How to break secure boot on FPGA SoCs through malicious hardware

Nisha Jacob; Johann Heyszl; Andreas Zankl; Carsten Rolfes; Georg Sigl

doi:10.1007/978-3-319-66787-4_21

How to break secure boot on FPGA SoCs through malicious hardware

Nisha Jacob
, Johann Heyszl
, Andreas Zankl
, Carsten Rolfes
, Georg Sigl

Chair of Security in Information Technology

Fraunhofer AISEC

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

24 Scopus citations

Abstract

Embedded IoT devices are often built upon large system on chip computing platforms running a significant stack of software. For certain computation-intensive operations such as signal processing or encryption and authentication of large data, chips with integrated FPGAs, FPGA SoCs, which provide high performance through configurable hardware designs, are used. In this contribution, we demonstrate how an FPGA hardware design can compromise the important secure boot process of the main software system to boot from a malicious network source instead of an authentic signed kernel image. This significant and new threat arises from the fact that the CPU and FPGA are connected to the same memory bus, so that FPGA hardware designs can interfere with secure boot routines on FPGA SoCs that are without any interruption on regular SoCs. An enabling factor is that integrated hardware designs are likely bought from external partners and there is a realistic lack of security review at the system integrators. This facilitates flaws or even unwanted functionality in such hardware designs. We perform a proof of concept on a Xilinx Zynq-7000 FPGA SoC, and the threat can be generalized to other devices. We also present as effective mitigation, an easy-to-review and re-usable wrapper module which prevents any unauthorized memory access by included hardware designs.

Original language	English
Title of host publication	Cryptographic Hardware and Embedded Systems, CHES 2017 - 19th International Workshop, Proceedings
Editors	Wieland Fischer, Naofumi Homma
Publisher	Springer Verlag
Pages	425-442
Number of pages	18
ISBN (Print)	9783319667867
DOIs	https://doi.org/10.1007/978-3-319-66787-4_21
State	Published - 2017
Event	19th International Conference on Cryptographic Hardware and Embedded Systems, CHES 2017 - Taipei, Taiwan, Province of China Duration: 25 Sep 2017 → 28 Sep 2017

Publication series

Name	Lecture Notes in Computer Science
Volume	10529 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	19th International Conference on Cryptographic Hardware and Embedded Systems, CHES 2017
Country/Territory	Taiwan, Province of China
City	Taipei
Period	25/09/17 → 28/09/17

Keywords

FPGA SoCs
Hardware design
Outsourced
Secure boot
Threat

Access to Document

10.1007/978-3-319-66787-4_21

Cite this

Jacob, N., Heyszl, J., Zankl, A., Rolfes, C., & Sigl, G. (2017). How to break secure boot on FPGA SoCs through malicious hardware. In W. Fischer, & N. Homma (Eds.), Cryptographic Hardware and Embedded Systems, CHES 2017 - 19th International Workshop, Proceedings (pp. 425-442). (Lecture Notes in Computer Science; Vol. 10529 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-66787-4_21

@inproceedings{0aa8655a6a1d4e8b857c410cc15cc8db,

title = "How to break secure boot on FPGA SoCs through malicious hardware",

abstract = "Embedded IoT devices are often built upon large system on chip computing platforms running a significant stack of software. For certain computation-intensive operations such as signal processing or encryption and authentication of large data, chips with integrated FPGAs, FPGA SoCs, which provide high performance through configurable hardware designs, are used. In this contribution, we demonstrate how an FPGA hardware design can compromise the important secure boot process of the main software system to boot from a malicious network source instead of an authentic signed kernel image. This significant and new threat arises from the fact that the CPU and FPGA are connected to the same memory bus, so that FPGA hardware designs can interfere with secure boot routines on FPGA SoCs that are without any interruption on regular SoCs. An enabling factor is that integrated hardware designs are likely bought from external partners and there is a realistic lack of security review at the system integrators. This facilitates flaws or even unwanted functionality in such hardware designs. We perform a proof of concept on a Xilinx Zynq-7000 FPGA SoC, and the threat can be generalized to other devices. We also present as effective mitigation, an easy-to-review and re-usable wrapper module which prevents any unauthorized memory access by included hardware designs.",

keywords = "FPGA SoCs, Hardware design, Outsourced, Secure boot, Threat",

author = "Nisha Jacob and Johann Heyszl and Andreas Zankl and Carsten Rolfes and Georg Sigl",

note = "Publisher Copyright: {\textcopyright} International Association for Cryptologic Research 2017.; 19th International Conference on Cryptographic Hardware and Embedded Systems, CHES 2017 ; Conference date: 25-09-2017 Through 28-09-2017",

year = "2017",

doi = "10.1007/978-3-319-66787-4\_21",

language = "English",

isbn = "9783319667867",

series = "Lecture Notes in Computer Science",

publisher = "Springer Verlag",

pages = "425--442",

editor = "Wieland Fischer and Naofumi Homma",

booktitle = "Cryptographic Hardware and Embedded Systems, CHES 2017 - 19th International Workshop, Proceedings",

}

Jacob, N, Heyszl, J, Zankl, A, Rolfes, C & Sigl, G 2017, How to break secure boot on FPGA SoCs through malicious hardware. in W Fischer & N Homma (eds), Cryptographic Hardware and Embedded Systems, CHES 2017 - 19th International Workshop, Proceedings. Lecture Notes in Computer Science, vol. 10529 LNCS, Springer Verlag, pp. 425-442, 19th International Conference on Cryptographic Hardware and Embedded Systems, CHES 2017, Taipei, Taiwan, Province of China, 25/09/17. https://doi.org/10.1007/978-3-319-66787-4_21

How to break secure boot on FPGA SoCs through malicious hardware. / Jacob, Nisha; Heyszl, Johann; Zankl, Andreas et al.
Cryptographic Hardware and Embedded Systems, CHES 2017 - 19th International Workshop, Proceedings. ed. / Wieland Fischer; Naofumi Homma. Springer Verlag, 2017. p. 425-442 (Lecture Notes in Computer Science; Vol. 10529 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - How to break secure boot on FPGA SoCs through malicious hardware

AU - Jacob, Nisha

AU - Heyszl, Johann

AU - Zankl, Andreas

AU - Rolfes, Carsten

AU - Sigl, Georg

N1 - Publisher Copyright: © International Association for Cryptologic Research 2017.

PY - 2017

Y1 - 2017

N2 - Embedded IoT devices are often built upon large system on chip computing platforms running a significant stack of software. For certain computation-intensive operations such as signal processing or encryption and authentication of large data, chips with integrated FPGAs, FPGA SoCs, which provide high performance through configurable hardware designs, are used. In this contribution, we demonstrate how an FPGA hardware design can compromise the important secure boot process of the main software system to boot from a malicious network source instead of an authentic signed kernel image. This significant and new threat arises from the fact that the CPU and FPGA are connected to the same memory bus, so that FPGA hardware designs can interfere with secure boot routines on FPGA SoCs that are without any interruption on regular SoCs. An enabling factor is that integrated hardware designs are likely bought from external partners and there is a realistic lack of security review at the system integrators. This facilitates flaws or even unwanted functionality in such hardware designs. We perform a proof of concept on a Xilinx Zynq-7000 FPGA SoC, and the threat can be generalized to other devices. We also present as effective mitigation, an easy-to-review and re-usable wrapper module which prevents any unauthorized memory access by included hardware designs.

AB - Embedded IoT devices are often built upon large system on chip computing platforms running a significant stack of software. For certain computation-intensive operations such as signal processing or encryption and authentication of large data, chips with integrated FPGAs, FPGA SoCs, which provide high performance through configurable hardware designs, are used. In this contribution, we demonstrate how an FPGA hardware design can compromise the important secure boot process of the main software system to boot from a malicious network source instead of an authentic signed kernel image. This significant and new threat arises from the fact that the CPU and FPGA are connected to the same memory bus, so that FPGA hardware designs can interfere with secure boot routines on FPGA SoCs that are without any interruption on regular SoCs. An enabling factor is that integrated hardware designs are likely bought from external partners and there is a realistic lack of security review at the system integrators. This facilitates flaws or even unwanted functionality in such hardware designs. We perform a proof of concept on a Xilinx Zynq-7000 FPGA SoC, and the threat can be generalized to other devices. We also present as effective mitigation, an easy-to-review and re-usable wrapper module which prevents any unauthorized memory access by included hardware designs.

KW - FPGA SoCs

KW - Hardware design

KW - Outsourced

KW - Secure boot

KW - Threat

UR - https://www.scopus.com/pages/publications/85030836296

U2 - 10.1007/978-3-319-66787-4_21

DO - 10.1007/978-3-319-66787-4_21

M3 - Conference contribution

AN - SCOPUS:85030836296

SN - 9783319667867

T3 - Lecture Notes in Computer Science

SP - 425

EP - 442

BT - Cryptographic Hardware and Embedded Systems, CHES 2017 - 19th International Workshop, Proceedings

A2 - Fischer, Wieland

A2 - Homma, Naofumi

PB - Springer Verlag

T2 - 19th International Conference on Cryptographic Hardware and Embedded Systems, CHES 2017

Y2 - 25 September 2017 through 28 September 2017

ER -

How to break secure boot on FPGA SoCs through malicious hardware

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this