Reading between the dies: cross-SLR covert channels on multi-tenant cloud FPGAs

Field-Programmable Gate Arrays (FPGAs) are becoming increasingly available via commercial cloud providers, which currently allocate devices on a per-user basis. As the underlying hardware is often underutilized, several proposals for multi-tenant use of FPGA resources have been brought forth, along with some initial work on security attacks in this setting. Simultaneously, high-end FPGAs are being produced with 2.5D integration of multiple distinct dies, called Super Logic Regions (SLRs), onto the same chip. Although one might expect that physical separation of logic onto separate dies could prevent multi-tenant attacks, this paper demonstrates for the first time that cross-SLR information leaks based on sensing voltage changes within the FPGA chip are possible, without physical access to or modification of the boards. The cross-SLR covert channel is characterized analytically and experimentally on five Xilinx Virtex UltraScale+ FPGAs, both locally and on the Amazon and Huawei clouds. Several configurations of the source transmitters and the sink receivers are tested, including their locations, types, and sizes. The power-based channel is shown to have a bandwidth upwards of 4.6 Mbps and accuracy of over 97.6%. Consequently, as physical separation of tenants onto separate dies (SLRs) is an insufficient countermeasure against information leaks, hardware-level architectural improvements are necessary to make secure multi-tenant FPGAs on shared clouds a reality.