
FPGA-Based Remote Power Side-Channel Attacks

This post introduces a power side-channel attack on FPGAs used in cloud computing.
Field Programmable Gate Arrays (FPGAs) have been widely adopted as hardware accelerators because they allow end users to customize their own integrated circuits for specific tasks. Cloud computing vendors such as Amazon lease FPGAs to customers, since FPGAs can be virtualized and shared among users. As a result, circuits belonging to multiple users may co-reside on one physical FPGA, which makes side-channel attacks possible.
However, even if circuits from different users co-reside on the same FPGA board, they are physically partitioned by a “fence” made of unused configurable logic blocks. This prevents a malicious user from directly stealing secrets from a victim’s circuit on the same FPGA. The key observation is that a common power supply is shared by all circuits on the same FPGA. The activity of a single circuit is reflected in the supply voltage and can be sensed by the other circuits. [1] introduced a novel method that takes advantage of this fact to conduct a side-channel attack on the RSA encryption process.


In the threat model, the adversary has no physical proximity to the target system and cannot measure its physical properties. However, the adversary is allowed to control the behavior of some of the logic gates on the same FPGA where the victim system resides.
Heavy computation generally leads to high switching activity in CMOS logic. High switching activity leads to transient voltage drops in the FPGA’s power supply. In other words, if one of the circuits residing on the FPGA runs an intensive computation, the result is a voltage drop in the power supply. This voltage drop can be observed by other circuits, and an adversary may exploit this fact.

In order to gather voltage data, an adversary can put a ring oscillator (RO) on the system. A ring oscillator generates a square wave whose frequency is determined by the latency of its logic gates. Generally, the higher the latency, the lower the frequency. The gate latency is affected by the applied voltage. In other words, the frequency is inversely proportional to the applied voltage.

A counter is connected to the output of the RO and is incremented on each rising edge. Another counter is driven by the system clock, whose frequency is known to the adversary. The values of the two counters are compared occasionally to derive the average frequency of the RO over one period.
At this point, the adversary can observe changes in the power supply voltage over a given time range. A case study illustrates how to conduct a side-channel attack.
Encrypting a message using RSA requires computing a large modular exponentiation, which is computationally expensive due to the large operands and inefficient to perform on a CPU. A practical approach is to design an FPGA hardware accelerator that implements the square-and-multiply algorithm, as shown in the following figure.

In the above figure, d represents the secret key. There are two multipliers. If the ith bit of d is 1, both multipliers work. If the ith bit of d is 0, one multiplier is idle. Thus, the value of the ith bit of d can be inferred by observing the voltage drop. By repeating this process, an adversary can get the entire secret key.
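The two-counter RO measurement and the key-dependent multiplier activity described above can be reproduced in a small simulation, which also lets a designer quantify how much a datapath leaks. This is an added example, not code from the post or from [1]: the count model, noise level, toy exponent and all function names are assumptions, and the `always_multiply` option models the standard square-and-multiply-always countermeasure, which the post does not discuss.

```python
import random
import statistics

# Constructed 64-bit toy exponent (not a real key), most significant bit first.
KEY_BITS = [int(b) for b in format(0xB5C39A6ED1F02748, "064b")]

def ro_frequency(ro_count, clk_count, clk_hz):
    """Average RO frequency over one window: the clock counter gives elapsed time."""
    return ro_count * clk_hz / clk_count

def ro_trace(key_bits, always_multiply=False, base=4000, drop=20, noise=2.0, seed=7):
    """RO counter value per square-and-multiply iteration (one window per bit).

    Assumed toy model: each active multiplier lowers the count by `drop`,
    plus Gaussian measurement noise. Real traces are far noisier.
    """
    rng = random.Random(seed)
    trace = []
    for bit in key_bits:
        active = 2 if (bit or always_multiply) else 1
        trace.append(base - drop * active + rng.gauss(0, noise))
    return trace

def recover_bits(trace):
    """Threshold halfway between the extremes; the lower count is read as bit 1."""
    threshold = (min(trace) + max(trace)) / 2
    return [1 if c < threshold else 0 for c in trace]

def leakage(trace, key_bits):
    """Gap between mean counts of 0-bit and 1-bit windows, in noise std units."""
    zeros = [c for c, b in zip(trace, key_bits) if b == 0]
    ones = [c for c, b in zip(trace, key_bits) if b == 1]
    spread = (statistics.stdev(zeros) + statistics.stdev(ones)) / 2
    return abs(statistics.mean(zeros) - statistics.mean(ones)) / spread

if __name__ == "__main__":
    leaky = ro_trace(KEY_BITS)
    fixed = ro_trace(KEY_BITS, always_multiply=True)
    print("window 0 RO frequency (Hz):", ro_frequency(leaky[0], 1000, 100e6))
    print("key-dependent design: bits recovered =", recover_bits(leaky) == KEY_BITS,
          "leakage =", round(leakage(leaky, KEY_BITS), 1))
    print("always-multiply design: leakage =", round(leakage(fixed, KEY_BITS), 2))
```

A leakage score well above 1 means the two bit classes are separable from the sensor trace alone; when both multipliers run in every iteration the score falls to the noise floor.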


The novelty of this paper is that it introduces a power side-channel vulnerability that lies beneath the integration of cloud computing and FPGAs. It is particularly important because it does not require the adversary to have physical proximity to the victim system, which makes it practical given the prevalence of cloud computing today.
