Evaluating, Exploiting, and Hiding Power Side-Channel Leakage of Remote FPGAs

The pervasive adoption of field-programmable gate arrays (FPGAs) in both cyber-physical systems and the cloud has raised many security issues. Being integrated circuits, FPGAs are susceptible to fault and power side-channel attacks, which require physical access to the victim device. However, recent work demonstrated that physical proximity is no longer required for these attacks, as FPGA logic can be misused to create on-chip voltage sensors or power-wasting circuits. The work in this thesis explores the impact of FPGA-based voltage sensors on FPGA security and shows that sensors create new opportunities to evaluate, exploit, and hide power side-channel leakage in remote FPGAs.In the first part of this thesis, we demonstrate that voltage sensors can increase power side-channel security. In the case of deployed and no longer accessible cyber-physical devices, we show that FPGA-based voltage sensors allow designers to evaluate the power side-channel leakage after deployment, ensuring constant power side-channel security monitoring. Our results, comparable to state-of-the-art measuring equipment, move the leakage evaluation boundary from controlled lab environments to the field, allowing future work to combine leakage evaluation with other security measures such as tamper detection.In the second part of the thesis, we focus on evaluating the security impact of FPGA-based voltage sensors on multitenant FPGAs, and show that voltage sensors can evaluate, exploit, and hide power side-channel leakage. We demonstrate that a remote attacker can mount both statistical (correlation power analysis) and machine learning based attacks with the voltage sensors, emphasizing the need to deploy countermeasures in multitenant FPGAs. The work in this thesis was the first to show a successful remote power analysis attack on cloud FPGA instances and the first to provide an instruction-level leakage analysis of soft-core CPUs in a shared FPGA scenario. Motivated by the exploits, this thesis proposes a novel hiding technique against remote power side-channel analysis attacks: active wire fences. Our results show that active wire fences outperform the state-of-the-art hiding techniques in shared FPGAs. In the last part of the thesis, we explore more efficient and stealthy techniques for sensing on-chip voltage. We present the first stealthy routing-based FPGA sensor that outperforms the state of the art in remote power analysis attacks. With our stealthy sensor architecture, we show that detecting sensor circuits is not a scalable solution for guaranteeing security. Finally, this thesis evaluates the impact of external factors, specifically temperature, on FPGA-based voltage sensors and the success of remote power side-channel attacks in multitenant FPGAs. Our work shows that, if ignored, temperature effects on voltage sensors can lead to misleading attack results.