Karlsruhe Institute of Technology (KIT) – The Research University in the Helmholtz Association
campus of the KIT
With more than 9,000 employees and an annual budget of about EUR 785 million, KIT is one of the biggest research and education institutions worldwide and has the potential of reaching a top position in selected research areas on an international level. The objective is to turn KIT into an institution of top research, excellent scientific education, and a prominent location of academic life, life-long learning, comprehensive advanced training, unrestricted exchange of know-how, and sustainable innovation culture.
Uncovered vulnerability of cloud service hardware
Cloud services and the Internet of Things often use FPGA chips, which are considered relatively secure. Scientists have now found a vulnerability that needs to be protected against attacks.
Field programmable gate arrays (FPGAs) are more flexible than ordinary, specialized computer chips. So far, they have been considered particularly secure. (Photo: Gnad, KIT)
They are the Lego bricks of computer manufacturers: Field Programmable Gate Arrays (FPGAs) are electronic components that can be used very flexibly, unlike ordinary computer chips. FPGAs are also used in large data centers that are used for cloud services, such as those offered by large tech companies. So far, the use of such services has been considered relatively secure. Researchers at the Karlsruhe Institute of Technology (KIT) have found potential entry points for cybercriminals, as explained in the journal IACR. (DOI: 10.13154)
While traditional chips usually only perform a very specific, consistent task, FPGAs can handle virtually any function of any other chip, which is why they are often used in the development of new devices or systems. “FPGAs, for example, are installed in the first product batch of new devices because, in contrast to a special chip, whose expensive development pays off only in very large quantities, they can be subsequently changed,” says Dennis Gnad from the Institute for Technical Informatics (ITEC) of the KIT. You could imagine it as if you were building a sculpture out of reusable Lego bricks, instead of hardening modeling clay, explains the computer scientist.
These digital jacks-of-all-trades are used in a wide range of areas such as smartphones, networks, the Internet, medical technology, vehicle electronics and aerospace. At the same time, FPGAs consume comparatively little power, which is ideal for use in the server farms of cloud services. In addition, the programmable chips have another advantage: they can be divided as required. “For example, one customer can use the upper half of the FPGA, a second one can use the lower one,” says Jonas Krautter, also from ITEC. For cloud services, this is an attractive usage scenario. Examples include tasks in the fields of databases, AI applications such as machine learning, or financial applications.
Use by multiple users allows attacks
The problem: “The use of a chip with FPGA by multiple users at the same time is a gateway for malicious attacks,” says Gnad. The versatility of FPGAs gives crafty hackers the opportunity to perform so-called side-channel attacks. The attackers draw information from the chips’ energy consumption, which they can use to crack the encryption. With such in-chip measurements, one customer of the cloud service can spy on another, warns Gnad. In addition, hackers could not only spot telltale fluctuations in power consumption, but also generate them themselves. “This can distort the calculations of other customers, or even the entire chip could crash, causing data to be lost,” explains Krautter. There are similar dangers with other chips, Gnad continues, for example those often used in Internet of Things applications such as intelligent heating controls or lighting.
Gnad and Krautter want to solve the problem by limiting the users’ immediate access to the FPGAs. “The difficulty lies in filtering out malicious users without restricting legitimate users too much,” says Gnad.