Implementing Memory Protection Primitives on Reconfigurable Hardware Brett Brotherton Nick Callegari Ted Huffmire


Page 1: Implementing Memory Protection Primitives on Reconfigurable Hardware

Implementing Memory Protection Primitives on Reconfigurable Hardware

Brett Brotherton, Nick Callegari, Ted Huffmire

Page 2

Project Goals

• Evaluate security primitives for reconfigurable hardware

• Build a real system with multiple cores

• Design a security policy for the system

• Efficient memory system performance

• Programmatic interface to system

Page 3

Reconfigurable Protection

[Figure: three panels showing app1, app2 and app3 sharing DRAM, placed along an axis labelled "Physical" and "Software". Panel titles: "Separation Kernels" (the applications over a kernel), "Separate Processors" (DRAM behind gatekeepers) and "Reconfigurable Protection" (a Reference Monitor in front of the DRAM).]

Page 4

Reference Monitor

[Figure: reference monitor block diagram. Input: Address, Module ID, Op; example shown: (0x8E7B018)(rw)(2). A "Parallel Search" block compares the address ("Match?") against ranges 1, 2, ..., N, each stored as a bit pattern with don't-care (X) bits:

0000 1000 1110 0111 1011 0000 0001 10XX
0000 1000 1110 0111 1011 0000 0000 1XXX
0001 0101 1111 0000 0001 1010 1111 XXXX

The search produces a Range ID bit vector; example shown: {0,1,0,...,0}. Module ID, Op and Range ID form the access descriptor passed to the DFA logic in the Enforcement Module, whose output is {Legal, Illegal}. Labels on the DFA diagram: init, 0, 1, {M1,w,R4}, {M3,z,R3}, and the two access sets:

{M1,rw,R1},{M1,r,R3},{M2,rw,R2},{M3,rw,R3}

{M1,rw,R1},{M1,r,R3},{M2,rw,R2},{M2,r,R3},{M3,rw,R3}]
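A software model of the check drawn on the Reference Monitor slide, added here as an example and not taken from the presentation: the address is matched against every range at once to form the bit vector, then the (module, op, range) descriptor is looked up in the smaller of the two access sets shown. The 32-bit address width, the R1..R3 numbering (chosen so the slide's example address sets the second bit, as in {0,1,0,...,0}), the stateless lookup and all identifiers are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

enum { OP_R = 1, OP_W = 2, OP_RW = OP_R | OP_W };
/* Range with don't-care bits ((addr & mask) == value); one allowed access. */
struct range  { uint32_t value, mask; };
struct access { unsigned module, ops, range_id; };

/* The slide's three bit patterns; the R1..R3 numbering is an assumption. */
static const struct range ranges[] = {
    { 0x08E7B008u, 0xFFFFFFF8u },   /* R1: ... 0000 0000 1XXX */
    { 0x08E7B018u, 0xFFFFFFFCu },   /* R2: ... 0000 0001 10XX */
    { 0x15F01AF0u, 0xFFFFFFF0u },   /* R3: ... 1010 1111 XXXX */
};
/* The slide's smaller access set: {M1,rw,R1},{M1,r,R3},{M2,rw,R2},{M3,rw,R3}. */
static const struct access policy[] = {
    { 1, OP_RW, 1 }, { 1, OP_R, 3 }, { 2, OP_RW, 2 }, { 3, OP_RW, 3 },
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* "Parallel search": one bit per range, bit i set when range i+1 matches. */
uint32_t match_ranges(uint32_t addr)
{
    uint32_t vec = 0;
    for (size_t i = 0; i < COUNT(ranges); i++)
        if ((addr & ranges[i].mask) == ranges[i].value)
            vec |= (uint32_t)1 << i;
    return vec;
}

/* Returns 1 (Legal) only if some policy entry covers module, op and range. */
int check_access(unsigned module, unsigned op, uint32_t addr)
{
    uint32_t vec = match_ranges(addr);
    if (op == 0 || (op & ~(unsigned)OP_RW) != 0)
        return 0;                       /* malformed op: deny */
    for (size_t i = 0; i < COUNT(policy); i++) {
        int hit = (int)((vec >> (policy[i].range_id - 1)) & 1u);
        if (hit && policy[i].module == module && (op & ~policy[i].ops) == 0)
            return 1;
    }
    return 0;                           /* no matching entry: Illegal */
}

int main(void)
{
    puts(check_access(2, OP_RW, 0x8E7B018u) ? "Legal" : "Illegal");
    return 0;
}
```

An address outside every range yields an all-zero bit vector and is denied, so the model is default-deny.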

Page 5

Moats

Page 6

System Overview

[Figure: system block diagram. Blocks shown: two processors (both labelled "ublaze 1"), OPB, Ref Monitor/Arbiter, Shared External Memory, AES Core, RS232, Ethernet.]

Page 7

Ethernet

• Have integrated an Ethernet core into the system

• Designed software to communicate over TCP with the processor

• Can send data and an operation and get back encrypted/decrypted data

Page 8

Software For Microblaze

• Have modified the serial code to work with the new file format.

• Can receive and process files over serial and Ethernet

• Have set up a two-processor system and run simultaneous applications

Page 9

Reference Monitor and OPB

• First integrated reference monitor with OPB block RAM controller
  - Functions correctly, low latency and overhead

• Next integrated reference monitor with the OPB
  - Can regulate access to any of the slave peripherals on the bus
  - Adds one cycle to the latency
    - No way to get around this really?

Page 10

Still To Finish

• Design reference monitor with new stateful security policy
  - Integrate this with the system and run tests

• Test Microblaze software with new file sending application

Page 11

User Interface

• Currently using Hyperterminal to connect to AES core via serial connection
  - Tested using 128 bit key & data manually parsed into 32 bit lines and sent via Hyperterminal.

• GOAL
  - Incorporate a User Interface to allow the user to select a data file and key file and receive the corresponding result

s5816160000ce537f5e5a567cc9966d92590336763e6a118a874519e64e9963798a503f1d35

Page 12

User Interface

• Progress
  - Implemented User Interface in C++ to allow more functionality and user friendliness.
    • ENCRYPT OF DECRYPT? [1-ENCRYPT][2-DECRYPT]
    • INPUT FILENAME:
    • KEY FILENAME:
    • OUTPUT SENT TO OUTPUT.TXT
  - Modularized functionality
  - Currently implemented serial socket coding to allow user to connect to Xilinx board.
  - Functions enabled to listen to the board and output the encrypted/decrypted data to a text file

Page 13

User Interface

• Future Work
  - The main goal is the Memory Reference Monitor
    - Key ingredient: Multiple cores accessing Shared Memory
  - User interface’s role
    - Incorporate UI for multiple I/O (Serial & Ethernet)
    - Each I/O can have its own corresponding core.
    - Merge Brett’s Ethernet interface with the Serial Interface, and allow user to specify which platform to connect to the Xilinx board.