PUFBind: PUF-Enabled Lightweight Program Binary Authentication for FPGA-based Embedded Systems

TL;DR

This paper introduces PUFBind, a lightweight, hardware-software co-designed method using Physical Unclonable Functions to authenticate program binaries on FPGA-based embedded systems, enhancing security without hardware modifications.

Contribution

It presents a novel PUF-based binary authentication scheme that is platform-agnostic, low-overhead, and operates in a bare-metal environment without modifying hardware or binaries.

Findings

Successful prototype implementation on PicoBlaze microcontroller

Comparable hardware resource footprint to existing solutions

Effective runtime binary authentication demonstrated

Abstract

Field Programmable Gate Array (FPGA)-based embedded systems have become mainstream in the last decade, often in security-sensitive applications. However, even with an authenticated hardware platform, compromised software can severely jeopardize the overall system security, making hardware protection insufficient if the software itself is malicious. In this paper, we propose a novel low-overhead hardware-software co-design solution that utilizes Physical Unclonable Functions (PUFs) to ensure the authenticity of program binaries for microprocessors/microcontrollers mapped on the FPGA. Our technique binds a program binary to a specific target FPGA through a PUF signature, performs runtime authentication for the program binary, and allows execution of the binary only after successful authentication. The proposed scheme is platform-agnostic and capable of operating in a "bare metal'' mode (no system software requirement) for maximum flexibility. Our scheme also does not require any modification of the original hardware design or program binary. We demonstrate a successful prototype implementation using the open-source PicoBlaze microcontroller on AMD/Xilinx FPGA, comparing its hardware resource footprint and performance with other existing solutions of a similar nature.