Risk Assessment on Hardware Offloading Architecture of Network Security Protocols with Linux-based Control Plane

Cited by: 1
Authors
Bermejo, Oscar Gotor [1 ,2 ]
Dik, Daniel [1 ,2 ]
Berger, Michael Stubert [2 ]
Affiliations
[1] Comcores ApS, Lyngby, Denmark
[2] Tech Univ Denmark, Lyngby, Denmark
Source
2023 19TH INTERNATIONAL CONFERENCE ON THE DESIGN OF RELIABLE COMMUNICATION NETWORKS, DRCN | 2023
Keywords
Linux; MACsec; risk assessment; security;
DOI
10.1109/DRCN57075.2023.10108289
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812 ;
Abstract
The Linux Operating System is used worldwide in communication devices hosting multipurpose applications. With the evolving communication infrastructure, such as 5G cellular networks, critical applications with strict high-performance requirements will be developed and also rely on Linux. Due to the nature of these applications, security needs to be ensured in addition to performance. Linux provides software-based implementations of network security protocols. However, their performance is limited by the CPUs they are running on. To meet higher performance, the data plane of security protocols needs to be offloaded to dedicated hardware, such as FPGAs and ASICs, with the control plane kept in software. The resulting system architecture introduces a new attack surface where vulnerabilities can be exploited that threaten the control plane. This can reveal sensitive control information or cause a Denial-of-Service attack. This paper presents a risk assessment of the hardware offloading system architecture of security protocols with Linux-based control plane. The data link layer security protocol MACsec was chosen as a reference use case; however, the assessment framework can be applied to other security protocols as they share a similar architecture. Twelve risks were identified during the analysis, which elucidates the urgent need of security measures to protect this type of architecture from possible threats and attacks. Additionally, this paper proposes a set of control recommendations to reduce the impact of the identified threats.
Pages: 8