
"We built a fake network card that is capable of interacting with the operating system in the same way as a real one, including announcing itself correctly, causing drivers to attach, and sending and receiving network packets. To do this, we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA."

I wanted to call that out; that's nifty!



> we extracted a software model of an Intel E1000 from the QEMU full-system emulator and ran it on an FPGA.

I need to look up what they did for this - lots of the tools promise the ability to turn a pile of C into SystemVerilog, but require a bit of manual massaging.

Edit: "used the Arm Cortex A9 CPU on an Intel Arria 10 FPGA". Well, that's boring and much simpler.

It does not surprise me that drivers are not secure against maliciously-constructed messages from the "hardware". Most drivers are tested in a fairly limited fashion, and nobody's even got the infrastructure to fuzz them like this.

(There are lots of FPGA-on-PCIe boards, but they tend to be horribly expensive. This one is almost $5000. https://www.digikey.com/products/en?mpart=DK-DEV-10AX115S-A&...)


There was actually an interesting talk on fuzzing drivers in the session before ours: https://www.ndss-symposium.org/ndss-paper/periscope-an-effec...

We're working on porting to a cheaper FPGA-on-PCIe board, but it's still ~EUR 800.


Have you looked at PicoEVB ($300 mini-PCIe x1) or Numato Aller ($400 M.2 x4) with Xilinx Artix-7 FPGAs?


We need to use an Intel Arria or Stratix FPGA due to the 'config bypass' feature we use to allow QEMU to implement its own PCIe config registers. Xilinx, Lattice and Cyclone FPGAs don't support this as far as I can tell.


If you later move beyond QEMU, these OSS projects may be of interest.

https://github.com/texane/vpcie

> virtual environment consisting of QEMU, LINUX and GHDL glued altogether by a small TCP-based protocol. It allows PCIE devices to be implemented as standard userland processes, answering actual PCIE requests coming from QEMU. It supports PCIE configuration headers, requests, memory read/write operations and MSI. Different abstractions are provided to simplify the implementation of PCIE devices.

https://github.com/KastnerRG/riffa & http://kastner.ucsd.edu/wp-content/uploads/2014/04/admin/fpl...

> RIFFA (Reusable Integration Framework for FPGA Accelerators) is a simple framework for communicating data from a host CPU to an FPGA via a PCI Express bus. The framework requires a PCIe-enabled workstation and an FPGA on a board with a PCIe connector. RIFFA supports Windows and Linux, Altera and Xilinx, with bindings for C/C++, Python, MATLAB and Java. On the software side there are two main functions: data send and data receive ... Users can communicate with FPGA IP cores by writing only a few lines of code.


It is getting increasingly easy to buy off-the-shelf FPGA boards that plug into exposed computer ports. Fomu is particularly unobtrusive.


But not as likely to be a security vulnerability since it's strictly USB. Hmm, well, it depends very much on the probably very horrible USB driver.
