
2010 | Book

Handbook of FPGA Design Security

Authors: Ted Huffmire, Cynthia Irvine, Thuy D. Nguyen, Timothy Levin, Ryan Kastner, Timothy Sherwood

Publisher: Springer Netherlands


About this book

The purpose of this book is to provide a practical approach to managing security in FPGA designs for researchers and practitioners in the electronic design automation (EDA) and FPGA communities, including corporations, industrial and government research labs, and academics. This book combines theoretical underpinnings with a practical design approach and worked examples for combating real world threats. To address the spectrum of lifecycle and operational threats against FPGA systems, a holistic view of FPGA security is presented, from formal top level specification to low level policy enforcement mechanisms, which integrates recent advances in the fields of computer security theory, languages, compilers, and hardware. The net effect is a diverse set of static and runtime techniques that, working in cooperation, facilitate the composition of robust, dependable, and trustworthy systems using commodity components.

We wish to acknowledge the many people who helped us ensure the success of our work on reconfigurable hardware security. In particular, we wish to thank Andrei Paun and Jason Smith of Louisiana Tech University for providing us with a Linux-compatible version of Grail+. We also wish to thank those who gave us comments on drafts of this book, including Marco Platzner of the University of Paderborn, and Ali Irturk and Jason Oberg of the University of California, San Diego. This research was funded in part by National Science Foundation Grant CNS-0524771 and NSF Career Grant CCF-0448654.

Table of Contents

Frontmatter
Chapter 1. Introduction and Motivation
Abstract
From Bluetooth transceivers to the NASA Mars Rover, FPGAs have become one of the mainstays of embedded system design. By merging properties of hardware and software, reconfigurable devices provide an attractive tradeoff between the performance of application-specific hardware and the programmability of CPUs. Although this flexibility allows developers to quickly prototype and deploy embedded systems with performance close to ASICs, this programmability can also be exploited to disrupt critical functionality, eavesdrop on encrypted communication, or even destroy a chip. Creating systems which are both efficient and flexible, yet fundamentally sound from a security point of view, is an exceedingly challenging endeavor for both researchers and practitioners. All too often the security aspects of a reconfigurable design are not addressed until far too late in the design process, resulting in systems that are protected only by their obscurity. This chapter presents an overview of Field Programmable Gate Array (FPGA) technologies from the viewpoint of security, specifically how and why these devices have grown in importance over the last decade to become one of the most trusted and critical elements of modern computer systems. This chapter also discusses their changing role from a platform for prototyping to a deployable solution, the architecture of a modern FPGA, the security ramifications of their increased use, and some of the lessons from the security community that may be applicable in this domain.
Ted Huffmire, Cynthia Irvine, Thuy D. Nguyen, Timothy Levin, Ryan Kastner, Timothy Sherwood
Chapter 2. High Assurance Software Lessons and Techniques
Abstract
To understand the principles needed to manage security in FPGA designs, this chapter presents lessons learned from the development of high assurance systems. These principles include risk assessment, threat models, policy enforcement, lifecycle management, assessment criteria, configuration control, and development environments.
Ted Huffmire, Cynthia Irvine, Thuy D. Nguyen, Timothy Levin, Ryan Kastner, Timothy Sherwood
Chapter 3. Hardware Security Challenges
Abstract
This chapter discusses the problem of malicious hardware, or gateware, on FPGAs. Categories of malicious hardware, the problem of foundry trust, and attacks facilitated by malicious inclusions are presented. This chapter also explains the problem of covert channels on FPGAs, with a formal definition of a covert channel in general and a description of the specific case of covert channels on FPGAs. Methods for detecting and mitigating these covert channels are also described.
Ted Huffmire, Cynthia Irvine, Thuy D. Nguyen, Timothy Levin, Ryan Kastner, Timothy Sherwood
Chapter 4. FPGA Updates and Programmability
Abstract
This chapter explains the security issues related to the programmability of FPGAs. FPGAs have the ability to change part or all of their configuration during runtime in the field. This chapter also explains how to prevent attackers from exploiting these features.
Ted Huffmire, Cynthia Irvine, Thuy D. Nguyen, Timothy Levin, Ryan Kastner, Timothy Sherwood
Chapter 5. Memory Protection on FPGAs
Abstract
This chapter describes a memory access policy language (Huffmire et al., Proceedings of the European Symposium on Research in Computer Security (ESORICS), Hamburg, Germany, September 2006), based on formal regular languages, and demonstrates how this language can express classical security policies, including isolation, controlled sharing, and Chinese wall. This chapter also describes a policy compiler (Huffmire et al., Proceedings of the European Symposium on Research in Computer Security (ESORICS), Hamburg, Germany, September 2006) that translates an access policy expressed in this language into a synthesizeable hardware module.
Ted Huffmire, Cynthia Irvine, Thuy D. Nguyen, Timothy Levin, Ryan Kastner, Timothy Sherwood
Chapter 6. Spatial Separation with Moats
Abstract
This chapter describes moats and drawbridges (Huffmire et al., Proceedings of the 2007 IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 2007), a method for separating multiple cores on a single reconfigurable chip. Moats provide logical isolation by placing cores into distinct areas of the chip in a verifiable manner. Drawbridges use interconnect tracing to statically verify that only legal connections between system elements are allowed and that interfaces carrying sensitive data have not been tapped or routed to other cores or I/O pads. To facilitate legal communication between cores, two alternative communication architectures are compared.
Ted Huffmire, Cynthia Irvine, Thuy D. Nguyen, Timothy Levin, Ryan Kastner, Timothy Sherwood
Chapter 7. Putting It All Together: A Design Example
Abstract
This chapter describes a design example that incorporates the security primitives from the earlier chapters. This embedded system is connected to two separate networks that require encryption. It consists of two processor cores and a shared AES encryption core, all on the same device. Further details about a similar system can be found in Huffmire et al. (ACM Transact. Des. Automat. Electron. Syst. (TODAES) 13(3):44, 2008).
Ted Huffmire, Cynthia Irvine, Thuy D. Nguyen, Timothy Levin, Ryan Kastner, Timothy Sherwood
Chapter 8. Forward-Looking Problems
Abstract
This chapter considers forward-looking problems, including trustworthy tools, formal verification of hardware designs, configuration management, languages, physical attacks, design theft, and securing the entire manufacturing supply chain.
Ted Huffmire, Cynthia Irvine, Thuy D. Nguyen, Timothy Levin, Ryan Kastner, Timothy Sherwood
Backmatter
Metadata
Title
Handbook of FPGA Design Security
Authors
Ted Huffmire
Cynthia Irvine
Thuy D. Nguyen
Timothy Levin
Ryan Kastner
Timothy Sherwood
Copyright Year
2010
Publisher
Springer Netherlands
Electronic ISBN
978-90-481-9157-4
Print ISBN
978-90-481-9156-7
DOI
https://doi.org/10.1007/978-90-481-9157-4