Memory Scraping Attack on Xilinx FPGAs: Private Data Extraction from Terminated Processes

Bharadwaj Madabhushi, Sandip Kundu, Daniel Holcomb

TL;DR

The paper investigates memory privacy risks in FPGA accelerators, showing that local FPGA DRAM memory used by offloaded processes can retain data after termination due to inadequate sanitization and weak process isolation. It introduces a debugger-based memory-scraping attack on Xilinx PetaLinux-enabled FPGAs, mapping terminated-process memory via process maps and pagemaps to physical addresses, then extracting and analyzing data to identify models and reconstruct inputs. The authors demonstrate the approach on a Xilinx ZCU104 board with a resnet50_pt workload, successfully extracting model identifiers and recovering a corrupted input image, thereby highlighting a practical confidentiality flaw in FPGA-based accelerators. The work motivates the need for memory-initialization techniques, stronger memory sanitization, and restricted debugger access to mitigate cross-tenant data leakage in hardware accelerators, with ethical disclosure and plans to share tooling for reproducibility.

Abstract

FPGA-based hardware accelerators are becoming increasingly popular due to their versatility, customizability, energy efficiency, constant latency, and scalability. FPGAs can be tailored to specific algorithms, enabling efficient hardware implementations that effectively leverage algorithm parallelism. This can lead to significant performance improvements over CPUs and GPUs, particularly for highly parallel applications. For example, a recent study found that Stratix 10 FPGAs can achieve up to 90% of the performance of a TitanX Pascal GPU while consuming less than 50% of the power. This makes FPGAs an attractive choice for accelerating machine learning (ML) workloads. However, our research finds privacy and security vulnerabilities in existing Xilinx FPGA-based hardware acceleration solutions. These vulnerabilities arise from the lack of memory initialization and insufficient process isolation, which create potential avenues for unauthorized access to private data used by processes. To illustrate this issue, we conducted experiments using a Xilinx ZCU104 board running the PetaLinux tool from Xilinx. We found that PetaLinux does not effectively clear memory locations associated with a terminated process, leaving them vulnerable to a memory scraping attack (MSA). This paper makes two main contributions. The first contribution is an attack methodology of using the Xilinx debugger from a different user space. We find that we are able to access process IDs, virtual address spaces, and pagemaps of one user from a different user space because of a lack of adequate process isolation. The second contribution is a methodology for characterizing terminated processes and accessing their private data. We illustrate this on the Xilinx ML application library.
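
The two root causes named in the abstract, missing memory initialization and weak process isolation, can be checked for on an embedded Linux image with the added example below, which is not code from the paper or from Xilinx. It assumes the standard Linux boot parameters `init_on_alloc` and `init_on_free` and the procfs `hidepid` mount option as the relevant controls; the paper does not name these, and the sample inputs are constructed rather than captured from a ZCU104.

```python
"""Added example: audit Linux settings relevant to residual-memory exposure."""

# Constructed sample inputs (not captured from a real board).
SAMPLE_CMDLINE = "console=ttyPS0,115200 root=/dev/mmcblk0p2 rw rootwait"
SAMPLE_MOUNTS = "/dev/root / ext4 rw,relatime 0 0\nproc /proc proc rw,relatime 0 0\n"
HARDENED_CMDLINE = SAMPLE_CMDLINE + " init_on_alloc=1 init_on_free=1"
HARDENED_MOUNTS = (
    "/dev/root / ext4 rw,relatime 0 0\n"
    "proc /proc proc rw,relatime,hidepid=invisible 0 0\n"
)


def cmdline_params(cmdline):
    """Split a kernel command line into a {key: value} mapping."""
    params = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        params[key] = value
    return params


def proc_mount_options(mounts):
    """Return the mount options of the procfs instance mounted on /proc."""
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            return dict(opt.partition("=")[::2] for opt in fields[3].split(","))
    return {}


def audit(cmdline, mounts):
    """Return the names of the controls that are not enabled."""
    params = cmdline_params(cmdline)
    proc_opts = proc_mount_options(mounts)
    checks = {
        # Zero pages when they are freed, so a terminated process leaves no data.
        "init_on_free": params.get("init_on_free") == "1",
        # Zero pages when they are handed out to a new owner.
        "init_on_alloc": params.get("init_on_alloc") == "1",
        # Hide other users' /proc/<pid> entries (PIDs, maps, pagemap).
        "proc_hidepid": proc_opts.get("hidepid") in ("2", "invisible"),
    }
    return [name for name, ok in checks.items() if not ok]


def audit_live():
    """Run the same audit against the running system."""
    with open("/proc/cmdline") as c, open("/proc/mounts") as m:
        return audit(c.read(), m.read())
```

A kernel built with these options on by default will not show them on the command line, and none of these settings restricts a hardware debugger that reads physical memory directly, so an empty result is necessary rather than sufficient.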

Paper Structure (11 sections, 12 figures)

This paper contains 11 sections, 12 figures.

Figures (12)

  • Figure 1: A general host-based system.
  • Figure 2: A high level block diagram of Zynq Ultrascale+ MPSoC.
  • Figure 3: Target Board (Xilinx's Zynq ZCU104)
  • Figure 4: The top image (a) represents an example input for the resnet50_pt model, provided by Xilinx. The bottom image (b) shows a corrupted version achieved by altering specific pixel locations within the original image. About 20% of the image has been intentionally omitted to highlight that the original image is modified.
  • Figure 5: (Step 1) Process list before victim model was run.
  • ...and 7 more figures