MAX PLANCK INSTITUTE FOR SECURITY AND PRIVACY
STARBLEED
A FULL BREAK OF THE BITSTREAM ENCRYPTION OF XILINX 7-SERIES FPGAS
Maik Ender, Amir Moradi, and Christof Paar
Ruhr University Bochum & MPI for Privacy and Security
USENIX Security, August 14, 2020
FIELD PROGRAMMABLE GATE ARRAYS
Field Programmable Gate Array (FPGA)
Special IC
Reprogrammable logic
Bitstream contains FPGA's design
Stored on external memory
[Figure: a bitstream programs the FPGA. Photos by Patrick Tomasso, Chuanchai Pundej, American Public Power Association and Thomas Jensen on Unsplash]
BITSTREAM SECURITY
Possible Consequences
• IP theft & design cloning
• Reverse engineering
• Design manipulation
• Hardware Trojans
[Figure labels: Bitstream: FFFFFFFF AA995566 "StartDec" "WrCntr0" 02003FE5; program]
BITSTREAM ENCRYPTION
Security Goals
• Confidentiality: bitstream is encrypted
• Authenticity: FPGA loads only designs from integrator
• Integrity: Bitstream is not changed
[Figure labels: Bitstream: FFFFFFFF AA995566 "StartEnc" "WrCntr0" 02003FE5; Key; encrypted program; FPGA; CRYPTO: AES-256, HMAC]
ATTACK IN A NUTSHELL
Manipulate the encrypted bitstream
Security Goals
• Confidentiality: bitstream is encrypted
• Authenticity: FPGA loads only designs from integrator
• Integrity: Bitstream is not changed
Starbleed Attack I: Break Confidentiality
Starbleed Attack II: Break Authenticity
[Figure labels: Bitstream: FFFFFFFF AA995566 "StartEnc" "WrCntr0" 02003FE5; Key; encrypted program; FPGA; CRYPTO. Request to the FPGA: "please decrypt the bitstream"; answer: "okay"]
HOW TO PROGRAM AN FPGA?
CONFIGURATION ENGINE
[Figure labels: FPGA: JTAG, Fabric. Bitstream: "Header" "StartDec" HMACHead "WrCntr0" 02003FE5 "WrFDRI" COFFEEEE BADB0070, HMAC tag]
CONFIGURATION ENGINE
[Figure labels: FPGA: JTAG, Configuration Engine (Dec?, AES), Configuration Registers (FDRO, …, Status, Control 0, WBSTAR, FDRI), Fabric. Bitstream: "Header" "StartDec" HMACHead "WrCntr0" 02003FE5 "WrFDRI" COFFEEEE BADB0070, HMAC tag]
BITSTREAM PROGRAM
[Figure labels: FPGA: JTAG, Configuration Engine (Dec?, AES), Configuration Registers (FDRO, …, Status, Control 0, WBSTAR, FDRI), Fabric. Bitstream: "Header" "StartDec" HMACHead "WrCntr0" 02003FE5 "WrFDRI" COFFEEEE BADB0070, HMAC tag]
ATTACK I: BREAKING CONFIDENTIALITY
ATTACK
Exploit CBC malleability
Cut bitstream
Authenticity Check
FPGA resets
[Figure labels: FPGA: JTAG, Configuration Engine (Dec?, AES), Configuration Registers (FDRO, …, Status, Control 0, WBSTAR, FDRI), Fabric. Original bitstream: "Header" "StartEnc" HMACHead "WrCntr0" 02003FE5 "WrFDRI" COFFEEEE BADB0070. Manipulated bitstream: "Header" "StartDec" HMACHead "WrCntr0" 02003FE5 "WrWBSTAR" COFFEEEE BADB0070, HMAC tag. WBSTAR receives COFFEEEE]
MULTIBOOT – DOCUMENTATION
ATTACK – READOUT
[Figure labels: FPGA: JTAG, Configuration Engine (Dec?, AES), Configuration Registers (FDRO, …, Status, Control 0, WBSTAR, FDRI), Fabric. WBSTAR holds COFFEEEE. Readout bitstream: RdWBSTAR. Manipulated bitstream: "Header" "StartDec" HMACHead "WrCntr0" 02003FE5 "WrWBSTAR" COFFEEEE BADB0070, HMAC tag. Annotations: Exploit CBC malleability; Cut bitstream; Authenticity Check; FPGA resets]
ATTACK – OVERVIEW
1) Manipulate the bitstream
2) Configure the FPGA with the malicious bitstream
3) Resets the FPGA (automatically)
4) Read out the WBSTAR register
5) Reset the FPGA (manually)
→ Leaks one bitstream word (32 bits)
[Figure labels: FPGA: JTAG, Configuration Engine (Dec?, AES), Configuration Registers (FDRO, …, Status, Control 0, WBSTAR, FDRI), Fabric. 1) Manipulated Bitstream: "Header" "StartDec" HMACHead "WrCntr0" 02003FE5 "WrWBSTAR" COFFEEEE BADB0070, HMAC tag. 2) Readout Bitstream: "Header" RdWBSTAR]
ATTACK II: BREAKING AUTHENTICITY
• HMAC key can be decrypted by attack I
→ Forge new valid HMAC tags
[Figure labels: Bitstream: "Header" "StartEnc" HMACHead "WrCntr0" 02003FE5 "WrFDRI" COFFEEEE BADB0070, HMAC tag; HMAC key. Annotation: Attacker can forge valid HMAC tags]
WHAT WENT WRONG?
1. "Use before validate" (Attack I)
2. Key dependency (Attack II)
[Figure labels: Bitstream: "Header" "StartDec" HMACHead "WrCntr0" 02003FE5 "WrFDRI" COFFEEEE BADB0070, HMAC tag; HMAC key. Annotation: Commands interpreted before HMAC validation]
COUNTERMEASURES & DEFENSE TECHNIQUES
Countermeasures: Current 7-Series
• Only raise-the-bar countermeasures exist
Countermeasures: New FPGA Series
• Validate the bitstream before use
• Needs new silicon
• Available in new FPGA Series
General defense techniques
• Avoid ad-hoc security designs
• Model checking, information flow analysis
• Community analysis
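The "use before validate" flaw and the "validate the bitstream before use" countermeasure, modeled as an added example (not code from the talk or from Xilinx). The packet format, register ids and all names are constructed, and the AES-CBC layer is left out so that only the ordering of command interpretation and HMAC check is shown.

```python
import hashlib, hmac, struct

# Toy model (constructed): a "bitstream" is a run of (register id, 32-bit value)
# writes followed by an HMAC-SHA256 tag. This is not the Xilinx wire format.
REG_FDRI, REG_WBSTAR = 1, 2
TAG_LEN = 32

def build(key, writes):
    body = b"".join(struct.pack(">BI", reg, val) for reg, val in writes)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def parse(body):
    for off in range(0, len(body) - 4, 5):        # whole 5-byte packets only
        yield struct.unpack(">BI", body[off:off + 5])

class Device:
    def __init__(self, key):
        self.key = key
        self.fabric = []      # cleared by a reset
        self.wbstar = 0       # modeled as surviving a reset, as on the slides

    def _tag_ok(self, blob):
        body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def _apply(self, reg, val):
        if reg == REG_WBSTAR:
            self.wbstar = val
        elif reg == REG_FDRI:
            self.fabric.append(val)

    def load_use_before_validate(self, blob):
        for reg, val in parse(blob[:-TAG_LEN]):   # commands take effect first
            self._apply(reg, val)
        if not self._tag_ok(blob):                # the check comes too late
            self.fabric.clear()                   # reset wipes only the fabric
            return False
        return True

    def load_validate_before_use(self, blob):
        if len(blob) < TAG_LEN or not self._tag_ok(blob):
            return False                          # nothing was interpreted
        for reg, val in parse(blob[:-TAG_LEN]):
            self._apply(reg, val)
        return True

def tamper(blob):
    """Constructed tampering: retarget the first write from FDRI to WBSTAR."""
    return bytes([REG_WBSTAR]) + blob[1:]
```

With the first loader a rejected bitstream still leaves its payload word in the persistent register; with the second the same input changes no device state.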
CONCLUSION
Full break of Xilinx 7-Series Bitstream Encryption
Any questions?
@MaikEnderEU, Amir Moradi, @ChristofPaar