No Place to Hide: Contactless Probing of Secret Data on FPGAs
Heiko Lohrke, Shahin Tajik, Christian Boit, and Jean-Pierre Seifert
August 17, CHES 2016
FPGA and SoC Security
๏ Programming the application design once into the NVM in a safe environment
๏ The bitstream can be loaded in the field (adversarial environment)
๏ Threats: Cloning/Building, Reverse Engineering, Tampering, Spoofing
[Diagram: Application Design, Bitstream (011010100101), NVM, FPGA]
Bitstream Encryption
[Diagram: Design, AES Encryptor, Red Key, JTAG, BBRAM or eFuse, NVM, Encrypted bitstream (011010100101), AES Decryptor, Bitstream, FPGA]
Attacks against Red Key
๏ Non-invasive attacks: Differential Power Analysis (DPA)
• Solutions: Asymmetric authentication, Key rolling, DPA-resistant decryption cores (hard & soft IP cores)
๏ Semi-invasive attacks: Scanning Electron Microscopy (SEM)
• Solutions: Physically Unclonable Functions (hard & soft IP cores)
๏ No Countermeasures for the FPGA backside yet!
Protecting Key from Tampering
[Diagram: Design, AES Encryptor, Red Key, JTAG, NVM or RoT, Encrypted bitstream (011010100101), Black Key, PUF, AES Decryptor, Bitstream, FPGA]
Our Proposed Attack: Optical Contactless Probing
[Diagram: Laser, Beam Splitter, Objective Lens, Detector, DUT (Frontside, Backside, Active Area)]
๏ Changes of absorption coefficient and refractive index of device in active area by electrical field and current.
๏ Laser Voltage Probing (LVP): Optical beam intensity altered by reflection >> probing of electrical signal on the node
๏ Laser Voltage Imaging (LVI): Feeding the reflected signal to a detector with a narrow band frequency filter >> detecting node switching with this frequency
Experimental Setup
๏ DUT: Altera Cyclone IV FPGA (60 nm)
๏ Laser wavelength: 1.3 µm
๏ PoC Red Key calculation
๏ Soft PUF: Ring-oscillator PUF
๏ Optical Setup: HAMAMATSU PHEMOS 1000
Red Key extraction with LVI (1)
[Diagram: PUF Key Regs, Black Key Regs, ⨁, Red Key Regs; labels: 128, SET]
Red Key extraction with LVI (2)
Red Key extraction with LVP (1)
[Diagram: per-bit Black Key Reg, PUF Key Reg, ⨁ and Red Key Reg with CLK, for bits 127, 126, …, 0]
Red Key extraction with LVP (2)
RO-PUF Characterization with LVI
Localization of Registers
๏ FSBL not encrypted: IP core configurations can be intercepted and analyzed in a similar device
๏ FSBL encrypted: DPA against the hard decryption core to extract the FSBL
๏ DPA not possible: Gaining access to the IP cores through an insider or by being a potential customer.
๏ Hard PUFs: Reverse-engineering of ASIC to localize the registers
Countermeasures
๏ Silicon light sensors cannot be used if the laser beam has a longer wavelength than the silicon band gap!
๏ Possible algorithmic countermeasure: Randomization of the reset states of the registers
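An added toy model (not from the original slides) of LVI's narrow-band detection and of the reset-state randomization countermeasure above. It assumes each key register is reset and then loaded once per loop cycle, so a node switches at the loop frequency only when its loaded bit differs from its reset state; all names and the constructed key are illustrative.

```python
import cmath
import random

CYCLES = 64            # reset/load loop iterations in one measurement (assumed)
SAMPLES_PER_CYCLE = 8  # samples per loop period (assumed)

def node_waveform(bit, reset_state):
    """Node level over time: reset state for half a cycle, then the loaded bit."""
    half = SAMPLES_PER_CYCLE // 2
    return ([reset_state] * half + [bit] * half) * CYCLES

def narrowband_magnitude(wave):
    """Single-bin DFT at the loop frequency, standing in for the narrow-band filter."""
    n = len(wave)
    acc = sum(v * cmath.exp(-2j * cmath.pi * CYCLES * i / n)
              for i, v in enumerate(wave))
    return abs(acc) / n

def activity_map(key_bits, reset_bits, threshold=0.1):
    """1 where a node switches at the loop frequency (magnitude-only detector)."""
    return [int(narrowband_magnitude(node_waveform(b, r)) > threshold)
            for b, r in zip(key_bits, reset_bits)]

def agreement(a, b):
    """Fraction of positions where two bit lists match."""
    return sum(x == y for x, y in zip(a, b)) / len(a)

def demo(seed=2016, width=128):
    rng = random.Random(seed)
    key = [rng.getrandbits(1) for _ in range(width)]   # constructed 128-bit key
    mask = [rng.getrandbits(1) for _ in range(width)]  # randomized reset states
    fixed = activity_map(key, [0] * width)             # every register resets to 0
    randomized = activity_map(key, mask)               # countermeasure enabled
    return key, mask, fixed, randomized

if __name__ == "__main__":
    key, mask, fixed, randomized = demo()
    # Fixed reset state: the switching map reproduces the key bit for bit.
    print("fixed reset, agreement with key:     ", agreement(fixed, key))
    # Randomized reset state: the map is key XOR mask, so it no longer tracks the key.
    print("randomized reset, agreement with key:", agreement(randomized, key))
```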
Conclusion
๏ Replacing the eFuses or BBRAMs with controlled PUFs does not raise the security level of the key storage as high as one would expect in the first place.
๏ Controlled PUFs can be attacked
๏ Much less time is required for optical contactless probing of different signals than FIB microprobing
๏ Future generations of FPGAs remain vulnerable to contactless probing, if the vendors do not implement proper protections or countermeasures