An FPGA-Based Open-Source Hardware-Software Framework for Side-Channel Security Research
Davide Zoni, Andrea Galimberti, Davide Galli
TL;DR
This paper addresses the vulnerability of IoT-class platforms to side-channel analysis (SCA) by introducing JARVIS, an open-source FPGA-based hardware-software framework that combines a RISC-V IoT-style SoC with a dedicated debug subsystem, a DFS-based clock randomization feature, a TRNG, and FreeRTOS support to enable comprehensive research on SCA attacks and countermeasures. The framework supports an end-to-end flow from configuring the SoC and compiling target applications to simulating and prototyping on FPGA, collecting synchronized switching and power traces, and applying state-of-the-art SCA techniques (CPA, template, CNN) to locate leakage sources and evaluate defenses. Through an experimental evaluation on an Artix-7 CW305 board with AES-128, the authors demonstrate the effectiveness of countermeasures such as clock frequency randomization and chaff, show that morphing is vulnerable under certain attacks, and illustrate the open-source framework’s ability to benchmark diverse attacks and defenses. The work aims to accelerate SCA research by providing a complete, configurable, and observable platform, fostering adoption and enabling researchers to focus on developing and comparing countermeasures with minimal hardware setup overhead.
Abstract
Attacks based on side-channel analysis (SCA) pose a severe security threat to modern computing platforms, further exacerbated on IoT devices by their pervasiveness and handling of private and critical data. Designing SCA-resistant computing platforms requires a significant additional effort in the early stages of the IoT devices' life cycle, which is severely constrained by strict time-to-market deadlines and tight budgets. This manuscript introduces a hardware-software framework meant for SCA research on FPGA targets. It delivers an IoT-class system-on-chip (SoC) that includes a RISC-V CPU, provides observability and controllability through an ad-hoc debug infrastructure to facilitate SCA attacks and evaluate the platform's security, and streamlines the deployment of SCA countermeasures through dedicated hardware and software features such as a DFS actuator and FreeRTOS support. The open-source release of the framework includes the SoC, the scripts to configure the computing platform, compile a target application, and assess the SCA security, as well as a suite of state-of-the-art attacks and countermeasures. The goal is to foster its adoption and novel developments in the field, empowering designers and researchers to focus on studying SCA countermeasures and attacks while relying on a sound and stable hardware-software platform as the foundation for their research.
