The mobile application market is rapidly growing and changing, offering always brand new software to install in increasingly powerful devices. Mobile devices become pervasive and more heterogeneous, embedding latest technologies such as multicore architectures, special-purpose circuits and reconfigurable logic. In a future mobile market scenario reconfigurable systems are employed to provide high-speed functionalities to assist execution of applications. However, new security concerns are introduced. In particular, protecting the Intellectual Property of the exchanged soft IP cores is a serious concern. The available techniques for preserving integrity, confidentiality and authenticity suffer from the limitation of heavily relying onto the system designer. In this paper we propose two different protocols suitable for the secure deployment of soft IP cores in FPGA-based mobile heterogeneous systems where multiple independent actors are involved: a simple scenario requiring trust relationship between entities, and a more complex scenario where no trust relationship exists through adoption of the Direct Anonymous Attestation protocol. Finally, we provide a prototype implementation of the proposed architectures.
INTRODUCTION
The current mobile application market is constantly changing due to the presence of new devices and platforms which emerge quite frequently [1] . The changes affect the business environment creating a demand but also an opportunity for the rapid introduction of new technological solutions. Players in the growing business landscape cannot ignore this opportunity, since mobile technology will eventually have a role in most digital products and services.
Several well-known companies participate in this scenario: the first to define the market was Apple which launched, in 2007, the iPhone and later, in 2008, its distribution platform App Store. Subsequently, other players and device manufacturers joined the mobile application market with their devices, operating systems and software distribution platforms. Currently, the distribution of mobile applications spans over 300 application stores worldwide, including device manufacturers, platform providers, mobile operators. Well-known examples are Google Play Store (previously known as Android Market), Apple App Store, Windows Phone Store, Opera Mobile Store, etc. [2] . Sales, finalized through a payment gateway, and downloads of mobile apps are skyrocketing too. According to a recent survey by iResearch, in 2018, global mobile app revenues amounted to over 365 billion U.S. dollars. In 2023, mobile apps are projected to generate more than 935 billion U.S. dollars in revenues via paid downloads from app stores and in-app advertising [3] .
Several motivations are at the base of the continuous growth of this phenomenon. Certainly, the hardware improvement is the key factor that keeps pushing applications toward new levels of pervasiveness, which allows an ever increasing computational power of mobile platforms. Second, heterogeneous computing has been the leading technology that allowed moving towards new generations of mobile devices. For example, combining multi-core processors with Graphics Processing Units (GPUs) and other types of hardware accelerators is having a huge impact on device performance. Therefore, System-on-Chip developers are increasingly looking at alternative architectural solutions to increase the computational power, while optimizing additional parameters such as power consumption.
In this landscape, reconfigurable computing is a promising solution. As shown in [4] , [5] , programmable system platforms embedding Field-Programmable Gate-Arrays (FPGAs) might be a valuable solution where frequent and remote upgrades are necessary, thus also for embedded applications. Moreover, some FPGA-based systems provide Dynamic Partial Re-configuration (DPR), which allows the run-time update of selected portions of an FPGA without disrupting the rest of the system. DPR allows the creation of new application scenarios [6] , [7] , [8] and it has already been used in the mobile application market [9] , [10] , [11] . Hardware vendors are responsible for manufacturing the FPGA devices and sell them to their customers or retailers. In FPGAs it is possible to (re)configure logic resources by controlling the interconnection among different logic gates. The hardware logic blocks implementing specific functions compose an Intellectual Property (IP) soft IP core. A soft IP core is an independent and reusable module that can be instantiated in the reconfigurable fabric. One or more soft IP cores are described by a bitstream file, which configures the FPGA (or just a portion, if DPR is supported). The project of a soft IP core is defined by the system designer. The exploitation of reconfigurable hardware enables a new mobile application scenario, where a reconfigurable device can be programmed at run-time to assist the execution of a software application by means of application-specific computational cores. The applications can employ hardware capabilities on-demand using ad-hoc computational resources optimized for the various system's aspects (e.g., power consumption of the whole system). Mobile applications like games, audio/video processing, secure communications are good candidates to benefit from providing application-specific hardware acceleration cores deployed together with the software application.
However, this new application paradigm opens up concerns in the security domain. As an example, an adversary that is able to intercept a bitstream of an hardware Intellectual Property can try to extract sensitive information or steal the property, thus leading to IP infringements. Also disclosure to the public domain or unauthorized sales to earn unfair profit are possible, thus violating the confidentiality of the hardware block. Considering the hardware, an attacker may also produce intentional alterations to the hardware block by injecting malicious code that may either corrupt the correct behavior of the software application or compromise the whole end-users system, e.g., by introducing security flaws which could later be exploited.
Therefore, the hardware description of soft IP cores should never be sent across unprotected network links. FPGA manufacturers have already provided techniques, such as bitstream encryption and authentication, which try to address these issues. Indeed, they fit a simple scenario where the application developer and designer is the only entity entrusted to produce reconfigurable hardware descriptions to be delivered to a remote system. Certainly, they don't fit the current very dynamic and heterogeneous scenario of the mobile application market. Moreover, these methods may require an excessive involvement and trust in the manufacturers, which usually embed secrets in their hardware that can eventually be exploited. Even worse, it requires to trust the whole manufacturers' supply chain as well, which has become an issue with the delocalization of the production.
In this work, we tackle a much more challenging and realistic situation that involves several independent parties participating in the development and distribution of applications to be executed on heterogeneous mobile platforms embedding an FPGA as reconfigurable hardware. These parties include: the end users, the application stores, the software providers and the reconfigurable hardware vendors. In this scenario, a single reconfigurable hardware resource can be shared by several applications from different vendors with guarantees on the integrity and confidentiality of the provided hardware cores.
This paper extends a preliminary published work by adding tightening security requirements and developing a more complex scenario that avoids trust relationships among the involved entities [12] . This paper addresses the security threats introduced by two types of adversaries: (i) remote adversaries acting on the communication channels between the application providers and the devices (Man-in-the-Middle), and (ii) local adversaries with physical access to the system (Man-at-the-End).
We describe the security services for the envisioned infrastructure by taking into account three aspects: (i) the hardware resources and the system architecture to implement the required security primitives, (ii) the high-level software infrastructure needed to implement the required communication protocols, and (iii) the high-level entrusting policies required among the involved entities.
Instead of resorting to ad-hoc technology to tackle the adversaries and the security issues, we exploit the idea of another mainstream initiative, i.e., the Direct Anonymous Attestation (DAA) protocol [13] . Currently, the DAA protocol has been standardized by the Trusted Computing Group (TCG) [14] and it is supported in ad-hoc chips like the Trusted Platform Module (TPM). Even if we do not necessarily propose the use of TCG-specified TPM chips, we follow the progresses in this field employing reconfigurable hardware to achieve the same features. This also means that there will be more people researching for flaws, as the impact of attacks becomes greater thus also the impact of publication of such attacks is more likely to reach a higher visibility.
The remainder of this paper is organized as follows: Section 2 defines the assumptions and the security requirements to be satisfied, as well as the roles of the actors playing in the two scenarios here considered. Section 3 provides an overview of the previous works carried out in the perspective of the security requirements. In Section 4, we detail the protocol to securely transfer the bitstream. We discuss, in Section 5, the internal architecture of the employed device, providing details for the software implementation of the considered players. In Section 6, we analyze the security of the protocols considering their security requirements against possible attacks. Finally, Section 7, concludes the paper.
ASSUMPTIONS, MODELS AND REQUIREMENTS
This section presents our model by describing the involved actors and the security and functional requirements to be satisfied. Moreover, it characterizes the two scenarios we assume in this paper, which depict very common situations for the deployment of mobile applications.
The application is the object to be securely exchanged among all involved parties. As shown in Fig. 1 , in this paper we consider applications composed of two portions: (i) the executable code (SW), and (ii) an FPGA Bitstream file (BS).
The application is executed on the End User Device, which embeds a general purpose CPU executing the SW and a FPGA-based Hardware Acceleration Platform (HAP). HAP contains the reconfigurable logic, i.e., the FPGA, and a microcontroller used to securely load and store a bitstream.
The bitstream describes one or more soft IP cores that complement the application (e.g., required to improve its performance). These soft IP cores are dynamically configured in the FPGA every time the application is executed.
Actors
We model the considered scenarios following a common scheme for application deployment for the mobile applica- We consider three main types of actors: (i) the software providers, (ii) the hardware vendors, and (iii) the end users.
The Software Provider (SWP) is the entity that develops applications and sells them through several Application Stores (STORE) to reach a high number of potential customers.
The Hardware Vendor (HWV) is the entity responsible for designing and selling the Hardware Acceleration Platform (HAP) used by the applications to load the BS and it implements the soft IP cores developed and sold by SWPs. The Hardware Acceleration Platforms considered in this paper are microprocessor-based Systems on Chips (SoCs) embedding state-of-the-art FPGAs featuring DPR and bitstream encryption mechanisms. The HWV has full knowledge of the hardware it produces, including secrets and security mechanisms it embeds (e.g., cryptographic keys). We assume that each hardware vendor has a publicly accessible service (e.g., a web server) used to offer services to the software providers and to the end users (e.g., prove hardware product authenticity, send firmware updates, etc.). It also provides publicly available information (e.g., list of hardware capabilities, APIs, list of known compromised devices).
The End User (EU) is the customer. The EU may be interested in buying applications that have been developed by different SWPs. He/she owns an End User Device (e.g., smartphones, tablets, PDAs, etc.) that embeds the HAP. The End User Device and HAP are two separate execution environments, therefore, they are considered as two separate entities in our scenarios. However, the HAP does not directly access the network, all communications with the external world are mediated by the End User Device.
Together with the above three main actors, two more players are involved in the scenario we have considered in this paper. The STORE acts as an interface between EUs and SWPs by collecting and making available to the EUs software applications developed by different SWPs. Every STORE has a publicly accessible service (e.g., a web server) and is connected to one or many payment gateways to allow customers to buy the software they want to purchase. Each STORE knows the identity of its users.
Finally, the Payment Gateway (PG) offers payment services for software application purchases (e.g., using credit cards), interfacing with SWPs and with EUs.
Security requirements
The high-level security objective of an SWP is to preserve its intellectual property. Moreover, an SWP aims at securing its applications, by preserving their authenticity, integrity and confidentiality. The EUs require to only execute authentic versions of the software they have bought.
We solely consider the security aspects of the hardware cores, while ensuring authenticity and integrity of executable code is out of the scope of this paper. Interested readers may refer to the literature on this field for a better understanding of available methodologies for software protection [15] , [16] , [17] , [18] .
The security requirements to be fulfilled in order to guarantee the authenticity and the intellectual property of all hardware cores deployed are the following ones:
• Bitstream confidentiality: no other players but the SWP itself must be able to read a bitstream in an intelligible form (e.g., if the application bitstream files are encrypted, the bitstream should not be available in plaintext). Every SWP does not trust neither other SWPs nor the Applications Stores used for distributing applications. Moreover, the SWP does not trust the EUs, even those who have legitimately bought its application.
We have considered two scenarios in this paper. The first one (named Simple Scenario and presented in Section 4.1) considers a case where a trust relationship exists between the SWP and the HWVs (i.e., HWVs might read the bitstream in plaintext) because of legal contracts or Non Disclosure Agreements (NDAs). The second scenario, which tighten the confidentiality (named Full Scenario and presented in Section 4.2), relaxes this assumption, avoiding every trust relationship among all the parties involved. • Bitstream integrity and authenticity: corrupted bitstream files must not be delivered to the EUs, or used to configure the FPGA. The types of corruption to avoid are both accidental (e.g., transmission errors) and deriving from intentional malicious alterations. Moreover, the EUs must be ensured that the bitstream files they are loading in their HAP are genuine, that is, they have actually been developed by the SWP. • Legitimate End User: only users who bought a legitimate copy of the software must be able to use the related bitstream files to configure the FPGA available in the HAP to assist the execution of the related software application. Nevertheless, in no case end users are allowed to access the bitstream in plaintext. • Legitimate HAP: only owners of legitimate HAP can run applications into a user platform and load a BS into the FPGA. • Need-to-know restrictions: only the parties that actually need a sensitive information must have access to it. This is of great importance especially for information concerning the EUs (e.g., the applications that they buy). This requirement is related to the privacy, however the need-to-know is subjective, thus it cannot be considered a privacy statement. If any of these requirements is not met, the security of a bitstream is undermined and an adversary would be able to either read the bitstream and start reverse engineering or compromise the bitstream authenticity and integrity to inject malicious features, e.g., by opening security backdoors.
Attack model
We consider two type of attacks: IP attacks and integrity attacks.
When a IP attack is performed, an adversary tries to get access to an intelligible version of a bitstream. This attacks can be performed either on the HAP by tampering with external memory devices or over the network links the application traverses during their deployment. This type of attack aims at violating the confidentiality of the bitstream in order to make illegal copies of the soft IP cores.
When an integrity attack is performed, an adversary tries to compromise the integrity of a bitstream. This type of attack has two motivations: (1) a remote adversary may want to compromise the bitstream integrity to prevent the correct execution of the related software application (Denial of Service), (2) a malicious user may want to replace a bitstream file with a previous version (downgrade), for example to avoid security updates.
In this paper we do not consider physical attacks that aim at damaging the HAP or make it not operable (i.e., hardware Denial Of Service attacks).
Adversary model and security assumptions
The attacks just described can be carried out by a malicious attacker. We consider two types of adversaries trying to break the requirements introduced in Section 2.2; remote and local adversaries. We assume that both local and remote adversaries are knowledgeable attackers. They have considerable knowledge of the system and device they are attacking and they own high technical skills. Moreover, they have access to sophisticated tools and instruments [19] . Nonetheless, they are associated to different threat models.
A remote adversary controls every possible network link involved in the proposed scenarios, i.e., he/she can perform Man-In-The-Middle (MITM) attacks. A Remote adversary uses techniques to intercept and understand the content of the messages exchanged between two arbitrary networking nodes. Once the attacker modifies the flow of messages, he can also make changes, delete and create completely new fake messages impersonating one of the communicating parties.
A local adversary is a malicious EU who has physical access to and full control of a End User Device. That is, he/she can perform Man-At-The-End (MATE) attacks. Local adversaries have no restriction on the tools and techniques to reverse-engineer and then to tamper with the application (e.g., debuggers, emulators). Thus the application cannot be trusted to store/embed secret data or routines. System libraries and general purpose libraries could be controlled by local adversaries, along with the operating system. In this case, to reach their goals attackers can use and alter system calls, the input/output subsystem, the network stack, the memory management subsystem and possibly others techniques. Therefore, the communication with the HAP mediated by software and drivers can be compromised by these adversaries, thus the data exchanged can be altered even if they are transmitted via secure channels that are safe against MITM attacks. The attacker also controls the platform hardware. Every memory location can be read and written, including the processor registers. The attacker also controls the program storage medium, as a consequence he can read and change any of the stored bits at any time. This means that nothing can be considered secure in the user's environment.
The only part of the user's platform that we will consider secure is the HAP, the stored information and the routines executed within the HAP are considered confidential. Indeed, we assume that, even if the HAP may be placed in an hostile environment, the reconfigurable hardware and the security blocks surrounding it are resistant to physical attacks (e.g., decamping the chip, side-channel attacks, etc.).
Finally, we assume that the local adversaries have no interest in performing Denial of Service attacks against their platforms and including HAP (e.g., by repeatedly sending invalid bitstreams to block its functioning).
Competing firms are potential local adversaries, since they can invest non-negligible resources trying to compro-mise the security requirements.
Moreover, we assume that attackers all work under the infeasibility hypothesis. The infeasibility is associated to the derived computational cost, impossible to sustain for an attacker, in order to decipher the secret information needed by cryptographic algorithms or to invert digest algorithms. In practice, attackers are unable to solve exponential problems of proper size in useful time.
Eventually, when we state that two peers communicate with a k-secure channel, we indicate that the peers perform strong authentication and agree on a symmetric key k that can then be used with data integrity and authentication algorithms and symmetric encryption algorithms to secure the exchanged data.
RELATED WORKS
Security concerns from the previously introduced model of software distribution are considered in this section. A general overview of the feasible attacks against FPGAs, as well as a description of security issues and open problems regarding system security of FPGAs is provided by Wollinger et al. in [20] . Security features, such as anti-tampering and data protection techniques, are described in [21] . In [22] , the authors define an FPGA threat model and evaluate how the security features offered by most FPGA vendors address the threats.
Bitstream Confidentiality
Guaranteeing bitstream confidentiality implies to protect from eavesdropping performed by external sources such as attackers or competitors. In this way, the information exchanged has to be maintained secure in the sense that it is not disclosed to unauthorized third parties. To maintain the confidentiality it is sufficient to encrypt the data.
Nowadays, bitstream confidentiality can be achieved resorting to the integrated bitstream encryption mechanisms offered by most FPGA manufacturers. These techniques allow to assist system designers in the protection of the secrecy of their IP cores, preventing the product to be cloned or reverse engineered.
The bitstream encryption operation is based on symmetric cryptography, i.e., the key used to encrypt the information is the same used during the decryption. The encryption key is generated by the system designer at design time and stored inside the FPGA. The device decrypts the incoming bitstream during the configuration phase. The FPGA stores the encryption key internally in a devoted memory, which could be backed-up by a battery (e.g., BBRAM -Battery backed RAM) in order to maintain its content or a nonvolatile one-time-programmable memory. The memory storing the key is designed to prevent physical attacks. However, the encrypted bitstream configures the entire device. To decrypt partial bitstreams, system designers should build their own decryption engine requiring additional logic, thus reducing the usable area.
Bitstream encryption is an effective solution to protect designer's IP against cloning or reverse engineering and IP disclosure [23] . However, in some cases encryption may not provide sufficient security, as reported in [24] , [25] .
Another approach to protect IP cores against piracy and reverse engineering can be obtained through obfuscation. The authors of [26] leverage FPGA dark silicon to obfuscate the functionality of the design. Other works discuss techniques to consider for bitstream confidentiality as well as authentication [27] , [28] .
Bitstream Integrity and Authenticity
Since encryption alone does not protect the bitstream from modifications, integrity aims to ensure that the data exchanged does not undergo to modifications carried by unauthorized third parties across the network links during the transfer. Moreover, it provides assurance also from unintended modifications that might corrupt the data due to errors, e.g., transmission errors. If the integrity is maintained, also the system receiving the bitstream preserves its integrity.
Error control against data corruption can be accomplished with error-detection techniques, such as checksums and Cyclic Redundancy Checks (CRC). To confirm that the configuration data stored in an FPGA device is correct, most vendors offer dedicated hardware for CRC features. However, CRCs are not suitable to protect against intentional malicious alteration of data [29] since employ reversible functions. Moreover, they are vulnerable to collision attacks, thus they do not guarantee adequate security levels.
Hashing is another method commonly used to validate the integrity of information using a one-way function, i.e., infeasible to invert. The fixed-length output of a cryptographic hash function, called message digest or simply hash, can be thought of as the fingerprint of the input bitstream, offering strong collision resistance. Cryptographic hashing primitives have been employed in [27] , [30] , [31] . Message digest, however, does not authenticate the source. To verify the origin of the bitstream, the secret key shared between the vendor and the device can be combined together with a cryptographic hash function to generate a Hash-based Message Authentication Code (HMAC). In [31] different authenticated encryption schemes have been evaluated and the dual-pass Counter with CBC-MAC (CCM) has been identified as the best option by lowest area footprint. However, Dual-pass authenticated encryption algorithms separate authentication and encryption procedures and therefore require significant overhead. Usually, authentication and confidentiality aspects are considered together, as proposed in [27] , [32] .
In presence of DPR, specific solutions to security problems, as well as safety [8] , have also been discussed in literature. In [33] a flexible security system based on bitstream encryption is proposed. While using FPGAs DPR, designers can freely choose encryption/decryption algorithms implemented as reconfigurable modules. In [34] authors developed a secure DPR system based on encryption of partial bit-streams with AES-GCM cipher. AES-GCM is an authenticated encryption cipher which guarantees both the confidentiality and the authenticity of a message. In [35] is shown an improvement of the security of DPR in FPGAs re-encrypting a remotely received bitstream with a unique random key, while providing low area overhead and a high reconfiguration throughput.
IP Licensing and Activation
Providing confidentiality, integrity and authenticity of a bitstream protects the end-user device from malicious attackers. However, the intellectual property is left unshielded from piracy, which could damage the related business model of an application. IP theft introduces problems with design rights associated to the soft IP cores. Encryption and obfuscation are strong tools to ensure security, but they cannot protect the IP in every stage of the life cycle. Several works addresses these challenges [36] , [37] , [38] . Enforcing IP security can be achieved resorting to solutions from a related area, i.e., trusted computing. In particular, the Trusted Platform Module (TPM) is a microcontroller used to authenticate a target platform, enabling several cryptographic features [39] . The TPM is embedded in and interacts with the target platform, providing cryptographic primitives for secure key generation and storage, random number generation and remote attestation. In literature, different methods of activation and licensing for IP cores protection have been employed: in [40] a new scheme to track and control the licensed designs is presented, adopting public-key cryptograpy and symmetric encryption as well. The authors of [41] propose an IP protection mechanism to restrict IP execution only on specific FPGA devices, limiting unauthorized copies and integration of the IPs. This solution, together with [37] , enforces a pay-per-device licensing scheme for system developers, instead of purchasing unlimited IP licenses. Finally, a recent work [42] provides a remote licensing and activation mechanism, guaranteeing anonymity for the end users.
Open Challenges and contributions
The analyzed solutions bring several improvements related to the confidentiality, integrity and authenticity of a bitstream. However, the key employed for cryptographic operations is defined at design time and it is a secret shared between the system designer and the target device. The system designer is therefore the only entity entrusted to provide new or updated bitstreams for a specific device. From this, it follows the limitation that software providers cannot generate bitstreams to assist their applications without relying onto the system designer. To the best of our knowledge, the available solutions are unable to fit the security requirements introduced in Section 2.
Our previous work proposed a simple architecture able to overcome this limitation. However, as will be described in Section 4.1, existing agreements between the software providers and the hardware vendors are necessary. The hardware vendors must be able to access the bitstream in plaintext, requiring a trust relationship with the respective software provider. This paper moves forward by presenting a new scenario, described in Section 4.2, where the trust relationship among every of the involved parties is no longer required. Moreover, the users are able to gain additional privacy, limiting the identity disclosure to only software application stores.
In both cases, the confidentiality, integrity and authenticity of the bitstream exchanged (whether it is a new application or an update for an already-installed one) across the network links is maintained.
PROTOCOLS AND SECURE INFORMATION EX-CHANGE
This section introduces our solution for the secure reconfigurable computing model presented in Section 2. In particular, we will introduce and analyze the information exchange and the required protocols that will be used to identify the required hardware structures. Two cases will be analyzed: 1) a simple scenario fulfilling a reduced set of security requirements but exploiting minimum hardware facilities, and 2) a complex scenario featuring trusted computing hardware fulfilling the full set of security requirements of Section 2.
In both scenarios, the target of the protocol is to define the operations to deploy a mobile application, composed of the software and its hardware counterpart, on the End User Device. However, the transfer among the involved parties has to be secured with respect to the considerations introduced in Section 2 and overcoming the limitations discussed in Section 3.4.
Case 1: Simple Scenario
In this scenario, a simplified version of the protocol is presented. This protocol satisfies a reduced set of security requirements, but benefits from simplicity and reduced hardware requirements. Fig. 3 shows a possible workflow for the deployment and execution of an application onto a device embedding reconfigurable computing resources.
In this simple scenario, we assume that there is a trust relationship between the SWP and the HWV. Moreover, together with the security requirements and assumptions presented in Section 2, the following realistic functional assumptions are considered:
• The EU is able to access the store (i.e., he has an account on the STORE); • The EU has a credit card or any another equivalent payment system compatible with the store; • The STORE has existing agreements with one or more payment systems; • The HAP is identified by a unique code (e.g., serial number), defined here as id HAP and stores a secret cryptographic key (K HAP ), both known by the HWV.
The key is not accessible from the outside of the HAP; • all involved entities are able to create secure channels (e.g., through SSL/TLS protocols) satisfying confidentiality, data integrity and authentication, and peer authentication using an agreed symmetric key; • the SWP knows the HAP manufacturers (i.e., HWVs)
and can access to their services.
The following protocol presents the steps to be performed in order to buy an application and securely obtain the associated bitstream (see Fig. 3 ). notifies the STORE if the payment transaction terminates successfully. The STORE starts the procedure to obtain the requested BS to send to the client. The actual steps performed may change depending on the information exchanged between the STORE and the PG, thus this is not reported in Fig. 3 . 2) (The EU sends the STORE its data) The first interaction reported in Fig. 3 involves the EU and the STORE.
The EU sends (from its device platform) the information needed to identify its HAP, i.e., id HAP . Since the communication involves sensitive data, the End User Device and the STORE use a secure channel that ensures confidentiality, data integrity and authentication by means of an agreed symmetric key K CS 1 . The freshness is guaranteed by using a random number r C . In Fig. 3 , the symbols r indicate random numbers. The STORE then sends back an acknowledgement to the Client in the secure channel 2 .
3) (The STORE notifies the SWP) The second interaction reports the STORE that notifies the SWP that a new customer bought the application (thus also its BS). The STORE forwards information about the HAP of the 1. To simplify the presentation, we indicate that K CS is used both for symmetric encryption and to compute a Message Authentication Code (MAC), even if K CS is better used as a master key to derive different keys (as actually done by TLS). Also note that an authenticated encryption primitive could have been used instead of a MAC.
2. The acknowledgments are sent to confirm the correct data receipt after all the interactions. Nonetheless, they are not explicitly reported in the text to ease the reading. client who bought the software. Again, the communication involves sensitive data (the id HAP ) thus the STORE and the SWP communicate by using a secure channel that ensures confidentiality, data integrity and authentication by means of an agreed symmetric key K SS . 4) (The SWP sends the BS to the HWV) The SWP sends the BS of the purchased application and the id HAP that bought it. Also in this case, the communication involves sensitive data (BS, id HAP ) thus the SWP and the HWV communicate by using a secure channel that ensures confidentiality, data integrity and authentication by means of an agreed symmetric key K SH . 5) (The HWV prepares the BS for the client's HAP) After receiving the data, the HWV ciphers the BS with the HAP key and sends back to SWP the ciphered bitstream {BS} KHAP . In this case, the confidentiality of the secure channel is not needed, only the integrity and authentication. However, the already established secure channel could be used again. 6) (The SWP forwards the encrypted BS to the STORE) the SWP sends back to the STORE the ciphered bitstream {BS} KHAP via the available secure communication channel. 7) (The BS ready to be downloaded by the EU from the STORE) Finally, the STORE makes available to the EU, e.g., through the user account, both the executable code SW and the ciphered bitstream {BS} KHAP .
The EU is then ready to install the application on its device. After the installation, every time the user starts the application the reconfiguration of the HAP will be triggered. Within the HAP the BS will be decrypted, thanks to the embedded controller that uses the HAP key K HAP , and loaded onto the reconfigurable logic. It is worth noting that the proposed infrastructure can also be used to deliver updates to the BS, while updates to the executable code can simply be downloaded by the STORE through the usual methods. When the SWP updates the BS, e.g., because of a new version release or bug fixes, a reduced version of the previous protocol can be used: 1) the current version of the application initiates the communication with SWP to check for available updates. 2) If a new update is available, the client sends its id HAP to the SWP (thus bypassing the STORE) through a secure channel that ensures confidentiality, data integrity and authentication by means of an agreed symmetric key K CS . The SWP checks if the client corresponds to a valid customer 3 .
3) The SWP connects to the HWV via a secure channel and sends to the HWV the BS and the id HAP , encrypted with an agreed symmetric key K SH ; 4) The HWV ciphers the BS using the HAP key K HAP , and sends back to the SWP the ciphered bitstream {BS} KHAP . In this case, a secure channel is not needed however, the already established can be used; 5) finally, the SWP sends back to the EU the updated application, which includes the updated ciphered bitstream {BS} KHAP . Note that the simple scenario describes a communication protocol for the exchange of the bitstream among several parties that can be easily implemented with network nodes and a suitable End User Device.
Case 2: Advanced scenario
The simple scenario presented in Section 4.1 ensures confidentiality, data integrity and authentication among the involved parties. However, it requires a trust relationship between the SWP and the HWV, which might already exists due to legal contracts. Nonetheless, it may be a limitation. Moreover, this protocol does not minimize the disseminated information. For instance, the HWV is aware of each BS application the EU purchases.
In the simple scenario, the EU is able to obtain an application for its device, while the SWP achieves a secure transfer of its IP. However, there is no assurance for the SWP that its IP will not be loaded and executed in compromised hardware, which could ease the porting of attacks. Additionally, the EU privacy could be undermined (and the "need to know" requirement as well), since the other parties may collect information about the software bought by the user from any developer. Instead, in the scenario presented here, either the EU is able to preserve anonymity and the SWP may only sell his application to users that own legitimate hardware. On the one hand, the full scenario drops the assumption that there exists a trust relationship between the SWP and the HWV. On the other hand, it requires that the HAP offers more sophisticated features that are usually available at dedicated secure hardware. Indeed, the protocol implemented in the full scenario relies on the execution of the Direct Anonymous Attestation (DAA) protocol to guarantee all the security requirements in Section 2.2.
The DAA Protocol
The Direct Anonymous Attestation protocol has been designed to allow a verifier to check that a signature has been originated by a legitimate platform by means of a deterministic verification algorithm [13] . Signatures can be used to convince a verifier about the integrity of the platform, that is, signatures allow achieving platform attestation. Signatures made with the DAA protocol are anonymous, that is, they do not leak any information about the signer, unless the signer wants a subset of signatures to be linked. By using the DAA protocol it is also possible to detect the so-called rogue platforms, so that the signatures obtained by means of compromised keys can be revoked. The manufacturer of the secure chips providing the DAA protocol can thus maintain a list of the compromised platforms.
The DAA protocol is independent of the public key authentication schemes, thus, different types of keys can be embedded in the secure hardware platform.
Different versions of the DAA protocol have been presented in the last years since the publication of the first version. Some of them were provably secure under assumptions that do not guarantee the claimed security properties in the real world, for some other schemes, there exist known attacks to compromise them [43] , [44] , [45] , [46] . However, recently, two forms of DAA have been presented that have been formally proved against threats models that are not considered weak [47] , [48] .
The DAA protocol has been standardized by the Trusted Computing Group (TCG) and is available in the Trusted Platform Module (TPM) since the version 1.2 4 . Later, in 2013, the TPM v2.0 has been developed and provided with the most efficient of the published DAA protocol versions. The same version of the DAA protocol has also been inserted in the Intel processors as Enhanced Privacy ID (EPID) algorithm, which has been standardized as ISO/IEC 20008-1:2013 5 and 20009-1:2013 6 .
Three roles are involved in the execution of the DAA protocol:
1) the DAA Issuer is the entity that manufactures the secure hardware platform. The DAA Issuer knows all the secrets the secure hardware platform stores. 2) The DAA Signer is the secure hardware platform that produces the signatures used for attestation purposes. The DAA Signer entity is composed of two parts, the secure hardware platform and a Host, the set of all the software components that interfaces with the secure hardware platform (e.g., the computer system where the secure hardware platform is available, including the OS and all the drivers that allow accessing the hardware). Finally, 4 . However, the version of the DAA protocol implemented in the TPM v1.2 is no longer considered secure. 5. https://www.iso.org/standard/57018.html 6. https://www.iso.org/standard/57079.html 3) the DAA Verifier is any external party (e.g., a service provider) that is interested in verifying the integrity of the secure hardware platform. To achieve signature anonymity, the DAA protocol introduces two more features:
• a counter, which is a value used to generate multiple DAA keys from a single secret, and • the basename: an optional value used to allow verifiers to link multiple DAA signatures signed under the same DAA key. Basenames can be considered pseudonyms and are obtained by means of a secure function computed on the secret of the secure hardware platform.
To abstract from the DAA protocol implementations (and their present and future flaws) and to make our result more general, we assume in this paper that the system uses the most secure and efficient DAA protocol version, which will expose the primitives presented below.
• The DAA Setup is the procedure that a secure hardware platform performs to indicate its host and then to the DAA Issuer whether or not it is corrupted. • The DAA Join is the procedure that a host performs, together with the secure hardware platform, to obtain the DAA Credentials (which can be seen as an anonymous public key certificate) and becomes part of the group of certified or attested secure hardware platforms. • The DAA Sign/DAA Verify are the two procedures that the secure hardware platform and the host use to convince a verifier that the secure hardware platform is certified and the host has previously joined the group. These signatures are generated from a DAA Credential obtained after the join. This procedure is a form of remote attestation. Nevertheless, the same primitives could also be used to actually sign messages. The DAA protocol ensures several security properties. They have been formally defined in previous works [47] , [48] and are reported in this paper in an informal way:
• Completeness: signatures from a valid basename of a honest platforms are accepted as valid by the verifiers. • Correctness of Link: signatures created with the same basename by the same honest platform are correctly linked. • Unforgeability: no adversary can create a signature that is recognized by the verifiers as a valid signature of a honest platform, regardless of the basename he used. • Anonymity: signatures of the same honest platform that use different basenames (or no basename at all) are not linked by any adversary. In other words, the adversary cannot tell if they are applied by the same honest platforms o by different honest platforms. • Non-frameability: no adversary can create signatures with a given basename that links to a signature created by an honest platform.
Functional assumptions for the advanced scenario
The following functional assumptions have been considered for the full scenario:
• The EU is able to access the store (i.e., has an account on the STORE); • The EU has a credit card or any another equivalent payment system accepted by the store;
• The STORE has previous agreements with one or more payment systems; • The HAP owns valid DAA credentials and is able to run the Setup, Join, and Sign DAA methods; • The SWPs know the HAP manufacturers (i.e., the HWVs) and can access their DAA Issuer services; • (optionally) the STORE trusts the information obtained by the HWVs through their services (e.g., the information about its compromised HAPs). • (optionally) the involved entities are able to create secure channels (e.g., through SSL/TLS protocols) satisfying confidentiality, data integrity and authentication, and peer authentication using an agreed symmetric key. It is worth noting that the functional assumptions just mentioned are quite similar to the ones presented in 4.1. However, in this scenario, some entities offer special functionalities and play specific roles with respect to the context of the DAA protocol here employed:
• The HAP plays the role of the secure hardware platform; • The End User Device plays the role of the host where the secure hardware is attached; • The HWV plays the role of DAA Issuer (i.e., the TPM manufacturer), thus it maintains the rogue oracle; • The SWP plays the role of DAA Verifier (i.e., it wants to authenticate the HAP) • optionally, also the STORE can play the role of the verifier (i.e., if it wants to authenticate the HAPs)
Workflow
In the full scenario, before deploying an application onto a device embedding reconfigurable computing resources, the HAP executes the DAA-Join protocol in order to be recognized as a trustworthy device by the HWV. The target of this phase is to prove to the DAA Issuer that the secure hardware platform is trustworthy (setup) and to obtain valid DAA credentials (join). Fig. 4 shows the workflow for the application deployment 7 .
The steps to buy a new application in the full scenario are the following ones (see Fig. 4 ).
1) (The EU buys the application) the EU browses the STORE and decides to buy an application, composed by a SW and a BS parts, developed by a SWP. The STORE redirects the user on the PG to complete the application purchase. If the payment transaction terminates successfully, the PG informs the STORE.
The STORE starts the procedure to send to the EU the requested BS. 2) (The STORE notifies SWP of a new customer) the STORE notifies the SWP that a new customer intend to buy the application (thus he needs the related BS).
Since the communication does not involves sensitive data, the STORE and the SWP may also avoid using a secure channel.
7. Note that, to avoid making a too complex diagram, we have omitted all the authentication and integrity checks as well as the acknowledgements since they have been already presented in the simple scenario (and because they represent standard mutual authentication schemes that use random numbers [49] 3) (The EU sends the SWP its data) During this interaction, the EU sends the information needed to identify its HAP, i.e., the DAA Credentials issued by the HWV (the DAA Issuer) when the DAA-Join was performed. Since the communication includes sensitive data (such as the credit card number for the purchase and the id HAP ), the End User Device and the STORE will use a secure channel that ensures confidentiality, data integrity and authentication. 4) (HAP authentication and optional key exchange) the SWP verifies that the customer owns a genuine HAP by executing the DAA-Verify protocol. To know whether the HAP is rogue, the SWP connects to the HWV services to query the "rogue oracle". If the verification fails, i.e., the DAA Credentials correspond to a HAP that is not genuine or they have been marked as rogue, the protocol is stopped by the SWP. Some management policies will establish how to deal with these cases (e.g., ask installation on another platform or simply stop the purchase). If the verification is successful then the payment is finalized. We assume that the interactions between the HAP and the SWP by means of the DAA protocol allow the exchange of a public key used by the SWP to encrypt the data, which will be decrypted only inside the HAP. In case the RSA-DAA protocol is used, based on the strong RSA assumption, the DAA Credential already conveys a certified public key k HAP,pub . In case other public schemes are used, like the ones based on the qSDH and the LSRW assumptions or the ECDAA, we assume the HAP is able to generate an RSA key pair and, via the DAA Sign, it can send the SWP the signed public key k HAP,pub . 5) (The SWP sends the EU the encrypted bitstream) the SWP generates a new symmetric key, the session key K s , ciphers it using the received k HAP,pub , then it ciphers the bitstream with K S . Finally, it sends both the {K s } k HAP,pub and {BS} Ks to the STORE 8 . 6) (The EU downloads the application from the STORE) finally, the STORE makes available for download to EU from his account both the software SW, and the enveloped data structure including {K s } k HAP,pub and {BS} Ks . The EU is then ready to install the application on its End User Device.
As for the simple scenario, the EU is then ready to install the application on its device. Every time the End User starts the application, the HAP is reconfigured with the soft IP core conveyed with the bitstream. Within the HAP the BS will be decrypted thanks to the embedded controller that deciphers the session key k s from {K s } K HAP,pub by using the corresponding key K HAP,pri .
HARDWARE ARCHITECTURE AND IMPLEMENTA-TION
In this section we present our proof-of-concept for the secure bitstream transfer protocol, detailing the proposed hardware architecture. We consider the End User Device as a heterogeneous mobile device composed of the host platform and the Hardware Acceleration Platform, as shown in Fig. 5 .
Architecture
The host platform integrates hardware peripherals common for mobile computing devices, such as computational cores (e.g., microprocessors, GPUs, etc.), sensors (e.g., gyroscope, accelerometers, proximity sensors, light sensors, etc.), display or screen, memory and storage (e.g., embedded memory, RAM, SD card, etc.) and network adapters for connectivity features. The HAP is embedded into the mobile device. Within the HAP, there is the reconfigurable resource, i.e., the FPGA. The HAP embeds also a microcontroller 8 . The data sent in this interaction can also be wrapped in a single enveloped data structure, e.g., the PKCS#7 enveloped data. offering cryptographic functionalities, such as key generations, and to securely load the bitstreams of the applications installed onto the FPGA.
Interconnections
The class of mobile devices is often characterized with components enabling two different types of connections, i.e., wired and wireless. Network adapters and antenna of the End User Device enable external connectivity towards an internet connection, which is necessary for the user to browse application stores and to download the SW and BS of the applications to be installed. Internal connections depend on the actual hardware architecture of the End User Device. Among the components of the EU device, the data path of the bitstream spans from the storage medium to the FPGA within the HAP. In order to permanently store an application, the host microcontroller is connected to the storage medium. The hardware description of applications is loaded onto the FPGA with a link between the host and the HAP. Eventually, when the FPGA has to be programmed the bitstream is moved to the HAP where the controller decrypts the hardware configuration and sends it to the FPGA.
Implementation details
To simulate our architecture, we separated the host from the HAP of the End User Device. The host device is emulated with a normal laptop/desktop PC connected to the internet, running the client software. The HAP is connected to the host PC with a USB cable. For prototyping the HAP, we employed a particular chip, i.e., SEcube™ [50] .
SEcube™ is a heterogeneous system-on-chip, embedding three components interconnected within the same package: a microcontroller, an FPGA and a SmartCard. The microcontroller is a 32-bit low-power ARM Cortex-M4 processor performing the necessary operations to communicate with the host, through USB and SDIO interface. To securely program the FPGA, the microcontroller is connected to the FPGA through a 16-bit wide bus. The reconfigurable hardware is a Lattice MachXO2-7000 low-power FPGA. The SmartCard is Certified Common Criteria CC EAL5+. The host is connected to the storage medium, i.e., a microSD card, which is accessible also from the microcontroller of the HAP. The storage medium is employed to store the bitstream of the applications downloaded. Although the BS on the storage medium can be accesible from outside, it is stored encrypted to avoid confidentiality breaches. The bitstream is decrypted only within the HAP, which is considered a trusted area. The other involved parties STORE, SWP and HWV are represented with other PCs connected in a network. Each entity executes an application to communicate with the other network nodes and serves the respective clients according to the protocols disccussed in Section 4.
Software stack
The software executed on the bare metal of the HAP device is the open source firmware of the SEcube™ SDK. It provides a high-security abstraction layer through API functions, ranging from encryption and decryption utilities to cryptographic keys management for the keys embedded in the HAP, as well as interfaces for secure communication with the host platform. To implement the functionalities required for the DAA protocol of Section 4.2, we adopted the MIRACL Crypto SDK [51] . The MIRACL SDK is a C/C++ library providing optimized implementations for security primitives (e.g., elliptic curve cryptography -ECC), tailored for constrained environments, such as embedded systems and mobile devices.
Among the applications running on the host side of the End User Device, the counterpart of the APIs are used to communicate with the HAP. Also, the host device runs the client market application, which is able to connect to the services offered by the Software Application Stores. The server applications of the STORE, SWP and HWV resides in the same PC, working as separate asynchronous processes. The services of these entities have been emulated as Python3 applications. For the client/server architecture and asynchronous communication functionalities we employed the asyncio module. The communication among these processes, running on the same physical machine, flows through different port numbers of the communication sockets on the same IP address. Every message sent is encrypted and signed to guarantee integrity, confidentiality and authenticity. When reaching the destination, the signature of the message is checked against malicious alterations. When the download of the bitstream is completed, the application running on the End User Device triggers the mechanism for loading the bitstream onto the FPGA. The HAP firmware retrieves the encrypted data from the storage medium and check its integrity and authenticity. Finally, the bitstream is decrypted and the plaintext configuration is loaded onto the FPGA by the microcontroller equipped onto the HAP.
SECURITY ANALYSIS
From Section 2.3, we see two types of attackers to counteract: man-in-the-middle (MITM) and man-at-the-end (MATE) attackers. The implicit assumption in an MITM scenario is that both the endpoints are trusted entities. However, this assumption is no longer valid in the case where also MATE attackers are interested in obtaining the bitstream. Indeed, MATE attacks are more challenging to prevent. However, all the security relevant operations are performed in the HAP, which we assume is a trusted device that cannot be attacked by our adversaries.
It is worth remarking that the proofs of the security of these solutions hold under the infeasibility hypothesis. That is, we assume the use of state-of-the-art secure cryptographic algorithms with proper key lengths. For instance, currently, a 256-bit security is required from symmetric encryption, that is, the best attack should be a brute force attack on a 2 256 size key space, i.e., using AES256 guarantees an appropriate level of security. Furthermore, at least 80-bit of security is required for the digest algorithms, for instance SHA-256 is currently a valid choice.
Moreover, we recall that when two communicating peers A and B share a symmetric key k:
• (confidentiality) only A and B are able decrypt messages encrypted with k; • (symmetric integrity and authentication) if A receives a message and a MAC computed by using k, A deducts that the message and the MAC were generated by B and no one changed the original message, analogous considerations are valid when B receives messages and MACs A.
Simple Scenario
MITM attacks performed by remote adversaries represent a standard security problem in computer networks and there are provably secure solutions to protect against these attacks: the channel protection techniques. In fact, MITM attacks can be neutralized by using strong peer authentication mechanisms to avoid impersonation, symmetric data integrity and authentication techniques to avoid the message forging and alteration, and symmetric data encryption to ensure confidentiality of exchanged data. The techniques we adopted in the simple scenario protocol ensure data confidentiality by using symmetric encryption algorithms (e.g., AES), and symmetric data integrity and authentication algorithms (i.e., a keyed digest or HMAC using a cryptographic hash function) used in the a "challenge-response (keyed) one-way functions authentication protocol" [49] . These are well-known approaches that are provably secure under the infeasibility assumption.
The first step of the protocol for bitstream IP protection specified in Section 4.1 represents a typical e-commerce scenario very widespread nowadays, where a user is assumed to have a credit card, a TLS-enabled browser installed in his environment, and an account on the application store of the platform. The store relies on payment services that should adhere to the Payment Card Industry Data Security Standard (PCI DSS) to work in the financial world [52] . Indeed, the PCI DSS imposes high security requirements for merchants and payment servers that store, process or transmit payment cardholder data when implementing a robust payment card data security process.
By analysing the protocol, we derive that the id HAP is only readable by the EU, the STORE, the SWP, and the HWV. In fact, the HAP identifier is encrypted with the key shared between the client browser and the STORE, then the STORE encrypts it with the key shared with the SWP. Finally, id HAP is again encrypted with the key shared with HWV and it is sent to the HWV. MITM attackers cannot read the HAP identifier if strong encryption algorithms are used. Additionally, impersonation attacks are impossible as the sent messages allow symmetric authentication of the party. Furthermore, the data authentication and integrity mechanisms used by the presented protocol (i.e., HMAC or an authenticated encryption algorithm) prevent that modifications to exchanged messages are not detected. Therefore, the only remaining attacks are the DoS attacks, which we have excluded as it is not among our goals (and not easy to prevent in all cases).
Even more important, the BS is read in clear only by the SWP and the HWV. In fact, the bitstream is encrypted with the key shared between the SWP and the HWV. Then, the HWV encrypts the BS by using the secret key K HAP , shared with the HAP of the End User Device. Therefore, no one but the HAP with the identifier exchanged during the protocol is able to load and use it. The received bitstream is stored in an encrypted form until it is moved to the HAP decrypted and loaded onto the FPGA, while the software application is usually downloaded in plaintext, since other software protection techniques are displaced to protect the intellectual property, if needed. Therefore, MITM and MATE attacks that aim at reading the bitstream in intelligible way are avoided.
These considerations prove that only the EUs that bought the software are able to use the corresponding BS. Moreover, even the end users are not able to read the plaintext of the bitstream.
Note that the confidentiality of id HAP and the integrity and authentication of all messages could be achieved if, instead of an ad-hoc protocol as in Fig. 3 , general purpose channel protection mechanisms are used. Even better, these channels usually also provide protection from reply attacks and filtering, by numbering exchanged packets or by storing the last packets. The most widespread ones are the TLS protocol [53] , which works at the transport layer of the ISO/OSI stack, or the IPsec protocol [54] , which works at network layer, and other application layer methods, usually message protection techniques (e.g., WS-Security). In our case the TLS approach is the preferred one, which better integrates with a web-based scenario that is very frequent in the e-commerce scenarios. Indeed, it does not require additional software or any previous knowledge of the other communicating party but limited modifications of the services or the availability of an ad hoc API.
On the other hand, there is no alternative than the explicit encryption with K FPGA to protect the confidentiality of the bitstream.
Advanced Scenario
The advanced scenario falls in the same common ecommerce use case. We propose an alternative use of DAA protocol in a more general context than the TCG related ones. The only difference is that the user is required to perform a DAA Setup to initialize the HAP and a DAA Join before running the protocol to generate and issue new DAA credentials of the FPGA. From the functional point of view, DAA-related operations are only available in experimental settings and have not yet reached a large audience, thus not to current customers. However, they do not pose significant challenges for future EUs, also because they can be mostly automated and their complexity can be properly hidden to end users.
Indeed, after buying the software, the client is redirected towards the SWP and he is asked to perform a DAA Sign to attest the integrity of its HAP. Only the SWP knows the session key K s , which is then ciphered with the public key received by HAP. Therefore, K s will only be available inside the HAP, in the trusted part of the protocol entities. This in turn allows satisfying the "Bitstream confidentiality", "Bitstream integrity and authenticity" and "Legitimate End User" requirements. To complete the integrity verification the SWP will contact the "rogue oracle", that is, the entity knowing the IDs of the compromised HAP. The HWV is the best (and only, to date) candidate to maintain this list.
Note that the generation of an RSA key pair whose public component has to be signed with the DAA Credentials and then sent Software Provider, is currently not implemented in the TPM chips. However, it is not against the TPM and DAA specifications, as DAA Sign can be both used for remote attestation and data signature purposes. Therefore, from the functional point of view, the operation we require poses integration issues with current TPM chips but it is not a problem for possible future versions of the TPM nor for the secure hardware (FPGA) we are considering for this paper, as they are fully reconfigurable.
Therefore, in this scenario the only entity that knows the BS is the SWP, because the HAP can only load and use it internally. Thus, when following this approach the "Need to know" principle of the BS is better ensured as it guarantees that the minimum number of entities know the BS in an intelligible form. Indeed, as the HAP of the End User is the only entity that knows the private component of the public key sent to the SWP, only the HAP of the legitimate buyer can use the BS, thus ensuring the "Legitimate End User".
Additionally, by using the DAA Sign and DAA Verify operations and the remote verification using the rogue oracle, the SWP is able to sell its products to buyers whose HAP is not compromised, thus proving the "Legitimate HAP" requirement.
Therefore, we can conclude that the security of the advanced scenario only depends on the correctness and security of the DAA protocol. We assume that the DAA protocol used is correct and secure. Given the level of interest in this protocol and the effort put by the TCG and the researchers in the field, this is currently a reasonable assumption and it will become even more acceptable also in the near future. Indeed, as discussed in Section 4.2.1, the recent progresses and publications give positive hints on the fact that the DAA development is converging to a form that is both secure and not too demanding from the computational point of view [47] , [48] .
The idea of using the DAA protocol has major consequences to the impact of the work presented here. Indeed, the use of a well-known protocol guarantees a bigger control on the strength of the secure mechanisms. Moreover, there will be more people researching for flaws, as the impact of attacks becomes very high thus also the impact of publication of such attacks is more likely to reach a higher visibility. Also reactions of the involved parties to potential flaws would have much more support. The TCG is also increasingly working to increase anonimity and improve users's privacy. In our opinion this is a major trend that is worth joining.
We reach at the same time a strong protocol that guarantees a better level of user privacy (i.e., used data and hardware identifiers) and minor exposition of the company IP (soft IP core are only read by developers and used by secure hardware).
Therefore, even if we do not necessarily propose the use of TCG-specified TPM chips, we follow the progresses in this field and re-implement in reconfigurable hardware the same features.
Another good reason to join a mainstream initiative, is a greater level of control on the whole supply chain of the trusted hardware device, being they TPMs of FPGA-based devices. Indeed, since nothing can be done if the HWV inserts backdoors in the produced devices, we have to resort to a trusted supply chain.
Together with simple backdoors to access the content of the HAP to download the IP cores that need to be protected, other attacks against the whole End User Platform can be leveraged by holes in the security of the supposedly trusted device.
As a simple instance of potential attacks, instead of generating a new RSA key pair inside the HAP, the HWV can generate and inject a certain number of RSA key pairs to choose from (or DAA Credentials if RSA-DAA is used). Therefore, the HWV would have access to all bitstreams encrypted with those public keys.
Physical Attacks
Physical attacks represent another type of possible attacks performed directly on the End User Device. In this case, an attacker aiming at finding the symmetric encryption key must be necessarily a MATE owning the device of interest. We distinguish the case of non-invasive physical attacks from invasive physical attacks.
Non-invasive attacks can be partitioned in attacks where the device is purposely stressed, i.e., active, and attacks where there is no interaction with it, i.e., passive. In both cases, the destruction of the device is not necessary. However they generally require a longer time to be accomplished. Brute-force attacks have already been excluded under the infeasibility hypothesis. Side-channel attacks can still be employed, however they are not always possible and require specialized equipment. The SEcube™ chip adopted for the prototype is secure against the differential power analysis attack as shown in [55] . Timing attacks can be neutralized resorting to constant-time implementation of the bitstream decryption and other security primitives.
Invasive physical attacks destroy the device and require sophisticated and expensive equipment, knowledgeable attackers, and possibly long time to be carried out.
In our scenarios, a physical attack might target the Host platform, the HAP or the storage medium. Any attack to the Host or the storage medium is neutralized with the encryption algorithm, since these parts of the end user platform are considered not trusted. Accessing these peripheral will give to the attacker the possibility to find the ciphertext of the bitstream. But the data must still be deciphered, by reversing the key. The HAP is in fact the critical element, since the bitstream is deciphered within this device through the key stored here. Local adversaries should first bypass any external protection to reach the internal circuitry.
If we suppose that an invasive physical attack is successful, only a single device is compromised. Every device stores a unique serial number and the cryptographic key relative to the specific device. In this way, an attacker wanting to inject vulnerabilities or malicious hardware must repeat the attack on other HAPs. This means that also other devices should be compromised in the same way, leading to higher costs to spread the attack. Also, the effort to exploit the attack is linear with the number of device to compromise.
Nonetheless, if the attack is successful, the target IP stored onto the device is compromised by only compromising a single device. Indeed, when the bitstream is available to the attacker, it can be decrypted and its description might not remain confidential, but could be disclosed to the public. Moreover, this security breach gives the possibility to the attacker to recover also the id HAP of the compromised device. By knowing this information, an attacker could also obtain any other bitstream previously bought for that specific device.
Note that if a TPM chip supports the DAA protocol features, this chip is protected by design against side-channel (timing information, power consumption, electromagnetic leaks) and physical attacks. Additionally, as it uses cryptographic operations it must comply the FIPS 140-2 standard.
The TPMs available on the market provide memory curtaining and protected execution to avoid that the MATE reads the stored secrets. Therefore, the only way to read the secrets is physically tampering with the chip. To the best of authors' knowledge, the only successful physical attack is the one presented at the Black Hat conference 2010 [56] . At cost of six months and 200,000$, Tarnovsky tampered the internal circuitry of an Infineon TPM of the SLE 66PE family of contactless interface microcontrollers to get the secrets. The attack required to dissolve the outer shell with chemicals and remove the layers of mesh wiring to access the chip's bus to read the secrets by tapping the communications channels using small needles. The attack was defined by the author "not easy to duplicate" and the Trusted Computing Group that issued the TPM specifications, a bit more optimistically, "exceedingly difficult to replicate in a real-world environment".
Some other attacks to the TPM are known in literature that are not important for us. The reset attack, is a method to reset the TPM without resetting the entire system. In this way the known-good hashes can be stored in the TPM circumventing the "extend-only" functionality that does not allow to overwrite values in the TPM registers. This attack is mounted against TPM family 1.1 using a vulnerability of the Low Pin Count (LPC) bus that allows to reset all the attached devices. From the family 1.2 this attack is no longer possible.
Another reset attack is presented in [57] , however the authors already contributed together with manufactures with a patch to solve the vulnerabilities.
A recent side channel attack on TPM 2.0 devices is presented in [58] , where the authors are able to recover 256bit private keys for ECDSA signatures Intel firmware-based TPM as well as a hardware TPM. The attack exploits timing information leakage and allows key recovery in less than two minutes. Also in these case, the vulnerabilities have been solved.
CONCLUSION
This work addresses the protection of soft IP cores to be deployed in the context of mobile heterogeneous systems.
We provide an architecture for a secure transfer of a soft IP core bitstream from a generic software developer to an end user owning a device equipped with reconfigurable logic, considering a common real-world scenario of mobile application market.
The provided protocol details the deployment for two scenarios, considering first a minimum set of security requirements, then an advanced scenario fulfilling tighter security properties.
We guarante that only legitimate users purchasing a legitimate copy of an application are enabled to use it. During the deployment, we are able to maintain the confidentiality of the intellectual property. Also, the integrity of the data transferred is preserved to guarantee that no alteration, whether malicious or not, has been performed. Compliance to these requirements protects from MITM attackers. We considered the threat of MATE attackers as well. Finally we also provided a prototype implementation of the whole architecture, employing a system-on-chip as heterogeneous system to work together with a host device (e.g., a PC, or a mobile device).
