White Paper

White Paper: Cloud-Scalable Cross-Domain Solutions for an Evolving Battlefield

Issue link: https://read.uberflip.com/i/1400095


WHITE PAPER: Cross-domain solutions for an evolving battlefield (mrcy.com)

REQUIREMENTS FOR THE NEXT GENERATION OF CDS

To deal with current and future challenges, the next generation of CDS must satisfy a tough set of criteria. New solutions must:

▪ Provide greater overall security from attack, which includes both strong protection against cyberattack and designs without a single point of destructive vulnerability.
▪ Support the low-latency data movement required by embedded, real-time computing. In practice, this means they must be able to match the throughput rates of future communications protocols, including 5G.
▪ Be deployable at the edge, which means implementation in very small form factors.
▪ Be able to impose security rules on data transfers from all types of intelligent sensors, using multiple protocol interfaces.
▪ Be flexible in their implementations, able to adapt to dynamically changing network configurations and unpredictable AI demands for data transfers.
▪ Lend themselves to faster certification of secure performance.

MOVING TO A NEW CDS MODEL

Fortunately, advances in semiconductor technology are enabling a new type of CDS, the bookend model. The bookend approach puts security-level understanding and content-sharing decision authority at the endpoints of each connection. This model offers tremendous networking flexibility and avoids a single point of CDS failure.

A new generation of field-programmable gate array (FPGA) processors has the capability to perform as bookend model CDS endpoints. Within the dimensions of a silicon chip, these FPGAs can support the awareness of security designations for connected systems and the ability to make transfer decisions based on a specified security policy. The endpoint FPGAs offload CDS tasks from other system components, allowing them to dedicate all of their resources to application execution. In addition, the parallelization within FPGAs enables high-bandwidth data streams that can maintain line-rate communications throughput, so CDS security is not a performance bottleneck.

[Figure: A Bookend Model CDS (Domain A, Domain B, Domain C)]

The endpoint FPGAs can be embedded in memory controllers, I/O controllers or other board-level components, tying the associated system into a CDS. They have minimal SWaP impact on embedded systems, especially if currently designed-in FPGAs are leveraged. They are also cost-effective and the update path is straightforward.

Most critically, the programmable logic in an FPGA functions as hardware, not software, so it is not vulnerable to cyberattack. While the firmware controlling an FPGA can be replaced, the ability to secure FPGAs from an adversary reloading firmware is based on mature and proven technology. Resistance to cyberattack is especially important when supporting communication to and from systems using commercial processor implementations, as many of these processors are not built to provide robust security isolation in hardware.

In the longer term, it is likely that FPGA-based endpoint technology will accelerate CDS certifications. Used in a bookend model, the endpoints become highly modular solutions, which should simplify security evaluations relative to centralized model CDS designs.

DEPLOYABLE BOOKEND MODEL CDS FROM MERCURY

As a participant in the DARPA Guaranteed Architecture for Physical Security (GAPS) program, Mercury Systems is using the latest FPGA technology to develop a functional bookend model CDS. One GAPS goal is non-traditional, interface-agnostic (more than just Ethernet), high-performance methods for implementing CDS functionality. Another goal is creating CDS technology that does not need to be reaccredited for each new system deployment. Mercury is prepared to work with prime contractors who want to move this new technology into deployment.

While the initial focus is on bookend model CDS, it also offers advanced capabilities for firewall and other boundary layer protection (BLP) implementations. In addition to FPGA implementations, the new capabilities can also be achieved using chiplets in SoC designs and via direct integration into I/O, memory and other function-specific ASIC dies.
