Two Xilinx Field Programmable Gate Arrays (FPGAs) products have a critical vulnerability dubbed “Starbleed” that could allow an attacker to remotely take control of the chip and change its functionality — meaning malicious actors could steal intellectual property, or destroy workflows.
That’s according to researchers at the Horst Görtz Institute for IT Security and the Max Planck Institute for Security and Privacy, who have identified a way to decrypt and then tamper with the FPGA’s bitstream — a sequence of data in binary form that ultimately controls the chips.
(FPGAs are highly flexible and programmable computer chips that are present in most data centres, connectivity infrastructure and AI processors. They are highly valued for their powerful, reprogrammable nature, which allows them to completely change functionality as required).
Xilinx, however, says any attack would require “close, physical access” to the hardware — by which point security teams potentially have bigger things to worry about — and say it is as complex as well-known, little-exploited existing side-channel attacks across the silicon world.
The researchers say that Xilinx’s widely deployed 7-Series and Virtex-6 devices can be attacked using the technique, and warn in a new paper that “we consider this as a severe attack, since (ironically) there is no opportunity to patch the underlying silicon of the cryptographic protocol.”
They disclosed the bug to Xilinx on September 24 and say they got a response the following day acknowledging the findings. (Xilinx’s newer UltraScale and UltraScale+ devices are not affected by the vulnerability.)
Xilinx, which noted the disclosure in a short missive to customers, told Computer Business Review that given the nature of the attack, customers should not be worried: “The only proven way to perform the so-called ‘Starbleed’ attack is to have close, physical access to the system.
“When an adversary has close, physical access to the system there are many other threats to be concerned about…”
“It is also important to recognize that when an adversary has close, physical access to the system there are many other threats to be concerned about. We advise all of our customers that they should design their systems with tamper protection such that close, physical access is difficult to achieve.”
It told customers: “The authors successfully exploited the lack of error extension in AES-CBC mode and the fact that configuration commands, specifically WBSTAR, can execute prior to authentication passing. This allowed them to successfully defeat device security. The complexity of this attack is similar to well known, and proven, DPA attacks against these devices and therefore do not weaken their security posture.”
… Attackers Could Exploit Remote Update Service
The researchers, Maik Ender, Amir Moradi, and Christof Paar, admit that the attack makes some demands on a would-be hacker. (They will present the results of their work at the 29th Usenix Security Symposium in August 2020) but disagree that it should be ruled out as a viable attack.
But they believe it could exploited remotely, albeit in a way that would already require some substantial credentials for tools designed to programme or debug the chips (that most companies should be guarding tightly…)
They wrote: “The adversary can be anyone who has access to the JTAG or SelectMAP configuration interface, even remotely, and to the encrypted bitstream of the device under attack. In contrast to side-channel and probing attacks against bitstream encryption, no adequate equipment nor expertise in electronic measurements is needed.”
“If the adversary succeeds in violating the bitstream authenticity, he can then change the functionality, implant hardware Trojans, or even physically destroy the system in which the FPGA is embedded.”
How Does the Attack Work?
The Starbleed bug takes advantage of the reprogrammable nature of FPGAs. It does this by manipulating the bitstream in the configuration process and sending a redirect of decrypted content to a WBSTAR configuration register.
“The bitstream’s manipulation exploits the malleability of the CBC mode of operation to alter the command in the bitstream which writes data to the WBSTAR configuration register. After the configuration with the encrypted bitstream, the FPGA resets, since it detects an invalid HMAC,” note the researchers.
“We use the WBSTAR configuration register for the readout, because the reset procedure does not clear it. After the reset, we finally use a second bitstream to readout the WBSTAR register to uncover the decrypted bitstream word by word. In summary, the FPGA, if loaded with the encryption key, decrypts the encrypted bitstream and writes it for the attacker to the readable configuration register. Hence, the FPGA is used as a decryption oracle.”
The researchers propose using “obfuscation schemes or patching the PCB to use the FPGA’s RS pins for clearing the BBRAM key storage in case of an attack. Although these countermeasures are not a substitute for a sound bitstream encryption, they still raise the bar for legacy systems until more secure devices can be provided.”
Whether anyone will actually go ahead and use this design flaw in an attack remains a bit of an open question. It looks unlikely: there are arguably easier ways to get access to the crown jewels of a data centre, from unpatched Cisco systems, to phishing campaigns, or social engineering.
As a reminder to vendors to tighten their product design, few would doubt it. As to the difference of opinion on exploitability, accurately triangulating the timeless difference between security researchers keen to play up a vulnerability they have found, and vendors keen to downplay it remains a somewhat thankless task: we would welcome hearing from any security researchers who have independently tested this kind of attack.