Keeping chips secure is really a foot race between the good guys and the bad guys. Going forward, expect heavily funded, grouped efforts to place tremendous pressure on security envelopes. This includes everything from simple home devices, such as routers, to the most critical infrastructures, such as power, telecom, transportation, and soon, the IoT.
Fig. 1: Courtesy of Blade Genexis
In order to stay that one step ahead, the semiconductor industry has a number of challenges that need to be addressed, as well as the next generation of developments to look into that will secure hardware across the board.
Challenges and options
The No. 1 challenge is to get the entire supply chain to acknowledge the value of security. This is easier said than done.
“Security just doesn’t sell well,” said Asaf Shen, vice president of products at Sansa Security. “That isn’t news, but it is a cold, hard fact. Chip manufacturers are striving to make more powerful and functional chips, but not striving to make more secure chips. The outcome of this is that software stacks that ride on these chips develop faster than the underlying hardware, making it a real challenge to create security for them. And this is true regardless of the industry.”
There is certainly a recognition in some industries, such as defense and banking, that security is critical. But in others, such as the Internet of Things and consumer markets, security is low on the value chain.
One of the biggest challenges to tomorrow’s security environments is to undo some of the paradigms that have taken so long to establish and think outside of the momentum box. That means conventions such as smaller, faster, and better may have to undergo some retooling.
However, there is also a gotcha in this paradigm. “The more elaborate and complex one gets, the better it is to do security in hardware,” said Kurt Shuler, vice president of marketing for Arteris. “So balancing this out for tomorrow’s chips is certainly a challenge.”
And those chips are getting bigger and more complex. As Shen noted, “Having more functional and powerful chips typically results in a much greater attack surface due to the multiple software layers that run on the chip.” That translates into yet another challenge to security platforms.
Shen added that it isn’t all about performance. There is an economic factor here, as well. “We are designing chips to run significantly larger amounts of code, but which are only incrementally more secure. This is because the money is in efficiency and not security.”
He’s not alone in seeing this. “One of the paradigms that will have to be revisited has to do with how fast chips are today and how to make that cheap,” said Paul Kocher, president and chief scientist at Rambus’ Cryptography Research Division. “We have solved that first, elementary problem of making chips acceptably fast and acceptably cheap to manufacture. We have gotten really good at exercising that optimization muscle.”
But, as it turns out, the industry may have to rethink that success when dealing with tomorrow’s chip security. “There are some issues that we need to look at, around security that will require sacrificing some of the gains we have made, in terms of speed and cost,” Kocher added. “This will certainly present some new engineering challenges as well as cultural challenges.”
One area with a number of challenges is mature devices that work well but have little innate security, because function and cost were optimized at its expense. “Such devices function reasonably well, but the failure modes are uncertain or complicated, especially when it involves design or human errors,” he said. One way to address this “is to take a calculation and, rather than having one piece of circuitry do it, have two pieces of circuitry do it. Each circuit can use separate approaches. If they don’t yield the same answer, then something is wrong.”
In a similar vein, systems can be designed to decrypt data via parallel paths, with separate components per path. At the output, if the data is valid, it gets reassembled and all is well. That adds a layer of security to the hardware. If, for example, a hacker manages to capture one of the data streams, they only get part of the information, which will be gibberish. Moreover, if any of the data is compromised by some sort of tampering, it will have a different configuration at the reassembly and, again, be corrupt.
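The two-circuits-one-answer idea above, as an added example that is not from the article or any of the companies quoted: the same modular exponentiation is computed by two structurally different algorithms and the result is released only when both agree. The deliberately different algorithms matter, because an optimizer would happily merge two identical computations into one and drop the comparison. The fault_mask parameter is a constructed hook that simulates a glitch on one path so the check can be exercised.

```c
#include <stdint.h>
#include <stdbool.h>

/* Path A: left-to-right square-and-multiply over 32-bit operands.
   Intermediate products fit in 64 bits because r, b < mod < 2^32. */
static uint32_t modexp_ltr(uint32_t base, uint32_t exp, uint32_t mod) {
    uint64_t r = 1 % mod, b = base % mod;
    for (int i = 31; i >= 0; i--) {
        r = r * r % mod;
        if ((exp >> i) & 1) r = r * b % mod;
    }
    return (uint32_t)r;
}

/* Path B: right-to-left binary method. Same function, different structure,
   so a compiler cannot fold it into path A by common-subexpression elimination. */
static uint32_t modexp_rtl(uint32_t base, uint32_t exp, uint32_t mod) {
    uint64_t r = 1 % mod, b = base % mod;
    while (exp) {
        if (exp & 1) r = r * b % mod;
        b = b * b % mod;
        exp >>= 1;
    }
    return (uint32_t)r;
}

/* Redundant computation with a consistency check: run both paths and release
   the value only if they agree. A disagreement means a fault somewhere (glitch,
   bit flip, logic error), and the possibly corrupted result is withheld rather
   than handed to the caller. fault_mask (constructed for this demo) XORs a
   simulated error into path B; pass 0 for normal operation. */
bool checked_modexp(uint32_t base, uint32_t exp, uint32_t mod,
                    uint32_t fault_mask, uint32_t *out) {
    uint32_t a = modexp_ltr(base, exp, mod);
    uint32_t b = modexp_rtl(base, exp, mod) ^ fault_mask;
    if (a != b) {
        *out = 0;          /* do not leak a faulty value */
        return false;
    }
    *out = a;
    return true;
}
```

In a real design the mismatch branch would also raise a tamper event or wipe key material, which is product-specific and omitted here.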
“Something we are starting to see is a trend towards isolating the roots of trust in the hardware and isolating the execution environment,” said Shen. Typically, in today’s chips one sees more than just a single execution environment. “For example, TrustZone from ARM and hypervisor-based execution environments are typical of isolated environments that run software.”
Shen noted that one of the approaches being revisited is to allocate and create a standalone execution environment in pure hardware. “This environment has very limited functionality where you cannot introduce new code, and it runs very specific functions that are dealing with the most sensitive assets within the chip. This type of configuration prevents leakage of sensitive data to other execution environments within the chip.”
While this and other promising methodologies are being looked at for next-generation devices, implementing them has some challenges. “How to map that into real-world designs, and get people to actually use it, is actually a rather complex scenario,” said Kocher. “One example is that the tools we have available, for both hardware and software engineering, are designed to optimize things.”
That is an interesting conundrum. In nearly all cases, the optimal results are the desired results. If the design is not optimized, present tools will attempt to replace it with something that is faster and better. “For example, if there is a safety mechanism that monitors the operation, and as long as the operation is correct, it never gets triggered,” said Kocher. “So the present design tools would be programmed to, essentially, look at it as an ‘unnecessary’ element. The ‘smart’ tools would consider it a redundant, unnecessary check, for example, and remove it. This is kind of like smart vehicle design where the design tools assume the vehicle will never be in an accident. So it would go through the design and remove the seat belts, air bags, and any other safety components related to crash safety.”
Wrapping that back to circuit design, present hardware and software design tools do the same thing to circuits: make them as small, as fast, and as efficient as possible. That is a major challenge for tomorrow’s circuits, namely making the design tools “smarter” in a collaborative way.
“Another area where there are challenges to IC security is in the manufacturing process,” noted Kocher. In today’s competitive manufacturing environments, with few exceptions, remaining competitive means manufacturers must shoot for the lowest cost per square millimeter on a die. Realistically, that means going to factories in locations that have cheap labor and low operating expenses. Unfortunately, that pushes security options to the back burner. “The challenge here is how to develop solutions that make factory environments with untrusted elements more secure.”
For example, the primary driver in manufacturing is to keep the factory up and running without glitches. So if there is a malfunction, the idea is to diagnose it by monitoring the network as tightly as possible. The way to do that is to monitor the data so it presents exactly what happened, when it happened, with what equipment and under what circumstances.
That scenario doesn’t work when it comes to security, though. “For such networks that are tightly monitored, you don’t really want the keys to be part of monitoring data, or having the test transactions being sent over to whomever is managing the secrets for the process,” he said. There are solutions that can be implemented, such as applying a Diffie-Hellman key exchange. The fact that such solutions can be done, mathematically, has been known for a long time, but the engineering to bring such capabilities into mainstream manufacturing hasn’t, for the most part, actually been implemented in chip factories.
Microsemi’s CTO Jim Aralis has another angle on how to meet some of the chip security challenges. “We have developed an approach that builds a security architecture into the chip, to physically secure it, such as anti-tamper,” Aralis said. “We can encapsulate the architecture into a chip, which will protect the boundaries of that chip.”
That addresses physical attacks on the chip, such as opening the package, because new efforts to compromise chips through physical techniques are certainly on the horizon. The efforts to attack chips using side channel and power signature analysis will only get more sophisticated, he said.
Finally, there is the topic of economics that hovers over all of this. How does the industry make enough money from security so that people would use and apply it? One looming, long-time enigma, at least in the software space, is that if there is a security bug in the system, many of the stakeholders generally won’t punish you over it. However, there is some movement towards change happening, in light of the very public exposures that giants like Target, Home Depot, Chase, Sony, and others have had. Such exploits are starting to have significant economic effects on companies, so the level of awareness is starting to ramp up and the value of security is being realized.
“The most important question is always who should pay the money for the security features,” added Shuler. “In the case of consumer electronics, the content providers benefit but the device providers pay. That’s a messed up business model because an investment in security is ‘insurance’ that the device provider pays to not be sued by content providers, so the bare minimum to avoid legal liability is the best implementation from a cost perspective.
So who protects the protection? This is a challenge chipmakers face when embedding on-chip security features such as interconnect fabric firewalls that are software-programmable. As a result, design teams are looking for ways to protect the communication to these firewalls (registers) and ensure the contents (algorithms) of the firewalls are genuine.”
Again, however, implementing changes that include security is challenging and easier said than done. “Making the business case for better security is a significant challenge all along the supply line,” Kocher said. “And the main challenge is how to make the security technology help everyone from the chip manufacturer to the end user.”
Conclusion
While experts have slightly different perspectives on the challenges of chip and object security, they share the same global concern.
There are several common threads behind those concerns, and important questions that have yet to be answered:
The economics of security: Who is going to pay for it and how can the cost be minimized?
The supply chain: How can the global supply chain be secured?
PPA vs. more secure: What is the best approach to manage the performance, power and area equation and still improve security?