Remote Side-Channel Attacks on Heterogeneous SoC

  • Joseph Gravellier
  • Jean-Max Dutertre
  • Yannick Teglia
  • Philippe Loubet Moundi
  • Francis Olivier
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11833)


Thanks to their performance and flexibility, FPGAs are increasingly adopted for hardware acceleration on various platforms such as systems on chip and cloud datacenters. Their use for commercial and industrial purposes raises concern about potential hardware security threats. By getting access to the FPGA fabric, an attacker could implement malicious logic to perform remote hardware attacks. Recently, several papers demonstrated that FPGAs can be used to eavesdrop on or disturb the activity of resources located within and outside the chip. In a complex SoC that contains a processor and an FPGA within the same die, we experimentally demonstrate that FPGA-based voltage sensors can eavesdrop on computations running on the CPU and that advanced side-channel attacks can be conducted remotely to retrieve the secret key of a symmetric crypto-algorithm.


Keywords: SoC, Remote attacks, FPGA, Time-to-digital converter, Voltage sensing, Side-channel attacks



Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. Mines Saint-Etienne, CEA-Tech, Centre CMP, Gardanne, France
  2. Thales, La Ciotat, France
