March 2, 2020


Defeating Cisco Trust Anchor: A Case-Study of Recent Advancements in Direct FPGA Bitstream Manipulation


Talk Title: Defeating Cisco Trust Anchor: A Case-Study of Recent Advancements in Direct FPGA Bitstream Manipulation
Speakers: Jatin Kataria
Conference: NANOG77
Location: Austin, TX
Date: Oct 28 2019 - Oct 30 2019
URL: Talk Page
Slides: Talk Slides
Video: Talk Video

In the space of trusted computing, FPGA-based security modules have appeared in a number of widely used, security-conscious devices. The Cisco Trust Anchor module (TAm) is one such example; it is deployed in a significant number of enterprise network switches, routers and firewalls. We discuss several novel direct FPGA bitstream manipulation techniques that exploit the relative simplicity of the input/output block (IOB) pin configuration structures. We present an analysis of the efficacy of the Cisco TAm and discuss both the high-level architectural flaws of the TAm and the implementation-specific vulnerabilities in a TAm-protected Cisco router. By combining the techniques presented in this talk with other recent advancements in FPGA bitstream manipulation, we demonstrate the feasibility of reliable remote exploitation of all Cisco TAm variants implemented on Xilinx Spartan-6 FPGAs. The TAm exploit described in this presentation allows the attacker to fully bypass all Trust Anchor functionality, including hardware-assisted secure boot, and to stealthily inject persistent malicious implants into both the TAm FPGA and the application processor.

Outline:

* Describe the Cisco ASR1001-X TAm and the initial reconnaissance process.
* Record electromagnetic emanations during the boot process with a near-field probe.
* Hypothesis: the FPGA loads its bitstream and becomes the TAm, emulates a SPI device, serves the Xeon bootloader, and performs integrity attestation on it.
* Upon detecting corruption, the FPGA resets the Xeon processor.

FPGA bitstream manipulation:

* RTL reconstruction is a complex problem; without intimate knowledge of the specific FPGA hardware design it is currently infeasible.
* Instead, identify and reconfigure the IOB that controls the FPGA GPIO pin driving the Xeon RST (reset) pin.
* With that pin's IOB reconfigured, the corruption-triggered reset never reaches the Xeon, so the attack wins without any RTL reconstruction.
* This is a fundamental flaw of the FPGA-based TAm design: all FPGA-based TAm implementations are vulnerable.
* Chain PSIRT 0513862549 and PSIRT 0968652476 to demonstrate a remote FPGA bitstream manipulation attack that bypasses the TAm.
* Explanation of the Cisco patch.
* Effect: automotive ADAS, weapon guidance and control systems.
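The pivotal step in the outline above is locating the configuration bits of a single IOB inside an opaque bitstream without reconstructing the design. A standard way to do that is differential analysis: build two bitstreams for the same part that differ only in one IOB setting, then compare their configuration words after the sync word. The Python below is an added illustration, not the speaker's tooling or any Cisco or Red Balloon code; it assumes the usual Xilinx .bit container layout (fields a to e), the 0xAA995566 sync word and 16-bit Spartan-6 configuration words, and the two "bitstreams" it diffs are constructed sample bytes, not real Spartan-6 output.

```python
"""Xilinx .bit container parsing and differential bitstream analysis.

Added illustration, not code from the talk. Assumptions: the standard .bit
container layout (0x0009 preamble, fields a..e), the Xilinx sync word
0xAA995566, and 16-bit configuration words as used by Spartan-6. The sample
pair produced by sample_pair() is constructed here and is not a real bitstream.
"""
import struct
from dataclasses import dataclass

# .bit container preamble: 0x0009, the nine-byte 0x0ff00ff0... pattern, 0x0001.
BIT_MAGIC = bytes.fromhex("00090ff00ff00ff00ff0000001")
SYNC_WORD = bytes.fromhex("aa995566")       # Xilinx configuration sync word
CONFIG_WORD_SIZE = 2                         # Spartan-6 configuration words are 16 bits


@dataclass
class BitFile:
    design: str
    part: str
    date: str
    time: str
    payload: bytes      # raw configuration data (field 'e')
    sync_offset: int    # offset of the sync word inside payload, -1 if absent


def _read_field(buf: bytes, pos: int, tag: str, length_size: int):
    """Read one tagged field: tag byte, big-endian length (2 or 4 bytes), data."""
    if buf[pos:pos + 1] != tag.encode("ascii"):
        raise ValueError(f"expected field {tag!r} at offset {pos}")
    pos += 1
    (n,) = struct.unpack_from(">H" if length_size == 2 else ">I", buf, pos)
    pos += length_size
    return buf[pos:pos + n], pos + n


def parse_bit(buf: bytes) -> BitFile:
    """Split a .bit container into its metadata strings and raw payload."""
    if not buf.startswith(BIT_MAGIC):
        raise ValueError("not a .bit container")
    pos = len(BIT_MAGIC)
    text = {}
    for tag in "abcd":
        data, pos = _read_field(buf, pos, tag, 2)
        text[tag] = data.rstrip(b"\0").decode("ascii")
    payload, _ = _read_field(buf, pos, "e", 4)
    return BitFile(text["a"], text["b"], text["c"], text["d"],
                   payload, payload.find(SYNC_WORD))


def build_bit(design: str, part: str, date: str, time: str, payload: bytes) -> bytes:
    """Serialize a .bit container; used here only to construct sample input."""
    out = bytearray(BIT_MAGIC)
    for tag, value in zip("abcd", (design, part, date, time)):
        data = value.encode("ascii") + b"\0"
        out += tag.encode("ascii") + struct.pack(">H", len(data)) + data
    out += b"e" + struct.pack(">I", len(payload)) + payload
    return bytes(out)


def diff_config_words(a: BitFile, b: BitFile, word_size: int = CONFIG_WORD_SIZE):
    """Return (word index after sync, hex word in a, hex word in b) for every
    configuration word that differs. Both inputs must target the same part and
    have equal-length payloads, i.e. be a minimal pair built from one design."""
    if a.part != b.part:
        raise ValueError("bitstreams target different parts")
    if a.sync_offset < 0 or b.sync_offset < 0:
        raise ValueError("sync word not found")
    pa = a.payload[a.sync_offset + len(SYNC_WORD):]
    pb = b.payload[b.sync_offset + len(SYNC_WORD):]
    if len(pa) != len(pb):
        raise ValueError("payload lengths differ; not a minimal pair")
    diffs = []
    for off in range(0, len(pa) - word_size + 1, word_size):
        wa, wb = pa[off:off + word_size], pb[off:off + word_size]
        if wa != wb:
            diffs.append((off // word_size, wa.hex(), wb.hex()))
    return diffs


def sample_pair():
    """Constructed stand-in for two bitstreams differing in one IOB config bit."""
    body = b"\xff" * 16 + SYNC_WORD + bytes(range(64))   # dummy words, sync, 32 words
    patched = bytearray(body)
    patched[16 + len(SYNC_WORD) + 10 * CONFIG_WORD_SIZE] ^= 0x80  # flip a bit in word 10
    meta = ("tam_demo;UserID=0xFFFFFFFF", "6slx45csg324", "2019/10/28", "12:00:00")
    return parse_bit(build_bit(*meta, body)), parse_bit(build_bit(*meta, bytes(patched)))


if __name__ == "__main__":
    base, changed = sample_pair()
    for index, wa, wb in diff_config_words(base, changed):
        print(f"config word {index}: {wa} -> {wb}")
```

The diff reports which configuration words carry the IOB setting you toggled; on real hardware those word offsets map to frame addresses, and any frame you then edit still has to pass the device's configuration CRC, so a practical tool either recomputes it or removes the check, which this example does not do.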
