A newly revealed vulnerability in older Xilinx FPGAs can be exploited to simplify the process of extracting and decrypting encrypted bit streams used to configure chips.
In other words, it is now easier to produce clones of products that use these vulnerable Xilinx components. It's not really a terrifying security breach; it's more of an interesting hack that isn't supposed to be possible.
For the uninitiated, FPGAs – on-site programmable door matrices – are packed with internal circuits that you can organize and configure according to your needs: you can place an FPGA in a product that you manufacture, and configure it to direct readings sensors to a microprocessor, or control robotic motors, or network packet filter filters, or wireless signal processing, or control of other electronic devices in the system, or whatever, really.
You organize the internal building blocks of logic in an FPGA by writing code in a hardware design language, such as Verilog, and compiling it into a bitstream. This bit stream is usually stored in flash memory and read by the FPGA when powered on. It uses the bit sequence to configure and connect its internal circuits to perform the intended operation.
You probably don't want your bit stream to be easily copied, otherwise, someone could buy your FPGA powered product, extract the bit stream from the port matrix from flash memory and use it to configure a compatible FPGA in his own product to make a clone of your gadget. (In a push, they could also reverse engineer your FPGA design from the bitstream, although this is not very easy to do because the format of this data is not publicly documented by providers, generally.)
Cryptography to the rescue
There is a solution: you can encrypt your bitstream with AES-CBC and an encryption key, and burn this secret key in the FPGAs that you bought when they are placed in your product in your factory. You then store the encrypted bit stream in flash memory, the FPGA in the device reads it, decrypts the stream using the secret key you gave it and configures itself. If your rival tries to use the encrypted bitstream in compatible FPGAs purchased from the same supplier, this will not work because these FPGAs will not have the secret key.
Unfortunately for you, however, it is now easy to completely extract the decrypted version of this encrypted bitstream once it has been loaded by the gate array. This can be done by exploiting a vulnerability called Starbleed which is found in the older generation Xilinx Virtex-6 and 7-Series FPGAs.
Maik Ender and Amir Moradi, of the Horst Goertz Institute for IT Security of the Ruhr-University Bochum in Germany, as well as Christof Paar of the Max Planck Institute for Cyber Security and Privacy, also in Germany, discovered the hole and have it described in a published article [PDF] this month. There is no known mitigation or solution other than buying updated silicon.
The trio registered on a register called
WBSTAR within the FPGA: this register defines the memory address where the FPGA must start reading in its bit stream after a warm start, and is defined by the bit stream previously loaded from the memory. The idea being: you make the FPGA load a bit stream from a default location in memory, like in ROM, and this bit stream defines
WBSTAR to point to an updated bitstream in flash memory so that when the FPGA is restarted, it retrieves the updated bitstream from flash, thus allowing the chip to load securely in an updated configuration without bricking the system.
WBSTAR is not changed from one reset to another.
Here's the great touch: you take the encrypted bitstream and manipulate it just enough to make it write a 32-bit word of its post-decrypted state in
WBSTAR. This manipulated bit stream will cause the FPGA to reset, as it fails a cryptographic integrity check. Make sure the FPGA loads an unencrypted second bit stream that generates the value of
WBSTAR so you can read it and save it. Then you repeat the process over and over.
And voila, you can gradually disclose the decrypted content of the encrypted bitstream by writing repeatedly to
WBSTAR, reset and read
WBSTAR, reconstructing the plain text of the bit stream. Crucially,
WBSTAR is updated by the manipulated encrypted bitstream before the integrity check is carried out, which allows it to disclose data before triggering the reset.
The high-end Versal FPGA from Xilinx is like a designer handbag. If you have to ask for the price, you probably can't afford it
The time it takes to do all of this varies depending on the size of the bitstream, although the team estimates that it can take around four to ten hours for a full extraction to take place. Once done, you would have an unencrypted copy of the bit stream for this chip.
While it is possible that it is used to hijack someone's hardware – extract the decrypted bitstream, modify it, and then re-inject it into a device to change its operation – this scenario is unlikely. Realizing on the ground would take a long time. Honestly, if a bad guy had access to the device at this level for so long, there would be a hundred things worse than he could do without having to play with the FPGA.
In this sense, Starbleed does not make much sense as a security risk outside of a laboratory environment. If you are concerned that someone is using this to tamper with your FPGA-compatible equipment, do not do so.
Rather, it seems that the main exploitation of this bug is the theft of intellectual property.
Imagine, if you will, an unscrupulous device maker wants to create their own version of a rival's hardware. They obtained the equipment they wanted to rip off, took it to the lab for a day to extract the unencrypted bitstream via the Starbleed procedure, and then used it to configure the FPGAs in their own products. (Yes, it would be very illegal and result in a poor quality counterfeit kit. 你 想 说啥?)
It is not the first time that researchers have found a way to raise the bitstream of an FPGA chip, although Starbleed seems to be the easiest with long chalk. Previous studies have relied on techniques such as hitting the chips with near infrared light or lasers to discern the internal configuration.
Although not exactly simple in itself, Starbleed is relatively easy to perform in comparison, since it only needs a cable and a debug interface.
“In general, the adversary can be anyone with access to the JTAG or SelectMAP configuration interface, even remotely, and to the encrypted bit stream of the attacked device,” explained the trio of researchers. “Unlike lateral and probe attacks against bitstream encryption, no adequate equipment or expertise in electronic measurements is required.”
As you can imagine, Xilinx is not exactly thrilled to see boffins disclose a new method to hack their equipment, although the chip designer highlighted that when it comes to the risks of hacking in the real world, there is not much to fear.
The FPGA slinger worked with academics before the document went online, and it should be noted that the latest Xilinx 7nm FPGA models (as well as previous 16nm and 20nm generations) are not susceptible to this vulnerability. ®
Office 365 client-to-client migration tips