Measuring Long Wire Leakage with Ring Oscillators in Cloud FPGAs
Ilias Giechaskiel†‡, Kasper B. Rasmussen†, Jakub Szefer‡
† University of Oxford, ‡ Yale University
9 September 2019
Cloud FPGAs
FPGAs now offered by cloud providers
→ Virtex UltraScale+ on Alibaba, Amazon, Huawei
→ Kintex UltraScale on Baidu, Tencent
→ Intel Arria 10 on Alibaba, OVH
What about malicious designs?
→ Hide physical aspects (DRAM, PCIe, Clock, ...)
→ Prohibit combinatorial loops (e.g., ring oscillators)
Latch-Based RO
Latches are level-sensitive, so they act as buffers: when the gate G is active, the output Q mirrors the input D.
Flip-Flop-Based RO
For a flip-flop-based buffer, use a Flip-Flop with Asynchronous Preset PRE: when PRE is high, the output Q is also high. When the clock C rises, Q mirrors the input D.
Long Wire Leakage
Earlier work: Virtex 5 & 6, Artix & Spartan 7 covert channels
This work: Virtex UltraScale+ leakage (on the cloud!)
Latch-Based Results
Experiments with 1 Local, 8 Amazon, 2 Huawei FPGAs
[Figure: latch per-long delay difference Δd_L^{LD} (fs) per FPGA board (AWS 0 to AWS 7, Huawei 0, Huawei 1, VCU118), one series per Super Logic Region (0, 1, 2)]
→ Δd_L^{LD} > 0 ⟹ leakage detectable on all FPGAs
→ Process variations between FPGAs
→ Variations within FPGAs (between Super Logic Regions)
Flip-Flop-Based Results
Estimates with Flip-Flop ROs are very close
Same with Lookup-Table ROs (all within 10%)
[Figure: register per-long delay difference Δd_L^{FF} (fs) per FPGA board (AWS 0 to AWS 7, Huawei 0, Huawei 1, VCU118), one series per Super Logic Region (0, 1, 2)]
Conclusions
→ Latch-based and flip-flop-based ROs can overcome combinatorial loop restrictions
→ Virtex UltraScale+ FPGA long wires different from earlier generations, but still leak information about their state
→ The three RO designs provide identical leakage estimates
→ Comparison among 33 super logic regions in local, Amazon, and Huawei FPGAs revealed process variations
→ Questions? ilias.giechaskiel@cs.ox.ac.uk
Super Logic Regions
Routing Example
Virtex UltraScale+ Leakage Example
[Figure: ring oscillator count c_i against sample i, for transmitted values 1 and 0]
Virtex UltraScale+ Leakage Characterization
Femtosecond-scale change in delay is proportional to the overlap between the receiver and the transmitter.
[Figure: absolute delay difference Δd^{RO} (s, ×10^{-14}) against number of buffer longs v_t, one series per number of RO longs v_r (1 to 9)]
Flip-Flop- and Lookup-Table-Based Ratios
[Figure: ring oscillator per-long delay ratio per FPGA board (AWS 0 to AWS 7, Huawei 0, Huawei 1, VCU118), one series per Super Logic Region (0, 1, 2); Flip-Flop: Δd_L^{FDPE} / Δd_L^{LD}, LUT: Δd_L^{LUT} / Δd_L^{LD}]
Property 12 2 2 2 VLONG s/CLB VLONG Bidirectional? 0 1 1 2 Virtex 5 VLONG Taps 18 Node Size (nm) 18 VLONG Length 16 28 40 65 16 Virtex 6 Series 7 Virtex US+ � � � × 2 × 8
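Metrics
$$\Delta RC = \frac{C_1^{RO} - C_0^{RO}}{C_1^{RO}} \quad (1)$$
$$\Delta d^{RO} = \frac{1}{2}\left(\frac{1}{f_0^{RO}} - \frac{1}{f_1^{RO}}\right) = \frac{f_1^{RO} - f_0^{RO}}{2 f_0^{RO} f_1^{RO}} \quad (2)$$
$$\Delta d_L = \frac{\Delta d^{RO}}{n} = \frac{1}{n} \cdot C^{CLK} \cdot \frac{C_1^{RO} - C_0^{RO}}{2 f^{CLK} C_1^{RO} C_0^{RO}} \quad (3)$$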
Relative Count Difference
[Figure: relative count difference ΔRC (×10^{-5}) against number of transmitter longs v_t, one series per number of receiver longs v_r (1 to 9)]
Countermeasures
→ Routing Restrictions: Enforce physical isolation between users and potentially-malicious cores.
→ Design Rule Checks: Place restrictions on the generated bitstreams, including prohibiting combinatorial loops, latches, and non-shell clocks.
→ Runtime Protections: Gate clocks and clear the FPGA in response to detected malicious designs.
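Added example (not from the slides or the authors' tooling): a design rule check sketched in Python, showing why a loop check that only follows LUTs misses the latch-based and flip-flop-based ROs, and how also following the latch D-to-Q and flip-flop PRE-to-Q paths flags them without flagging ordinary registered feedback. The netlist format, the cell and pin names, and the single-stage wiring are assumptions constructed for illustration.

```python
# Added example: cell, pin and net names below are constructed for illustration.
# (input, output) pin pairs through which a value propagates with no clock edge.
COMBINATIONAL = {"LUT": [("I", "O")]}
ASYNC_PATHS = {
    **COMBINATIONAL,
    "LD": [("D", "Q")],      # latch: Q mirrors D while the gate G is active
    "FDPE": [("PRE", "Q")],  # flip-flop: Q is high whenever PRE is high
}

def find_loop(cells, nets, paths):
    """Return one loop (list of cell names) closed using only `paths`, else None.
    cells: {name: cell_type}; nets: [((src, src_pin), (dst, dst_pin)), ...]"""
    graph = {name: [] for name in cells}
    for (src, src_pin), (dst, dst_pin) in nets:
        outs = {o for _, o in paths.get(cells[src], ())}
        ins = {i for i, _ in paths.get(cells[dst], ())}
        if src_pin in outs and dst_pin in ins:
            graph[src].append(dst)
    state = {}  # "open" while a cell is on the DFS stack, "done" afterwards

    def visit(cell, path):
        state[cell] = "open"
        for nxt in graph[cell]:
            if state.get(nxt) == "open":  # back edge closes a loop
                return path[path.index(nxt):]
            if nxt not in state:
                found = visit(nxt, path + [nxt])
                if found:
                    return found
        state[cell] = "done"
        return None

    for cell in sorted(cells):
        if cell not in state:
            loop = visit(cell, [cell])
            if loop:
                return loop
    return None

# Constructed one-stage netlists: an inverting LUT whose output returns to its
# own input through a latch, a flip-flop preset, or a clocked D input.
CELLS_LD = {"inv": "LUT", "buf": "LD"}
LATCH_RO = [(("inv", "O"), ("buf", "D")), (("buf", "Q"), ("inv", "I"))]
CELLS_FF = {"inv": "LUT", "ff": "FDPE"}
FF_RO = [(("inv", "O"), ("ff", "PRE")), (("ff", "Q"), ("inv", "I"))]
REGISTERED = [(("inv", "O"), ("ff", "D")), (("ff", "Q"), ("inv", "I"))]
if __name__ == "__main__":
    for cells, nets in [(CELLS_LD, LATCH_RO), (CELLS_FF, FF_RO), (CELLS_FF, REGISTERED)]:
        print(find_loop(cells, nets, COMBINATIONAL), find_loop(cells, nets, ASYNC_PATHS))
```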