No Place to Hide: Contactless Probing of Secret Data on FPGAs

Heiko Lohrke, Shahin Tajik, Christian Boit, and Jean-Pierre Seifert

August 17, CHES 2016


FPGA and SoC Security

๏ Programming the application design once into the NVM in a safe environment

๏ The bitstream can be loaded in the field (adversarial environment)

๏ Threats: Cloning/Building, Reverse Engineering, Tampering, Spoofing

[Diagram labels: Application Design, Bitstream (011010100101), NVM, FPGA]


Bitstream Encryption

[Diagram labels: Design, Bitstream, AES Encryptor, Red Key, encrypted bitstream (011010100101) in NVM, Red Key loaded via JTAG into BBRAM or eFuse, FPGA, AES Decryptor]


Attacks against Red Key

๏ Non-invasive attacks: Differential Power Analysis (DPA)

• Solutions: Asymmetric authentication, Key rolling, DPA-resistant decryption cores (hard & soft IP cores)

๏ Semi-invasive attacks: Scanning Electron Microscopy (SEM)

• Solutions: Physically Unclonable Functions (hard & soft IP cores)

๏ No Countermeasures for the FPGA backside yet!


Protecting Key from Tampering

[Diagram labels: Design, Bitstream, AES Encryptor, Red Key, encrypted bitstream (011010100101) in NVM or RoT, JTAG, Black Key, FPGA, PUF, AES Decryptor]


Our Proposed Attack: Optical Contactless Probing

[Diagram labels: Laser, Beam Splitter, Objective Lens, DUT (Frontside, Backside, Active Area), Detector]

๏ Changes of absorption coefficient and refractive index of device in active area by electrical field and current.

๏ Laser Voltage Probing (LVP): Optical beam intensity altered by reflection >> probing of electrical signal on the node

๏ Laser Voltage Imaging (LVI): Feeding the reflected signal to a detector with a narrow band frequency filter >> detecting node switching with this frequency


Experimental Setup

๏ DUT: Altera Cyclone IV FPGA (60 nm)

๏ Laser wavelength: 1.3 µm

๏ PoC Red Key calculation

๏ Soft PUF: Ring-oscillator PUF

๏ Optical Setup: HAMAMATSU PHEMOS 1000


Red Key extraction with LVI (1)

[Diagram labels: PUF Key Regs, Black Key Regs, Red Key Regs; bus width 128; SET]


Red Key extraction with LVI (2)


Red Key extraction with LVP (1)

[Diagram labels: Black Key Reg, PUF Key Reg and Red Key Reg for bits 127, 126, …, 0; ⨁; CLK]


Red Key extraction with LVP (2)


RO-PUF Characterization with LVI


Localization of Registers

๏ FSBL not encrypted: IP core configurations can be intercepted and analyzed in a similar device

๏ FSBL encrypted: DPA against the hard decryption core to extract the FSBL

๏ DPA not possible: Gaining access to the IP cores through an insider or by being a potential customer.

๏ Hard PUFs: Reverse-engineering of ASIC to localize the registers


Countermeasures

๏ Silicon light sensors cannot be used if the laser beam has a longer wavelength than the silicon band gap!

๏ Possible algorithmic countermeasure: Randomization of the reset states of the registers


Conclusion

๏ Replacing the eFuses or BBRAMs with controlled PUFs does not raise the security level of the key storage as high as one would expect in the first place.

๏ Controlled PUFs can be attacked

๏ Much less time is required for optical contactless probing of different signals than FIB microprobing

๏ Future generations of FPGAs remain vulnerable to contactless probing, if the vendors do not implement proper protections or countermeasures
