Hardware Support for Trustworthy Systems Ted Huffmire ACACES 2012 Fiuggi, Italy
Disclaimer The views presented in this course are those of the speaker and do not necessarily reflect the views of the United States Department of Defense.
Lecture 2 Overview Reconfigurable Security Reconfigurable hardware is widely used due to growing non-recurring engineering (NRE) cost for ASICs
Field Programmable Gate Arrays Design of high-performance systems ASIC chips have been used traditionally Need something in between CPU and ASIC
Field Programmable Gate Arrays Raises interesting security questions Set of security primitives Examples of FPGA systems
Reconfigurable Hardware [Figure labels: FPGA Chip; SDRAM (off-chip); DRAM; Reference Monitor; Crypto Core; CPU Core; AES; μP]
Tradeoffs Software vs. Hardware ASIC performance comes at a high NRE cost Design, Verification Fabrication, Packaging, Test Security CPU ASIC FPGA General-Purpose Application-Specific
Motivation Ideal: Performance approaching ASIC, cost approaching CPU Problem: Embedded systems designers need security primitives Opportunities: – Spatial mapping of apps to device – Build primitives in reconfigurable hardware
Outline Motivation and Background Security Primitives for FPGAs – Logical isolation – Interconnect tracing – Secure communication architecture – Configuration scrubbing
Motivation and Background
Protection on Embedded Systems [Figure, two panels. Separation Kernels: DRAM, app1, app2, app3, kernel. Reconfigurable Protection: DRAM, app1, app2, app3, Reference Monitor. Labels: Physical, Software, Spatial, Temporal]
FPGA Systems [Figure labels: SDRAM (off-chip); DRAM; FPGA chip; μP; SRAM Block; BRAM; FPGA Fabric]
FPGA Applications Mem FPGA App1 App2
FPGA Fabric Switchbox CLB A B Out
Mixed Trust Cores Multiple cores on one chip Cores are provided by third parties Sophisticated software tools developed by third parties
Mixed Trust Cores Entanglement
Mixed Trust Tool Chains
Logical Isolation
Moats Goal: Physical isolation of cores Opportunity: Divide computation spatially Exploit spatial nature of FPGAs to provide isolation
Moats [Figure labels: FPGA Chip; SDRAM (off-chip); DRAM; Reference Monitor; Crypto Core; CPU Core; AES]
Moats
Methodology Tradeoff between area and performance Use VPR to synthesize 20 largest MCNC benchmark circuits on different routing configurations
Effective Utilization – A: dead areas for moats (depends on # cores) – B: inflation due to restricted routing (~10%) – C: useful logic with no inflation (unrestricted routing) – U_eff = C/(A+B+C) [Figure label: 100%]
Moat Tradeoffs [Figure: three panels, Moat Size = 2, Moat Size = 1 and Moat Size = 6, each divided into Dead Space, Inflation and Useful Logic]
Effective Utilization
Interconnect Tracing
Drawbridges Goal: Ensure that only specified communication is established between cores Opportunity: Spatial isolation Specify legal connections Statically verify these connections
Interconnect Tracing [Figure labels: FPGA Chip; SDRAM (off-chip); DRAM; Reference Monitor; Crypto Core; CPU Core; AES; μP; two connections marked X]
JBits Interface JBits is a Java software interface from Xilinx. It provides abstract methods for – Reading bitstreams – Modifying bitstreams – Creating bitstreams. It allows us to obtain the information we need to trace the routes from the actual bitstream.
How Route Tracer Works Initialization – Parse Input file to get all modules, pins, and connections – Obtain list of search pins for incoming and outgoing connections – Trace all connections from input pins – Trace all connections leaving modules – Reverse Trace to ensure that there are no invalid connections entering the modules
Route Tracing Algorithm

    RouteTree trace(pin, module) {
        add pin to routeTree
        for all sinks of wire this pin is on {
            if sink is connected to pin {
                if sink has already been searched
                    continue    // skip this sink, keep checking the others
                if sink is in another module {
                    check if connection is valid
                    continue    // do not trace into the other module
                }
                add sink to list of searched pins
                trace(sink, module)
            }
        }
        return routeTree
    }
Route Tracing [Figure: grid of SM and CLB tiles]
Example Input file

    # denotes a comment
    # first declare the device type
    #D device
    D XC2V6000 FF1517
    #N modules pins connections
    N
    #M modulename xmin xmax
    # ymin ymax
    M MB
    M MB
    M MB
    M MB
    #P pinname in/out
    P B25 rst #Reset
    P C36 in #rs_232_rx_pin
    P J30 out #rs_232_tx_pin
    P C8 in #rs_232_rx2_pin
    P C9 out #rs_232_tx2_pin
    #C source destination width
    C B25 MB1 1
    C C36 MB1 1
    C MB1 J30 1
    C B25 MB2 1
    C MB1 MB2 32
    C MB2 MB1 32
    C B25 MB3 1
    C MB3 C9 1
    C C8 MB3 1
    C B25 MB4 1
    C MB4 MB3 32
    C MB3 MB4 32
Output from Route Tracer.

    Found Valid connection:MB1 to MB2
    CLB.S6BEG5[57][33]. [CLB.S6END5[51][33]].. CLB.S6BEG5[51][33]... [CLB.S6END5[45][33]].... CLB.S6BEG3[45][33]..... [CLB.S6END3[39][33]] CLB.S2BEG3[39][33] [CLB.S2END3[37][33]] CLB.S2BEG1[37][33] [CLB.S2END_S1[34][33]]
    Found Valid connection:MB3 to MB4
    CLB.OMUX0[58][58]. CLB.LV12[58][58].. [CLB.LV18[28][58]]
    Found Valid connection:MB3 to C9.
    Design Successfully verified!
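An added example (not the original JBits-based route tracer) of the check the tracing algorithm performs: follow every sink from a module's output pins and report any route that enters another module without a matching C line. The M and C line layout follows the input file format above; the coordinates, the routing graph and all function names are constructed assumptions.

```python
# Added example: SPEC, ROUTES and OUTPUTS are constructed samples, not tool output.
SPEC = """\
M MB1 0 3 0 3   # modulename xmin xmax ymin ymax
M MB2 6 9 0 3
M MB3 0 3 6 9
C MB1 MB2 32    # source destination width
"""
ROUTES = {                       # node -> sinks it drives (made-up coordinates)
    (3, 1): [(4, 1)],
    (4, 1): [(5, 1), (4, 4)],    # second sink is a stray branch
    (5, 1): [(6, 1)],            # enters MB2: declared
    (4, 4): [(3, 6)],            # enters MB3: not declared
}
OUTPUTS = {"MB1": [(3, 1)]}      # output pins to start tracing from

def parse_spec(text):  # M/C lines -> (modules, allowed); '#' starts a comment
    modules, allowed = {}, set()
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f[:1] == ["M"]:
            modules[f[1]] = tuple(map(int, f[2:6]))
        elif f[:1] == ["C"]:
            allowed.add((f[1], f[2]))
    return modules, allowed

def owner(node, modules):  # module whose rectangle contains node, else None
    return next((n for n, (x0, x1, y0, y1) in modules.items()
                 if x0 <= node[0] <= x1 and y0 <= node[1] <= y1), None)

def trace(pin, src, routes, modules, allowed, searched, bad):
    for sink in routes.get(pin, ()):
        if sink in searched:
            continue                 # visited: skip it, keep scanning siblings
        searched.add(sink)
        dest = owner(sink, modules)
        if dest not in (None, src):  # route enters another module
            if (src, dest) not in allowed:
                bad.append((src, dest, sink))
            continue                 # do not follow wires inside that module
        trace(sink, src, routes, modules, allowed, searched, bad)

def verify(spec, routes, outputs):  # -> [(source, destination, entry node)]
    modules, allowed = parse_spec(spec)
    bad = []
    for src, pins in outputs.items():
        searched = set()
        for pin in pins:
            trace(pin, src, routes, modules, allowed, searched, bad)
    return bad
```

An empty list from `verify` corresponds to the tool's "Design Successfully verified!" result; any entry names the undeclared connection and the node where it enters the destination module.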
Partial Reconfiguration Route Tracing [Figure: grid of SM and CLB tiles; labels: "This is our partially reconfigurable area", "Input Pin", "Output Pin"]
Moats 1.0 Example four-core design, moat size = 2
Moats 2.0 Subset of connections that must be traced
Secure Communication Architecture
Secure Communication Architecture Goal: Secure communication between cores on shared bus Opportunity: Programmability of FPGAs Shared memory bus with time division access
Communication Architecture [Figure labels: M1, M2, M3, ..., Mn; Arbiter; BRAM Block]
Communication Architecture [Figure labels: FPGA Chip; SDRAM (off-chip); DRAM; Arbiter/Reference Monitor; Crypto Core; CPU Core; AES; μP]
Configuration Scrubbing
Configuration Scrubbing Goal: Allow FPGA to change its configuration securely at run-time Opportunity: Use partial reconfiguration to properly erase prior core's logic Use ICAP interface with an embedded core Bitstream decryption is prohibited when using partial reconfiguration
Scrubbing Example [Figure labels: FPGA Chip; SDRAM (off-chip); DRAM; CPU Core; μP; AES Crypto Core]
Lecture 2 Reading [Conference Version] Moats and Drawbridges: An Isolation Primitive for Reconfigurable Hardware Based Systems [Journal Version] Security Primitives for Reconfigurable Hardware-Based Systems
Lecture 2 Reading Reconfigurable Hardware Security – Trusted Design in FPGAs – Security on FPGAs: State-of-the-Art Implementations and Attacks – Security for Volatile FPGAs
Lecture 2 Reading Reconfigurable Hardware Security – Reconfigurable Computing: The Theory and Practice of FPGA-Based Computing – FPGA-Based Single Chip Cryptographic Solution – Of Gates and Wires
Lecture 2 Reading Handbook of FPGA Design Security – Security Trends for FPGAs