Defeating Cisco Trust Anchor: A Case-Study of Recent Advancements in Direct FPGA Bitstream Manipulation

Authors:

Jatin Kataria, Rick Housley, Joseph Pantoga, and Ang Cui, Red Balloon Security

Abstract:

Field-programmable gate arrays (FPGAs) are widely used in real-time, data-intensive, and mission-critical system designs. In the space of trusted computing, FPGA-based security modules have appeared in a number of widely used security-conscious devices. The Cisco Trust Anchor module (TAm) is one such example; it is deployed in a significant number of enterprise network switches, routers, and firewalls. We discuss several novel direct FPGA bitstream manipulation techniques that exploit the relative simplicity of input and output pin configuration structures.

We present an analysis of the efficacy of the Cisco TAm and discuss both the high-level architectural flaws of the TAm and implementation-specific vulnerabilities in a TAm-protected Cisco router. By combining the techniques presented in this paper with other recent advancements in FPGA bitstream manipulation, we demonstrate the feasibility of reliable remote exploitation of all Cisco TAms implemented using Xilinx Spartan-6 FPGAs. The TAm exploit described in this paper allows the attacker to fully bypass all Trust Anchor functionality, including hardware-assisted secure boot, and to stealthily inject persistent malicious implants within both the TAm FPGA and the application processor. Lastly, we discuss the applicability of our bitstream manipulation techniques to other FPGA-based devices and propose several practical mitigations.

BibTeX
@inproceedings {238600,
author = {Jatin Kataria and Rick Housley and Joseph Pantoga and Ang Cui},
title = {Defeating Cisco Trust Anchor: A {Case-Study} of Recent Advancements in Direct {FPGA} Bitstream Manipulation},
booktitle = {13th USENIX Workshop on Offensive Technologies (WOOT 19)},
year = {2019},
address = {Santa Clara, CA},
url = {https://www.usenix.org/conference/woot19/presentation/kataria},
publisher = {USENIX Association},
month = aug
}