Slashdot Mirror
FPGA Bitstream Security Broken
NumberField writes "Researchers in Germany released a pair of papers documenting severe power analysis vulnerabilities in the bitstream encryption of multiple Xilinx FPGAs. The problem exposes products using FPGAs to cloning, hardware Trojan insertion, and reverse engineering. Unfortunately, there is no easy downloadable fix, as hardware changes are required. These papers are also a reminder that differential power analysis (DPA) remains a potent threat to unprotected hardware devices. On the FPGA front, only Actel seems to be tackling the DPA issue so far, although their FPGAs are much smaller than Xilinx's."
As transistors switch they create little glitches in the power supply, or rather they consume a little more or less current than at the previous steady state (where steady state may be nanoseconds long). By correctly interpreting the changes in current consumption the encryption key can be read.
For the car analogy (this is slashdot after all) think of it as monitoring fuel flow to extrapolate acceleration, speed and distance.
An FPGA is sort of like a PROM except that instead of memory circuits you program logic circuits into it.
If this hack allows people to reverse-engineer the chip, they can basically dump its logic diagram, which means that they could copy it. As I understand it, it's normally pretty hard to reverse-engineer a microchip, so this is a pretty significant breakthrough.
Is this the good kind of security breach, which enables end users to do new things with their FPGAs? Or the bad kind, that enables attackers to do malicious things with others FPGAs? Or both?
This attack is only useful when an FPGA is programmed by a third-party manufacturer using a canned encrypted bitstream provided by someone else. This is the case for many products nominally made by US, Japanese, or Taiwanese firms but actually built in China. The attack allows someone with access to the encrypted bitstream to recover the unencrypted bitstream, from which they can potentially reverse-engineer the device and make changes.
An end user, who has only the programmed FPGA, can't do anything with this attack.
For background, here's a short note on where this technology is used.
There is only so much you can do. We put a fair amount of power supply filtering around FPGAs because of the switching noise, but the cost in board space and materials to make the switching undetectable would be astronomical. As HW engineers we're always asked to cram a little more in that space, and "do you really need that many capacitors?"
The company I work for (and the reason I'm posting anonymously) uses a bunch of FPGAs per board with man-years of code invested into them, and we usually use Xilinx parts. It's relatively trivial to get the bitstreams from our systems which hasn't bothered us since they're encrypted (or I guess they used to be).
Yet another idiot who doesn't understand the simple fact that the 'obvious' test is applied BEFORE the patent is public. Of course it is 'obvious' AFTER the patent is public. If you asked 100 people working in the field how to "defend against DPA and other side-channel attacks" BEFORE the patent (or anything using the patent, or any papers based on the patent, etc) was public, what percentage of them would have come up with the EXACT SAME WAY (not 'general concepts', the exact methods used) that CR did? It had better be very close to 100% if you are going to claim 'obvious'. If you ask these same 100 people AFTER the patent is public, 99 of them will claim that the CR method is 'obvious'.