Presentation on theme: "Techniques for Fully Integrated Embedding of Design and Verification Logic for Trusted FPGA Circuits by Marco Maggioni Thesis committee:"— Presentation transcript:
Techniques for Fully Integrated Embedding of Design and Verification Logic for Trusted FPGA Circuits by Marco Maggioni Thesis committee: Advisor and chair : Shantanu Dutt Other members : Marco Santambrogio, Jon Solworth UIC Thesis Defense: December, 12
2 Rationale and Innovation Problem statement Trusted FPGA Design : ensuring that the design process produces a final product that performs only the designed functionality and no more. Innovative contribution Fully Integrated Embedding : approach in which the trusted FPGA is deployed as a monolithic design containing self-checking circuit
3 Aims Efficient implementation of a Fully Integrated Embedded Trusted FPGA Design Adaptation of the two level randomized 2D ECC structure proposed by a previous work Reduction the hardware overhead necessary to implement the on-chip functionality based self-checking phase
4 Outline Introduction Background FIE Trusted FPGA Architecture Proposed Solution Experimental Results Concluding remarks and future work
5 Outline Introduction Background FIE Trusted FPGA Architecture Proposed Solution Experimental Results Concluding remarks and future work
6 FPGA FPGA technology Join HW performance with SW flexibility Cost efficient for low volume specific product Sensitive commercial applications Sensitive government & military applications Definition Trusted FPGA Design It is an FPGA-based deployed application in which the functionality currently implemented is exactly what designed and no more It implies a trusted design workflow to secure a relative untrusted process
7 Tampering Tampering a FPGA circuit It is a modification of some CLBs Can be also logic insertion in the not-occupied CLBs Possible attack points in a COTS process
8 FPGA integrated countermeasures The current FPGAs devices offers some security feature Bitstream Encoding and Encrypting Protect the Intellectual Property of the application Bitstream Signature Protect the IP cores integrity Not enough to tackle all the shown weakness It is necessary a trust-checking technique Functionality based On chip Capable to detect added logic
9 This Thesis is about... We will present a completely integrated approach... Add self-checking circuits besides the original design Basic problem in its architecture Based on multiplexers implemented on FPGA logic Really expensive in term of area –A 2:1 mux is implemented with an entire k-LUT
10 This Thesis is about... We will propose... An architectural modification to the self-checking structure Some algorithmic approaches to reduce the hardware overhead due to multiplexers
11 What's next... Introduction Background S. Dutt and L. Li, “Trust-Based Design and Check of FPGA Circuits Using Two-Level Randomized ECC Structures, accepted (subject to minor revisions), ACM Transaction on Reconfigurable Technology and Systems (TRETS), Special Issue on Security in Reconfigurable Systems Design, FIE Trusted FPGA Architecture Proposed Solution Experimental Results Concluding remarks and future work
12 ECC parity code ECC parity schema is a well known technique for errors detection Organize data in Parity Groups (PG) Rows and columns Based on information redundancy A parity bit c for each PG Even (XOR) or odd (XNOR) parity Possible masking 4 tamper placed in a 2x2 subarray
13 Background The cited article provides a complete technique for trusted FPGA design On Chip The deployed design is capable to start a self-checking phase in which each tamper is detected Functionality based An Error Correction Code is applied to all the CLBs outputs and so we detect functionality changes Test Pattern Generator and Output Response Analyzer Added components used to stimulate each possible input combination and to verify it Two level randomization Makes the masking virtually impossible (low probability)
14 2D ECC parity code on FPGA array Basic idea... We impose the same ECC schema on the reconfigurable elements of the FPGA... This means... Parity Groups composed by CLBs outputs Add a TPG in way to stimulate all the CLB functionality with an exaustive set of test vectors I i Add a parity function for each PG in way to check if the parity of the other elements is not modified Add a ORA in way to produce a Parity Vector (case even PV = [ ]) that is the parity of PG for each test vector I i Fail or passes depending if the PV is the expected one (case even is zero vector)
15 2D ECC parity code on FPGA array Overall architecture... Each tamper is detected as functionality change 2D code covers also the unused CLB this prevent added logics insertion
16 Randomized Parity Groups 2D rows and columns PG placement It is easily defeated by masking Solution : randomize the PGs composition
17 Randomized Polarity 2D ECC schema doesn't cover the TPG and ORA Trivial tampering Change TPG in way to supply a certain test vector Change ORA in way to show always an even parity For each test vector and each PG, we randomly choose the expected parity as even or odd Example of expected PV = [ ] Each inserted tamper doesn't know the polarities, so it is very difficult that it corresponds to the correct one for each PG
18 Trusted FPGA Design Workflow
19 Implementative Approaches Non Integrated Embedding (NIE) TPG, ORA and parity function are loaded and routed dynamically onto the FPGA at the trust-checking phase Partially Integrated Embedding (PIE) TPG, ORA and parity functions are already placed and the trust-checking phase corresponds to a re-routing Fully Integrated Embedding (FIE) TPG, multiple ORAs and parity functions are already placed and routed onto the FPGA. This tecnique requires a considerable amount of overhead.
20 What's next... Introduction Background FIE Trusted FPGA Architecture Basic structure and multiplexers overhead Cones based architecture Proposed Solution Experimental Results Concluding remarks and future work
21 FIE Trusted FPGA Architecture Consider as basic functional element the FPGA slice...
22 Reference FPGA architecture Virtex 4 family slice Roughly, it contains two 4-LUT two flip flop 16 inputs 11 outputs
23 Multiplexer Overhead Roughly, each slice uses 7 inputs Each 2:1 multiplexers is implemented with a LUT This leads immediatly to an overhead of 350% respect to the circuit size In fact, we have that...
24 Cones structure Basic idea Instead to verify each single slice, we consider a larger subcircuit composed by a slices subset Cones Subcircuits which structure follows a certain shape (many inputs flow in a single output) Goal of cones structure Avoid the use of multiplexers for internal connection Trade off Covering vs Complexity
25 Cones structure Example of multiplexers covering usign a cone...
26 Cone Based Parity Groups Now, a PG is composed by cones outputs...
27 Cone Based Trusted FPGA workflow
28 What's next... Introduction Background FIE Trusted FPGA Architecture Proposed Solution Cone constraints Algorithmic approaches for cones generation Experimental Results Concluding remarks and future work
29 Cone Constraints Cone constraints to consider in the cone construction... Multi Fan Out Each cone output depends by a subset of inputs... the number of needed TPG lines is the largest cardinality TPG size Imposed parameter for which we stop cone expansion Sequential constraint We compose cone subcircuit in way to preserve the combinatorial testability... no 2 sequential elements on the same internal path Non overlapping Considering the multi fan-outs structure, two overlapping cones can be covered by a single cone
30 Approaches for cone generation We introduce an architectural modify Input multiplexers vs Net multiplexers This leads to immediate improvements...
31 Cone generation algorithm Two phases Seed selection and cone expansion Based on random seed More difficult to reverse enginering the cone architecture
32 Fan based approach Moves set... Single slice insertions Selected on the cone boundary Respect constraints Metric... S := slice, N’:= slice’s nets connected to cone POC := points of connection rank n := net’s cone POC / total net’s POC
33 Net Driven approach Move... Slices subset insertion Covers an exposed net Respects constraints Metric... m n := move related with net n N := nets added by move m n Internal(N) :=nets that after the move have all internal POC
34 Net Driven Look-ahead approach Move Look-ahead for 2 nd level Covers two exposed net Same metric... Variation with combinations... Enrich the moves set with the combination of the best 3 set (in term of metric) for each 1 st level net
35 What's next... Introduction Background FIE Trusted FPGA Architecture Proposed Solution Experimental Results Algorithmic approaches Simulation of a cones PG Concluding remarks and future work
36 Results for algorithmic approaches Benchmarks ITC'99 Provided by CAD group of Politecnico di Torino Platform Mac OSX, iMac, Intel Core 2 Duo, 2.66 Ghz, 2 Gb RAM Experimental purpose... Show multiplexers overhead for each algorithmic approach besides the solution quality improvement Estimate the total overhead (considering TPG,ORAs and check logic) associated to each solution
37 Results for algorithmic approaches Fan based approach... Net driven approach...
38 Results for algorithmic approaches Net driven look-ahead approach... Net driven look-ahead with combinations approach...
39 Results for algorithmic approaches Comparative results…
40 Simulation of a cones Parity Group Benchmark b14 ITC'99 Generation of 5 cones with an arbitrary approach Behavioural simulation of the cone PG Insertion of 25 different tampers (logic/seq/int) Platform Windows XP, iMac, Intel Core 2 Duo, 2.66 Ghz, 2 Gb RAM Xilinx ISE 10.1 Experimental purpose... Show the correctness of the cone structure used in the PG trust-checking
41 Simulation of a cones Parity Group Simulation schematic...
42 Simulation of a cones Parity Group Without tamper insertion... With tamper insertion (P d =100%)...
43 What's next... Introduction Background FIE Trusted FPGA Architecture Proposed Solution Experimental Results Concluding remarks and future work
44 Future Work Develop an automatized CAD tools to produce concrete trusted FPGA design Algorithmic enhancements for cone generations Check logic awareness Clever seed placement Different ECC schemes Integration of routing tamper techniques
45 Concluding Remarks Achieved results... Active contribute in the emerging research on trust- checking mechanisms to detect intentional and unintentional tampers Area efficient implementation of a Fully Integrated Embedded Trusted FPGA Design obtained with Architectural modify usign cones Algorithmic approaches for cones generation