
Reverse Engineering the Configuration on FPGA Chips and Countermeasures

A Field Programmable Gate Array (FPGA) [1] is an Integrated Circuit (IC) with a large number of gates that can
be programmed many times, according to the specific requirement, using a Hardware Description Language (HDL) [2].
FPGAs can be used in any application where Application Specific Integrated Circuits (ASICs) [3] can be used,
and can implement any logical function that an ASIC could perform. FPGAs contain programmable logic components
called logic blocks, and the interconnections can be programmed so that the blocks are wired together to
evaluate a logic function, from very complex combinational functions to very simple logic gates such as AND,
XOR and NOT.

FPGA processors can be divided into 4 categories according to the way in which their configuration files are
stored [4].

1. SRAM-based FPGAs
2. SRAM-based FPGAs with an internal flash memory
3. Flash-based FPGAs
4. Antifuse-based FPGAs

SRAM-based FPGAs store their configuration in SRAM, which is volatile, so they must be programmed at each
power-up. There are 2 basic modes of programming an SRAM-based FPGA processor:

1. Master mode, where the FPGA reads the configuration data from an external source, for example a flash
storage, which is a non-volatile medium.
2. Slave mode, where the FPGA is configured by an external device such as a processor, using a dedicated
interface or via a boundary-scan (JTAG) [5] interface.

SRAM-based FPGAs with an internal flash memory eliminate the need for a separate power source to hold the
configuration or a separate non-volatile memory to store it. Flash-based FPGAs do not use SRAM as the primary
storage but flash memory, which requires less power than an SRAM-based FPGA. Antifuse-based FPGAs can be
programmed only once, but they consume a very small amount of power in operation compared to SRAM-based FPGAs.

SRAM-based FPGAs read the configuration file, which is called the bit stream, at power-up. Copying the
preprogrammed bit stream to another FPGA makes the target behave exactly like the original one, resulting in
clear violations of copyright and Intellectual Property (IP). Usually the bit stream is encrypted for security
using AES (Advanced Encryption Standard) [6] or DES (Data Encryption Standard) [7], and it is considered
proprietary to the vendor. As a further security precaution, the decryption key is stored in a battery-powered
volatile memory. Xilinx Virtex II Pro devices follow this precaution, which enables them to provide FIPS level 4
security, which is the highest. Because DES and AES are symmetric algorithms, the encryption and decryption keys
are the same. SRAM-based FPGAs were predicted to be vulnerable to cryptanalysis, but were considered safe since
no proof of vulnerabilities had been reported until January 2011.

A side channel [8] is information that is a byproduct of the physical implementation of a system and that can be
used to deduce the secret key, especially in a cryptosystem. Recently, attempts have been made either to recover
the secret key, which can be used to decrypt the bit stream, or to deduce the original unencrypted bit stream.
In 2008 Xilinx, a famous FPGA manufacturer, announced that the NSA (National Security Agency) and Xilinx had
verified the design and the cryptographic functions of Xilinx Virtex 4 FPGA processors [9]. However, Moradi et
al. [10] demonstrated an attack that recovers the secret key of the bit stream encryption of Xilinx Virtex 4,
Virtex 5 and Spartan 6 processors using power analysis. The power dissipation of a CMOS device mostly depends on
its ongoing switching activity, so it is possible to infer what is happening inside the CMOS device by
analyzing its power consumption.

In differential power analysis it is assumed that the values of the measurement set and the hypothesis set are
normally distributed random variables with mean and standard deviation , where is the mean power consumption of
the circuit for a precise key value at a specific time instant. First, the power lines of the FPGA chip are
connected to an oscilloscope with a sample rate of around 20 GS/s. Then the FPGA is configured to use a known
secret key at power-up and the power trace is recorded; this is repeated nearly 50,000 times. Next, the FPGA
that holds the secret key is fixed on the test bed and its power trace at power-up is recorded. Using
correlation theory, the traces for the known keys and for the unknown key are correlated, and from the
information processed the secret key can be reduced by 6 bits at a time.
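
The correlation step described above can be reproduced on synthetic data to judge a countermeasure before any hardware is measured. The following Python sketch is an added example, not code from this proposal or from Moradi et al.; it assumes a Hamming-weight leakage model, a constructed 6-bit substitution table (`SBOX`), Gaussian noise and hypothetical function names, and compares an unprotected operation with one whose processed value is XOR-masked with a fresh random value.

```python
import math
import random

def hw(x):
    """Hamming weight: the usual first-order model for CMOS switching power."""
    return bin(x).count("1")

# Constructed 6-bit substitution table (NOT a real cipher S-box), fixed by seed.
SBOX = list(range(64))
random.Random(1).shuffle(SBOX)

def pearson(a, b):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb)

def simulate(key, n, noise, masked, rng):
    """One synthetic power sample per operation: HW(intermediate) + noise."""
    inputs, samples = [], []
    for _ in range(n):
        x = rng.randrange(64)
        v = SBOX[x ^ key]
        if masked:
            v ^= rng.randrange(64)  # fresh random mask on the processed value
        inputs.append(x)
        samples.append(hw(v) + rng.gauss(0, noise))
    return inputs, samples

def leakage_scores(inputs, samples):
    """|correlation| between samples and the HW model, per 6-bit hypothesis."""
    return [abs(pearson([hw(SBOX[x ^ k]) for x in inputs], samples))
            for k in range(64)]

def assess(masked, key=0x2B, n=2000, noise=2.0, seed=7):
    """Return (best hypothesis, its score, score of the true subkey)."""
    rng = random.Random(seed)
    inputs, samples = simulate(key, n, noise, masked, rng)
    scores = leakage_scores(inputs, samples)
    best = max(range(64), key=scores.__getitem__)
    return best, scores[best], scores[key]

if __name__ == "__main__":
    print("unprotected:", assess(masked=False))
    print("masked:     ", assess(masked=True))
```

In the unprotected run the true 6-bit subkey stands out from the other 63 hypotheses, while in the masked run every hypothesis stays near zero. The simulation models a single sample per operation, so it says nothing about leakage that combines several samples.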

In the proposed research, we will first propose and investigate countermeasures for vulnerable SRAM-based FPGA
processors. Moradi et al. demonstrated the attack using an FPGA chip which uses a bit stream encrypted with DES.
There is no evidence of the attack having been tried on bit streams encrypted with AES, which is the FIPS
standard for encrypting federal government as well as military data.

References:
[1] Wikipedia, Field-programmable gate array, http://en.wikipedia.org/wiki/Field-programmable_gate_array
[2] Wikipedia, Hardware Description Language, http://en.wikipedia.org/wiki/Hardware_description_language
[3] Wikipedia, Application-specific integrated circuit, http://en.wikipedia.org/wiki/Application-specific_integrated_circuit
[4] Core-technologies, FPGA Architectures Overview, http://www.1-core.com/library/digital/fpga-architecture/
[5] Wikipedia, Joint Test Action Group, http://en.wikipedia.org/wiki/Joint_Test_Action_Group
[6] National Institute of Standards and Technology, Announcing the ADVANCED ENCRYPTION STANDARD (AES),
Federal Information Processing Standards Publication 197, http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf, November 26, 2001
[7] Wikipedia, Data Encryption Standard (DES), http://en.wikipedia.org/wiki/Data_Encryption_Standard
[8] Wikipedia, Side channel attack, http://en.wikipedia.org/wiki/Side_channel_attack
[9] Xilinx, Xilinx Press Release # 0713, http://www.xilinx.com/prs_rls/2007/end_markets/0713_v4nsa.htm, 2007
[10] Amir Moradi, Alessandro Barenghi, Timo Kasper, Christof Paar, On the Vulnerability of FPGA Bitstream
Encryption against Power Analysis Attacks, 8th ACM conference on Computer and Communications Security, 2011
[11] Eprint.iacr.org, On the Portability of Side-Channel Attacks, http://eprint.iacr.org/2011/391.pdf
