EPIC Erebus Puts a Tiny Yet Powerful FPGA Onto Your PCI Express Bus for Security Research and More

Portland-based SecuringHardware.com has announced EPIC Erebus, a compact M.2 board that hosts a field-programmable gate array (FPGA) — to make it easier to carry out research into PCI Express security vulnerabilities.

"EPIC Erebus is a small, portable, and easy-to-use M.2 FPGA board specifically tailored for PCIe research and DMA attacks," SecuringHardware.com's Joseph FitzPatrick explains. "In addition to supporting most of the capabilities of other PCILeech-compatible hardware, it is well-suited to embedded, stand-alone operation. We're also working on a completely open PCIe implementation that will allow us to tinker around with the lowest layers of the PCIe protocol in a way that’s impossible on devices with hard PCIe implementations."

The small M.2 2230 A+E-key board is built around a Lattice Semiconductor ECP5 FPGA, either the ECP5-25 or the ECP5-5G-85, with either 128Gb (16GB) or 256Gb (32GB) of RAM. There's a microSD Card slot for storage, or the option of 8GB of on-board flash memory, and it supports PCI Express Gen. 1 or Gen. 2 on one side and USB 2.0 or 3.0 on the other.

"EPIC Erebus is designed primarily as a PCIe DMA [Direct Memory Access] research device," FitzPatrick explains. "We aim to deliver it with a bitstream that, out of the box, allows standalone operation for memory acquisition and match/patch functionality. We hope to support tethered operation over USB in the future."

"Even if you’re not interested in PCIe," FitzPatrick continues, "Erebus will operate as a tiny ECP5 dev board you can keep installed inside your laptop. Alternatively, you could adapt it to any other high-speed serial interface with mechanical adapters and the appropriate gateware."

The company plans to fund production of the board via Crowd Supply, where interested parties can be signed up to be notified when the campaign goes live; FitzPatrick has also promised to release the hardware and gateware under an unspecified open-source license on GitHub — though, at the time of writing, the repositories had not yet been made public.