Starbleed: Hidden bug in FPGA chips can help hackers steal critical data
grarpamp
grarpamp at gmail.com
Mon Apr 20 18:50:44 PDT 2020
On 4/19/20, jim bell <jdb10987 at yahoo.com> wrote:
> https://gulfnews.com/technology/hidden-bug-in-fpga-chips-can-help-hackers-steal-critical-data-1.1587319240780
https://www.digitalmunition.me/starbleed-bug-impacts-fpga-chips-used-in-data-centers-iot-devices-industrial-equipment/
The Unpatchable Silicon: A Full Break of the Bitstream Encryption of
Xilinx 7-Series FPGAs.
https://www.xilinx.com/support/answers/73541.html
https://www.usenix.org/system/files/sec20fall_ender_prepub.pdf
As usual, "[ir]responsible disclosure" in full effect...
you have to leave your ass wide open till August for the details,
so the corp and researchers can profit spin and pomp,
and so the CIA NSA Mossad and every other thug on the
planet with a brain has plenty of time to exploit you.
Xilinx is of course wholly untrustable closed source.
#OpenHW, #OpenFabs, #OpenAudit
"If an attacker has access to the bitstream and breaks its
confidentiality, he can reverse-engineer the design, clone
intellectual property, or gather information for subsequent attacks
e.g., by finding cryptographic keys or other design aspects of a
system. If the adversary succeeds in violating the bitstream
authenticity, he can then change the functionality, implant hardware
Trojans, or even physically destroy the system in which the FPGA is
embedded by using configuration outside the specifications.
In their study, the researchers could successfully break the bitstream
encryption of Xilinx 7-Series and Virtex-6 devices. They then broke
the authenticity of the encryption too by encrypting arbitrary
messages.
Decrypting Bitstream Content
Briefly, the researchers used MultiBoot address register WBSTAR to
enable the FPGA boot with a different memory address. They then
manipulated bitstream to write a single 32-bit word to the register in
decrypted form. Hence, they redirect the decrypted bitstream content
to the register to read it following a reset.
Repeating this process allows an attacker to retrieve the entire
bitstream content. Though, retrieving one word at a time may take
several hours. For example, it took 3 hours and 42 minutes for the
researchers to decrypt and read Kintex-7 XC7K160T bitstream.
Breaking Encryption Authenticity
In a subsequent attack, the researchers used FPGA as a decryption
oracle to encrypt arbitrary messages. Repeating the process allowed
them to encrypt the entire bitstream with legit encryption and
validation."
More information about the cypherpunks
mailing list