Slashdot Mirror

← Back to Stories (view on slashdot.org)

FPGA Bitstream Security Broken

Posted by timothy on from the your-determined-foes-rub-their-hands-gleefully dept.

NumberField writes "Researchers in Germany released a pair of papers documenting severe power analysis vulnerabilities in the bitstream encryption of multiple Xilinx FPGAs. The problem exposes products using FPGAs to cloning, hardware Trojan insertion, and reverse engineering. Unfortunately, there is no easy downloadable fix, as hardware changes are required. These papers are also a reminder that differential power analysis (DPA) remains a potent threat to unprotected hardware devices. On the FPGA front, only Actel seems to be tackling the DPA issue so far, although their FPGAs are much smaller than Xilinx's."

90 comments

  1. Good or bad? by Hatta · · Score: 3, Interesting

    Is this the good kind of security breach, which enables end users to do new things with their FPGAs? Or the bad kind, that enables attackers to do malicious things with others FPGAs? Or both?

    --
    Give me Classic Slashdot or give me death!
    1. Re:Good or bad? by Anonymous Coward · · Score: 3, Informative

      If the encryption is cracked it can expose the core to reverse engineering as well as injecting malicious code. If the bitstream contains a soft processor and sw image it could really get interesting as it opens up another vector for getting malicious software onto the device in question.

    2. Re:Good or bad? by Anonymous Coward · · Score: 1

      Unless you're into industrial espionage or are Chinese (but I repeat myself), it's purely the bad kind.

    3. Re:Good or bad? by Maximum+Prophet · · Score: 1

      Mostly good. If the attacker can lay physical hands on your machine, most reasonable security people consider it compromised.

      This sounds like it makes it harder for manufacturers to TiVoize their products.

      --
      All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
    4. Re:Good or bad? by Anonymous Coward · · Score: 1

      Is this the good kind of security breach, which enables end users to do new things with their FPGAs? Or the bad kind, that enables attackers to do malicious things with others FPGAs? Or both?

      Both.

      FPGAs are used for a lot of stuff, so on the one hand, it could be used to decrypt media after purchasing it... but they're also used by hardware which transmits information most people want to be secure (as an example, many modern Gas/Electric meters use FPGAs to transmit encrypted usage information back to the utility for billing and use analysis. I think most people would agree that this data should be encrypted in transit, and this means that it can't be trusted 100%).

      The big issue is that this does require physical proximity, which means that MOST outcomes are going to be people hacking their own hardware, but even that could lead to issues - right now home Gas/Electric meters are trusted because the FPGA is strongly tamperproof and their encryption is thus secure. The first case of modification would lead to some fairly signifigant changes in the way utilities in many US cities work.

    5. Re:Good or bad? by Andy+Dodd · · Score: 3, Informative

      There's nothing about the Xilinx bitstream encryption that prevents you from loading in an unencrypted bitstream, or a new bitstream with a new key.

      Unfortunately it means that it's easier to compromise/clone/tamper with FPGA designs. FPGA cloning/tampering has been a big problem for Cisco as I understand it (counterfeit Cisco products).

      --
      retrorocket.o not found, launch anyway?
    6. Re:Good or bad? by Animats · · Score: 4, Informative

      Is this the good kind of security breach, which enables end users to do new things with their FPGAs? Or the bad kind, that enables attackers to do malicious things with others FPGAs? Or both?

      This attack is only useful when an FPGA is programmed by a third-party manufacturer using a canned encrypted bitstream provided by someone else. This is the case for many products nominally made by US, Japanese, or Taiwanese firms but actually built in China. The attack allows someone with access to the encrypted bitstream to recover the unencrypted bitstream, from which they can potentially reverse-engineer the device and make changes.

      An end user, who has only the programmed FPGA, can't do anything with this attack.

      For background, here's a short note on where this technology is used.

    7. Re:Good or bad? by Anonymous Coward · · Score: 1

      You are supplying full designs files: schematic, gerber file, firmware and FPGA loads to the contract manufacturer so that they can make legit products for you. What if someone at the factory decided to simply copy that data to a Flash drive and sell it to someone else? No amount of encryption is going to do you any good against that level of attack.

    8. Re:Good or bad? by Anonymous Coward · · Score: 0

      These folks are talking about Xilinx Virtex-II FPGAs. Virtex FPGAs (as most Xilinx FPGAs) are programmed via a external a memory/source (like a flash/prom or MPU) every time you cycle power to the FPGA. All the attacker has to do is monitor the applicable current and have enough time to hack it.

    9. Re:Good or bad? by harrkev · · Score: 3, Insightful

      Also, if you SELL products with FPGAs in them, it makes it harder to make a profit if somebody decides to reverse-engineer your stuff. Really, all this is good for is cracking into a design that somebody else made. Once you GET the actual bitstream, there are really two things that you can do with it...

      1) Make copies of the FPGA. Boards are not that hard to reverse-engineer, so you could copy somebody else's design completely.

      2) Reverse engineer the code. However, you will NOT have anything that would help you do this, like net names or hierarchies. This will make actual reverse-engineering in order to change something or learn something very challenging.

      This doe NOT make FPGAs any more useful, since you can easily download free development software from every FPGA vendor and put whatever you want on there. Really, the only thing that you CAN'T do with the free software is stuff related to licensed IP (processor cores, various controllers for things like Ethernet, SATA, etc.). While you COULD pull that out of an encrypted bitstream, using it without any sort of documentation or the configuration wizards would be very challenging and, 9 times out of 10, it is just easier to pony up the money to license the cores in the first place.

      --
      "-1 Troll" is the apparently the same as "-1 I disagree with you."
    10. Re:Good or bad? by Anonymous Coward · · Score: 0

      Mostly good. If the attacker can lay physical hands on your machine, most reasonable security people consider it compromised.

      By hands, do you mean human hands? Do robot hands qualify? What if the hand only has two fingers on it? What if instead of a hand, I use a long long wire connected to your memory bus? What if instead of the bus I move that wire over to say, near the NIC somewhere? Still compromised by convention? What if I point to the cable plugged into the NIC and say "See that? That's my wire." My wire happens to be over 1000 km long, and it takes a few stops at some routers, but I still have a wire to your box.

      The weird black-and-white distinction people make between network access and "physical access" (as if there's some way of accessing something that's not physical -- what is it, emotional access? telepathy?) is kind of dumb. That's the kind of closed-minded thinking that leads people into believing they've "secured" something.

    11. Re:Good or bad? by Anonymous Coward · · Score: 0

      Xilinx FPGAs are loaded from a serial rom upon power up. Being able to decode someone's rom and modify it is really bad fro security.

    12. Re:Good or bad? by Anonymous Coward · · Score: 0

      Mostly good. If the attacker can lay physical hands on your machine, most reasonable security people consider it compromised.

      By hands, do you mean human hands? Do robot hands qualify? What if the hand only has two fingers on it? What if instead of a hand, I use a long long wire connected to your memory bus? What if instead of the bus I move that wire over to say, near the NIC somewhere? Still compromised by convention? What if I point to the cable plugged into the NIC and say "See that? That's my wire." My wire happens to be over 1000 km long, and it takes a few stops at some routers, but I still have a wire to your box.

      The point is that it's entirely possible to secure a machine against being compromised via network access (to the very extreme case of removing it from any network) but physical access means game over. You don't have to move wires around because you can do anything you want to it, up to and including setting it on fire.

    13. Re:Good or bad? by Luckyo · · Score: 1

      Erm, USA is the hands down #1 in industrial espionage. Have no doubt about that, ever. If you do, look at what USA did to Russia during cold war. Things like the biggest pipeline explosion in the world caused by industrial espionage.

    14. Re:Good or bad? by Anonymous Coward · · Score: 0

      The pipeline explosion was due to Soviet industrial espionage which the USA caught and used for sabotage by feeding the Soviets bad software. Hardly a good example for US-led industrial espionage.

    15. Re:Good or bad? by Nrrqshrr · · Score: 1

      o hi! am year 2011, where the cold war ended and china is the copy/paste factory of the world. with love. xoxoxo kthxbye.

    16. Re:Good or bad? by Anonymous Coward · · Score: 1

      You are supplying full designs files: schematic, gerber file, firmware and FPGA loads to the contract manufacturer so that they can make legit products for you.

      ...and it's well known that the same manufacturers are building Cisco replicas *cough* huawei *cough*
      Not surprisingly they even have the same bugs.

    17. Re:Good or bad? by shoehornjob · · Score: 1

      LMAO now we're not just behind in manufacturing and test scores, we also trail behind what once was a third world country in espionage. Great. We're all going to hell.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    18. Re:Good or bad? by chrb · · Score: 1

      An end user, who has only the programmed FPGA, can't do anything with this attack.

      Not really. According the TFA, the majority of deployed systems utilise external memory for the bitstream, so an end user will be able to easily extract the bitstream. Also, many devices are now updatable via the internet - so the bitstream is accessible via web (or via satellite/cable, for Pay TV).

      "One of the disadvantages of FPGAs, especially with respect to custom hardware such as ASICs, is that an attacker who has access to the bitstream can clone the system and extract the intellectual property of the design. Note that the bitstream is in the vast majority of systems stored externally to the FPGA in a dedicated configuration memory and is from there loaded into the FPGA on every power-up or reset — an adversary wire-tapping the relevant data signals can hence easily monitor the bitstream. The main answer of the industry for protecting the design is a security feature called bitstream encryption."

    19. Re:Good or bad? by Anonymous Coward · · Score: 0

      These folks are talking about Xilinx Virtex-II FPGAs. Virtex FPGAs (as most Xilinx FPGAs) are programmed via a external a memory/source (like a flash/prom or MPU) every time you cycle power to the FPGA. All the attacker has to do is monitor the applicable current and have enough time to hack it.

      And that will get him an ENCRYPTED bitfile.
      The papers are talking about recovering encryption keys and decrypting the bitfiles.

    20. Re:Good or bad? by jp102235 · · Score: 1

      you could also modify the bitstream and release malicious code into a STB. another thing: sometimes these STB's are more 'trusted' because the engrs assume that the bitstream/designs in the FPGA are secure. Its a great place to put a trojan, monitor packets, etc. this is not a good thing. It will mean more expensive hardware in the future.

      --
      jp
    21. Re:Good or bad? by chrb · · Score: 2

      there are really two things that you can do with it... 2) Reverse engineer the code. However, you will NOT have anything that would help you do this, like net names or hierarchies. This will make actual reverse-engineering in order to change something or learn something very challenging.

      I think you underestimate the difficulty of number 2. I know I guy who figured out the bitstream format of a particular FPGA type that he was using so that he could write his own synthesis tools for research. It took him a couple of months, but he did it. There are now published papers on this topic From the bitstream to the netlist, A library and platform for FPGA bitstream manipulation, so it should be somewhat easier. There was even a tool called "debit" that disassembled the bitstream back to FPGA tools format, but it got censored. This exploit is a big deal. Every system that uses Xilinx FPGAs is now vulnerable. If you can get the bitstream, then you can decrypt it, modify it, and deploy it onto real devices. Some possibilities:

      • Pay TV hacking. Modify the bitstream to dump out the video encryption keys.
      • Those secure encryption PCI cards and credit card payment terminals can be modified to dump data (keys, pin codes).
      • Network switches can be modified to allow eavesdropping.
      • Mess with safety critical systems in some way to induce failure.

        Basically, any system that used a Xilinx FPGA to perform some task, before this exploit the FPGA was considered tamperproof and therefore "safe" - it could be handed critical tasks and trusted to do them and not leak data. Now, someone with physical or remote access to the system can upload altered code and change the behaviour.. the functions of the FPGA can no longer be trusted. The only limitation is that you need physical access to at least one device in order to extract the symmetric signing key.

    22. Re:Good or bad? by chrb · · Score: 2

      I think you underestimate the difficulty of number 2.

      Should obviously be "overestimate"...

    23. Re:Good or bad? by Hatta · · Score: 1

      An end user, who has only the programmed FPGA, can't do anything with this attack.

      If I understand correctly, the end user isn't threatened by this attack either then. The only thing the end user has to worry about is potentially getting a cloned device.

      --
      Give me Classic Slashdot or give me death!
    24. Re:Good or bad? by Anonymous Coward · · Score: 0

      By watching the device current DURING the configuration process over and over again they can recover the encryption key and thus decrypt the bitstream. Once they have the decrypted bitstream they can reverse the configuration.

    25. Re:Good or bad? by Anonymous Coward · · Score: 0

      bzzzt! wrong.

      TFA talks about monitoring the FPGA configuration current to recover the encryption key. Once they have the key it is a simple matter to apply it to the configuration BITSTREAM (not the bit file!). The bit file (.bit) is what the .mcs programming file is generated from with using iMPACT. Once they decrypt the bitstream they can reverse the FPGA configuration.

    26. Re:Good or bad? by Luckyo · · Score: 1

      You really don't understand what industrial espionage is, do you?

    27. Re:Good or bad? by drolli · · Score: 1

      Well on one hand i would appreciate that you have the freedom to reprogram HW build by somebody else (e.g. Cisco). On the other hand the most prominent reason to do so i can imagine for that would be HW trojan insertion. (You would have to verify the flashs contents with cisco after you bought a router)....

    28. Re:Good or bad? by Luckyo · · Score: 1

      Sure, and that means that smart people in intelligence most likely already fed them a whole lot of long-term critical errors that will bloom when needed.

    29. Re:Good or bad? by Luckyo · · Score: 1

      Reply comment got cut: If you want a more recent example of just how good West in general and US in particular is at industrial espionage, look at Stuxnet-Natanz issue.

    30. Re:Good or bad? by Anonymous Coward · · Score: 0

      If you had known anything at all about FPGAs you had known that physical access in this case might mean "the ability to solder wires to the legs of a serial memory on the PCB"
      The bitstream encryption had one purpose alone; to make the firmware unreadable by everyone but the FPGA. It did not prevent uploading of new firmware by anyone else and unless the developers added something to make it possible to write the memory from the network then physical access is the only means to load new firmware.

    31. Re:Good or bad? by Man+On+Pink+Corner · · Score: 2

      Heck, a modern DSO will even decode the I2C bitstream for you. Even if it's encrypted, the data can still be copied.

      The Chinese have proven capable of cloning a whole goddamned Apple store, so I don't imagine a serial EEPROM is going to cause them too much grief. As a culture, they seem to be happy to invest amounts of money and effort to copy our stuff that could otherwise have been used to compete legitimately. Go figure...

    32. Re:Good or bad? by munozdj · · Score: 1

      There's nothing about the Xilinx bitstream encryption that prevents you from loading in an unencrypted bitstream, or a new bitstream with a new key.

      Unfortunately it means that it's easier to compromise/clone/tamper with FPGA designs. FPGA cloning/tampering has been a big problem for Cisco as I understand it (Huawei products).

      ftfy

      --
      Democracy: Crowdsourcing a country near you
    33. Re:Good or bad? by petermgreen · · Score: 1

      Afaict the silicon processes that make good high speed logic do not make good EEprom/flash and vice-versa. So high end processors and FPGAs tend to have little to no programable areas on the chip and rely on reading their code from a seperate device.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    34. Re:Good or bad? by Anonymous Coward · · Score: 0

      Cloned and modified, yes. Theoretically, it's possible to put some sort of malware in there, though obviously in typical FPGA applications there's not necessarily much an evil device can do.

    35. Re:Good or bad? by tibit · · Score: 1

      Bzzzt, no. The encrypted data is tied to each chip's unique identifier. Each of those EEPROMs is programmed with a unique image, AFAIK.

      --
      A successful API design takes a mixture of software design and pedagogy.
    36. Re:Good or bad? by ngg · · Score: 1

      This is true, but there isn't really any technical reason Xilinx (or any other FPGA manufacturer) can't ship a hybrid IC (one with multiple dies in the same package).

    37. Re:Good or bad? by jp102235 · · Score: 1

      help me out with that link to the fpga bitstream library at Berkeley, its giving me a 404-like response, surely it's not slash dotted.

      --
      jp
    38. Re:Good or bad? by Anonymous Coward · · Score: 0

      For point 1: nope, won't be that easy.

      So you have a bitstream. And an 'easy' copy of the PCB done and, then, had all the other ancilliary chips soldered-on... And then what? Have you heard of system integration? Product configuration? Q/A? A bitstream is only a tiny fraction of the complete product.

      Do you have any idea of the shear complexity of a Cisco router? You would still have to program all the e2proms, configure the zillion things (ever heard of laser tuning? or calibration? or even simpler: power supply turn-on sequence delays that needs to be programed from the JTAG chain after assembly). Getting the hardware built from the CAD files is the easy part. Putting the complete thing to usefull work in a system is what is difficult.

      Chances are there is a complete set of jigs, programs, testbeds, performance checks, config, etc that is required for any product that bears a big FPGA... These things are expensive, you need a product with huge margins (read complexity) to justify putting a chip worth a few thousand bucks in there.

      Of course, some contract manufacturer could also have access to all this plus all the training to assemble, configure and test... And that could be leaked as well. But my point is still valid: an FPGA bitstream is only a small fraction of the total product. So small that it is mostly irrelevant when considering the complete chain to produce a successfull clone.

      Think of it this way: any single tiny problem in one specific area can turn the product into a brick (or worse: think 50A draw on a 1.8 volt feed)... What are your chances of getting everything right, let alone on the first 10 passes? Production runs are never 100% right on the best products. Boards made with complex FPGAs have thousands of components! They all have a little thing here and there that needs fixing so that the board works. How are you going to fix these to get even to the first few stages of FPGA boot-up? Ah, I forgot the boot sequence. Don't even get me started on board specific micro-code that would run in a sw core in the corner of this little spartan here or the mac address that needs to get sent to those little chips there so that the debug console starts breathing some life...

      Good luck probing the pins on production boards as well to make sense of it all. You might get lucky and find a few termination resistors but what will you do with blind vias and other weird fanouts around those big column grid arrays... Trying to read anything meaningfull on a logic analyser will be a treat with the current limit of the power supply motorboating in and out!

      Probably would be as long as starting a new design from scratch. You might be able to reuse 70% of the BOM if you are lucky!

      For point 2: We agree. See of nands and ratsnets! Yummy!

    39. Re:Good or bad? by Man+On+Pink+Corner · · Score: 1

      That sounds like a real pain in the neck for manufacturing, but if that's how it works, I can see how it might slow down the cloners. Until now, anyway.

    40. Re:Good or bad? by JackDW · · Score: 1

      Actually the FPGA stores the AES key in battery-backed RAM. The AES key is therefore just as reprogrammable as the FPGA itself. In a typical application, every EEPROM is programmed with the same image, and every FPGA is programmed with the same key.

      To avoid allowing an untrusted manufacturer access to the AES key, you might decide to have the boards manufactured and populated in one place, and then sent to your main office for the final key-programming stage.

      --
      You're an immobile computer, remember?
    41. Re:Good or bad? by Barryke · · Score: 1

      No you are wrong. The sabotage was counter-intelligence, Soviets where spying an US-based company.

      --
      Hivemind harvest in progress..
    42. Re:Good or bad? by AmiMoJo · · Score: 1

      You have to understand that Chinese people don't consider copies to be inferior to the original, at least not automatically. And by "inferior" I mean both in terms of quality and desirability. My Chinese friends all love to chat about how all of their clothes are just copies of famous brands.

      It works pretty well. Someone who buys £5 jeans isn't going to pony up £100 for some designer ones just because you shut down the factory making copies.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    43. Re:Good or bad? by chrb · · Score: 1

      berkeley. Also see section 3 of this.

    44. Re:Good or bad? by jp102235 · · Score: 1

      and my advisor says slashdot is a waste of time. thanks for the links, they are immensely useful.

      --
      jp
    45. Re:Good or bad? by chrb · · Score: 1

      If you are actually doing research on bitstreams there's some more recent stuff - Florian Benz, his thesis is "Reverse Engineering the FPGA Bitstream Format" (not yet published?) and from the same research group Andreas Marinopoulos "Reverse Engineering of FPGA Netlists" 2010. Florian posted to some FPGA groups a few months ago saying he was wanting to publish his library as open source, but I didn't find it anywhere yet. I suspect if you emailed him he would provide you with a copy.

    46. Re:Good or bad? by jp102235 · · Score: 1

      yea, I am in this area, I'll see if I can a look at the manuscript, thanks! I am looking to make constructs on FPGA's that the EDA crapware won't allow, at least with some elegance / automation. Ive been forced to make my undergrad student use xilinx's "fpga editor" - although it works for what we are doing, it is tedious and not very repeatable or scriptable. why are these companies so fearful to release the specs on the bitstream / architecture?

      --
      jp
  2. Alright, someone help by Anonymous Coward · · Score: 1

    I like to think I'm pretty technical, but this article was fucking martian to me. Anyone care to translate? (Posting anon so I can mod-up helpful replies.)

    1. Re:Alright, someone help by Anonymous Coward · · Score: 4, Informative

      As transistors switch they create little glitches in the power supply, or rather they consume a little more or less current than at the previous steady state (where steady state may be nanoseconds long). By correctly interpreting the changes in current consumption the encryption key can be read.

      For the car analogy (this is slashdot after all) think of it as monitoring fuel flow to extrapolate acceleration, speed and distance.

    2. Re:Alright, someone help by Anonymous Coward · · Score: 5, Informative

      An FPGA is sort of like a PROM except that instead of memory circuits you program logic circuits into it.

      If this hack allows people to reverse-engineer the chip, they can basically dump its logic diagram, which means that they could copy it. As I understand it, it's normally pretty hard to reverse-engineer a microchip, so this is a pretty significant breakthrough.

    3. Re:Alright, someone help by Anonymous Coward · · Score: 0

      This hack has nothing to do with reverse engineering of the "chip". It only helps with recovering the encryption keys, and that will let you decrypt the bitstreams.
      It is very difficult to reverse engineer the bitsreams to recover the logic blocks/ IPs. But if you only intend to clone the design then you don't need to reverse engineer the bitfile if it is already un-encrypted. Just program the same bitfile to your own FPGA boards.

    4. Re:Alright, someone help by atrus · · Score: 1

      Note that most FPGAs (and all of Xilinx's) are SRAM based - the bitstream has to generally be loaded from an external memory IC at boot-time.

    5. Re:Alright, someone help by Laser+Dan · · Score: 2

      Note that most FPGAs (and all of Xilinx's) are SRAM based - the bitstream has to generally be loaded from an external memory IC at boot-time.

      Not true, the Xilinx Spartan-3AN can store the bitstream in internal flash memory.
      That is the only family with that feature though.

    6. Re:Alright, someone help by atrus · · Score: 1

      Technology progress leaves us all in the dust :)

  3. DPA protection is patented... by kbonin · · Score: 2

    An interesting blurb from the Actel linked page:

    Many of the fundamental techniques used to defend against DPA and other side-channel attacks are patented by Cryptography Research, Inc. ... One of CRI's businesses today is licensing this portfolio of very fundamental patents. Nearly all the secure microcontrollers used in smart cards, set-top boxes, SIM cards for GSM phones and Trusted Platform Modules (TPM) for personal computers are built under license to CRI, amounting to about 4.5 billion chips per year in total.

    Yet another critical set of concepts which should be obvious to anyone working in the field locked behind a paywall due to USPTO incompetence and/or malfeasance...

    1. Re:DPA protection is patented... by Anonymous Coward · · Score: 0

      That is only relevant, if you give a fuck about the mental delusion one could "own" information.
      And only criminals and their cattle would do that.

      So in reality, there is of course nothing stopping anyone. Unless you cave to extortion. But as anyone knows, if you have caved, they only know that they can definitely abuse you, and so will do it as early and as often as possible.

    2. Re:DPA protection is patented... by bws111 · · Score: 4, Insightful

      Yet another idiot who doesn't understand the simple fact that the 'obvious' test is applied BEFORE the patent is public. Of course it is 'obvious' AFTER the patent is public. If you asked 100 people working in the field how to "defend against DPA and other side-channel attacks" BEFORE the patent (or anything using the patent, or any papers based on the patent, etc) was public, what percentage of them would have come up with the EXACT SAME WAY (not 'general concepts', the exact methods used) that CR did? It had better be very close to 100% if you are going to claim 'obvious'. If you ask these same 100 people AFTER the patent is public, 99 of them will claim that the CR method is 'obvious'.

    3. Re:DPA protection is patented... by Anonymous Coward · · Score: 0

      Considering the CRI is the group that pretty much invented the DPA attack in the first place, I'm guessing a lot of their patents are not all that obvious.

  4. they would have to add additional circuitry... by mrflash818 · · Score: 2

    ...to try to keep the power consumption constant, therefore not giving hints, if I understand correctly.

    --
    Uh, Linux geek since 1999.
    1. Re:they would have to add additional circuitry... by Anonymous Coward · · Score: 4, Insightful

      There is only so much you can do. We put a fair amount of power supply filtering around FPGAs because of the switching noise, but the cost in board space and materials to make the switching undetectable would be astronomical. As HW engineers we're always asked to cram a little more in that space, and "do you really need that many capacitors?"

      The company I work for (and the reason I'm posting anonymously) uses a bunch of FPGAs per board with man-years of code invested into them, and we usually use Xilinx parts. It's relatively trivial to get the bitstreams from our systems which hasn't bothered us since they're encrypted (or I guess they used to be).

  5. vulnerable by alphatel · · Score: 1

    So maybe a little transistor meant to do one thing is not incredibly secure. But the Russians are going to start writing malicious code that waits for FPGA users to visit hacking urls and then download exploits to their servers?

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
    1. Re:vulnerable by Anonymous Coward · · Score: 0

      So maybe a little transistor meant to do one thing is not incredibly secure. But the Russians are going to start writing malicious code that waits for FPGA users to visit hacking urls and then download exploits to their servers?

      FPGAs are often placed in consumer devices and connected to a network (both internal and external networks). If a bitstream is decrypted, modified and passed off as a real update to that device the device can be exploited. My company puts many networked FPGAs in our systems, most of these FPGAs contain a "soft processor" which is a processor coded into the FPGA fabric. Most of those processors are running Linux and are connected to high speed networks. The Linux image is loaded into RAM along with the firmware bitstream and then it boots. So not only can the firmware be hacked, but so can software...I'll bet most of the software to enable exploits or distributed attacks can already compile for the soft processor. Then you have a powerful OS that can be exploited relatively easily and will operate without detection, because after all who checks for exploits on their appliances?

    2. Re:vulnerable by Anonymous Coward · · Score: 0

      stuxnet anyone?

  6. What does it mean? by Anonymous Coward · · Score: 0

    I didn't really understood what this means, but from reading a cople paragraphs from the papers it sounds like the FPGAs are protected using a triple DES module and the attackers were able to get the keys, what allows "full access" to the hardware (it comes partially locked to prevent IP infringing and some kinds of modification). So overall it sounds like it is a "good" hack, the kind that allows full hardware access to the hardware you bought. Please someone correct me if I'm wrong or there is any harmfull application for this hack (remote access and hw trojan integration into networked devices using those FPGAs or similar).

  7. I'm not a hardware person... by I+Read+Good · · Score: 1

    but I am a security person. The way I understand it, these keys are different for each individual device. Also, the attack requires direct physical access to the device. As a customer, wouldn't all potential threats require a physical security breach? Forgive me if I'm mistaken I'm not entirely sure I understand how/where these things are implemented. It seems like they're mostly used in switches and routers and things. If someone is poking at the power supplies on your switches and routers, I'd imagine that this vulnerability doesn't rank very high on your list of problems.

    1. Re:I'm not a hardware person... by Anonymous Coward · · Score: 0

      I'm not a security person, but it seems to me that the private keys are identical for FPGAs with the same part number. So if you have a XC6SLX45T, the private keys would be identical for all XC6SLX45Ts, but not necessarily for XC6SLX45s. Identical FPGAs need to decrypt the same bitstream, you don't generate a new bitstream for each appliance you ship, just for each model.

      If this is the case, then merely getting the evaluation kit for a given FPGA is enough to extract the private keys for the FPGA. I'd be willing to bet that the manufacturers don't generate seperate private keys for each model of FPGA. So if you extract the keys you've likely gotten the keys for the entire line. Given that the dev kit can be obtained for a couple hundred dollars (or borrowed from Avnet or Arrow) it's relatively easy to get what you need for the job.

    2. Re:I'm not a hardware person... by Anonymous Coward · · Score: 0

      No, the keys are not dependent on the FPGA part number but are pre-programmed into the FPGA by the user/company themselves before hand (e.g using JTAG). There is no way to read back the keys programmed, but can be reprogrammed to something else.

  8. I think I understand, but... by mrflash818 · · Score: 2

    I am referring to adding circuitry into the FPGA's themselves, so that the current consumption cannot be as easily used for side-channel attacks.

    In a sense, think of adding additional NOT gates, within the FPGA itself, and their only purpose would be to always have the combination of an actual [data line + NOT] provide a sum of constant power consumption wherever the FPGA is doing anything that might leak side-channel info. None of the NOT gates would actually be part of processing actual data. At least, that is an idea of what kind of approaches they could try.

    --
    Uh, Linux geek since 1999.
    1. Re:I think I understand, but... by Anonymous Coward · · Score: 1

      Adding that into an FPGA still adds cost and takes room, if you put inverting gates to drive equivalent loads that reduces the number of resources available for the job. Therefore I have to pay more to get and FPGA that will do what I want. Then there's the unfortunate reality of real circuits. The two gates will never be perfectly timed and so as a result there will still be small glitches on the power supply. This becomes a race to security through obscurity which is only effective if it is the last step on top of a lot of other good security. I'm not a security guy, but I don't see a way to put secret keys in the device without leaking them somehow. Maybe we can use certificates much like HTTPS.

    2. Re:I think I understand, but... by man+machine · · Score: 1

      This won't work because you will still information leaked when the bits are toggling vs. not toggling. The reason for that is that the logic (CMOS gates in particular) generates power spikes when a a bit toggles. That needs to be addressed.

      See here: http://en.wikipedia.org/wiki/Cmos#Power:_switching_and_leakage

    3. Re:I think I understand, but... by garyebickford · · Score: 1

      IANA EE, but ... include an additional circuit that switches randomly, imposing a random element on the current flow - if you have some gate space left over from doing the real work.

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
  9. the first paper by bugs2squash · · Score: 1

    gives a reasonable description of what all of this means, but it seems to me that xilinx are approaching this wrongly.
    They should create a chain of trust and sign vendors certificates (or for large production runs allow purchasers to do so). The FPGA would only accept a signed bitstream that can be traced back to a particular vendor. All new FPGAs should have a burned in CRL and a burned in xilinx-signed certificate in ROM. That would allow mutual authentication at least. you can layer encryption on top of that if you wish, it is, after all, an FPGA, especially a high-end FPGA like a virtex is an expensive programmable device.
    I see no reason why the new FPGAs should differ in pinout or other specs aside from fixing their crypto algorithms to make them less susceptable to DPA, so this problem will eventually become obsolete as new boards use the new parts with no hardware re-design.

    --
    Nullius in verba
  10. Satellite CAMs by Anonymous Coward · · Score: 0

    These aren't used as part of the "secrets box" of any satellite/cable system CAMs by any chance, are they?

    1. Re:Satellite CAMs by Anonymous Coward · · Score: 0

      These aren't used as part of the "secrets box" of any satellite/cable system CAMs by any chance, are they?

      CAMs do not use FPGAs, however given that the private keys are likely stored on the CAM it is probably open to the same sort of attack.

  11. OK do not get this by Anonymous Coward · · Score: 0

    CIA had a project in the mid 80's to do precise this, So how this is news?

  12. General concepts by tepples · · Score: 1

    what percentage of them would have come up with the EXACT SAME WAY (not 'general concepts', the exact methods used) that CR did?

    People who complain on Slashdot about the USPTO's examination process are under the impression that inventors manage to score patents on "general concepts".

    1. Re:General concepts by kbonin · · Score: 2

      Not everyone who complains on Slashdot is naive on patent realities, and the problem is real and ugly.

      Aside from the legal fiction of the PHOSITA (Person Having Ordinary Skill In The Art), the intent of this clause by the framers was that it should not be possible for anyone to obtain a patent on something that would be obvious to someone working in the field.

      In this specific case, once the feasibility of power vector side channel attacks was understood, any ideas that should have been obvious to someone having ordinary skill in the applicable fields (cryptanalysis of side channels, EE, FPGA layout internals) should not be patentable.

      While credit must be given to researches who discovered these attack vectors, the fact remains that the patents they obtained are broad enough to intersect essentially every idea a PHOSITA would come up with. While it is possible to interpret claims narrowly through the context of the background and description, juries often (especially in East Texas) fail to narrow interpretations sufficiently, and just attempting just a narrow interpretation will still cost you $1-3M in legal fees.

      If your job includes evaluation of risk of patent infringement (which mine does, for one of the worlds largest companies) then you would understand that the combination of lowering the bar on "obvious" and "prior art", along with the challenges that venue shopping presents, have created a situation where it has become nearly impossible to do anything interesting without infringing many patents that should NOT have been issued.

    2. Re:General concepts by Anonymous Coward · · Score: 0

      The founder of CRI is the guy who found side channel attacks. He published the original paper. Look it up. The names on the paper are Kocher, Jaffe, and Jun. He then patented the countermeasures before anyone else knew about them. Therefore, when he patterned them, it was not common knowledge.

      So the credit WAS given to the researchers who discovered the attack vectors. Your argument is invalid, because the people who you are arguing should be getting the money ARE GETTING THE MONEY!

    3. Re:General concepts by kbonin · · Score: 3, Interesting

      You miss the point - the researchers discovered an application of the laws of physics to cryptanalysis. Cool, interesting, but not inherently patentable. Then they patented every way to fix that problem, many of which would be obvious to someone skilled in the art.

      If I discover that 1+2 = 3, I cannot patent that equation. If I discover an application of that equation to a physical problem, the intent of the framers in patent law was that only a non obvious application may be patented. The fact that they discovered the problem doesn't (at least by law) eliminate or nullify the PHOSITA requirement.

      The researchers found a hard to find problem, then patented the obvious solutions to that problem.

      This is one of the problem with patents in general - patents are being issued where the person "skilled in the art", i.e. someone who has the same degree of specialization, would have developed the same solution, and the USPTO no longer makes a reasonable effort to prevent that.

    4. Re:General concepts by Anonymous Coward · · Score: 0

      So you're a cryptography and electronics expert, I gather, or else how do _you_ judge obviousness of this patent?

      What I see here is the classic application of patents - they researched a thing, made improvements to current technology based on their findings and published their invention in exchange for time-limited monopoly.

      Just like Watt, say, did with steam engine.

  13. Signing for evaluation kits by tepples · · Score: 1

    The FPGA would only accept a signed bitstream that can be traced back to a particular vendor.

    How would the user of an evaluation kit sign a bitstream for such an FPGA?

    1. Re:Signing for evaluation kits by bugs2squash · · Score: 1

      Presumably the manufacturers of the FPGA would provide parts for dev kits (or for customers that don't care) that will accept any self-signed certificate.
      They already provide devices with lots of different options, the certificate options would only add a few more {xilinx CA, any CA acceptable, customer-1 CA, customer2 CA} etc. with parts accepting customerX CA only available to customer X. For all I care, they could provide them for programming by anything with a verisign certificate if they wanted to or any combination of different CAs. The acceptable CA descriptions, like the certificate revocations don't take up much room and one can fit a lot of ROM on a die

      --
      Nullius in verba
  14. This reminds me of the Stuxnet Attack by ygtai · · Score: 1

    The very well written story How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History on Wired.com describes an attack on an Iranian nuclear plant through inserting frequency changing commands sent to the PLC to damage centrifuges. The papers the OP mentioned are probably something very important if encrypted FPGA bit streams can indeed be meaningfully tampered with easily.

  15. Hello by Colourspace · · Score: 1

    7 year Altera person here. Your'e bitstream got compromised? your chip is copied.

  16. Smaller process geometry FTW? by Anonymous Coward · · Score: 0

    "The main difference was that the attack on Virtex 5 FPGAs
    required more power traces to be successful, which is mostly
    due to a worse signal-to-noise ratio due to a newer process
    technology (i.e., 65nm instead of 90nm). For the attack to
    work we applied a bandpass filter on our measured traces.
    Furthermore, we were able to improve our analysis method
    by removing all phase shifts from the measured traces using
    an additional FFT preprocessing step."

    Cool papers.. I wonder how this scales on V6 and V7?

  17. "Terminators..." by Anonymous Coward · · Score: 1

    Remember kids: FPGA's are used in robotics... so, see subject-line above & beware!

    ("Muahahahaha" mad-scientist laughter & "SiNiSteR" sounding organ music plays...)

    APK

    P.S.=> On a more serious note though - this MAY have "security-implications" on the note of robotics, one day in the future - Hence the subject-line I used...

    ... apk

  18. Software's Reality by Anonymous Coward · · Score: 0

    Oh no! GASP!!

    The "machine code" (bitstream) of the "software" (hardware) is available to reverse engineer!!?!?!

    Welcome to software's reality. Get over it, or die trying.

  19. It even goes back to the Industrial Revolution by garyebickford · · Score: 1

    Back in the late 1700s, the technology behind the textile industry (spinning, looms) was a British state secret. Nobody who had been trained in the technology was allowed to leave Britain. Samuel Slater dressed as a girl, sailed to America, and replicated the British technology. That was a big part of the beginning of the American Industrial Revolution, and the beginning of the end of the British monopoly on cheap textiles.

    Some of the mills built in the early 1800s in New England still stand. Of course, the textile industry has moved on - the New England mills started going out of business throughout the 20th century. But in the meantime that industry was a big part of the American economy, politics (directly affecting the reason for and course of the Civil War, for example).

    One wonders just what the US would be like had Slater not stolen the British technology.

    --
    It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/