Recently, an unpatchable hardware vulnerability was discovered in Xilinx’s programmable logic products that could enable an attacker to break bitstream encryption, clone intellectual property, modify functionality and even implant hardware Trojans.
The details of the attacks on Xilinx 7-Series and Virtex-6 field-programmable gate arrays (FPGAs) are covered in a paper titled "The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs" by a team of researchers from the Horst Görtz Institute for IT Security and the Max Planck Institute for Cyber Security and Privacy.
According to the researchers, the attack exploits a design flaw that leaks the decrypted bitstream piece by piece. The attack uses the FPGA as a decryption oracle and requires only access to the configuration interface. It does not require any sophisticated tools and, depending on the target system, can be carried out remotely.
The results will be presented at the USENIX Security Symposium later in the year. The researchers said they privately disclosed the flaw to Xilinx on 24 September 2019. In response, the semiconductor giant published a design advisory acknowledging the vulnerability.
The complexity of this attack is similar to that of the well-known and proven differential power analysis (DPA) attacks on these devices and therefore does not weaken their security posture, the company noted in its advisory.
Exploiting CBC mode to encrypt and decrypt arbitrary blocks
FPGAs are programmable integrated circuits that can be reconfigured in the field to match the required application or functionality. Because of their high flexibility, FPGAs are widely used in the development of 5G mobile networks, consumer electronics, data centers, aerospace and automotive applications.
It should be noted that Xilinx and Intel (through its acquisition of Altera) dominate the FPGA market, with Xilinx alone accounting for almost 50% of it.
Because FPGA designs are encoded in bitstreams, a hardware vulnerability of this scale can have serious consequences, according to the researchers.
Unlike other known side-channel and probing attacks on Xilinx and Altera FPGAs, the new low-cost attack aims to recover and manipulate the bitstream by using a configuration interface (e.g. SelectMAP or JTAG) to read data back from the FPGA device.
The readback feature is meant to help verify that the design was loaded correctly into the device. But to protect the design, the bitstream is encrypted (AES-256 in CBC mode) to prevent readback on all external ports.
The attack developed by the researchers manipulates the encrypted bitstream so that its decrypted configuration data is redirected to the MultiBoot start address register (WBSTAR, or Warm Boot Start Address), which allows switching between images on the fly for remote updates and loading a fallback bitstream with a known good design into the FPGA device.
However, because flash memory is used to store these components, a reset does not clear the contents of the register. As a result, the confidentiality of the bitstream can be broken as follows:
1. Create a malicious bitstream and a readout bitstream. The malicious bitstream exploits the malleability of the CBC encryption mode to alter the command in the bitstream that writes data to the WBSTAR configuration register.
2. Load the malicious bitstream into the FPGA device.
3. An automatic reset of the FPGA occurs because of the changes made to the bitstream in step (1), but it does not reset the contents of WBSTAR, as the register is used for the MultiBoot and fallback features.
4. Read back the contents of the WBSTAR register using the readout bitstream.
5. Manually reset the FPGA to repeat the above steps and recover the entire bitstream as 32-bit words.
In summary, the FPGA, if loaded with the encryption key, decrypts the encrypted bitstream and writes it into a configuration register that the attacker can read, the researchers explained.
Hence, the FPGA is used as a decryption oracle. The fact that only a single 32-bit word can be revealed in each iteration determines how long it takes to decrypt an entire bitstream: in our experiments, we were able to reveal a complete Kintex-7 XC7K160T bitstream in 3 hours and 42 minutes, for example.
In the second type of attack, the FPGA can be used to encrypt arbitrary bitstreams (again taking advantage of the underlying CBC mode) and to generate a valid message authentication tag (HMAC), which breaks the authenticity of the bitstream as well.
According to the researchers, the attacks stem from a pitfall: the header data of the encrypted bitstream is interpreted before it is verified, which allows a malicious bitstream to run on the logic fabric of the FPGA.
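The two properties described above, CBC malleability and interpreting data before its tag is checked, can be reproduced in a few lines. This is an added example, not code from the paper or from Xilinx: a toy Feistel cipher stands in for AES-256, the command format and register names are hypothetical, and the tag is computed over the ciphertext as a simplification.

```python
import hashlib, hmac
BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def enc_block(key, blk):
    # Toy 4-round Feistel cipher standing in for AES-256 (assumption, not AES).
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r
def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for i in range(0, len(pt), BLOCK):
        out.append(enc_block(key, xor(pt[i:i + BLOCK], out[-1])))
    return b"".join(out[1:])
def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def tamper(ct, idx, old, new):
    # CBC malleability: XOR (old ^ new) into ciphertext block idx-1 so that
    # plaintext block idx decrypts to `new`; plaintext block idx-1 is garbled.
    s = (idx - 1) * BLOCK
    return ct[:s] + xor(ct[s:s + BLOCK], xor(old, new)) + ct[s + BLOCK:]

def load(key, mac_key, iv, ct, tag, verify_first):
    # verify_first=False models the flawed order: commands take effect as they
    # are decrypted, so a tag check afterwards cannot undo them.
    ok = hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag)
    if verify_first and not ok:
        raise ValueError("tag mismatch: nothing decrypted or interpreted")
    return cbc_decrypt(key, iv, ct), ok

# Constructed sample data (hypothetical command format and register names).
KEY, MAC_KEY, IV = b"k" * 32, b"m" * 32, bytes(16)
OLD, NEW = b"CMD WRITE REG_A".ljust(BLOCK), b"CMD WRITE REG_B".ljust(BLOCK)
PT = b"CMD NOP".ljust(BLOCK) + OLD + b"DATA 0123456789A"
CT = cbc_encrypt(KEY, IV, PT)
TAG = hmac.new(MAC_KEY, IV + CT, hashlib.sha256).digest()
```

With `verify_first=False` the altered command block is returned as executed even though the tag check fails; with `verify_first=True` the same input is rejected before any block is decrypted.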
The flaw cannot be patched
Since the attacks are based on flaws in the protocol, the researchers noted that any non-trivial change to the security protocol is not possible without a redesign of the FPGA hardware, and that such a redesign is currently not available for the 7-Series and Virtex-6 devices.
In addition to recommending that hardware developers subject the input data to cryptographic verification and use a patchable bitstream encryption engine (both already in place on Xilinx Zynq-7000, UltraScale and UltraScale+ devices), a number of countermeasures were proposed, such as implementing obfuscation schemes or patching the circuit board to use the FPGA’s Revision Select pins to prevent data from being read from the WBSTAR register.
We consider this a severe attack because (ironically) there is no way to patch the underlying silicon of the cryptographic protocol, the researchers concluded. We note that the 7-Series has a significant share of the FPGA market, which makes it even more difficult, if not impossible, to replace these devices.