Self-configuration of latency-efficient security enhancements for MPSoC communications monitoring

Pascal Cotret, Guy Gogniat, Jean-Philippe Diguet
Laboratoire Lab-STICC, Université de Bretagne-Sud, Lorient, France
name.surname@univ-ubs.fr

Abstract—Nowadays, security is a key constraint in MPSoC development, as much critical and secret information can be stored and manipulated within these systems. One strategic point of a bus-based MPSoC is the communication architecture, as all data goes through it. Most solutions are currently built at the software level; we believe hardware enhancements also play a major role in system protection. Our approach relies on low-complexity distributed security filters connected to all critical IPs of the system. Implementations on a Xilinx xc6vlx240t Virtex-6 FPGA show a latency decrease of 33% compared to existing efforts, while a reconfigurable version of such security services gives a 37% area overhead on a simple dual-processor case study with a 33% latency decrease on a sample image processing application.

I. INTRODUCTION

Embedded systems are facing an increasing number of threats as attackers' motivation is rising every day. High-technology devices contain much sensitive information (passwords and confidential contents) that needs to be protected from software and hardware attacks. Reconfigurable technologies such as FPGAs are good candidates for building such systems, as they embed processors, memories and application-specific IPs in a single chip with moderate development costs. When dealing with logical attacks (e.g. targeting the external memory through code/data corruption), the main existing solutions are based on software countermeasures. However, basing system security on software-only solutions may not be suitable for highly constrained embedded systems.
This paper proposes a solution with reconfigurable hardware security enhancements aiming to protect a bus-based MPSoC from logical attacks while keeping a good area/latency overhead.

This paper is organized as follows. Section II gives an overview of the threat model taken into account in this work. Section III presents the overall structure of the security enhancements, while Section IV shows some results of FPGA implementations. Section V highlights the main perspectives.

II. THREAT CONTEXT

Considering an FPGA implementation of an MPSoC, it is assumed that attackers can only tamper with the system using logical attacks (side-channel and other physical threats are not considered). As the target FPGA is considered trusted, the only way to access the system is through the external memory and the external bus. For many applications, building a flexible solution where only the most critical code/data sections are protected with cryptographic services (instead of ciphering the whole external memory) is a good compromise to keep an acceptable area/latency overhead. In this case, attackers can still jeopardize the system by tampering with plaintext sections of the external memory. That is why the security enhancements have to monitor and detect any abnormal behavior and propose a solution to reconfigure the system with new parameters to counter the current attack.

The key contributions of this work include:
• Demonstration of reconfigurable firewall enhancements.
• Flexible cryptographic services.
• Case study implementations.

III. HARDWARE FIREWALLS

This work is based on security enhancements embedded in the FPGA chip. It provides a low-latency solution based on hardware firewalls integrated in each IP bus interface, providing protection against read/write access and format disruptions (this is done by Local Firewalls).
The firewall connected to the external memory controller (Cryptographic Firewall) adds flexible cryptographic services to protect the memory with confidentiality and/or authentication (Figure 1).

A. Static features

When data comes from the AXI system bus, it is stored in the Firewall Interface while other information (such as address, format and read/write modes) is sent to the Security Builder. The Correspondence Table indicates the location of the security policy associated with the bus address: security policies contain cryptographic information (such as keys), read/write access and format rules for a given address space. Then, these parameters are sent to the Checking Module, which compares the system bus parameters with the values extracted from the security policy; at this step, if cryptographic operations are needed, the Crypto Module (based on an AES-GCM algorithm) manages the encryption/decryption and authentication tasks with a dedicated BRAM for cryptographic information storage. Once the Checking Module completes its operations, a check out signal is sent to the Firewall Interface to confirm or not the data validity (security policies are verified or not). Finally, the Firewall Interface provides the final data and manages synchronization tasks in order to fit the output bus interface.

Using this method, the system is protected against logical attacks aiming to tamper with the external memory without encrypting the whole memory, which would have a strong impact in terms of latency.
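
The check path described in Section III-A can be modelled in software as follows. This is an added behavioural sketch in C, not the authors' hardware design: the structure and field names, the address ranges, the bit encodings and the default-deny handling of unmapped addresses are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* All names, address ranges and encodings below are assumptions for illustration. */
enum { ACC_R = 1, ACC_W = 2 };                 /* read/write access bits */
enum { FMT_8 = 1, FMT_16 = 2, FMT_32 = 4 };    /* transfer formats (widths) */
enum crypto_mode { CRYPTO_NONE, CRYPTO_CONF, CRYPTO_AUTH, CRYPTO_CONF_AUTH };

struct policy   { uint8_t access, formats; enum crypto_mode crypto; };
struct ct_entry { uint32_t base, limit; size_t policy_idx; };
struct bus_req  { uint32_t addr; uint8_t access, format; };

/* Security policies: access rule, format rule, cryptographic service. */
static const struct policy policies[] = {
    { ACC_R,         FMT_32,                  CRYPTO_CONF_AUTH }, /* protected code */
    { ACC_R | ACC_W, FMT_8 | FMT_16 | FMT_32, CRYPTO_NONE      }, /* plaintext data */
};
/* Correspondence Table: address space -> location of its security policy. */
static const struct ct_entry corr_table[] = {
    { 0x80000000u, 0x8000FFFFu, 0 },
    { 0x80010000u, 0x8001FFFFu, 1 },
};

/* Security Builder: fetch the policy for a bus address (NULL if unmapped). */
const struct policy *security_builder(uint32_t addr) {
    for (size_t i = 0; i < sizeof corr_table / sizeof corr_table[0]; i++)
        if (addr >= corr_table[i].base && addr <= corr_table[i].limit)
            return &policies[corr_table[i].policy_idx];
    return NULL;
}

/* Checking Module: returns the check result; *crypto is the service the
 * Crypto Module must apply when the request is accepted. */
bool checking_module(const struct bus_req *rq, enum crypto_mode *crypto) {
    const struct policy *p = security_builder(rq->addr);
    *crypto = CRYPTO_NONE;
    if (p == NULL) return false;                       /* assumed default deny */
    if (rq->access == 0 || (rq->access & ~p->access))  /* read/write rule */
        return false;
    if (rq->format == 0 || (rq->format & ~p->formats)) /* format rule */
        return false;
    *crypto = p->crypto;
    return true;
}

int main(void) {
    enum crypto_mode m;
    struct bus_req wr_code = { 0x80000100u, ACC_W, FMT_32 }; /* write to read-only code */
    return checking_module(&wr_code, &m) ? 1 : 0;            /* exits 0: request blocked */
}
```

Only the first constructed region requests a cryptographic service, which mirrors the paper's point that the Crypto Module is engaged for the critical sections rather than for the whole external memory.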