Protection of heterogeneous architectures on FPGAs: An approach based on hardware firewalls

Cotret, Pascal; Gogniat, Guy; Florez, Martha Johanna Sepulveda

doi:10.1016/j.micpro.2016.01.013

Cited by 15 publications

(5 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Firewall-based and crypto-based techniques integrated at the network interface are the most commonly used approaches against active NoC attacks over the past decade [6] [2]. Firewalls implement authentication, access control and integrity services by means of traffic matching with a security table.…”

Section: Related Workmentioning

confidence: 99%

Side-channel attack resilience through route randomisation in secure real-time Networks-on-Chip

Indrusiak

Harbin

Sepulveda

2017

2017 12th International Symposium on Reconfigurable Communication-Centric Systems-on-Chip (ReCoSoC)

View full text Add to dashboard Cite

Abstract-Security can be seen as an optimisation objective in NoC resource management, and as such poses trade-offs against other objectives such as real-time schedulability. In this paper, we show how to increase NoC resilience against a concrete type of security attack, named side-channel attack, which exploit the correlation between specific non-functional properties (such as packet latencies and routes, in the case of NoCs) to infer the functional behaviour of secure applications. For instance, the transmission of a packet over a given link of the NoC may hint on a cache miss, which can be used by an attacker to guess specific parts of a secret cryptographic key, effectively weakening it.We therefore propose packet route randomisation as a mechanism to increase NoC resilience against side-channel attacks, focusing specifically on the potential impact of such an approach upon hard real-time systems, where schedulability is a vital design requirement. Using an evolutionary optimisation approach, we show how to effectively apply route randomisation in such a way that it can increase NoC security while controlling its impact on hard real-time performance guarantees. Extensive experimental evidence based on analytical and simulation models supports our findings.

show abstract

Section: Related Workmentioning

confidence: 99%

Side-channel attack resilience through route randomisation in secure real-time Networks-on-Chip

Indrusiak

Harbin

Sepulveda

2017

2017 12th International Symposium on Reconfigurable Communication-Centric Systems-on-Chip (ReCoSoC)

View full text Add to dashboard Cite

show abstract

“…Cotret et al proposed a hardware firewall architecture that enforces programmable security policies to protect external and internal traffic in FPGA based multiprocessor architectures, serving as a security bridge between the system resources and the shared system communication bus to monitor control activities. Their proposed work reduces the performance penalty compared to a fully encrypted approach, however it is limited to the detection of attacks and does not provide countermeasures, other than freezing the system communication bus [22]. Jacob et al presented a detailed study of FPGA MPSoC security mechanisms with the focus on Hardware Trojans [13].…”

Section: Related-workmentioning

confidence: 99%

“…Jacob et al presented a detailed study of FPGA MPSoC security mechanisms with the focus on Hardware Trojans [13]. They proposed the concept of a light-weight AXI-wrapper as one of the prevention methods, similar to one proposed by [22], to encapsulate system assets. Following this work, Benhani et al presented a security evaluation of the ARM TrustZone technology available on FPGA MPSoC.…”

Section: Related-workmentioning

confidence: 99%

Pro-Active Policing and Policy Enforcement Architecture for Securing MPSoCs

Siddiqui

Hagan

Sezer

2018

2018 31st IEEE International System-on-Chip Conference (SOCC)

View full text Add to dashboard Cite

Embedded multiprocessor system-on-chip (MPSoC) architectures allow implementation of mixed critical applications and provide security mechanisms to segregate and protect system resources such as ARM TrustZone. These architectures enforce strict security measures right from the powering on of the system, to prevent misuse and compromise. However, such security measures have been found vulnerable where security design practices are not considered or are poorly implemented, particularly at software and hardware stack boundaries. Also, the embedded solutions developed using these MPSoC platforms are vulnerable to single points of failure and do not contain active response or mitigations for circumstances where a compromise occurs. This paper proposes pro-active hardware based policing and policy enforcement approach, along with system architecture and its hardware components, to this research problem. The architecture is physically isolated from the rich computing resources which actively monitors communications of system resources on the ARM AMBA-AXI4 bus. It detects anomalous system behaviours such as policy violation or compromised bus communication responses, and responds with predefined active countermeasures, such as deletion of secret data or disabling of the device to tackle security vulnerabilities and attacks at runtime. This proposed solution complements existing embedded hardware and software security technologies and provides an additional layer of hardware security when a vulnerability is found and exploited. This contribution lends itself to the principle of least privilege, implemented in software-based access control solutions like SELinux to mitigate when other protections have failed. This paper presents a proof-of-concept work supported by preliminary synthesis results on Xilinx Zynq-7000 and Ultra-Scale+ MPSoC chips.

show abstract

“…Evaluar las capacidades defensivas de los firewalls y su impacto en las comunicaciones de las redes que monitorean constituyen aspectos esenciales para determinar su efectividad como herramientas de seguridad, y para facilitar su selección en correspondencia con las necesidades de las organizaciones (Lee et al, 2015;Konikiewicz & Markowski, 2017;Mora & Villero 2020). Cotret, Gogniat & Sepúlveda (2016) concluyeron que los firewalls basados en hardware poseen elevadas funcionalidades de seguridad y mantienen índices de desempeño de red eficientes. Sin embargo, los costos de estos dispositivos dificultan su adquisición por parte de las PYMES de países en vías de desarrollo.…”

Section: Introductionunclassified

Evaluación del rendimiento de cortafuegos basados en software libre

Llanes

2022

NOVASINERGIA

View full text Add to dashboard Cite

El objetivo de la presente investigación fue evaluar cuantitativamente los rendimientos y las funcionalidades de seguridad de los principales cortafuegos basados en software libre existentes en la actualidad. Para medir los rendimientos de red de los cortafuegos se emplearon métricas como el ancho de banda, el jitter y la tasa de pérdida de paquetes mediante la herramienta iPerf3. Se utilizó la herramienta htop para comprobar el consumo de CPU y memoria RAM de las soluciones. Se identificó que Endian, Zentyal, pfSense, OPNsense, VyOS, IPFire y ClearOS brindan un conjunto de funcionalidades que contribuyen a elevar la seguridad en las redes de datos. Los resultados obtenidos evidenciaron que ClearOS posee de forma general, los mejores índices de consumo de CPU y memoria RAM, lo cual confirma su elevada eficiencia para asegurar las redes de datos con ahorro y uso óptimo de los recursos de hardware. Los hallazgos identificados facilitan la toma de decisiones para el despliegue de herramientas de ciberseguridad en redes digitales de organizaciones con escasos recursos computacionales.

show abstract

Protection of heterogeneous architectures on FPGAs: An approach based on hardware firewalls

Cited by 15 publications

References 26 publications

Side-channel attack resilience through route randomisation in secure real-time Networks-on-Chip

Side-channel attack resilience through route randomisation in secure real-time Networks-on-Chip

Pro-Active Policing and Policy Enforcement Architecture for Securing MPSoCs

Evaluación del rendimiento de cortafuegos basados en software libre

Contact Info

Product

Resources

About