100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans

Black Hat USA 2019

Presented by: Ang Cui, Richard Housley, Jatin Kataria
Date: Thursday August 08, 2019
Time: 09:45 - 10:35
Location: Islander FG

First commercially introduced in 2013, Cisco Trust Anchor module(TAm) is a proprietary hardware security module that is used in a wide range of Cisco products, including enterprise routers, switches and firewalls. TAm is the foundational root of trust that underpins all other Cisco security and trustworthy computing mechanisms in such devices. We disclose two 0-day vulnerabilities and show a remotely exploitable attack chain that reliably bypasses Cisco Trust Anchor.

We present an in-depth analysis of the TAm, from both theoretical and applied perspectives. We then present a series of architectural and practical flaws of TAm and describe theoretical methods of attack against such flaws. Next, we enumerate limitations in current state-of-the-art offensive capabilities that made the design of TAm appear secure.

Using Cisco 1001-X series of Trust Anchor enabled routers as a demonstrative platform, we delve into a detailed analysis of a current implementation of TAm, including results obtained through hardware reverse engineering, Trust Anchor FPGA bitstream analysis, and the reverse engineering of numerous Cisco trustworthy computing mechanisms that depend on TAm. Finally, we present two 0-day vulnerabilities within Cisco IOS and TAm and demonstrate a remotely exploitable attack chain that results in persistent compromise of an up-to-date Cisco router.

We will discuss the implementation of our TAm bypass, which involves novel methods of reliably manipulating FPGA functionality through bitstream analysis and modification while circumventing the need to perform RTL reconstruction. The use of our methods of manipulation creates numerous possibilities in the exploitation of embedded systems that use FPGAs. While this presentation focuses on the use of our FPGA manipulation techniques in the context of Cisco Trust Anchor, we briefly discuss other uses of our bitstream modification techniques.

Jatin Kataria

Jatin Kataria is the Principal Research Scientist at Red Balloon Security where he architects defensive technologies for embedded systems. Playing both the role of cat and of mouse at Red Balloon, he has many suggesting that he may be the first real source of perpetual energy. He tires of n-days easily and is always looking for new and exciting ELF shenanigans, caching complications, and the Fedex guy who lost his engagement ring. Prior to his time at Red Balloon Security, Jatin worked at a number of firms as a systems software developer and earned his Master of Engineering at Columbia University.

Richard Housley

Rick Housley is a Research Scientist at Red Balloon Security and leads their advanced hardware reverse engineering efforts. He often finds himself at the end of a soldering iron hoping he has not bricked another expensive COTS product. His focus at Red Balloon includes vulnerability discovery and the development of novel firmware extraction techniques. When not designing secure-boot defeating EMPs and interposers, he is building axe handles and baby rattles in his wood-shop.

Ang Cui

Dr. Ang Cui is the Founder and Chief Scientist of Red Balloon Security. Dr. Cui received his PhD from Columbia University in 2015. His doctoral dissertation, titled "Embedded System Security: A Software-based Approach", focused exclusively on scientific inquiries concerning the exploitation and defense embedded systems. Ang has focused on developing new technologies to defend embedded systems against exploitation. During the course of his research, he has uncovered a number of serious vulnerabilities within ubiquitous embedded devices like Cisco routers, HP printers and Cisco IP phones. Dr. Cui is also the author of FRAK and the inventor of Software Symbiote technology. Ang has received various awards on his work on reverse engineering commercial devices and is also the recipient of the Symantec Graduate Fellowship and was selected as a DARPA Riser in 2015.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats