DPU for Cybersecurity: Enabling Inline Defense and Self-Protection
Abstract
As conventional CPU-based security architectures struggle to scale with ever-growing network bandwidths and increasingly sophisticated cyberattacks, the data processing unit (DPU), a specialized processor for datacenter infrastructure, has emerged as a foundation for secure, high-performance computing. Unlike prior fragmented studies, this work proposes a comprehensive security framework for DPUs by systematically investigating the DPU's dual role in cybersecurity: it serves both as an active security enforcer and as a critical component that must itself be protected. First, the framework offloads security policies onto the DPU to enable line-rate packet inspection and hardware-accelerated security processing. Second, acknowledging that the DPU also introduces a new attack surface, the framework re-architects the DPU itself to defend against physical and architectural attacks. We validate these two design directions through two representative case studies, demonstrating the effectiveness and practicality of the proposed DPU security framework. Experimental results show that the framework reduces remote direct memory access (RDMA) cache side-channel detection latency by up to 98.7% compared with the state of the art, while enabling a trusted execution environment on field-programmable gate array (FPGA)-based DPUs with sub-100 ns overhead and less than 4% FPGA resource consumption.
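To make the "line-rate" requirement behind the first design direction concrete, the following Python sketch is an added illustration, not code from the paper or its framework. It computes the per-frame time budget the inline data path must meet at a given Ethernet rate (a 64-byte frame at 100 Gbps arrives every 6.72 ns, which is why enforcement moves off the host CPU), and models the kind of first-match 5-tuple policy a DPU would apply to every frame, failing closed on anything it cannot parse. The `Rule`, `Flow`, `parse_flow`, `enforce` and `build_frame` names, the `POLICY` list and the sample addresses are all assumptions of this example; the frames are constructed inline for testing and carry no checksums.

```python
"""Added illustration of DPU-style inline policy enforcement (not the paper's code)."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def per_packet_budget_ns(line_rate_gbps: float, frame_bytes: int) -> float:
    """Time the data path may spend per frame without falling behind the wire.

    Each frame also occupies 8 bytes of preamble/SFD and a 12-byte inter-frame
    gap, so a 64-byte frame at 100 Gbps costs (64 + 20) * 8 / 100 = 6.72 ns.
    """
    wire_bits = (frame_bytes + 20) * 8
    return wire_bits / line_rate_gbps  # bits / (Gbit/s) == ns


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    """One policy entry. None means 'any'; src/dst are CIDR prefixes (assumed format)."""
    action: str
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.src and ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.dport is not None and f.dport != self.dport:
            return False
        return True


def parse_flow(frame: bytes) -> Optional[Flow]:
    """Extract the 5-tuple from an Ethernet/IPv4/{TCP,UDP} frame; None if malformed."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[ETH_HDR_LEN] & 0x0F) * 4
    if ihl < 20 or len(frame) < ETH_HDR_LEN + ihl:
        return None
    proto = frame[ETH_HDR_LEN + 9]
    src = str(ipaddress.IPv4Address(frame[ETH_HDR_LEN + 12:ETH_HDR_LEN + 16]))
    dst = str(ipaddress.IPv4Address(frame[ETH_HDR_LEN + 16:ETH_HDR_LEN + 20]))
    sport = dport = 0
    l4 = ETH_HDR_LEN + ihl
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack_from("!HH", frame, l4)
    return Flow(src, dst, proto, sport, dport)


def enforce(frame: bytes, rules: list) -> str:
    """First-match evaluation; unparseable frames and non-matches are dropped (fail closed)."""
    flow = parse_flow(frame)
    if flow is None:
        return "drop"
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "drop"


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Construct a minimal test frame. Only the port pair of the L4 header is meaningful here."""
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4 + payload


# Assumed policy for the example: SSH only from the internal range, HTTPS to one subnet, DNS to one host.
POLICY = [
    Rule("allow", src="10.0.0.0/8", proto=IPPROTO_TCP, dport=22),
    Rule("drop", proto=IPPROTO_TCP, dport=22),
    Rule("allow", dst="10.0.1.0/24", proto=IPPROTO_TCP, dport=443),
    Rule("allow", dst="10.0.1.53/32", proto=IPPROTO_UDP, dport=53),
]

if __name__ == "__main__":
    for rate in (100, 400):
        print(f"{rate} GbE, 64-byte frames: {per_packet_budget_ns(rate, 64):.2f} ns per frame")
    samples = [
        build_frame("10.2.3.4", "10.0.1.7", IPPROTO_TCP, 40000, 22),      # internal SSH
        build_frame("198.51.100.9", "10.0.1.7", IPPROTO_TCP, 40000, 22),  # external SSH
        build_frame("198.51.100.9", "10.0.1.7", IPPROTO_TCP, 40000, 443),
        b"\x00" * 60,                                                     # not IPv4
    ]
    for frame in samples:
        print(parse_flow(frame), "->", enforce(frame, POLICY))
```

The budget function is the part worth internalizing: at 100 GbE a single core has under 7 ns per minimum-size frame, which rules out per-packet software inspection on the host and is the motivation for pushing policy into DPU hardware. The first-match, default-drop structure is what a hardware match-action table implements; keeping the deny-all default and the fail-closed parse path is the property to verify when such a policy is offloaded.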