JustSTART: How to Find an RSA Authentication Bypass on Xilinx UltraScale(+) with Fuzzing
- URL: http://arxiv.org/abs/2402.09845v1
- Date: Thu, 15 Feb 2024 10:03:35 GMT
- Title: JustSTART: How to Find an RSA Authentication Bypass on Xilinx UltraScale(+) with Fuzzing
- Authors: Maik Ender, Felix Hahn, Marc Fyrbiak, Amir Moradi, Christof Paar
- Abstract summary: We investigate fuzzing for 7-Series and UltraScale(+) FPGA configuration engines. Our goal is to examine the effectiveness of fuzzing to analyze and document the inner workings of FPGA configuration engines.
- Score: 12.338137154105034
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Fuzzing is a well-established technique in the software domain to uncover bugs and vulnerabilities. Yet, applications of fuzzing for security vulnerabilities in hardware systems are scarce, as principal reasons are requirements for design information access (HDL source code). Moreover, observation of internal hardware state during runtime is typically an ineffective information source, as its documentation is often not publicly available. In addition, such observation during runtime is also inefficient due to bandwidth-limited analysis interfaces (JTAG, and minimal introspection of internal modules). In this work, we investigate fuzzing for 7-Series and UltraScale(+) FPGA configuration engines, the control plane governing the (secure) bitstream configuration within the FPGA. Our goal is to examine the effectiveness of fuzzing to analyze and document the opaque inner workings of FPGA configuration engines, with a primary emphasis on identifying security vulnerabilities. Using only the publicly available chip and dispersed documentation, we first design and implement ConFuzz, an advanced FPGA configuration engine fuzzing and rapid prototyping framework. Based on our detailed understanding of the bitstream file format, we then systematically define 3 novel key fuzzing strategies for Xilinx configuration engines. Moreover, our strategies are executed through mutational structure-aware fuzzers and incorporate various novel custom-tailored, FPGA-specific optimizations. Our evaluation reveals previously undocumented behavior within the configuration engine, including critical findings such as system crashes leading to unresponsive states of the FPGA. In addition, our investigations not only lead to the rediscovery of the starbleed attack but also uncover JustSTART (CVE-2023-20570), capable of circumventing RSA authentication for Xilinx UltraScale(+). Note that we also discuss countermeasures.
Related papers
- Demystifying OS Kernel Fuzzing with a Novel Taxonomy [42.56259589772939] (arXiv, 2025-01-27)
  We present the first systematic study dedicated to OS kernel fuzzing.
  It begins by summarizing the progress of 99 academic studies from top-tier venues between 2017 and 2024.
  We introduce a stage-based fuzzing model and a novel fuzzing taxonomy that highlights nine core functionalities unique to kernel fuzzing.
- Patching FPGAs: The Security Implications of Bitstream Modifications [7.018192484539043] (arXiv, 2024-11-17)
  FPGAs are known for their reprogrammability that allows for post-manufacture circuitry changes.
  Malicious manipulations may lead to leakage of secret data and the implementation of hardware Trojans.
  We present a framework for manipulating bitstreams with minimal reverse engineering.
- G-Fuzz: A Directed Fuzzing Framework for gVisor [48.85077340822625] (arXiv, 2024-09-20)
  G-Fuzz is a directed fuzzing framework for gVisor.
  G-Fuzz has been deployed in industry and has detected multiple serious vulnerabilities.
- Transferable Watermarking to Self-supervised Pre-trained Graph Encoders by Trigger Embeddings [43.067822791795095] (arXiv, 2024-06-19)
  Graph Self-supervised Learning (GSSL) enables pre-training of foundation graph encoders.
  The easy-to-plug-in nature of such encoders makes them vulnerable to copyright infringement.
  We develop a novel watermarking framework to protect graph encoders in GSSL settings.
- MaliGNNoma: GNN-Based Malicious Circuit Classifier for Secure Cloud FPGAs [1.6273816588362844] (arXiv, 2024-03-04)
  MaliGNNoma is a machine learning-based solution that accurately identifies malicious FPGA configurations.
  It can be employed by cloud service providers as an initial security layer within a necessary multi-tiered security system.
  MaliGNNoma achieves a classification accuracy and precision of 98.24% and 97.88%, respectively, surpassing state-of-the-art approaches.
- WhisperFuzz: White-Box Fuzzing for Detecting and Locating Timing Vulnerabilities in Processors [18.926324727139377] (arXiv, 2024-02-06)
  Researchers have adapted black-box or grey-box fuzzing to detect timing vulnerabilities in processors.
  We present WhisperFuzz, the first white-box fuzzer with static analysis.
  We detect and locate timing vulnerabilities in processors and evaluate the coverage of microarchitectural timing behaviors.
- Patch2QL: Discover Cognate Defects in Open Source Software Supply Chain With Auto-generated Static Analysis Rules [1.9591497166224197] (arXiv, 2024-01-23)
  We propose a novel technique for detecting cognate defects in OSS through the automatic generation of SAST rules.
  Specifically, it extracts key syntax and semantic information from pre- and post-patch versions of code.
  We have implemented a prototype tool called Patch2QL and applied it to fundamental OSS in C/C++.
- Stealing Maggie's Secrets -- On the Challenges of IP Theft Through FPGA Reverse Engineering [5.695727681053481] (arXiv, 2023-12-11)
  We present a real-world case study on a Lattice iCE40 FPGA found inside the iPhone 7.
  By reverse engineering the proprietary signal-processing algorithm implemented on Maggie, we generate novel insights into the actual effort required to commit FPGA IP theft.
  We then introduce general netlist reverse engineering techniques that drastically reduce the required manual effort.
- Global Context Aggregation Network for Lightweight Saliency Detection of Surface Defects [70.48554424894728] (arXiv, 2023-09-22)
  We develop a Global Context Aggregation Network (GCANet) for lightweight saliency detection of surface defects on the encoder-decoder structure.
  First, we introduce a novel transformer encoder on the top layer of the lightweight backbone, which captures global context information through a novel Depth-wise Self-Attention (DSA) module.
  The experimental results on three public defect datasets demonstrate that the proposed network achieves a better trade-off between accuracy and running efficiency compared with 17 other state-of-the-art methods.
- On the Security Blind Spots of Software Composition Analysis [46.1389163921338] (arXiv, 2023-06-08)
  We present a novel approach to detect vulnerable clones in the Maven repository.
  We retrieve over 53k potentially vulnerable clones from Maven Central.
  We detect 727 confirmed vulnerable clones and synthesize a testable proof-of-vulnerability project for each of those.
- Beyond the Prior Forgery Knowledge: Mining Critical Clues for General Face Forgery Detection [61.74632676703288] (arXiv, 2023-04-24)
  We propose a novel Critical Forgery Mining framework, which can be flexibly assembled with various backbones to boost generalization and performance.
  Specifically, we first build a fine-grained triplet and suppress specific forgery traces through prior-knowledge-agnostic data augmentation.
  We then propose a fine-grained relation learning prototype to mine critical information in forgeries through instance and local similarity-aware losses.