Abstract
Extensive use of third-party IP cores (e.g., HDL, netlist) and open-source tools in the FPGA application design and development process, in conjunction with inadequate bitstream protection measures, has raised crucial security concerns for reconfigurable hardware systems. The design of high-fidelity, secure methodologies for FPGAs is still in its infancy; in particular, there are almost no concrete methods or techniques that can ensure trust in FPGA applications not entirely designed and/or developed in a trusted environment. This work strongly suggests the need for an anomaly detection capability within FPGAs that can continuously monitor the behavior of the underlying FPGA IP cores, and the communication of those IP cores with other IP cores or peripherals, for any abnormalities. To meet this need, we propose a technique called the FIDelity Enhancing Security (FIDES) methodology for FPGAs, which uses a combination of access control policies and behavior learning techniques for anomaly detection.
FIDES essentially comprises two components: (i) Trusted Wrappers, a layer of monitors with sensing capabilities distributed across the FPGA fabric; these wrappers embed the output of each IP core i with a tag \(\tau_i\) according to the pre-defined security policy \(\varPi\) and also verify the embeddings of each input to the IP core to detect any violation of policies. The use of tagging and tracking enables us to capture the normal interactions of each IP core with its environment (e.g., other IP cores, memory, OS or I/O ports). Trusted Wrappers also monitor the statistical properties exhibited by each IP core module during execution, such as power consumption, number of clock cycles and timing variations, to detect any anomalous operations; (ii) a Trusted Anchor that monitors the communication between the IP cores and the peripherals with regard to the centralized security policies \(\varPsi\), as well as the statistical properties produced by the peripherals.
To thwart an adversary from tampering with or disabling the proposed security components during the deployment stage, our architecture generates a secure bitstream blob consisting of the IP cores, Trusted Wrappers and Trusted Anchor, secured using public key cryptography. We implemented the FIDES architecture on a Xilinx Zynq 7020 device running a red-black system comprising sensitive and non-sensitive IP cores. Our results show that the FIDES implementation leads to only 1-2% overhead in terms of the logic resources per wrapper and incurs minimal latency per wrapper for tag verification and embedding. On the other hand, as compared to the baseline implementation, when all the communications within the system are routed to the Trusted Anchor for centralized policy checking and verification, a latency of 1.5X clock cycles is observed; this clearly demonstrates the advantage of using distributed wrappers as opposed to centralized policy checking.
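A behavioural model in Python of the Trusted Wrapper checks described above, added here as an illustration and not taken from the paper or its implementation: each wrapper tags its core's output and verifies the tag on every input against a per-core policy, and flags cycle counts that deviate from a learned baseline. The core names, tag values, policy table, training data and the 3-sigma threshold are all assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, stdev

# Constructed tags (tau_i) for a three-core red-black system; values are assumptions.
TAGS = {"keystore_red": 0x1, "aes_red": 0x2, "uart_black": 0x3}

# Constructed policy standing in for Pi: receiving core -> source cores it may accept.
POLICY = {
    "keystore_red": set(),
    "aes_red": {"keystore_red"},
    "uart_black": {"aes_red"},  # the black side only ever sees AES output
}

@dataclass
class TrustedWrapper:
    core: str
    baseline: list = field(default_factory=list)  # cycle counts seen during learning

    def embed(self, payload: bytes) -> tuple:
        """Tag an outgoing word with this core's tau_i."""
        return (TAGS[self.core], payload)

    def verify(self, word: tuple) -> bool:
        """Accept an incoming word only if its tag is allowed by the policy."""
        allowed = {TAGS[src] for src in POLICY[self.core]}
        return word[0] in allowed

    def learn(self, cycles: int) -> None:
        self.baseline.append(cycles)

    def is_anomalous(self, cycles: int, k: float = 3.0) -> bool:
        """Flag a run whose cycle count is more than k sigma from the learned mean."""
        mu, sigma = mean(self.baseline), stdev(self.baseline)
        return abs(cycles - mu) > k * max(sigma, 1.0)

def build_system() -> dict:
    wrappers = {name: TrustedWrapper(name) for name in TAGS}
    for c in (100, 101, 99, 100, 102, 100):  # constructed training runs
        wrappers["aes_red"].learn(c)
    return wrappers

if __name__ == "__main__":
    w = build_system()
    key_word = w["keystore_red"].embed(b"\x00" * 16)
    print("keystore -> aes :", w["aes_red"].verify(key_word))
    print("keystore -> uart:", w["uart_black"].verify(key_word))
    print("aes 140 cycles anomalous:", w["aes_red"].is_anomalous(140))
```

Because each wrapper checks only its own core's inputs, a policy violation is caught at the receiving core without a round trip to a central checker, which is the latency advantage the abstract reports for distributed wrappers.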
© 2015 Springer International Publishing Switzerland
Cite this paper
Shila, D.M., Venugopalan, V., Patterson, C.D. (2015). Unraveling the Security Puzzle: A Distributed Framework to Build Trust in FPGAs. In: Qiu, M., Xu, S., Yung, M., Zhang, H. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 9408. Springer, Cham. https://doi.org/10.1007/978-3-319-25645-0_7
DOI: https://doi.org/10.1007/978-3-319-25645-0_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25644-3
Online ISBN: 978-3-319-25645-0
eBook Packages: Computer Science, Computer Science (R0)