strands, memory provided a reliable and quick storage system for FPGA including the concurrent, but initially quite distinct, development configuration files and made it feasible to load behavioural logic of programmable array logic (PAL) chips, which themselves onto FPGA chips during system start-up. diversified into complex programmable logic devices (CPLDs). With the separation of logical behaviour storage from the chip carrying out the operations, the ability to alter the programming Top-of-the range modern of the device in the field became feasible. Consequently the appearance of non-volatile RAM (NVRAM) in proximity to FPGA FPGA chips have kept chips in order to store the FPGA configuration file is expected. pace with processor As FPGAs have evolved, the simplicity of the design has been evolution and can be far complicated by the development of programmable system-on-chip (PSoC) families, where processors, non-volatile memory, timing more effective compared to sources, and connecting buses are all present alongside the microprocessors. FPGA. The configuration file for the FPGA can be loaded directly onto these chips, without the need for an external NVRAM device. Many PSoC devices have pre-configured libraries of available FPGA devices initially differed from CPLD through the use of functions and allow quicker initial development, but using such on-board static random-access memory (SRAM). This volatile devices incurs the cost of reduced flexibility. storage system is used as a short-cut, providing the result of logic operations as data in a look-up table. Multiple data operations are combined in a series of complex logic blocks (CLB). The results of As FPGAs have evolved, the CLB operations are routed via switch blocks to chip outputs or the simplicity of the design as inputs to additional CLB operations. Therefore the complexity of the processing within FPGAs is limited by the number of logical has been complicated operations on a chip, usually determined by the semiconductor by the development of technology, measured since the late 1980s in nanometre size. programmable system-on- Chip complexity has expanded both by increased density of logical operation, approximately following Moore’s Law since 1965, and chip (PSoC) families. physically, as additional layers can be added horizontally to chip design. The result is that top-of-the range modern FPGA chips ASICs are related to FPGAs and often mentioned alongside them. have kept pace with processor evolution and can be far more An ASIC (application-specific integrated circuit) can perform the effective compared to microprocessors when reliable concurrent same function as an FPGA, but it is not reprogrammable. Instead, or low latency operations are required. the circuit design is fixed during manufacture. NCC Group Research Insights 6 All Rights Reserved. © NCC Group 2015 Because of this, ASICs may share logical security flaws with Initial solutions were to use one-time programmable (OTP) FPGAs FPGA devices, but not issues related to reprogramming. ASICs without on board SDRAM, but subsequently several companies, often require a great deal of investment to design correctly (using such as Microsemi [1] and Xilinx [2], developed radiation-tolerant FPGAs as prototypes within that process) but will run at a much FPGAs, specifically for use in non-terrestrial or vulnerable lower power and are therefore suitable for mass-production use locations. within smaller devices. In each case FPGAs will be used where multiple simultaneous inputs must be dealt with inside a limited time or where a strictly An ASIC (application- defined latency must be adhered to. While this need can be specific integrated circuit) addressed with a microcontroller running a real-time operating system, the advantages gained by parallel processing of signals can perform the same can produce timing and precision advantages for FPGAs. function as an FPGA, but it FPGAs have also found increasing use within four recent growth is not reprogrammable. areas: • Automotive, where increasing numbers of monitor points Note that the use of ASICs requires that a design has been require simultaneous processing under extremely time-limited exhaustively proven to function correctly, and therefore the conditions. As vehicles continue to increase the areas in resources needed to develop them are significantly greater. The which autonomous controls can back up or supplant human cost of each iteration of ASIC design can be very large, depending decisions, vehicle data processing must take account of all on the number of layers within the chip, with each layer requiring inputs at the same time. A sequential review of data may not a separate mask to specify the connections on the chip precisely. produce the correct result in the short window of opportunity. This means that ASICs are only economical when used within • Medical, where the electronic devices within the devices with a large volume of sales. armamentarium are often not produced in the numbers required to make ASIC development feasible. Medical applications using FPGAs are particularly focused on image Use of FPGAs processing. As FPGAs are logic processing units there is no set application • Data communication, both in data centres and where wired for which they are used. Unlike a CPU or microprocessor, which communication requires rapid processing of simultaneous processes instructions through a sequential list, an FPGA will signals. process instructions in parallel and therefore will be capable of handling multiple concurrent inputs simultaneously. Uses for this • Cryptography, especially during the Bitcoin mania,