It has been reported that, in a joint research project, scientists from the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum and from Max Planck Institute for Security and Privacy have discovered a critical vulnerability is hidden in FPGAs’. Field Programmable Gate Arrays (FPGAs) are flexibly programmable computer chips that are considered to be very secure components and are deployed in many applications. The team has called the security bug “Starbleed” and attackers can gain complete control over the chips and their functionalities via the vulnerability. Since the bug is integrated into the hardware, the security risk can only be removed by replacing the chips. The manufacturer of the FPGAs has been informed by the researchers and has already reacted.
As Internet connectivity becomes ubiquitous, it seems that everything in the world is transforming into what is effectively a differently-shaped computer—from planes to cars to buildings to household appliances and everything in between. FPGAs play a central role in speeding along this evolution.
Field Programmable Gate Arrays (FPGAs, for short) are computer chips that are effectively digital Lego blocks. While normal CPUs and GPUs are what is referred to as “instruction-based” and execute software, FPGAs are programmed to become a digital circuit. FPGAs can then be chained together rather easily to have the circuitry execute a wide variety of tasks that previously were relegated to the old-style alarms, monitors, gauges, and a great many other non-digital, non-Internet-enabled things that many of us grew up with.
FPGAs have great utility in the modern world, derived largely from their properties of being both hardware and programmable to form all kinds of circuits. While it’s not quite this simple, you can effectively tell some FPGAs to do toaster things and tell a different group of exactly the same model of FPGAs to do some thermostat things. That’s really handy, like using the same Lego blocks to build a rocket or bridge.
We need to understand the difference between what an FPGA is and what it does. While we can tell an FPGA to “be a toaster,” the FPGA itself is a device with its own properties. One of those properties is the ability to be “field programmable” to become a particular kind of circuit. That’s really handy. Unfortunately, if an attacker with physical access can tell the FPGA to do something different, like to not shut off when the toaster overheats, then the FPGA-enabled device fails to meet our expectations and bad things can happen.
A vulnerability allowing such a thing was recently discovered in a series of FPGAs. Unfortunately, given the nature of FPGAs, the vendor can’t simply send out a “patch Tuesday” blast so IT teams can fix these devices. In fact, the devices can’t even be fixed locally by a hardware expert. The nature of the vulnerability is such that the devices have to be replaced. This will take time and effort. Meanwhile, anyone affected by the patch should ensure their physical security procedures are commensurate with whatever is being touched, monitored, or otherwise affected by FPGAs in their environment. Over time, lessons learned from this event will help everyone in the FPGA design industry.