<<

FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs, suitable for DFA on AES

Jonas Krautter, Dennis R.E. Gnad, Mehdi B. Tahoori | 10.09.2018

INSTITUTE OF COMPUTER ENGINEERING – CHAIR OF DEPENDABLE NANO COMPUTING

KIT – Die Forschungsuniversität in der Helmholtz-Gemeinschaft www.kit.edu New attack scenarios: Passive on-chip side-channels1 Denial-of-Service2 This work: Fault attacks ... Proof-of-Concept work: Successful DFA on AES

1Schellenberg et al., ”An Inside Job: Remote Attacks on FPGAs”, DATE 2018 2Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017

FPGAhammer: Motivation Remote Voltage Fault Attacks on Shared FPGAs More resources per FPGA ⇒ Multi-user environments:

J. Krautter, D.R.E. Gnad Amazon, Microsoft and introduce FPGA usage in cloud computing and M.B. Tahoori System-on-Chip (SoC) variants, tightly coupled FPGA based systems (Xilinx PYNQ, Intel Xeon FPGA, Intel/Altera-SoCs...) Accelerators deployed to partitions through partial reconfiguration ⇒ Multi-tenant FPGAs

KIT – The Research University in the Helmholtz Association, 10.09.2018 2/26 Proof-of-Concept work: Successful DFA on AES

FPGAhammer: Motivation Remote Voltage Fault Attacks on Shared FPGAs More resources per FPGA ⇒ Multi-user environments:

J. Krautter, D.R.E. Gnad Amazon, Microsoft and introduce FPGA usage in cloud computing and M.B. Tahoori System-on-Chip (SoC) variants, tightly coupled FPGA based systems (Xilinx PYNQ, Intel Xeon FPGA, Intel/Altera-SoCs...) Accelerators deployed to partitions through partial reconfiguration ⇒ Multi-tenant FPGAs New attack scenarios: Passive on-chip side-channels1 Denial-of-Service2 This work: Fault attacks ...

1Schellenberg et al., ”An Inside Job: Remote Power Analysis Attacks on FPGAs”, DATE 2018 2Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017

KIT – The Research University in the Helmholtz Association, 10.09.2018 2/26 FPGAhammer: Motivation Remote Voltage Fault Attacks on Shared FPGAs More resources per FPGA ⇒ Multi-user environments:

J. Krautter, D.R.E. Gnad Amazon, Microsoft and introduce FPGA usage in cloud computing and M.B. Tahoori System-on-Chip (SoC) variants, tightly coupled FPGA based systems (Xilinx PYNQ, Intel Xeon FPGA, Intel/Altera-SoCs...) Accelerators deployed to partitions through partial reconfiguration ⇒ Multi-tenant FPGAs New attack scenarios: Passive on-chip side-channels1 Denial-of-Service2 This work: Fault attacks ... Proof-of-Concept work: Successful DFA on AES

1Schellenberg et al., ”An Inside Job: Remote Power Analysis Attacks on FPGAs”, DATE 2018 2Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017

KIT – The Research University in the Helmholtz Association, 10.09.2018 2/26 Attacker and victim design logically isolated Victim software process has a public interface Chosen- Attack scenario

FPGAhammer: Threat model Remote Voltage Fault Attacks on Shared FPGAs

J. Krautter, D.R.E. Gnad and M.B. Tahoori

Shared FPGA fabric ⇒ Shared Power Distribution Network (PDN)

KIT – The Research University in the Helmholtz Association, 10.09.2018 3/26 Victim software process has a public interface Chosen-Plaintext Attack scenario

FPGAhammer: Threat model Remote Voltage Fault Attacks on Shared FPGAs

J. Krautter, D.R.E. Gnad and M.B. Tahoori

Shared FPGA fabric ⇒ Shared Power Distribution Network (PDN) Attacker and victim design logically isolated

KIT – The Research University in the Helmholtz Association, 10.09.2018 3/26 Chosen-Plaintext Attack scenario

FPGAhammer: Threat model Remote Voltage Fault Attacks on Shared FPGAs

J. Krautter, D.R.E. Gnad and M.B. Tahoori

Shared FPGA fabric ⇒ Shared Power Distribution Network (PDN) Attacker and victim design logically isolated Victim software process has a public interface

KIT – The Research University in the Helmholtz Association, 10.09.2018 3/26 FPGAhammer: Threat model Remote Voltage Fault Attacks on Shared FPGAs

J. Krautter, D.R.E. Gnad and M.B. Tahoori

Shared FPGA fabric ⇒ Shared Power Distribution Network (PDN) Attacker and victim design logically isolated Victim software process has a public interface Chosen-Plaintext Attack scenario

KIT – The Research University in the Helmholtz Association, 10.09.2018 3/26 FPGAhammer: Outline Remote Voltage Fault Attacks on Shared FPGAs 1 Background J. Krautter, D.R.E. Gnad and M.B. Tahoori 2 Fault Injection and Analysis

3 Experimental Setup

4 Results

5 Discussion and Future Work

6 Conclusion

KIT – The Research University in the Helmholtz Association, 10.09.2018 4/26 FPGAhammer: Outline Remote Voltage Fault Attacks on Shared FPGAs 1 Background J. Krautter, D.R.E. Gnad and M.B. Tahoori 2 Fault Injection and Analysis

3 Experimental Setup

4 Results

5 Discussion and Future Work

6 Conclusion

KIT – The Research University in the Helmholtz Association, 10.09.2018 5/26 dI Law of Inductance: Vdrop = I · R + L · dt High current variation ⇒ Power supply voltage variation Lower supply voltage ⇒ Timing faults

FPGAhammer: Power Distribution Network (PDN) Remote Voltage Fault Attacks on Shared FPGAs Interconnections from the voltage regulator down to logic elements

J. Krautter, D.R.E. Gnad Model: RLC-mesh (Resistive, Inductive and Capacitive elements) and M.B. Tahoori

KIT – The Research University in the Helmholtz Association, 10.09.2018 6/26 High current variation ⇒ Power supply voltage variation Lower supply voltage ⇒ Timing faults

FPGAhammer: Power Distribution Network (PDN) Remote Voltage Fault Attacks on Shared FPGAs Interconnections from the voltage regulator down to logic elements

J. Krautter, D.R.E. Gnad Model: RLC-mesh (Resistive, Inductive and Capacitive elements) and M.B. Tahoori

dI Law of Inductance: Vdrop = I · R + L · dt

KIT – The Research University in the Helmholtz Association, 10.09.2018 6/26 Lower supply voltage ⇒ Timing faults

FPGAhammer: Power Distribution Network (PDN) Remote Voltage Fault Attacks on Shared FPGAs Interconnections from the voltage regulator down to logic elements

J. Krautter, D.R.E. Gnad Model: RLC-mesh (Resistive, Inductive and Capacitive elements) and M.B. Tahoori

dI Law of Inductance: Vdrop = I · R + L · dt High current variation ⇒ Power supply voltage variation

KIT – The Research University in the Helmholtz Association, 10.09.2018 6/26 FPGAhammer: Power Distribution Network (PDN) Remote Voltage Fault Attacks on Shared FPGAs Interconnections from the voltage regulator down to logic elements

J. Krautter, D.R.E. Gnad Model: RLC-mesh (Resistive, Inductive and Capacitive elements) and M.B. Tahoori

dI Law of Inductance: Vdrop = I · R + L · dt High current variation ⇒ Power supply voltage variation Lower supply voltage ⇒ Timing faults

KIT – The Research University in the Helmholtz Association, 10.09.2018 6/26 Oscillation ⇒ Gate switching ⇒ Current variation ⇒ Voltage drop RO-grid must be toggled in a very specific way (freq, duty-cycle, delay) ⇒ Calibration of fault injection parameters required

FPGAhammer: Malicious Logic Remote Voltage Fault Attacks on Shared FPGAs Logic element to cause high current variation2: J. Krautter, D.R.E. Gnad Ring Oscillators (ROs) and M.B. Tahoori

2Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017

KIT – The Research University in the Helmholtz Association, 10.09.2018 7/26 RO-grid must be toggled in a very specific way (freq, duty-cycle, delay) ⇒ Calibration of fault injection parameters required

FPGAhammer: Malicious Logic Remote Voltage Fault Attacks on Shared FPGAs Logic element to cause high current variation2: J. Krautter, D.R.E. Gnad Ring Oscillators (ROs) and M.B. Tahoori

Oscillation ⇒ Gate switching ⇒ Current variation ⇒ Voltage drop

2Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017

KIT – The Research University in the Helmholtz Association, 10.09.2018 7/26 ⇒ Calibration of fault injection parameters required

FPGAhammer: Malicious Logic Remote Voltage Fault Attacks on Shared FPGAs Logic element to cause high current variation2: J. Krautter, D.R.E. Gnad Ring Oscillators (ROs) and M.B. Tahoori

Oscillation ⇒ Gate switching ⇒ Current variation ⇒ Voltage drop RO-grid must be toggled in a very specific way (freq, duty-cycle, delay)

2Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017

KIT – The Research University in the Helmholtz Association, 10.09.2018 7/26 FPGAhammer: Malicious Logic Remote Voltage Fault Attacks on Shared FPGAs Logic element to cause high current variation2: J. Krautter, D.R.E. Gnad Ring Oscillators (ROs) and M.B. Tahoori

Oscillation ⇒ Gate switching ⇒ Current variation ⇒ Voltage drop RO-grid must be toggled in a very specific way (freq, duty-cycle, delay) ⇒ Calibration of fault injection parameters required

1.20

1.15 VCC max recommended )

V 1.10 (

C 1.05 C VCC min recommended V 1.00

0.95 0 5 10 15 20 Time (s)

FPGA supply voltage VCC during frequency scan

2Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017

KIT – The Research University in the Helmholtz Association, 10.09.2018 7/26 FPGAhammer: Malicious Logic Remote Voltage Fault Attacks on Shared FPGAs Logic element to cause high current variation2: J. Krautter, D.R.E. Gnad Ring Oscillators (ROs) and M.B. Tahoori

Oscillation ⇒ Gate switching ⇒ Current variation ⇒ Voltage drop RO-grid must be toggled in a very specific way (freq, duty-cycle, delay) ⇒ Calibration of fault injection parameters required

1.20

1.15 VCC max recommended )

V 1.10 (

C 1.05 C VCC min recommended V 1.00 Toggle frequency decrease 0.95 0 5 10 15 20 Time (s)

FPGA supply voltage VCC during frequency scan

2Gnad et al., ”Voltage drop-based fault attacks on FPGAs using valid bitstreams”, FPL 2017

KIT – The Research University in the Helmholtz Association, 10.09.2018 7/26 FPGAhammer: Outline Remote Voltage Fault Attacks on Shared FPGAs 1 Background J. Krautter, D.R.E. Gnad and M.B. Tahoori 2 Fault Injection and Analysis

3 Experimental Setup

4 Results

5 Discussion and Future Work

6 Conclusion

KIT – The Research University in the Helmholtz Association, 10.09.2018 8/26 Original scheme: Single-byte faults before 8th round ⇒ All output bytes faulty Injection requires high precision ⇒ Fault injection before 9th round

Successful injection can be verified

FPGAhammer: Fault Injection and Analysis Remote Voltage Fault Attacks on Shared FPGAs Differential Fault Analysis on AES3

J. Krautter, D.R.E. Gnad and M.B. Tahoori

3Piret et al., ”A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad”, CHES 2003

KIT – The Research University in the Helmholtz Association, 10.09.2018 9/26 Injection requires high precision ⇒ Fault injection before 9th round

Successful injection can be verified

FPGAhammer: Fault Injection and Analysis Remote Voltage Fault Attacks on Shared FPGAs Differential Fault Analysis on AES3

J. Krautter, D.R.E. Gnad Original scheme: Single-byte faults before 8th round and M.B. Tahoori ⇒ All output bytes faulty

3Piret et al., ”A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad”, CHES 2003

KIT – The Research University in the Helmholtz Association, 10.09.2018 9/26 Successful injection can be verified

FPGAhammer: Fault Injection and Analysis Remote Voltage Fault Attacks on Shared FPGAs Differential Fault Analysis on AES3

J. Krautter, D.R.E. Gnad Original scheme: Single-byte faults before 8th round and M.B. Tahoori ⇒ All output bytes faulty Injection requires high precision ⇒ Fault injection before 9th round

3Piret et al., ”A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad”, CHES 2003

KIT – The Research University in the Helmholtz Association, 10.09.2018 9/26 FPGAhammer: Fault Injection and Analysis Remote Voltage Fault Attacks on Shared FPGAs Differential Fault Analysis on AES3

J. Krautter, D.R.E. Gnad Original scheme: Single-byte faults before 8th round and M.B. Tahoori ⇒ All output bytes faulty Injection requires high precision ⇒ Fault injection before 9th round

Successful injection can be verified

3Piret et al., ”A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad”, CHES 2003

KIT – The Research University in the Helmholtz Association, 10.09.2018 9/26 Attacker issues requests while activating RO grid

Fault injection is calibrated until desired faults appear

Calibration is done only once for a specific board

FPGAhammer: Fault Injection and Analysis Remote Voltage Fault Attacks on Shared FPGAs Attacker issues encryption request J. Krautter, D.R.E. Gnad and M.B. Tahoori to get correct

KIT – The Research University in the Helmholtz Association, 10.09.2018 10/26 Fault injection is calibrated until desired faults appear

Calibration is done only once for a specific board

FPGAhammer: Fault Injection and Analysis Remote Voltage Fault Attacks on Shared FPGAs Attacker issues encryption request J. Krautter, D.R.E. Gnad and M.B. Tahoori to get correct ciphertext

Attacker issues encryption requests while activating RO grid

KIT – The Research University in the Helmholtz Association, 10.09.2018 10/26 Calibration is done only once for a specific board

FPGAhammer: Fault Injection and Analysis Remote Voltage Fault Attacks on Shared FPGAs Attacker issues encryption request J. Krautter, D.R.E. Gnad and M.B. Tahoori to get correct ciphertext

Attacker issues encryption requests while activating RO grid

Fault injection is calibrated until desired faults appear

KIT – The Research University in the Helmholtz Association, 10.09.2018 10/26 FPGAhammer: Fault Injection and Analysis Remote Voltage Fault Attacks on Shared FPGAs Attacker issues encryption request J. Krautter, D.R.E. Gnad and M.B. Tahoori to get correct ciphertext

Attacker issues encryption requests while activating RO grid

Fault injection is calibrated until desired faults appear

Calibration is done only once for a specific board

KIT – The Research University in the Helmholtz Association, 10.09.2018 10/26 FPGAhammer: Outline Remote Voltage Fault Attacks on Shared FPGAs 1 Background J. Krautter, D.R.E. Gnad and M.B. Tahoori 2 Fault Injection and Analysis

3 Experimental Setup

4 Results

5 Discussion and Future Work

6 Conclusion

KIT – The Research University in the Helmholtz Association, 10.09.2018 11/26 Entire threat model in one SoC: Attacker and victim software on ARM core Respective IP cores on FPGA fabric Fault injection on SoC, recovery on PC

FPGAhammer: Experimental Setup Remote Voltage Fault Attacks on Shared FPGAs FPGA boards: 3× Terasic DE1-SoC,

J. Krautter, D.R.E. Gnad ARM CPU 1× Terasic DE0-Nano-SoC and M.B. Tahoori 3 boards of the same type 2 different boards RO grid ⇒ Show generality of attack Cyclone V FPGA and ARM Cortex-A9 on one chip Linux environment on ARM Cortex-A9

AES

KIT – The Research University in the Helmholtz Association, 10.09.2018 12/26 Fault injection on SoC, Key recovery on PC

FPGAhammer: Experimental Setup Remote Voltage Fault Attacks on Shared FPGAs FPGA boards: 3× Terasic DE1-SoC,

J. Krautter, D.R.E. Gnad ARM CPU 1× Terasic DE0-Nano-SoC and M.B. Tahoori 3 boards of the same type 2 different boards RO grid ⇒ Show generality of attack Cyclone V FPGA and ARM Cortex-A9 on one chip Linux environment on ARM Cortex-A9 Entire threat model in one SoC: Attacker and victim software on ARM core AES Respective IP cores on FPGA fabric

KIT – The Research University in the Helmholtz Association, 10.09.2018 12/26 FPGAhammer: Experimental Setup Remote Voltage Fault Attacks on Shared FPGAs FPGA boards: 3× Terasic DE1-SoC,

J. Krautter, D.R.E. Gnad ARM CPU 1× Terasic DE0-Nano-SoC and M.B. Tahoori 3 boards of the same type 2 different boards RO grid ⇒ Show generality of attack Cyclone V FPGA and ARM Cortex-A9 on one chip Linux environment on ARM Cortex-A9 Entire threat model in one SoC: Attacker and victim software on ARM core AES Respective IP cores on FPGA fabric Fault injection on SoC, Key recovery on PC

KIT – The Research University in the Helmholtz Association, 10.09.2018 12/26 FPGAhammer: Outline Remote Voltage Fault Attacks on Shared FPGAs 1 Background J. Krautter, D.R.E. Gnad and M.B. Tahoori 2 Fault Injection and Analysis

3 Experimental Setup

4 Results

5 Discussion and Future Work

6 Conclusion

KIT – The Research University in the Helmholtz Association, 10.09.2018 13/26 Evaluate usable (for DFA) faults and total amount of faults Injection rate increases with amount of ROs Injection accuracy decreases after a certain amount

FPGAhammer: Fault Injection Rate vs #RO Remote Voltage Fault Attacks on

Shared FPGAs 105

J. Krautter, D.R.E. Gnad 104 and M.B. Tahoori DE1-SoC-A 103

102

101

100 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50

#faults per million requests Logic utilization by attacker design (% of total LUTs)

Measured total amount of faults Ftot

Measured amount of usable faults FDFA

Experiments on DE1-SoC, design fully constrained

KIT – The Research University in the Helmholtz Association, 10.09.2018 14/26 Injection rate increases with amount of ROs Injection accuracy decreases after a certain amount

FPGAhammer: Fault Injection Rate vs #RO Remote Voltage Fault Attacks on

Shared FPGAs 105

J. Krautter, D.R.E. Gnad 104 and M.B. Tahoori DE1-SoC-A 103

102

101

100 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50

#faults per million requests Logic utilization by attacker design (% of total LUTs)

Measured total amount of faults Ftot

Measured amount of usable faults FDFA

Experiments on DE1-SoC, design fully constrained Evaluate usable (for DFA) faults and total amount of faults

KIT – The Research University in the Helmholtz Association, 10.09.2018 14/26 Injection accuracy decreases after a certain amount

FPGAhammer: Fault Injection Rate vs #RO Remote Voltage Fault Attacks on

Shared FPGAs 105

J. Krautter, D.R.E. Gnad 104 and M.B. Tahoori DE1-SoC-A 103

102

101

100 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50

#faults per million requests Logic utilization by attacker design (% of total LUTs)

Measured total amount of faults Ftot

Measured amount of usable faults FDFA

Experiments on DE1-SoC, design fully constrained Evaluate usable (for DFA) faults and total amount of faults Injection rate increases with amount of ROs

KIT – The Research University in the Helmholtz Association, 10.09.2018 14/26 FPGAhammer: Fault Injection Rate vs #RO Remote Voltage Fault Attacks on

Shared FPGAs 105

J. Krautter, D.R.E. Gnad 104 and M.B. Tahoori DE1-SoC-A 103

102

101

100 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50

#faults per million requests Logic utilization by attacker design (% of total LUTs)

Measured total amount of faults Ftot

Measured amount of usable faults FDFA

Experiments on DE1-SoC, design fully constrained Evaluate usable (for DFA) faults and total amount of faults Injection rate increases with amount of ROs Injection accuracy decreases after a certain amount

KIT – The Research University in the Helmholtz Association, 10.09.2018 14/26 All boards vulnerable, Calibration finds params

Process variation ⇒ Different optimal #RO

FPGAhammer: Fault Injection Rate vs #RO Remote Voltage Fault Attacks on

Shared FPGAs 105

104 J. Krautter, D.R.E. Gnad DE1-SoC-A and M.B. Tahoori 103 Extended experiments: 102 3 different boards 101

100 105

104 DE1-SoC-B 103

102

101

100 105 #faults per million requests

104 DE1-SoC-C 103

102

101

100 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 Logic utilization by attacker design (% of total LUTs)

KIT – The Research University in the Helmholtz Association, 10.09.2018 15/26 Process variation ⇒ Different optimal #RO

FPGAhammer: Fault Injection Rate vs #RO Remote Voltage Fault Attacks on

Shared FPGAs 105

104 J. Krautter, D.R.E. Gnad DE1-SoC-A and M.B. Tahoori 103 Extended experiments: 102 3 different boards 101

100 105

104 DE1-SoC-B All boards vulnerable, 103 Calibration finds params 102

101

100 105 #faults per million requests

104 DE1-SoC-C 103

102

101

100 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 Logic utilization by attacker design (% of total LUTs)

KIT – The Research University in the Helmholtz Association, 10.09.2018 15/26 FPGAhammer: Fault Injection Rate vs #RO Remote Voltage Fault Attacks on

Shared FPGAs 105

104 J. Krautter, D.R.E. Gnad DE1-SoC-A and M.B. Tahoori 103 Extended experiments: 102 3 different boards 101

100 105

104 DE1-SoC-B All boards vulnerable, 103 Calibration finds params 102

101

100 105 #faults per million requests

104 Process variation ⇒ DE1-SoC-C 103 Different optimal #RO

102

101

100 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 Logic utilization by attacker design (% of total LUTs)

KIT – The Research University in the Helmholtz Association, 10.09.2018 15/26 Majority of 5000 keys can be recovered Unrecovered keys due to multi-byte faults

FPGAhammer: Key Recovery on 5000 random keys Remote Voltage Fault Attacks on Shared FPGAs 105 95.7% DE1-SoC-A 87.9% DE1-SoC-B 4 95.6% 10 2.0% DE1-SoC-C J. Krautter, D.R.E. Gnad 2.2% 8.7% and M.B. Tahoori 103 2.9% 1.9% 2.6% 0.0% 2 0.1% 0.5% #keys 10 0.1% 0.2% 0.0% 0.1% 0.1% 101 0.1%

100 Recovered keys 2 4 232 233 264 Amount of key candidates remaining for each key

Experiments on DE1-SoC with best fault injection configuration

KIT – The Research University in the Helmholtz Association, 10.09.2018 16/26 Unrecovered keys due to multi-byte faults

FPGAhammer: Key Recovery on 5000 random keys Remote Voltage Fault Attacks on Shared FPGAs 105 95.7% DE1-SoC-A 87.9% DE1-SoC-B 4 95.6% 10 2.0% DE1-SoC-C J. Krautter, D.R.E. Gnad 2.2% 8.7% and M.B. Tahoori 103 2.9% 1.9% 2.6% 0.0% 2 0.1% 0.5% #keys 10 0.1% 0.2% 0.0% 0.1% 0.1% 101 0.1%

100 Recovered keys 2 4 232 233 264 Amount of key candidates remaining for each key

Experiments on DE1-SoC with best fault injection configuration Majority of 5000 keys can be recovered

KIT – The Research University in the Helmholtz Association, 10.09.2018 16/26 FPGAhammer: Key Recovery on 5000 random keys Remote Voltage Fault Attacks on Shared FPGAs 105 95.7% DE1-SoC-A 87.9% DE1-SoC-B 4 95.6% 10 2.0% DE1-SoC-C J. Krautter, D.R.E. Gnad 2.2% 8.7% and M.B. Tahoori 103 2.9% 1.9% 2.6% 0.0% 2 0.1% 0.5% #keys 10 0.1% 0.2% 0.0% 0.1% 0.1% 101 0.1%

100 Recovered keys 2 4 232 233 264 Amount of key candidates remaining for each key

Experiments on DE1-SoC with best fault injection configuration Majority of 5000 keys can be recovered Unrecovered keys due to multi-byte faults

KIT – The Research University in the Helmholtz Association, 10.09.2018 16/26 FPGAhammer: Outline Remote Voltage Fault Attacks on Shared FPGAs 1 Background J. Krautter, D.R.E. Gnad and M.B. Tahoori 2 Fault Injection and Analysis

3 Experimental Setup

4 Results

5 Discussion and Future Work

6 Conclusion

KIT – The Research University in the Helmholtz Association, 10.09.2018 17/26 Smaller DE0-Nano-SoC: Fully constrained design not vulnerable ⇒ Not all devices are equally vulnerable Alternatives to using ROs may exist Attack may be extended to hard cores (ARM SoC) Possible mitigation: Internal sensors Bitstream checking Voltage islands

FPGAhammer: Discussion and Future Work Remote Voltage Fault Attacks on Shared FPGAs Attack on fully constrained design on DE1-SoC with < 50% resources

J. Krautter, D.R.E. Gnad and M.B. Tahoori

KIT – The Research University in the Helmholtz Association, 10.09.2018 18/26 Alternatives to using ROs may exist Attack may be extended to hard cores (ARM SoC) Possible mitigation: Internal sensors Bitstream checking Voltage islands

FPGAhammer: Discussion and Future Work Remote Voltage Fault Attacks on Shared FPGAs Attack on fully constrained design on DE1-SoC with < 50% resources

J. Krautter, D.R.E. Gnad Smaller DE0-Nano-SoC: Fully constrained design not vulnerable and M.B. Tahoori ⇒ Not all devices are equally vulnerable

KIT – The Research University in the Helmholtz Association, 10.09.2018 18/26 Attack may be extended to hard cores (ARM SoC) Possible mitigation: Internal sensors Bitstream checking Voltage islands

FPGAhammer: Discussion and Future Work Remote Voltage Fault Attacks on Shared FPGAs Attack on fully constrained design on DE1-SoC with < 50% resources

J. Krautter, D.R.E. Gnad Smaller DE0-Nano-SoC: Fully constrained design not vulnerable and M.B. Tahoori ⇒ Not all devices are equally vulnerable Alternatives to using ROs may exist

KIT – The Research University in the Helmholtz Association, 10.09.2018 18/26 Possible mitigation: Internal sensors Bitstream checking Voltage islands

FPGAhammer: Discussion and Future Work Remote Voltage Fault Attacks on Shared FPGAs Attack on fully constrained design on DE1-SoC with < 50% resources

J. Krautter, D.R.E. Gnad Smaller DE0-Nano-SoC: Fully constrained design not vulnerable and M.B. Tahoori ⇒ Not all devices are equally vulnerable Alternatives to using ROs may exist Attack may be extended to hard cores (ARM SoC)

KIT – The Research University in the Helmholtz Association, 10.09.2018 18/26 FPGAhammer: Discussion and Future Work Remote Voltage Fault Attacks on Shared FPGAs Attack on fully constrained design on DE1-SoC with < 50% resources

J. Krautter, D.R.E. Gnad Smaller DE0-Nano-SoC: Fully constrained design not vulnerable and M.B. Tahoori ⇒ Not all devices are equally vulnerable Alternatives to using ROs may exist Attack may be extended to hard cores (ARM SoC) Possible mitigation: Internal sensors Bitstream checking Voltage islands

KIT – The Research University in the Helmholtz Association, 10.09.2018 18/26 FPGAhammer: Outline Remote Voltage Fault Attacks on Shared FPGAs 1 Background J. Krautter, D.R.E. Gnad and M.B. Tahoori 2 Fault Injection and Analysis

3 Experimental Setup

4 Results

5 Discussion and Future Work

6 Conclusion

KIT – The Research University in the Helmholtz Association, 10.09.2018 19/26 Logical isolation is not enough to prevent manipulation Threat model must be considered for FPGA multi-user environments Mitigation may require new/modified hardware

FPGAhammer: Conclusion Remote Voltage Fault Attacks on Shared FPGAs High precision fault injection on shared FPGAs is possible

J. Krautter, D.R.E. Gnad and M.B. Tahoori

KIT – The Research University in the Helmholtz Association, 10.09.2018 20/26 Threat model must be considered for FPGA multi-user environments Mitigation may require new/modified hardware

FPGAhammer: Conclusion Remote Voltage Fault Attacks on Shared FPGAs High precision fault injection on shared FPGAs is possible

J. Krautter, D.R.E. Gnad Logical isolation is not enough to prevent manipulation and M.B. Tahoori

KIT – The Research University in the Helmholtz Association, 10.09.2018 20/26 Mitigation may require new/modified hardware

FPGAhammer: Conclusion Remote Voltage Fault Attacks on Shared FPGAs High precision fault injection on shared FPGAs is possible

J. Krautter, D.R.E. Gnad Logical isolation is not enough to prevent manipulation and M.B. Tahoori Threat model must be considered for FPGA multi-user environments

KIT – The Research University in the Helmholtz Association, 10.09.2018 20/26 FPGAhammer: Conclusion Remote Voltage Fault Attacks on Shared FPGAs High precision fault injection on shared FPGAs is possible

J. Krautter, D.R.E. Gnad Logical isolation is not enough to prevent manipulation and M.B. Tahoori Threat model must be considered for FPGA multi-user environments Mitigation may require new/modified hardware

KIT – The Research University in the Helmholtz Association, 10.09.2018 20/26 FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs

J. Krautter, D.R.E. Gnad and M.B. Tahoori

Thank you for your attention!

KIT – The Research University in the Helmholtz Association, 10.09.2018 21/26 FPGAhammer: Additional Slides – Complete Scan Flow Remote Voltage Fault Attacks on Shared FPGAs

J. Krautter, D.R.E. Gnad and M.B. Tahoori

KIT – The Research University in the Helmholtz Association, 10.09.2018 22/26 FPGAhammer: Additional Slides – Slack Dependent Remote Voltage Analysis Fault Attacks on Shared FPGAs 105 3 J. Krautter, D.R.E. Gnad and M.B. Tahoori 2 104 1

103 0 Reference worst-case setup slack on DE1-SoC for fOP = 111 MHz

1 slack (ns) 102 2

101 3

#faults per million requests 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160

AES clock frequency fop (MHz) Reported worst-case setup slack Reported best-case setup slack

KIT – The Research University in the Helmholtz Association, 10.09.2018 23/26 FPGAhammer: Additional Slides – Slack Dependent Remote Voltage Analysis Fault Attacks on Shared FPGAs 105 3 J. Krautter, D.R.E. Gnad and M.B. Tahoori 2 104 1

103 0 Reference worst-case setup slack on DE1-SoC for fOP = 111 MHz

1 slack (ns) 102 2

101 3

#faults per million requests 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160

AES clock frequency fop (MHz)

Measured amount of usable faults FDFA Reported worst-case setup slack

Measured total amount of faults Ftot Reported best-case setup slack

KIT – The Research University in the Helmholtz Association, 10.09.2018 23/26 FPGAhammer: Additional Slides – Injection Process Remote Voltage

Fault Attacks on 1.20 Shared FPGAs 1.15 VCC max recommended )

J. Krautter, D.R.E. Gnad V 1.10 (

and M.B. Tahoori C C 1.05 VCC min recommended V 1.00 RO activation toggles VCC fluctuation 0.95 1 AES encryption starts

aes_rst_n 0

1

ro_ena 0 0.0 0.5 1.0 1.5 2.0 Time (µs)

Externally measured FPGA supply voltage VCC during fault injection AES reset logic signal (active low) RO grid activation signal

KIT – The Research University in the Helmholtz Association, 10.09.2018 24/26 FPGAhammer: Additional Slides – RO Floorplan Remote Voltage Fault Attacks on Shared FPGAs

J. Krautter, D.R.E. Gnad and M.B. Tahoori Virtual Pins ROs

KIT – The Research University in the Helmholtz Association, 10.09.2018 25/26 FPGAhammer: Additional Slides – Adder Test Design Remote Voltage Fault Attacks on Shared FPGAs

J. Krautter, D.R.E. Gnad and M.B. Tahoori

KIT – The Research University in the Helmholtz Association, 10.09.2018 26/26