Extended Abstract: Covert Channels and Data Exfiltration from FPGAs

Abstract

In complex FPGA designs, implementations of algorithms and protocols from third-party sources are common. However, the monolithic nature of FPGAs means that all subcircuits share common on-chip infrastructure, such as routing resources. This presents an attack vector for all FPGAs that contain designs from multiple vendors, especially for FPGAs used in multi-tenant cloud environments, or integrated into multi-core processors: hardware imperfections can be used to infer high-level state and break security guarantees. In this paper, we demonstrate how “long” routing wires present can be used to for covert communication between disconnected cores, or by a malicious core to exfiltrate secrets. The information leakage is measurable for both static and dynamic signals, and that it can be detected using small on-board circuits. In our prototype we achieved 6 kbps bandwidth and 99.9% accuracy, and a side channel which can recover signals kept constant for only 128 cycles, with an accuracy of more than 98.4%.