Techniques for Fully Integrated Embedding of Design and Verification Logic for Trusted FPGA Circuits. UIC Thesis Defense, December 12, by Marco Maggioni. Thesis committee: advisor and chair Shantanu Dutt; other members Marco Santambrogio, Jon Solworth.
TRANSCRIPT
Techniques for Fully Integrated Embedding of Design and Verification Logic for Trusted FPGA Circuits
by
Marco Maggioni
Thesis committee:
Advisor and chair : Shantanu Dutt
Other members : Marco Santambrogio, Jon Solworth
UIC Thesis Defense: December 12
2
Rationale and Innovation
Problem statement. Trusted FPGA Design: ensuring that the design process produces a final product that performs only the designed functionality and no more.
Innovative contribution. Fully Integrated Embedding: an approach in which the trusted FPGA is deployed as a monolithic design containing the self-checking circuitry.
3
Aims
Efficient implementation of a Fully Integrated Embedded Trusted FPGA Design
Adaptation of the two-level randomized 2D ECC structure proposed in previous work
Reduction of the hardware overhead necessary to implement the on-chip, functionality-based self-checking phase
4
Outline
Introduction
Background
FIE Trusted FPGA Architecture
Proposed Solution
Experimental Results
Concluding remarks and future work
6
FPGA
FPGA technology: joins HW performance with SW flexibility; cost efficient for low-volume, application-specific products
Sensitive commercial applications; sensitive government & military applications
Definition: Trusted FPGA Design
A deployed FPGA-based application in which the functionality currently implemented is exactly what was designed and no more. It implies a trusted design workflow to secure a relatively untrusted process.
7
Tampering
Tampering an FPGA circuit: a modification of some CLBs; it can also be logic insertion into the unoccupied CLBs
Possible attack points in a COTS process
8
FPGA integrated countermeasures
Current FPGA devices offer some security features
Bitstream encoding and encryption: protects the intellectual property of the application
Bitstream signature: protects the integrity of the IP cores
Not enough to tackle all the weaknesses shown; a trust-checking technique is necessary:
functionality based, on chip, capable of detecting added logic
9
This Thesis is about...
We will present a completely integrated approach...
Add self-checking circuits beside the original design
Basic problem in its architecture: it is based on multiplexers implemented in FPGA logic
Really expensive in terms of area: a 2:1 mux is implemented with an entire k-LUT
10
This Thesis is about...
We will propose... an architectural modification to the self-checking structure, and some algorithmic approaches to reduce the hardware overhead due to multiplexers
11
What's next...
Introduction
Background: S. Dutt and L. Li, "Trust-Based Design and Check of FPGA Circuits Using Two-Level Randomized ECC Structures," accepted (subject to minor revisions), ACM Transactions on Reconfigurable Technology and Systems (TRETS), Special Issue on Security in Reconfigurable Systems Design, 2008.
FIE Trusted FPGA Architecture
Proposed Solution
Experimental Results
Concluding remarks and future work
12
ECC parity code
The ECC parity scheme is a well-known technique for error detection
Organize data in Parity Groups (PG): rows and columns
Based on information redundancy: a parity bit c for each PG
Even (XOR) or odd (XNOR) parity
Possible masking: 4 tampers placed in a 2x2 subarray
13
Background
The cited article provides a complete technique for trusted FPGA design
On chip: the deployed design is capable of starting a self-checking phase in which each tamper is detected
Functionality based: an error correction code is applied to all the CLB outputs, so we detect functionality changes
Test Pattern Generator and Output Response Analyzer: added components used to stimulate each possible input combination and to verify the response
Two-level randomization: makes masking virtually impossible (low probability)
14
2D ECC parity code on FPGA array
Basic idea... we impose the same ECC scheme on the reconfigurable elements of the FPGA...
This means... Parity Groups composed of CLB outputs; add a TPG so as to stimulate all the CLB functionality with an exhaustive set of test vectors Ii
Add a parity function for each PG so as to check that the parity of the other elements is not modified; add an ORA so as to produce a Parity Vector (for even parity PV = [0 0 ... 0]) that is the parity of each PG for each test vector Ii
Fail or pass depending on whether the PV is the expected one (for even parity, the zero vector)
15
2D ECC parity code on FPGA array
Overall architecture...
Each tamper is detected as a functionality change; the 2D code also covers the unused CLBs,
which prevents insertion of added logic
16
Randomized Parity Groups
2D row and column PG placement is easily defeated by masking
Solution: randomize the PG composition
17
Randomized Polarity
The 2D ECC scheme doesn't cover the TPG and ORA: trivial tampering
Change the TPG so as to supply a certain test vector; change the ORA so as to always show an even parity
For each test vector and each PG, we randomly choose the expected parity as even or odd
Example of expected PV = [0 1 0 0 1 .... 1 1 0]. An inserted tamper doesn't know the polarities, so it is very unlikely that it matches the correct one for each PG
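The 2D ECC scheme of slides 12 to 17, as an added Python example (not the thesis' or the cited paper's code): CLBs are modelled as K-input truth tables, the TPG enumerates every test vector, a design-time parity CLB per PG fixes the group's parity to the chosen polarity, and the ORA compares the observed parity vector with the expected one. The example reproduces the 2x2 masking case under plain row/column PGs, shows that randomized PGs detect the same four tampers in nearly every trial, and shows that an ORA forged to always report even parity cannot pass once the polarity is randomized. Grid size, truth tables, the tamper model and the seeds are constructed assumptions.

```python
"""2D parity-group (PG) trust check over a CLB grid: TPG, parity functions, ORA, the 2x2
masking case, randomized PGs and randomized polarity. Added example; the grid, the tamper
model and the group sizes are constructed here and are not the thesis' own."""
import random
from itertools import product

K = 2                                      # assumed: every CLB is a K-input function
VECTORS = list(product((0, 1), repeat=K))  # TPG: exhaustive test vectors I_i

def golden_grid(rows, cols, rng):
    """Constructed design: a random truth table (one output bit per test vector) per CLB."""
    return {(r, c): [rng.randint(0, 1) for _ in VECTORS]
            for r in range(rows) for c in range(cols)}

def tamper(grid, cells, vector_idx):
    """Constructed tamper: flip the output of the given CLBs for one test vector."""
    out = {cell: tt[:] for cell, tt in grid.items()}
    for cell in cells:
        out[cell][vector_idx] ^= 1
    return out

def row_col_groups(rows, cols):
    """Plain 2D ECC: one PG per row and one per column."""
    return ([[(r, c) for c in range(cols)] for r in range(rows)] +
            [[(r, c) for r in range(rows)] for c in range(cols)])

def randomized_groups(rows, cols, rng):
    """Randomized PGs: shuffle the cells, then take rows and columns of the shuffled layout."""
    cells = [(r, c) for r in range(rows) for c in range(cols)]
    rng.shuffle(cells)
    layout = {(r, c): cells[r * cols + c] for r in range(rows) for c in range(cols)}
    return [[layout[pos] for pos in g] for g in row_col_groups(rows, cols)]

def group_xor(grid, group, i):
    p = 0
    for cell in group:
        p ^= grid[cell][i]
    return p

def parity_functions(grid, groups, polarity):
    """Design-time parity CLB per PG, chosen so that the whole group's parity under
    vector i equals polarity[g][i] (all zeros = plain even parity)."""
    return [[group_xor(grid, g, i) ^ polarity[gi][i] for i in range(len(VECTORS))]
            for gi, g in enumerate(groups)]

def observed_pv(grid, groups, pfuncs):
    """ORA: parity of every PG (members plus its parity CLB) under every test vector."""
    return [[group_xor(grid, g, i) ^ pfuncs[gi][i] for i in range(len(VECTORS))]
            for gi, g in enumerate(groups)]

def trust_check(grid, groups, pfuncs, expected_pv):
    """Pass iff the observed parity vector equals the expected one."""
    return observed_pv(grid, groups, pfuncs) == expected_pv

def even_polarity(groups):
    return [[0] * len(VECTORS) for _ in groups]

def random_polarity(groups, rng):
    """Randomized polarity: the expected parity of each PG under each vector is drawn at random."""
    return [[rng.randint(0, 1) for _ in VECTORS] for _ in groups]

def forged_even_ora_passes(expected_pv):
    """A tampered ORA that always reports even parity passes only if every expected bit is 0."""
    return not any(b for row in expected_pv for b in row)

def detection_rate(rows, cols, cells, vector_idx, trials, randomize_groups):
    """Fraction of seeded trials in which tampering the given cells is detected."""
    detected = 0
    for t in range(trials):
        rng = random.Random(t)
        grid = golden_grid(rows, cols, rng)
        groups = (randomized_groups(rows, cols, rng) if randomize_groups
                  else row_col_groups(rows, cols))
        pol = even_polarity(groups)
        pfuncs = parity_functions(grid, groups, pol)
        detected += not trust_check(tamper(grid, cells, vector_idx), groups, pfuncs, pol)
    return detected / trials

SQUARE = [(0, 0), (0, 1), (1, 0), (1, 1)]  # constructed: four tampers on a 2x2 subarray

def demo(rows=4, cols=4, seed=1):
    """Run the scenarios from the slides on one seeded design and return the outcomes."""
    rng = random.Random(seed)
    grid, groups = golden_grid(rows, cols, rng), row_col_groups(rows, cols)
    pol = even_polarity(groups)
    pfuncs = parity_functions(grid, groups, pol)
    return {
        "untampered_passes": trust_check(grid, groups, pfuncs, pol),
        "single_tamper_detected": not trust_check(tamper(grid, [(2, 3)], 1), groups, pfuncs, pol),
        "square_masked_by_row_col_pgs": trust_check(tamper(grid, SQUARE, 0), groups, pfuncs, pol),
        "square_detection_rate_randomized_pgs": detection_rate(rows, cols, SQUARE, 0, 200, True),
        "forged_even_ora_passes_random_polarity": forged_even_ora_passes(random_polarity(groups, rng)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With row/column PGs the four tampers on the 2x2 subarray leave every affected row and column with an even number of flipped bits, so the parity vector is unchanged and the check passes; after shuffling the cell-to-group assignment, the same four cells are masked only if they happen to land on a rectangle of the shuffled layout, which is why the randomized detection rate sits close to 1. The randomized polarity part only models the ORA-side trivial tampering from the slide: the forged "always even" report is compared against the expected PV, and any non-zero polarity bit exposes it.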
18
Trusted FPGA Design Workflow
19
Implementation Approaches
Non Integrated Embedding (NIE): TPG, ORA and parity functions are loaded and routed dynamically onto the FPGA at the trust-checking phase
Partially Integrated Embedding (PIE): TPG, ORA and parity functions are already placed, and the trust-checking phase corresponds to a re-routing
Fully Integrated Embedding (FIE): TPG, multiple ORAs and parity functions are already placed and routed onto the FPGA. This technique requires a considerable amount of overhead.
20
What's next...
Introduction
Background
FIE Trusted FPGA Architecture: basic structure and multiplexer overhead; cone-based architecture
Proposed Solution
Experimental Results
Concluding remarks and future work
21
FIE Trusted FPGA Architecture
Consider as basic functional element the FPGA slice...
22
Reference FPGA architecture
Virtex 4 family slice
Roughly, it contains: two 4-LUTs, two flip-flops, 16 inputs, 11 outputs
23
Multiplexer Overhead
Roughly, each slice uses 7 inputs; each 2:1 multiplexer is implemented with a LUT
This immediately leads to an overhead of 350% with respect to the circuit size
In fact, we have that...
24
Cones structure
Basic idea: instead of verifying each single slice, we consider a larger subcircuit composed of a subset of slices
Cones: subcircuits whose structure follows a certain shape (many inputs flow into a single output)
Goal of the cone structure: avoid the use of multiplexers for internal connections
Trade-off: covering vs complexity
25
Cones structure
• Example of multiplexer covering using a cone...
26
Cone Based Parity Groups
• Now, a PG is composed of cone outputs...
27
Cone Based Trusted FPGA workflow
28
What's next...
• Introduction
• Background
• FIE Trusted FPGA Architecture
• Proposed Solution: cone constraints; algorithmic approaches for cone generation
• Experimental Results
• Concluding remarks and future work
29
Cone Constraints
• Cone constraints to consider in the cone construction...
– Multi fan-out
• Each cone output depends on a subset of the inputs... the number of TPG lines needed is the largest cardinality
– TPG size
• Imposed parameter at which we stop cone expansion
– Sequential constraint
• We compose the cone subcircuit so as to preserve combinational testability... no two sequential elements on the same internal path
– Non-overlapping
• Considering the multi fan-out structure, two overlapping cones can be covered by a single cone
30
Approaches for cone generation
• We introduce an architectural modification: input multiplexers vs net multiplexers
• This leads to immediate improvements...
31
Cone generation algorithm
• Two phases: seed selection and cone expansion
• Based on a random seed: more difficult to reverse engineer the cone architecture
32
Fan based approach
• Move set... single slice insertions, selected on the cone boundary, respecting the constraints
• Metric... S := slice, N' := slice's nets connected to the cone; POC := points of connection; rank_n := net's cone POC / net's total POC
33
Net Driven approach
• Move... insertion of a subset of slices that covers an exposed net, respecting the constraints
• Metric... m_n := move related to net n
• N := nets added by move m_n
• Internal(N) := nets that after the move have all their POC internal
34
Net Driven Look-ahead approach
• Move: look-ahead to the 2nd level; covers two exposed nets
• Same metric...
• Variation with combinations... enrich the move set with the combinations of the best 3 sets (in terms of the metric) for each 1st-level net
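The cone constraints and the fan-based and net-driven expansion of slides 29 to 33, as an added Python example that is not the thesis' implementation and does not include the look-ahead variant. It works on a constructed seven-slice netlist, enforces the multi fan-out (TPG lines), TPG size, sequential and non-overlapping constraints on every candidate move, and reports the net multiplexer count of the resulting cones against one multiplexer per slice input, which is the architectural modification of slide 30. TPG_SIZE, the toy netlist, the pseudo points of connection used for primary inputs and outputs, and the way rank_n and |Internal(N)| are aggregated into a single move score are assumptions.

```python
"""Greedy cone construction for the FIE architecture with the fan-based and net-driven
metrics. Added example on a constructed toy netlist; TPG_SIZE and the aggregation of each
metric into a move score are assumptions, not the thesis' exact definitions."""
import random

TPG_SIZE = 4  # assumed imposed parameter: the most TPG lines a cone may need
SLICES = {  # constructed netlist: slice -> (input nets, output net, is_sequential)
    "s1": (["a", "b"], "n1", False), "s2": (["c", "d"], "n2", False),
    "s3": (["n1", "n2"], "n3", False), "s4": (["n3", "e"], "n4", True),
    "s5": (["n4", "a"], "n5", False), "s6": (["n5", "n2"], "n6", True),
    "s7": (["n6", "d"], "out", False)}
PRIMARY_OUTPUTS = {"out"}
DRIVER = {out: s for s, (_, out, _) in SLICES.items()}
# Points of connection (POC) per net: driver plus sinks. Primary inputs get the pseudo
# driver "PI", primary outputs the pseudo sink "PO"; both always count as outside a cone.
NET_POCS = {}
for _s, (_ins, _out, _) in SLICES.items():
    for _n in _ins + [_out]:
        NET_POCS.setdefault(_n, set()).add(_s)
for _n in NET_POCS:
    if _n not in DRIVER:
        NET_POCS[_n].add("PI")
    if _n in PRIMARY_OUTPUTS:
        NET_POCS[_n].add("PO")
INPUT_MUX_COUNT = sum(len(ins) for ins, _, _ in SLICES.values())  # one 2:1 mux per slice input

def slice_nets(s):
    return set(SLICES[s][0]) | {SLICES[s][1]}

def exposed_inputs(cone):
    """Nets consumed inside the cone but driven outside it: one net multiplexer each."""
    return {n for s in cone for n in SLICES[s][0] if DRIVER.get(n) not in cone}

def net_mux_count(cones):
    """Net multiplexers: one per exposed cone input rather than one per slice input."""
    return sum(len(exposed_inputs(c)) for c in cones)

def support(net, cone):
    """Exposed input nets that a net driven inside the cone transitively depends on."""
    d = DRIVER.get(net)
    if d not in cone:
        return {net}
    return set().union(*(support(i, cone) for i in SLICES[d][0]))

def tpg_lines(cone):
    """Multi fan-out constraint: TPG lines = largest support over the cone's outputs."""
    outs = [SLICES[s][1] for s in cone if NET_POCS[SLICES[s][1]] - cone]
    return max((len(support(o, cone)) for o in outs), default=0)

def sequential_ok(cone):
    """Sequential constraint: no internal path through two sequential slices."""
    def reaches_seq(s):
        return any(SLICES[t][2] or reaches_seq(t)
                   for t in (NET_POCS[SLICES[s][1]] & cone) - {s})
    return not any(SLICES[s][2] and reaches_seq(s) for s in cone)

def feasible(cone, covered):
    """Non-overlapping, TPG size and sequential constraints together."""
    return not (cone & covered) and tpg_lines(cone) <= TPG_SIZE and sequential_ok(cone)

def fan_moves(cone, covered):
    """Single-slice insertions on the cone boundary, scored by the sum (assumed) of
    rank_n = net's cone POC / net's total POC over the slice's nets N' touching the cone."""
    boundary = {p for s in cone for n in slice_nets(s) for p in NET_POCS[n]
                if p in SLICES and p not in cone and p not in covered}
    for s in sorted(boundary):
        new = cone | {s}
        yield new, sum(len(NET_POCS[n] & new) / len(NET_POCS[n])
                       for n in slice_nets(s) if NET_POCS[n] & cone)

def net_moves(cone, covered):
    """Net-driven move m_n: insert every outside slice on an exposed net n, scored by
    |Internal(N)|, the number of added nets whose POC all end up inside the cone."""
    for n in sorted({m for s in cone for m in slice_nets(s)}):
        added = {p for p in NET_POCS[n] - cone if p in SLICES}
        if added:
            new = cone | added
            nets_added = {m for s in added for m in slice_nets(s)}
            yield new, sum(NET_POCS[m] <= new for m in nets_added)

def grow_cone(seed, covered, strategy="fan"):
    """Cone expansion: apply the best feasible move until no feasible move is left."""
    cone, moves = {seed}, fan_moves if strategy == "fan" else net_moves
    while True:
        best, best_score = None, -1.0
        for new, score in moves(cone, covered):
            if score > best_score and feasible(new, covered):
                best, best_score = new, score
        if best is None:
            return cone
        cone = best

def cover_all(strategy, rng_seed=0):
    """Seed selection: a random uncovered slice; grow cones until all slices are covered."""
    rng, covered, cones = random.Random(rng_seed), set(), []
    while len(covered) < len(SLICES):
        cones.append(grow_cone(rng.choice(sorted(set(SLICES) - covered)), covered, strategy))
        covered |= cones[-1]
    return cones

if __name__ == "__main__":
    for strategy in ("fan", "net"):
        cones = cover_all(strategy)
        print(strategy, [sorted(c) for c in cones], net_mux_count(cones), "vs", INPUT_MUX_COUNT)
```

Ties between moves are broken by sorted slice or net name, so a run with a fixed seed is reproducible; starting from slice s3 the fan-based expansion stops at four slices because the next candidates either push the TPG line count past TPG_SIZE or would put the two sequential slices s4 and s6 on one internal path, while the net-driven expansion absorbs six slices and still needs only four TPG lines.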
35
What's next...
• Introduction
• Background
• FIE Trusted FPGA Architecture
• Proposed Solution
• Experimental Results: algorithmic approaches; simulation of a cone PG
• Concluding remarks and future work
36
Results for algorithmic approaches
• Benchmarks: ITC'99, provided by the CAD group of Politecnico di Torino
• Platform: Mac OS X, iMac, Intel Core 2 Duo, 2.66 GHz, 2 GB RAM
• Experimental purpose... show the multiplexer overhead for each algorithmic approach, besides the solution quality improvement; estimate the total overhead (considering TPG, ORAs and check logic) associated with each solution
37
Results for algorithmic approaches
• Fan based approach...
• Net driven approach...
38
Results for algorithmic approaches
• Net driven look-ahead approach...
• Net driven look-ahead with combinations approach...
39
Results for algorithmic approaches
• Comparative results…
40
Simulation of a cone Parity Group
• Benchmark b14 from ITC'99: generation of 5 cones with an arbitrary approach; behavioural simulation of the cone PG; insertion of 25 different tampers (logic/seq/int)
• Platform: Windows XP, iMac, Intel Core 2 Duo, 2.66 GHz, 2 GB RAM; Xilinx ISE 10.1
• Experimental purpose... show the correctness of the cone structure used in the PG trust-checking
41
Simulation of a cone Parity Group
• Simulation schematic...
42
Simulation of a cones Parity Simulation of a cones Parity GroupGroup
• Without tamper insertion...
• With tamper insertion (Pd=100%)...
43
What's next...
• Introduction
• Background
• FIE Trusted FPGA Architecture
• Proposed Solution
• Experimental Results
• Concluding remarks and future work
44
Future Work
• Develop automated CAD tools to produce concrete trusted FPGA designs
• Algorithmic enhancements for cone generation: check-logic awareness; clever seed placement
• Different ECC schemes
• Integration of routing tamper techniques
45
Concluding Remarks
• Achieved results... active contribution to the emerging research on trust-checking mechanisms to detect intentional and unintentional tampers
– Area-efficient implementation of a Fully Integrated Embedded Trusted FPGA Design, obtained with an architectural modification using cones and algorithmic approaches for cone generation
46
Questions