Full details of the FPGA vulnerability
Latest update time:2020-04-24
Reads:
Source: The content is authorized to be reproduced from the public account " Lao Shi Tan Xin", author: Lao Shi, thank you.
In April this year, researchers from Germany disclosed a vulnerability called "StarBleed" that exists in all 7 series FPGAs of Xilinx, including Virtex, Kintex, Artix, and Spartan. Through this vulnerability, attackers
can break the encryption (confidentiality) and authentication (authenticity) of the FPGA configuration file at the same time, and thus can modify the logical functions implemented in the FPGA at will
.
What's more serious is that this vulnerability cannot be fixed by software patches. Once a chip is broken, it can only be fixed by replacing the chip.
The discoverer of the vulnerability informed Xilinx of the vulnerability in September 2019, and Xilinx acknowledged it the next day. According to Xilinx's previous financial report, the
7 series FPGA contributed 35% of the company's revenue
. These FPGAs are widely used in communication equipment, medical, military and aerospace and other fields, and many of these fields require the system to have high stability and security. Therefore, the major vulnerability that was exposed this time will undoubtedly have a greater negative impact on Xilinx and its customers.
In recent years, CPU vulnerabilities have been discovered from time to time. For example, in early 2018, almost all mainstream CPU manufacturers were found to have Meltdown and Spectre vulnerabilities in their CPU products. In contrast, FPGA vulnerability issues are not so "common". In this article, Lao Shi will deeply analyze the technical reasons for this vulnerability and summarize some feasible coping methods and preventive measures.
Main encryption methods of FPGA
With the widespread use of FPGAs in data centers, communication infrastructure, AI acceleration, medical equipment, edge computing and other fields, research on FPGA security has gradually become one of the hot topics in academia and industry in recent years.
Compared with CPU, ASIC and other chips, FPGA chip itself does not complete any logic functions. It only contains a large number of programmable logic arrays and several solidified IP cores. The realization of FPGA system functions basically depends entirely on the logic design of the developer. Since different designers can develop different system logics, the same FPGA chip can be widely used in many different industries. Generally speaking, an FPGA design is composed of many IPs, and these IPs are the most valuable part of the FPGA design.
In order to load the design into the FPGA for execution, the only way is through a so-called "bitstream" file, which is also commonly referred to as a system image in the industry. The system image is automatically generated by the FPGA design software. It contains all the information of the FPGA design, so it is the top priority of the FPGA encryption link.
Generally speaking,
there are two levels of protection for bitstream or system image files: encryption and authentication
.
Encryption refers to the use of a specific algorithm to process the bitstream file and convert it into ciphertext, making the content invisible to the outside world. In Xilinx's 7 series FPGA, the CBC-AES-256 algorithm is used for bitstream encryption.
Authentication refers to the identity verification of the encrypted bitstream file to prevent tampering and deletion
,
which is similar to the identity verification in our daily life. If the bitstream file is modified, it will inevitably lead to incorrect authentication results. If this bitstream is downloaded to the FPGA, it will be rejected due to identity verification failure, thus avoiding the possibility of being attacked. In Xilinx's 7 series FPGA, the HMAC (Hash-based Message Authentication Code) method based on SHA-256 is used for authentication.
It is conceivable that if the encryption process of the bitstream is cracked, the attacker can read all the information in the bitstream file, thereby performing reverse engineering, IP cracking, information collection, etc. If the authentication process is cracked, the attacker can modify the bitstream file at will, such as modifying system functions, injecting Trojans, etc. Therefore, these two protection methods are indispensable.
Unfortunately, the StarBleed vulnerability this time takes advantage of the shortcomings of these two protection methods, thereby completely cracking the encryption and authentication of the bitstream and achieving the purpose of fully controlling the bitstream and FPGA chip. It can be said that this vulnerability is extremely destructive and potentially harmful.
Specific attack method of StarBleed vulnerability
The entire attack process is divided into two parts: the first is to crack the encrypted bitstream file, and the second is to obtain the authentication key.
In order to crack the encrypted bitstream file, the attacker used a special configuration register WBSTAR in Xilinx FPGA. This register originally saved the starting address of FPGA MultiBoot function. When starting FPGA, the image file is found from the off-chip non-volatile memory by reading this register.
Therefore, when FPGA is reset, the content of this register will not be erased
.
The process of cracking the encrypted bitstream is divided into 5 steps.
In the first step, the attacker simply tampered with a legitimate bitstream file. Specifically, he needed to modify a 32-bit word in the bitstream and change it to a write operation to the WBSTAR register. The content written is the bitstream itself.
Although the bitstream is encrypted, the tampering process is not as difficult as imagined. Since the format and many contents of the bitstream file generated by Vivado are fixed, the attacker can compare different bitstream files to determine the location of the WBSTAR register operation command, and then modify it. Due to space limitations, the specific details of this part will not be repeated. You are welcome to communicate with Lao Shi further on Knowledge Planet or Weibo.
Bitstream data structure. The gray part is the encrypted content.
The second step is to load the tampered bitstream into the FPGA. At this point, the FPGA will decrypt the bitstream and write a 32-bit word into the WBSTAR register.
It is worth noting that what is written here is the decrypted bitstream content!
In the third step, after loading is completed, the verification fails because the bitstream has been modified, and a system reset is automatically triggered.
The fourth step is to use another unencrypted bitstream file to read the contents of the WBSTAR register. Due to the special nature of the WBSTAR register, its contents will not be cleared with a reset. Therefore, at this point, the attacker can use another unencrypted bitstream file to read the contents of this register and obtain the 32-bit content of the decrypted FPGA bitstream. This unencrypted bitstream file has been open sourced. Please scan the code at the end of the article to enter the Knowledge Planet to view it.
Step 5: Manually reset and then repeat the above steps until the entire bit stream is decrypted.
As can be seen,
the attacker took advantage of the above-mentioned flaw that the authentication process is later than the encryption and decryption process, and completed the complete decryption of the bit stream through the "ant moving" method
.
The most pitiful thing is that the FPGA itself has become a tool to assist in decryption. This also explains why this vulnerability can only be fixed by replacing the FPGA chip.
The table below summarizes the bitstream sizes for different 7-series FPGAs and how long it takes to decrypt them. Reading a 32-bit word takes about 7.9 milliseconds, so it will take about 3 hours and 42 minutes to crack a Kintex FPGA bitstream.
Next, we can crack the authentication process. This process is relatively simple. In fact, the HMAC key required for identity verification is stored in the bitstream file without any additional encryption. This is what is called "the answer is in the puzzle". So just read the complete bitstream and you can get a free HMAC key. With it, you can modify the content of the bitstream file at will and recalculate the identity verification. In addition, the attacker can even modify the HMAC key itself.
In summary, the StarBleed vulnerability exploits two major design flaws of Xilinx 7 series FPGAs:
1. Identity verification occurs after the decryption process
2. The key for identity verification is stored directly in the encrypted bitstream file without additional encryption
Through the StarBleed vulnerability, the attacker cracked the entire series of Xilinx 7-series FPGAs, including Kintex-7 on the SAKURA-X board, Artix-7 on the Basys3 board, etc. At the same time, the attacker also used the same principle to attack the 6-series FPGA, such as the Virtex-6 FPGA on the ML605 board, and also achieved incomplete cracking.
Defense methods
Since the StarBleed vulnerability directly exploits the design flaws of Xilinx 7 series FPGA chips, and the attack process is directly launched when the image file is loaded, it cannot be circumvented by using software patches or firmware upgrades. The only way to fix it is to replace the chip, which Xilinx officials have acknowledged to the researchers.
In fact, attackers cannot crack UltraScale or newer FPGA series using this method. This shows that the design flaws mentioned above have been fixed in the new FPGA architecture. For example, the bitstream file is authenticated first and then loaded.
Although there is no complete defense method other than replacing the chip, we can still use some design methods to increase the cost and complexity of cracking.
A common method is to add extra redundant logic to the design
.
These extra parts do not affect the logical function, but will greatly increase the complexity of the design, thereby increasing the time cost of cracking. For example, add a lot of useless states in the state machine, etc.
In addition, the configuration ports of the FPGA can be blocked during board design, such as the JTAG and SelectMAP ports used by researchers. In fact, there should be few exposed JTAG ports in mass-produced FPGA designs.
At the same time, researchers also thought about how to discover such design defects and loopholes as early as possible, and formal methods are a good solution.
Designers can build a formal model based on the chip design specifications and analyze and prove the model through methods such as satisfiability verification
.
Conclusion
FPGA security research is not a new topic. However, traditional FPGA attack methods require the use of additional physical devices or operations, which are far less practical than the StarBleed vulnerability that was exposed this time.
Once the FPGA is compromised, the attacker can arbitrarily read the data, IP content, etc. of the FPGA bitstream and perform reverse engineering. The attacker can also arbitrarily change the logical functions implemented by the FPGA, which may turn the system where the FPGA is located into a high-performance "zombie" for the attacker. Since FPGA can send data packets at a line speed of 40Gbps or even higher, it makes large-scale DDOS attacks "simple". In addition, the attacker can also significantly increase the chip temperature and perform irreversible physical damage to the system hardware through logical implementation, etc.
It can be said that the StarBleed vulnerability has sounded the alarm for the industry, and will also increase people's attention to FPGA security and guide future FPGA security designs.
(Note: This article only represents the author's personal views and has nothing to do with the unit where he works.)
*Disclaimer: This article is originally written by the author. The content of the article is the author's personal opinion. Semiconductor Industry Observer reprints it only to convey a different point of view. It does not mean that Semiconductor Industry Observer agrees or supports this point of view. If you have any objections, please contact Semiconductor Industry Observer.
Today is the 2289th issue of content shared by "Semiconductor Industry Observer" for you, welcome to follow.
Recommended Reading
★ Semiconductor opportunities and challenges in the eyes of 195 executives
Behind Taiwan's 68% annual growth in semiconductor equipment sales
Semiconductor Industry Observation
" The first vertical media in semiconductor industry "
Real-time professional original depth
Scan the QR code , reply to the keywords below, and read more
Flash memory|Huawei|Packaging and testing| Bluetooth |BYD |Wafer|Silicon|RF|TSMC
Reply
Submit your article
and read "How to become a member of "Semiconductor Industry Observer""
Reply Search and you can easily find other articles that interest you!
京公网安备 11010802033920号