Toward a Hardware Man-in-the-Middle Attack on PCIe bus for Smart Data Replay
Mohamed Amine Khelif (1), Jordane Lorandel (1), Olivier Romain (1), Matthieu Regnery (2), Denis Baheux (2) and Guillaume Barbu (3)
(1) Laboratoire ETIS UMR 8051, Université Paris-Seine, Université de Cergy-Pontoise, ENSEA, CNRS, F-95000 Cergy, France
(2) Institut de Recherche Criminelle de la Gendarmerie Nationale, 95000 Pontoise, France
(3) IDEMIA augmented identity
{mohamed-amine.khelif, jordane.lorandel, olivier.romain}@ensea.fr
Abstract—The growing need for speed in recent embedded systems leads to the adoption of the high-speed communication protocol PCIe (Peripheral Component Interconnect Express) as an internal data bus. This technology is used in some recent smartphones and will probably be adopted by the others in the next few years. The communication between the SoC and its memory through the PCIe bus represents an important source of information for criminal investigations. In this paper, we present a new reliable attack vector on PCIe. We chose to perform a hardware Man-in-the-Middle attack, allowing real-time data analysis, data replay and a copy technique inspired by the shadow-copy principle. Through this attack, we will be able to locate, duplicate and replay sensitive data. The main challenge of this article is to develop an architecture compliant with PCIe protocol constraints such as response time, frequency and throughput, in order to be invisible to the communicating parties. We designed a proof of concept of an emulator based on a computer with a PCIe 3.0 bus and a Stratix 5 FPGA with an endpoint PCIe port as the development target.
Keywords-Hardware, Man-in-the-Middle, Security, PCIe, Smartphones, Forensic.
I. INTRODUCTION
With the emergence of the Internet of Things (IoT) and the Internet of Everything (IoE), and the proliferation of communicating objects that store and share data with their environment, new issues and opportunities are created in many fields of application, such as industry, health care, smart homes and so on. Moreover, with recent technological advances, these objects have become more and more complex, integrating ever more sophisticated functionalities, implemented either in hardware or in software.
Smartphones, smart TVs, laptops, tablets or even connected watches are some examples of devices that store personal and sensitive data that must be strongly protected. In case of attack, these devices could represent new backdoors into information systems, and a third party could benefit from these data without user consent. These backdoors are called vulnerabilities, and their number has greatly increased in the last years [1]. From the point of view of forensic experts, accessing personal data on a smartphone without permission has become one of the main challenges today in retrieving information from crime scenes. A taxonomy of attacks is given below, in order to better specify their properties and the positioning of our approach. We deliberately focus on attacks targeting smartphones. For the forensic and criminal investigation domain, we decided to categorize these attacks into three types, depending on their operating range, their advantages and the complexity of countermeasures:
Software Attacks Level (SAL) attacks are realized by exploiting vulnerabilities in operating systems or applications to obtain a privilege escalation, or by confusing the user about the nature of the software to obtain more privileges. Both approaches aim to leak secret data or even to take control of the infected device. The main advantage of this type of attack is the unlimited distance between the attacker and the victim. However, the attacker has little or no precision on the targeted device. This constraint makes this kind of attack unattractive for forensic experts, except for specific cases where the target is clearly identifiable and can be precisely attacked, like a piece of evidence. Countermeasures are easily deployable: usually a simple antivirus program can solve the problem.
Protocol Attacks Level (PAL) attacks target both wired and wireless communication protocols that do not require a hardware modification to interact with. For smartphones, this applies to NFC, Bluetooth, WiFi, USB and RF communications. These attacks require the attacker to be within the range of the device protocol, i.e. from the USB connector up to 30 m for WiFi, and need a minimum of equipment to interact with the protocol. Depending on the vulnerability used and the chosen protocol, countermeasures may be more or less difficult to implement through a software update.
Hardware Attacks Level (HAL) attacks do not exploit vulnerabilities to gain privileges or to leak data; they create their own vulnerabilities on devices by modifying the hardware and realizing unexpected interactions with its components. Historically, chips like the CPU, GPU, AES cryptocore, RAM, cache memory, NAND and baseband are the most affected by these attacks. As of now, they are more complicated to exploit due to physical countermeasures like shields and sensors implemented directly into the chips, making them more robust. Moreover, the periodic increase of transistor density with each new generation of processor creates an indirect countermeasure, due to the difficulty of performing accurate and efficient attacks. The other alternatives for hardware attacks are the internal communication buses, such as the I2C bus or, more recently in smartphones, the PCIe (Peripheral Component Interconnect Express) bus. The most challenging part of an attack on internal data buses consists in interfacing with them while satisfying high throughput and short response time requirements. Countermeasures against hardware attacks are more complex to deploy, as they have to wait for the next generation of devices to be integrated.
Hybrid attacks are also possible by combining attacks on different levels to recover data from a device.
In this paper, we present the design of an FPGA-based platform that will be used to perform a hardware Man-in-the-Middle (MitM) attack on the PCIe bus of a computer which emulates the behavior of a SoC. This MitM is able to log, modify and copy the data into a shadow memory in order to replay them to the host. The main challenge of our architecture is to perform this attack in real time and without being detected by the host; for this, we must imperatively respect the highly constraining requirements of PCIe such as response time, frequency and throughput. The architecture and the attack are designed with a smartphone implementation in mind, but remain compatible with all devices using a PCIe bus.
This paper is organized as follows: Section II gives a state of the art related to the main known attacks on smartphones and the Man-in-the-Middle technique. Then, Section III describes the proposed approach. Finally, experimental results are presented in Section IV, and perspectives and conclusion are given.
II. RELATED WORKS
The growing interest of security agencies in accessing information and personal data accumulated by connected objects is notable, particularly for criminal investigations. Smartphones hold a large amount of personal information (SMS, phone calls, GPS positions, contacts, photos, etc.) that can be used to resolve criminal investigations.
[Figure 1 (block diagram): communication protocols (NFC, Wi-Fi, Bluetooth, baseband, SIM card, RF transceiver, WLAN), data processing and storage (SoC with CPU, GPU, processor cache and AES; stacked RAM; non-volatile memory connected over PCIe), sensors, screen, power supply, and the OS and applications layer.]
Fig. 1. Simplified smartphone architecture.
Figure 1 illustrates the architecture of a smartphone, allowing the identification of the generic components that can be targeted by either protocol, software or hardware attacks.
A. Attacks on smartphones
For the forensic domain, we propose the following taxonomy of smartphone attacks:
1) Software Attacks Level: malware attacks are the fastest to implement, as they require only a computer to be realized. They have the advantage of being achievable at a long distance, with more or less efficiency and accuracy depending on the type of malware used and the attack desired. Malware for smartphones works in the same way as for computers. Several types exist, and the most relevant for forensic purposes are:
Viruses: for example Hummingbad [2], FalseGuide [3] and the Shedun family [4], to name the most famous ones, are used to modify, corrupt or delete data and/or files on the device.
Spyware: malicious software installed on a device in order to collect and transfer private information without the user's knowledge. A well-known example is Pegasus [5], which is capable of collecting passwords, gathering information from other apps, and tracking location, phone calls and text messages.
Trojans: malicious programs disguised as legitimate applications, such as Swearing [6], a banking trojan operating in China that collects personal data and bank account information and bypasses the bank's two-factor authentication.
Rootkits: malware designed to infect devices in order to install the tools necessary to take full control of them. For example, the rootkit Gooligan [7] breached over one million Google accounts by rooting the infected device and accessing data from various Google applications.
2) Protocol Attacks Level: another kind of attack targets the wireless and wired communication protocols used by smartphones, by exploiting implementation vulnerabilities.
Bluetooth: the most recent attack on Bluetooth, and at the same time one of the major ones, was carried out in September 2017 by the Armis Labs company after the discovery of eight zero-day vulnerabilities known as BlueBorne [8]. These vulnerabilities result from defects in the Bluetooth protocol stack implementation and affect all devices running Linux, Windows, Android, tvOS and iOS. Proofs of concept were realized on Android [22] and Linux [23] devices.
USB: the objective of Mactans [10] is to perform an attack on an iPhone running iOS 6 by injecting a malicious application through the USB port, without the user's agreement, to take control of the device. Mactans is a proof of concept realized after a study of the security mechanisms against arbitrary application installation and execution, as well as of the daily activities performed by users. To perform this attack, the user must unlock his phone at least once while it is connected to the board disguised as a charging station.
NFC: an attack against this protocol was performed in 2012 [11], aiming to discover potential vulnerabilities in the Android NFC stack. The attack chosen is NFC random data injection, one of the simplest attacks, which allows testing the robustness of algorithms and discovering potential vulnerabilities. Using a contactless NFC mobile reader, they took control of a Galaxy Nexus (Android 4.0.1) by injecting through NFC a malicious web page that exploits a vulnerability to take control of the device.

TABLE I
STATE OF THE ART OF SMARTPHONE ATTACKS

| Attack | Type | Date | Target | Device | Results | Countermeasure |
|---|---|---|---|---|---|---|
| Hummingbad [2] | SAL | 2017 | Virus | Android | Data corruption | Antivirus update |
| FalseGuide [3] | SAL | 2017 | Virus | Android | Data corruption | Antivirus update |
| Shedun [4] | SAL | 2015 | Virus | Android | Data corruption | Antivirus update |
| Pegasus [5] | SAL | 2016 | Spyware | iOS | Stealing data | Antivirus update |
| Swearing [6] | SAL | 2017 | Trojan | Android | Stealing data | Antivirus update |
| Gooligan [7] | SAL | 2016 | Rootkit | Android | Control device | Antivirus update |
| Blueborne [8] | PAL | 2017 | Bluetooth | Windows, Linux, Android, iOS | Stealing data | Correction of the protocol implementation |
| MitM Bluetooth [9] | PAL | 2010 | Bluetooth | Bluetooth Secure Simple Pairing | Data interception | Improve Secure Simple Pairing protocol |
| Mactans [10] | PAL | 2013 | USB | Apple iPhone iOS | Inject malware | iOS 7: ask user to trust host |
| NFC Fuzzing [11] | PAL | 2012 | NFC | Android | Inject malware | Correction of NFC protocol implementation |
| MitM NFC [12] | PAL | 2017 | NFC | NFC Tags | Data interception | Atmospheric and temperature sensors |
| Key Reinstallation [13] | PAL | 2017 | WiFi | Android 6.0 | Stealing data | Protocol update: one-time key installation |
| MitM Wifi [14] | PAL | 2018 | WiFi | Windows, Linux, Android, iOS | Data interception | No countermeasure known |
| Cellebrite [15] | PAL | 2018 | USB | Apple iPhone iOS | Unlock iPhones | iOS 12: disable USB protocol after 1 h |
| GreyKey [16] | PAL | 2018 | USB | Apple iPhone iOS | Unlock iPhones | iOS 12: disable USB protocol after 1 h |
| Nand mirroring [17] | HAL | 2016 | NAND | Apple iPhone 5c NAND | Unlock iPhones | No countermeasure known |
| EM attack [18] | HAL | 2015 | Cache | ARMv7-M | Fault injection | No countermeasure known |
| Side channel [19] | HAL | 2018 | Cache | ARM TrustZone | Key extraction | No countermeasure known |
| Key extraction [20] | HAL | 2016 | CryptoCore | Android and iOS crypto lib | Key extraction | iOS 9: new implementation library |
| I2C attack [21] | HAL | 2017 | I2C bus | Android 6.0 | Inject malware | No countermeasure known |
| Our MitM Attack | HAL | 2019 | PCIe bus | All devices using PCIe bus | Log and modify data | No countermeasure known |
WiFi: it is the best known wireless communication protocol and one of the most attacked. A recent attack on WiFi is the key reinstallation attack [13], which consists in forcing the WiFi cryptographic protocol implementation to reinstall the encryption key using a MitM attack. This flaw affects several types of WiFi handshake protocols. This attack is particularly devastating on smartphones running Android 6.0, since it replaces the encryption key with an all-zero key.
3) Hardware Attacks Level: as previously defined, HAL attacks focus on creating vulnerabilities directly by modifying the device's hardware. Such attacks require a deep understanding of the target device (reverse engineering, etc.) and physical access. Two categories of hardware attacks were identified, called chip and bus attacks:
Chip attacks: these attacks mainly target the SoC (processor, cryptocore, cache memories, ...) and the NAND memory. For the SoC, several attacks are known from the state of the art, such as fault injection and instruction skipping in the application processor cache using electromagnetic attacks [18], a side-channel attack on the integrated AES cryptocore of the ARM TrustZone cache [19], or the extraction of encryption keys from iOS and Android devices by side-channel and electromagnetic attacks [20]. Regarding the NAND memory, a relevant attack was realized on an iPhone 5C by mirroring the memory in order to have an unlimited number of password attempts [17].
Bus attacks: data buses are a potential attack target in smartphones that has not been deeply exploited, while they carry a huge amount of sensitive data. However, a recent attack [21] was performed on the I2C bus using a malicious touchscreen, allowing a touch injection attack and a buffer overflow attack combined with a vulnerability of the touchscreen controller to inject malware into an Android phone. More recently, with the growing need for fast massive memory access and the democratization of high-speed flash memories such as NVMe memory, it has been necessary to switch to buses that provide higher transfer rates, such as PCIe. Although this bus has historically been used in computers, no hardware attack targeting the PCIe bus of a smartphone has been found in the state of the art.
Table I gives a list of the most recent attacks realized on smartphones, targeting protocols, hardware or software. It is worth noting that there is no countermeasure yet for most hardware attacks. Moreover, attacks targeting communication buses have not been deeply investigated and remain a potential source of vulnerability with direct access to sensitive data. For these reasons, we chose to investigate a hardware Man-in-the-Middle attack on a communication bus used in smartphones.
B. MitM
The Man in the Middle (MitM) is an attack which consists in introducing a third device into an end-to-end communication. This device works as an invisible router between the two peripherals. In this position, the attacker can compromise the confidentiality and the integrity of the communication by recording and interfering with the exchanged data in real time.
[Figure 2: CPU, MitM and Memory connected in line.]
Fig. 2. Man in the Middle communication.
This attack has been widely used [24], especially in network communications, for wireless protocols like WiFi [14], NFC [12], Bluetooth [9], and for wired protocols like Ethernet [25].
So far, performing a hardware MitM attack on a communication bus remains an under-exploited approach, particularly for smartphone buses like PCIe or I2C. This attack does not require the exploitation of any vulnerability, but uses the normal mechanism of the bus protocol by interfering in the SoC/NAND communication and operating as an invisible router. MitM is also a vector for more evolved attacks such as data replay, traffic analysis or fault injection, which are interesting especially in the context of encrypted communications, as in smartphones. Traffic analysis is an eavesdropping-type attack that consists in deducing information from patterns. Typical information that can be obtained includes the size of data in packets, reading/writing addresses, the number of accesses to a particular piece of data, and so on. A fault injection attack consists in modifying random data in the communication flow, by flipping bits for example. Data replay is another type of MitM attack, consisting in replaying encrypted or clear messages previously recorded from legitimate communication between two devices. The final objective is to gain privileges by confusing the communication master. A clear advantage of these attacks is that they can be applied to encrypted communications.
C. Problem statement and approach
HAL attacks, in contrast with PAL and SAL attacks, do not require the exploitation of OS- or protocol-related vulnerabilities; instead, HAL attacks produce vulnerabilities that can be exploited by other types of attacks. Hardware attacks are also characterized by their robustness against countermeasures, since they cannot simply be prevented by a software update but need a hardware update, which is only possible with the next device generation.
Our approach focuses on the implementation of a hardware MitM attack on communication buses. The hardware MitM is one of the least exploited attacks in the state of the art, while it is very promising: it is the only attack that allows direct access to data and, in addition, it offers a wide range of attack vectors including data replay, traffic analysis and fault injection. The objective of our architecture is also to be compatible with as many devices as possible, if not all, equipped with the same communication bus. We chose the high-performance PCIe bus as the target for our attack. Indeed, it is becoming widely used in embedded systems, particularly in smartphones. As an example, PCIe is now used in recent smartphones like [26] as the data bus between the SoC and the NVMe (Non-Volatile Memory express) storage. All the data stored in memory, including the password attempt counter, are encrypted but could still be affected by a hardware MitM attack. PCIe is also massively used in computers, which is very helpful for the development of our smartphone emulator. In the case of a MitM on PCIe, strong constraints are imposed by the protocol, such as bus frequency, data rate and response time. The architecture must imperatively respect all these constraints in order to guarantee the MitM's invisibility.
Finally, we decided to build our architecture on an FPGA board for flexibility of development and implementation. A PCIe gen 3.0 compatible card will be used, which will facilitate physical interfacing with the computer port and memory emulation.
III. FLEXIBLE ARCHITECTURE FOR MITM ATTACK ON PCIE
A. Objectives and Challenges
PCI Express [27] is a serial local bus and the evolution of the parallel buses PCI and PCI-X. It was developed and introduced by Intel in 2004, with the aim of replacing all computer buses (PCI and AGP) for expansion boards. The bus is composed of serial links named lanes that connect the devices directly to each other. Each lane is composed of 4 wires: two differential pairs, one for transmission and one for reception, giving full duplex operation. There are six possible interfaces for PCIe, depending on the number of lanes (x1, x2, x4, x8, x16 and x32). It also has four generations, and with each new one the throughput is doubled, as indicated by Table II. Historically used for GPU communications, PCIe is a widely used technology for fast massive data transfers. Recently, a faster generation of SSD using an overlay called NVMe was proposed to overcome the throughput limitations of the SATA bus and to meet the need for higher speed. For now, NVMe technology relies on multiple parallel memory accesses, allowing it to fully exploit the capabilities offered by PCIe. SSDs based on NVMe are compatible with PCIe 3.0 and later.
TABLE II
PCIE EVOLUTION

| PCIe Generation | Date | Data Encoding | Transfer Rate | Throughput per lane |
|---|---|---|---|---|
| 1.0 | 2003 | 8b/10b | 2.5 GT/s | 0.25 GB/s |
| 2.0 | 2007 | 8b/10b | 5 GT/s | 0.5 GB/s |
| 3.0 | 2010 | 128b/130b | 8 GT/s | 0.985 GB/s |
| 4.0 | 2017 | 128b/130b | 16 GT/s | 1.969 GB/s |
As illustrated by Figure 3, the PCIe protocol is based on three layers [27]:
Transaction Layer (TL): this layer uses the header and payload provided by the Device Core to generate an optional digest and to transfer the packet to the Data Link Layer. The header is made of 3 or 4 Data Words (1 DW = 32 bits), depending on its format and type. The first DW has a fixed format and contains the main information needed to decode the rest of the header, i.e. the size of the header, the presence of a payload, the type of packet, the presence of a digest, the length of the payload, etc. Once this information is known, the whole header can be decoded. The packets provided by the TL are called TLPs (Transaction Layer Packets) and are divided into 4 categories: Memory, IO, Configuration and Messages.
Data Link Layer (DLL): it has two principal purposes. First, it transfers incoming packets from the TL to the Physical Layer, adding a sequence number and a CRC that are checked by the receiver. Second, it transmits packets called DLLPs (Data Link Layer Packets), used for flow control, power management and the acknowledgement or negative acknowledgement of packets after checking their sequence number and CRC.
Physical Layer: it adds 8-bit start and end characters to make the detection of packet boundaries easier at the receiver.
[Figure 3: the Device Core, Transaction Layer, Data Link Layer and Physical Layer of two devices (RX and TX sides), with the packet formats. TLP: STP (1 B), Seq Num (2 B), HDR (3-4 DW), Payload (0-1024 DW), Digest (1 DW), CRC (1 DW), End (1 B). DLLP: STP (1 B), DLLP Type and Misc (1 DW), CRC (2 B), End (1 B).]
Fig. 3. PCIe Layers and packet types.
PCIe technology is becoming one of the most popular technologies in many devices, including smartphones, while imposing a large number of constraints, especially for interfacing. In fact, the hardware attack must satisfy the following requirements:
- PCIe 3rd generation with transfer rates up to 8 GT/s (0.985 GB/s per lane).
- Maximal response time of 1 ms.
- Physical interfacing that preserves signal integrity.
- Invisibility to the communicating devices.
- Access to data, even encrypted.
To our knowledge, there is no work dealing with a hardware MitM attack on a smartphone targeting PCIe.
B. Scenarios
The objective of the attack is to realize a MitM between the host (SoC) and its memory. For this purpose, an emulator was developed to mimic the smartphone's behavior, i.e. the communications between the SoC and the NAND memory. As the data transmitted are encrypted, we chose 3 case studies to validate our approach:
Traffic analysis: analysis of the bus communications to locate sensitive data. The main target in smartphones is the password attempt counter. We want to know at which address it is stored, and for that we need to trigger the read and the update of its value by trying a password.
Shadow copy: once the secret data is located, the next step is to store a copy of it in an external memory (the shadow memory). For smartphones, we can try a password again, and when the counter is read from memory we duplicate its value in the shadow memory.
Data replay: this will allow us to replay the recorded sensitive data to the host when needed. For a smartphone, we will be able to perform a brute force attack against the user password, and each time the SoC wants to read the value of the counter we replay the one stored in our shadow memory. This will provide an unlimited number of password attempts.
Typically, this type of attack is of great interest in the forensic domain, since it will ultimately allow the critical data to be targeted. Countermeasures against this attack are difficult to implement because it does not exploit a vulnerability of the PCIe protocol, but rather exploits its natural behavior and typical use case.
As mentioned earlier, the requirements of the 3rd generation PCIe bus used in the smartphone have to be satisfied. The MitM architecture has to support transfer rates up to 8 GT/s, meaning a throughput of 1 GB/s per lane, with a maximal response time tolerance of 1 ms. To this purpose, an Intel Stratix 5 FPGA development board is used. This board has a PCIe 3.0 x8 endpoint port and physical blocks compliant with the transfer rate and throughput requirements of the bus. For the response time, the way the architecture is implemented determines whether the MitM respects this constraint; this will be detailed in subsection III-C.
C. Prototype of the emulator
The proposed emulator for the MitM hardware attack on PCIe is presented in Figure 4 and can perform:
- Analysis and filtering of packets that may contain encrypted data. Packet headers, however, are never encrypted and can be used to retrieve the metadata of the packet, including packet size and write/read addresses, and then to analyze the number and frequency of accesses to a particular piece of data in memory.
- Fault injection by modifying/replacing packets on the fly.
- Duplication of the data written in memory and replaying it each time the host wants to read at a specific memory address. Even if the data has been updated in memory, the MitM will continue to replay the initial value.
As illustrated by Figure 4, the architecture is composed of: the ST-Avalon IP for interfacing with the host's PCIe port; our MitM IP for intercepting, filtering and modifying packets, connected to a FIFO that duplicates part of the communication; and finally the Xillybus IP, which emulates the memory using DDR3 RAM accessible from the host.
1) ST-Avalon IP for PCIe: to physically interface with the PCIe bus, our architecture is based on the Intel ST-Avalon interface [28], which is itself based on the PIPE IP [29] and specially built for PCIe. This IP is fully compliant with the different generations and numbers of lanes, and supports all DLLP and TLP types. The DLLPs are handled internally by ST-Avalon, and the TLPs, which contain the data from the host, are transmitted to Xillybus.
2) PCIe peripheral emulation with Xillybus IP: Xillybus [30] is a proprietary IP designed to easily interface an FPGA with a host computer through the PCIe bus. Drivers are provided, which greatly simplifies the communication. It also includes an ST-Avalon IP to interface with the bus. The Xillybus IP is designed to process the TLPs of the communication as a peripheral would do. The IP is available for several FPGA families, which makes it flexible to adapt to a specific model. In our case, it was also necessary to update the architecture of the PCIe interface from the first generation with x8 lanes, provided by default, to the third generation with x2 lanes, in order to be closer to the interface used by most smartphones. Our design must also satisfy the data size constraints of the ST-Avalon IP.
[Figure 4: block diagram of the FPGA board. The HOST connects over PCIe Gen.3 x4 (PCIe_RX/PCIe_TX) to the ST Avalon block on the Stratix 5 chip; the ST Avalon block exchanges packets with the MitM block (signals rx_data, rx_valide, rx_sop, rx_eop and tx_data, tx_valide, tx_sop, tx_eop); the MitM block has its own RAM (Data) and exchanges packets with the Xillybus PCIe Interface (signals rx_data_M, rx_valide_M, rx_sop_M, rx_eop_M and tx_data_M, tx_valide_M, tx_sop_M, tx_eop_M), which is backed by DDR3 RAM (Data).]
Fig. 4. Man-in-the-Middle architecture.
3) Complete architecture: our MitM architecture is therefore able to analyze, filter and modify PCIe packets on the fly. The analysis of packets will permit the identification of sensitive data by determining access times and frequencies to data in memory and correlating them with particular events, such as unlock attempts on a smartphone, which involve a read of the repetition counter in memory and an update if the password entered is wrong, or a reset if the password is correct. Once the sensitive partition is identified, it will be copied into the FIFO at the next completion for a read request, to be played back each time it is read again, which will freeze the counter value from the SoC's perspective. The host can always update the value of the sensitive data in memory (Xillybus), but when it sends a read request packet it is the MitM that will serve the initially recorded value of the data. This scheme is illustrated in Figure 5.
We can notice that one of the main advantages of our architecture is that it can be used with any device communicating over a PCIe bus, with only a few modifications to adapt to the proprietary interface.
IV. RESULTS
To validate our architecture, we emulate a smartphone architecture on a dedicated computer, a DELL T7910 with 6 PCIe 3.0 x16 slots. The proposed MitM architecture, described previously, was implemented on an Intel Stratix 5 DSP FPGA development board [31], which is equipped with a compatible gen 3.0 x8 lane PCIe endpoint slot and enough resources to implement a complex design requiring real-time data analysis and modification. All figures presented are obtained from real tests on PCIe using the SignalTap II Logic Analyzer from the Quartus software.
A. Data logging and packet filtering
A first test was to perform packet filtering during host/memory or memory/host communication. This type of set-up validates the possibility of being invisible to the two communicating elements, i.e. the computer and Xillybus. In our case, we deliberately filter three types of packets by looking directly at the headers: the host/memory read memory request (RMR) and write memory request (WMR), and the memory/host packet for completion with data (Cpl). The communication with the memory is done in the following way: if the host (master) wants to write data in memory, it sends a WMR packet with the write address and the data to be written in memory. Then, the memory responds with a DLLP acknowledge. In the case of an RMR, if the host wants to read from the memory, it sends an RMR packet with the read address and the data size, and the memory responds with a Cpl packet which contains the requested data. These operations are described in Figure 5. As indicated by Figure 6, the architecture is able to successfully log only the appropriate communications by filtering and decoding the packets.
Fig. 5. PCIe communication attack scenarios.
Figure 6 represents a Cpl packet with data that contains a
test message. This message is sent by the host correctly and is
then filtered by our architecture from the information available
Fig. 6. Data filtering.
in the packet header in order to keep only the data from it.
A summary of the resources used by the hardware design is
given in Table III.
B. Data logging and injection
To go further, the previous architecture was improved to enable
modification of the content of a packet on the fly. The MitM IP
is now physically inserted between Xillybus and ST-Avalon, which
means that all communications go through the MitM, which can
interact with the exchanged packets by injecting errors or
modifying their contents. To illustrate the data injection
capability of the architecture, we decided to modify the content
of the WMR packet sent by the host to the memory. Results are
presented in Figure 7. As can be seen, the packet sent by the
host is transmitted through several signals (rx sop, rx eop and
rx valid), filtered on the fly, and then modified within a single
clock cycle between its arrival and its re-transmission from our
MitM to Xillybus, using respectively the rx data M, rx sop M,
rx eop M and rx valid M signals. In this example, our architecture
only modifies the data in the packet, but other filtering options
could be applied to modify any field of the packet, such as the
packet type, the write address, and so on.
Fig. 7. Data modification.
Table III gives an overview of the resource utilization of the
MitM design on the considered FPGA. The design uses less than
1% of the available resources, which leaves enough area to
implement many more functionalities, such as the shadow copy.
C. Shadow Copy
An interesting capability for an attacker is to bypass security
mechanisms (which are not activated) by allowing only write
access to a memory while the read access is under the control
of the attacker. For this attack, we took inspiration from
Microsoft's shadow copy technology [32], which makes an instant
snapshot of a volume. Figure 5 illustrates the shadow copy
principle, the corresponding communications between the host and
the memory, and the role of our MitM architecture.
To implement and test our shadow copy architecture, we used the
StreamWrite driver of Xillybus with custom C code to send random
data with PCIe packet payload sizes between 1 DW and 1024 DW. The
architecture stores a copy of all the data sent from the host to
Xillybus by filtering and decoding the packets on the fly. When
the communication is done, we use the StreamRead driver to
recover the data sent back by our shadow copy memory, which took
the place of the Xillybus memory in the communication. We finally
compare the original data sent with the data sent back by the
architecture: our solution does not generate any error and does
not miss any data in these tests, up to PCIe gen3 x2.
Our architecture also achieves better performance for decoding
and recording data than Xillybus: on-the-fly packet decoding and
data recording allow all the data carried by a packet to be stored
4 cycles before Xillybus begins to store the first DW, as can be
seen in Figure 8.
Fig. 8. Shadow Copy of the communications.
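The TLP filtering of Sec. IV-A and the shadow-copy and replay behaviour of Sec. IV-C, modelled as an added Python example (not the authors' FPGA design): it decodes the standard TLP header fields the MitM keys on, records every write into a shadow memory and answers reads itself. The requester/completer IDs, addresses and counter values are constructed, the Xillybus memory is a plain dict, and the DLLP acknowledge is left out.

```python
import random
import struct

# DW0 fmt/type encodings (PCI Express base spec): 3DW/4DW header, without/with data
FMT_3DW, FMT_4DW, FMT_3DW_DATA, FMT_4DW_DATA = 0b000, 0b001, 0b010, 0b011
TYPE_MEM, TYPE_CPL = 0b00000, 0b01010
HOST_ID, MEM_ID = 0x0100, 0x0200          # constructed requester/completer IDs (bus:dev.fn)

def decode_tlp(tlp: bytes) -> dict:
    """Classify a raw TLP the way the paper's filter does: RMR, WMR or Cpl."""
    dw0, dw1, dw2 = struct.unpack(">III", tlp[:12])
    fmt, typ = dw0 >> 29, (dw0 >> 24) & 0x1F
    length = (dw0 & 0x3FF) or 1024         # 10-bit length field; 0 encodes 1024 DW
    four_dw, has_data = fmt in (FMT_4DW, FMT_4DW_DATA), fmt in (FMT_3DW_DATA, FMT_4DW_DATA)
    pkt = {"kind": "other", "length": length, "address": None, "tag": None, "data": []}
    if typ == TYPE_MEM:                    # memory request issued by the host
        pkt["kind"], pkt["tag"] = ("WMR" if has_data else "RMR"), (dw1 >> 8) & 0xFF
        addr_hi, addr_lo = (dw2, struct.unpack(">I", tlp[12:16])[0]) if four_dw else (0, dw2)
        pkt["address"] = (addr_hi << 32) | (addr_lo & ~0x3)
    elif typ == TYPE_CPL:                  # completion; its tag sits in DW2
        pkt["kind"], pkt["tag"] = "Cpl", (dw2 >> 8) & 0xFF
    if has_data:
        start = 16 if four_dw else 12
        pkt["data"] = list(struct.unpack(f">{length}I", tlp[start:start + 4 * length]))
    return pkt

def build_mrd(addr: int, length_dw: int, tag: int = 0) -> bytes:
    """3DW memory read request (RMR): header only, data comes back in a Cpl."""
    dw0 = (FMT_3DW << 29) | (TYPE_MEM << 24) | (length_dw & 0x3FF)
    return struct.pack(">III", dw0, (HOST_ID << 16) | (tag << 8) | 0xFF, addr & ~0x3)

def build_mwr(addr: int, data: list) -> bytes:
    """3DW memory write request (WMR) carrying `data` as 32-bit DWs."""
    dw0 = (FMT_3DW_DATA << 29) | (TYPE_MEM << 24) | (len(data) & 0x3FF)
    hdr = struct.pack(">III", dw0, (HOST_ID << 16) | 0xFF, addr & ~0x3)
    return hdr + struct.pack(f">{len(data)}I", *data)

def build_cpld(data: list, tag: int) -> bytes:
    """Completion with data (Cpl) answering a read; byte count is a 12-bit field."""
    dw0 = (FMT_3DW_DATA << 29) | (TYPE_CPL << 24) | (len(data) & 0x3FF)
    hdr = struct.pack(">III", dw0, (MEM_ID << 16) | ((4 * len(data)) & 0xFFF),
                      (HOST_ID << 16) | (tag << 8))
    return hdr + struct.pack(f">{len(data)}I", *data)

class ShadowCopyMitM:
    """Interposer: every WMR reaches the memory and is copied; every RMR is answered
    by the MitM from its copy, so the real memory never sees the read."""

    def __init__(self, memory: dict, freeze: bool = False):
        self.memory = memory      # the real memory behind the MitM (Xillybus here)
        self.shadow = {}          # attacker-side copy, keyed by DW-aligned address
        self.freeze = freeze      # True: keep replaying the first value recorded
        self.log = []             # packet kinds seen, i.e. the logger of Sec. IV-A

    def on_host_tlp(self, tlp: bytes):
        """Return the Cpl sent back to the host, or None when no TLP is returned."""
        pkt = decode_tlp(tlp)
        self.log.append(pkt["kind"])
        if pkt["kind"] == "WMR":
            for i, dw in enumerate(pkt["data"]):
                addr = pkt["address"] + 4 * i
                self.memory[addr] = dw                # the write always lands
                if not (self.freeze and addr in self.shadow):
                    self.shadow[addr] = dw            # record (or keep) our copy
            return None                               # memory acks at DLLP level
        if pkt["kind"] == "RMR":
            base = pkt["address"]
            words = [self.shadow.get(base + 4 * i, self.memory.get(base + 4 * i, 0))
                     for i in range(pkt["length"])]
            return build_cpld(words, pkt["tag"])      # served by us, not the memory
        return None

def shadow_copy_demo(n_dw: int) -> bool:
    """Sec. IV-C test: write n_dw random DWs through the MitM and read them back."""
    rng = random.Random(1)
    data = [rng.getrandbits(32) for _ in range(n_dw)]
    mitm = ShadowCopyMitM({})
    mitm.on_host_tlp(build_mwr(0x4000, data))
    cpl = decode_tlp(mitm.on_host_tlp(build_mrd(0x4000, n_dw)))
    return cpl["kind"] == "Cpl" and cpl["data"] == data and mitm.log == ["WMR", "RMR"]

def freeze_counter_demo() -> tuple:
    """Replay scenario of Fig. 5: a counter at a constructed address is written,
    decremented by the host, then read back. Returns (kind, value the host reads,
    value really in memory, echoed tag)."""
    counter_addr, memory = 0x1000, {}
    mitm = ShadowCopyMitM(memory, freeze=True)
    mitm.on_host_tlp(build_mwr(counter_addr, [5]))    # initial value recorded
    mitm.on_host_tlp(build_mwr(counter_addr, [4]))    # host decrements it
    cpl = decode_tlp(mitm.on_host_tlp(build_mrd(counter_addr, 1, tag=7)))
    return cpl["kind"], cpl["data"][0], memory[counter_addr], cpl["tag"]
```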
TABLE III
ARCHITECTURE PERFORMANCE
Tests        ALUT  Registers  Frequency  Latency
Logger        25     137      250 MHz    1 cycle
MitM          56     138      250 MHz    1 cycle
Shadow Copy  187     276      250 MHz    9 cycles
V. PERSPECTIVES
We are currently working to implement this attack on a
smartphone that uses a PCIe bus. We started by reverse-engineering
the smartphone, in particular the SoC and the NAND chips, to find
the best way to interpose. To realize a MitM between the NAND and
the motherboard, we developed a protocol to extract the memory
without damaging it or losing the data. We also designed an
interposer to allow the logging of all signals and power supplies
using an active differential probe. First results are presented in
Figure 9. The recorded signals need to be improved by using a
higher-frequency probe. The next step is to develop boards that
will interpose our MitM FPGA architecture between the SoC and the
NAND.
Fig. 9. Data recorded.
For the architecture, we also need to upgrade the FPGA board to
one that has two PCIe ports, like the Intel Alaric Arria 10 board,
which has 2 PCIe gen 3.0 x4 ports, one endpoint and one root. The
endpoint port will be connected to the smartphone's motherboard
and the root port to the memory. Depending on the smartphone
targeted by our attack, we may need to make our architecture NVMe
compliant by implementing an overlay to decode this type of
packet, which will potentially increase the latency of our MitM.
VI. CONCLUSION
In this paper, we present a versatile hardware MitM architecture
capable of interfacing with PCIe bus communications. This
low-footprint architecture proves that an invisible MitM can be
performed on a high-performance data bus like PCIe while
respecting its constraints. We also present the emulator used to
develop this architecture, which aims to mimic the typical
smartphone communication between the SoC and its memory through
the internal PCIe data bus. To test and validate our architecture,
we performed three practical attack scenarios: logging and
filtering packets, logging and injection, and shadow copy of all
the data transmitted through the PCIe bus in real time. The
in-flow packet processing of our architecture allowed all the data
to be duplicated and stored 4 clock cycles before Xillybus begins
its processing. The architecture uses 1% of the board's resources,
which will be useful for implementing more complex algorithms. Our
future work will focus on evolving the PCIe MitM architecture and
the emulator to be NVMe compliant. We also investigated the
possibility of physical interposition between the SoC and its
memory, and our objective is to develop custom boards to interface
with a smartphone PCIe bus in order to perform the MitM attack.
REFERENCES
[1] Mitre Corporation, “CVE Details the ultimate security vulnerability
datasource,” https://www.cvedetails.com, accessed: 2019-03-06.
[2] Check Point Software Technologies LTD, “A whale of a tale:
Hummingbad returns,” Online, https://blog.checkpoint.com/2017/01/23/
hummingbad-returns/, accessed: 2019-06-20.
[3] ——, “Falseguide misleads users on googleplay,” Online, https://blog.checkpoint.com/2017/04/24/falaseguide-misleads-users-googleplay/, accessed: 2019-06-20.
[4] M. Bentley, “Lookout discovers new trojanized adware; 20k pop-
ular apps caught in the crossfire,” Online, https://blog.lookout.com/
trojanized-adware, accessed: 2019-06-20.
[5] Citizen Lab, Lookout, “Sophisticated, persistent mobile attack
against high-value targets on ios,” Online, https://blog.lookout.com/
trident-pegasus, accessed: 2019-06-20.
[6] Check Point Software Technologies LTD, “Swearing trojan continues to rage, even after authors’ arrest,” Online, https://blog.checkpoint.com/2017/03/21/swearing-trojan-continues-rage-even-authors-arrest/, accessed: 2019-06-20.
[7] ——, “More than 1 million google accounts breached by gooligan,” Online, https://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/, accessed: 2019-06-20.
[8] B. Seri and G. Vishnepolsky, “Blueborne: The dangers of bluetooth
implementations: Unveiling zero day vulnerabilities and security flaws
in modern bluetooth stacks,” ArmisLabs, Tech. Rep., 2017.
[9] K. Haataja and P. Toivanen, “Two practical man-in-the-middle attacks
on bluetooth secure simple pairing and countermeasures,” IEEE Trans-
actions on Wireless Communications, vol. 9, no. 1, pp. 384–392, January
2010.
[10] B. Lau, Y. Jang, C. Song, T. Wang, P. H. Chung, and P. Royal, “Mactans: Injecting malware into ios devices via malicious chargers,” Black Hat USA, 2013.
[11] C. Miller, “Exploring the nfc attack surface,” Proceedings of Blackhat,
2012.
[12] S. Akter, T. Chakraborty, T. A. Khan, S. Chellappan, and A. A. Al Islam,
“Can you get into the middle of near field communication?” in 2017
IEEE 42nd Conference on Local Computer Networks (LCN). IEEE,
2017, pp. 365–373.
[13] M. Vanhoef and F. Piessens, “Key reinstallation attacks: Forcing nonce
reuse in WPA2,” in Proceedings of the 24th ACM Conference on
Computer and Communications Security (CCS). ACM, 2017.
[14] M. Vondráček, J. Pluskal, and O. Ryšavý, “Automated man-in-the-middle attack against wi-fi networks,” The Journal of Digital Forensics, Security and Law: JDFSL, vol. 13, no. 1, pp. 59–80, 2018.
[15] T. Brewster, “Cellebrite: We keep iphone flaws secret for the public’s safety,” Online, https://www.forbes.com/sites/thomasbrewster/2018/03/01/apple-iphone-vulnerabilities-kept-secret-by-cellebrite/, accessed: 2019-06-20.
[16] ——, “Mysterious 15,000 dollars graykey promises to unlock iphone x for the feds,” Online, https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple-iphone-x-graykey-hack/, accessed: 2019-06-20.
[17] S. Skorobogatov, “The bumpy road towards iphone 5c nand mirroring,”
arXiv e-prints, p. arXiv:1609.04327, September 2016.
[18] L. Riviere, Z. Najm, P. Rauzy, J. L. Danger, J. Bringer, and L. Sauvage,
“High precision fault injections on the instruction cache of armv7-m
architectures,” in 2015 IEEE International Symposium on Hardware
Oriented Security and Trust (HOST). IEEE, 2015, pp. 62–67.
[19] B. Lapid and A. Wool, “Cache-attacks on the arm trustzone imple-
mentations of aes-256 and aes-256-gcm via gpu-based analysis,” in
International Conference on Selected Areas in Cryptography. Springer,
2018, pp. 235–256.
[20] D. Genkin, L. Pachmanov, I. Pipman, E. Tromer, and Y. Yarom,
“Ecdsa key extraction from mobile devices via nonintrusive physical
side channels,” in Proceedings of the 2016 ACM SIGSAC Conference
on Computer and Communications Security. ACM, 2016, pp. 1626–
1638.
[21] O. Shwartz, A. Cohen, A. Shabtai, and Y. Oren, “Shattered trust: when replacement smartphone components attack,” in 11th USENIX Workshop on Offensive Technologies (WOOT 17), 2017.
[22] B. Seri and G. Vishnepolsky, “Blueborne on android: Exploiting an rce
over the air,” ArmisLabs, Tech. Rep., 2017.
[23] B. Seri and A. Livne, “Exploiting blueborne in linux-based iot devices,”
ArmisLabs, Tech. Rep., 2017.
[24] M. Conti, N. Dragoni, and V. Lesyk, “A survey of man in the middle
attacks,” IEEE Communications Surveys Tutorials, vol. 18, no. 3, pp.
2027–2051, thirdquarter 2016.
[25] T. Kiravuo, M. Sarela, and J. Manner, “A survey of ethernet lan security,” IEEE Communications Surveys Tutorials, vol. 15, no. 3, pp. 1477–1491, Third 2013.
[26] Apple, “ios security ios 12.1,” Apple Inc, Tech. Rep., 2018.
[27] M. Jackson, R. Budruk, J. Winkles, and D. Anderson, PCI Express
Technology 3.0. Mindshare Press, 2012.
[28] Intel, Stratix V Avalon-ST Interface for PCIe Solutions, User Guide,
Intel Corporation, May 2017.
[29] ——, V-Series Transceiver PHY IP Core, User Guide, Intel Corporation,
February 2019.
[30] Xillybus, Xillybus IP core product brief, Xillybus Ltd, January 2018.
[31] Intel, DSP Development Kit, Stratix V Edition, Reference Manual, Intel
Corporation, July 2012.
[32] J. Gerend and G. Moore, Volume Shadow Copy Service, Microsoft Corporation, online, https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service, accessed: 2019-06-20.