Toward Hardware-Based IP Vulnerability Detection and Post-Deployment Patching in Systems-on-Chip

System integrators create heterogeneous systems-on-chip (SoCs) by integrating numerous third-party intellectual property blocks (3PIPs) to achieve application-specific design goals. With increasing intellectual property (IP) complexity, 3PIPs can suffer from hardware bugs or they can inadvertently introduce other software-exploitable security threats to the SoC. To ensure the ongoing survivability of new SoCs, we need infrastructure for patching newly discovered IP issues after an SoC has been deployed. To address the increasing risks from 3PIPs, we explore the feasibility and limitations of implementing monitoring and mitigation capabilities in hardware. Our proposed monitoring and mitigation patch (MoP) blocks provide a defensive foundation against critical IP-centric issues, focusing on situations where a system integrator only has interface-level visibility of 3PIP designs. The MoPs are distributed throughout the SoC to monitor and mitigate issues directly in hardware and transparently for potentially compromised software - the MoPs are resilient against run-time compromised software and firmware. We ensure that these monitors are reconfigurable after deployment by implementing them using embedded-FPGAs or as a reprogrammable, fixed-design module. We perform a case study of numerous IP-types and model a selection of security-relevant issues and bugs in the IPs, exploring the relative complexity and potential resource overhead. Our study shows the utility of our proposed approach, with MoP blocks requiring less than 1.5% of the adaptive logic modules (ALMs) in a Cyclone V FPGA for interface monitoring and issue mitigation per IP.