Spying on Your FPGA Neighbors

Amazon, Baidu, Microsoft, and other cloud providers now allow one to rent FPGAs and use them to implement powerful and efficient custom architectures for machine learning, video transcoding, encryption, networking, and other high-throughput computations. Those FPGAs are large and quite expensive, which raises the natural question: can we virtualize the FPGA across multiple users and maximize its usage? And more importantly, what are the security implications of two tenants sharing the same physical FPGA device?

In our DAC 2021 paper “Classifying Computations on Multi-Tenant FPGA”, we show that a co-tenant can implement a relatively simple circuit, a time-to-digital converter (TDC), on one part of the FPGA and use it to determine the types of computation occurring on another part of the FPGA. The TDC measures small changes in how a signal propagates through a carry chain. If the co-tenant computation is using a lot of power, this creates a side channel via the power supply rail that will slow down the propagation of the signal in the carry chain. We show that this subtle information can be used to

This includes determining if there is another co-tenant, if that co-tenant is performing encryption, whether the co-tenant is utilizing a soft processor, and other questions that violate the confidentiality of the co-tenant. This is a necessary precursor for performing attacks in a virtualized FPGA environment, where an attacker must identify a co-located core before performing an attack, or for defending against them, where a provider recognizes malicious cores and terminates service.
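The following toy Python model illustrates the measurement principle described above. It is an added example, not code or data from the paper: the chain length, delays, droop values, workload names and the nearest-centroid classifier are all constructed assumptions.

```python
import math

# Constructed constants (assumptions for illustration, not measured values).
STAGES = 64         # taps sampled along the carry chain
WINDOW_PS = 1000.0  # time the edge is allowed to travel before sampling
STAGE_PS = 20.0     # per-stage delay at nominal supply voltage
PS_PER_MV = 0.05    # extra per-stage delay for each mV of supply droop

def tdc_sample(droop_mv):
    """Thermometer code: 1 for every tap the edge reached within the window."""
    stage_ps = STAGE_PS + PS_PER_MV * droop_mv
    reached = min(STAGES, int(WINDOW_PS // stage_ps))
    return [1] * reached + [0] * (STAGES - reached)

def trace(droop_profile):
    """One TDC count (popcount of the thermometer code) per time step."""
    return [sum(tdc_sample(d)) for d in droop_profile]

def features(counts):
    """Mean depth and peak-to-peak swing of a trace."""
    return (sum(counts) / len(counts), max(counts) - min(counts))

# Constructed droop profiles (mV) standing in for co-tenant activity.
PROFILES = {
    "idle": [0.0] * 32,
    "steady_load": [40.0] * 32,
    "bursty_load": [0.0 if (t // 4) % 2 == 0 else 40.0 for t in range(32)],
}

def centroids():
    """Reference feature vector for each labelled profile."""
    return {name: features(trace(p)) for name, p in PROFILES.items()}

def classify(counts, cents):
    """Label a trace by its nearest reference feature vector."""
    f = features(counts)
    return min(cents, key=lambda name: math.dist(f, cents[name]))

if __name__ == "__main__":
    cents = centroids()
    for name, c in cents.items():
        print(f"{name:12s} mean={c[0]:.1f} swing={c[1]}")
    # Unseen trace: a constant 36 mV droop still lands on the steady-load class.
    print(classify(trace([36.0] * 32), cents))
```

Higher power draw lowers the count because the edge covers fewer taps in the same window, and the shape of the count over time is what separates one kind of activity from another.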

The work was a broad collaboration across several universities. It was led by Dustin Richmond (UW post-doc) and includes Mustafa Gobulukoglu (UCSD BS/MS now at Northrop Grumman), Colin Drewes (UCSD BS/MS), and Bill Hunter (Georgia Tech Research Institute).