EUROPE

MUNICH, GERMANY DECEMBER 6 - 7, 2022

## A Reconfigurable Interface Architecture to Protect System IP

Dr. Arshad Riazuddin and Dr. Shoab A. Khan Center for Advanced Research in Engineering



# Problem

- Information leakage through physical interface
- Such an attack can be intelligent or brute force
- This information can be used to decipher the Intellectual Property (IP) of the system
- How to solve this problem?





# Example System







# **Proposed Solution**

- How do we protect IP of a system?
  - Make the interconnect behavior change over time
- An "on the fly" reconfigurable interface
- The architecture allows
  - Change of interface architecture
  - Interface can be changed at a variable rate
- Supports Standards and Proprietary Interfaces
- Independent of any ASIC/FPGA architecture





# System with Reconfigurable Interface (RI)







# Reconfigurable Interface Architecture

- Reconfigurable Interface
  - Programmable Sequencer
  - R/T Data Module

SYSTEMS INITIATIVE

• Variable Interface Change







# Sequencer Architecture

- Sequencer consists of
  - Controller
  - Program Memory
  - Timer
  - Interface Registers





# Sequencer OPCODES

| Opcode                            | Description                                                                                |
|-----------------------------------|--------------------------------------------------------------------------------------------|
| No Operation (NOP)                | No Operation                                                                               |
| Sample Flag (SAMPF)               | Wait for an input flag to be equal to a particular value, before going to next instruction |
| Compare Flag<br>(CMPF)            | Compare the flag, before going to next instruction                                         |
| Jump<br>Unconditionally<br>(JUMP) | Jump unconditionally to the address specified in the control word                          |
| Jump Conditionally<br>(JUMPC)     | Jump conditionally to the address specified in the control word                            |





# Sequencer Control Word

| Bits  | Description                                                                               |
|-------|-------------------------------------------------------------------------------------------|
| 31:29 | Opcode                                                                                    |
| 28:21 | Jump address used in jump instruction                                                     |
| 20:0  | Wait for conditional flags which are used to move to the next instruction in the sequence |





# Description of Flags in Sequencer

#### Direction of Flag Flag Bit Description F20 **Receiver Shift Enable** Input F19 Sequencer Busy Output F18 Output Interrupt Request F17 Output Load Timer F16 Input Clock Pulse Clock Generator Enable F15 Output F14 Transmitter Enable Output F13 **Receiver Enable** Output F12 **Terminal Counter Timer** Input F11 Transmitter Shift Done Input F10 **Receiver Shift Done** Input Transmitter Shift Enable F09 Input F08 Output Serial Data Output Enable F07 Output Serial Data Input Enable F06 Output Serial Clock Output Enable Serial Chip Select F05 Output Transmitter Shift Register Empty/Receiver Shift Register Full F04 Input Valid Start Bit F03 Input F02 Output Interface Select Bit 2 F01 Output Interface Select Bit 1 Interface Select Bit 0 F00 Output







## Timer







# Program Memory







## Interface Registers







# R/T Data Module







# Variable Interface Change

- Sequencer allows us to encode different interfaces
- How to hop between the various interfaces
  - To protect IP disclosure through hardware snooping
- A mechanism has been developed
  - Variable Interface Change
- Mechanism allows





# Variable Interface Change (2)







# LFSR Transaction Word

| Bits  | Description                                                                                                                                                      |
|-------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 63:56 | RI Bus interface code                                                                                                                                            |
| 55:53 | Reserved                                                                                                                                                         |
| 52:32 | Programmable I/F Parameters                                                                                                                                      |
| 31:24 | Frame generation frequency. The frequency of the frame generation, e.g. for ASP. The frame generation depends on the word width of the interface.                |
| 23:8  | RI interface frequency. The frequency at which the RI interface is running. It is some multiple of the clock frequency at which the entire RI module is running. |
| 7:0   | Delay between back to back transaction                                                                                                                           |





#### SPI Write Code Flow



Start Pulse comes from the interface registers. This makes the sequencer address go to the start of the SPI microcode routine.

Wait for Clock Pulse from clock generator in order to align the control and data signals properly with the SPI clock.

Address & Data Phase of SPI

Send out the address location over the SPI data bus, followed by the data. When all the data bits have been shifted out this phase is done. The size of this field is programmable through the interface registers.





## SPI Write Micro-Code

|                                                       | Mem.<br>Addr. | Opcode | Jump<br>Addr. |   |             |             |   |   |             |             |                                    |                   | FLA               | GS                  |   |   |             |             |             |                         |                         |       |                      |
|-------------------------------------------------------|---------------|--------|---------------|---|-------------|-------------|---|---|-------------|-------------|------------------------------------|-------------------|-------------------|---------------------|---|---|-------------|-------------|-------------|-------------------------|-------------------------|-------|----------------------|
|                                                       |               |        |               | 2 | F<br>1<br>9 | F<br>1<br>8 | 1 | 1 | F<br>1<br>5 | F<br>1<br>4 | F   I<br>1   <sup>-</sup><br>3   2 | = F<br>1 1<br>2 1 | = F<br>  ^<br>  ( | F   F<br>  0<br>  9 |   |   | F<br>0<br>6 | F<br>0<br>5 | F<br>0<br>4 | F    <br>0   0<br>3   2 | F   F<br>D   0<br>2   1 | F F 0 |                      |
| Start of routine                                      | 0x90          | NOP    | 0x0           | 0 | 1           | 0           | 0 | 0 | 0           | 0           | 0 (                                | ) (               | ) (               | ) ()                | 0 | 1 | 0           | 0           | 0           | 0 (                     | ) 1                     | 1     | ► SPI Interface Code |
| Wait and Compare for Clock Pulse                      | 0x91          | CMPF   | 0x0           | 0 | 1           | 0           | 0 | 1 | 1           | 0           | 0 (                                | ) (               | ) (               | ) 0                 | 1 | 1 | 0           | 0           | 0           | 0 (                     | ) 1                     | 1     |                      |
| Wait and Compare for Transmit Shift Register Done     | 0x92          | CMPF   | 0x0           | 0 | 1           | 0           | 0 | 0 | 1           | 1           | 0 0                                | ) 1               | (                 | ) 0                 | 1 | 1 | 0           | 1           | 0           | 0 0                     | ) 1                     | 1     |                      |
| Jump to address0x0 and wait for trigger of next cycle | 0x93          | JUMP   | 0x0           | 0 | 1           | 1           | 0 | 0 | 1           | 0           | 1 (                                | ) (               | ) (               | 0 0                 | 1 | 1 | 0           | 1           | 0           | 0 0                     | ) 1                     | 1     |                      |



## SPI Write Cycle







## SPI Read Code Flow



Start Pulse comes from the interface registers. This makes the sequencer address go to the start of the SPI microcode routine

Wait for Clock Pulse from clock generator in order to align the control and data signals properly with the SPI clock.

> Address Phase of SPI Send out the address location over the SPI data bus. When all the data bits have been shifted out this phase is done. The size of this field is programmable through the interface registers.

Read Data Phase of SPI Receive the data from the SPI

Receive the data from the SPI slave. Once the Receive shift register is full from the requested data this phase is done. The size of this field is programmable through the interface registers.





## SPI Read Micro-Code

|                                                       | Mem.<br>Addr. | Opcode | Jump<br>Addr. |   |   |   |        |                |                |   |   | FI | LAG    | s |        |        |   |   |   |            |   |   |                      |
|-------------------------------------------------------|---------------|--------|---------------|---|---|---|--------|----------------|----------------|---|---|----|--------|---|--------|--------|---|---|---|------------|---|---|----------------------|
|                                                       |               |        |               | F | F | F | F      | FF             | F              | F | F | F  | F      | F | F      | F      | F | F | F | FF         | F | F |                      |
|                                                       |               |        |               | 2 | 9 | 1 | 1<br>7 | 1   1<br>6   4 | 1   1<br>5   4 | 1 |   |    | 1<br>0 |   | 0<br>8 | 0<br>7 |   | 5 | 0 | 0 0<br>3 2 | - | 0 |                      |
| Start of routine                                      | 0xC0          | NOP    | 0x0           | 0 | 1 | 0 |        |                |                | 0 | - | 0  |        |   |        |        | 0 | 0 | 0 | 0 O        | 1 | 1 | ► SPI Interface Code |
| Wait and Compare for Clock Pulse                      | 0xC1          | CMPF   | 0x0           | 0 | 1 | 0 | 0      | 1              | 1 0            | 0 | 0 | 0  | 0      | 0 | 1      | 1      | 0 | 0 | 0 | 0 0        | 1 | 1 |                      |
| Wait and Compare for Transmit Shift Register Done     | 0xC2          | CMPF   | 0x0           | 0 | 1 | 0 | 0      | 0              | 1 1            | 0 | 0 | 1  | 0      | 0 | 1      | 1      | 0 | 1 | 0 | 0 0        | 1 | 1 |                      |
| Wait and Compare for Receive Shift Register Done      | 0xC3          | CMPF   | 0x0           | 0 | 1 | 0 | 0      | 0              | 1 0            | 1 | 0 | 0  | 1      | 0 | 1      | 1      | 0 | 1 | 0 | 0 C        | 1 | 1 |                      |
| Wait and Compare for Clock Pulse                      | 0xC4          | CMPF   | 0x0           | 0 | 1 | 0 | 0      | 1              | 1 0            | 0 | 0 | 0  | 0      | 0 | 1      | 1      | 1 | 1 | 0 | 0 0        | 1 | 1 |                      |
| Jump to address0x0 and wait for trigger of next cycle | 0xC5          | JUMP   | 0x0           | 0 | 1 | 1 | 0      | 0 0            | 0 C            | 0 | 0 | 0  | 0      | 0 | 1      | 1      | 1 | 0 | 0 | 0 0        | 1 | 1 |                      |





SPI Read Cycle







# UART Transmitter Code Flow







#### UART Transmitter Micro Code







## UART Transmitter

| 이 것은 것은 것은 것은 것은 것은 것을 가지 않는 것이 같이 많이 있는 것을 같이 가지 않는 것을 가지 않는 것이 있다. 이 나는 것이 같이 나는 것이 같이 있는 것이 없다. |                |      |                                         |    | 1 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |  |
|----------------------------------------------------------------------------------------------------|----------------|------|-----------------------------------------|----|---|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--|
|                                                                                                    | )1CMP1<br>)163 | цефи | 1 C C C C C C C C C C C C C C C C C C C |    |   | and the second se |  |
|                                                                                                    |                |      |                                         | 11 |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |  |





## Combination SPI and ASP

| {Chip Pins}     |         |         | []     | []     | []     | []       |        |         | [] | <b>[</b> |
|-----------------|---------|---------|--------|--------|--------|----------|--------|---------|----|----------|
|                 | +       |         |        |        |        |          | · ·    |         | [] |          |
| spi_ськ         | ากกกกกก | nnnnnnn |        |        |        |          |        |         | 1  |          |
|                 |         |         |        |        |        |          |        | · · · · |    | <u> </u> |
|                 |         |         |        |        |        |          |        |         |    | <b></b>  |
| SPI_SOMI        |         |         |        |        |        |          | ·      | ·       |    | [        |
| UART_RX         |         |         |        |        |        |          | ·      |         | 1  | [        |
| UART_TX         |         |         |        |        |        |          | ·      |         | 1  | [        |
|                 | †       |         |        |        |        |          |        |         |    | Ĺ        |
|                 | †       |         | huuuuu | innunu | innnnn | linnnnnn | innnnn | innnnn  |    | huu      |
| ASP_DATAI       | †       |         |        |        |        |          |        |         |    | <u> </u> |
|                 | †       |         |        |        |        | ·        |        |         |    |          |
| disp_opcodeCMPI |         | t       |        |        |        | (см      | Pl     |         |    |          |
| ram_addr_inc    |         | , t     |        |        |        |          |        |         |    |          |
|                 |         |         |        |        |        |          |        |         |    |          |





## Conclusion

- A novel on the fly reconfigurable interface was presented
  - Which can be used to guard against IP leakage through eavesdropping on physical connections in a system or integrated circuit
- A second contribution of our concept is that the reconfiguration is independent of any underlying FPGA technologies





## Questions

• Any Questions?



