Managing Security in FPGA-Based Embedded Systems

Naval Postgraduate School, Monterey, California

Sunday, April 01 2012 A strategy is needed for lifecycle protection of hardware to provide accountability in the development process, including control of the development environment and tools, as well as trusted delivery of the chips from the factory. Both cores and tools should be placed under a configuration management system. Ideally, it should be possible to verify that the output of each stage of the design flow faithfully implements the input to that stage through the use of formal methods such as model checking.

An alternative is to build a custom set of trusted tools for security-critical hardware. This tool chain would implement a subset of the commercial tool chain’s optimization functions, and the resulting designs would likely sacrifice some measure of performance for additional security. Existing research on trusted compilers could be exploited to minimize the development effort. A critical function of lifecycle protection is to ensure that the output (and transitively, the input) does not contain malicious artifacts. Testing can also help ensure fidelity to requirements and common failure modes. For example, it should consider the location of the system’s entry points, its dependencies, and its behavior during failure.

Lifecycle management also includes delivery and maintenance. Trusted delivery ensures that the FPGA has not been tampered with from manufacturing to customer delivery. For an FPGA, maintenance includes updates to the configuration, which can occur remotely on some FPGAs. For example, a vendor might release an improved version of the bitstream that fixes bugs in the earlier version.

Programmability of FPGAs is a major advantage for providing on-chip security, but this malleability introduces unique vulnerabilities. Industry is reluctant to add security features to ASICs, because the edit-compile-run cycle cost can be prohibitive. FPGAs, on the other hand, provide the opportunity to incorporate self-protective security mechanisms at a far lower cost.

One example of a runtime security mechanism that can be built into reconfigurable hardware is memory protection. On most embedded devices, memory is flat and unprotected. A reference monitor, a well-understood concept from computer security, can enforce a policy that specifies the legal sharing of memory (and other computing resources) among cores on a chip. A reference monitor is an access control mechanism that possesses three properties: it is self-protecting, its enforcement mechanisms cannot be bypassed, and it can be subjected to analysis that ensures its correctness and completeness. Reference monitors are useful in composing systems because they are small and do not require any knowledge of a core’s inner workings.

This work was done by Ted Huffmire, Timothy Levin, Thuy D. Nguyen, and Cynthia Irvine of the Naval Postgraduate School; Brett Brotherton of Special Technologies Laboratory; Timothy Sherwood of the University of California, Santa Barbara; and Ryan Kastner of the University of California, San Diego. NRL-0058