The purpose of this book is to provide a practical approach to managing security in FPGA designs for researchers and practitioners in the electronic design automation (EDA) and FPGA communities, including corporations, industrial and government research labs, and academics. This book combines theoretical underpinnings with a practical design approach and worked examples for combating real-world threats. To address the spectrum of lifecycle and operational threats against FPGA systems, a holistic view of FPGA security is presented, from formal top-level specification to low-level policy enforcement mechanisms, which integrates recent advances in the fields of computer security theory, languages, compilers, and hardware. The net effect is a diverse set of static and runtime techniques that, working in cooperation, facilitate the composition of robust, dependable, and trustworthy systems using commodity components.
We wish to acknowledge the many people who helped us ensure the success of our work on reconfigurable hardware security. In particular, we wish to thank Andrei Paun and Jason Smith of Louisiana Tech University for providing us with a Linux-compatible version of Grail+. We also wish to thank those who gave us comments on drafts of this book, including Marco Platzner of the University of Paderborn, and Ali Irturk and Jason Oberg of the University of California, San Diego. This research was funded in part by National Science Foundation Grant CNS-0524771 and NSF Career Grant CCF-0448654.
Monterey, CA, USA    Ted Huffmire
                     Cynthia Irvine
                     Thuy D. Nguyen
                     Timothy Levin
La Jolla, CA, USA    Ryan Kastner
Santa Barbara, CA, USA    Timothy Sherwood
Contents

1 Introduction and Motivation
  1.1 The Growing Reliance on FPGAs
    1.1.1 FPGAs for Aerospace
    1.1.2 FPGAs for Supercomputing
    1.1.3 FPGAs for Video Analysis
    1.1.4 FPGAs for High-Throughput Cryptography
    1.1.5 FPGAs for Intrusion Detection and Prevention
  1.2 FPGA Architectures
    1.2.1 The Attractiveness of Reconfigurable Hardware
    1.2.2 The Internals of an FPGA
    1.2.3 Design Flow
  1.3 The Many Facets of FPGA Security
    1.3.1 Security Is Hard
    1.3.2 Complexity and Abstraction
    1.3.3 Baked in Versus Tacked on
    1.3.4 Separation of FPGA Cores
  1.4 Organization of This Book
  References

2 High Assurance Software Lessons and Techniques
  2.1 Background
  2.2 Malicious Software
    2.2.1 Trojan Horses
    2.2.2 Subversion
  2.3 Assurance
  2.4 Commensurate Protection
    2.4.1 Threat Model
  2.5 Security Policy Enforcement
    2.5.1 Types of Policies
    2.5.2 Policy Enforcement Mechanisms
    2.5.3 Composition of Trusted Components
  2.6 Assurance of Policy Enforcement
    2.6.1 Life Cycle Support
    2.6.2 Configuration Management
    2.6.3 Independent Assessment
    2.6.4 Dynamic Program Analysis
    2.6.5 Trusted Distribution
    2.6.6 Trusted Recovery
    2.6.7 Static Analysis of Program Specifications
  References

3 Hardware Security Challenges
  3.1 Malicious Hardware
    3.1.1 Categories of Malicious Hardware
    3.1.2 Foundry Trust
    3.1.3 Physical Attacks
  3.2 Covert Channel Definition
    3.2.1 The Process Abstraction
    3.2.2 Equivalence Classes
    3.2.3 Formal Definition
    3.2.4 Synchronization
    3.2.5 Shared Resources
    3.2.6 Requirements
    3.2.7 Bypass
  3.3 Existing Approaches to Limiting Covert and Side Channel Attacks
    3.3.1 Shared Resource Matrix Methodology
    3.3.2 Cache Interference
    3.3.3 FPGA Masking Schemes
  3.4 Detecting and Mitigating Covert Channels on FPGAs
    3.4.1 Design Flows
    3.4.2 Spatial Isolation
    3.4.3 Memory Protection
  3.5 Policy State as a Covert Storage Channel
    3.5.1 Stateful Policies
    3.5.2 Covert Channel Mechanism
    3.5.3 Encoding Schemes
    3.5.4 Covert Storage Channel Detection
    3.5.5 Covert Channel Mitigation
  References

4 FPGA Updates and Programmability
  4.1 Introduction
  4.2 Bitstream Encryption and Authentication
    4.2.1 Key Management
    4.2.2 Defeating Bitstream Encryption
  4.3 Remote Updates
    4.3.1 Authentication
    4.3.2 Trusted Recovery
  4.4 Partial Reconfiguration
    4.4.1 Applications of Partial Reconfiguration
    4.4.2 Hot-Swappable vs. Stop-the-World
    4.4.3 Internal Configuration Access Port
    4.4.4 Dynamic Security and Complexity
    4.4.5 Object Reuse
    4.4.6 Integrity Verification
  References

5 Memory Protection on FPGAs
  5.1 Overview
  5.2 Memory Protection on FPGAs
  5.3 Policy Description and Synthesis
    5.3.1 Memory Access Policy
    5.3.2 Hardware Synthesis
  5.4 A Higher-Level Specification Language
  5.5 Example Policies
    5.5.1 Controlled Sharing
    5.5.2 Access List
    5.5.3 Chinese Wall
    5.5.4 Bell and LaPadula Confidentiality Model
    5.5.5 High Water Mark
    5.5.6 Biba Integrity Model
    5.5.7 Redaction
  5.6 System Architecture
  5.7 Evaluation
  5.8 Using the Policy Compiler
  5.9 Constructing Mathematically Precise Policies
    5.9.1 Cross Product Method
    5.9.2 Examples
    5.9.3 Monotonic Policy Changes
    5.9.4 Formal Aspects of Hybrid Policies
  5.10 Summary
  References

6 Spatial Separation with Moats
  6.1 Overview
  6.2 Separation
  6.3 Physical Isolation with Moats
  6.4 Constructing Moats
    6.4.1 The Gap Method
    6.4.2 The Inspection Method
    6.4.3 Comparing the Gap and Inspection Methods
  6.5 Secure Interconnect with Drawbridges
    6.5.1 Drawbridges for Direct Connections
    6.5.2 Route Tracing with Partial Reconfiguration
    6.5.3 Drawbridges for Shared Bus Architectures
  6.6 Protecting the Reference Monitor with Moats
  References

7 Putting It All Together: A Design Example
  7.1 A Multi-Core Reconfigurable Embedded System
  7.2 On-Chip Peripheral Bus
  7.3 AES Core
  7.4 Logical Isolation Compartments
  7.5 Reference Monitor
  7.6 Stateful Policy
  7.7 Secure Interconnect Scalability
  7.8 Covert Channels
  7.9 Incorporating Moats and Drawbridges
  7.10 Implementation and Evaluation
  7.11 Software Interface
  7.12 Security Usability
  7.13 More Example Security Architectures
    7.13.1 Classes of Designs
    7.13.2 Topologies
  7.14 Summary
  References

8 Forward-Looking Problems
  8.1 Trustworthy Tools
  8.2 Formal Verification of Secure Systems
  8.3 Security Usability
  8.4 Hardware Trust
  8.5 Languages
  8.6 Configuration Management
  8.7 Securing the Supply Chain
  8.8 Physical Attacks on FPGAs
  8.9 Design Theft and Failure Analysis
  8.10 Partial Reconfiguration and Dynamic Security
  8.11 Concluding Remarks
  References

A Computer Architecture Fundamentals
  A.1 What Do Computer Architects Do All Day?
  A.2 Tradeoffs Between CPUs, FPGAs, and ASICs
  A.3 Computer Architecture and Computer Science
  A.4 Program Analysis
    A.4.1 The Science of Processor Simulation