Activation of secure zones in many-core systems with dynamic rerouting

Abstract

Many-core architectures provide massive parallelism and high performance to the users. They also introduce key challenges regarding security. The main threat rises from the resource sharing. Adoption of firewalls, encryption mechanisms and resource isolation (processor or memory) are common strategies to treat the security threats. The two first strategies present high hardware cost, while the resource isolation does not protect the communication infrastructure. This paper proposes to protect communication and computation simultaneously, creating continuous Secure Zones (SZ) at runtime. The SZ is an isolated area in the system, preventing traffic flows to cross the boundaries of the zone, reserving the Processing Elements (PEs) inside the SZ to execute a secure application (Appsec). The Appsec traffic is enclosed inside the SZ, and any other traffic crossing the SZ is rerouted to the outside of the SZ. Experiments evaluate the cost to close and open an SZ, the impact in the packet latency with and without the SZ in the presence of malicious flows, and the performance penalty in non-secure applications due to the rerouting process when an SZ is closed. Results show that: (1) the latency to start an Appsec is small, 1.2 μs for an SZ with 25 PEs; (2)the isolation process prevents Deny-of-Service (DoS), timing, and spoofing attacks and guarantees confidentiality and integrity;(3)the overhead in the non-secure applications' execution time is also small, being the worst-case 2.56% longer.