After years of development, FPGAs are finally making an appearance on multi-tenant cloud servers. These heterogeneous FPGA-CPU architectures break common assumptions about isolation and security boundaries. Since the FPGA and CPU architectures share hardware resources, a new class of vulnerabilities requires us to reassess the security and dependability of these platforms.
In this work, we analyze the memory and cache subsystem and study Rowhammer and cache attacks enabled on two proposed heterogeneous FPGA-CPU platforms by Intel: the Arria 10 GX with an integrated FPGA-CPU platform, and the Arria 10 GX PAC expansion card which connects the FPGA to the CPU via the PCIe interface. We show that while Intel PACs currently are immune to cache attacks from FPGA to CPU, the integrated platform is indeed vulnerable to Prime and Probe style attacks from the FPGA to the CPU's last level cache. Further, we demonstrate JackHammer, a novel and efficient Rowhammer from the FPGA to the host's main memory. Our results indicate that a malicious FPGA can perform twice as fast as a typical Rowhammer attack from the CPU on the same system and causes around four times as many bit flips as the CPU attack. We demonstrate the efficacy of JackHammer from the FPGA through a realistic fault attack on the WolfSSL RSA signing implementation that reliably causes a fault after an average of fifty-eight RSA signatures, 25% faster than a CPU rowhammer attack. In some scenarios our JackHammer attack produces faulty signatures more than three times more often and almost three times faster than a conventional CPU rowhammer attack.
Daniel Moghimi: Daniel Moghimi is a PhD candidate in the Department of Electrical and Computer Engineering at Worcester Polytechnic Institute (WPI). He received his Master of Science degree from the Department of Computer Science at WPI in 2017. His research interests are in the area of computer security with special focus on side channels and microarchitectural attacks. He has published in top tier academic conferences including papers in Usenix Security, ACM CCS, IEEE S&P. Some of his notable publications including Spoiler, ZombieLoad and TPM-Fail have been featured in the news articles by Ftorbes, Wired and The Register. In his free time, he enjoys reverse engineering, finding vulnerabilities, and being involved with various sports and outdoor activities.
Thore Tiemann: Thore Tiemann is a PhD candidate at the Institute for IT-Security at the University of Lübeck, Germany. He got his Master of Science degree from the University of Lübeck in 2020. His research interests lie in the area of microarchitectural attacks and FPGA security. He is part of the University's CTF team and loves solving crypto challenges.
Zane Weissman: Zane Weissman is a PhD candidate in the Department of Electrical and Computer Engineering at Worcester Polytechnic Institute, where she received her Master of Science in Electrical and Computer Engineering in 2019. Her research interests include computer microarchitecture, digital hardware design, cryptography, and security. In her free time, she enjoys rock climbing, cooking, and playing and listening to music.