Extended Abstract: Covert Channels and Data Exfiltration From FPGAs

Ilias Giechaskiel¹, Ken Eguro² and Kasper Rasmussen³
¹ Independent Researcher, United Kingdom
ilias.giechaskiel@gmail.com
² Microsoft Research, Redmond, WA, USA
eguro@microsoft.com
³ University of Oxford, Oxford, United Kingdom
kasper.rasmussen@cs.ox.ac.uk

ABSTRACT


In complex FPGA designs, implementations of algorithms and protocols from third-party sources are common. However, the monolithic nature of FPGAs means that all subcircuits share common on-chip infrastructure, such as routing resources. This presents an attack vector for all FPGAs that contain designs from multiple vendors, especially for FPGAs used in multi-tenant cloud environments or integrated into multi-core processors: hardware imperfections can be used to infer high-level state and break security guarantees. In this paper, we demonstrate how “long” routing wires can be used for covert communication between disconnected cores, or by a malicious core to exfiltrate secrets. The information leakage is measurable for both static and dynamic signals, and it can be detected using small on-board circuits. In our prototype, we achieved 6 kbps bandwidth and 99.9% accuracy, as well as a side channel that can recover signals kept constant for only 128 cycles with an accuracy of more than 98.4%.


