Showing 1–12 of 12 results for author: Ender, M

Patching FPGAs: The Security Implications of Bitstream Modifications

Authors: Endres Puschner, Maik Ender, Steffen Becker, Christof Paar

Abstract: Field Programmable Gate Arrays (FPGAs) are known for their reprogrammability that allows for post-manufacture circuitry changes. Nowadays, they are integral to a variety of systems including high-security applications such as aerospace and military systems. However, this reprogrammability also introduces significant security challenges, as bitstream manipulation can directly alter hardware circuit… ▽ More Field Programmable Gate Arrays (FPGAs) are known for their reprogrammability that allows for post-manufacture circuitry changes. Nowadays, they are integral to a variety of systems including high-security applications such as aerospace and military systems. However, this reprogrammability also introduces significant security challenges, as bitstream manipulation can directly alter hardware circuits. Malicious manipulations may lead to leakage of secret data and the implementation of hardware Trojans. In this paper, we present a comprehensive framework for manipulating bitstreams with minimal reverse engineering, thereby exposing the potential risks associated with inadequate bitstream protection. Our methodology does not require a complete understanding of proprietary bitstream formats or a fully reverse-engineered target design. Instead, it enables precise modifications by inserting pre-synthesized circuits into existing bitstreams. This novel approach is demonstrated through a semi-automated framework consisting of five steps: (1) partial bitstream reverse engineering, (2) designing the modification, (3) placing and (4) routing the modification into the existing circuit, and (5) merging of the modification with the original bitstream. We validate our framework through four practical case studies on the OpenTitan design synthesized for Xilinx 7-Series FPGAs. While current protections such as bitstream authentication and encryption often fall short, our work highlights and discusses the urgency of developing effective countermeasures. We recommend using FPGAs as trust anchors only when bitstream manipulation attacks can be reliably excluded. △ Less

Submitted 17 November, 2024; originally announced November 2024.

JustSTART: How to Find an RSA Authentication Bypass on Xilinx UltraScale(+) with Fuzzing

Authors: Maik Ender, Felix Hahn, Marc Fyrbiak, Amir Moradi, Christof Paar

Abstract: Fuzzing is a well-established technique in the software domain to uncover bugs and vulnerabilities. Yet, applications of fuzzing for security vulnerabilities in hardware systems are scarce, as principal reasons are requirements for design information access (HDL source code). Moreover, observation of internal hardware state during runtime is typically an ineffective information source, as its docu… ▽ More Fuzzing is a well-established technique in the software domain to uncover bugs and vulnerabilities. Yet, applications of fuzzing for security vulnerabilities in hardware systems are scarce, as principal reasons are requirements for design information access (HDL source code). Moreover, observation of internal hardware state during runtime is typically an ineffective information source, as its documentation is often not publicly available. In addition, such observation during runtime is also inefficient due to bandwidth-limited analysis interfaces (JTAG, and minimal introspection of internal modules). In this work, we investigate fuzzing for 7-Series and UltraScale(+) FPGA configuration engines, the control plane governing the (secure) bitstream configuration within the FPGA. Our goal is to examine the effectiveness of fuzzing to analyze and document the opaque inner workings of FPGA configuration engines, with a primary emphasis on identifying security vulnerabilities. Using only the publicly available chip and dispersed documentation, we first design and implement ConFuzz, an advanced FPGA configuration engine fuzzing and rapid prototyping framework. Based on our detailed understanding of the bitstream file format, we then systematically define 3 novel key fuzzing strategies for Xilinx configuration engines. Moreover, our strategies are executed through mutational structure-aware fuzzers and incorporate various novel custom-tailored, FPGA-specific optimizations. Our evaluation reveals previously undocumented behavior within the configuration engine, including critical findings such as system crashes leading to unresponsive states of the FPGA. In addition, our investigations not only lead to the rediscovery of the starbleed attack but also uncover JustSTART (CVE-2023-20570), capable of circumventing RSA authentication for Xilinx UltraScale(+). Note that we also discuss countermeasures. △ Less

Submitted 15 February, 2024; originally announced February 2024.

Hybrid Magnonic-Oscillator System

Authors: A. Hamadeh, D. Breitbach, M. Ender, A. Koujok, M. Mohseni, F. Kohl, J. Maskill, M. Bechberger, P. Pirro

Abstract: We propose a hybrid magnonic-oscillator system based on the combination of a spin transfer auto-oscillator and a magnonic waveguide to open new perspectives for spin-wave based circuits. The system is composed of a spin transfer oscillator based on a vortex state which is dipolarly coupled to a nanoscale spin-wave waveguide with longitudinal magnetization. In its auto-oscillating regime, the oscil… ▽ More We propose a hybrid magnonic-oscillator system based on the combination of a spin transfer auto-oscillator and a magnonic waveguide to open new perspectives for spin-wave based circuits. The system is composed of a spin transfer oscillator based on a vortex state which is dipolarly coupled to a nanoscale spin-wave waveguide with longitudinal magnetization. In its auto-oscillating regime, the oscillator emits coherent spin waves with tunable and controllable frequencies, directions and amplitudes into the waveguide. We demonstrate the principle of this method using micromagnetic simulations and show that reconfiguration of the system is possible by changing the chirality and polarity of the magnetic vortex. Spin waves are emitted into the waveguide with high non-reciprocity and the preferred direction depends on the core polarity of the vortex. In contrast, different vortex chiralities lead to different amplitudes of the emitted waves. Our findings open up a novel way to design an agile spintronic device for the coherent and tunable generation of propagating spin waves. △ Less

Submitted 22 December, 2022; originally announced December 2022.

Journal ref: Journal of Applied Physics 132, 183904 (2022)

Parametric Excitation and Instabilities of Spin Waves driven by Surface Acoustic Waves

Authors: Moritz Geilen, Roman Verba, Alexandra Nicoloiu, Daniele Narducci, Adrian Dinescu, Milan Ender, Morteza Mohseni, Florin Ciubotaru, Mathias Weiler, Alexandru Müller, Burkard Hillebrands, Christoph Adelmann, Philipp Pirro

Abstract: The parametric excitation of spin waves by coherent surface acoustic waves is demonstrated experimentally in metallic magnetic thin film structures. The involved magnon modes are analyzed with micro-focused Brillouin light scattering spectroscopy and complementary micromagnetic simulations combined with analytical modelling are used to determine the origin of the spin-wave instabilities. Depending… ▽ More The parametric excitation of spin waves by coherent surface acoustic waves is demonstrated experimentally in metallic magnetic thin film structures. The involved magnon modes are analyzed with micro-focused Brillouin light scattering spectroscopy and complementary micromagnetic simulations combined with analytical modelling are used to determine the origin of the spin-wave instabilities. Depending on the experimental conditions, we observe spin-wave instabilities originating from different phonon-magnon and magnon-magnon scattering processes. Our results demonstrate that an efficient excitation of high amplitude, strongly nonlinear magnons in metallic ferromagnets is possible by surface acoustic waves, which opens novel ways to create micro-scaled nonlinear magnonic systems for logic and data processing that can profit from the high excitation efficiency of phonons using piezoelectricity. △ Less

Submitted 16 August, 2022; v1 submitted 11 January, 2022; originally announced January 2022.

Comments: This project has received funding from the European Union's Horizon 2020 research and innovation program under grant agreement No. 801055 "Spin Wave Computing for Ultimately-Scaled Hybrid Low-Power Electronics" - CHIRON

How Not to Protect Your IP -- An Industry-Wide Break of IEEE 1735 Implementations

Authors: Julian Speith, Florian Schweins, Maik Ender, Marc Fyrbiak, Alexander May, Christof Paar

Abstract: Modern hardware systems are composed of a variety of third-party Intellectual Property (IP) cores to implement their overall functionality. Since hardware design is a globalized process involving various (untrusted) stakeholders, a secure management of the valuable IP between authors and users is inevitable to protect them from unauthorized access and modification. To this end, the widely adopted… ▽ More Modern hardware systems are composed of a variety of third-party Intellectual Property (IP) cores to implement their overall functionality. Since hardware design is a globalized process involving various (untrusted) stakeholders, a secure management of the valuable IP between authors and users is inevitable to protect them from unauthorized access and modification. To this end, the widely adopted IEEE standard 1735-2014 was created to ensure confidentiality and integrity. In this paper, we outline structural weaknesses in IEEE 1735 that cannot be fixed with cryptographic solutions (given the contemporary hardware design process) and thus render the standard inherently insecure. We practically demonstrate the weaknesses by recovering the private keys of IEEE 1735 implementations from major Electronic Design Automation (EDA) tool vendors, namely Intel, Xilinx, Cadence, Siemens, Microsemi, and Lattice, while results on a seventh case study are withheld. As a consequence, we can decrypt, modify, and re-encrypt all allegedly protected IP cores designed for the respective tools, thus leading to an industry-wide break. As part of this analysis, we are the first to publicly disclose three RSA-based white-box schemes that are used in real-world products and present cryptanalytical attacks for all of them, finally resulting in key recovery. △ Less

Submitted 9 December, 2021; originally announced December 2021.

Fully Resonant Magneto-elastic Spin-wave Excitation by Surface Acoustic Waves under Conservation of Energy and Linear Momentum

Authors: Moritz Geilen, Alexandra Nicoloiu, Daniele Narducci, Morteza Mohseni, Moritz Bechberger, Milan Ender, Florin Ciubotaru, Alexandru Müller, Burkard Hillebrands, Christoph Adelmann, Philipp Pirro

Abstract: We report on the resonant excitation of spin waves in micro-structured magnetic thin films by surface acoustic waves (SAWs). The spin waves as well as the acoustic waves are studied by micro-focused Brillouin light scattering spectroscopy. Besides the excitation of the ferromagnetic resonance, a process which does not fulfill momentum conservation, also the excitation of finite-wavelength spin wav… ▽ More We report on the resonant excitation of spin waves in micro-structured magnetic thin films by surface acoustic waves (SAWs). The spin waves as well as the acoustic waves are studied by micro-focused Brillouin light scattering spectroscopy. Besides the excitation of the ferromagnetic resonance, a process which does not fulfill momentum conservation, also the excitation of finite-wavelength spin waves can be observed at low magnetic fields. Using micromagnetic simulations, we verify that during this excitation both energy and linear momentum are conserved and fully transferred from the SAW to the spin wave. △ Less

Submitted 11 January, 2022; v1 submitted 28 June, 2021; originally announced June 2021.

Comments: This project has received funding from the European Union's Horizon 2020 research and innovation program under grant agreement No. 801055 "Spin Wave Computing for Ultimately-Scaled Hybrid Low-Power Electronics" - CHIRON

The Unpatchable Silicon: A Full Break of the Bitstream Encryption of Xilinx 7-Series FPGAs

Authors: Maik Ender, Amir Moradi, Christof Paar

Abstract: The security of FPGAs is a crucial topic, as any vulnerability within the hardware can have severe consequences, if they are used in a secure design. Since FPGA designs are encoded in a bitstream, securing the bitstream is of the utmost importance. Adversaries have many motivations to recover and manipulate the bitstream, including design cloning, IP theft, manipulation of the design, or design su… ▽ More The security of FPGAs is a crucial topic, as any vulnerability within the hardware can have severe consequences, if they are used in a secure design. Since FPGA designs are encoded in a bitstream, securing the bitstream is of the utmost importance. Adversaries have many motivations to recover and manipulate the bitstream, including design cloning, IP theft, manipulation of the design, or design subversions e.g., through hardware Trojans. Given that FPGAs are often part of cyber-physical systems e.g., in aviation, medical, or industrial devices, this can even lead to physical harm. Consequently, vendors have introduced bitstream encryption, offering authenticity and confidentiality. Even though attacks against bitstream encryption have been proposed in the past, e.g., side-channel analysis and probing, these attacks require sophisticated equipment and considerable technical expertise. In this paper, we introduce novel low-cost attacks against the Xilinx 7-Series (and Virtex-6) bitstream encryption, resulting in the total loss of authenticity and confidentiality. We exploit a design flaw which piecewise leaks the decrypted bitstream. In the attack, the FPGA is used as a decryption oracle, while only access to a configuration interface is needed. The attack does not require any sophisticated tools and, depending on the target system, can potentially be launched remotely. In addition to the attacks, we discuss several countermeasures. △ Less

Submitted 28 May, 2021; originally announced May 2021.

Reducing cybersickness in 360-degree virtual reality

Authors: Iqra Arshad, Paulo De Mello, Martin Ender, Jason D. McEwen, Elisa R. Ferré

Abstract: Despite the technological advancements in Virtual Reality (VR), users are constantly combating feelings of nausea and disorientation, the so called cybersickness. Cybersickness symptoms cause severe discomfort and hinder the immersive VR experience. Here we investigated cybersickness in 360-degree head-mounted display VR. In traditional 360-degree VR experiences, translational movement in the real… ▽ More Despite the technological advancements in Virtual Reality (VR), users are constantly combating feelings of nausea and disorientation, the so called cybersickness. Cybersickness symptoms cause severe discomfort and hinder the immersive VR experience. Here we investigated cybersickness in 360-degree head-mounted display VR. In traditional 360-degree VR experiences, translational movement in the real world is not reflected in the virtual world, and therefore self-motion information is not corroborated by matching visual and vestibular cues, which may trigger symptoms of cybersickness. We have evaluated whether a new Artificial Intelligence (AI) software designed to supplement the 360-degree VR experience with artificial 6-degrees-of-freedom motion may reduce cybersickness. Explicit (simulator sickness questionnaire and fast motion sickness rating) and implicit (heart rate) measurements were used to evaluate cybersickness symptoms during and after 360-degree VR exposure. Simulator sickness scores showed a significant reduction in feelings of nausea during the AI supplemented 6-degrees-of-freedom motion VR compared to traditional 360-degree VR. However, 6-degrees-of-freedom motion VR did not reduce oculomotor or disorientation measures of sickness. No changes have been observed in fast motion sickness and heart rate measures. Improving the congruency between visual and vestibular cues in 360-degree VR, as provided by the AI supplemented 6-degrees-of-freedom motion system considered, is essential to provide a more engaging, immersive and safe VR, which is critical for educational, cultural and entertainment applications. △ Less

Submitted 17 November, 2021; v1 submitted 5 March, 2021; originally announced March 2021.

Comments: 27 pages, 1 figure; Software available at https://www.kagenova.com/products/copernic360/

Insights into the Mind of a Trojan Designer: The Challenge to Integrate a Trojan into the Bitstream

Authors: Maik Ender, Pawel Swierczynski, Sebastian Wallat, Matthias Wilhelm, Paul Martin Knopp, Christof Paar

Abstract: The threat of inserting hardware Trojans during the design, production, or in-field poses a danger for integrated circuits in real-world applications. A particular critical case of hardware Trojans is the malicious manipulation of third-party FPGA configurations. In addition to attack vectors during the design process, FPGAs can be infiltrated in a non-invasive manner after shipment through altera… ▽ More The threat of inserting hardware Trojans during the design, production, or in-field poses a danger for integrated circuits in real-world applications. A particular critical case of hardware Trojans is the malicious manipulation of third-party FPGA configurations. In addition to attack vectors during the design process, FPGAs can be infiltrated in a non-invasive manner after shipment through alterations of the bitstream. First, we present an improved methodology for bitstream file format reversing. Second, we introduce a novel idea for Trojan insertion. △ Less

Submitted 1 October, 2019; originally announced October 2019.

Journal ref: ASPDAC 2019 Proceedings of the 24th Asia and South Pacific Design Automation Conference Pages 112-119

Highway to HAL: Open-Sourcing the First Extendable Gate-Level Netlist Reverse Engineering Framework

Authors: Sebastian Wallat, Nils Albartus, Steffen Becker, Max Hoffmann, Maik Ender, Marc Fyrbiak, Adrian Drees, Sebastian Maaßen, Christof Paar

Abstract: Since hardware oftentimes serves as the root of trust in our modern interconnected world, malicious hardware manipulations constitute a ubiquitous threat in the context of the Internet of Things (IoT). Hardware reverse engineering is a prevalent technique to detect such manipulations. Over the last years, an active research community has significantly advanced the field of hardware reverse engin… ▽ More Since hardware oftentimes serves as the root of trust in our modern interconnected world, malicious hardware manipulations constitute a ubiquitous threat in the context of the Internet of Things (IoT). Hardware reverse engineering is a prevalent technique to detect such manipulations. Over the last years, an active research community has significantly advanced the field of hardware reverse engineering. Notably, many open research questions regarding the extraction of functionally correct netlists from Field Programmable Gate Arrays (FPGAs) or Application Specific Integrated Circuits (ASICs) have been tackled. In order to facilitate further analysis of recovered netlists, a software framework is required, serving as the foundation for specialized algorithms. Currently, no such framework is publicly available. Therefore, we provide the first open-source gate-library agnostic framework for gate-level netlist analysis. In this positional paper, we demonstrate the workflow of our modular framework HAL on the basis of two case studies and provide profound insights on its technical foundations. △ Less

Submitted 1 October, 2019; originally announced October 2019.

Journal ref: Proceedings of Malicious Software and Hardware in Internet of Things (MAL-IOT 2019). ACM, NewYork, NY, USA, Article 4, 6 pages

Dignité - DIGital Network Information & Traces Extraction

Authors: Thomas Marcel Ender, Patrick Vananti

Abstract: Web-based criminality like counterfeiting uses web applications which are hosted on web servers. Those servers contain a lot of information which can be used to identify the owner and other connected persons like hosters, shipping partners, money mules and more. These pieces of information reveal insights on the owner or provider of a fraud website, thus we can call them traces. These traces can t… ▽ More Web-based criminality like counterfeiting uses web applications which are hosted on web servers. Those servers contain a lot of information which can be used to identify the owner and other connected persons like hosters, shipping partners, money mules and more. These pieces of information reveal insights on the owner or provider of a fraud website, thus we can call them traces. These traces can then be used by the police, law enforcement authorities or the legal representatives of the victim. In our project 2 we had identified a vast range of possible traces. We had also considered their information content and existing limitations. During our Bachelor thesis, we have selected several traces and started the implementation of the API with its underlying library. After the successful implementation of the selected traces, we have created a graphical user interface to allow the use of our solution without using a command-line interface. To do so, we have learned to use the Scala Programming Language and its integration with Java code. The graphical user interface of our example application is built using Scala Swing, the Scala adoption of the Swing Framework. The test cases are defined using ScalaTest with FlatSpec and Matchers and executed using the JUnit Runner. △ Less

Submitted 27 October, 2015; originally announced October 2015.

Thunderstorm Observations by Air-Shower Radio Antenna Arrays

Authors: W. D. Apel, J. C. Arteaga, L. Bähren, K. Bekk, M. Bertaina, P. L. Biermann, J. Blümer, H. Bozdog, I. M. Brancus, P. Buchholz, S. Buitink, E. Cantoni, A. Chiavassa, K. Daumiller, V. de Souza, P. Doll, M. Ender, R. Engel, H. Falcke, M. Finger, D. Fuhrmann, H. Gemmeke, C. Grupen, A. Haungs, D. Heck , et al. (35 additional authors not shown)

Abstract: Relativistic, charged particles present in extensive air showers lead to a coherent emission of radio pulses which are measured to identify the shower initiating high-energy cosmic rays. Especially during thunderstorms, there are additional strong electric fields in the atmosphere, which can lead to further multiplication and acceleration of the charged particles and thus have influence on the for… ▽ More Relativistic, charged particles present in extensive air showers lead to a coherent emission of radio pulses which are measured to identify the shower initiating high-energy cosmic rays. Especially during thunderstorms, there are additional strong electric fields in the atmosphere, which can lead to further multiplication and acceleration of the charged particles and thus have influence on the form and strength of the radio emission. For a reliable energy reconstruction of the primary cosmic ray by means of the measured radio signal it is very important to understand how electric fields affect the radio emission. In addition, lightning strikes are a prominent source of broadband radio emissions that are visible over very long distances. This, on the one hand, causes difficulties in the detection of the much lower signal of the air shower. On the other hand the recorded signals can be used to study features of the lightning development. The detection of cosmic rays via the radio emission and the influence of strong electric fields on this detection technique is investigated with the LOPES experiment in Karlsruhe, Germany. The important question if a lightning is initiated by the high electron density given at the maximum of a high-energy cosmic-ray air shower is also investigated, but could not be answered by LOPES. But, these investigations exhibit the capabilities of EAS radio antenna arrays for lightning studies. We report about the studies of LOPES measured radio signals of air showers taken during thunderstorms and give a short outlook to new measurements dedicated to search for correlations of lightning and cosmic rays. △ Less

Submitted 28 March, 2013; originally announced March 2013.

Journal ref: Advances in Space Research, Volume 48, Issue 7, 1 October 2011, Pages 1295-1303, ISSN 0273-1177, 10.1016/j.asr.2011.06.003. (http://www.sciencedirect.com/science/article/pii/S0273117711004297)