Title :
Security in MPSoCs: A NoC Firewall and an Evaluation Framework
Author :
Grammatikakis, Miltos D. ; Papadimitriou, Kyprianos ; Petrakis, Polydoros ; Papagrigoriou, Antonis ; Kornaros, George ; Christoforakis, Ioannis ; Tomoutzoglou, Othon ; Tsamis, George ; Coppola, Marcello
Author_Institution :
Technol. Educ. Inst. of Crete, Heraklion, Greece
Abstract :
In a multiprocessor system-on-chip (MPSoC), a CPU can access physical resources, such as on-chip memory or I/O devices. Along with normal requests, malevolent ones, generated by malicious processes running in one or more CPUs, could occur. A protection mechanism is therefore required to prevent injection of malicious instructions or data across the system. We propose a self-contained Network-on-Chip (NoC) firewall at the network interface (NI) layer which, by checking the physical address against a set of rules, rejects untrusted CPU requests to the on-chip memory, thus protecting all legitimate processes running in a multicore SoC. To sustain high performance, we implement the firewall in hardware, with rule-checking performed at segment-level based on deny rules. Furthermore, to evaluate its impact, we develop a novel framework on top of the gem5 simulation environment, coupling ARM technology and an instance of a commercial point-to-point interconnect from STMicroelectronics (STNoC). Simulation tests include scenarios in which legitimate and malicious processes, running in different CPUs, request access to shared memory. Our results indicate that a firewall implementation at the NI can have a positive effect on network performance by reducing both end-to-end network delay and power consumption. We also show that our coarse-grain firewall can prevent saturation of the on-chip network and performs better than fine-grain alternatives that perform rule checking at page-level. Simulation results are accompanied by field measurements performed on a Zedboard platform running Linux, where the NoC Firewall is implemented as a reconfigurable, memory-mapped device on top of the AMBA AXI4 interconnect fabric.
Keywords :
firewalls; multiprocessing systems; network-on-chip; AMBA AXI4 interconnect fabric; I-O devices; Linux; MPSoC; STMicroelectronics; STNoC; Zedboard platform; coarse-grain firewall; commercial point-to-point interconnect; coupling ARM technology; deny rules; end-to-end network delay; gem5 simulation environment; malicious instructions; malicious processes; multicore SoC; multiprocessor system-on-chip; network interface layer; on-chip memory; on-chip network; physical address; physical resources; power consumption; protection mechanism; reconfigurable memory-mapped device; rule-checking; self-contained NoC firewall; self-contained network-on-chip firewall; untrusted CPU requests; Hardware; Linux; Network interfaces; Nickel; Ports (Computers); Security; System-on-chip; Deny rules; MPSoC; Spidergon STNoC; deny rules; firewall; network-on-chip; segment-level security
Journal_Title :
Computer-Aided Design of Integrated Circuits and Systems, IEEE Transactions on
DOI :
10.1109/TCAD.2015.2448684