Slashdot Mirror

← Back to Stories (view on slashdot.org)

FPGA Bitstream Security Broken

Posted by timothy on from the your-determined-foes-rub-their-hands-gleefully dept.

NumberField writes "Researchers in Germany released a pair of papers documenting severe power analysis vulnerabilities in the bitstream encryption of multiple Xilinx FPGAs. The problem exposes products using FPGAs to cloning, hardware Trojan insertion, and reverse engineering. Unfortunately, there is no easy downloadable fix, as hardware changes are required. These papers are also a reminder that differential power analysis (DPA) remains a potent threat to unprotected hardware devices. On the FPGA front, only Actel seems to be tackling the DPA issue so far, although their FPGAs are much smaller than Xilinx's."

18 of 90 comments (clear)

  1. Good or bad? by Hatta · · Score: 3, Interesting

    Is this the good kind of security breach, which enables end users to do new things with their FPGAs? Or the bad kind, that enables attackers to do malicious things with others FPGAs? Or both?

    --
    Give me Classic Slashdot or give me death!
    1. Re:Good or bad? by Anonymous Coward · · Score: 3, Informative

      If the encryption is cracked it can expose the core to reverse engineering as well as injecting malicious code. If the bitstream contains a soft processor and sw image it could really get interesting as it opens up another vector for getting malicious software onto the device in question.

    2. Re:Good or bad? by Andy+Dodd · · Score: 3, Informative

      There's nothing about the Xilinx bitstream encryption that prevents you from loading in an unencrypted bitstream, or a new bitstream with a new key.

      Unfortunately it means that it's easier to compromise/clone/tamper with FPGA designs. FPGA cloning/tampering has been a big problem for Cisco as I understand it (counterfeit Cisco products).

      --
      retrorocket.o not found, launch anyway?
    3. Re:Good or bad? by Animats · · Score: 4, Informative

      Is this the good kind of security breach, which enables end users to do new things with their FPGAs? Or the bad kind, that enables attackers to do malicious things with others FPGAs? Or both?

      This attack is only useful when an FPGA is programmed by a third-party manufacturer using a canned encrypted bitstream provided by someone else. This is the case for many products nominally made by US, Japanese, or Taiwanese firms but actually built in China. The attack allows someone with access to the encrypted bitstream to recover the unencrypted bitstream, from which they can potentially reverse-engineer the device and make changes.

      An end user, who has only the programmed FPGA, can't do anything with this attack.

      For background, here's a short note on where this technology is used.

    4. Re:Good or bad? by harrkev · · Score: 3, Insightful

      Also, if you SELL products with FPGAs in them, it makes it harder to make a profit if somebody decides to reverse-engineer your stuff. Really, all this is good for is cracking into a design that somebody else made. Once you GET the actual bitstream, there are really two things that you can do with it...

      1) Make copies of the FPGA. Boards are not that hard to reverse-engineer, so you could copy somebody else's design completely.

      2) Reverse engineer the code. However, you will NOT have anything that would help you do this, like net names or hierarchies. This will make actual reverse-engineering in order to change something or learn something very challenging.

      This doe NOT make FPGAs any more useful, since you can easily download free development software from every FPGA vendor and put whatever you want on there. Really, the only thing that you CAN'T do with the free software is stuff related to licensed IP (processor cores, various controllers for things like Ethernet, SATA, etc.). While you COULD pull that out of an encrypted bitstream, using it without any sort of documentation or the configuration wizards would be very challenging and, 9 times out of 10, it is just easier to pony up the money to license the cores in the first place.

      --
      "-1 Troll" is the apparently the same as "-1 I disagree with you."
    5. Re:Good or bad? by chrb · · Score: 2

      there are really two things that you can do with it... 2) Reverse engineer the code. However, you will NOT have anything that would help you do this, like net names or hierarchies. This will make actual reverse-engineering in order to change something or learn something very challenging.

      I think you underestimate the difficulty of number 2. I know I guy who figured out the bitstream format of a particular FPGA type that he was using so that he could write his own synthesis tools for research. It took him a couple of months, but he did it. There are now published papers on this topic From the bitstream to the netlist, A library and platform for FPGA bitstream manipulation, so it should be somewhat easier. There was even a tool called "debit" that disassembled the bitstream back to FPGA tools format, but it got censored. This exploit is a big deal. Every system that uses Xilinx FPGAs is now vulnerable. If you can get the bitstream, then you can decrypt it, modify it, and deploy it onto real devices. Some possibilities:

      • Pay TV hacking. Modify the bitstream to dump out the video encryption keys.
      • Those secure encryption PCI cards and credit card payment terminals can be modified to dump data (keys, pin codes).
      • Network switches can be modified to allow eavesdropping.
      • Mess with safety critical systems in some way to induce failure.

        Basically, any system that used a Xilinx FPGA to perform some task, before this exploit the FPGA was considered tamperproof and therefore "safe" - it could be handed critical tasks and trusted to do them and not leak data. Now, someone with physical or remote access to the system can upload altered code and change the behaviour.. the functions of the FPGA can no longer be trusted. The only limitation is that you need physical access to at least one device in order to extract the symmetric signing key.

    6. Re:Good or bad? by chrb · · Score: 2

      I think you underestimate the difficulty of number 2.

      Should obviously be "overestimate"...

    7. Re:Good or bad? by Man+On+Pink+Corner · · Score: 2

      Heck, a modern DSO will even decode the I2C bitstream for you. Even if it's encrypted, the data can still be copied.

      The Chinese have proven capable of cloning a whole goddamned Apple store, so I don't imagine a serial EEPROM is going to cause them too much grief. As a culture, they seem to be happy to invest amounts of money and effort to copy our stuff that could otherwise have been used to compete legitimately. Go figure...

  2. Re:Alright, someone help by Anonymous Coward · · Score: 4, Informative

    As transistors switch they create little glitches in the power supply, or rather they consume a little more or less current than at the previous steady state (where steady state may be nanoseconds long). By correctly interpreting the changes in current consumption the encryption key can be read.

    For the car analogy (this is slashdot after all) think of it as monitoring fuel flow to extrapolate acceleration, speed and distance.

  3. Re:Alright, someone help by Anonymous Coward · · Score: 5, Informative

    An FPGA is sort of like a PROM except that instead of memory circuits you program logic circuits into it.

    If this hack allows people to reverse-engineer the chip, they can basically dump its logic diagram, which means that they could copy it. As I understand it, it's normally pretty hard to reverse-engineer a microchip, so this is a pretty significant breakthrough.

  4. DPA protection is patented... by kbonin · · Score: 2

    An interesting blurb from the Actel linked page:

    Many of the fundamental techniques used to defend against DPA and other side-channel attacks are patented by Cryptography Research, Inc. ... One of CRI's businesses today is licensing this portfolio of very fundamental patents. Nearly all the secure microcontrollers used in smart cards, set-top boxes, SIM cards for GSM phones and Trusted Platform Modules (TPM) for personal computers are built under license to CRI, amounting to about 4.5 billion chips per year in total.

    Yet another critical set of concepts which should be obvious to anyone working in the field locked behind a paywall due to USPTO incompetence and/or malfeasance...

    1. Re:DPA protection is patented... by bws111 · · Score: 4, Insightful

      Yet another idiot who doesn't understand the simple fact that the 'obvious' test is applied BEFORE the patent is public. Of course it is 'obvious' AFTER the patent is public. If you asked 100 people working in the field how to "defend against DPA and other side-channel attacks" BEFORE the patent (or anything using the patent, or any papers based on the patent, etc) was public, what percentage of them would have come up with the EXACT SAME WAY (not 'general concepts', the exact methods used) that CR did? It had better be very close to 100% if you are going to claim 'obvious'. If you ask these same 100 people AFTER the patent is public, 99 of them will claim that the CR method is 'obvious'.

  5. they would have to add additional circuitry... by mrflash818 · · Score: 2

    ...to try to keep the power consumption constant, therefore not giving hints, if I understand correctly.

    --
    Uh, Linux geek since 1999.
    1. Re:they would have to add additional circuitry... by Anonymous Coward · · Score: 4, Insightful

      There is only so much you can do. We put a fair amount of power supply filtering around FPGAs because of the switching noise, but the cost in board space and materials to make the switching undetectable would be astronomical. As HW engineers we're always asked to cram a little more in that space, and "do you really need that many capacitors?"

      The company I work for (and the reason I'm posting anonymously) uses a bunch of FPGAs per board with man-years of code invested into them, and we usually use Xilinx parts. It's relatively trivial to get the bitstreams from our systems which hasn't bothered us since they're encrypted (or I guess they used to be).

  6. I think I understand, but... by mrflash818 · · Score: 2

    I am referring to adding circuitry into the FPGA's themselves, so that the current consumption cannot be as easily used for side-channel attacks.

    In a sense, think of adding additional NOT gates, within the FPGA itself, and their only purpose would be to always have the combination of an actual [data line + NOT] provide a sum of constant power consumption wherever the FPGA is doing anything that might leak side-channel info. None of the NOT gates would actually be part of processing actual data. At least, that is an idea of what kind of approaches they could try.

    --
    Uh, Linux geek since 1999.
  7. Re:General concepts by kbonin · · Score: 2

    Not everyone who complains on Slashdot is naive on patent realities, and the problem is real and ugly.

    Aside from the legal fiction of the PHOSITA (Person Having Ordinary Skill In The Art), the intent of this clause by the framers was that it should not be possible for anyone to obtain a patent on something that would be obvious to someone working in the field.

    In this specific case, once the feasibility of power vector side channel attacks was understood, any ideas that should have been obvious to someone having ordinary skill in the applicable fields (cryptanalysis of side channels, EE, FPGA layout internals) should not be patentable.

    While credit must be given to researches who discovered these attack vectors, the fact remains that the patents they obtained are broad enough to intersect essentially every idea a PHOSITA would come up with. While it is possible to interpret claims narrowly through the context of the background and description, juries often (especially in East Texas) fail to narrow interpretations sufficiently, and just attempting just a narrow interpretation will still cost you $1-3M in legal fees.

    If your job includes evaluation of risk of patent infringement (which mine does, for one of the worlds largest companies) then you would understand that the combination of lowering the bar on "obvious" and "prior art", along with the challenges that venue shopping presents, have created a situation where it has become nearly impossible to do anything interesting without infringing many patents that should NOT have been issued.

  8. Re:General concepts by kbonin · · Score: 3, Interesting

    You miss the point - the researchers discovered an application of the laws of physics to cryptanalysis. Cool, interesting, but not inherently patentable. Then they patented every way to fix that problem, many of which would be obvious to someone skilled in the art.

    If I discover that 1+2 = 3, I cannot patent that equation. If I discover an application of that equation to a physical problem, the intent of the framers in patent law was that only a non obvious application may be patented. The fact that they discovered the problem doesn't (at least by law) eliminate or nullify the PHOSITA requirement.

    The researchers found a hard to find problem, then patented the obvious solutions to that problem.

    This is one of the problem with patents in general - patents are being issued where the person "skilled in the art", i.e. someone who has the same degree of specialization, would have developed the same solution, and the USPTO no longer makes a reasonable effort to prevent that.

  9. Re:Alright, someone help by Laser+Dan · · Score: 2

    Note that most FPGAs (and all of Xilinx's) are SRAM based - the bitstream has to generally be loaded from an external memory IC at boot-time.

    Not true, the Xilinx Spartan-3AN can store the bitstream in internal flash memory.
    That is the only family with that feature though.