Secure Cross-Domain Data Validation with Field Programmable Gate Arrays

Authors

  • Abigail Cliche WebSensing, LLC.
  • James Brock Web Sensing, LLC.
  • Ryan Longwell Web Sensing, LLC.
  • Jason Dahlstrom
  • Stephen Taylor Thayer School of Engineering at Dartmouth College

DOI:

https://doi.org/10.34190/iccws.21.1.4456

Abstract

Cross-domain systems have traditionally employed virtualization to isolate security domains, providing communication through standard TCP/IP networking stacks coupled with access permissions and credentials to enforce isolation. This deep and complex chain of trust typically depends upon a hardware base, such as a Trusted Platform Module (TPM) chip combined with a secure bootstrapping process. This paper describes a novel and high-performance alternative, Secure Transfer Link (STL), leveraging the unique architectural characteristics of the AMD UltraScale Multi-Processor System-on-Chip (MPSoC) device family: CPU affinity, an on-chip field programmable gate array (FPGA), and bus-mastering. These architectural characteristics make it possible to construct a secure data transfer path within the FPGA that can control which virtual machines may access and transfer data, enforcing isolation. The abstraction can be extended to include deep packet inspection and validation, such as parsing that checks adherence to the JavaScript Object Notation (JSON) protocol. Validation is achieved through the combination of formal grammars with a pushdown automaton (PDA) parser and automatic transformation into an FPGA hardware configuration, resulting in a formally verifiable and hardened intellectual property (IP) called the Data Validator. The Secure Transfer Link is constructed by combining this Data Validator with another IP, the Memory Guard, which enforces access controls. Together, these hardware IPs comprise a system which prevents malicious software resident on a processor from undermining access policies or transferring malicious data. The presented IPs are performant. Their throughput improvement over traditional UDP/IP networking stacks is dramatic: speedups of up to 7x for tactical-length messages and up to 4x for larger messages.
The IPs are created using High-Level Synthesis (HLS), making it possible to formally specify a broad range of alternative policy and enforcement options and then automatically include them in the Secure Transfer Link, constituting a novel isolation enforcement solution that is higher throughput than state-of-the-art alternatives and enables selective domain access contingent upon formal verification of data.
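The abstract describes the Data Validator as a pushdown-automaton (PDA) parser derived from a formal grammar and synthesized into FPGA logic. The following is an added software model of that idea, written for this page; it is not the authors' Data Validator IP, not HLS code, and makes no claim about how the paper's hardware is organized. It tokenizes input against the JSON lexical grammar and then drives a table-free PDA whose stack holds only the open-container type, so that every transition is explicit and auditable. The `depth_limit` parameter is an assumption standing in for the bounded stack a hardware implementation would have; messages that nest deeper than the configured limit are rejected rather than partially accepted. All sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Lexical grammar of JSON (RFC 8259) as regular expressions. Raw control
# characters inside strings are rejected by the character class.
_NUMBER = re.compile(r'-?(?:0|[1-9][0-9]*)(?:\.[0-9]+)?(?:[eE][+-]?[0-9]+)?')
_STRING = re.compile(r'"(?:[^"\\\x00-\x1f]|\\(?:["\\/bfnrt]|u[0-9a-fA-F]{4}))*"')
_LITERALS = ("true", "false", "null")
_PUNCT = set("{}[]:,")
_WS = set(" \t\r\n")


def tokenize(text: str) -> List[Tuple[str, str]]:
    """Return (kind, lexeme) pairs; raise ValueError on anything outside the grammar."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c in _WS:
            i += 1
        elif c in _PUNCT:
            tokens.append((c, c))
            i += 1
        elif c == '"':
            m = _STRING.match(text, i)
            if not m:
                raise ValueError(f"malformed string at offset {i}")
            tokens.append(("STRING", m.group()))
            i = m.end()
        else:
            m = _NUMBER.match(text, i)
            if m:
                tokens.append(("SCALAR", m.group()))
                i = m.end()
                continue
            for lit in _LITERALS:
                if text.startswith(lit, i):
                    tokens.append(("SCALAR", lit))
                    i += len(lit)
                    break
            else:
                raise ValueError(f"illegal character {c!r} at offset {i}")
    return tokens


@dataclass
class Verdict:
    accepted: bool
    reason: str
    max_depth: int  # deepest stack observed, useful when sizing a bounded stack


def validate_json(text: str, depth_limit: int = 8) -> Verdict:
    """PDA recogniser: state = what the grammar expects next, stack = open containers."""
    try:
        tokens = tokenize(text)
    except ValueError as exc:
        return Verdict(False, f"lexer: {exc}", 0)

    stack: List[str] = []          # 'O' for object, 'A' for array
    state, deepest = "VALUE", 0

    def closed() -> str:           # state after a container is popped
        return "AFTER_VALUE" if stack else "END"

    for kind, lex in tokens:
        if state == "END":
            return Verdict(False, f"trailing token {lex!r} after complete value", deepest)
        if state in ("VALUE", "VALUE_OR_CLOSE"):
            if kind == "{":
                stack.append("O"); state = "KEY_OR_CLOSE"
            elif kind == "[":
                stack.append("A"); state = "VALUE_OR_CLOSE"
            elif kind in ("STRING", "SCALAR"):
                state = "AFTER_VALUE" if stack else "END"
            elif kind == "]" and state == "VALUE_OR_CLOSE":   # empty array
                stack.pop(); state = closed()
            else:
                return Verdict(False, f"expected value, got {lex!r}", deepest)
            deepest = max(deepest, len(stack))
            if len(stack) > depth_limit:                       # bounded-stack policy
                return Verdict(False, f"nesting {len(stack)} exceeds limit {depth_limit}", deepest)
        elif state in ("KEY", "KEY_OR_CLOSE"):
            if kind == "STRING":
                state = "COLON"
            elif kind == "}" and state == "KEY_OR_CLOSE":      # empty object
                stack.pop(); state = closed()
            else:
                return Verdict(False, f"expected member name, got {lex!r}", deepest)
        elif state == "COLON":
            if kind != ":":
                return Verdict(False, f"expected ':', got {lex!r}", deepest)
            state = "VALUE"
        elif state == "AFTER_VALUE":
            top = stack[-1]
            if kind == ",":
                state = "KEY" if top == "O" else "VALUE"
            elif (kind == "}" and top == "O") or (kind == "]" and top == "A"):
                stack.pop(); state = closed()
            else:
                return Verdict(False, f"unexpected {lex!r} inside {'object' if top == 'O' else 'array'}", deepest)
    if state != "END":
        return Verdict(False, "unexpected end of input", deepest)
    return Verdict(True, "accepted", deepest)


if __name__ == "__main__":
    # Constructed sample messages, not data from the paper.
    for msg in ['{"msg": "hello", "n": [1, 2.5e3, true, null]}', '{"a": [1, 2}',
                '[1, 2,]', '{"a": 1} {"b": 2}', "[" * 9 + "]" * 9]:
        print(f"{msg!r:45} -> {validate_json(msg)}")
```

A message that is a syntactically valid value but whose transfer policy is unknown is still only half-checked; the PDA answers the grammar question, and the access-control decision belongs to a separate component, as the abstract's Memory Guard is described.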

Published

19-02-2026