Imagine sharing a backyard with your next-door neighbor. The classic spats over property lines, overgrown trees and noisy pets would seem petty compared to newfound security concerns: Is the person in the yard the neighbor’s friend or an unwanted trespasser? Who moved the tools in the shed? Exactly how friendly is the dog next door?
University of Nebraska–Lincoln hardware researcher Sheng Wei said the perils of a shared backyard help describe the potential security challenges of a high-speed computing platform: the CPU-FPGA hybrid, a type of computing architecture used by companies such as Amazon and Microsoft to boost the speed of cloud computing. Wei earned a $496,940 Faculty Early Career Development Program award from the National Science Foundation to advance this work.
In these systems, the so-called “brain” of the computer, its CPU, is placed alongside a field-programmable gate array, a customizable hardware chip whose circuits can be configured to perform a wide range of digital functions. Positioning the CPU and FPGA as “neighbors” within the computer accelerates the machine’s performance by enabling the CPU to outsource computational tasks to the FPGA, creating two simultaneous paths of work.
“It reached a point where the CPU’s potential was almost maximized — it’s difficult to improve it anymore to make computers faster,” said Wei, assistant professor of computer science and engineering. “The hardware accelerator — the FPGA — is a ‘new neighbor’ that accelerates the work.”
But the hybrid also creates new security concerns. Communication between the FPGA and CPU is a “shared yard” of vulnerabilities that attackers can exploit. Wei’s five-year CAREER project tackles these problems, ensuring that the thirst for speed doesn’t compromise the security of cloud computing, which has applications in medical image processing, big data analytics, scientific computing, and video processing and delivery, to name a few. CPU-FPGA hybrids also could support emerging technologies such as virtual reality and self-driving cars, where the security stakes are perhaps even higher.
“Researchers have been mostly focused on the performance of the hybrids. They ask, ‘How much faster are they?’” Wei said. “My focus is on security. Previously, only hardware manufacturers could change the hardware. Now, anyone can do it by programming the FPGAs in the cloud.”
To stymie potential attacks, Wei is developing a hardware “fence,” which will physically separate CPU-FPGA components into a secure domain containing sensitive data and operations, and a non-secure domain comprising non-private information. The fence thwarts malicious communications between the two domains with the help of a secure agent.
The agent, a hardware component embedded in the secure domain, monitors input and output by confirming the legitimacy of service requests, preventing leaks of private data or falsified information, and checking computational accuracy, among other tasks.
“It’s not enough to just build a fence; you also need some form of security control,” said Wei, who is developing the system with Nebraska graduate student Mengmei Ye. “It’s like having a security guard checking ID when you come in and verifying that you can exit.”
Together, the fence and secure agent create what Wei calls a hardware isolation-based architecture, or HISA. While it’s useful for security purposes, it adds a layer of complexity for developers, who must manually categorize secure versus non-secure information. To ease the burden, Wei and Ye, in collaboration with Nebraska software engineering researcher Witawas Srisa-an, are developing a programming tool that automatically slices the information — the first of its kind for a CPU-FPGA system.
To test the slicing tool and HISA, Wei, along with Husker graduate students Xianglong Feng and Nan Jiang, will leverage existing partnerships to deploy the technology in three areas. In collaboration with Adobe Research, they will test HISA in video surveillance and motion detection systems. With Visa Research, they will explore the potential of HISA in securing machine learning computations. And in partnership with David Swanson, director of the university’s Holland Computing Center, they will test HISA’s capacity to protect the large datasets involved in scientific computing.
Wei also is fostering interest in the cybersecurity field by developing hardware-focused curricula for Husker students, exposing a diverse group of young pupils to his research and mentoring student researchers interested in hardware security.
The NSF CAREER awards support pre-tenure faculty who excel as teacher-scholars through outstanding research, excellent education and the integration of education and research.