Anthony Karnowski
A field-programmable gate array (FPGA) is an integrated circuit designed to be configured by a customer or a designer after manufacturing—hence "field-programmable". The FPGA configuration is generally specified using a hardware description language (HDL), similar to that used for an application-specific integrated circuit.
The ability to update the functionality after shipping, partial re-configuration of a portion of the design and the low non- recurring engineering costs relative to an Application specific integrated circuit design offer advantages for many applications. Basically the time in production for using this type of controller is much shorter.
FPGA’s are widely used in all of the following industries and applications Aerospace and Defense Avionics/DO-254 MILCOM Missles & Munitions Secure Solutions Space Audio Connectivity Solutions Portable Electronics Radio Automotive High Resultion Video Image Processing Vehicle Networking and Connectivity Automotive Infotainment Broadcast Real-Time Video Engine EdgeQAM Encoders Displays Switches and Routers Consumer Electronics Digital Displays Digital Cameras Multi-function Printers Portable Electronics Set-top Boxes Data Center Servers Security Routers Switches Gateways Load Balancing High Performance Computing Servers Super Computers SIGINT Systems High-end RADARS High-end Beam Forming Systems Data Mining Systems Industrial Industrial Imaging Industrial Networking Motor Control Medical Ultrasound CT Scanner MRI X-ray PET Surgical Systems Security Industrial Imaging Secure Solutions Image Processing Video & Image Processing High Resolution Video Video Over IP Gateway Digital Displays Industrial Imaging Wired Communications Optical Transport Networks Network Processing Connectivity Interfaces Wireless Communications Baseband Connectivity Interfaces Mobile Backhaul Radio
The FPGA industry is a 2.75 billion dollar a year industry. – Considering the low cost of FPGA’s, and the fact that there are in so many devices, we will just say ALOT!! We will be looking at a specific FGPA later. – 50,000 of these units are produced a year and have been for the last 5 years. – These FPGA’s are specifically used in large format LED signage.
FPGA’s are physically vulnerable. – FPGA’s can be easily flashed by Jtag connection. – Flash protocols are some time vendor specific, we are not going to in depth. FPGA’s often have vulnerable services. – FPGA’s operating systems often offer backdoor services for re-flashing.
CompanyProductProcessor ENEA Embedded TechnologyOSEPowerPC® 405 eSOL Co., LtdPrKernel (µITRON4.0)PowerPC 405 / MicroBlaze™ Express LogicThreadX®PowerPC 405, 440 / MicroBlaze Green Hills SoftwareIntegrity®PowerPC 405, 440 LynuxWorksBlueCat LinuxPowerPC 405, 440 LynuxWorksLynuxOSPowerPC 405 Mentor Graphics ESDNucleus PlusPowerPC 405, 440 / Microblaze MicriµmµC/OS-IIPowerPC 405 / MicroBlaze MiSPONORTi/ulTRONPowerPC 405 / MicroBlaze MontaVista SoftwareMontaVista LinuxPowerPC 405, 440 PetaLogixuClinux and Petalinux 2.6MicroBlaze QNXNeutrino®PowerPC 405 Wind River SystemsVxWorks®PowerPC 405, 440 Wind River SystemsWind River GPP LinuxPowerPC 405, 440 TimesysLinuxLinkPowerPC 405, 440
FPGA’s are made by the manufacturer to be “field programmable.” – This means that usually the device can be flashed by physically connecting to the device. – Some third party operating systems allow for a flash to be reset to defaults by way of a system service. A great example would be of both would be a wireless router. – Most wireless routers have a reset button to reset the router to defaults. – Most routers also have a web-based management system that allows the same. – Most routers even have a configuration page to load firmware. – And most routers are using some sort of FPGA controller Consider that most of these third party operating systems are based on open source technologies or are freely available to users. It is pretty easy to get an understanding of vulnerabilities in a device. I would suspect that some of the students in this course have loaded third party firmware on a router at some point. When dealing with another FPGA, the ideas are no different.
External Storage in form of USB. External Storage in form of Compact Flash. External Storage in form of SD Card. FPGA Controller RJ-45 and JTAG Connection
We don’t have access to the device to Flash via the JTAG. – The controller is under lock and Key. After a couple of scans we found that our device has many services running. – FTP – HTTP for configuration – Telnet – SSH
We have guessed the root username and password for this device. We connected via telnet and can run any of the following commands from the existing Linux kernel. We have at least one storage device available to us. If this device is on a network with other computers, we will be able to mount an attack from the device. We will use wget to download the necessary packages. We will store them to external storage. We will use make and install to build source packages. We will attack the network. We will use FTP to send data collected off network. As this kernel is Linux based, we may be able to install and run a full installation of Metasploit. As this is a full Linux kernel, a worm or virus could also be ran via root privileges.
The first thing we do is create a separate user for the software package to use. We edit the software to only have access to needed services. The next thing we do is add a stronger password for the root user. We always try to present the end customer with a closed network separate from their network. If we install on the network we deny the controller access to the Internet.
Yes. Other devices have some of the same services installed and running for diagnostics and communications. FPGA’s are used in a wide variety of networking equipment. We must maintain the security of FPGA’s to maintain our networks. Please be weary.
ECEs spot FPGA security weakness; Finding may lead to new chip ID – US Military Chips "Compromised” – compromised/ compromised/ Study looks into Xilinx FPGAs' vulnerability – S S Backdoor Found (Maybe) in Chinese-Made Military Silicon Chips –