MaliGNNoma: GNN-Based Malicious Circuit Classifier for Secure Cloud FPGAs

TL;DR

MaliGNNoma tackles the security of cloud FPGAs by detecting malicious netlist configurations before bitstream generation using graph neural networks on netlists converted to data-flow graphs. It demonstrates that GNNs (GCN/GIN) with a parameterized explainer (PGExplainer) can achieve state-of-the-art accuracy ($98.24\%$) and provide subgraph-level localization of malicious components, improving transparency for designers. The approach aligns with the cloud service provider workflow by operating on netlists rather than bitstreams and delivers an open-source dataset and codebase. The practical impact is a scalable, explainable first-line defense in multi-tenant FPGA deployments, reducing the risk of fault-injection and related attacks in secure cloud environments.

Abstract

The security of cloud field-programmable gate arrays (FPGAs) faces challenges from untrusted users attempting fault and side-channel attacks through malicious circuit configurations. Fault injection attacks can result in denial of service, disrupting functionality or leaking secret information. This threat is further amplified in multi-tenancy scenarios. Detecting such threats before loading onto the FPGA is crucial, but existing methods face difficulty identifying sophisticated attacks. We present MaliGNNoma, a machine learning-based solution that accurately identifies malicious FPGA configurations. Serving as a netlist scanning mechanism, it can be employed by cloud service providers as an initial security layer within a necessary multi-tiered security system. By leveraging the inherent graph representation of FPGA netlists, MaliGNNoma employs a graph neural network (GNN) to learn distinctive malicious features, surpassing current approaches. To enhance transparency, MaliGNNoma utilizes a parameterized explainer for the GNN, labeling the FPGA configuration and pinpointing the sub-circuit responsible for the malicious classification. Through extensive experimentation on the ZCU102 board with a Xilinx UltraScale+ FPGA, we validate the effectiveness of MaliGNNoma in detecting malicious configurations, including sophisticated attacks, such as those based on benign modules, like cryptography accelerators. MaliGNNoma achieves a classification accuracy and precision of 98.24% and 97.88%, respectively, surpassing state-of-the-art. We compare MaliGNNoma with five state-of-the-art scanning methods, revealing that not all attack vectors detected by MaliGNNoma are recognized by existing solutions, further emphasizing its effectiveness. Additionally, we make MaliGNNoma and its associated dataset publicly available.

Figures (7)

• Figure 1: Cloud FPGA with shared resources and open attack vectors. The threat model involves either a malicious user utilizing the entire FPGA or a malicious third-party IP provider, or in the context of multi-tenancy, a malicious co-tenant. Assuming the cloud provider is trustworthy, malicious entities can manipulate their designs intentionally, leading to fault-injection attacks.
• Figure 2: High-level view of our work: Identifying malicious FPGA configurations at the netlist-level using graph neural networks (GNNs).
• Figure 3: Multi-tiered defense system for securing cloud FPGAs. Defense mechanisms, highlighted in green, include netlist checking, access control, physical isolation, and runtime monitoring implemented by the CSP. Users can further enhance security with design-level defenses such as masking and active measures.
• Figure 4: Proposed MaliGNNoma methodology: Synthesized netlists are transformed into DFGs for training a GNN to separate malicious and benign samples. A GNN explanation tool identifies nodes contributing to malicious classification.
• Figure 5: 1 Example of malicious full-adder with a MUX-based RO connected to its input. 2 The DFG of a benign full-adder without the MUX-based RO. 3 The DFG with the MUX-based RO included. 3 Also illustrates the output of the GNN explainer, highlighting the malicious nodes in the DFG, which correspond to the MUX-based RO.