MAX PLANCK INSTITUTE

FOR SECURITY AND

PRIVACY

STARBLEEDA FULL BREAK OF THE BITSTREAM ENCRYPTION OF XILINX 7-SERIES FPGAS

Maik Ender, Amir Moradi, and Christof Paar

↘ Ruhr University Bochum & MPI for Privacy and Security

USENIX Security, August 14, 2020

MAX PLANCK INSTITUTE

FOR SECURITY AND

PRIVACY

STARBLEEDA FULL BREAK OF THE BITSTREAM ENCRYPTION OF XILINX 7-SERIES FPGAS

Maik Ender, Amir Moradi, and Christof Paar

↘ Ruhr University Bochum & MPI for Privacy and Security

USENIX Security, August 14, 2020

https://www.reddit.com/r/ElectricalEngineering/comments/g6vaey/u/iguetesilva

FIELD PROGRAMMABLE GATE ARRAYS

Field Programmable Gate Array

(FPGA)

Special IC

Reprogrammable logic

Bitstream

program01

Ph

oto

by P

atrick Tom

assoo

n U

nsp

lash

Ph

oto

by C

hu

anch

ai Pu

nd

ejon

Un

splash

Ph

oto

by A

merican

Pu

blic P

ow

er Asso

ciation

on

Un

splash

Ph

oto

by Th

om

as Jensen

on

Un

splash

Bitstream contains

FPGA‘s design

Stored on external

memory

Bitstream Security

BITSTREAM SECURITY

Possible Consequences

• IP theft & design cloning

• Reverse engineering

• Design manipulation

• Hardware Trojans

Bitstream

FFFFFFFFAA995566"StartDec""WrCntr0"02003FE5

program

Ph

oto

by P

atrick Tom

assoo

n U

nsp

lash

Ph

oto

by C

hu

anch

ai Pu

nd

ejon

Un

splash

Ph

oto

by A

merican

Pu

blic P

ow

er Asso

ciation

on

Un

splash

Ph

oto

by Th

om

as Jensen

on

Un

splash

Bitstream Encryption

BITSTREAM ENCRYPTION

Bitstream

FFFFFFF

F

AA995566

"StartEnc"

"WrCntr0"

02003FE5

Security Goals • Confidentiality: bitstream is encrypted

• Authenticity: FPGA loads only designs from integrator

• Integrity: Bitstream is not changed

Key

FPGA

encrypted program

AES-256

HMAC

0 101 CRYPTO

Attack in a Nutshell

ATTACK IN A NUTSHELL

Bitstream

FFFFFFF

F

AA995566

"StartEnc"

"WrCntr0"

02003FE5 okay

CRYPTO

FPGA

encrypted programplease decrypt the bitstream

Manipulate the

encrypted bitstream

Bitstream

FFFFFFFFAA995566"StartEnc""WrCntr0"02003FE5

Security Goals • Confidentiality: bitstream is encrypted

• Authenticity: FPGA loads only designs from integrator

• Integrity: Bitstream is not changed

Starbleed Attack I:

Break Confidentiality

Starbleed Attack II:

Break Authenticity

Key

HOW TO PROGRAM AN FPGA?

CONFIGURATION ENGINE

FabricJTA

G

FPGA

Bitstream

"Header""StartDec"HMACHead

"WrCntr0"02003FE5"WrFDRI"COFFEEEEBADB0070

HMAC tag

CONFIGURATION ENGINE

FDRO

…

Status

Control 0

WBSTAR

FDRI Fabric

Configura

tio

n E

ngin

e

Configuration

RegistersBitstream

Dec?

AES

JTA

G"Header"

"StartDec"HMACHead

"WrCntr0"02003FE5"WrFDRI"COFFEEEEBADB0070

HMAC tag

FPGA

BITSTREAM PROGRAM

FDRO

…

Status

Control 0

WBSTAR

FDRI Fabric

Configura

tio

n E

ngin

e

Configuration

RegistersBitstream

Dec?

AES

JTA

G

"Header""StartDec"HMACHead"WrCntr0"02003FE5"WrFDRI"COFFEEEE

"Header""StartDec"HMACHead

"WrCntr0"02003FE5"WrFDRI"COFFEEEEBADB0070

HMAC tag

FPGA

ATTACK IBREAKING CONFIDENTIALITY

Authenticity

Check

FPGA

ATTACK

FDRO

…

Status

Control 0

WBSTAR

FDRI Fabric

Co

nfig

ura

tio

n E

ng

ine

Configuration

RegistersBitstream

Dec?

AES

JTA

G

"WrCntr0"

02003FE5

WrWBSTARCOFFEEEEBADB0070HMAC tag

"Header""StartEnc"HMACHead

"WrCntr0"02003FE5"WrFDRI"COFFEEEEBADB0070

"Header""StartDec"HMACHead

"WrCntr0"02003FE5"WrWBSTAR"

COFFEEEEBADB0070

HMAC tag

Exploit CBC

malleability

COFFEEEE

Cut bitstream

FPGA resets

MultiBoot – Documentation

MULTIBOOT – DOCUMENTATION

ATTACK – READOUT

FDRO

…

Status

Control 0

WBSTAR

FDRI Fabric

Configura

tio

n E

ngin

e

Configuration

Registers

Dec?

AES

JTA

G

COFFEEEE

Bitstream

RdWBSTARRdWBSTAR

FPGA

HMAC tag

02003FE5

COFFEEEE

Authenticity

Check

FPGA resets

Bitstream

"Header""StartDec"HMACHead

"WrCntr0"02003FE5"WrWBSTAR"

COFFEEEEBADB0070

HMAC tag

Exploit CBC

malleability

Cut bitstream

Authenticity

Check

FPGA resets

Configuration

Registers

FPGA

ATTACK – OVERVIEW

FDRO

…

Status

Control 0

WBSTAR

FDRI Fabric

Configura

tio

n E

ngin

e

Dec?

AES

JTA

G

COFFEEEE

WrWBSTAR

"Header""StartDec"HMACHead

"WrCntr0"02003FE5"WrWBSTAR"

COFFEEEEBADB0070

"Header"RdWBSTAR

2) Readout

Bitstream

1) Manipulate the bitstream

4) Read out the WBSTAR

register

3) Resets the FPGA

(automatically)

2) Configure the FPGA with

the malicious bitstream

5) Reset the FPGA

(manually)

HMAC tag

1) Manipulated

Bitstream

→Leaks one bitstream word (32 bits)

ATTACK IIBREAKING AUTHENTICITY

• HMAC key can be decrypted by attack I

→Forge new valid HMAC tags

ATTACK II: BREAKING AUTHENTICITY

Bitstream

"Header""StartEnc"HMACHead

"WrCntr0"02003FE5"WrFDRI"COFFEEEEBADB0070

HMAC tag

HMAC key

Attacker can forge

valid HMAC tags

WHAT WENT WRONG?

1. ‘‘Use before validate‘‘ (Attack I)

2. Key dependency (Attack II)

WHAT WENT WRONG?

Bitstream

"Header""StartDec"HMACHead

"WrCntr0"02003FE5"WrFDRI"COFFEEEEBADB0070

HMAC tag

Commands

interpreted before

HMAC validation

HMAC key

COUNTERMEASURES

AND

DEFENSE TECHNIQUES

Countermeasures

Current 7-Series

Only raise-the-bare

countermeasures exists

COUNTERMEASURES & DEFENSE TECHNIQUES

Countermeasures

New FPGA Series

• Validate the bitstream before

use

• Needs new silicon

• Available in new FPGA

Series

General defense

techniques

• Avoid ad-hoc security

designs

• Model checking, information

flow analysis

• Community analysis

CONCLUSION

CONCLUSION

Full break of

Xilinx 7-Series

Bitstream

Encryption Any questions? @MaikEnderEU

Amir Moradi

@ChristofPaar