100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans
2019-11-10, 16:30–16:55, Red Day

First commercially introduced in 2013, Cisco Trust Anchor module(TAm) is
a proprietary hardware security module that is used in a wide range of
Cisco products, including enterprise routers, switches and firewalls.
TAm is the foundational root of trust that underpins all other Cisco
security and trustworthy computing mechanisms in such devices. We
disclose two 0-day vulnerabilities and show a remotely exploitable
attack chain that reliably bypasses Cisco Trust Anchor. We present an
in-depth analysis of the TAm, from both theoretical and applied
perspectives. We present a series of architectural and practical flaws
of TAm, describe theoretical methods of attack against such flaws. Next,
we enumerate limitations in current state-of-the-art offensive
capabilities that made the design of TAm seem secure.
Using Cisco 1001-X series of Trust Anchor enabled routers as a
demonstrative platform, we present a detailed analysis of a current
implementation of TAm, including results obtained through hardware
reverse engineering, Trust Anchor FPGA bitstream analysis, and the
reverse engineering of numerous Cisco trustworthy computing mechanisms
that depend on TAm. Finally, we present two 0-day vulnerabilities within
Cisco IOS and TAm and demonstrate a remotely exploitable attack chain
that results in persistent compromise of an up-to-date Cisco router.
We discuss the implementation of our TAm bypass, which involves novel
methods of reliably manipulating FPGA functionality through bitstream
analysis and modification while circumventing the need to perform RTL
reconstruction. The use of our methods of manipulation creates numerous
possibilities in the exploitation of embedded systems that use FPGAs.
While this presentation focuses on the use of our FPGA manipulation
techniques in the context of Cisco Trust Anchor, we briefly discuss
other uses of our bitstream modification techniques.

Field-programmable gate arrays (FPGAs) are widely used in real-time, data-intensive, and mission critical system de- signs. In the space of trusted computing, FPGA-based security modules have appeared in a number of widely used security conscious devices. The Cisco Trust Anchor module (TAm) is one such example that is deployed in a significant number of enterprise network switches, routers, and firewalls. We discuss several novel direct FPGA bitstream manipulation techniques that exploit the relative simplicity of input and output pin configuration structures.
We present an analysis of the efficacy of Cisco TAm and discuss both the high-level architectural flaws of the TAm as well as implementation specific vulnerabilities in a TAm- protected Cisco router. By combining techniques presented in this talk with other recent advancements in FPGA bit- stream manipulation, we demonstrate the feasibility of reliable remote exploitation of all Cisco TAms implemented using Xilinx Spartan-6 FPGAs. The TAm exploit described in this presentation allows the attacker to fully bypass all Trust Anchor functionality, including hardware-assisted secure boot, and to stealthily inject persistent malicious implants within both the TAm FPGA and the application processor. Lastly, we discuss the applicability of our bitstream manipulation techniques to other FPGA-based devices and propose several practical mitigations.

Presentation Outline:
Cisco Trust Anchor, defeat the evil power! * What is it? What is it designed to do? * Brief historical context, life before TAm, evolution of Cisco secure boot & trustworthy system design. * Discussion of Patent US20120303941A1. * Overview of the FPGA-based TAm implementation on Cisco ASR1001-X. * Spoiler, FPGA is not immutable, but bitstream manipulation was thought to be infeasible at the time of design. Wrong on both counts...
Cisco 1001-X dissection, assay, and 5 fun ways to lose $10,000 fast! * Describe initial recon process, disassembly, and the first way to make a $10,000 mistake with a soldering iron. * Hypothesis A on secure boot process (we were super wrong) * A maze of twisty maze SPI chains and a JTAG multiplexer. * Electromagnetic emanation analysis, out of desperation. * Record emanation during boot process with near-field probe. * Power on, SPI read, SPI read, FPGA stuff, XEON processor stuff, everything else turns on. * Dump SPI content, find 2 Xilinx FPGA bitstreams. * Unencrypted bitstream = Good * Bitstream modification = Hard * We enter state of denial, pretend that we might win without having to understand the
FPGA. We go about exploring every other plausible attack path. We hoped the FPGA might disappear by itself. It did not.
TAm 0, Researchers -$50,000 * Hypothesis B on secure boot process (we were wrong, but at least we had amusing and creative imagination) * FPGA bitstream manipulation is complicated. We explore alternative attack paths * We destroy 3 routers. TAm is alive and well. Researchers must now defeat both TAm and poverty.

  • Hypothesis C: FPGA loads bitstream, becomes TAm, emulates a SPI device, yields XEON bootloader, performs integrity attestation
  • Hypothesis C.1: Upon detection of corruption, FPGA resets XEON processor.
  • Fan hypothesis suggests accurate due to pinout of processor
  • Destructive hardware analysis confirms that a FPGA pin is attached to the XEON processor RST pin.
  • Another -$10,000 for researchers, but TAm sees its metallic box fortress faltering, and begins to worry.
    FPGA Bitstream Manipulation
  • Current orthodoxy around FPGA bitstream manipulation.
  • Bitstream extraction -> unpack -> analysis -> "logic level recovery", usually RTL reconstruction -> modify recovered logic -> re-synthesize new logic to bitstream.
  • RTL reconstruction is a complex problem. RTL reconstruction without intimate knowledge of the specific FPGA hardware design is currently infeasible.
  • Orthodoxy be damned! We can circumvent RTL reconstruction and still win.
  • FPGA-based TAm asserts the CPU RST pin when it is unhappy about the integrity of system's

  • Build FRAK module to unpack bitstream.

  • Identify IOB that controls FPGA GPIO pin that affects RST pin. * Reconfigure IOB, disrupt verification process
  • Win without doing any RTL reconstruction.
    TAm -1, Researchers -$50,000, We Win!
  • We broke $50,000 equipment, but learnt valuable lessons * Fundamental flaw of FPGA-based TAm design
  • FPGA is not immutable (theoretical flaw)
  • FPGA bitstream manipulation is now feasible (practical flaw) * All FPGA-based TAm implementations are vulnerable
  • How does a firmware patch fix a hardware design flaw? * Spoiler, it can't.
  • What about encrypted FPGA bitstreams?
  • Describe PSIRT 0968652476, a remotely exploitable command injection vulnerability that yields rootshell.
  • Chain PSIRT 0513862549 with PSIRT 0968652476, demonstrate remote FPGA bitstream manipulation attack to bypass Cisco Trust Anchor on ASR1001-X.
  • The Cisco patch is out. What does it do? What does it not do?
  • How do you know if your Cisco device has been compromised? Can you really tell from IOS?
  • Not really, but we'll show you how you can test it yourself. (We plan to release an audit tool, pending approval from Cisco)
  • Direct FPGA bitstream modification has many interesting new applications
  • We can add any additional logic into the bitstream if enough unused FPGA real-estate exists. * We can remove select FPGA functionality. Certainly at a IO pin level.
  • We can remove functionality, and add functionality, all without RTL reconstruction.
  • What to do with this newly found power?
  • Automotive ADAS, weapon guidance & control systems