ReCoFused partial reconfiguration for secure moving-target countermeasures on FPGAs

Abstract

Partial reconfiguration is a versatile technique to modify the functionality of field programmable gate arrays (FPGAs) at run time. When performing partial reconfiguration a dedicated intellectual property (IP) component of the FPGA vendor, i.e., the partial reconfiguration controller (PRC), among a wide range of IP components has to be used. While ensuring the functional safety of FPGA designs is well understood, ensuring hardware security still remains challenging. This applies in particular to reconfiguration-based countermeasures which are intensively used to create a moving target for an attacker. Reconfiguration-based countermeasures against side-channel attacks or differential power analysis (DPA) attacks were implemented. However, from the system security perspective, the above mentioned PRC is a critical component as was noticed by many papers before. In this work, we extend a previously proposed safety mechanism which creates a container around an IP, to encapsulate and thereby to protect and observe the PRC of a FPGA. The proposed encapsulation scheme results in an architecture comprising so-called ReCoFuses (RCFs), each capturing a specific protective goal which have to be fulfilled at any time during PRC operation. The terminology follows the classical electric installation including a fuse box. In our scheme we employ formal verification to guarantee the correctness in detecting a security violation. Only after successful verification, the RCFs are integrated into the ReCoFuse Container. Experimental results demonstrate the advantage of our approach by preventing attacks on the PRC of a system secured by partial reconfiguration.