SoK: On the Security Challenges and Risks of Multi-Tenant FPGAs in the Cloud

TL;DR

This paper surveys the security challenges of multi-tenant FPGAs in cloud environments, highlighting vulnerabilities, existing attack methods, and emphasizing the need for further research to address unresolved security and privacy issues.

Contribution

It provides a comprehensive survey of deployment models, adversary assumptions, and security shortcomings of multi-tenant FPGAs, including classification of physical attacks and identification of open challenges.

Findings

Multi-tenant FPGA deployment models vary in security guarantees.

Existing physical attacks can be launched remotely by malicious tenants.

Significant security and privacy challenges remain unaddressed.

Abstract

In their continuous growth and penetration into new markets, Field Programmable Gate Arrays (FPGAs) have recently made their way into hardware acceleration of machine learning among other specialized compute-intensive services in cloud data centers, such as Amazon and Microsoft. To further maximize their utilization in the cloud, several academic works propose the spatial multi-tenant deployment model, where the FPGA fabric is simultaneously shared among mutually mistrusting clients. This is enabled by leveraging the partial reconfiguration property of FPGAs, which allows to split the FPGA fabric into several logically isolated regions and reconfigure the functionality of each region independently at runtime. In this paper, we survey industrial and academic deployment models of multi-tenant FPGAs in the cloud computing settings, and highlight their different adversary models and security guarantees, while shedding light on their fundamental shortcomings from a security standpoint. We further survey and classify existing academic works that demonstrate a new class of remotely exploitable physical attacks on multi-tenant FPGA devices, where these attacks are launched remotely by malicious clients sharing physical resources with victim users. Through investigating the problem of end-to-end multi-tenant FPGA deployment more comprehensively, we reveal how these attacks actually represent only one dimension of the problem, while various open security and privacy challenges remain unaddressed. We conclude with our insights and a call for future research to tackle these challenges.