Implementing Memory Protection Primitives on Reconfigurable

Hardware

Brett BrothertonNick CallegariTed Huffmire

Project Goals

•Evaluate security primitives for reconfigurable hardware

•Build a real system with multiple cores

•Design a security policy for the system

•Efficient memory system performance

•Programmatic interface to system

System Overview

OPB

ublaze 1 ublaze 1

Ref Monitor/Arbiter

Shared External Memory

AES Core

RS232 Ethernet

Security Policy

•Range0[0x41400000,0x4140ffff]; (Debug)

•Range1[0x28000000,0x28000777]; (AES1)

•Range2[0x28000800,0x28000fff]; (AES2)

•Range3[0x24000000,0x24777777]; (DRAM1)

•Range4[0x24800000,0x24ffffff]; (DRAM2)

•Range5[0x40600000,0x4060ffff]; (RS-232)

•Range6[0x40c00000,0x40c0ffff]; (Ethernet)

•Range7[0x28000004,0x28000007]; (Ctrl_Word1)

•Range8[0x28000008,0x2800000f]; (Ctrl_Word2)

•Range9[0x28000000,0x28000003]; (Ctrl_WordAES)

Security Policy

•Access0{M1,rw,R5}|{M2,rw,R6}|{M1,rw,R3}• |{M2,rw,R4}|{M1,rw,R0}|{M2,rw,R0};•Access1Access0|{M1,rw,R1}|{M1,rw,R9};•Access2Access0|{M2,rw,R1}|{M2,rw,R9};•Trigger0{M1,w,R7};•Trigger1{M1,w,R8};•Trigger2{M2,w,R7};•Trigger3{M2,w,R8};•Expr1Access0|Trigger3Access2*Trigger4;•Expr2Access1|Trigger2Expr1*Trigger1;•Expr3Expr1*Trigger1Expr2*;•PolicyExpr1*|Expr1*Trigger3Access2*• |Expr3Trigger2Expr1*Trigger3Access2*• |Expr3Trigger2Expr1*|Expr3|;

Security Policy DFA

init

M1 M2R0: rw rwR3: rw __R4: __ rwR5: rw __R6: __ rwR7: _w _w

M1 M2R0: rw rwR2: __ rwR3: rw __R4: __ rwR5: rw __R6: __ rwR8: __ _wR9: __ rw

{M2,w,R7}

M1 M2R0: rw rwR1: rw __R3: rw __R4: __ rwR5: rw __R6: __ rwR8: _w __R9: rw __

{M1,w,R7}{M2,w,R8} {M1,w,R8}

System Overview

OPB

ublaze 1 ublaze 1

Ref Monitor/Arbiter

Shared External Memory

AES Core

RS232 Ethernet

Performance Results

•One cycle latency increase for reference monitor 25.75 vs 26.75 cycles

•Area overhead very small 116 LUTs (1% increase)

•Clock speed increase 65 to 73 MHz

Impact of Moats

•Moats tested for size 0, 1, 2, 6•Best case: 0 and 6 only a 4% decrease in

clock frequency•Area overhead minimal

User Interface

• Currently using Hyperterminal to connect to AES core via serial connection Tested using 128 bit key & data

manually parsed into 32 bit lines and sent via hyperterminal.

• GOAL Incorporate a User Interface to

allow the user to select a data file and key file and receive the corresponding result over multiple communication platforms to test multi-core design and Reference Monitor.

s5816160000ce537f5e5a567cc9966d92590336763e6a118a874519e64e9963798a503f1d35

User Interface

•Progress Implemented User Interface in C++ to

allow more functionality and user friendliness.

SERIAL OR ETHERNET? [1-SERIAL][2-ETHERNET] ENCRYPT OR DECRYPT? [1-ENCRYPT][2-DECRYPT] INPUT FILENAME: KEY FILENAME: OUTPUT SENT TO OUTPUT.TXT

Demo

•Demo