Anti-Tamper FPGA

Anti-tamper JTAG FPGA
Secure Hardware: What are the BIG challenges?
CJ Clark is the president and CEO of Intellitech Corp. He was the elected chairperson of the IEEE 1149.1 JTAG working group from 1996 to 2002. He has been active in other IEEE 1149.x working groups and has presented at International Test Conference, TECS (Testing Embedded Cores-Based Systems) Workshop, the Board Test Workshop, Ottawa Test Workshop and VLSI Test Symposium.
CJ serves on the University of New Hampshire College of Engineering and Physical Science (CEPS) Advisory Board. He also serves on the UNH Department of Electrical Engineering Advisory Board. He is co-inventor on three US patents related to scan-based test, two Canadian, one Taiwanese patent with others pending world-wide. His first job in test was in 1978 with Plantronics/Wilcom.
cclarkATintellitechdotcom
HOST 2009 1
JTAG Security
JTAG Hack – 169,000 results
Hacking Encouraged by Legit Biz
PCB Design Exposed
Andrew Huang – Hacking the Xbox
FPGAs and tools make it easier
Andrew Huang – Hacking the Xbox
Small PCB with FPGA is designed to match traces on XBOX. Once in place, it is used to snoop HyperTransport Bus
JTAG friend or foe?
Sophisticated company with no security experience?
Or intentionally making it easier?
DFT Standards – also give access
•IEEE 1149.1 – Test Access Port & Boundary Scan Standard
Layered on top of the 4 pin IC access of 1149.1:
•IEEE 1149.6 - Boundary Scan for AC coupled nets
•IEEE 1149.4 – Boundary Scan for Mixed Signal
•IEEE 1532 - FPGA configuration over 1149.1
•IEEE P1687 - Internal Instrument access w/ 1149.1
•IEEE ????? - A-Toggle Study Group
•IEEE ????? - SERDES BIST Study
IEEE P1149.7 – 2 Wire low-cost 1149.1
IEEE 1500 - SoC & Core test standard
IEEE P1581 - Static Interconnect for memories
Is it practical to shut JTAG off? (such as IMX32)
Cloning – doesn’t need JTAG
Future?
Trojan Bitstreams
Need protection:
- Non-authenticated bitstream loaded through JTAG into flash
- Military, Telecomm, Gaming, Voting, Consumer
[Diagram labels: FLASH; JTAG; Plain Text Trojan; Comm. Design inserted with backdoor; Backdoor; Plain Text; Cipher Text; Key; FPGA]
FPGA accepts unencrypted design despite presence of AES key
AES Security to the rescue?
Xilinx Virtex 4/5
- RAM based key – battery backed
- Use JTAG to program key
- 256 bit key
- Accepts bitstreams unencrypted
- Keys exposed to CM
Altera Stratix III
- RAM or ROM
- II – ROM based
- Need network blaster to program key
- 256 bit key
- Accepts bitstreams unencrypted
- Keys exposed to CM
Battery
Good for protection of IP
No pre-programming IC
Assumes attacker is not loading a trojan bitstream
Not available in Spartans and Cyclones
Battery/Key programmed PER FPGA
Alternate Security
Security initiated by FPGA
[Diagram labels: Common key; Maxim DS28E01; SHA1; Key; 1-wire; Design Enable; USER DESIGN; FPGA; PROM; JTAG]
Program both FPGA and pre-program Maxim Device with 64 bit SHA1 Key
Some logistics for manufacturing required for OBP over 1-wire
- keys exposed to CM
Trojan in PROM
- PROM/FLASH open to non-authenticated bitstream
Trojan/Hack proof FPGA Config
- Random data generated by FPGA
- SystemBIST reads via JTAG
- Generates hash
- Hash written via JTAG
- Good matching hash enables user logic
- 2nd ‘OK’ hash read via JTAG
- SystemBIST clears FPGA on bad hash
[Diagram labels: JTAG; Common key; Altera; Xilinx; Hash IP with JTAG access (shown twice)]
Key not exposed to CM
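The hash exchange listed on this slide, modelled in software as an added example (not code from the presentation or from Intellitech). Assumptions: HMAC-SHA256 stands in for the unspecified hash IP, the "REQ"/"OK" labels and all class and function names are hypothetical, JTAG transfers are modelled as method calls, and the second 'OK' hash is read as the FPGA proving key possession back to the controller.

```python
import hashlib
import hmac
import os

def keyed_hash(key, label, nonce):
    # Assumption: HMAC-SHA256 stands in for the slide's unspecified hash IP.
    return hmac.new(key, label + nonce, hashlib.sha256).digest()

class FpgaDesign:
    """Hypothetical model of a loaded bitstream that contains the hash IP."""
    def __init__(self, key):
        self._key = key            # common key embedded in the genuine design
        self._nonce = b""
        self.configured = True
        self.user_logic_enabled = False

    def read_challenge(self):      # random data generated by FPGA, read via JTAG
        self._nonce = os.urandom(16)
        return self._nonce

    def write_response(self, digest):   # hash written via JTAG
        expected = keyed_hash(self._key, b"REQ", self._nonce)
        self.user_logic_enabled = hmac.compare_digest(digest, expected)

    def read_ok_hash(self):        # 2nd 'OK' hash read via JTAG
        if not self.user_logic_enabled:
            return bytes(32)
        return keyed_hash(self._key, b"OK", self._nonce)

    def clear(self):               # controller wipes the configuration
        self.configured = False
        self.user_logic_enabled = False

def configure_and_verify(controller_key, fpga):
    """Controller side (the SystemBIST role on the slide)."""
    nonce = fpga.read_challenge()
    fpga.write_response(keyed_hash(controller_key, b"REQ", nonce))
    ok_hash = fpga.read_ok_hash()
    if not hmac.compare_digest(ok_hash, keyed_hash(controller_key, b"OK", nonce)):
        fpga.clear()               # bad hash: FPGA is cleared
        return False
    return True

KEY = bytes(range(32))             # constructed sample key
genuine = FpgaDesign(KEY)
trojan = FpgaDesign(bytes(32))     # constructed: bitstream without the real key
RESULTS = (configure_and_verify(KEY, genuine), configure_and_verify(KEY, trojan))
```

Because the challenge is fresh on every configuration, a response recorded from an earlier JTAG session does not enable the user logic.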
Biggest Challenge?
1) Convincing Hardware Designers that despite size/expertise of company and engineer, Security issues should be left to security experts!
2) PCB/System Level security
- Enabling JTAG w/o compromise
- Reducing snoop of system
Anti-Tamper Basics
- Ground planes on both sides of PCB
- Use blind vias under BGA packages to hide trace, prevent probing except with BGA removal
- Blacktop/Remark parts (0.50-$1.00 ea from Intellitech)
- Conformal coat
- Consider lockable JTAG gateway devices such as Intellitech Scan Ring Linker
- Anti-tamper FPGA Config via SystemBIST
- JTAG – shut off or run continuously, integrated with System mission?
Further Reading
Using the Design Security Feature in Stratix II and Stratix II GX Devices, Altera Corporation, July 2008.
http://www.altera.com/literature/an/an341.pdf
Trusted Design in FPGAs, Steve Trimberger, Xilinx, Design Automation Conference, 2007
http://videos.dac.com/44th/papers/1_2.pdf
Authentication of FPGA Bitstreams: Why and How, Saar Drimer, ARC 2007
http://www.springerlink.com/content/t71pqn4g7565w806/
A Code-less BIST Processor for Embedded Test and in-system configuration of Boards and Systems, CJ Clark, Intellitech Corp, Mike Ricchetti, ATI Research, ITC 2004,
http://www.intellitech.com/pdf/itc04sb.pdf
Design Security in Stratix III FPGAs, Altera Corporation
http://www.altera.com/products/devices/stratix-fpgas/stratix-iii/overview/architecture/st3-design-security.html
Secure Update Mechanism for Remote Update of FPGA-Based System, Benoît Badrignans, Reouven Elbaz and Lionel Torres. SEIS 2008,
http://ieeexplore.ieee.org/Xplore/login.jsp?url=/iel5/4569831/4577669/04577703.pdf?temp=x
Physical Unclonable Functions for Device Authentication and Secret Key Generation, G. Edward Suh, Srinivas Devadas
http://videos.dac.com/44th/papers/1_3.pdf
Xilinx® FPGA IFF Copy Protection with 1-Wire SHA-1 Secure Memories, Maxim,
http://www.maxim-ic.com/appnotes.cfm/an_pk/3826
An FPGA Design Security Solution Using a Secure Memory Device, Altera,
http://www.altera.com/literature/wp/wp-01033.pdf
Altera Configuration Handbook
http://www.altera.com/literature/lit-config.jsp
Xilinx Virtex-5 FPGA User Guide
http://www.xilinx.com/support/documentation/user_guides/ug190.pdf