Compromising FPGA SoCs using Malicious Hardware Blocks

Nisha Jacob1,a, Carsten Rolfes1,b, Andreas Zankl1,c, Johann Heyszl1,d and Georg Sigl1,2,e,f
1Fraunhofer Institute for Applied and Integrated Security (AISEC), Munich, Germany.
2Technische Universitat Miinchen, Munich, Germany.


Modern FPGA System-on-Chips (SoCs) combine high performance application processors with reconfigurable hardware. This allows to enhance complex software systems with reconfigurable hardware accelerators. Unfortunately, even when state-of-the-art software security mechanisms are implemented, this combination creates new security threats. Attacks on the software are now possible through the reconfigurable hardware as these cores share resources with the processor and may contain unwanted functionality. In this paper, we discuss software protection mechanisms offered in conventional SoCs and how they can be circumvented by malicious hardware blocks. As a concrete example, we show how the malicious functionality within an IP core accesses and replaces critical memory sections. We refer to this type of attacks as hardware-assisted attacks against running software systems. We carry-out a proof-of-concept on the Xilinx Zynq device which runs a Linux OS and a software application that verifies system updates. The malicious IP core replaces the public key used to verify system updates, thus, allowing an attacker to maliciously update the FPGA SoC. Additionally, we propose a countermeasure that can be applied against such threats in the form of a security wrapper for hardware modules.

Keywords: FPGA SoCs, Zynq, Third party IP, Hardwareassisted attacks.

Full Text (PDF)