Demands on cloud services continue to increase but the end of Moore's law means that transistors are no longer getting significantly smaller every year. Heterogeneity is the answer: servers need flexible platforms.

Field-programmable gate arrays or FPGAs, are semiconductor devices so adaptable that they can be reconfigured at runtime. Most integrated circuits are built with at least some set of specific tasks in mind, but FPGAs are built to behave like almost any digital circuit by simply reconfiguring their hardware.

Mirjana Stojilović, a scientist in IC’s Parallel Systems Architecture Laboratory (PARSA), is the lead author of the recent cover article in the latest edition of the prestigious IEEE Proceedings, A Visionary Look at the Security of Reconfigurable Cloud Computing | IEEE Journals & Magazine | IEEE Xplore.

The article is both a survey of the current state-of-the-art use of FPGAs in cloud computing and a prediction of how this technology will evolve in the face of multiple security risks. It outlines that Microsoft led the way in embracing the potential of FPGA technology for data center applications: its Catapult servers relied on FPGAs to accelerate the Bing search engine. Since then, Amazon AWS, Alibaba, Baidu, Microsoft Azure, and others have followed suit.

However, FPGAs in data centers bring security risks. They can empower a malicious user to execute a variety of remotely-controlled electrical-level attacks: denial-of-service, fault injection, power side-channel, and crosstalk side-channel attacks. “The problem is that the FPGAs themselves – their architecture, their implementation – allow the users to deploy circuits of almost arbitrary complexity, which is great for many applications but can also be misused,” explains Stojilović.

Malicious users can build circuits to sense signals from another FPGA that is not allocated to them. They can create fluctuations in the power supply that might reset the entire device or cause errors in someone else’s application simultaneously running on the same FPGA.

“There are barriers to malicious attacks, but we have observed that it is possible for sophisticated attackers to pass right through them. We make it clear in our article that data center managers have to apply a holistic approach: safety measures must be deployed across all levels!” she continued.

“We were able to set up a demonstration to show engineers from Amazon that they were open to certain types of attack. They reacted by deploying defences against these threats, and also by slowing down the roll-out of simultaneous FPGA sharing. Ideally, from a data center perspective, an FPGA should be open to several users at the same time, but the security risks are too great for that – and Amazon recognized it.”

In From the Earth to the Moon, Jules Verne pitted cannon makers against armour plating manufacturers, in constant rivalry, each attempting to outdo the other in ingenuity. FPGA pits the hypervisor against the hacker, and for data center operators this means they will have to be ever vigilant, as Stojilović states in her conclusion:

"Such awareness should be the guiding assumption when designing mitigation mechanisms that should necessarily be tackled in a holistic manner and allow for continuous updates to address the evolving attack surface."

Authors: John Maxwell, Tanya Petersen