

# FPGAhammer: Remote Voltage Fault Attacks on Shared FPGAs, suitable for DFA on AES

Jonas Krautter, Dennis R.E. Gnad, Mehdi B. Tahoori | 10.09.2018

INSTITUTE OF COMPUTER ENGINEERING - CHAIR OF DEPENDABLE NANO COMPUTING



J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Motivation



• More resources per FPGA  $\Rightarrow$  **Multi-user** environments:

- Amazon, Microsoft and introduce FPGA usage in cloud computing
- System-on-Chip (SoC) variants, tightly coupled FPGA based systems (Xilinx PYNQ, Intel Xeon FPGA, Intel/Altera-SoCs...)
- Accelerators deployed to partitions through partial reconfiguration
  - $\Rightarrow$  Multi-tenant FPGAs

J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Motivation



- More resources per FPGA  $\Rightarrow$  **Multi-user** environments:
  - Amazon, Microsoft and introduce FPGA usage in cloud computing
  - System-on-Chip (SoC) variants, tightly coupled FPGA based systems (Xilinx PYNQ, Intel Xeon FPGA, Intel/Altera-SoCs...)
  - Accelerators deployed to partitions through partial reconfiguration ⇒ Multi-tenant FPGAs
- New attack scenarios:

....

- Passive on-chip side-channels<sup>1</sup>
- Denial-of-Service<sup>2</sup>
- This work: Fault attacks

<sup>&</sup>lt;sup>1</sup> Schellenberg et al., "An Inside Job: Remote Power Analysis Attacks on FPGAs", DATE 2018

<sup>&</sup>lt;sup>2</sup>Gnad et al., "Voltage drop-based fault attacks on FPGAs using valid bitstreams", FPL 2017

J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Motivation



- More resources per FPGA  $\Rightarrow$  **Multi-user** environments:
  - Amazon, Microsoft and introduce FPGA usage in cloud computing
  - System-on-Chip (SoC) variants, tightly coupled FPGA based systems (Xilinx PYNQ, Intel Xeon FPGA, Intel/Altera-SoCs...)
  - Accelerators deployed to partitions through partial reconfiguration ⇒ Multi-tenant FPGAs
- New attack scenarios:
  - Passive on-chip side-channels<sup>1</sup>
  - Denial-of-Service<sup>2</sup>
  - This work: Fault attacks

• ...

Proof-of-Concept work: Successful DFA on AES

<sup>&</sup>lt;sup>1</sup> Schellenberg et al., "An Inside Job: Remote Power Analysis Attacks on FPGAs", DATE 2018

<sup>&</sup>lt;sup>2</sup>Gnad et al., "Voltage drop-based fault attacks on FPGAs using valid bitstreams", FPL 2017



#### ■ Shared FPGA fabric ⇒ Shared Power Distribution Network (PDN)





- Shared FPGA fabric ⇒ Shared Power Distribution Network (PDN)
- Attacker and victim design logically isolated



- Shared FPGA fabric ⇒ Shared Power Distribution Network (PDN)
- Attacker and victim design logically isolated
- Victim software process has a public interface



- Shared FPGA fabric ⇒ Shared Power Distribution Network (PDN)
- Attacker and victim design logically isolated
- Victim software process has a public interface
- Chosen-Plaintext Attack scenario



Outline

J. Krautter, D.R.E. Gnad and M.B. Tahoori

Fault Injection and Analysis



4 Results



2





J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Outline

1 Background

Fault Injection and Analysis

Experimental Setup

4 Results







J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Power Distribution Network (PDN)



- Interconnections from the voltage regulator down to logic elements
- Model: RLC-mesh (Resistive, Inductive and Capacitive elements)



J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Power Distribution Network (PDN)



- Interconnections from the voltage regulator down to logic elements
- Model: RLC-mesh (Resistive, Inductive and Capacitive elements)



• Law of Inductance:  $V_{drop} = I \cdot R + L \cdot \frac{dI}{dt}$ 

J. Krautter, D.R.E. Gnad and M.B. Tahoori



- Interconnections from the voltage regulator down to logic elements
- Model: RLC-mesh (Resistive, Inductive and Capacitive elements)



- Law of Inductance:  $V_{drop} = I \cdot R + L \cdot \frac{dI}{dt}$
- High current variation  $\Rightarrow$  Power supply voltage variation

J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Power Distribution Network (PDN)



- Interconnections from the voltage regulator down to logic elements
- Model: RLC-mesh (Resistive, Inductive and Capacitive elements)



- Law of Inductance:  $V_{drop} = I \cdot R + L \cdot \frac{dI}{dt}$
- High current variation  $\Rightarrow$  Power supply voltage variation
- Lower supply voltage ⇒ **Timing faults**

J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Malicious Logic**





 Logic element to cause high current variation<sup>2</sup>: Ring Oscillators (ROs)

<sup>&</sup>lt;sup>2</sup>Gnad et al., "Voltage drop-based fault attacks on FPGAs using valid bitstreams", FPL 2017



J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Malicious Logic**





 Logic element to cause high current variation<sup>2</sup>: Ring Oscillators (ROs)

• Oscillation  $\Rightarrow$  Gate switching  $\Rightarrow$  Current variation  $\Rightarrow$  Voltage drop

<sup>&</sup>lt;sup>2</sup>Gnad et al., "Voltage drop-based fault attacks on FPGAs using valid bitstreams", FPL 2017

J. Krautter, D.R.E. Gnad and M.B. Tahoori

### Malicious Logic





 Logic element to cause high current variation<sup>2</sup>: Ring Oscillators (ROs)

- Oscillation  $\Rightarrow$  Gate switching  $\Rightarrow$  Current variation  $\Rightarrow$  Voltage drop
- RO-grid must be toggled in a very specific way (freq, duty-cycle, delay)

<sup>&</sup>lt;sup>2</sup>Gnad et al., "Voltage drop-based fault attacks on FPGAs using valid bitstreams", FPL 2017

J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Malicious Logic**





 Logic element to cause high current variation<sup>2</sup>: Ring Oscillators (ROs)

- Oscillation  $\Rightarrow$  Gate switching  $\Rightarrow$  Current variation  $\Rightarrow$  Voltage drop
- RO-grid must be toggled in a very specific way (freq, duty-cycle, delay)
- ightarrow ightarrow Calibration of fault injection parameters required



<sup>2</sup>Gnad et al., "Voltage drop-based fault attacks on FPGAs using valid bitstreams", FPL 2017

J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Malicious Logic**





 Logic element to cause high current variation<sup>2</sup>: Ring Oscillators (ROs)

- Oscillation  $\Rightarrow$  Gate switching  $\Rightarrow$  Current variation  $\Rightarrow$  Voltage drop
- RO-grid must be toggled in a very specific way (freq, duty-cycle, delay)
- ightarrow ightarrow Calibration of fault injection parameters required



<sup>2</sup>Gnad et al., "Voltage drop-based fault attacks on FPGAs using valid bitstreams", FPL 2017



Outline

J. Krautter, D.R.E. Gnad and M.B. Tahoori

2 Fault Injection and Analysis

Experimental Setup

4 Results







J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Fault Injection and Analysis**

Differential Fault Analysis on AES<sup>3</sup>

<sup>3</sup> Piret et al., "A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad", CHES 2003

J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Fault Injection and Analysis**



- Original scheme: Single-byte faults before 8th round
  - $\Rightarrow$  All output bytes faulty



J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Fault Injection and Analysis**

- Differential Fault Analysis on AES<sup>3</sup>
- Original scheme: Single-byte faults before 8th round
  - $\Rightarrow$  All output bytes faulty
- Injection requires high precision
  - $\Rightarrow$  Fault injection before 9th round



<sup>3</sup> Piret et al., "A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad", CHES 2003



J. Krautter, D.R.E. Gnad and M.B. Tahoori

### Fault Injection and Analysis

- Differential Fault Analysis on AES<sup>3</sup>
- Original scheme: Single-byte faults before 8th round
  - $\Rightarrow$  All output bytes faulty
- Injection requires high precision
  - $\Rightarrow$  Fault injection before 9th round



Successful injection can be verified



<sup>&</sup>lt;sup>3</sup>Piret et al., "A Differential Fault Attack Technique against SPN Structures, with Application to the AES and Khazad", CHES 2003

J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Fault Injection and Analysis**



 Attacker issues encryption request to get correct ciphertext



J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Fault Injection and Analysis**



 Attacker issues encryption request to get correct ciphertext

 Attacker issues encryption requests while activating RO grid



J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Fault Injection and Analysis**



- Attacker issues encryption request to get correct ciphertext
- Attacker issues encryption requests while activating RO grid
- Fault injection is calibrated until desired faults appear



J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Fault Injection and Analysis**



- Attacker issues encryption request to get correct ciphertext
- Attacker issues encryption requests while activating RO grid
- Fault injection is calibrated until desired faults appear
- Calibration is done only once for a specific board



J. Krautter, D.R.E. Gnad and M.B. Tahoori

Outline

Background

Fault Injection and Analysis



4 Results







J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Experimental Setup**





- FPGA boards: 3× Terasic DE1-SoC, 1× Terasic DE0-Nano-SoC
  - 3 boards of the same type
  - 2 different boards
    - $\Rightarrow$  Show generality of attack
- Cyclone V FPGA and ARM Cortex-A9 on one chip
- Linux environment on ARM Cortex-A9

J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Experimental Setup**



- ARM CPU RO grid
- FPGA boards: 3× Terasic DE1-SoC, 1× Terasic DE0-Nano-SoC
  - 3 boards of the same type
  - 2 different boards
    - $\Rightarrow$  Show generality of attack
- Cyclone V FPGA and ARM Cortex-A9 on one chip
- Linux environment on ARM Cortex-A9
- Entire threat model in one SoC:
  - Attacker and victim software on ARM core
  - Respective IP cores on FPGA fabric

J. Krautter, D.R.E. Gnad and M.B. Tahoori

### **Experimental Setup**





- FPGA boards: 3× Terasic DE1-SoC, 1× Terasic DE0-Nano-SoC
  - 3 boards of the same type
  - 2 different boards
    - $\Rightarrow$  Show generality of attack
- Cyclone V FPGA and ARM Cortex-A9 on one chip
- Linux environment on ARM Cortex-A9
- Entire threat model in one SoC:
  - Attacker and victim software on ARM core
  - Respective IP cores on FPGA fabric
- Fault injection on SoC, Key recovery on PC

J. Krautter, D.R.E. Gnad and M.B. Tahoori

Outline

Background

Fault Injection and Analysis



#### 4 Results







J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Fault Injection Rate vs #RO





#### Experiments on DE1-SoC, design fully constrained

J. Krautter, D.R.E. Gnad and M.B. Tahoori





- Experiments on DE1-SoC, design fully constrained
- Evaluate usable (for DFA) faults and total amount of faults

J. Krautter, D.R.E. Gnad and M.B. Tahoori





- Experiments on DE1-SoC, design fully constrained
- Evaluate usable (for DFA) faults and total amount of faults
- Injection rate increases with amount of ROs

J. Krautter, D.R.E. Gnad and M.B. Tahoori





- Experiments on DE1-SoC, design fully constrained
- Evaluate usable (for DFA) faults and total amount of faults
- Injection rate increases with amount of ROs
- Injection accuracy decreases after a certain amount

J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Fault Injection Rate vs #RO



 Extended experiments: 3 different boards



J. Krautter, D.R.E. Gnad and M.B. Tahoori



- Extended experiments: 3 different boards
- All boards vulnerable, Calibration finds params



J. Krautter, D.R.E. Gnad and M.B. Tahoori



- Extended experiments: 3 different boards
- All boards vulnerable, Calibration finds params
- Process variation ⇒ Different optimal #RO



J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Key Recovery on 5000 random keys





#### Experiments on DE1-SoC with best fault injection configuration

J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Key Recovery on 5000 random keys





#### Experiments on DE1-SoC with best fault injection configuration

Majority of 5000 keys can be recovered

J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Key Recovery on 5000 random keys





#### Experiments on DE1-SoC with best fault injection configuration

- Majority of 5000 keys can be recovered
- Unrecovered keys due to multi-byte faults

J. Krautter, D.R.E. Gnad and M.B. Tahoori

Outline

Background

Fault Injection and Analysis

Experimental Setup

4 Results







J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### **Discussion and Future Work**



• Attack on fully constrained design on DE1-SoC with < 50% resources

J. Krautter, D.R.E. Gnad and M.B. Tahoori



- Attack on fully constrained design on DE1-SoC with < 50% resources
- Smaller DE0-Nano-SoC: Fully constrained design not vulnerable
  - $\Rightarrow$  Not all devices are equally vulnerable

J. Krautter, D.R.E. Gnad and M.B. Tahoori



- Attack on fully constrained design on DE1-SoC with < 50% resources</p>
- Smaller DE0-Nano-SoC: Fully constrained design not vulnerable
  - $\Rightarrow$  Not all devices are equally vulnerable
- Alternatives to using ROs may exist

J. Krautter, D.R.E. Gnad and M.B. Tahoori



- Attack on fully constrained design on DE1-SoC with < 50% resources
- Smaller DE0-Nano-SoC: Fully constrained design not vulnerable
  - $\Rightarrow$  Not all devices are equally vulnerable
- Alternatives to using ROs may exist
- Attack may be extended to hard cores (ARM SoC)

J. Krautter, D.R.E. Gnad and M.B. Tahoori



- Attack on fully constrained design on DE1-SoC with < 50% resources
- Smaller DE0-Nano-SoC: Fully constrained design not vulnerable
  - $\Rightarrow$  Not all devices are equally vulnerable
- Alternatives to using ROs may exist
- Attack may be extended to hard cores (ARM SoC)
- Possible mitigation:
  - Internal sensors
  - Bitstream checking
  - Voltage islands

J. Krautter, D.R.E. Gnad and M.B. Tahoori

Outline

Background

Fault Injection and Analysis

Experimental Setup

4 Results







J. Krautter, D.R.E. Gnad and M.B. Tahoori

### Conclusion

• High precision fault injection on shared FPGAs is possible



J. Krautter, D.R.E. Gnad and M.B. Tahoori

### Conclusion

• High precision fault injection on shared FPGAs is possible

• Logical isolation is not enough to prevent manipulation



J. Krautter, D.R.E. Gnad and M.B. Tahoori

### Conclusion



- High precision fault injection on shared FPGAs is possible
- Logical isolation is not enough to prevent manipulation
- Threat model must be considered for FPGA multi-user environments

J. Krautter, D.R.E. Gnad and M.B. Tahoori

### Conclusion



- High precision fault injection on shared FPGAs is possible
- Logical isolation is not enough to prevent manipulation
- Threat model must be considered for FPGA multi-user environments
- Mitigation may require new/modified hardware

J. Krautter, D.R.E. Gnad and M.B. Tahoori

## Thank you for your attention!

J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Additional Slides – Complete Scan Flow





J. Krautter, D.R.E. Gnad and M.B. Tahoori

### Additional Slides – Slack Dependent Analysis





J. Krautter, D.R.E. Gnad and M.B. Tahoori

### Additional Slides – Slack Dependent Analysis



J. Krautter, D.R.E. Gnad and M.B. Tahoori

Σ

#### **Additional Slides – Injection Process**



- Externally measured FPGA supply voltage V<sub>CC</sub> during fault injection
- AES reset logic signal (active low)
- RO grid activation signal

J. Krautter, D.R.E. Gnad and M.B. Tahoori

#### Additional Slides – RO Floorplan





J. Krautter, D.R.E. Gnad and M.B. Tahoori



#### Additional Slides – Adder Test Design

