Secure Hardware Kernels Execution in CPU+FPGA Heterogeneous Cloud

In this paper, we present a new security framework that allows controlled sharing and isolated execution of mutually distrusted FPGA accelerators in heterogeneous cloud systems. The proposed framework enables accelerators running on FPGAs in cloud computers to transparently inherit, at run time, the software security policies of the virtual machine processes calling them. This capability allows the system's security policy enforcement mechanism to propagate access control privilege boundaries expressed at the hypervisor level down to individual FPGA accelerators. Furthermore, we present a software/hardware prototype implementation of the proposed security framework, showing that it can easily be transparently integrated within the virtual machine software stacks that run in today's cloud-based systems. Experimental results show that our proposed framework provides secure hardware execution with negligible execution overhead on guest VM applications.
