Cryptology ePrint Archive: Report 2015/441

FIDES: Enhancing Trust in Reconfigurable Based Hardware Systems

Devu Manikantan Shila and Vivek Venugopalan and Cameron D Patterson

Abstract: Extensive use of third party IP cores (e.g., HDL, netlist) and open source tools in the FPGA application design and development process in conjunction with the inadequate bitstream protection measures have raised crucial security concerns in the past for reconfigurable hardware systems. Designing high fidelity and secure methodologies for FPGAs are still infancy and in particular, there are almost no concrete methods/techniques that can ensure trust in FPGA applications not entirely designed and/or developed in a trusted environment. This work strongly suggests the need for an anomaly detection capability within the FPGAs that can continuously monitor the behavior of the underlying FPGA IP cores and the communication activities of IP cores with other IP cores or peripherals for any abnormalities. To capture this need, we propose a technique called FIDelity Enhancing Security (FIDES) methodology for FPGAs that uses a combination of access control policies and behavior learning techniques for anomaly detection.

FIDES essentially comprises of two components: (i) {\em Trusted Wrappers}, a layer of monitors with sensing capabilities distributed across the FPGA fabric; these wrappers embed the output of each IP core $i$ with a tag $\tau_i$ according to the pre-defined security policy $\Pi$ and also verifies the embeddings of each input to the IP core to detect any violation of policies. The use of tagging and tracking enables us to capture the normal interactions of each IP core with its environment (e.g., other IP cores, memory, OS or I/O ports). {\em Trusted Wrappers} also monitors the statistical properties exhibited by each IP core module on execution such as power consumption, number of clock cycles and timing variations to detect any anomalous operations; (ii) a {\em Trusted Anchor} that monitors the communication between the IP cores and the peripherals with regard to the centralized security policies $\Psi$ as well as the statistical properties produced by the peripherals. We target FIDES architecture on a Xilinx Zynq 7020 device implemented with a red-black system comprising of sensitive and non-sensitive IP cores. Our results show that FIDES implementation leads to only 1-2\% overhead in terms of the logic resources per wrapper and incurs minimal latency per wrapper for tag verification and embedding. On the other hand, as compared to the baseline implementation, when all the communications within the system are routed to the Trusted Anchor for centralized policy checking and verification, a latency of 1.5X clock cycles is observed; this clearly manifests the advantage of using distributed wrappers as opposed to centralized policy checking.

Category / Keywords: implementation / Design; Security and Trust; Hardware Trojans; FPGAs

Date: received 7 May 2015, last revised 25 May 2015

Contact author: vivek at vivekvenugopal net

Available format(s): PDF | BibTeX Citation

Version: 20150525:145231 (All versions of this report)

Short URL: ia.cr/2015/441

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]