More and higher value data, thinner chips and a shifting customer base are forcing long-overdue changes in semiconductor security.
Protecting chips from cyberattacks is becoming more difficult, more expensive and much more resource-intensive, but it also is becoming increasingly necessary as some of those chips end up in mission-critical servers and in safety-critical applications such as automotive.
Security has been on the semiconductor industry’s radar for at least the past several years, despite spotty progress and inconsistent applications of security technology. However, that is starting to change for the better due to shifts in the economics behind security. While security always has been a risk versus benefit equation, for the most part it was one step removed from the semiconductor market. That’s no longer the case. As systems vendors and OEMs increasingly design their own chips, instead of buying commercially developed devices and IP created by third-party developers, they effectively are creating their own ecosystems and requirements, and security is a key concern for them.
The economic drivers fall roughly into three categories:
Macroeconomics
The most visible of these three drivers is macroeconomics. The discovery of high-profile security vulnerabilities in speculative execution and branch prediction (Meltdown, Spectre, Foreshadow) ended up requiring costly fixes for data centers. All of the major processor vendors had to patch holes with software, and in doing so they eliminated two effective techniques for improving performance. As a result, customers that had upgraded their servers to leverage the latest processors lost much of the performance improvement. That, in turn, forced them to add more servers to process the same volume of data in the same amount of time.
This was part of the reason system vendors opted to develop their own custom chip architectures, which could provide even bigger gains in performance and power. Many have since leveraged Arm cores and custom accelerators (RISC-V, eFPGAs) rather than just relying on Intel, AMD, IBM or Nvidia processors. That move also puts chip security squarely under their own control, and it has provided an element of design freedom because new solutions do not need to be backward compatible with a particular ISA.
How much of an impact all of these changes will have remains to be seen. What is clear, however, is that the economics of hardware attacks are changing. The tools needed to hack into chips and systems of chips are no longer beyond the reach of ordinary criminals. Moreover, in the past, most attacks on hardware were less visible than software breaches because they mainly involved corporations and government entities, neither of which likes to call attention to security breaches. As computing becomes more pervasive and connected, the potential attack surfaces is widening to include many more devices, all of which will increase the visibility of hardware attacks.
“There are four main attack surfaces, and each of those has different costs,” said Serge Leef, program manager in DARPA’s Microsystems Technology Office. “One is the supply chain, which is based on the size of a PUF (physically unclonable function). The tradeoff here is size, not performance or power. The second is a side-channel attack, where you cancel out the active gates. That can double the size of the security features, or it can cost power from generating random noise. The third is reverse engineering, where you employ logic locking or obfuscation. Because you’re using additional circuits that are active, it has an impact on real estate and performance. The fourth is Trojan detection. That also costs real estate and performance.”
For mil/aero applications, hardware security is an obvious necessity. But for automotive, this is a new and critical issue that is still evolving because the electronic architectures in vehicles continue to evolve. Over the past few years the underlying strategy for assisted and ultimately autonomous driving has shifted from sending everything to the cloud and back to the vehicle, to centralized processing in a vehicle, then to distributed processing, and finally to a combination of distributed processing at the sensor level with centralized processing of structured and cleaned data. This is partly due to the fact that carmakers have come to the realization that whoever owns the electronic infrastructure owns the market, and they are not about to be supplanted by their suppliers. Strategies for securing that data in autos have likewise seesawed to accommodate different architectures. But due to the liability implications of a breach and the potential cost for ransomware, there is a growing recognition that hardware is as much of a target as software. Approaches here tend to fall into a couple of different camps.
“There are two main kinds of attacks,” said Jason Oberg, CEO of Tortuga Logic. “One is physical, such as shooting a laser at chip and using optical measurements and microscopes. That also includes physical side-channel attacks, like electromagnetic radiation and thermal changes. Getting physical access to a chip requires you to actually have that chip. There also are things in the digital domain that can get exploited remotely, like low-level microcode, which leverages an actual problem with the chip. We see a lot more growth in the remote attacks, particularly in the commercial domain. Those are the scariest ones, because if you find a flaw in the engineering, you don’t have to tear something apart or do reverse engineering. But you also can’t patch it with firmware. That makes it harder to fix.”
In addition, regardless of who designs a system, almost all of them utilize third-party IP. This becomes particularly challenging to secure in automotive, where the supply chain is enormous and systems need to react to a broad range of objects and ambient conditions.
“A lot of designs in automotive are highly configurable, and they’re configurable even on the fly based on the data they’re getting from sensors,” said Simon Rance, vice president of marketing at ClioSoft. “The data is going from those sensors back to processors. The sheer amount of data that’s running from the vehicle to the data center and back to the vehicle, all of that has to be traced. If something goes wrong, they’ve got to trace it and figure out what the root cause is. That’s where there’s a need to be filled.”
Tracking and security typically have been separated in the past, but that’s beginning to change, particularly with ISO 26262 requirements for traceability. “We’re definitely seeing a lot more traction in that space,” Rance said. “The semiconductor IP providers have had this for 10 years, but it’s certainly growing with multiple uses of IP, especially with legal agreements.”
Microeconomics
How many of these various approaches to security are required depends upon the market segment and the need of a particular application. Each security solution has a cost, so it comes down to the value of the data and the price elasticity for each device.
“The big question is whether they are going after data, or whether they are they trying to bring down an entire system,” said Scott Best, technical director of anti-counterfeiting products at Rambus. “Those are two different attack surfaces. The adversary is going to go after those with different sets of tools and strategies, and the countermeasures will be different to either prevent and/or delay. Eventually the adversary will win, so you’re trying to delay until they get tired and move onto your competitor’s system, which doesn’t have as strong security. We see that a lot in the anti-counterfeiting space. Usually you’re just trying to delay.”
A successful delay is based on a complex security stack coupled with best practices. With enough determination any security can be broken. But this also needs to be viewed in the context of an evolution toward edge computing. The IoT concept that everything can be sent to the cloud for processing has proved to be unworkable on many counts, including power, latency, and ultimately cost. That cost includes everything from the power and bandwidth needed to send data back and forth, the amount of memory needed to store it, and the resources necessary to process large quantities of data.
The current solution is to do more processing much closer to the source of data, where that data can be processed and cleaned. That requires some level of intelligence to determine what is useful data and what is junk, and it requires security to be localized and well integrated into the edge device/system architecture.
The challenge is that much of the development at the edge ranges from highly customized to semi-customized. The only ways to manage those costs are to either build a platform, utilize a LEGO-like chiplet/tile approach, or adopt the superchip approach. As a result, the security infrastructure now needs to be extended across the supply chain for whichever approach is used.
“We’ve seen efforts for tile-based heterogeneous strategies, and we’ve also seen huge SoCs with a number of IP blocks that have been deactivated,” said DARPA’s Leef. “So you may have parts with 1 to 1,000 different blocks, where 70% are turned off. This is all done through software, or where you deactivate a number of blocks. Even though it’s large, it’s more cost-effective. What you’re seeing is that the economic curve has changed. It’s more expensive to get manufacturing ramped up.”
However, each of those blocks or chiplets needs to be secure, and so does the software, the firmware, and the interconnects that allows different blocks to communicate with each other and the outside world. The same is true for platforms developed by a single vendor, where different pieces are layered on for specific applications.
“We’ve built in security for a number of purposes,” said Kris Ardis, executive director for Maxim Integrated‘s Micros, Software & Security Business Unit. “One is just application-level security. But we also consider the weights and the network configuration to be IP. We treat an FPGA program file just like your software, and C code is your IP. One of the reasons we put secure encryption in there is we want to be able to securely load a file. If you’re a contract manufacturer and you ship your network file in raw text, someone can take that and program it on the different versions of your chip. But if it’s encrypted and it has secure boot, then your weight file is just like a secure boot would be protected under normal software. This roadmap has many parts. It’s designed for different networks, peripherals and applications. But we certainly see other kinds of security and robustness features being implemented, particularly for some of the higher-end industrial and medical applications.”
There is good reason for this, too. “Attacks used to be confined to security labs, where they would do fault injection to bypass security schemes,” said Mike Borza, principal security technologist at Synopsys. “But as imaging technology has fallen in price, it’s no longer just being done by university labs and private labs. Attacks are not just research anymore. There are actual malicious attacks. It’s still somewhat of an esoteric concern for many people, but we are are seeing improvements showing up in chips.”
Nanoeconomics
Nowhere is that more evident than at leading-edge nodes, where building in effective security poses perhaps the most daunting challenge. Chips developed at these nodes are the most complex, the most costly, and often the hardest to secure. In fact, there is growing concern that continued scaling is opening up new attack surfaces that never existed in the past.
At 10nm and below, encryption schemes can be scanned without actually touching a chip. This was first identified as a possible attack surface several years ago by researchers at Technische Universität Berlin, who demonstrated that by utilizing optical contactless probing on a 28nm FPGA, they were able to execute a non-invasive attack on the chip’s bitstream encryption. FPGA vendors have since installed various blocking and obfuscation techniques, but a number of security experts familiar with this method said they were shocked at how easy it was to view data encryption schemes without ever touching the chip.
At these process nodes, thinner insulation layers and thinner substrates also mean more noise across a chip. Some of that is due to electromagnetic radiation, which already is causing signal interference on-chip. It can be heard off-chip, as well.
“Since it’s hardware-based, if there’s a flaw in your system, once it’s out in the field there’s very little you can do about it,” said Marc Swinnen, director of product marketing at Ansys. “With software, you can send out a patch. If the signals can be heard through the package, you have to make a new one. It really needs to be designed in early. If you look at the chips for your credit card, every switch has to consume the same amount of power. They put in dummy switches to thwart electronic probing.”
Fig. 1: Near-field EM analysis simulation. Source: Ansys
While the economics of scaling are still attractive enough for some companies, they are forcing chipmakers to implement security measures at these advanced nodes that are not necessary at older nodes.
“As you get more compact, more gate count into a physical piece of silicon, the amount of physical emanations become harder to mitigate,” said Tortuga Logic’s Oberg. “Optical is very thin. A lot of times you add secure meshes into these chips so that if someone shines a light in there, you can’t actually see what’s going on. Those techniques become harder as the system becomes smaller.”
This extends to memory, as well, which in advanced chips tends to be vulnerable because it is scattered around the die in order to reduce the distance that data needs to travel between various processing elements. DRAM and SRAM are relatively safe, because they are volatile and data disappears when they are powered down. But there are an increasing number of non-volatile memory types being deployed in these leading-edge chips, as well.
“All of the embedded non-volatile memories generally come in two flavors,” said Rambus’ Best. “Either you’re storing data using a charge-based approach, or you’re storing the data using an impedance-based memory. Charge is much easier. The data is sitting in a bit cell on an isolated gate, and there are all sorts of ways of extracting that data. There’s a technique called passive voltage contrast, which involves using a scanning electron microscope (SEM) to actually sense what the charge is inside a charge-based memory. There are dozens of papers about people using SEMs in this way to extract content from embedded non-volatile memories that rely on charge. The other non-volatile memories — MRAM, RRAM, phase-change memory — are all similar in that the impedance of the bit cell changes as the function of something. You change the magnetic spin in an FRAM and the impedance changes. You form an inductive bridge in the CBRAM (conductive-bridging RAM) and the impedance changes. With RRAM you have oxide vacancies, and that changes the impedance. Those are all impedance-based memories. The good news is that, in general, the adversary is more familiar with memory based on charge.”
Solutions
Adversaries typically fall into three camps with security — nation states, which have unlimited resources, criminals looking for a payoff with something valuable such as ransomware, or thrill-seekers looking to disrupt something. The application typically dictates the risk, which in turn dictates the required level of security.
“Everything has a cost,” said Geoff Tate, CEO of Flex Logix. “So the needs in defense are different than for the commercial community. This is particularly difficult for the U.S. military because there is no trusted fab. In the past, all chips were designed and fabricated by American companies. Now, chips are run through standard commercial fabs and they have no way of knowing whether something has changed or whether there are Trojans or even whether the chips are counterfeit. But there is a lot of concern about the processor architecture, and that’s a lot harder to breach with an embedded FPGA. By definition, an FPGA is a blank slate.”
Another thing that can help is machine learning, which is something of a double-edged sword because adversaries are as bent on using ML to compromise systems as security experts are to protect it. But it works particularly well on the defensive side when a baseline is established for legal behavior and traffic. The same is true for watermarking of chips and IP.
“If a company is about to ship an IP core to a customer, a customer can walk about the door and add their own code,” said Leef. “But the IP vendor could watermark that IP before they release it. In the future, the party designing in that IP could force the IP to self-identify.”
There also is work underway to build resilience into chips, which allows chips to reboot securely after being attacked. Arm has been especially active in this effort. And there is now a database of common hardware weaknesses, which was developed by MITRE, a not-for-profit organization that manages federally funded R&D centers for the U.S. government. Mitre previously had focused on software. It introduced its latest database in February that includes hardware.
Conclusion
Security always has included an economic risk assessment component, but the risks are increasing due to increased complexity and thinner components, as well as the increase in the amount of data and the value of processed data. This has prompted chipmakers to begin taking security much more seriously than in the past, and demanding everyone who does business with them to do so, as well.
Previously, security was largely a standalone feature. It is now tightly intertwined with design, system architecture and potential liability in markets that involve mission- and safety-critical designs. And wherever economics require it, the industry now appears ready to follow.
 |
 |
 |
 |
 |
 |
 |
 |
 |
Leave a Reply