Inheriting Software Security Policies within Hardware IP Components

Domain isolation enforcement is one of the challenging issues in software environments. To address this problem, the NSA, in conjunction with Secure Computing Corporation and the University of Utah, developed the open-source Flux Advanced Security Kernel (Flask), the mandatory access control (MAC) security architecture underlying major operating systems and hypervisors widely deployed in cloud and desktop environments. In this work, we extend this security architecture to FPGA-based heterogeneous systems. Specifically, we explore the design and implementation of a security framework for controlled sharing of FPGA hardware modules in MAC-based OS/hypervisor environments. The proposed design guarantees that hardware modules execute in the same security context as the processes calling them, by propagating the security policies expressed at the software level down to the hardware. We prototype the proposed framework with SELinux and demonstrate its utility by evaluating the trade-offs between security and the execution overhead incurred by example applications. The preliminary results show that our proposed framework provides isolation with an average worst-case performance overhead of 0.6%.
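As an added illustration (not code from the paper or its prototype), the Flask pattern the abstract describes, modelled in Python: each FPGA hardware module carries an SELinux-style label inherited from the software side, and every call is checked against type-enforcement rules using the calling process's context, with default deny. The policy text, module names and the `fpga_module` object class are constructed assumptions.

```python
# Constructed, illustrative policy in SELinux type-enforcement syntax:
# `allow <caller type> <module type>:<class> { <permissions> };`
POLICY = """
allow crypto_app_t fpga_aes_t:fpga_module { configure execute read_result };
allow video_app_t  fpga_dct_t:fpga_module { execute read_result };
"""

def se_type(label: str) -> str:
    """Return the type field of a `user:role:type[:level]` security context."""
    return label.split(":")[2]

def parse_policy(text: str) -> dict:
    """Build an access-vector table {(src_type, tgt_type, class): {perms}}."""
    av = {}
    for line in text.strip().splitlines():
        line = line.strip().rstrip(";")
        if not line.startswith("allow "):
            continue
        _, src, rest = line.split(None, 2)
        tgt_cls, perms = rest.split("{", 1)
        tgt, cls = tgt_cls.strip().split(":")
        key = (src, tgt, cls)
        av[key] = av.get(key, set()) | set(perms.strip(" }").split())
    return av

class HardwareModule:
    """Object manager for one FPGA IP core (hypothetical). The module keeps the
    label assigned by the software policy and enforces it on every request,
    so it runs in the security context of its caller rather than outside MAC."""
    def __init__(self, name: str, label: str, av: dict):
        self.name, self.label, self.av = name, label, av
        self.denials = []  # audit trail in the style of an AVC denial message

    def request(self, caller_label: str, perm: str) -> bool:
        """Permit `perm` only if a rule grants it to the caller's type."""
        key = (se_type(caller_label), se_type(self.label), "fpga_module")
        allowed = perm in self.av.get(key, set())
        if not allowed:
            self.denials.append(
                f"avc: denied {{ {perm} }} scontext={caller_label} "
                f"tcontext={self.label} tclass=fpga_module module={self.name}")
        return allowed

if __name__ == "__main__":
    aes = HardwareModule("aes0", "system_u:object_r:fpga_aes_t", parse_policy(POLICY))
    print(aes.request("user_u:user_r:crypto_app_t", "execute"))  # True
    print(aes.request("user_u:user_r:video_app_t", "execute"))   # False
    print(aes.denials)
```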
