Moats and Drawbridges: An Isolation Primitive for Reconfigurable Hardware Based Systems Ted Huffmire, Brett Brotherton, Gang Wang, Timothy Sherwood, Ryan.

Presentation transcript:

Moats and Drawbridges: An Isolation Primitive for Reconfigurable Hardware Based Systems
Ted Huffmire, Brett Brotherton, Gang Wang, Timothy Sherwood, Ryan Kastner, Timothy Levin, Thuy Nguyen, and Cynthia Irvine
23 May 2007

Field Programmable Gate Arrays
Design of high-performance systems
 Can't achieve high speed with a standard CPU
ASIC chips have been used traditionally
 Increasingly expensive
Need something in between CPU and ASIC
 FPGAs becoming common
Raises interesting security questions
 How to manage security in FPGA designs
Set of security primitives
 Foundation for building secure systems on FPGAs

FPGA Systems

[Figure: FPGA chip containing reconfigurable hardware: a CPU core, a crypto core (AES), a reference monitor and soft processors (μP), with off-chip SDRAM/DRAM]

Tradeoffs
Software vs. Hardware
 Generality vs. performance
 FPGAs are in between
ASIC performance comes at a high NRE cost
 Fabrication
 Verification
Security
 IP is vulnerable in overseas foundries
 Reduce problem of trusting foundry to problem of trusting FPGA
[Figure: CPU, FPGA and ASIC placed on a spectrum from general-purpose to application-specific]

Motivation
Ideal: Performance approaching ASIC, cost approaching CPU
Problem: Embedded systems designers need security primitives
Opportunities:
 Spatial mapping of apps to device
 Build primitives in reconfigurable hardware

Outline
Motivation and Background
Security Primitives for FPGAs
 Logical isolation
 Interconnect tracing
 Secure communication architecture
 Configuration scrubbing
Apply primitives to memory protection
 Reference monitor
Conclusions and Future Work

Protection on Embedded Systems
[Figure: Separation kernels (software, temporal): app1, app2, app3 and the kernel share DRAM. Reconfigurable protection (physical, spatial): app1, app2 and app3 reach DRAM only through a reference monitor.]

Related Work
Intellectual Property Theft
 Bit-stream encryption [Bossuet 04] [Kean 02]
 Fingerprinting and watermarking [Lach 99]
 Secure configuration update [Harper 04]
Use FPGAs to compose a trusted ASIC system
 RC virtual machines provide process isolation on a CMOS processor [Chien 99]
 Security Primitive Controller [Gogniat 06]
  Implement encryption primitives on an FPGA
  FPGA is one component of an embedded system with CPU and other ASIC components

FPGA Systems
[Figure: FPGA chip containing soft processors (μP), SRAM blocks (BRAM) and FPGA fabric, with off-chip SDRAM/DRAM]

FPGA Applications
[Figure: two applications (App1, App2) on one FPGA sharing memory (Mem)]

FPGA Fabric
[Figure: FPGA fabric showing a switchbox and a CLB with inputs A and B and output Out]

Intertwined Cores

Mixed Trust Cores
Multiple cores on one chip
 Integration onto single device to save $
 Cores run "naked" on the device
Cores are provided by third parties
 Soft IP cores can be distributed as HDL, netlist, or bitstream
Sophisticated software tools developed by third parties
 Logic synthesis transforms HDL to netlist
 Place and route transforms netlist to bitstream

Logical Isolation (section marker slide; repeats the outline above with this section highlighted)

Moats
Goal: Physical isolation of cores
 Intermingled cores are not safe
Opportunity: Divide computation spatially
 GP Processor divides temporally
Exploit spatial nature of FPGAs to provide isolation
 Surround each core with a moat in which routing is disabled

[Figure: Moats: each core on the FPGA chip (CPU core, crypto core/AES, reference monitor) is surrounded by a moat; off-chip SDRAM/DRAM]

Moats

Methodology
Tradeoff between area and performance
 Narrow moats use less area
 Restriction to short routing segments hurts both area and performance
Use VPR to synthesize 20 largest MCNC benchmark circuits on different routing configurations
 Measure effect of constrained routing on area of core and critical path timing

Effective Utilization
A: Dead areas for moats (depends on # cores)
B: Inflation due to restricted routing (~10%)
C: Useful logic with no inflation (unrestricted routing)
U_Eff = C / (A + B + C)
[Figure: utilization bar divided into regions A, B and C; the whole bar is 100%]

Moat Tradeoffs
[Figure: breakdown into dead space, inflation and useful logic for moat size 1, 2 and 6]
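The slides give U_Eff = C/(A+B+C) but not the geometry behind A, so the following is an added example (not the paper's model or data) that works the formula through for the moat sizes on the slide. It assumes an N x N CLB fabric, cores in a g x g grid with a moat of width w on every side, and constructed inflation figures per moat width.

```python
# Added example (not from the paper): a geometric model of U_Eff = C/(A+B+C).
# Assumptions: the fabric is an N x N array of CLBs, cores sit in a g x g grid,
# and a moat of width w separates every core from its neighbours and the edge.

def effective_utilization(fabric_side, cores_per_side, moat_width, inflation):
    """Return (A, B, C, U_eff) for one moat configuration.

    A: CLBs lost to moats (dead space; grows with the number of cores)
    B: CLBs consumed by inflation from restricted routing
    C: CLBs holding useful logic
    inflation: fractional area growth of a core under restricted routing
               (the slides report ~10%; here it is a parameter)
    """
    n, g, w = fabric_side, cores_per_side, moat_width
    core_side = (n - (g + 1) * w) // g   # core region left after g+1 moats
    if core_side <= 0:
        raise ValueError("moats leave no room for cores")
    core_area = core_side * core_side
    total = n * n
    a_dead = total - g * g * core_area
    # an inflated core of area S holds only S / (1 + inflation) useful logic
    c_useful = g * g * core_area / (1.0 + inflation)
    b_inflation = g * g * core_area - c_useful
    return a_dead, b_inflation, c_useful, c_useful / (a_dead + b_inflation + c_useful)


# Constructed (not measured) inflation per moat width: narrower moats force
# shorter routing segments, so cores inflate more.
ASSUMED_INFLATION = {1: 0.15, 2: 0.10, 6: 0.02}


def sweep_moat_sizes(fabric_side=100, cores_per_side=2):
    """U_eff for the moat widths shown on the slide (1, 2 and 6)."""
    return {w: effective_utilization(fabric_side, cores_per_side, w, inf)[3]
            for w, inf in ASSUMED_INFLATION.items()}


if __name__ == "__main__":
    for w, u in sweep_moat_sizes().items():
        print(f"moat width {w}: U_eff = {u:.3f}")
```

With these assumed numbers the sweep reproduces the slide's point: the widest moat wastes the most fabric in dead space, the narrowest pays the most inflation, and a middle width gives the best utilization.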

Effective Utilization

Interconnect Tracing (section marker slide; repeats the outline above with this section highlighted)

Drawbridges
Goal: Ensure that only specified communication is established between cores
Opportunity: Spatial isolation
Specify legal connections
 Location of cores
 I/O pins
 Valid connections
Statically verify these connections
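As an added example of the static verification step (not the authors' tool), the check below takes a constructed placement, moat width, netlist and list of legal connections, and reports both moat violations (cores placed closer than the moat width) and drawbridge violations (nets that are not in the specified list). Core names, coordinates, the "dram" pin name and the policy are all assumptions.

```python
# Added example: a static "drawbridge" check over a constructed placement and
# netlist. Core names, coordinates and the policy are assumed for illustration.
from itertools import combinations

# Placement: core -> (x0, y0, x1, y1) inclusive CLB coordinates (constructed).
PLACEMENT = {
    "cpu":    (0,  0, 39, 39),
    "crypto": (42, 0, 79, 39),   # deliberately placed too close to "cpu"
    "refmon": (0, 44, 79, 59),
}
MOAT_WIDTH = 4  # routing is disabled in a band this wide around each core

# Drawbridges: the only connections the design is permitted to make.
# I/O pin "dram" stands for the off-chip memory interface (constructed name).
LEGAL = {("cpu", "refmon"), ("crypto", "refmon"), ("refmon", "dram")}

# Netlist as produced by the toolchain (constructed): (src, dst) pairs.
NETLIST = [("cpu", "refmon"), ("refmon", "dram"), ("crypto", "refmon"),
           ("cpu", "crypto")]   # last net bypasses the reference monitor


def moat_gap(a, b):
    """Smallest empty distance (in CLBs) between two rectangles; 0 if they touch."""
    ax0, ay0, ax1, ay1 = a
    bx0, by0, bx1, by1 = b
    dx = max(bx0 - ax1 - 1, ax0 - bx1 - 1, 0)
    dy = max(by0 - ay1 - 1, ay0 - by1 - 1, 0)
    return max(dx, dy)


def check_moats(placement, moat_width):
    """Every pair of cores must be separated by at least moat_width CLBs."""
    return [f"moat: {p} and {q} are only {moat_gap(placement[p], placement[q])} apart"
            for p, q in combinations(placement, 2)
            if moat_gap(placement[p], placement[q]) < moat_width]


def check_drawbridges(netlist, legal):
    """Every net must match a specified connection (direction-insensitive)."""
    allowed = {frozenset(pair) for pair in legal}
    return [f"drawbridge: {s} -> {d} is not a specified connection"
            for s, d in netlist if frozenset((s, d)) not in allowed]


def verify(placement, moat_width, netlist, legal):
    """All violations; an empty list means the design passes both checks."""
    return check_moats(placement, moat_width) + check_drawbridges(netlist, legal)


if __name__ == "__main__":
    for v in verify(PLACEMENT, MOAT_WIDTH, NETLIST, LEGAL):
        print(v)
```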

[Figure: Interconnect tracing on the FPGA chip: connections between the CPU core, crypto core (AES), reference monitor and soft processors (μP); connections that are not specified are marked X; off-chip SDRAM/DRAM]

Secure Communication Architecture (section marker slide; repeats the outline above with this section highlighted)

Secure Communication Architecture
Goal: Secure communication between cores on shared bus
 Must prevent snooping on the bus
 Must ensure that shared communication medium cannot be used as a covert channel
Opportunity: Programmability of FPGAs
 Build some logic to enhance the bus
Shared memory bus with time division access
 Each module gets an equal share of time to use the bus
 Arbiter ensures that a core can only access the bus during its scheduled time
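To show why the fixed time-division schedule matters for the covert-channel goal, here is an added cycle-level model (not the authors' hardware) that contrasts a demand-driven arbiter with the time-division arbiter described above. The core names, slot length and request traces are constructed: "crypto" tries to signal bits by flooding the bus, and "cpu" watches the latency of its own requests.

```python
# Added example (not from the paper): a cycle-level model comparing a
# demand-driven bus arbiter with the time-division arbiter the slide describes.
# Core names, slot length and the request traces are constructed.
from collections import deque

SCHEDULE = ["cpu", "crypto"]   # fixed slot order; each slot is SLOT_CYCLES long
SLOT_CYCLES = 2

def simulate(requests, pick):
    """Serve (issue_cycle, core) requests one per cycle; `pick` chooses the core.
    Returns {core: [latency, ...]} in issue order, latency = served - issued."""
    queues = {core: deque() for core in SCHEDULE}
    latencies = {core: [] for core in SCHEDULE}
    todo, i, cycle = sorted(requests), 0, 0
    while i < len(todo) or any(queues.values()):
        while i < len(todo) and todo[i][0] <= cycle:   # requests issued by now
            queues[todo[i][1]].append(todo[i][0])
            i += 1
        core = pick(cycle, queues)
        if core is not None:
            latencies[core].append(cycle - queues[core].popleft())
        cycle += 1
    return latencies

def fcfs_pick(cycle, queues):
    """Demand-driven: oldest pending request wins (ties broken by core name)."""
    waiting = [(q[0], core) for core, q in queues.items() if q]
    return min(waiting)[1] if waiting else None

def tdma_pick(cycle, queues):
    """Time-division: only the slot owner may use the bus; idle slots stay idle,
    so one core's service timing never depends on another core's traffic."""
    owner = SCHEDULE[(cycle // SLOT_CYCLES) % len(SCHEDULE)]
    return owner if queues[owner] else None

def traffic(bits):
    """cpu polls the bus once per 4-cycle window; crypto bursts 5 requests at the
    start of a window to signal a 1 bit and stays silent to signal a 0 bit."""
    reqs = [(4 * k + 1, "cpu") for k in range(len(bits))]
    for k, bit in enumerate(bits):
        reqs += [(4 * k, "crypto")] * (5 if bit else 0)
    return reqs

def cpu_latencies(pick, bits):
    """Latencies cpu observes for its own requests while crypto sends `bits`."""
    return simulate(traffic(bits), pick)["cpu"]

if __name__ == "__main__":
    print("fcfs:", cpu_latencies(fcfs_pick, [1, 0, 1, 0]))   # bits visible
    print("tdma:", cpu_latencies(tdma_pick, [1, 0, 1, 0]))   # bits invisible
```

Under the demand-driven arbiter the cpu's latencies track the bits crypto sends; under the time-division arbiter they are identical whether crypto is silent or flooding, which is the property the slide asks for.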

[Figure: Communication architecture: the CPU core, crypto core (AES) and soft processors (μP) reach off-chip SDRAM/DRAM through an arbiter/reference monitor]

Configuration Scrubbing (section marker slide; repeats the outline above with this section highlighted)

Configuration Scrubbing
Goal: Allow FPGA to change its configuration securely at run-time
 Ability to swap cores improves system flexibility
 Reconfigurable crossbar [Lysaght 04]
Opportunity: Use partial reconfiguration to properly erase prior core's logic
Use ICAP interface with an embedded core
 Read in a configuration frame
 Modify configuration frame
 Write back modified frame
Bitstream decryption is prohibited when using partial reconfiguration

Memory Protection (section marker slide; repeats the outline above with this section highlighted)

Memory Protection
Goal: Allow cores to share memory securely
 Embedded systems often lack memory protection mechanisms
Opportunity: Leverage the benefits of hardware
 Low-overhead stateful reference monitors
A reconfigurable reference monitor enforces a policy that specifies the legal sharing of memory
 Compiler translates policy specification to hardware description of enforcement module

[Figure: Memory protection: the CPU core and crypto core (AES) access off-chip SDRAM/DRAM only through the reference monitor; blocked accesses are marked X]

Conclusions
Fabric of computing is changing
 From the G-P uni-processor model to embedded
 Exploit performance of raw hardware
 New approach to system design is needed
FPGAs are growing in importance
 Custom ASIC is 3 generations behind
 FPGA starts in 2005: 80,000, growing to 110,000 by 2010 [Dataquest 05]
 ASIC starts in 1997: 11,000; ASIC starts in 2005: 3,000 [Meyers 05]

Future Work
Covert Channels
 Power, thermal, state of policy
Accurate Policies
 Higher-level language, policy checker
Verify Each Stage of Ref Monitor Design Flow
 Output of stage correctly implements input
Apply primitives outside RC domain
 CMP
MLS Information Flow Control
 Multilevel data
Reconfigurable computing
 Swap an entire core

Questions?