MITM: Transparent PCIe NIC Bridge

Overview

The MITM system is a transparent FPGA-based bridge that sits between a host system and a network interface card (NIC). It acts as an invisible intermediary, relaying PCIe traffic while enabling advanced monitoring and interaction capabilities without detection by the operating system or security software.

Background

Developed by a research team specializing in DMA and system concealment technologies, this system represents a novel approach to hardware-level network and memory access. The FPGA bridge intercepts PCIe communications transparently, maintaining full compatibility with existing hardware and software while adding powerful monitoring and manipulation capabilities.

Key Features

Transparent Device Impersonation

  • FPGA presents the original NIC's identity (Vendor ID, Device ID, class codes, BAR configuration)
  • Host OS sees only the genuine NIC and loads standard vendor drivers
  • No additional PCIe endpoints or functions exposed
  • Conventional scans and driver checks cannot detect the intermediary

Real-Time PCIe Traffic Relay

  • Intercepts and forwards all PCIe transactions (config reads/writes, memory operations, DMA requests, interrupts)
  • Establishes upstream link to host root complex and downstream link to NIC
  • Faithfully forwards transaction-layer packets (TLPs) between both links
  • Acts as protocol-level relay while remaining hidden to host software

Authorized DMA Memory Access

  • Leverages NIC's DMA engine and bus privileges for host memory access
  • Injects legitimate-looking memory read/write requests during NIC idle periods
  • Requests carry NIC's device identifiers and pass IOMMU/VT-d checks
  • Enables memory inspection or modification appearing as trusted DMA activity
  • Designed to evade virtualization-based detection systems

Advanced Monitoring and Injection

  • Monitors all host-NIC PCIe transactions in real-time
  • Captures configuration accesses, MMIO operations, DMA descriptors, packet payloads, and interrupts
  • Supports traffic logging, filtering, modification, and injection
  • Operates at hardware transaction level, invisible to OS and applications
  • Enables network traffic capture, tampering, and covert signal injection

Technical Architecture

Topology

Host PCIe Root Complex ↔ FPGA (Endpoint Mode) ↔ FMC-X8 Adapter ↔ Downstream NIC

Implementation Details

  • FPGA acts as transparent bridge rather than general-purpose PCIe switch
  • Downstream TLPs from host forwarded to NIC
  • Upstream TLPs from NIC forwarded to host
  • Internal interception, analysis, and selective modification capabilities
  • Precise link and transaction handling prevents exposure in host PCIe topology
  • MSI/MSI-X interrupt capture and forwarding
  • DMA write duplication for analysis while maintaining original data flow

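The relay and DMA sections above both rest on one property of the PCIe transaction layer: the only source identity a memory request carries is the 16-bit Requester ID in its header, and that field is what IOMMU/VT-d remapping keys on when it decides which translations apply. The following is an added example, not code from the MITM project: it decodes the 3DW/4DW request headers of a captured trace and judges each memory request against a per-Requester-ID window policy, the way remapping hardware does. The header layout follows the PCI Express Base Specification; the NIC's bus/device/function (03:00.0), its allowed DMA window and the sample TLPs are constructed for illustration.

```python
"""Decode PCIe TLP request headers and audit DMA requests against a
per-Requester-ID policy.

Added example, not code from the MITM project. Header field layout follows
the PCI Express Base Specification (3DW/4DW request headers); the sample
TLPs, the NIC's bus/device/function and the allowed DMA window are all
constructed for illustration.
"""
import struct
from dataclasses import dataclass


@dataclass
class TlpHeader:
    fmt: int            # Fmt[2:0]: bit0 = 4DW header, bit1 = carries data
    tlp_type: int       # Type[4:0]: 0b00000 = memory request (MRd/MWr)
    length_dw: int      # payload length in DWs (field value 0 means 1024)
    requester_id: int   # Bus[15:8] | Device[7:3] | Function[2:0]
    tag: int
    address: int        # meaningful for memory requests only

    @property
    def is_memory_request(self) -> bool:
        return self.tlp_type == 0b00000

    @property
    def has_data(self) -> bool:
        return bool(self.fmt & 0b010)

    @property
    def bdf(self) -> str:
        rid = self.requester_id
        return f"{rid >> 8:02x}:{(rid >> 3) & 0x1F:02x}.{rid & 0x7}"


def decode_request_header(raw: bytes) -> TlpHeader:
    """Parse the 3DW or 4DW header at the start of a request TLP (big-endian DWs)."""
    if len(raw) < 12:
        raise ValueError("TLP header needs at least 3 DWs")
    dw0, dw1, dw2 = struct.unpack(">III", raw[:12])
    fmt = (dw0 >> 29) & 0x7
    tlp_type = (dw0 >> 24) & 0x1F
    length_dw = (dw0 & 0x3FF) or 1024
    requester_id = dw1 >> 16
    tag = (dw1 >> 8) & 0xFF
    if fmt & 0b001:                      # 4DW header: 64-bit address
        if len(raw) < 16:
            raise ValueError("4DW header truncated")
        (dw3,) = struct.unpack(">I", raw[12:16])
        address = (dw2 << 32) | (dw3 & 0xFFFFFFFC)
    else:                                # 3DW header: 32-bit address
        address = dw2 & 0xFFFFFFFC
    return TlpHeader(fmt, tlp_type, length_dw, requester_id, tag, address)


def check_dma_request(hdr: TlpHeader, policy: dict) -> str:
    """Judge one memory request the way DMA remapping hardware does: the only
    identity available is the Requester ID, so the request is evaluated under
    whatever windows are assigned to that ID."""
    if not hdr.is_memory_request:
        return "not-memory"
    windows = policy.get(hdr.requester_id)
    if windows is None:
        return "unknown-requester"
    end = hdr.address + hdr.length_dw * 4
    if any(lo <= hdr.address and end <= hi for lo, hi in windows):
        return "ok"
    return "outside-window"


def audit_trace(trace, policy):
    """Return (requester BDF, kind, verdict) for every TLP in a captured trace."""
    results = []
    for raw in trace:
        hdr = decode_request_header(raw)
        if hdr.is_memory_request:
            kind = "MWr" if hdr.has_data else "MRd"
        else:
            kind = f"type-0x{hdr.tlp_type:02x}"
        results.append((hdr.bdf, kind, check_dma_request(hdr, policy)))
    return results


# Constructed policy: the NIC at 03:00.0 may DMA only into its descriptor/buffer window.
POLICY = {0x0300: [(0x7FE00000, 0x7FF00000)]}

# Constructed trace (big-endian DWs; header only, except where a payload DW follows):
SAMPLE_TRACE = [
    bytes.fromhex("00000010 030005FF 7FE00000"),                    # MRd 3DW, 16 DW, inside window
    bytes.fromhex("60000001 0300060F 00000001 20000000 DEADBEEF"),  # MWr 4DW to 0x1_2000_0000
    bytes.fromhex("00000004 050007FF 7FE01000"),                    # MRd from 05:00.0, not in policy
    bytes.fromhex("04000001 0000000F 03000000"),                    # CfgRd0 from the root complex
]

if __name__ == "__main__":
    for bdf, kind, verdict in audit_trace(SAMPLE_TRACE, POLICY):
        print(f"{bdf} {kind:10s} {verdict}")
```

The audit shows the practical limit of both trace inspection and the IOMMU: a request that carries the NIC's Requester ID is judged under the NIC's windows, exactly as the NIC's own traffic would be, so the two cannot be told apart by identity alone. It also shows what remapping still enforces: "passing IOMMU/VT-d checks" means inheriting the mappings the host established for the NIC, so a request to an address outside that device's mapped DMA buffers (the second sample) is rejected regardless of whose identifier it carries.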
Test Platform

Hardware Configuration

  • FPGA Board: Xilinx Kintex UltraScale KCU105 evaluation board
  • Adapter: HiTech Global FMC-X8 PCIe RCC adapter
  • Test NIC: Intel X710 or X520
  • Host Platform: X870 chipset motherboard with AMD 9950X3D CPU
  • Operating System: Windows 10 64-bit with vendor NIC drivers

Clock Configuration

  • Common Clock mode when hardware permits (shared PCIe reference clock)
  • SRIS (Separate Reference Clock) mode for downstream link when necessary
  • Ensures stable link training and reliable TLP exchange

Validation Results

  • Successful power, initialization, and enumeration
  • Both upstream and downstream links trained successfully
  • Stable TLP exchange achieved
  • Windows correctly enumerated NIC through bridge
  • Correct device ID and configuration space reads
  • Driver loaded and NIC transmitted/received packets normally

Advantages

Stealth

  • No visible hardware changes from host perspective
  • No additional hardware IDs or configuration space anomalies
  • Standard PCIe scans return only legitimate NIC information
  • No custom host drivers required beyond standard vendor NIC driver
  • Reduced detection risk compared to external PCIe devices

Security and Forensic Applications

  • Passive network capture without disrupting operations
  • On-the-fly packet modification capabilities
  • DMA-based memory reads disguised as NIC activity
  • Live memory analysis and data extraction
  • Platform for penetration testing and security research
  • Low-visibility forensic operations

Compatibility

  • No modification to host or NIC software required
  • Leverages vendor NIC hardware for actual packet I/O
  • Compatible with existing protocol stacks and applications
  • Plug-and-play operation
  • Preserves NIC performance close to direct connection

Development Status

Current Progress

  • Basic transparent bridging operational
  • Initial integration tests successful
  • Adapting open DMA framework to platform
  • FPGA DMA controller integration in progress
  • Interrupt mapping refinement ongoing

Work in Progress

  • Advanced memory read/write control
  • MSI-X forwarding enhancement
  • DMA engine integration testing
  • Multiple MSI-X propagation support
  • Stability and concealment improvements

Commercial Information

  • Development board cost: ~1,100 USD
  • Low firmware flashing costs
  • Subscription and buyout pricing models under consideration

Technical Notes

The system is specifically designed to pass CPU virtualization checks (VT-d/IOMMU) with hardened firmware. Unlike NTB hardware, which also supports these checks but requires high user skill, the MITM system is designed for broader commercial deployment.

Use Cases

  • Penetration testing
  • Security research
  • Network forensics
  • Traffic analysis and monitoring
  • Hardware-level security assessment
  • Low-visibility data collection

Community

The research team welcomes discussion and collaboration from the community. This project represents ongoing research in PCIe protocol implementation, DMA security, and hardware-level network analysis.


Note: This system is intended for authorized security research, penetration testing, and forensic applications only. Users must comply with all applicable laws and regulations.

About

MITM = Man In The Middle Attack