JustSTART: How to Find an RSA Authentication Bypass on Xilinx UltraScale(+) with Fuzzing
CoRR (2024)
Abstract
Fuzzing is a well-established technique in the software domain for uncovering bugs and vulnerabilities. Yet applications of fuzzing to security vulnerabilities in hardware systems are scarce, principally because they require access to design information (HDL source code). Moreover, observing internal hardware state during runtime is typically an ineffective information source, as its documentation is often not publicly available. In addition, such runtime observation is also inefficient due to bandwidth-limited analysis interfaces (JTAG) and minimal introspection of internal modules. In this work, we investigate fuzzing for 7-Series and UltraScale(+) FPGA configuration engines, the control plane governing the (secure) bitstream configuration within the FPGA. Our goal is to examine the effectiveness of fuzzing for analyzing and documenting the opaque inner workings of FPGA configuration engines, with a primary emphasis on identifying security vulnerabilities. Using only the publicly available chip and dispersed documentation, we first design and implement ConFuzz, an advanced FPGA configuration engine fuzzing and rapid prototyping framework. Based on our detailed understanding of the bitstream file format, we then systematically define 3 novel key fuzzing strategies for Xilinx configuration engines. Moreover, our strategies are executed through mutational structure-aware fuzzers and incorporate various novel custom-tailored, FPGA-specific optimizations. Our evaluation reveals previously undocumented behavior within the configuration engine, including critical findings such as system crashes leading to unresponsive states of the FPGA. In addition, our investigations not only lead to the rediscovery of the starbleed attack but also uncover JustSTART (CVE-2023-20570), which is capable of circumventing RSA authentication on Xilinx UltraScale(+). We also discuss countermeasures.
Keywords
FPGA, FPGA Configuration Engine, FPGA Security, FPGA Bitstream Protection, Hardware Fuzzing, Fuzzing Framework