
by Marco Maggioni mmaggi3@uic

Techniques for Fully Integrated Embedding of Design and Verification Logic for Trusted FPGA Circuits. UIC Thesis Defense: December, 12. by Marco Maggioni mmaggi3@uic.edu. Thesis committee: Advisor and chair : Shantanu Dutt Other members : Marco Santambrogio, Jon Solworth.


Presentation Transcript


  1. Techniques for Fully Integrated Embedding of Design and Verification Logic for Trusted FPGA Circuits UIC Thesis Defense: December, 12 by Marco Maggioni mmaggi3@uic.edu Thesis committee: Advisor and chair : Shantanu Dutt Other members : Marco Santambrogio, Jon Solworth

  2. Rationale and Innovation. Problem statement. Trusted FPGA Design: ensuring that the design process produces a final product that performs only the designed functionality and no more. Innovative contribution. Fully Integrated Embedding: an approach in which the trusted FPGA is deployed as a monolithic design containing a self-checking circuit.

  3. Aims. Efficient implementation of a Fully Integrated Embedded Trusted FPGA Design. Adaptation of the two-level randomized 2D ECC structure proposed by a previous work. Reduction of the hardware overhead necessary to implement the on-chip, functionality-based self-checking phase.

  4. Outline Introduction Background FIE Trusted FPGA Architecture Proposed Solution Experimental Results Concluding remarks and future work

  5. Outline Introduction Background FIE Trusted FPGA Architecture Proposed Solution Experimental Results Concluding remarks and future work

  6. FPGA. FPGA technology: joins HW performance with SW flexibility; cost-efficient for low-volume, specific products; sensitive commercial applications; sensitive government and military applications. Definition, Trusted FPGA Design: an FPGA-based deployed application in which the functionality currently implemented is exactly what was designed and no more. It implies a trusted design workflow to secure a relatively untrusted process.

  7. Tampering. Tampering with an FPGA circuit: it is a modification of some CLBs; it can also be logic insertion in the unoccupied CLBs. Possible attack points in a COTS process.

  8. FPGA integrated countermeasures. Current FPGA devices offer some security features. Bitstream encoding and encryption: protect the intellectual property of the application. Bitstream signature: protects the integrity of the IP cores. These are not enough to tackle all the weaknesses shown. A trust-checking technique is necessary: functionality-based, on-chip, and capable of detecting added logic.

  9. This Thesis is about... We will present a completely integrated approach: add self-checking circuits beside the original design. Basic problem in its architecture: it is based on multiplexers implemented in FPGA logic, which is really expensive in terms of area, since a 2:1 mux is implemented with an entire k-LUT.

  10. This Thesis is about... We will propose... An architectural modification to the self-checking structure Some algorithmic approaches to reduce the hardware overhead due to multiplexers

  11. What's next... Introduction Background S. Dutt and L. Li, “Trust-Based Design and Check of FPGA Circuits Using Two-Level Randomized ECC Structures,” accepted (subject to minor revisions), ACM Transactions on Reconfigurable Technology and Systems (TRETS), Special Issue on Security in Reconfigurable Systems Design, 2008. FIE Trusted FPGA Architecture Proposed Solution Experimental Results Concluding remarks and future work

  12. ECC parity code. The ECC parity scheme is a well-known technique for error detection. Organize data in Parity Groups (PG): rows and columns. Based on information redundancy: a parity bit c for each PG, with even (XOR) or odd (XNOR) parity. Possible masking: 4 tampers placed in a 2x2 subarray.

  13. Background. The cited article provides a complete technique for trusted FPGA design. On chip: the deployed design is capable of starting a self-checking phase in which each tamper is detected. Functionality based: an Error Correction Code is applied to all the CLB outputs, so functionality changes are detected. Test Pattern Generator and Output Response Analyzer: added components used to stimulate each possible input combination and to verify it. Two-level randomization: makes masking virtually impossible (low probability).

  14. 2D ECC parity code on FPGA array. Basic idea: we impose the same ECC scheme on the reconfigurable elements of the FPGA. This means: Parity Groups are composed of CLB outputs. Add a TPG to stimulate all the CLB functionality with an exhaustive set of test vectors Ii. Add a parity function for each PG to check that the parity of the other elements is not modified. Add an ORA to produce a Parity Vector (even case: PV = [0 0 ... 0]), that is, the parity of the PGs for each test vector Ii. The check fails or passes depending on whether the PV is the expected one (in the even case, the zero vector).

  15. 2D ECC parity code on FPGA array. Overall architecture... Each tamper is detected as a functionality change. The 2D code also covers the unused CLBs; this prevents insertion of added logic.

  16. Randomized Parity Groups. 2D rows-and-columns PG placement is easily defeated by masking. Solution: randomize the composition of the PGs.

  17. Randomized Polarity. The 2D ECC scheme doesn't cover the TPG and ORA. Trivial tampering: change the TPG to supply a certain test vector; change the ORA to always show an even parity. For each test vector and each PG, we randomly choose the expected parity as even or odd. Example of expected PV = [0 1 0 0 1 .... 1 1 0]. An inserted tamper doesn't know the polarities, so it is very unlikely to match the correct one for each PG.

  18. Trusted FPGA Design Workflow

  19. Implementation Approaches. Non Integrated Embedding (NIE): TPG, ORA and parity functions are loaded and routed dynamically onto the FPGA at the trust-checking phase. Partially Integrated Embedding (PIE): TPG, ORA and parity functions are already placed, and the trust-checking phase corresponds to a re-routing. Fully Integrated Embedding (FIE): TPG, multiple ORAs and parity functions are already placed and routed onto the FPGA. This technique requires a considerable amount of overhead.

  20. What's next... Introduction Background FIE Trusted FPGA Architecture Basic structure and multiplexers overhead Cones based architecture Proposed Solution Experimental Results Concluding remarks and future work

  21. FIE Trusted FPGA Architecture Consider as basic functional element the FPGA slice...

  22. Reference FPGA architecture. Virtex 4 family slice. Roughly, it contains two 4-LUTs, two flip-flops, 16 inputs and 11 outputs.

  23. Multiplexer Overhead. Roughly, each slice uses 7 inputs. Each 2:1 multiplexer is implemented with a LUT. This leads immediately to an overhead of 350% with respect to the circuit size. In fact, we have that...

  24. Cones structure. Basic idea: instead of verifying each single slice, we consider a larger subcircuit composed of a subset of slices. Cones: subcircuits whose structure follows a certain shape (many inputs flow into a single output). Goal of the cone structure: avoid the use of multiplexers for internal connections. Trade-off: covering vs. complexity.

  25. Cones structure. Example of multiplexer covering using a cone...

  26. Cone Based Parity Groups. Now, a PG is composed of cone outputs...

  27. Cone Based Trusted FPGA workflow

  28. What's next... Introduction Background FIE Trusted FPGA Architecture Proposed Solution Cone constraints Algorithmic approaches for cones generation Experimental Results Concluding remarks and future work

  29. Cone Constraints. Cone constraints to consider in the cone construction... Multi fan-out: each cone output depends on a subset of the inputs; the number of TPG lines needed is the largest cardinality. TPG size: imposed parameter for which we stop cone expansion. Sequential constraint: we compose the cone subcircuit so as to preserve combinatorial testability; no 2 sequential elements on the same internal path. Non-overlapping: considering the multi-fan-out structure, two overlapping cones can be covered by a single cone.

  30. Approaches for cone generation. We introduce an architectural modification: input multiplexers vs. net multiplexers. This leads to immediate improvements...

  31. Cone generation algorithm. Two phases: seed selection and cone expansion. Based on a random seed: more difficult to reverse engineer the cone architecture.

  32. Fan based approach. Move set: single-slice insertions, selected on the cone boundary, respecting the constraints. Metric... S := slice; N' := the slice's nets connected to the cone; POC := points of connection; rank_n := the net's cone POC / the net's total POC.

  33. Net Driven approach. Move: insertion of a subset of slices that covers an exposed net and respects the constraints. Metric... m_n := move related to net n; N := nets added by move m_n; Internal(N) := nets that after the move have all their POC internal.

  34. Net Driven Look-ahead approach. Move: look-ahead to the 2nd level; covers two exposed nets. Same metric... Variation with combinations: enrich the move set with the combination of the best 3 sets (in terms of metric) for each 1st-level net.

  35. What's next... Introduction Background FIE Trusted FPGA Architecture Proposed Solution Experimental Results Algorithmic approaches Simulation of a cones PG Concluding remarks and future work

  36. Results for algorithmic approaches. Benchmarks: ITC'99, provided by the CAD group of Politecnico di Torino. Platform: Mac OSX, iMac, Intel Core 2 Duo, 2.66 Ghz, 2 Gb RAM. Experimental purpose: show the multiplexer overhead for each algorithmic approach alongside the improvement in solution quality; estimate the total overhead (considering TPG, ORAs and check logic) associated with each solution.

  37. Results for algorithmic approaches Fan based approach... Net driven approach...

  38. Results for algorithmic approaches Net driven look-ahead approach... Net driven look-ahead with combinations approach...

  39. Results for algorithmic approaches Comparative results…

  40. Simulation of a cones Parity Group Benchmark b14 ITC'99 Generation of 5 cones with an arbitrary approach Behavioural simulation of the cone PG Insertion of 25 different tampers (logic/seq/int) Platform Windows XP, iMac, Intel Core 2 Duo, 2.66 Ghz, 2 Gb RAM Xilinx ISE 10.1 Experimental purpose... Show the correctness of the cone structure used in the PG trust-checking

  41. Simulation of a cones Parity Group Simulation schematic...

  42. Simulation of a cones Parity Group • Without tamper insertion... • With tamper insertion (Pd=100%)...

  43. What's next... Introduction Background FIE Trusted FPGA Architecture Proposed Solution Experimental Results Concluding remarks and future work

  44. Future Work. Develop automated CAD tools to produce concrete trusted FPGA designs. Algorithmic enhancements for cone generation. Check logic awareness. Clever seed placement. Different ECC schemes. Integration of routing tamper techniques.

  45. Concluding Remarks. Achieved results... Active contribution to the emerging research on trust-checking mechanisms to detect intentional and unintentional tampers. Area-efficient implementation of a Fully Integrated Embedded Trusted FPGA Design, obtained with: architectural modification using cones; algorithmic approaches for cone generation.

  46. Questions
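
Added example (not from the thesis or the cited TRETS paper): a small Python model of the parity check on slides 12 to 17, treating each CLB output for one test vector as a single bit. It shows the 2x2 masking case against row/column parity groups and how randomized parity groups catch the same tamper; the 8x8 array, the sample outputs and all function names are assumptions made for illustration.

```python
import random

def row_col_groups(n):
    # Classic 2D layout: one parity group (PG) per row and one per column.
    rows = [[(r, c) for c in range(n)] for r in range(n)]
    cols = [[(r, c) for r in range(n)] for c in range(n)]
    return rows + cols

def random_groups(n, rng):
    # Randomized PGs: two independent random partitions into n groups of n CLBs.
    groups = []
    for _ in range(2):
        cells = [(r, c) for r in range(n) for c in range(n)]
        rng.shuffle(cells)
        groups += [cells[i * n:(i + 1) * n] for i in range(n)]
    return groups

def parity(outputs, group):
    return sum(outputs[cell] for cell in group) % 2

def check_bits(golden, groups, polarity):
    # Design time: pick check bit c per PG so that parity(PG) ^ c == polarity.
    return [parity(golden, g) ^ p for g, p in zip(groups, polarity)]

def ora_vector(observed, groups, checks):
    # Parity vector (PV) an untampered ORA reports for one test vector.
    return [parity(observed, g) ^ c for g, c in zip(groups, checks)]

def flip(golden, cells):
    # Model a tamper as inverted outputs on the listed CLBs.
    return {k: v ^ (k in cells) for k, v in golden.items()}

def detected(golden, groups, polarity, cells):
    checks = check_bits(golden, groups, polarity)
    return ora_vector(flip(golden, cells), groups, checks) != polarity

def detection_rate(n, cells, trials=200):
    # Fraction of random PG layouts (one per seed) that catch a fixed tamper.
    hits = 0
    for seed in range(trials):
        rng = random.Random(seed)
        golden = {(r, c): rng.getrandbits(1) for r in range(n) for c in range(n)}
        hits += detected(golden, random_groups(n, rng), [0] * (2 * n), cells)
    return hits / trials

N = 8
SQUARE = [(2, 2), (2, 3), (3, 2), (3, 3)]  # constructed 2x2 tamper
GOLDEN = {(r, c): (r * c + r) % 2 for r in range(N) for c in range(N)}  # constructed outputs
print("2x2 tamper caught by row/col PGs:", detected(GOLDEN, row_col_groups(N), [0] * (2 * N), SQUARE),
      "| share of random PG layouts that catch it:", detection_rate(N, SQUARE))
```

Passing a non-zero `polarity` list models slide 17: a tampered ORA that always reports the all-zero vector then fails the comparison with the expected PV.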
