NoC-centric security of reconfigurable SoCs (diguet/papers/noc2007_diguet_6may.pdf)
TRANSCRIPT
NoC Symposium 2007, 8/05/2007 NoC-Centric security of RSoCs 1
LESTER lab, CNRS / Université Européenne de Bretagne, Lorient, France
NOC-centric Security of Reconfigurable SoCs
Jean-Philippe Diguet
Outline
- Attacks on embedded systems: Classification; RSoC perspective; NoC perspective; Model of threats; Scenario example
- Our approach: Strategy; Centralized decision & distributed execution; 4-step access control strategy; Secure Network Interface and separate channels; Secure protocol for (re)configuration
- Implementation case studies
- Conclusion
Classification
Embedded system security: sensitive data, personal devices
Attacks on Embedded Systems Our approach Implementation Conclusion
Examples: digital media center / set-top box, wireless tablet / laptop, smart phone
Classification | RSoC perspective | NoC perspective | Model of threats | Scenario
"A cryptosystem should be secure even if everything about the system, except the key, is public knowledge" (A. Kerckhoffs, J. Sc. Militaires, 01/1883)
Classification
Hardware vs software attacks (classified by invasiveness, active / passive and proximity-based / remote)
Hardware attacks (proximity-based):
- Physical, irreversible (invasive): chemical attack of the chip, chip cutting
- Physical, reversible (non-invasive), active: variation of Vdd or T°, glitch attack (power, clock), fault injection
- Side-channel (non-invasive), passive: power consumption analysis, timing analysis, electromagnetic emission analysis, bus eavesdropping
Software attacks (remote attacks): logic bomb, Trojan horse, virus, worm
Classification
Security objectives: protect data / programs / design / system against:
- Extraction of secret information
- Modification of its behavior
- Hijacking
- Denial of service: overloading computing / communication resources
Solutions:
1. Ciphering: readable data
2. Integrity checking: before using data or running programs
3. Access control: to data / program / configuration (bitstream); entity authentication
4. Monitoring and countermeasures: detection of abnormal behaviors
RSoC perspective
Reconfiguration becomes an industry concern:
- Time to market: start design before the standard is fully specified
- Hardware required for performance
- Hardware debug
- HW/SW firmware updates (multimedia, telecom standards)
- New opportunity for attack (fake HW, hijacking) but also for countermeasures
What's specific?
- Hardware is no longer fully trustable: confidentiality + authentication solutions
- Configuration memories: new sensitive data
- Secured / unsecured area map can change
- Access control scheme can evolve
NoC perspective
A NoC means a multiplication of IPs and complex communications:
- Non-centralized management
- NI = existing smart interfaces = opportunity for distributed access control
- Traditional network security (IDS) not applicable in an embedded SoC
New threat: denial of communication service (livelock, deadlock, incorrect paths)
Paths and emitter address (@) = new features for identification; separation between global and local access control
New opportunities for HW-based monitoring security:
1. SW access control, OS supervision: important overhead in an embedded SoC
2. HW to alleviate the security cost: secure core, encryption coprocessor, HW integrity / authentication (a posteriori solution, board perspective)
3. HW access control: little work, bus-based solution (SECA, [Coburn05])
4. A NoC can provide HW-efficient and scalable solutions
Model of threats
- Trusted and untrusted IPs / sensitive and non-sensitive memories
- The NoC is a secured area, but the payload may carry attacks: secured packeting, secured routing
- Security based on access control and monitoring
Software attacks and the corresponding control:
- Hijacking: write control
- Data extraction: read control
- Denial of service: NoC usage monitoring
[Figure: NoC with an Arbiter, the SCM and one NI in front of each IP]
Scenario
[Figure: unsecured NoC with an NI per IP: Network Proc., GPP1, GPP2, M1, M2, M3 (secure data), M4 (shared data), router FIFOs; address labels 0x0FFF / 0x1000 next to the D buffer]
Example of attack strategy with an unsecured NoC:
(1) Execution of a fake application: Trojan T installed, modifies the NI path tables. GPP2 now has access to Mem.2 and GPP1 to Mem.3, which contains secure data.
(2) GPP2 runs an infected application, a worm W that can copy itself into Mem.2.
(3) GPP1 downloads malicious multimedia data (D.jpg) into M1; a buffer overflow launches W, which copies secure data from Mem.3 to the shared Mem.4.
(4) W finally implements a logic bomb for hiding the first attack, while later producing a denial of NoC services with an infinite access loop to system memories.
You're done…
Outline
- Attacks on embedded systems: Classification; RSoC perspective; NoC perspective; Model of threats; Scenario example
- Our approach: Strategy; Centralized decision & distributed execution; 4-step access control strategy; Secure Network Interface and separate channels; Secure protocol for (re)configuration
- Implementation case studies
- Conclusion
Strategy
Strategy | Centralized decision & distributed execution | 4-step access control strategy | Secure Network Interface and separate channels | Secure protocol for (re)configuration
Security objectives:
1. Detection of abnormal communication behaviors:
   - Control global and local R/W accesses (hijacking, extraction)
   - Supervise traffic, detect overload (denial of service)
2. Implement counter-attacks (close infected ports, reboot, …)
Methodology for security implementation based on 4 ideas:
- Separation between a high-priority channel for security-related traffic and a low-priority channel for application traffic
- Hierarchical access control strategy
- Secure Network Interface
- Secure protocol for (re)configuration
Centralized decision & distributed execution
I - "Centralized security decision with distributed security policy execution through secured NIs"
One single IP for security management (SCM):
- First mission stored in the system boot memory
- Configures the NIs, i.e. the access control rules
- Waits for attack detection from the NIs
[Figure: Boot ROM holding the 1st ciphered configuration -> (1) SCM; (2) SCM sends the security configuration to the NIs over the NoC; (3) NIs return alerts to the SCM]
4-Steps access control strategy
II - "Hierarchy of simple tests": I/O rules loaded by the SCM
1. Global inter-IP access checking: R/W communication rules based on the packet header (path)
2. Local access R/W checking: R/W communication rules based on the local address (@) taken from the payload
3. Overflow checking: comparison between the announced (in payload) and real message sizes (credit based)
4. Traffic monitoring: credit counting, comparison with bounds
Rule violation => alerts transmitted to the SCM
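The following Python model is an added illustration (not the µSpider hardware or any code from the authors) of how the four tests above line up against the attack scenario of the earlier slide. The rule tables, IP names, packet fields and the credit bound are constructed for the example; the NI itself is modelled as a pure function over one packet so that each check can be observed in isolation.

```python
"""Software model of the four-step rule hierarchy a Secured Network
Interface (SNI) applies to each packet, replayed against the attack
scenario slide.  Added illustration, not the µSpider hardware: the
packet fields, rule tables, IP names and bound are constructed."""
from dataclasses import dataclass, field

# Step 1 table: (emitter, destination) -> allowed operations, decided from
# the packet header (path) only.  Constructed after the scenario: GPP1 owns
# Mem1, GPP2 owns Mem2, Mem3 holds secure data reserved to the crypto
# processor, Mem4 is shared by both GPPs.
GLOBAL_RULES = {
    ("GPP1", "Mem1"): {"R", "W"},
    ("GPP1", "Mem4"): {"R", "W"},
    ("GPP2", "Mem2"): {"R", "W"},
    ("GPP2", "Mem4"): {"R", "W"},
    ("Crypto", "Mem3"): {"R", "W"},
}

# Step 2 table: (emitter, destination) -> inclusive local address window
# the emitter may touch inside that destination.  Constructed values.
LOCAL_RULES = {
    ("GPP1", "Mem1"): (0x0000, 0x0FFF),
    ("GPP1", "Mem4"): (0x0000, 0x00FF),
    ("GPP2", "Mem2"): (0x0000, 0x0FFF),
    ("GPP2", "Mem4"): (0x0100, 0x01FF),
    ("Crypto", "Mem3"): (0x0000, 0x0FFF),
}


@dataclass(frozen=True)
class Packet:
    src: str        # emitter, identified by its path / address in the header
    dst: str        # destination slave
    op: str         # "R" or "W"
    addr: int       # local address carried in the payload
    announced: int  # message size announced in the payload (words)
    words: int      # words actually received, as counted from credits


@dataclass
class SNI:
    """Rule checker of one slave port; every violation is an alert for the SCM."""
    bound: int                               # credits one emitter may use per window
    used: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def _alert(self, p, kind):
        self.alerts.append((kind, p.src, p.dst))
        return kind

    def check(self, p):
        key = (p.src, p.dst)
        # 1. Global inter-IP check, header only: is this path and direction allowed?
        if p.op not in GLOBAL_RULES.get(key, set()):
            return self._alert(p, "global")
        # 2. Local check on the payload address: inside the granted window?
        lo, hi = LOCAL_RULES.get(key, (1, 0))      # no window configured: deny
        if not lo <= p.addr <= hi:
            return self._alert(p, "local")
        # 3. Overflow check: announced size against the size really observed
        #    through credit consumption.
        if p.words != p.announced:
            return self._alert(p, "overflow")
        # 4. Traffic monitoring: credits consumed per emitter against a bound.
        self.used[p.src] = self.used.get(p.src, 0) + p.words
        if self.used[p.src] > self.bound:
            return self._alert(p, "traffic")
        return "ok"

    def new_window(self):
        """A monitoring window elapsed: restart the credit counters."""
        self.used.clear()


def replay_scenario(bound=64):
    """Replay the slide's four attack steps (constructed packets) through one SNI."""
    sni = SNI(bound)
    results = [
        # legitimate write by GPP1 into its own memory
        sni.check(Packet("GPP1", "Mem1", "W", 0x0010, 4, 4)),
        # (1) Trojan T rewrote the path tables: GPP1 now targets Mem3
        sni.check(Packet("GPP1", "Mem3", "R", 0x0000, 4, 4)),
        # (2) worm W copies itself into Mem2, outside GPP2's window
        sni.check(Packet("GPP2", "Mem2", "W", 0x1000, 8, 8)),
        # (3) D.jpg: 16 words announced, 64 really pushed (buffer overflow)
        sni.check(Packet("GPP1", "Mem1", "W", 0x0100, 16, 64)),
    ]
    # (4) logic bomb: an endless read loop on shared Mem4 exhausts the bound
    for _ in range(5):
        results.append(sni.check(Packet("GPP2", "Mem4", "R", 0x0100, 16, 16)))
    return results, sni.alerts


if __name__ == "__main__":
    results, alerts = replay_scenario()
    print(results)
    print(alerts)
```

The order of the tests matters: the global path check needs only the header, so a forged path is rejected before the payload is even parsed, while the overflow and traffic checks can only conclude once credits have been consumed, which is why they come last and why the credit counters are reset per monitoring window.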
Secured Network Interface and Separate Channels
III - "Enhanced secured NI applying security rules, connected to the SCM through a secure virtual channel"
2 virtual channels:
- No physical links between the IPs and security management
- NI / SCM communications (configuration / alerts): priority best effort (PBE)
- IP / IP: best effort (BE)
NI overhead: VC FIFOs, counters, security table memory
[Figure: secured NI block diagram. IP side: port, data, @, slave / master wrapper. NI controller: BE in / out channel FIFOs with FIFO control, packet / depacket, routing, local and received credits. Security controller: R/W control signals, message size, monitoring tables, SNI and IP configuration, AGU, counters, messages, PBE in / out channel FIFOs, offset, access config., statistics]
Secured protocol for (re)configuration
IV - "Avoid security weakness due to SCM access to both VCs"
- 4-state FSM, specific configuration for the SCM
- Exclusive access to the secured VC (priority BE) and the unsecured VC (BE)
- Access to the secure VC for NI configuration and monitoring in RUN status
- Access to the unsecure VC (BE) during (re)configuration
- Switch to SNI or DPR
[Figure: SNI block diagram with the SCM configuration (same blocks as the secured NI: port, data, @, slave / master wrapper, BE / PBE in / out channel FIFOs, packet / depacket, FIFO control, routing, local / received credits, R/W control signals, message size, monitoring tables, counters, messages, AGU, NI controller, security controller) and the SCM state machine: HW states 1. INIT, 2. SNI, 3. RUN; SW state 4. DPR (dynamic, partial reconfiguration of a NoC IP); transitions labelled "Reconfiguration or Alert" and "Alert"]
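As an added illustration of the exclusive-access rule (not the paper's VHDL), the model below encodes the four SCM states and grants the SCM one virtual channel per state. The state names come from the slide; the channel assigned to each state follows the statements above and the boot description of the set-top box case study, while INIT granting nothing, the event names, and the exact targets of the "Reconfiguration or Alert" exits are assumptions made for the example.

```python
"""Model of the four-state protocol that lets the Security and
Configuration Manager (SCM) use only one virtual channel at a time.
Added illustration, not the paper's VHDL: state names follow the slide;
the per-state channel is read from the slides, INIT granting nothing,
the event names and the exact "Reconfiguration or Alert" targets are
assumptions."""
from enum import Enum


class State(Enum):
    INIT = 1  # HW: boot, first ciphered configuration loaded from ROM
    SNI = 2   # HW: SCM loads the security rules into the secured NIs
    RUN = 3   # application traffic on BE, NI monitoring / alerts on PBE
    DPR = 4   # SW: dynamic partial reconfiguration of a NoC IP


# Channel granted to the SCM in each state: the secured priority-BE channel
# while loading rules and while running, the plain BE channel only during
# (re)configuration, nothing before boot completes (assumed for INIT).
VC_GRANT = {State.INIT: None, State.SNI: "PBE", State.RUN: "PBE", State.DPR: "BE"}

# Assumed transition table.  The slide labels the exits of RUN
# "Reconfiguration or Alert": here a reconfiguration request goes to DPR and
# an alert returns to SNI so the rules are reloaded before running again.
TRANSITIONS = {
    (State.INIT, "booted"): State.SNI,
    (State.SNI, "configured"): State.RUN,
    (State.RUN, "reconfig"): State.DPR,
    (State.RUN, "alert"): State.SNI,
    (State.DPR, "done"): State.SNI,
    (State.DPR, "alert"): State.SNI,
}


class SCM:
    def __init__(self):
        self.state = State.INIT
        self.trace = []        # (state, channel, message, granted)

    def event(self, name):
        """Advance the FSM; an event with no entry in the table is refused."""
        nxt = TRANSITIONS.get((self.state, name))
        if nxt is None:
            raise ValueError(f"event {name!r} not allowed in {self.state.name}")
        self.state = nxt
        return nxt

    def send(self, vc, message):
        """Emit `message` on virtual channel `vc`; only the granted channel passes."""
        granted = VC_GRANT[self.state] == vc
        self.trace.append((self.state.name, vc, message, granted))
        return granted


def lifecycle():
    """Constructed boot -> run -> alert -> reconfiguration sequence."""
    scm = SCM()
    scm.send("PBE", "rules")            # refused: still in INIT
    scm.event("booted")
    scm.send("PBE", "rules")            # rules reach the SNI tables
    scm.send("BE", "rules")             # refused: BE is not granted in SNI
    scm.event("configured")
    scm.send("PBE", "poll-alerts")      # monitoring in RUN
    scm.send("BE", "bitstream")         # refused: no bitstream while running
    scm.event("alert")                  # an NI reported a violation: reload rules
    scm.send("PBE", "rules")
    scm.event("configured")
    scm.event("reconfig")
    scm.send("BE", "bitstream")         # allowed only in DPR
    scm.send("PBE", "rules")            # refused: PBE is not granted in DPR
    scm.event("done")
    return [granted for _, _, _, granted in scm.trace], scm.state


if __name__ == "__main__":
    print(lifecycle())
```

The point of the table-driven design is that the channel grant is a function of the state alone, so a request on the wrong channel is refused without any per-message policy; the refused sends in `lifecycle()` are the cases the slide's "exclusive access" rule is meant to rule out.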
Outline
- Attacks on embedded systems: Classification; RSoC perspective; NoC perspective; Model of threats; Scenario example
- Our approach: Strategy; Centralized decision & distributed execution; 4-step access control strategy; Secure Network Interface and separate channels; Secure protocol for (re)configuration
- Implementation case studies: Synthetic set-top box; SECA case study (DRM); NoC generation
- Conclusion
Synthetic Set-Top Box
Sensitive data: crypto processor program, private data, network accesses
1st step, boot/reset: SCM / IP-SNI communications instantiated over the PBE VC. The SCM starts transferring the security rules into the SNI tables.
[Figure: synthetic set-top box on the NoC, with an SNI per IP and BE / PBE channels. IPs: crypto processor, crypto proc. program memory, private data memory, public data memory, data memory 3 (clear), data memory 2 (ciphered), video processor, GPPs, data memory 1 (clear), SCM, GPPs program memory, network processor, MAC, DMA, graphics engine, GPP program memory, ciphered extra bitstream memory, security ciphered boot ROM, ICAP controller, GPP, external reset ROM, global ciphered bitstream]
Synthetic Set-Top Box
2nd step, as a result of the 1st configuration process, BE communications are instantiated between the SCM and the IP SNIs for security rules configuration. Security rules may be reduced to sensitive accesses.
[Figure: same set-top box architecture; legend: BE, sensitive BE (PBE not indicated)]
Synthetic Set-Top Box
At run time, a reconfiguration for a firmware update => new communication scheme
[Figure: same set-top box architecture with the reconfigured region now holding GPP, TC and DSP; legend: BE, sensitive BE (PBE not indicated)]
DRM case-study from SECA
DRM architecture for portable playback of multimedia content. Different memory access rights for CPU A (ARM) and CPU B (crypto).
Access rules for processor X: X-N: not accessible, X-R: read only, X-RW: read / write, X-W: write only
[Figure: SECA DRM platform on the NoC. Crypto proc. (CPU B) with crypto proc code, device key (ROM memory), crypto proc. data (SDRAM memory 5); CPU A (ARM 920T) with boot code, ISRs, IVect (Flash), static data / user application / library code (SDRAM memory 3), shared data (SDRAM memory 4), frame buffer (SDRAM memory 1), stack / heap (SDRAM memory 2); LCD controller, CCM, GPIO, DMA controller, timer, UART, CODEC interface, memory controller, interrupt controller, ICAP, ciphered extra bitstream memory, security ciphered boot ROM. Each memory and peripheral carries its A-x / B-x access rights (e.g. A-RW / B-N, A-R / B-RW, A-N / B-R); legend: read only, read & write]
NoC Generation
µSpider NoC CAD tool: flexible framework for NoC generation
- Wormhole packet switching
- Topology, minimum routing instruction size
- Routing / arbiter policies
- Number of virtual channels: TDM / BE / BE with priority
New network interfaces: security tables, counters, rule checkers
- No time overhead
- Limited area increase compared to routers
NoC Generation
Test topology for the synthetic set-top box example:
- 2D mesh: 4 x 3, 22 SNIs
- Bit width: 32; buffer depth: 8 words for BE, 4 words for PBE
- 7 master IPs, 13 slave memories
- Same architecture applicable to the SECA example
µSpider VHDL generation; specific output for Xilinx EDK NoC IP generation
Preliminary results:
- Without security: 23818 slices
- With security: 34568 slices
- Overhead: 45%, mainly due to the routers implementing the PBE VC
Conclusion
A complete architecture and methodology is proposed for NoC-centric security applicable to RSoCs.
Security has a cost… (2.2% of main US company turnover in 07). How much for personal security in the future?
Separate channels are necessary.
The secured NoC overhead can be reduced:
- By using a reduced number of routers with 2 virtual channels (low bandwidth requirements)
- Bit width may be reduced
- By improving synthesis (FPGA => overestimation)
Anyway, a systematic methodology is required to address complex access control schemes in future multi-processor RSoCs.
Future work: implementation of the countermeasures strategy. What is the reaction against attack alerts?
Thank You