ShEF: Shielded Enclaves for Cloud FPGAs
This addresses security concerns for users of cloud FPGAs handling sensitive data like financial and medical records, offering a novel solution to protect against adversaries controlling CPU software and having physical access.
The paper tackles the problem of securing sensitive data on cloud-based FPGA accelerators by introducing ShEF, a trusted execution environment independent from CPU-based TEEs, which provides secure boot, remote attestation, and a customizable Shield component with minimal performance and area overheads.
FPGAs are now used in public clouds to accelerate a wide range of applications, including many that operate on sensitive data such as financial and medical records. We present ShEF, a trusted execution environment (TEE) for cloud-based reconfigurable accelerators. ShEF is independent from CPU-based TEEs and allows secure execution under a threat model where the adversary can control all software running on the CPU connected to the FPGA, has physical access to the FPGA, and can compromise the FPGA interface logic of the cloud provider. ShEF provides a secure boot and remote attestation process that relies solely on existing FPGA mechanisms for root of trust. It also includes a Shield component that provides secure access to data while the accelerator is in use. The Shield is highly customizable and extensible, allowing users to craft a bespoke security solution that fits their accelerator's memory access patterns, bandwidth, and security requirements at minimum performance and area overheads. We describe a prototype implementation of ShEF for existing cloud FPGAs, map ShEF to a performant and secure storage application, and measure the performance benefits of customizable security using five additional accelerators.