Policy-Driven Memory Protection for Reconfigurable Hardware [presentation] by Huffmire, Ted et al.
Calhoun: The NPS Institutional Archive
Faculty and Researcher Publications
2006
Ted Huffmire, Shreyas Prasad, Tim Sherwood, and Ryan Kastner, Policy-Driven Memory
Protection for Reconfigurable Hardware. Proceedings of the 11th European Symposium on
Research in Computer Security (ESORICS), Hamburg, Germany, September 2006, Pages 461-478.
http://hdl.handle.net/10945/36694
Policy-Driven Memory Protection 
for Reconfigurable Hardware 
Ted Huffmire, Shreyas Prasad, 
Tim Sherwood, and Ryan Kastner 
www.cs.ucsb.edu/~arch/RCsec 
FPGA Systems are ubiquitous 
Why are FPGAs desirable? 
• Fabrication, Verification Cost 
 
• IP is vulnerable during fabrication 
 
• Parallelism → Throughput 
 
• Updatable  
[Figure: spectrum from General-Purpose (CPU) to Application-Specific (ASIC), with FPGA in between]
However… 
• Security is an afterthought at best 
 
• Fundamental security primitives do not yet 
exist 
 
• Goal: Start building those primitives 
 
• Opportunity to leverage the benefits of 
hardware 
§  Low-overhead stateful reference monitors 
 
• Separation: a very important primitive 
Separation 
• Multiple Cores on one chip 
 
• Cores may have different trust levels and 
clearance levels 

[Figure: two panels, "Physical" and "Software": app1, app2 and app3 separated on the chip versus app1, app2 and app3 separated by a kernel]
Why reference monitors? 
• Provides a well-understood foundation for 
controlled sharing [Anderson 72] 
 
• Standard memory protection does not make 
sense for FPGA systems 
 
• Separation kernels [Irvine et al. 04] are a software-
based scheme that won’t work for embedded 
applications that lack code 
 
• Modern processors have more state in the 
hardware, making kernel development harder 
 
• Need to protect the integrity of the reference 
monitor 
A Memory Protection Language 
• Exploit the fine-grained reprogrammable nature 
of FPGAs 
 
• All modules on chip must obey a memory 
access policy 
§  Ensured via the architecture 
§  Formal, mathematically precise 
 
• Memory protection policies are expressed in the 
language  
§  Formal Top Level Specification (FTLS) 
 
• Compiler translates the policy FTLS to a circuit 
Formal Memory Protection Specifications 
• A precise language of legal 
accesses 
§  Subjects (Modules) 
§  Access Rights 
§  Objects (Memory Ranges) 
 
• Fixed (Stateless) Models 
§  e.g., B&L, Biba 
 
• Transitional (Stateful) Models 

• A fixed (stateless) model 
 
• Each core is restricted to a fixed range (or set of 
ranges) of memory 
 
• Each range can only be assigned to one core 

1. Policy FTLS: 
§  Access → {Module1,rw,Range1} | {Module2,rw,Range2}; 
§  Policy → (Access)*; 
2. Regular Expression: 
§  ({Module1,rw,Range1} | {Module2,rw,Range2})* 
 
3. Minimized DFA: 
[Figure: minimized DFA for the regular expression above] 
 
4. Verilog HDL: 
   case({module_id,op,r1,r2}) 
     9'b011110: //Module1,rw,Range1 
       state=s0; 
     9'b101101: //Module2,rw,Range2 
       state=s0; 
     default: 
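The four-step flow on this slide, carried through in software as an added example (this is not the authors' compiler or the project's own code): parse the FTLS Access production, produce the regular expression, build the one-state DFA, emit the Verilog case statement, and drive the resulting monitor with legal and illegal access sequences. The bit encoding of {module_id,op,r1,r2} (2-bit module id, 2-bit op with rw = 11, one-hot r1/r2) is an assumption chosen so the labels reproduce the slide's 9'b011110 and 9'b101101; the slide does not state it. The reject state s1 and the body of the default branch are also assumptions, since the slide's listing ends at `default:`.

```python
"""Added example (not the authors' compiler): the slide's stateless isolation
policy carried through the design flow, FTLS -> regular expression -> one-state
DFA -> Verilog case statement, plus a simulation of the resulting reference
monitor. The bit encoding of {module_id,op,r1,r2} is an assumption chosen to
reproduce the slide's two case labels; the slide itself does not state it."""
from __future__ import annotations
import re
from dataclasses import dataclass

MODULE_BITS = {"Module1": "01", "Module2": "10"}   # assumed 2-bit module ids
OP_BITS = {"rw": "11", "r": "10", "w": "01"}        # assumed 2-bit op code
RANGES = ["Range1", "Range2"]                      # assumed one-hot bits r1, r2
WIDTH = 9                                          # declared width used on the slide
REJECT = "s1"                                      # assumed sink state for illegal accesses

# Constructed policy text in the slide's FTLS notation.
POLICY_FTLS = """
Access -> {Module1,rw,Range1} | {Module2,rw,Range2};
Policy -> (Access)*;
"""


@dataclass(frozen=True)
class Access:
    module: str
    op: str
    rng: str

    def label(self) -> str:
        """Concatenated {module_id,op,r1,r2} pattern, e.g. 011110 for
        Module1,rw,Range1. Verilog zero-extends the short literal to WIDTH."""
        one_hot = "".join("1" if r == self.rng else "0" for r in RANGES)
        return MODULE_BITS[self.module] + OP_BITS[self.op] + one_hot


def parse_ftls(text: str) -> list[Access]:
    """Extract the legal access triples from the Access production."""
    m = re.search(r"Access\s*(?:->|→)\s*(.*?);", text, re.S)
    if m is None:
        raise ValueError("policy has no Access production")
    triples = re.findall(r"\{\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\}", m.group(1))
    return [Access(*t) for t in triples]


def check_isolation(accesses: list[Access]) -> bool:
    """Isolation requires that each range is assigned to exactly one core."""
    owners: dict[str, set[str]] = {}
    for a in accesses:
        owners.setdefault(a.rng, set()).add(a.module)
    return all(len(ms) == 1 for ms in owners.values())


def to_regex(accesses: list[Access]) -> str:
    alts = " | ".join("{%s,%s,%s}" % (a.module, a.op, a.rng) for a in accesses)
    return "(" + alts + ")*"


def build_dfa(accesses: list[Access]) -> dict:
    """(Access)* minimizes to one accepting state s0 with a self-loop per legal
    access; any other input falls into the absorbing reject state."""
    return {("s0", a.label()): "s0" for a in accesses}


def step(dfa: dict, state: str, label: str) -> str:
    return dfa.get((state, label), REJECT)


def run(dfa: dict, sequence: list[Access]) -> list[str]:
    """State after each access; a sequence containing an illegal access is
    rejected and stays rejected, as for any DFA over the policy language."""
    state, trace = "s0", []
    for a in sequence:
        state = step(dfa, state, a.label())
        trace.append(state)
    return trace


def to_verilog(accesses: list[Access]) -> str:
    """Emit the case statement shown on the slide; the default-branch body is
    our addition (the slide's listing stops at 'default:')."""
    lines = ["case({module_id,op,r1,r2})"]
    for a in accesses:
        lines.append(f"  {WIDTH}'b{a.label()}: // {a.module},{a.op},{a.rng}")
        lines.append("    state = s0;")
    lines += ["  default:", f"    state = {REJECT}; // illegal access", "endcase"]
    return "\n".join(lines)


if __name__ == "__main__":
    policy = parse_ftls(POLICY_FTLS)
    assert check_isolation(policy)
    print(to_regex(policy))
    print(to_verilog(policy))
```

Note that the slide writes 6-bit patterns under a 9-bit width; a sized Verilog literal with fewer digits than its width is zero-extended, so the emitted labels match the slide as written. `check_isolation` enforces the "each range can only be assigned to one core" rule before the policy is compiled, which is the kind of check that belongs in the compiler rather than in the synthesized monitor.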
What we have done 
• Automated design flow from FTLS to 
synthesized circuit 
 
• Language has a well-defined grammar 
 
• Powerful enough to express a variety of 
policies that we have compiled and tested 
§  Chinese Wall 
§  Redaction 
§  Access Control List 
§  Secure Hand-off 
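To show what a transitional (stateful) policy adds over the fixed isolation model, here is an added example of a hand-off encoded as a multi-state reference-monitor DFA. It is not the paper's Secure Hand-off policy, whose definition is not on this page; the rule, the `Flag` range, the access labels and the `ACC_*` localparam names are all assumptions made for illustration.

```python
"""Added example, not from the paper: a transitional (stateful) policy as a
multi-state reference-monitor DFA. Assumed rule: Module1 owns Range1 until it
writes a hand-off flag, after which Range1 belongs to Module2 and Module1
loses access. The paper's own Secure Hand-off policy is not defined here."""

REJECT = "sX"   # absorbing reject state, reached by any access the policy omits

# Transition table {(state, access): next_state}; accesses are written as the
# slide's {Module,op,Range} triples. Constructed, not the authors' FTLS output.
HANDOFF_DFA = {
    ("s0", "Module1,rw,Range1"): "s0",   # Module1 owns Range1
    ("s0", "Module1,w,Flag"):    "s1",   # hand-off signal (assumed) transfers ownership
    ("s1", "Module2,rw,Range1"): "s1",   # Module2 owns Range1 from now on
}


def step(dfa, state, access):
    return dfa.get((state, access), REJECT)


def run(dfa, sequence):
    """State after each access starting from s0; sX is absorbing."""
    state, trace = "s0", []
    for access in sequence:
        state = step(dfa, state, access)
        trace.append(state)
    return trace


def single_owner_per_state(dfa, rng):
    """Static check on the table: in every state at most one module has any
    transition touching `rng`, so the two cores never share the range."""
    owners = {}
    for (state, access), _next in dfa.items():
        module, _op, target = access.split(",")
        if target == rng:
            owners.setdefault(state, set()).add(module)
    return all(len(mods) <= 1 for mods in owners.values())


def to_transition_verilog(dfa):
    """Emit a nested case over (state, access) in the style of the slide; the
    access labels stay symbolic (ACC_* localparams assumed to be defined)."""
    states = sorted({s for s, _ in dfa} | set(dfa.values()))
    lines = ["case (state)"]
    for s in states:
        lines.append(f"  {s}: case (access)")
        for (st, access), nxt in dfa.items():
            if st == s:
                lines.append(f"    ACC_{access.replace(',', '_')}: state = {nxt};")
        lines.append(f"    default: state = {REJECT};")
        lines.append("  endcase")
    lines.append("endcase")
    return "\n".join(lines)


if __name__ == "__main__":
    print(run(HANDOFF_DFA, ["Module1,rw,Range1", "Module1,w,Flag", "Module2,rw,Range1"]))
    print(to_transition_verilog(HANDOFF_DFA))
```

The same access, `Module1,rw,Range1`, is legal in s0 and illegal in s1, which is exactly what a stateless table cannot express. `single_owner_per_state` is the sort of property one would want to verify on the model before it is translated further down the FTLS-to-circuit chain.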
Methodology 
• Constructed several isolation policies 
§  Varied the number of ranges 
 
• Used Quartus to synthesize 
 
• Measured: 
§  Area (Logic Cells) 
§  Setup Time 

• A higher level language 
§  Abstract formal security policy model 
 
• Verify correctness of automatic translation 
§  Model - FTLS - Verilog - circuit 
§  Verify the model and FTLS using formal methods 
 
• Information flow policies 
• Dynamic policies 
• Evaluate on a realistic embedded application 
Acknowledgements 
• NPS CISR
• NSF Grant CNS-0524771, Adaptive
Security and Separation in
Reconfigurable Hardware
• Andrei Paun and Jason Smith of
Louisiana Tech University
Questions? 
• huffmire@cs.ucsb.edu 
 
• www.cs.ucsb.edu/~arch/RCsec 
