ACM Transactions on Reconfigurable Technology and Systems (IF 2.3). Pub Date: 2024-04-30. DOI: 10.1145/3633204. Authors: Nils Albartus 1, Maik Ender 1, Jan-Niklas Möller 1, Marc Fyrbiak 1, Christof Paar 1, Russell Tessier 2
Field Programmable Gate Arrays (FPGAs) have become increasingly popular in computing platforms. With recent advances in bitstream format reverse engineering, the scientific community has widely explored static FPGA security threats. For example, it is now possible to convert a bitstream to a netlist, revealing design information, and to apply modifications to the static bitstream based on this knowledge. However, a systematic study of how an understanding of the bitstream format affects the security of the dynamic configuration process, particularly for Xilinx’s Internal Configuration Access Port (ICAP), is lacking. This article fills this gap by comprehensively analyzing the security implications of ICAP interfaces, which primarily support dynamic partial reconfiguration. We delve into the Xilinx bitstream file format, identify misconceptions in the official documentation, and propose novel configuration (attack) primitives based on dynamic reconfiguration, i.e., creating, reading, updating, and deleting circuits in the FPGA without requiring them to be pre-defined during the design phase. Our primitives are consolidated in a novel Stealthy Reconfigurable Adaptive Trojan framework that conceals Trojans and evades state-of-the-art netlist reverse engineering methods. As FPGAs become integral to modern cloud computing, this research presents crucial insights on potential security risks, including the possibility of a malicious tenant or provider altering or spying on another tenant’s configuration undetected.
Title: On the Malicious Potential of Xilinx’s Internal Configuration Access Port (ICAP)