by marco maggioni mmaggi3@uic

Techniques for Fully Integrated Embedding of Design and Verification Logic for Trusted FPGA Circuits by Marco Maggioni [email protected] Thesis committee: Advisor and chair : Shantanu Dutt Other members : Marco Santambrogio, Jon Solworth UIC Thesis Defense: December, 12


Page 1: by Marco Maggioni mmaggi3@uic

Techniques for Fully Integrated Embedding of Design and Verification Logic for Trusted FPGA Circuits

by

Marco Maggioni

[email protected]

Thesis committee:

Advisor and chair : Shantanu Dutt

Other members : Marco Santambrogio, Jon Solworth

UIC Thesis Defense: December, 12

Page 2: by Marco Maggioni mmaggi3@uic

Rationale and Innovation

• Problem statement
– Trusted FPGA Design: ensuring that the design process produces a final product that performs only the designed functionality and no more.

• Innovative contribution
– Fully Integrated Embedding: an approach in which the trusted FPGA is deployed as a monolithic design containing a self-checking circuit

Page 3: by Marco Maggioni mmaggi3@uic

Aims

• Efficient implementation of a Fully Integrated Embedded Trusted FPGA Design
• Adaptation of the two-level randomized 2D ECC structure proposed in previous work
• Reduction of the hardware overhead necessary to implement the on-chip, functionality-based self-checking phase

Page 4: by Marco Maggioni mmaggi3@uic

Outline

Introduction

Background

FIE Trusted FPGA Architecture

Proposed Solution

Experimental Results

Concluding remarks and future work

Page 5: by Marco Maggioni mmaggi3@uic

Outline

Introduction

Background

FIE Trusted FPGA Architecture

Proposed Solution

Experimental Results

Concluding remarks and future work

Page 6: by Marco Maggioni mmaggi3@uic

FPGA

• FPGA technology
– Joins HW performance with SW flexibility
– Cost-efficient for low-volume, specific products
• Sensitive commercial applications
• Sensitive government & military applications

• Definition: Trusted FPGA Design
– An FPGA-based deployed application in which the functionality currently implemented is exactly what was designed and no more
– It implies a trusted design workflow to secure a relatively untrusted process

Page 7: by Marco Maggioni mmaggi3@uic

Tampering

• Tampering an FPGA circuit
– It is a modification of some CLBs
– It can also be logic insertion in unoccupied CLBs

• Possible attack points in a COTS process

Page 8: by Marco Maggioni mmaggi3@uic

FPGA integrated countermeasures

• Current FPGA devices offer some security features
• Bitstream encoding and encryption
– Protects the intellectual property of the application
• Bitstream signature
– Protects the integrity of the IP cores

• Not enough to tackle all the weaknesses shown
• A trust-checking technique is necessary
– Functionality based
– On chip
– Capable of detecting added logic

Page 9: by Marco Maggioni mmaggi3@uic

This Thesis is about...

• We will present a completely integrated approach...
– Add self-checking circuits beside the original design

• Basic problem in its architecture
– Based on multiplexers implemented in FPGA logic
– Really expensive in terms of area: a 2:1 mux is implemented with an entire k-LUT

Page 10: by Marco Maggioni mmaggi3@uic

This Thesis is about...

• We will propose...
– An architectural modification to the self-checking structure
– Some algorithmic approaches to reduce the hardware overhead due to multiplexers

Page 11: by Marco Maggioni mmaggi3@uic

What's next...

Introduction

Background
S. Dutt and L. Li, “Trust-Based Design and Check of FPGA Circuits Using Two-Level Randomized ECC Structures,” accepted (subject to minor revisions), ACM Transactions on Reconfigurable Technology and Systems (TRETS), Special Issue on Security in Reconfigurable Systems Design, 2008.

FIE Trusted FPGA Architecture

Proposed Solution

Experimental Results

Concluding remarks and future work

Page 12: by Marco Maggioni mmaggi3@uic

ECC parity code

• The ECC parity scheme is a well-known technique for error detection
• Organize data in Parity Groups (PG)
– Rows and columns
• Based on information redundancy
– A parity bit c for each PG
– Even (XOR) or odd (XNOR) parity
• Possible masking
– 4 tampers placed in a 2x2 subarray

Page 13: by Marco Maggioni mmaggi3@uic

Background

• The cited article provides a complete technique for trusted FPGA design
• On chip
– The deployed design is capable of starting a self-checking phase in which each tamper is detected
• Functionality based
– An Error Correction Code is applied to all the CLB outputs, so functionality changes are detected
• Test Pattern Generator and Output Response Analyzer
– Added components used to stimulate each possible input combination and to verify it
• Two-level randomization
– Makes masking virtually impossible (low probability)

Page 14: by Marco Maggioni mmaggi3@uic

2D ECC parity code on FPGA array

• Basic idea...
– We impose the same ECC scheme on the reconfigurable elements of the FPGA...
• This means...
– Parity Groups are composed of CLB outputs
– Add a TPG to stimulate all the CLB functionality with an exhaustive set of test vectors I_i
– Add a parity function for each PG to check that the parity of the other elements is not modified
– Add an ORA to produce a Parity Vector (in the even case PV = [0 0 ... 0]), that is, the parity of the PG for each test vector I_i
– The check fails or passes depending on whether the PV is the expected one (in the even case, the zero vector)

Page 15: by Marco Maggioni mmaggi3@uic

2D ECC parity code on FPGA array

• Overall architecture...
• Each tamper is detected as a functionality change
• The 2D code also covers the unused CLBs
– This prevents insertion of added logic

Page 16: by Marco Maggioni mmaggi3@uic

Randomized Parity Groups

• 2D rows-and-columns PG placement
– It is easily defeated by masking
• Solution: randomize the PG composition
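
The masking weakness of row/column parity groups and the effect of randomizing the PG composition, as an added simulation that is not part of the original slides. It assumes every CLB is a 4-input LUT driven by the same exhaustive test vectors, that each CLB belongs to two PGs (as in the 2D scheme), and a constructed 6x6 array; all function names are hypothetical.

```python
import random
from functools import reduce
from operator import xor

K = 4                   # LUT inputs; the TPG applies all 2**K test vectors
TABLES = 1 << (1 << K)  # a CLB function is a 2**K-bit truth table (one bit per vector)

def make_design(n, rng):
    """Constructed n x n array: one random truth table per CLB."""
    return {(r, c): rng.randrange(TABLES) for r in range(n) for c in range(n)}

def grid_groups(n):
    """Plain 2D scheme: one parity group (PG) per row and per column."""
    return ([[(r, c) for c in range(n)] for r in range(n)] +
            [[(r, c) for r in range(n)] for c in range(n)])

def random_groups(n, rng, covers=2):
    """Randomized composition: each cover is a random partition into PGs of n CLBs."""
    cells = [(r, c) for r in range(n) for c in range(n)]
    groups = []
    for _ in range(covers):
        rng.shuffle(cells)
        groups += [cells[i:i + n] for i in range(0, len(cells), n)]
    return groups

def pg_parity(design, group):
    """XOR of the member truth tables: parity of the PG for every test vector."""
    return reduce(xor, (design[cell] for cell in group), 0)

def trust_check(golden, deployed, groups):
    """ORA model: the parity function is fixed from the golden design at design
    time; pass only if every PG's parity vector is all zero (even parity)."""
    return all((pg_parity(deployed, g) ^ pg_parity(golden, g)) == 0 for g in groups)

def tamper(design, cells, delta):
    """Copy of the design with each listed CLB's output flipped on the vectors in delta."""
    bad = dict(design)
    for cell in cells:
        bad[cell] ^= delta
    return bad

def demo(trials=200, seed=1, n=6):
    rng = random.Random(seed)
    golden = make_design(n, rng)
    one = tamper(golden, [(0, 0)], 0b1)
    square = tamper(golden, [(1, 1), (1, 2), (2, 1), (2, 2)], 0b1010)
    grid = grid_groups(n)
    caught = sum(not trust_check(golden, square, random_groups(n, rng))
                 for _ in range(trials))
    return trust_check(golden, one, grid), trust_check(golden, square, grid), caught
```

`demo()` returns three values: whether a single tampered CLB passes the row/column check, whether the 2x2 pattern passes it, and how many of the random PG compositions flag that same 2x2 pattern.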

Page 17: by Marco Maggioni mmaggi3@uic

Randomized Polarity

• The 2D ECC scheme doesn't cover the TPG and ORA
• Trivial tampering
– Change the TPG to supply a certain test vector
– Change the ORA to always show an even parity
• For each test vector and each PG, we randomly choose the expected parity as even or odd
– Example of expected PV = [0 1 0 0 1 .... 1 1 0]
– An inserted tamper doesn't know the polarities, so it is very unlikely to match the correct one for each PG

Page 18: by Marco Maggioni mmaggi3@uic

Trusted FPGA Design Workflow

Page 19: by Marco Maggioni mmaggi3@uic

Implementation Approaches

• Non Integrated Embedding (NIE)
– TPG, ORA and parity functions are loaded and routed dynamically onto the FPGA at the trust-checking phase
• Partially Integrated Embedding (PIE)
– TPG, ORA and parity functions are already placed, and the trust-checking phase corresponds to a re-routing
• Fully Integrated Embedding (FIE)
– TPG, multiple ORAs and parity functions are already placed and routed onto the FPGA. This technique requires a considerable amount of overhead.

Page 20: by Marco Maggioni mmaggi3@uic

What's next...

Introduction

Background

FIE Trusted FPGA Architecture
– Basic structure and multiplexer overhead
– Cone-based architecture

Proposed Solution

Experimental Results

Concluding remarks and future work

Page 21: by Marco Maggioni mmaggi3@uic

FIE Trusted FPGA Architecture

Consider the FPGA slice as the basic functional element...

Page 22: by Marco Maggioni mmaggi3@uic

Reference FPGA architecture

• Virtex 4 family slice
• Roughly, it contains
– two 4-LUTs
– two flip-flops
– 16 inputs
– 11 outputs

Page 23: by Marco Maggioni mmaggi3@uic

Multiplexer Overhead

• Roughly, each slice uses 7 inputs
• Each 2:1 multiplexer is implemented with a LUT
• This leads immediately to an overhead of 350% with respect to the circuit size
• In fact, we have that...

Page 24: by Marco Maggioni mmaggi3@uic

Cones structure

• Basic idea
– Instead of verifying each single slice, we consider a larger subcircuit composed of a subset of slices
• Cones
– Subcircuits whose structure follows a certain shape (many inputs flow into a single output)
• Goal of the cone structure
– Avoid the use of multiplexers for internal connections
• Trade-off
– Covering vs. complexity

Page 25: by Marco Maggioni mmaggi3@uic

Cones structure

• Example of multiplexer covering using a cone...

Page 26: by Marco Maggioni mmaggi3@uic

Cone Based Parity Groups

• Now, a PG is composed of cone outputs...

Page 27: by Marco Maggioni mmaggi3@uic

Cone Based Trusted FPGA workflow

Page 28: by Marco Maggioni mmaggi3@uic

What's next...

• Introduction

• Background

• FIE Trusted FPGA Architecture

• Proposed Solution
– Cone constraints
– Algorithmic approaches for cone generation

• Experimental Results

• Concluding remarks and future work

Page 29: by Marco Maggioni mmaggi3@uic

Cone Constraints

• Cone constraints to consider in the cone construction...
– Multi fan-out
  • Each cone output depends on a subset of inputs... the number of needed TPG lines is the largest cardinality
– TPG size
  • Imposed parameter at which we stop cone expansion
– Sequential constraint
  • We compose the cone subcircuit so as to preserve combinatorial testability... no 2 sequential elements on the same internal path
– Non-overlapping
  • Considering the multi-fan-out structure, two overlapping cones can be covered by a single cone

Page 30: by Marco Maggioni mmaggi3@uic

Approaches for cone generation

• We introduce an architectural modification
– Input multiplexers vs. net multiplexers
• This leads to immediate improvements...

Page 31: by Marco Maggioni mmaggi3@uic

Cone generation algorithm

• Two phases
– Seed selection and cone expansion
• Based on random seed
– More difficult to reverse engineer the cone architecture

Page 32: by Marco Maggioni mmaggi3@uic

Fan based approach

• Move set...
– Single slice insertions
– Selected on the cone boundary
– Respect constraints
• Metric...
– S := slice, N’ := slice’s nets connected to cone
– POC := points of connection
– rank_n := net’s cone POC / total net’s POC

Page 33: by Marco Maggioni mmaggi3@uic

Net Driven approach

• Move...
– Slices subset insertion
– Covers an exposed net
– Respects constraints
• Metric...
– m_n := move related to net n
– N := nets added by move m_n
– Internal(N) := nets that after the move have all internal POC

Page 34: by Marco Maggioni mmaggi3@uic

Net Driven Look-ahead approach

• Move
– Look-ahead for 2nd level
– Covers two exposed nets
• Same metric...
• Variation with combinations...
– Enrich the move set with the combination of the best 3 sets (in terms of the metric) for each 1st level net

Page 35: by Marco Maggioni mmaggi3@uic

What's next...

• Introduction

• Background

• FIE Trusted FPGA Architecture

• Proposed Solution

• Experimental Results
– Algorithmic approaches
– Simulation of a cones PG

• Concluding remarks and future work

Page 36: by Marco Maggioni mmaggi3@uic

Results for algorithmic approaches

• Benchmarks ITC'99
– Provided by the CAD group of Politecnico di Torino
• Platform
– Mac OSX, iMac, Intel Core 2 Duo, 2.66 GHz, 2 Gb RAM
• Experimental purpose...
– Show the multiplexer overhead for each algorithmic approach alongside the solution quality improvement
– Estimate the total overhead (considering TPG, ORAs and check logic) associated with each solution

Page 37: by Marco Maggioni mmaggi3@uic

Results for algorithmic approaches

• Fan based approach...

• Net driven approach...

Page 38: by Marco Maggioni mmaggi3@uic

Results for algorithmic approaches

• Net driven look-ahead approach...

• Net driven look-ahead with combinations approach...

Page 39: by Marco Maggioni mmaggi3@uic

Results for algorithmic approaches

• Comparative results…

Page 40: by Marco Maggioni mmaggi3@uic

Simulation of a cones Parity Group

• Benchmark b14 ITC'99
– Generation of 5 cones with an arbitrary approach
– Behavioural simulation of the cone PG
– Insertion of 25 different tampers (logic/seq/int)
• Platform
– Windows XP, iMac, Intel Core 2 Duo, 2.66 GHz, 2 Gb RAM
– Xilinx ISE 10.1
• Experimental purpose...
– Show the correctness of the cone structure used in the PG trust-checking

Page 41: by Marco Maggioni mmaggi3@uic

Simulation of a cones Parity Group

• Simulation schematic...

Page 42: by Marco Maggioni mmaggi3@uic

Simulation of a cones Parity Group

• Without tamper insertion...

• With tamper insertion (Pd=100%)...

Page 43: by Marco Maggioni mmaggi3@uic

What's next...

• Introduction

• Background

• FIE Trusted FPGA Architecture

• Proposed Solution

• Experimental Results

• Concluding remarks and future work

Page 44: by Marco Maggioni mmaggi3@uic

Future Work

• Develop automated CAD tools to produce concrete trusted FPGA designs
• Algorithmic enhancements for cone generation
– Check logic awareness
– Clever seed placement
• Different ECC schemes
• Integration of routing tamper techniques

Page 45: by Marco Maggioni mmaggi3@uic

Concluding Remarks

• Achieved results...
– Active contribution to the emerging research on trust-checking mechanisms to detect intentional and unintentional tampers
– Area-efficient implementation of a Fully Integrated Embedded Trusted FPGA Design obtained with
  • Architectural modification using cones
  • Algorithmic approaches for cone generation

Page 46: by Marco Maggioni mmaggi3@uic

Questions