Fault Attacks on SRAM-based FPGAs: Analysis of Laser-induced Faults in a Virtex-II
←
→
Transcription du contenu de la page
Si votre navigateur ne rend pas la page correctement, lisez s'il vous plaît le contenu de la page ci-dessous
Fault Attacks on SRAM-based FPGAs:
Analysis of Laser-induced Faults in a Virtex-II
V. Maingot, J.B. Ferron, G. Canivet, R. Leveugle
TIMA Laboratory
Presented by G. Canivet
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble
Outline
• Introduction
• Experimental settings
• Results
• Conclusion & Perspectives
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 2Introduction
• Increasing use of systems requiring a high level of
Safety and/or Security (Pay-TV, Banking, car industry,
aeronautics …).
• Operate under harsh environment
– Ionizing radiations, particles …
– Intentional perturbations (fault-based attacks).
• Faults can modify:
– In ASICs: mainly processed Data.
– In SRAM-based FPGAs: both Processed Data and Function
Definition (configuration errors)
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 3Outline
• Introduction
• Experimental settings
• Results
• Conclusion & Perspectives
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 4ATLAS laser testing facility
• Pulsed laser facility of the IMS Lab
from University of Bordeaux
• Composed:
– 2 Ultra-short pulsed laser sources
– Several optical benches
– Complete set of instrumentation
• Pulses are focused on the DUT by
objectives
• Laser pulse energy is typically 1nJ.
• Characteristics for our campaigns
– Wavelength : 950ŋm
– Spot size : 5µm
– Maximum speed: 200µm/s
– Pulse repetition: 400Hz
– Multiple laser shots
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 5THESIC+ testbed and the DUT
• Testbed for Harsh Environment Studies on Integrated
Circuits
• Build around 2 FPGAs Ressources COM
– COM FPGA available FPGA
• Leon2 processor
• Communication
– Chipset FPGA
Chipset
• User Design DUT
FPGA
• Device Under Test
– Xilinx Virtex-II XC2V1000
– 0.15µm CMOS, 8-layer metal
– 896-pin flip-chip fine-pitch package
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 6SEFEA – ProD : bit-stream analysis tool
• Bit stream Analysis:
– Matrix Tile View: Matrix Frame View Schematic Tile View Matrix Tile View
• View of the configuration
memory as a tile array
(showing used tiles).
• Predicted criticality of each
configuration bit.
– Schematic Tile View:
• resources used in each CLB
tile (Interconnections,
registers & LUT).
– Matrix Frame View:
• matrix tile view with bits
grouped by frame.
• Comparison between 2
bit-streams:
– Used for fault effect analysis
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 7Campaign example
• 51 Experiments
• Each experiment: scan of a given area, multiple laser
shots
• Static campaign, several configuration bit-streams
• Goal: error activations, global view of possible
configuration modifications, demonstration of the
analysis tool capabilities
• Future extension: characterization of patterns obtained
after single shots
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 8Outline
• Introduction
• Experimental settings
• Results
• Conclusion & Perspectives
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 9Repartition of faulted bits
Average Number of faulted bits
70
60
50
40
Bits initially at 1
Bits initially at 0
30
20
10
0
CLB CLBIO GCLK IOB IOI BRAM BRAM I
Bits initially at 1 46,32 0 0 0 0 0 0,59
Bits initially at 0 12,4 0,39 0 0,02 0,02 36,57 3,66
• Most sensitive elements: • Faulted ‘1’ principally in CLBs:
– CLB & BRAM – ‘0’ value by default
– Most of the area of the – More elements configured in
FPGA CLBs (highest density of ‘1’ is in
CLB tiles)
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 10Repartition of faulted CLB bits
• More precise repartition Bit Type Total Logic Interco.Unknown
• 3 categories: Average
80.95 34.49 44.15 2.31
– Logic Config. (LUTs, User Number
memory..) Percent 58.75 25.02 32.03 1.68
– Interconnection Configuration
– Unknown (inaccessible by JBits)
• Flip-Flop contents defined by a single bit
• LUTs: Truth tables included in the bitstream
– Modification of the initial function
– No modification
• Interconnection:
– Single connection: between 1 and 3 configuration bits
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 11CLB interconnection structure
B1 B2 B3 B4 B5
• 90.3% of interconnections
defined by 2 bits XQ0
– 2 bits activated per connected
resource (single link) XQ1
OMUX 9
– Each bit defines the
YQ0
reachable sources
– Connected sources in the
YQ1
intersection of activated lists
• Bit OMux9(B1) : XQ0, XQ1
• In average: • Bit OMux9(B2) : YQ0, YQ1
– 9 bits / resource • Bit OMux9(B3) : XQ0
– 4 sources / bit • Bit OMux9(B4) : XQ1, YQ0
• Bit OMux9(B5) : YQ1
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 12CLB interconnection modifications
Connected wires Unconnected wires
• No initial connection:
– 86% no effect
– In average 3 bit-flips to create
• Existing connection:
…
…
…
– Connection maintained in more
than 50% of the cases (Added)
…
…
…
Modified Suppressed Added No effect No effect Created
– Effect depends on neighbor CLB
: CLB interconnection : CLB wire
Initial state Connected Unconnected
Effect on
Modified Suppressed Added No effect No effect Created
connection
Av num of mod.
7.1 20.4 29 0 1163.1 187.4
patterns
Percent 0.5% 1.5% 2.1% 0% 82.7% 13.3%
Av num of bit-
2.3 1.5 1.7 n/a 1.4 3.1
flips per pattern
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 13Average number of faulted bits per CLB
• Configuration bits: Value
Overall Bits at ‘1’ Bits at ‘0’
– Original Bit-stream Category
– Faulted Golden Bit-stream 1760 212.80 1547.20
• Density: Compare
Faulted bits 9.15 2.37 6.78
probabilities to flip a bit
• P(‘1’) ≥ 2.5 * P(‘0’) Bit flip Probability 0.52 1.11 0.44
• Higher probability to
suppress an interconnection
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 14Outline
• Introduction
• Experimental settings
• Results
• Conclusion & Perspectives
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 15Conclusion
• Quick overview of our fault effect analysis flow
• Results of preliminary analyses
– Modification of the functionality of the circuit
• Localisation of sensitive elements
• Classification of error patterns
• Insight of some effect
– Higher probability to flip a ‘1’ than a ‘0’
– Effect on CLB interconnections
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 16Perspectives
• Development of an accurate fault model
– Error patterns due to single laser shots
– Link with emulation-based fault injection techniques for
dependability evaluation at design time
– Functional characterization of bit-stream modifications
• Study of dynamic effects
• Development of efficient protections against faults
adapted to SRAM-based FPGAs
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 Grenoble 17Thank you for your attention
© 2006. Tous droits réservés.
Toute reproduction totale ou partielle sur quelque support que ce soit ou utilisation du contenu de ce document est interdite sans l’autorisation écrite préalable
All rights reserved. Any reproduction in whole or in part on any medium or use of the information contained herein is prohibited without the prior written consent
TIMA Laboratory, 46 Av. Felix Viallet – F 38031 GrenobleVous pouvez aussi lire
