Starbleed A Full Break of the Bitstream Encryption
Starbleed A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs Maik Ender, Amir Moradi, Christof Paar Hardwear. io 20. 10. 2021
Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 https: //www. reddit. com/r /Electrical. Engineering/co mments/g 6 vaey/ u/iguetesilva 2
Starbleed A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs Maik Ender, Amir Moradi, Christof Paar Hardwear. io 20. 10. 2021
Field Programmable Gate Arrays Bitstream contains FPGA‘s design Stored on external memory program Field Programmable Gate Array (FPGA) Special IC Reprogrammable logic Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 Photo by Chuanchai Pundej on Unsplash Photo by American Public Power Association on Unsplash Photo by Patrick Tomasso on Unsplash FFFF AA 995566 "Start. Dec" "Wr. Cntr 0" 02003 FE 5 Photo by Mario Caruso on Unsplash Bitstream 4
Bitstream Security FFFF AA 995566 "Start. Dec" "Wr. Cntr 0" 02003 FE 5 program • Bitstream security is vital – – Design cloning Reverse engineering Design manipulation Hardware Trojans Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 Photo by Chuanchai Pundej on Unsplash Photo by American Public Power Association on Unsplash Photo by Patrick Tomasso on Unsplash Photo by Mario Caruso on Unsplash Bitstream 5
Bitstream Encryption FPGA Bitstream FFFF AA 995566 "Start. Enc" "Wr. Cntr 0" 02003 FE 5 encrypted program CRYPTO Key Fuses/BBRAM Bitstream encryption AES-256 HMAC • Confidentiality: bitstream is encrypted • Authenticity: FPGA loads only designs from integrator • Integrity: Bitstream is not changed Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 6
Attack FPGA Bitstream FFFF AA 995566 "Start. Enc" "Wr. Cntr 0" 02003 FE 5 encrypted program please decrypt the bitstream CRYPTO okay Key Fuses/BBRAM Bitstream encryption Manipulate the encrypted bitstream • Confidentiality: bitstream is encrypted • Authenticity: FPGA loads only designs from integrator • Integrity: Bitstream is not changed Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 Starbleed Attack I: Break Confidentiality Starbleed Attack II: Break Authenticity 7
HOW TO PROGRAM AN FPGA? Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 8
Configuration Engine FPGA Configuration Registers "Header" "Start. Dec" HMAC tag JTAG "Wr. Cntr 0" E 02003 FE 5 nc ryp "Wr. FDRI" ted COFFEEEE BADB 0070 Dec? HMACHead DEC Configuration Engine Bitstream Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 FDRI Fabric FDRO Status Control 0 WBSTAR … 9
Bitstream Program FPGA Configuration Registers "Header" "Start. Dec" HMAC tag JTAG "Wr. Cntr 0" HMACHead "Start. Dec" "Wr. Cntr 0" BADB 0070 "Wr. FDRI" "Header" HMAC tag 02003 FE 5 COFFEE "Wr. FDRI" COFFEEEE BADB 0070 Dec? HMACHead DEC Configuration Engine Bitstream Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 FDRI Fabric FDRO Status Control 0 WBSTAR … 10
ATTACK I BREAKING CONFIDENTIALITY Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 12
Attack Bitstream The FPGA notices the manipulation (HMAC invalid) and resets Configuration Registers "Header" "Start. Enc" "Start. Dec" HMAC tag Exploit CBC malleability JTAG "Wr. Cntr 0" HMACHead "Start. Dec" "Wr. Cntr 0" Wr. WBSTAR "Header" HMAC tag BADB 0070 COFFEEEE 02003 FE 5 "Wr. WBSTAR" "Wr. FDRI" COFFEEEE BADB 0070 Dec? HMACHead DEC Configuration Engine FPGA Fabric FDRI FDRO Status Control 0 COFFEEEE rt e v di WBSTAR … Cut bitstream Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 13
Multi. Boot – Documentation Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 14
Attack – Readout Dec? Bitstream JTAG "Header" Rd. WBSTAR The FPGA notices the manipulation (HMAC invalid) and resets Configuration Registers DEC Configuration Engine FPGA HMAC tag Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 Fabric FDRI FDRO Status Control 0 02003 FE 5 COFFEEEE rt e v di COFFEEEE WBSTAR … 15
Attack – Overview 1) Manipulated Bitstream FPGA "Header" "Start. Dec" 2) Configure the FPGA with the malicious bitstream HMACHead Dec? "Wr. Cntr 0" 02003 FE 5 "Wr. WBSTAR" HMAC tag 2) Readout Bitstream "Header" Rd. WBSTAR JTAG COFFEEEE BADB 0070 3) Resets the FPGA DEC (automatically) 4) Read out the WBSTAR register 5) Reset the FPGA (manually) Configuration Engine The FPGA notices the manipulation (HMAC invalid) and resets Configuration 1) Manipulate the bitstream Registers Wr. WBSTAR FDRI Fabric FDRO Status Control 0 COFFEEEE WBSTAR … Leak one bitstream word (32 bits) Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 16
Bitstream Security Bitstream security is vital • Design cloning • Reverse engineering • Design manipulation ? • Hardware Trojans ? Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 ? Photo by Chuanchai Pundej on Unsplash Photo by American Public Power Association on Unsplash Photo by Patrick Tomasso on Unsplash = Attacker can decrypt bitstream Photo by Mario Caruso on Unsplash Attack I: Break Confidentiality 17
ATTACK II BREAKING AUTHENTICITY Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 18
Attack II: Breaking Authenticity • Attack I: Decrypt the bitstream • HMAC (still) assures authenticity Any manipulation is detected Bitstream "Header" "Start. Enc" HMAC key HMACHead "Wr. Cntr 0" 02003 FE 5 "Wr. FDRI" COFFEEEE BADB 0070 HMAC tag Attacker can forge valid HMAC tags • HMAC key can be decrypted by attack I Forge new valid HMAC tags FPGA • Encrypt new/manipulated bitstreams: – Decryption oracle + CBC malleability = encryption oracle – Know attack: ‘‘Practical padding oracle attacks‘‘ Rizzo et al. WOOT 2010 Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 please decrypt the bitstream CRYPTO okay 19
Bitstream Security Bitstream security is vital • Design cloning • Reverse engineering • Design manipulation ? • Hardware Trojans ? Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 Photo by Chuanchai Pundej on Unsplash Photo by American Public Power Association on Unsplash Photo by Patrick Tomasso on Unsplash Attack II: Break Authenticity Photo by Mario Caruso on Unsplash Attack I: Break Confidentiality FULL BREAK ? OF THE BITSTREAM ENCRYPTIO 20
WHAT WENT WRONG? Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 21
What Went Wrong? 1. ‘‘Use before validate‘‘ (Attack I) 2. HMAC key stored inside the encrypted bitstream (Attack II) Commands interpreted before HMAC validation Bitstream "Header" "Start. Dec" HMAC key HMACHead "Wr. Cntr 0" 02003 FE 5 "Wr. FDRI" COFFEEEE BADB 0070 HMAC tag Attacker can forge valid HMAC tags Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 22
COUNTERMEASURES & DEFENSE TECHNIQUES Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 23
Countermeasures & Defense Techniques New Devices New Series Validate before use • • Patchable Encryption • • IFA, Model Checker • Open. Source Hardware • Current 7 -Series Obfuscation Revision Select PIN Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 24
Countermeasures & Defense Techniques New Devices New Series Validate before use • • Patchable Encryption • • IFA, Model Checker • Open. Source Hardware • Current 7 -Series • Countermeasures – Validate the bitstream before interprete by the configuration engine Obfuscation Revision Select PIN Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 25
Countermeasures & Defense Techniques New Devices New Series Validate before use • • Patchable Encryption • • IFA, Model Checker • Open. Source Hardware • Current 7 -Series • Countermeasures – Validate the bitstream before interprete by the configuration engine – Patchable bitstream encryption in the reconfigurable fabric Obfuscation Revision Select PIN Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 26
Countermeasures & Defense Techniques New Devices New Series Validate before use • • Patchable Encryption • • IFA, Model Checker • Open. Source Hardware • Current 7 -Series • Countermeasures – Validate the bitstream before interprete by the configuration engine – Patchable bitstream encryption in the reconfigurable fabric • General defense techniques – Attack already visible in documentation specification is flawed Obfuscation Revision Select PIN Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 27
Countermeasures & Defense Techniques New Devices New Series Validate before use • • Patchable Encryption • • IFA, Model Checker • Open. Source Hardware • Current 7 -Series • Countermeasures – Validate the bitstream before interprete by the configuration engine – Patchable bitstream encryption in the reconfigurable fabric • General defense techniques Obfuscation Revision Select PIN Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 – Attack already visible in documentation specification is flawed – Open. Source transparency • Follow Kerckhoffs Principle "Everything except the key is known" • Open. Titan 28
Countermeasures & Defense Techniques New Devices New Series Validate before use • • Patchable Encryption • • IFA, Model Checker • Open. Source Hardware • Current 7 -Series • Countermeasures – Validate the bitstream before interprete by the configuration engine – Patchable bitstream encryption in the reconfigurable fabric • General defense techniques Obfuscation Revision Select PIN Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 – Attack already visible in documentation specification is flawed – Open. Source transparency • Follow Kerckhoffs Principle "Everything except the key is known" • Open. Titan 29
Obfuscation • Still same functionality • ‘‘Harder‘‘ to reverse engineer • Raise-the-bar countermeasure only https: //www. flickr. com/photos/curious_e/ Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 Photo by American Public Power Association on Unsplash 30
Revision Select PIN Value default 0 During attack leaks bitstream content ≠ 0 1 1 Revision select pins Drive output pin on next warm boot RS Pins • • – Reset FPGA – Remove BBRAM key power to clear encryption key FPGA Reset Logic Modify PCB Wire RS pin to a reset logic If Revision. Select ≠ 0 WBSTAR Key CLEAR BBRAM Power (Vcc) PCB CRYPTO Vcc • Attacker can still modify the PCB Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 31
Conclusion Attack I: Break Confidentiality decrypting the bitstream Attack II: Break Authenticity manipulating the bitstream Full break of confidentiality and authenticity Only access to configuration interface needed Xilinx 7 -Series and (partially) Virtex-6 affected For current devices only raise-the-bar countermeasures • General defense techniques: Verify the specification, Open. Source @Maik. Ender. EU • • Starbleed – A Full Break of the Bitstream Encryption of Xilinx 7 -Series FPGAs| Hardwear. io | 30 April 2020 https: //www. usenix. org/conference/ usenixsecurity 20/presentation/ender 32
Thank You For Your Attention! Any Questions?
- Slides: 32