Abstract
After years of development, FPGAs are finally making an appearance on multi-tenant cloud servers. Heterogeneous FPGA-CPU microarchitectures require reassessment of common assumptions about isolation and security boundaries, as they introduce new attack vectors and vulnerabilities. In this work, we analyze the memory and cache subsystem and study Rowhammer and cache attacks enabled by two proposed heterogeneous FPGA-CPU platforms from Intel: the Arria 10 GX with an integrated FPGA-CPU platform, and the Arria 10 GX PAC expansion card which connects the FPGA to the CPU via the PCIe interface. We demonstrate JackHammer, a novel, efficient, and stealthy Rowhammer from the FPGA to the host’s main memory. Our results indicate that a malicious FPGA can perform twice as fast as a typical Rowhammer from the CPU on the same system and causes around four times as many bit flips as the CPU attack. We demonstrate the efficacy of JackHammer from the FPGA through a realistic fault attack on the WolfSSL RSA signing implementation that reliably causes a fault after an average of fifty-eight RSA signatures, 25% faster than a CPU Rowhammer. In some scenarios our JackHammer attack produces faulty signatures more than three times more often and almost three times faster than a conventional CPU Rowhammer. Finally, we systematically analyze new cache attacks in these environments following demonstration of a cache covert channel across FPGA and CPU.
Highlights
In recent years, as improvements in the performance of microprocessors have slowed, developers have looked to other computing resources
We investigated all possibilities of cache interaction offered by the CCI-P interface on an FPGA Programmable Acceleration Card (PAC) and found that cache lines read by the Accelerator Functional Unit (AFU) from the main memory will not get cached
We show that modern FPGA-CPU hybrid systems can be more vulnerable to well-known hardware attacks that are traditionally seen on CPU-only systems
Summary
As improvements in the performance of microprocessors have slowed, developers have looked to other computing resources. Amazon Web Services [Ama17] and Alibaba Cloud [Ali19] already offer FPGA instances with ultra-high performance Xilinx Virtex UltraScale+ and Intel Arria 10 GX FPGAs to the consumer market. These FPGAs are designed for high I/O bandwidth and high compute capacity, making them ideal for server workloads. High-end FPGAs can be integrated into a server as an accelerator, e.g. connected via PCIe interface [Int18b, Xil19]. Such combinations provide unprecedented performance over a high-throughput and low-latency connection with the versatility of a reprogrammable FPGA infrastructure shared among cloud users. We propose attacks that exploit practical use cases of these interfaces to target adjacent systems such as the CPU memory and cache
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have