FLARE: Fault Attack Leveraging Address Reconfiguration Exploits in Multi-Tenant FPGAs

Jayeeta Chaudhuri, Hassan Nassar, Dennis R. E. Gnad, Jörg Henkel, Mehdi B. Tahoori, Krishnendu Chakrabarty

TL;DR

FLARE exposes a critical risk in multi-tenant FPGAs by targeting the partial reconfiguration process rather than runtime behavior. It injects faults into the bitstream's configuration address ('select' field) during reconfiguration using precisely timed power-wasters, redirecting bitstreams to incorrect PRRs and enabling DoS or faulty computation across tenants. The approach is demonstrated on a Xilinx Pynq-Z1 with two case studies (Adder and AES), showing rapid, multi-tenant disruption and evasion of CRC-based detection, outperforming prior runtime fault attacks in both speed and stealth. The work highlights a practical vulnerability in reconfiguration managers (RMs) and motivates enhanced protections for the RM and partial reconfiguration flows in cloud FPGA environments.

Abstract

Modern FPGAs are increasingly supporting multi-tenancy to enable dynamic reconfiguration of user modules. While multi-tenant FPGAs improve utilization and flexibility, this paradigm introduces critical security threats. In this paper, we present FLARE, a fault attack that exploits vulnerabilities in the partial reconfiguration process, specifically while a user bitstream is being uploaded to the FPGA by a reconfiguration manager. Unlike traditional fault attacks that operate during module runtime, FLARE injects faults in the bitstream during its reconfiguration, altering the configuration address and redirecting it to unintended partial reconfigurable regions (PRRs). This enables the overwriting of pre-configured co-tenant modules, disrupting their functionality. FLARE leverages power-wasters that activate briefly during the reconfiguration process, making the attack stealthy and more challenging to detect with existing countermeasures. Experimental results on a Xilinx Pynq FPGA demonstrate the effectiveness of FLARE in compromising multiple user bitstreams during the reconfiguration process.

Paper Structure

This paper contains 18 sections, 7 figures, 3 tables.

Figures (7)

  • Figure 1: Proposed attack setup of FLARE (Adder$_0$: benign module configured in address PRR-tenant$_2$. Due to fault-injection, a user bitstream is redirected to PRR-tenant$_2$ instead of its intended address PRR-tenant$_1$).
  • Figure 2: Structure of a Xilinx partial bitstream (the target region for attack is highlighted in red).
  • Figure 3: Pseudocode for partial reconfiguration of bitstreams on the FPGA via CoRQ.
  • Figure 4: Floorplan of the attack setup incorporating adder modules on Pynq-Z1 FPGA (PE: Priority encoder).
  • Figure 5: Distribution of the number of fails in the adder modules for (a) RO and (b) Self-clocked RO (PE 1 and PE 2 refer to priority encoders $p_1$ and $p_2$, respectively).
  • ...and 2 more figures