FPGA-based hardware accelerators are becoming increasingly popular due to their versatility, customizability, energy efficiency, constant latency, and scalability. FPGAs can be tailored to specific algorithms, enabling efficient hardware implementations that effectively leverage algorithm parallelism. This can lead to significant performance improvements over CPUs and GPUs, particularly for highly parallel applications. For example, a recent study found that Stratix 10 FPGAs can achieve up to 90% of the performance of a TitanX Pascal GPU while consuming less than 50% of the power. This makes FPGAs an attractive choice for accelerating machine learning (ML) workloads. However, our research finds privacy and security vulnerabilities in existing Xilinx FPGA-based hardware acceleration solutions. These vulnerabilities arise from the lack of memory initialization and insufficient process isolation, which create potential avenues for unauthorized access to private data used by processes. To illustrate this issue, we conducted experiments using a Xilinx ZCU104 board running the PetaLinux tool from Xilinx. We found that PetaLinux does not effectively clear memory locations associated with a terminated process, leaving them vulnerable to a memory scraping attack (MSA). This paper makes two main contributions. The first contribution is an attack methodology that uses the Xilinx debugger from a different user space. We find that we are able to access the process IDs, virtual address spaces, and pagemaps of one user from a different user space because of a lack of adequate process isolation. The second contribution is a methodology for characterizing terminated processes and accessing their private data. We illustrate this on the Xilinx ML application library.
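A defender-side check for the two conditions the abstract names, pagemap disclosure and uncleared memory after process exit, written as an added example that is not code from the paper or from Xilinx. It assumes the pagemap entry layout given in the Linux kernel documentation (bit 63 present, bits 0-54 frame number) and the standard Linux `init_on_free=1` boot parameter; the function names are hypothetical, and the page does not say how the tested PetaLinux image was configured.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* /proc/<pid>/pagemap holds one 64-bit entry per virtual page (kernel docs). */
#define PM_PRESENT  (1ULL << 63)         /* page is resident in RAM */
#define PM_PFN_MASK ((1ULL << 55) - 1)   /* bits 0-54: physical frame number */

/* Count entries that disclose a physical frame number to whoever read them. */
size_t pfn_disclosures(const uint64_t *entries, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if ((entries[i] & PM_PRESENT) && (entries[i] & PM_PFN_MASK))
            hits++;
    return hits;
}

/* 1 if the last init_on_free= token on a kernel command line is set to 1. */
int init_on_free_enabled(const char *cmdline) {
    const char *key = "init_on_free=";
    int on = 0;
    for (const char *p = strstr(cmdline, key); p; p = strstr(p + 1, key))
        if (p == cmdline || p[-1] == ' ')   /* whole token, not a suffix */
            on = (p[strlen(key)] == '1');
    return on;
}

/* Audit the calling user: -1 unreadable, 0 PFN hidden, 1 PFN disclosed. */
int audit_self_pagemap(void) {
    volatile char probe = 1;             /* touched, so its page is resident */
    uint64_t entry = 0;
    uintptr_t vpn = (uintptr_t)&probe / (uintptr_t)sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0) return -1;
    int ok = lseek(fd, (off_t)(vpn * sizeof entry), SEEK_SET) != (off_t)-1 &&
             read(fd, &entry, sizeof entry) == (ssize_t)sizeof entry;
    close(fd);
    return ok ? (pfn_disclosures(&entry, 1) > 0) : -1;
}

int main(void) {
    printf("PFN visible to this user: %d\n", audit_self_pagemap());
    return 0;
}
```

Run as the unprivileged account that shares the board: a result of 1 means that account can map its virtual pages to physical frames, and `init_on_free_enabled` can be fed the contents of `/proc/cmdline` to see whether freed pages are zeroed.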