Title of the paper: PowerScout: A Security-Oriented Power Delivery Network Modeling Framework for Cross-Domain Side-Channel Analysis
The paper is available at: https://ieeexplore.ieee.org/document/9358263
Abstract
The growing complexity of modern electronic systems often leads to the design of more sophisticated power delivery networks (PDNs). Similar to other system-level shared resources, the on-board PDN unintentionally introduces side channels across design layers and voltage domains, despite the fact that PDNs are not part of the functional design. Recent work has demonstrated that exploitation of the side channel can compromise system security (i.e., information leakage and fault injection). In this work, we systematically investigate the PDN-based side channel as well as the countermeasures. To facilitate our goal, we develop PowerScout, a security-oriented PDN simulation framework that unifies the modeling of different PDN-based side-channel attacks. PowerScout performs fast nodal analysis of complex PDNs at the system level to quantitatively evaluate the severity of side-channel vulnerabilities. With the support of PowerScout, for the first time, we validate PDN side-channel attacks in the literature through simulation results. Further, we are able to quantitatively measure the security impact of PDN parameters and configurations. For example, towards information leakage, removing near-chip capacitors can increase intra-chip information leakage by a maximum of 23.23dB at mid-frequency and inter-chip leakage by an average of 31.68dB at mid- and high-frequencies. Similarly, the optimal toggling frequency and duty cycle are derived to achieve fault injection attacks with a higher success rate and more precise control.
Introduction
Modern electronic systems are becoming increasingly complex, and the PDNs inside them are growing correspondingly sophisticated in order to supply multiple voltage domains and satisfy their distinct requirements.
Nonetheless, as a shared resource, PDNs create many pathways for unintended interactions and expose a system to various side-channel attacks.
Remote side-channel and fault injection attacks
Recent works have shown that many such vulnerabilities can be exploited remotely, making them especially potent security threats to modern electronic devices with ubiquitous connectivity.
For example, in information leakage attacks, hackers can implement malicious voltmeters on FPGAs to steal sensitive information without physical access to the target systems.
The PDN-based side channel can also be used to induce supply glitches (e.g., by implementing a power virus) in victim modules, enabling DoS attacks or differential fault analysis (DFA) on cloud FPGAs.
Previous work and the goal of this work
PDN modeling and simulation tools have been widely investigated mainly to estimate PDN characteristics. Existing tools tend to focus on the trade-off among performance, efficiency, and supply noise. They lack essential capabilities to perform specific side-channel vulnerability analysis.
In this work, we propose PowerScout—a unified PDN modeling framework that is able to perform thorough side-channel vulnerability analysis by simulating a complete PDN system across multiple design layers (i.e., chip, package, board) and voltage domains.
Background
Power Delivery Network
A Power Delivery Network (PDN) contains board-level voltage regulator modules (VRMs), interconnects from the VRMs to the pads on the chip, on-chip power grids that distribute power locally on the die, and decoupling capacitors along the various stages of the PDN.
In a system, there are many devices with different voltage supply and power distribution requirements, hence multiple voltage domains are created, each with its own VRMs to drive local supply voltages.
These VRMs form a tree structure where upper nodes have higher voltages. Between the hierarchical VRMs and chips is the board-level passive distribution network containing PCB wire lines, PCB planes, and board-level decoupling capacitors. Via the package-level sockets, pins, and C4 pads, power is supplied to the microelectronic chip, where a multi-layer metal mesh forms the power grid that locally delivers power to each module inside the chip. Decoupling capacitors are implemented on both the package and die to further mitigate supply noise.
PDN-Based Side-Channel Attacks
Information leakage exploits the deterministic relationship between the switching activities of digital circuits and their dynamic currents. The induced supply voltage fluctuations can further propagate to other modules connected to the same PDN.
Recent works suggest implementing malicious on-chip voltmeters, such as ring oscillators (ROs) [5] or time-to-digital converters (TDCs) [6], [7], to perform remote side-channel analysis in multi-tenant FPGAs. Similarly, the PDNs can also be used as a medium for covert channel communications. The attackers may implement dedicated oscillating cells (e.g., LFSR [14]) as transmitters to generate information-modulated currents. The receivers can be modules that are sensitive to supply voltages.
Security-Oriented PDN Modeling
PowerScout Framework
In PowerScout, the induced voltage fluctuation v(t) is computed by invoking the SPICE-level simulator, which performs numerical nodal analysis that can be expressed in a simplified form as:
where i(t) is the current consumption of the module and A, B, and C are the state-space matrices of the PDN.
Equivalently, in the frequency domain, F^{-1} denotes the inverse Fourier operator, and Z(f) and I(f) are the spectra of the PDN impedance and of the current consumption, respectively.
PDN Model Construction
Passive RLC Network Model:
The board-level supply wireline is modeled as an inductor and a resistor, whose parameters depend on its length, width, and metal material characteristics.
The PCB planes use the planar model with lumped capacitor and resistor, since the distributed effect is minimal at this scale.
For the board-level capacitors, we model the frequency response of each capacitor individually. Because of its parasitic series resistance and inductance, a single real capacitor behaves as a band-pass filter rather than the ideal low-pass filter of a pure capacitance.
For the chip-level PDN, we use the widely accepted package and die models [13]. The package is modeled as an RLC network, and the C4 bumps are modeled as parallel RL pairs that connect the grid to the package.
The on-chip grid (i.e., the die model) is represented as an RL network.
The on-chip capacitance is evenly distributed between the VDD and GND grids.
Higher capacitance lowers Z(f), while higher resistance and inductance raise it (see the equation above).
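A toy lumped RLC PDN written for these notes, as an added example (not PowerScout's code, and the component values are constructed rather than taken from its Table I): it builds Z(f) from a board wireline, a near-chip capacitor with ESR/ESL, the C4 bump inductance and the on-die capacitance, reports the information strength |Z(f)| in dB with and without the near-chip capacitor, and recovers v(t) from the current spectrum as v(t) = F^{-1}{Z(f)·I(f)}, which is the reading of the framework section's symbols assumed here since the equation itself is not reproduced above.

```python
import cmath, math
# Constructed toy PDN (assumed values, not PowerScout's Table I): board wireline
# (R + L) from the VRM, an optional near-chip decoupling capacitor with its own
# ESR/ESL (so band-pass, as the text notes), C4 bump inductance, on-die capacitance.
R_WIRE, L_WIRE = 10e-3, 10e-9                      # ohm, henry
C_NEAR, ESR_NEAR, ESL_NEAR = 100e-9, 20e-3, 0.5e-9
L_BUMP = 50e-12                                    # all C4 bumps in parallel
C_DIE = 1e-9

def par(a, b):
    """Two impedances in parallel."""
    return a * b / (a + b)

def z_capacitor(f, c, esr, esl):
    """Real capacitor: ESR + jwESL + 1/(jwC); minimum at its series resonance."""
    w = 2 * math.pi * f
    return esr + 1j * w * esl + 1 / (1j * w * c)

def z_pdn(f, near_cap=True):
    """Impedance Z(f), f > 0 Hz, seen by a current source on the die."""
    w = 2 * math.pi * f
    z_board = R_WIRE + 1j * w * L_WIRE
    if near_cap:
        z_board = par(z_board, z_capacitor(f, C_NEAR, ESR_NEAR, ESL_NEAR))
    return par(z_board + 1j * w * L_BUMP, 1 / (1j * w * C_DIE))

def info_strength_db(f, near_cap=True):
    """Voltage amplitude per unit source current, i.e. |Z(f)| in dB re 1 ohm."""
    return 20 * math.log10(abs(z_pdn(f, near_cap)))

def removal_gain_db(f):
    """Extra leakage (dB) at f when the near-chip capacitor is removed."""
    return info_strength_db(f, False) - info_strength_db(f, True)

def voltage_fluctuation(current, fs, near_cap=True):
    """v(t) = F^-1{Z(f) I(f)} over one period of current samples (plain DFT)."""
    n = len(current)
    spec = []
    for k in range(n):
        ik = sum(current[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        if k == 0:
            zk = R_WIRE                   # DC: capacitors open, inductors short
        elif k <= n // 2:
            zk = z_pdn(k * fs / n, near_cap)
        else:                             # negative-frequency bins: Z(-f) = conj Z(f)
            zk = z_pdn((n - k) * fs / n, near_cap).conjugate()
        spec.append(zk * ik)
    return [sum(spec[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)).real / n
            for t in range(n)]
```

With these constructed values the near-chip capacitor lowers Z(f) strongly in the tens-of-MHz band but barely changes it at 1 GHz, where the C4 inductance and on-die capacitance dominate, which matches the qualitative picture in the results section.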
Active Voltage Regulator Model:
In previous works and industrial models, VRMs are typically modeled as a fixed voltage source or a fixed voltage regulator connected in series with an equivalent inductor, capacitor, and resistor. This kind of model is not suitable for security-oriented PDN modeling, since it ignores the interactions between different voltage domains. In PowerScout, we model the bi-directional interactions of different VRM topologies, including low-dropout regulators (LDOs), buck converters, and switched-capacitor converters.
Information Leakage Attack Evaluation
PowerScout Configuration
The parameters of the PCB, package, and die model are listed in Table I.
The authors record power traces from both intra- and inter-chip observation points and perform CPA attacks.
The information strength is defined as the amplitude of the voltage fluctuations induced by the unit information source current.
Note that noise is not included in the general analysis since we focus on the worst case for the defender side.
The information leakage attack prediction is validated by comparing the prediction results with real-world experiments from prior work [6], [7]:
As the number of power traces increases, the correlation coefficient of the correct key guess becomes distinguishable from those of the other guesses. After multiple tests, we find that removing the capacitors near the FPGAs can significantly reduce the number of traces needed.
PowerScout Results and Discussion
Near-Chip Capacitors:
The values of board-level capacitors cover a wide range and can be split into two groups: distant large capacitors and near-chip small capacitors. As mentioned before, removing the near-chip capacitors can significantly increase the information leakage.
Figure 4 enables comparison of the information strengths of the two PDN configurations. The upper part shows the changes in intra-chip information leakage, where the information strength at mid-frequency increases by as much as 23.23dB when near-chip capacitors are removed. From Equation 2, this removal increases the induced voltage fluctuation for a given information source, and thus increases the information leakage at this frequency. However, due to the C4 bump parasitic inductance, near-chip capacitors have relatively small effects at high frequency.
For inter-chip information leakage, as shown in Figure 4 (b), removing the near-chip capacitors significantly increases the information strength at both mid and high frequencies, by an average of 31.68dB. Thus, near-chip capacitors play an important role in information leakage, although they account for only a minor portion of the gross capacitance.
By considering the effects of both distributed on-board capacitors and the on-chip power grid, PowerScout achieves high accuracy and fidelity in its simulation of the PDN subsystem.
Lumped element: The physical size of the element is negligibly small when compared to the wavelength of the electromagnetic wave propagation.
Distributed element: The physical size of the element is comparable to the wavelength of the electromagnetic wave propagation.