The increasing adoption of System-on-Chip Field-Programmable Gate Arrays (SoC FPGAs) in AI-enabled satellite systems, valued for their reconfigurability and in-orbit update capabilities, introduces significant security challenges. Compromised updates can lead to performance degradation, service disruptions, or adversarial manipulation of mission outcomes. To address these risks, this paper proposes a comprehensive security framework, AegisSat. It ensures the integrity and resilience of satellite platforms by (i) integrating cryptographically-based secure boot mechanisms to establish a trusted computing base; (ii) enforcing strict runtime resource isolation; (iii) employing authenticated procedures for in-orbit reconfiguration and AI model updates to prevent unauthorized modifications; and (iv) providing robust rollback capabilities to recover from boot and update failures and maintain system stability. To further support our claims, we conducted experiments demonstrating the integration of these mechanisms on contemporary SoC FPGA devices. This defense-in-depth framework is crucial for space applications, where physical access is impossible and systems must operate reliably over extended periods, thereby enhancing the trustworthiness of SoC FPGA-based satellite systems and enabling secure and resilient AI operations in orbit.

翻译：随着片上系统现场可编程门阵列（SoC FPGA）在AI赋能卫星系统中的日益普及——其价值在于可重构性与在轨更新能力——也带来了严峻的安全挑战。受损的更新可能导致性能下降、服务中断或对任务结果进行对抗性操控。为应对这些风险，本文提出了一种综合安全框架AegisSat。该框架通过以下方式确保卫星平台的完整性与韧性：(i) 集成基于密码学的安全启动机制，以建立可信计算基；(ii) 实施严格的运行时资源隔离；(iii) 采用经过认证的在轨重配置与AI模型更新流程，以防止未授权修改；(iv) 提供强大的回滚能力，以便从启动和更新故障中恢复并维持系统稳定性。为进一步支持我们的主张，我们进行了实验，展示了这些机制在当代SoC FPGA设备上的集成。这种纵深防御框架对于空间应用至关重要，因为在空间应用中物理访问无法实现，且系统必须在长时间内可靠运行，从而增强了基于SoC FPGA的卫星系统的可信度，并支持在轨安全、韧性的AI操作。