The research was conducted on Xilinx FPGAs, and several series of devices were shown to be vulnerable, although the attack does require the attacker to have access to the configuration port of the FPGA. In theory, for wirelessly connected systems, it could be possible to exploit the vulnerability remotely. The authors say they have informed Xilinx about the vulnerability.
The researchers have named the bug ‘Starbleed’ because they found a way to redirect bitstream data into the WBSTAR configuration register, from which it can then be read out after a reset.
Using this method, the researchers have shown that it is possible to gain complete control over the chips and their functionality. This could include the theft of IP or the injection of ‘Trojan horse’ circuitry. And since the bug is in hardware, it cannot be patched with software; the only fundamental solution is to replace the chips, the researchers said.
A research paper on the topic, ‘The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs’, has been accepted for the USENIX Security Symposium 2020, due to take place in Boston, Massachusetts, in August 2020.
In the paper the authors discuss attacks on the encrypted programming bitstream of Xilinx 7-Series (and Virtex-6) FPGAs, in which the FPGA itself is used to decrypt its own bitstream. The authors state that the attack does not require sophisticated tools and only requires access to the configuration port. Depending on the system architecture, an attack could be launched remotely, the authors say. In addition to the attacks, the authors discuss countermeasures in the paper.
The Starbleed vulnerability affects Xilinx’s 7-series FPGAs, comprising the four FPGA families Spartan, Artix, Kintex and Virtex, as well as the previous generation, Virtex-6.
“We informed Xilinx about this vulnerability and subsequently worked closely together during the vulnerability disclosure process. Furthermore, it appears highly unlikely that this vulnerability will occur in the manufacturer’s latest series,” said Amir Moradi, one of the authors, in a statement. The Max Planck Institute said that Xilinx will also publish information on its website for affected customers.
Xilinx sent the following statement to eeNews Europe: “We have read the paper and have issued a security advisory to our customers addressing it, located here. The only proven way to perform the so-called “Starbleed” attack is to have close, physical access to the system. It is also important to recognize that when an adversary has close, physical access to the system there are many other threats to be concerned about. We advise all of our customers to design their systems with tamper protection such that close, physical access is difficult to achieve.”