A critical security flaw exists in the Field Programmable Gate Arrays chips. Dubbed ‘Starbleed’, this vulnerability allows an attacker take complete control over target FPGA chips.
Researchers from German institutes have shared their findings regarding a critical vulnerability in the Field Programmable Gate Arrays (FPGA) chips. This vulnerability, which they call ‘Starbleed’, can allow an adversary to gain complete control of all chip functionalities.
FPGA chips are frequently used in various key industries such as aviation and medical fields. These chips are powered by bitstream which bears encryption for securing the chips against cyber attacks. They are flexible for reprogramming which makes the chips highly useful for industrial devices.
However, the same property now turns into vulnerability as researchers found a way to decrypt bitstream during reconfiguration. This allows gaining explicit access to execute various malicious activities. According to researchers:
In their study, the researchers could successfully break the bitstream encryption of Xilinx 7-Series and Virtex-6 devices. They then broke the authenticity of the encryption too by encrypting arbitrary messages.
Decrypting Bitstream Content
Briefly, the researchers used MultiBoot address register WBSTAR to enable the FPGA boot with a different memory address. They then manipulated bitstream to write a single 32-bit word to the register in decrypted form. Hence, they redirect the decrypted bitstream content to the register to read it following a reset.
Repeating this process allows an attacker to retrieve the entire bitstream content. Though, retrieving one word at a time may take several hours. For example, it took 3 hours and 42 minutes for the researchers to decrypt and read Kintex-7 XC7K160T bitstream.
Breaking Encryption Authenticity
In a subsequent attack, the researchers used FPGA as a decryption oracle to encrypt arbitrary messages. Repeating the process allowed them to encrypt the entire bitstream with legit encryption and validation.