Hardware Support for Trustworthy Systems. Ted Huffmire ACACES 2012 Fiuggi, Italy. Disclaimer. The views presented in this course are those of the speaker and do not necessarily reflect the views of the United States Department of Defense. Lecture 2 Overview. Reconfigurable Security
Hardware Support for Trustworthy Systems Ted Huffmire ACACES 2012 Fiuggi, Italy
Disclaimer • The views presented in this course are those of the speaker and do not necessarily reflect the views of the United States Department of Defense.
Lecture 2 Overview • Reconfigurable Security • Reconfigurable hardware is widely used due to growing non-recurring engineering (NRE) cost for ASICs
Field Programmable Gate Arrays • Design of high-performance systems • ASIC chips have been used traditionally • Need something in between CPU and ASIC
Field Programmable Gate Arrays • Raises interesting security questions • Set of security primitives • Examples of FPGA systems
Reconfigurable Hardware • [Figure: FPGA chip with CPU cores (μP), AES crypto core, reference monitor and DRAM blocks; SDRAM (off-chip)]
Tradeoffs • [Figure: spectrum from general-purpose to application-specific: CPU, FPGA, ASIC] • Software vs. Hardware • ASIC performance comes at a high NRE cost • Design, Verification • Fabrication, Packaging, Test • Security
Motivation • Ideal: Performance approaching ASIC, cost approaching CPU • Problem: Embedded systems designers need security primitives • Opportunities: • Spatial mapping of apps to device • Build primitives in reconfigurable hardware
Outline • Motivation and Background • Security Primitives for FPGAs • Logical isolation • Interconnect tracing • Secure communication architecture • Configuration scrubbing
Motivation and Background • Motivation and Background • Security Primitives for FPGAs • Logical isolation • Interconnect tracing • Secure communication architecture • Configuration scrubbing
Protection on Embedded Systems • [Figure: panels Reconfigurable Protection, Separation Kernels, Separate Processors; labels: Physical, Software, Spatial, Temporal; components: app1, app2, app3, kernel, gate keeper, reference monitor, DRAM]
FPGA Systems • [Figure: FPGA chip with FPGA fabric, μP cores, BRAM, SRAM block and DRAM blocks; SDRAM (off-chip)]
FPGA Applications • [Figure: FPGA with App1, App2 and Mem]
FPGA Fabric • [Figure: switchbox and CLB; lookup table with inputs A, B and output Out: 0 0 → 0, 0 1 → 0, 1 0 → 0, 1 1 → 1]
Mixed Trust Cores • Multiple cores on one chip • Cores are provided by third parties • Sophisticated software tools developed by third parties
Mixed Trust Cores • Entanglement
Logical Isolation • Motivation • Security Primitives for FPGAs • Logical isolation • Interconnect tracing • Secure communication architecture • Configuration scrubbing
Moats • Goal: Physical isolation of cores • Opportunity: Divide computation spatially • Exploit spatial nature of FPGAs to provide isolation
Moats • [Figure: FPGA chip with CPU cores, AES crypto cores, reference monitor and DRAM blocks; SDRAM (off-chip)]
Methodology • Tradeoff between area and performance • Use VPR to synthesize 20 largest MCNC benchmark circuits on different routing configurations
Effective Utilization • A: Dead areas for moats (depends on # cores) • B: Inflation due to restricted routing (~10%) • C: Useful logic with no inflation (unrestricted routing) • U_Eff = C / (A + B + C) • [Figure: bar scaled to 100% divided into A, B and C]
Moat Tradeoffs • [Figure: three panels, Moat Size = 1, Moat Size = 2, Moat Size = 6, each divided into Dead Space, Inflation and Useful Logic]
Interconnect Tracing • Motivation • Security Primitives for FPGAs • Logical isolation • Interconnect tracing • Secure communication architecture • Configuration scrubbing
Drawbridges • Goal: Ensure that only specified communication is established between cores • Opportunity: Spatial isolation • Specify legal connections • Statically verify these connections
Interconnect Tracing • [Figure: FPGA chip with CPU cores (μP), AES crypto core, reference monitor and DRAM blocks; two connections marked X; SDRAM (off-chip)]
Jbits Interface • Jbits is a Java software interface from Xilinx • It provides abstract methods for • Reading bitstreams • Modifying bitstreams • Creating bitstreams • Allows us to obtain the information we need to trace the routes from the actual bitstream
How Route Tracer Works • Initialization • Parse Input file to get all modules, pins, and connections • Obtain list of search pins for incoming and outgoing connections • Trace all connections from input pins • Trace all connections leaving modules • Reverse Trace to ensure that there are no invalid connections entering the modules
Route Tracing Algorithm

RouteTree trace(pin, module) {
    add pin to routeTree
    for all sinks of wire this pin is on {
        if sink is connected to pin
            if sink has already been searched
                return
            if sink is in another module
                check if connection is valid
                return
            add sink to list of searched pins
            trace(sink, module)
    }
}
Route Tracing • [Figure: grid of switch matrix (SM) and CLB tiles]
Example Input file

# denotes a comment
# first declare the device type
#D device
D XC2V6000 FF1517
#N modules pins connections
N 4 5 12
#M modulename xmin xmax ymin ymax
M MB1 11 35 57 80
M MB2 11 35 13 35
M MB3 54 78 57 80
M MB4 54 78 13 35
#P pinname in/out
P B25 rst #Reset
P C36 in #rs_232_rx_pin
P J30 out #rs_232_tx_pin
P C8 in #rs_232_rx2_pin
P C9 out #rs_232_tx2_pin
#C source destination width
C B25 MB1 1
C C36 MB1 1
C MB1 J30 1
C B25 MB2 1
C MB1 MB2 32
C MB2 MB1 32
C B25 MB3 1
C MB3 C9 1
C C8 MB3 1
C B25 MB4 1
C MB4 MB3 32
C MB3 MB4 32
Output from Route Tracer

. . .
Found Valid connection:MB1 to MB2
CLB.S6BEG5[57][33]
. [CLB.S6END5[51][33]]
. . CLB.S6BEG5[51][33]
. . . [CLB.S6END5[45][33]]
. . . . CLB.S6BEG3[45][33]
. . . . . [CLB.S6END3[39][33]]
. . . . . . CLB.S2BEG3[39][33]
. . . . . . . [CLB.S2END3[37][33]]
. . . . . . . . CLB.S2BEG1[37][33]
. . . . . . . . . [CLB.S2END_S1[34][33]]
Found Valid connection:MB3 to MB4
CLB.OMUX0[58][58]
. CLB.LV12[58][58]
. . [CLB.LV18[28][58]]
Found Valid connection:MB3 to C9
. . .
Design Successfully verified!
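Added example, not code from the lecture or from the authors' Jbits-based tracer: the forward trace of the algorithm above, checked against M and C lines in the slide's input format. The routing graph, node coordinates and all function names are constructed assumptions; the real tool reads routes from the bitstream.

```python
SPEC = """\
# constructed spec in the slide's input format (two modules, one link)
M MB1 11 35 57 80
M MB2 11 35 13 35
C MB1 MB2 32
"""
# Constructed routing graph: node (x, y, name) -> sinks it drives.
ROUTES = {
    (20, 57, "out"): [(20, 46, "hop")], (20, 46, "hop"): [(20, 35, "in")],
    (22, 35, "out"): [(22, 46, "hop")], (22, 46, "hop"): [(22, 57, "in")],
}

def parse_spec(text):
    """Return (modules, allowed) from M and C lines; '#' starts a comment."""
    modules, allowed = {}, set()
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f and f[0] == "M":
            modules[f[1]] = tuple(map(int, f[2:6]))  # xmin xmax ymin ymax
        elif f and f[0] == "C":
            allowed.add((f[1], f[2]))                # (source, destination)
    return modules, allowed

def module_at(modules, x, y):
    """Name of the module whose bounding box contains (x, y), else None."""
    for name, (x0, x1, y0, y1) in modules.items():
        if x0 <= x <= x1 and y0 <= y <= y1:
            return name
    return None  # moat or unassigned fabric

def trace(node, src, modules, allowed, seen, bad):
    """Depth-first walk over sinks; record crossings the spec lacks."""
    for sink in ROUTES.get(node, ()):
        if sink in seen:
            continue
        seen.add(sink)
        owner = module_at(modules, sink[0], sink[1])
        if owner not in (None, src):       # sink lies in another module
            if (src, owner) not in allowed:
                bad.append((src, owner, sink))
            continue                       # do not trace inside that module
        trace(sink, src, modules, allowed, seen, bad)

def verify(spec, start_nodes):
    """Trace from each start node; return the list of invalid connections."""
    modules, allowed = parse_spec(spec)
    bad = []
    for node in start_nodes:
        src = module_at(modules, node[0], node[1])
        trace(node, src, modules, allowed, {node}, bad)
    return bad
```

The reverse trace from the slide is the same walk over the inverted graph, starting at each module's input nodes.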
Partial Reconfiguration Route Tracing • [Figure: grid of switch matrix (SM) and CLB tiles with an input pin and an output pin; callout: "This is our partially reconfigurable area"]
Moats 1.0 • Example four-core design, moat size = 2
Moats 2.0 • Subset of connections that must be traced
Secure Communication Architecture • Motivation • Security Primitives for FPGAs • Logical isolation • Interconnect tracing • Secure communication architecture • Configuration scrubbing
Secure Communication Architecture • Goal: Secure communication between cores on shared bus • Opportunity: Programmability of FPGAs • Shared memory bus with time division access
Communication Architecture • [Figure: modules M1, M2, M3, ..., Mn; arbiter; BRAM block]
Communication Architecture • [Figure: FPGA chip with CPU cores (μP), AES crypto core, arbiter/reference monitor and DRAM blocks; SDRAM (off-chip)]
Configuration Scrubbing • Motivation • Security Primitives for FPGAs • Logical isolation • Interconnect tracing • Secure communication architecture • Configuration scrubbing
Configuration Scrubbing • Goal: Allow FPGA to change its configuration securely at run-time • Opportunity: Use partial reconfiguration to properly erase prior core’s logic • Use ICAP interface with an embedded core • Bitstream decryption is prohibited when using partial reconfiguration
Scrubbing Example • [Figure: FPGA chip with CPU cores (μP), AES crypto core and DRAM blocks; SDRAM (off-chip)]
Lecture 2 Reading • [Conference Version] Moats and Drawbridges: An Isolation Primitive for Reconfigurable Hardware Based Systems • http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=4223233 • [Journal Version] Security Primitives for Reconfigurable Hardware-Based Systems • http://dl.acm.org/citation.cfm?id=1754391
Lecture 2 Reading • Reconfigurable Hardware Security • Trusted Design in FPGAs • http://dl.acm.org/citation.cfm?id=1278483 • Security on FPGAs: State-of-the-Art Implementations and Attacks • http://dl.acm.org/citation.cfm?id=1015052 • Security for Volatile FPGAs • http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-763.pdf
Lecture 2 Reading • Reconfigurable Hardware Security • Reconfigurable Computing: The Theory and Practice of FPGA-Based Computing • http://store.elsevier.com/Reconfigurable-Computing/Scott-Hauck/isbn-9780123705228/ • FPGA-Based Single Chip Cryptographic Solution • http://mil-embedded.com/pdfs/NSA.Mar07.pdf • http://www.xilinx.com/applications/security/index.htm • Of Gates and Wires • http://ieeexplore.ieee.org/xpl/articleDetails.jsp?tp=&arnumber=1303100
Lecture 2 Reading • Handbook of FPGA Design Security • http://springer.com/978-90-481-9156-7 • Security Trends for FPGAs • http://springer.com/978-94-007-1337-6