VME and Critical Systems
IP tag technology identifies stolen FPGA designs, tracks the security leak

By Paul Dillien, High Tech Marketing

Theft of sensitive military designs is not a new problem, but new technology development is providing a novel way to identify IP ownership and trace FPGA design theft with a noninvasive, nondestructive test. This is accomplished via an IP tag that emits coded thermal signals. The thermal signals can only be detected by authorized users, providing a discreet way of signaling internal conditions from a working chip. In addition, it can be adapted to help fight the growing problem of fake devices and monitor system status more effectively than RF tags or electrical signaling.

Today more military equipment than ever before is built using FPGAs to implement logic functions. There are sound economic arguments behind this, but it brings along a new possibility for design theft, which was not an issue when ASICs were widely used. This military attraction to FPGAs is spurred on because FPGAs are standard devices that offer the fastest time to market, and at the same time eliminate the steeply escalating costs associated with ASIC technology.

The “blank” FPGA devices supplied by the vendors are programmed by the user with a configuration file that, in effect, holds the complete logical design for the chip. This is unlike an ASIC where the sensitive design data never leaves the factory. Another worrying trend for FPGAs and other semiconductors is the “pollution” of the supply chain with counterfeit products (see Sidebar 1).

Additionally, the vast majority of FPGAs that ship today store their configuration in volatile SRAM memory and are programmed at power-on by an external bitstream loaded from a memory on the board. It is trivial for an enemy to intercept and copy these bitstreams, as shown in Figure 1. They can then produce cloned devices, “reverse engineer” the logic, or tamper with them to uncover information about the internal design. Bitstreams can optionally be encrypted, but the technique cannot be used on all devices. A few FPGAs allow the bitstream to be loaded at the factory and then maintained by a battery backup. This provides tamper resistance because the configuration is lost once the device or battery is removed. Outside of these exceptions lies the majority of devices shipping today, including the lower-cost families.

Figure 1: Since most FPGAs are programmed at power-on by an external bitstream loaded from board memory, it is trivial for an enemy to intercept and copy these bitstreams.

Sidebar 1: A growing concern in the semiconductor industry is the rise in the number of counterfeit devices of all types finding their way into the market.

However, a new IP tag has been developed by encryption specialists to help in the fight against these crimes. Their work on FPGA-based crypto products highlighted the issue of design protection and was the catalyst for the new product. These technologists realized that cloned chips that included sensitive designs such as their Advanced Encryption Standard (AES) crypto cores might be copied, and the source of the security leakage would be untraceable.

The IP tag’s concept is to add an ownership tag to a design in such a way that unauthorized people cannot detect the presence of a tag or disable it. The tag takes the form of a small logic IP core that is added to the design and occupies an area of 200-300 slices (Xilinx Spartan-3). The IP includes several crypto techniques to prevent “reverse engineering” as well as other schemes designed to mask it from tampering. The tag includes one or more unique 64-bit codes. Tags are included at the design stage (regardless of whether the configuration file will be encrypted or not). The tag becomes part of the whole design and is downloaded into the device to form a marker that identifies the originator of the IP. The ingenuity comes from the method used to signal its presence. The sections below give an overview of how the IP tag operates and its advantages over RF and electrical signaling in monitoring system status.

The tag in operation

The tag works by modulating the power dissipation of the host device in a predefined way. Tiny thermal signals propagate through the chip package. The level of the power “surge” is selected to provide a package temperature rise of around 0.1 °C. As an example, the additional dissipation will be set to 5 mW for a device with a total consumption of 150 mW. The thermal transients are, therefore, well below the device self-heating, yet detectable in a reasonable time of around three minutes by sophisticated DSP techniques. The tag defaults to turn-off 15 minutes after power-on. This has two effects: First, it eliminates the small incremental power consumption; second, it complicates detection by an enemy because power has to be cycled.

This relatively simple method of signaling can be detected in a working system by semi-skilled workers. With surface-mounted packages, it is often difficult to make electrical connection to device pins for diagnostic purposes, but this is not required with the tag. No dedicated package pins or test points are needed, just access to the top of the device. Detection is achieved by applying a thermocouple onto the package and inputting the readings from the data logger into the Algotronix software, which is used to detect and identify the valid codes. Only authorized codes will be detected by the software, as illustrated in Figure 2, so outputs that the user is not validated to detect will remain hidden.

Figure 2: Only authorized codes will be detected by the Algotronix IP tag software, so that outputs that a user is not validated to detect will remain hidden.

There are different ways to narrow down and isolate the source of a cloned design. If every piece of equipment is shipped with tags that carry the same code (such as a “manufacturer’s watermark”), then detecting one of them from unauthorized equipment identifies the overall source. A refinement is to tag equipment shipped to different end users with their own identification codes to narrow the search down to the customer level. Ultimately every piece of equipment could carry its own unique code to give positive identification of the leak. This has the added benefit of doubling up as an electronic serial number and FPGA revision label.
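The detection step and the per-customer codes described above can be illustrated with a matched filter run over a simulated thermocouple log. This is an added example, not Algotronix's detection software: the article does not describe the modulation or the DSP, so the sketch assumes simple on/off heating with one bit every 3 s, a 10 Hz logger started at the beginning of the code, an instantaneous thermal response, a linear ambient drift, and constructed codes and customer names.

```python
import math
import random

# All values below are constructed for illustration; none come from DesignTag.
SAMPLES_PER_BIT = 30      # 10 Hz logger, 3 s per bit: 64 bits in 192 s
RISE_C = 0.1              # package temperature rise while the tag draws power
NOISE_C = 0.15            # assumed thermocouple noise (std dev), above the signal
THRESHOLD = 6.0           # detection threshold in noise standard deviations
CODES = {"customer_a": 0x3A5C96E1D2B4780F, "customer_b": 0x6F09C3B487E12D5A}

def template(code):
    """Expand a 64-bit code (MSB first) into one +1/-1 value per sample."""
    bits = [(code >> (63 - k)) & 1 for k in range(64)]
    return [1.0 if b else -1.0 for b in bits for _ in range(SAMPLES_PER_BIT)]

def simulate_trace(code=None, seed=1):
    """Lid temperature: 45 C baseline, 0.5 C linear drift, noise, optional tag."""
    rng = random.Random(seed)
    n = 64 * SAMPLES_PER_BIT
    heat = template(code) if code is not None else [-1.0] * n
    return [45.0 + 0.5 * i / n + RISE_C * (h + 1) / 2 + rng.gauss(0, NOISE_C)
            for i, h in enumerate(heat)]

def detrend(trace):
    """Remove the mean and the least-squares straight line (slow drift)."""
    n = len(trace)
    mid = (n - 1) / 2
    mean = sum(trace) / n
    slope = (sum((i - mid) * (x - mean) for i, x in enumerate(trace))
             / sum((i - mid) ** 2 for i in range(n)))
    return [x - mean - slope * (i - mid) for i, x in enumerate(trace)]

def score(trace, code):
    """Matched-filter output for one code, in units of noise std deviations."""
    y = detrend(trace)
    sigma = math.sqrt(sum(v * v for v in y) / len(y))
    corr = sum(a * b for a, b in zip(y, template(code)))
    return corr / (sigma * math.sqrt(len(y)))

def detect(trace, authorized):
    """Return the names of the authorized codes present in the trace."""
    return [name for name, code in authorized.items()
            if score(trace, code) > THRESHOLD]

if __name__ == "__main__":
    trace = simulate_trace(CODES["customer_a"], seed=7)
    print(detect(trace, CODES))                                # full code list
    print(detect(trace, {"customer_b": CODES["customer_b"]}))  # tag stays hidden
```

A verifier holding only `customer_b`'s code gets an empty result from the same trace, which is the property the article describes: a code the user is not validated to detect stays below the noise.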

Signaling system status using the tag

The technology has additional uses, because different codes in a multicoded tag can be assigned individual meanings. A different system status condition can be assigned to each code in the tag. For example, code #1 might signal the normal status, while code #2 could signify that an internal overflow has occurred in a mathematical section of the system, and code #3 flags that an internal status or error has been detected. This signaling does not interrupt normal operation and does not require access to device pins or even electrical connection. The detection of any one unique code from a device will identify the source of the design, so the initial objective of watermarking and tracking is still achieved.

Though RF tags and electrical signaling serve as traditional methods of signaling system status, the IP tag’s thermal approach provides more advantages. Electrical signaling using EMI or power rail techniques is affected by extraneous noise on the board and external sources such as radio waves. Electrical signaling has one further major drawback because it is not acceptable for high-security systems. This is because attackers gain knowledge of the system performance by so-called “side attacks.” The tag avoids this.

Not only that, interrogating the device via the JTAG port requires dedicated pins. RF tags require inductors and antennas that are conspicuous and incompatible with FPGA implementations. All of these methods would be quicker than thermal signaling and could potentially be detected without needing access to the package lid. However, experimentation showed that the disadvantages of thermal signaling were more than offset by the benefits of a test that requires the use of simple low-cost detection equipment by semi-skilled operators.

IP tags address FPGA counterfeit designs

DesignTag has been developed by Algotronix Ltd., an encryption specialist based in Edinburgh, and the tag has been recognized in the UK by both the Institution of Engineering and Technology (IET) and National Microelectronics Institute (NMI) as groundbreaking technology. These IP tags address FPGA counterfeit designs from a new direction and supplement existing safeguards and processes. The low-cost tag is difficult for an attacker to find and disable, and yet it is easy to identify by authorized users who need no knowledge about the function of the device under test. Its system signaling capabilities also surpass those of RF tags and electrical signaling.

Paul Dillien is founder of the high-technology marketing consultancy company High Tech Marketing. He has worked in the semiconductor industry for more than 30 years, including fulfilling various sales and marketing roles working for Xilinx, Plessey, and Ferranti. He can be contacted at paul@high-tech-marketing.co.uk.

High Tech Marketing +44-7786-234904 www.high-tech-marketing.co.uk




©MMIX VME and Critical Systems. An OpenSystems Media, LLC publication.