Securing FPGA Accelerators at the Electrical Level for Multi-tenant Platforms

Document Version
Accepted author manuscript

Link to publication record in Manchester Research Explorer

Citation for published version (APA):
La, T., Mätas, K., Pham, K., & Koch, D. (in press). Securing FPGA Accelerators at the Electrical Level for Multi-tenant Platforms. In 30th International Conference on Field-Programmable Logic and Applications (FPL)

Published in:
30th International Conference on Field-Programmable Logic and Applications (FPL)

Citing this paper
Please note that where the full-text provided on Manchester Research Explorer is the Author Accepted Manuscript or Proof version this may differ from the final Published version. If citing, it is advised that you check and use the publisher's definitive version.

General rights
Copyright and moral rights for the publications made accessible in the Research Explorer are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.

Takedown policy
If you believe that this document breaches copyright please refer to the University of Manchester’s Takedown Procedures [http://man.ac.uk/04Y6B0] or contact uml.scholarlycommunications@manchester.ac.uk providing relevant details, so we can investigate your claim.
Securing FPGA Accelerators at the Electrical Level for Multi-tenant Platforms

Tuan Minh La, Kaspar Matas, Khoa Dang Pham, and Dirk Koch
The University of Manchester, UK
{tuan.la, kaspar.matas, khoa.pham, dirk.koch}@manchester.ac.uk

Abstract—As FPGAs are now offered on the cloud, this exposes many potential security issues. This PhD project investigates current security issues and challenges when deploying FPGAs in the cloud as well as using FPGAs in a multi-tenancy scenario. By addressing practical threats, and most importantly, proposing feasible countermeasures, this paper shows preliminary results on protecting FPGAs for multi-tenant scenarios.

Index Terms—FPGA, reconfigurable computing, FPGA hardware security

I. INTRODUCTION

FPGAs are widely offered in cloud data centers (e.g., [1]), and there is consequently a strong need to investigate FPGA hardware security. As in a cloud service scenario, anybody can access an FPGA. This may enable an attacker to cause potential harm to the FPGA equipment [2] (see Figure 1).

In order to prevent potential malicious designs being deployed on an FPGA instance, cloud service providers commonly demand uploading netlists in order to run design rule checks (DRCs). Tests include static timing analysis and detecting Combinatorial feedback paths. These violations are currently used for FPGA attacks [2]. For example, DRC LUTLP* in the Xilinx tools indicates a LUT-based combinational loop, and if not mitigated, this may create race conditions or free-running oscillators which can be used to leak information or environmental parameters of a system. Additionally, accepting netlists only ensures that generated bitstreams are not corrupted through any post-processing step. As a last defense, power monitoring can be used to warn or stop potential malicious activities (e.g., through clock gating if the supply power consumption reaches a critical level [3]).

DRCs provided by the FPGA vendors are insufficient for security, as shown with several examples of malicious FPGA designs that can be deployed on AWS instances in Figure 2. However, monitoring is passive as it only detects malicious circuits after it is deployed.

The next section will survey current security issues of using FPGAs in the cloud and solutions to mitigate those. This work not only aims to provide the base for future multi-tenancy scenarios but also to move FPGA usage from the present FPGA-enabled Acceleration-as-a-Service (AaaS) offerings [1] to full FPGA-as-a-Service (FaaS) offerings [4], [5], where users may upload own bitstream.

II. CLOUD FPGA SECURITY THREATS

Cloud computing is not an uncommon target for abuse of security flaws. Amazon Elastic Cloud Computing (EC2) has a record of security (e.g., [6]). Moreover, hardware flaws threatening cloud infrastructures include rowhammer [7] attacks on DDR memory or Spectre [8] and Meltdown [9] which are exploiting side channels hidden through speculative execution.

The recent trend of cloud service providers to offer FPGAs has stimulated significant research in hardware security. Interestingly, virtually all recently published attacks on FPGAs use oscillators in some way. Oscillators help to precisely measure system states [10] as well as a circuit drawing excessive waste power (also known as power-hammering) [11].

Through wasting power, some malicious designs cause voltage drops through high-frequency switching activity. One of the easiest ways to generate high switching activity is through ring oscillators. A ring oscillator usually consists of an odd number of NOT gates. Our measurements in [12] show frequencies of ring-oscillators close to 6GHz, which is much faster than any real-world FPGA design would ever toggle. This is a primary reason why Amazon prohibits combinatorial loops in user designs [13]. However, there have been papers published showing ring oscillator designs that bypass the Xilinx vendor Design Rule Checking (DRC) [14], and the ring oscillators shown in Figure 2 are currently deployable on Amazon. They use 1) transparent latches, 2) asynchronous sets/resets, 3) FPGA primitives not considered for detecting combinational feedback loops (e.g., carry-chain logic, cascading multiplexers in Xilinx FPGA slices (F7MUX or F8MUX), or DSP blocks) [12], or 4) glitch amplification effects.

Glitches can be amplified through XOR gates [15], which has the property that any change at the input causes a change at the output. Therefore by adjusting routing delays, it is possible to physically implement an oscillator where the same source of a toggle flip-flop is routed to an XOR with different delays to create glitches that, in turn, are fed back to the toggle flip-flop for creating self-oscillation (Figure 2d).

We experimentally deployed all these oscillators on AWS F1 instances and can confirm that they can bypass DRCs and run as expected. AWS has a protection mechanism built in their shell (the static system of their instance that never changes) that gates the system clocks whenever a user exceeds their...
power or temperature envelope. However, by replacing the system clock by a ring-oscillator, we had been able to bypass this protection mechanism.

III. PROPOSED MITIGATION MECHANISM

Vendors suggest monitoring the FPGA in order to detect voltage drops and high current. However, this approach has the disadvantage that an attack is flagged after it happened. In order to prevent power-hammering and other kinds of attacks in the first place, it is better to enhance the vendor DRC checks to detect malicious designs before deployment. A first work proposing this approach [16], showed that ring oscillators could be detected directly in bitstreams for Lattice FPGAs. In [12] and [17], we introduced the open-source FPGA virus-scanner framework FPGADefender which allows checking for malicious constructs at the bitstream level [18] (see Figure 3) for all UltraScale+ FPGAs from the vendor Xilinx. With this in place, it would not be necessary to upload netlists to Amazon AWS (and with this exposing IP). Currently, FPGADefender virus scanner checks include:

- **Combinatorial Feedback Loop Detector.**
- **Fanout Detection.**
- **Disallowed Port Detection.**
- **Disallowed Path Detection.**
- **Short Circuit Detection.**

These detectors generate numerical scores that describe the maliciousness of a design, with a low score indicating a relatively benign design and a high score meaning the design employs many problematic components. These scores are then combined to produce a final score, which can then be used by the runtime system to decide if the design should be loaded.

IV. CONCLUSIONS

In conclusion, this PhD project continues exploring security issues on FPGAs. Alternative oscillators have been reported recently, but cloud service providers and vendor companies have not made any updates to mitigate these threats. This allows various remote attacks at the electrical level, which eventually can crash (or damage) the FPGA or the entire instance. Like DRC checks, our FPGADefender scanner is a proactive approach to protect an FPGA before any bitstream loading process.

With this work, we want to contribute to the currently very active research on FPGA hardware security in order to understand threat scenarios better and for providing mitigation mechanisms. While there is more research needed, we firmly believe that multi-tenancy as well as FPGA-as-a-Service can be accepted from a security point of view, and that bitstream scanning is the key technology to allow this.

ACKNOWLEDGEMENT

This work is kindly supported by the UK National Cyber Security Centre through the project fFAS (grant agreement 4212204/RFA 15971). We also thank the Xilinx University Program for providing tools and boards.

REFERENCES