Fourth in a series: Why you can’t possibly know where the next breach will occur, and what’s being done about that.
No SoC ever will be totally secure, and no technology will stop experienced thieves who really want to get into a device. But chipmakers and IP companies are examining ways to at least make it more difficult—and, in theory, far less lucrative.
One big change, of course, is that a connected electronic ecosystem has made location irrelevant. In the past, crime was limited to where the criminals were physically located, and that alone mathematically reduced the odds of a crime. An increasingly connected world will continue to change those odds, as criminal organizations, many of them highly trained, are able to pilfer data, money and other valuables from anywhere on the globe.
The most recent proof of this comes from a just-released report by Cisco, which shows a steady trend of increased alerts, up 14% year over year.
Experts everywhere agree there is no single solution to this problem. It has to be tackled on every level, with relentless vigilance because attacks occur around the clock, seven days a week, with breach time frequently measured in nanoseconds. Thieves already have penetrated IP, embedded software, and even the communications within an SoC.
This trend hasn’t gone unnoticed by chipmakers, of course, and there are two major approaches being used to build security into chips. The first involves putting in as many hurdles as possible to deter thieves, such as data that self-destructs if a chip is tampered with, secure zones that shift from one region of a chip to another, and memory that shifts the ones and zeros of code. So rather than a single security wall, there are many. The second approach is to limit the damage in case thieves do gain access. It’s bad enough to gain access to one set-top box, for example, or one iPhone. It’s quite another matter to break into one and then be able to get into all of them.
The biggest risk for that may come from the Internet of Things, which includes a huge range of applications from many different vendors around the globe with no central security watchdog.
“If you look at an Internet provider, right now they know what’s connected to their network,” said Drew Wingard, chief technology officer at Sonics. “The Internet of Things will change that because devices will just show up. That scares the network providers to death. They can create havoc and it doesn’t even have to be intentional. So there’s an opportunity to charge more, which they like. But there’s more concern about control of it, particularly when it comes to health care and electronic wallets. And if you think about chips for the Internet of Things, the focus is on low power. That means simpler chips, and simpler chips don’t have much in the way of protection.”
Layering security and parallel networks
Partly because of this, security has to be built in layers across a variety of technologies, from third-party IP to processor cores to embedded software. And it has to be resident inside of every home network, with parallel networks that don’t interact within homes, businesses and health care facilities.
Consider this scenario. A criminal organization breaks into a set-top box, taps into the wireless network to which the television is connected, and gains access to computers on that network that have personal information, bank passwords and any other information that thieves might want. The simplest way to prevent this from happening is to keep a separate network and router for computers and any devices that contain important information.
“We need to apply the same approach to hardware,” said John Swanson, senior manager in the IP group at Synopsys. “Today we do a lot of encryption, but a single encryption layer is harder to secure than if you add another layer with physical detection and an interrupt. And you do that layer upon layer for multiple systems, with encryption upon installation using a customized key.”
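As an added illustration (not code from the article or from any vendor quoted in it), the point above that breaking into one device must not open all of them, and Swanson’s “customized key” at installation, come down to per-device key diversification: a provisioning root key is expanded with HKDF into a distinct key bound to each device ID, so a key recovered from one set-top box verifies nothing on another. The device IDs, labels and root key below are constructed.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-and-expand built on stdlib HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()          # extract
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):              # ceil(length/32) blocks
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]                                         # expand


def derive_device_key(root_key: bytes, device_id: bytes) -> bytes:
    """Provisioning side: the root key never ships; each unit gets its own key
    bound to its unique ID, so one leaked unit key exposes only that unit."""
    return hkdf_sha256(root_key, salt=b"provisioning-v1", info=b"device-key|" + device_id)


def tag_payload(device_key: bytes, payload: bytes) -> bytes:
    """Authenticate a command or update for one specific device."""
    return hmac.new(device_key, payload, hashlib.sha256).digest()


def verify_payload(device_key: bytes, payload: bytes, tag: bytes) -> bool:
    """Constant-time check on the device side."""
    return hmac.compare_digest(tag_payload(device_key, payload), tag)


def demo() -> dict:
    # Constructed values: a root key a provisioning service would hold in an HSM,
    # and two hypothetical set-top box serial numbers.
    root_key = hashlib.sha256(b"CONSTRUCTED ROOT KEY - not a real secret").digest()
    key_a = derive_device_key(root_key, b"STB-0001")
    key_b = derive_device_key(root_key, b"STB-0002")
    cmd = b"update-firmware:v2.1"
    tag_a = tag_payload(key_a, cmd)              # authorised for device A only
    return {
        "keys_differ": key_a != key_b,
        "own_device_accepts": verify_payload(key_a, cmd, tag_a),
        "other_device_rejects": not verify_payload(key_b, cmd, tag_a),
    }


if __name__ == "__main__":
    print(demo())
```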
One option is to embed software code into devices—or even into IP blocks and subsystems—using ultra-low-power techniques so that devices can be woken up if they detect any intrusion. That can include everything from physical or traffic motion sensors to package integrity monitoring. Several experts in this area also noted privately that it’s not foolproof, either. Accidentally dropping a device with this kind of technology can set the anti-tamper shutdown sequence in motion, disabling a chip forever.
Stopping the crime spree
Industrial companies and utilities are particularly worried about limiting the damage once an intrusion does occur. Given the rising number of attacks, there is general agreement that at some point one or more intruders will break through the firewalls of every company and reach valuable data. The question is how to limit the damage once that happens.
“Attackers will usually hit the easiest point to go in,” said Tiffany Strauchs Rad, senior security researcher and a member of the Global Research and Analysis Team at Kaspersky Lab. “If they’ve compromised IP, everywhere that IP touches is vulnerable.”
Rad said chipmakers need to start thinking about every piece of the technology they create or integrate, from the hardware to the embedded software to the network. But the emphasis on security also requires a step back from the push for higher performance at lower power, which have become the competitive metrics in design. “There is definitely a tradeoff between how quickly a program loads and making it secure,” she said. “If you’re using more memory for security it will make a phone run slower. But there also is work under way for secure coding practices. Carnegie Mellon has a whole segment of its curriculum devoted to this. It’s easier to think about security at the beginning of a design than after it’s done.”
Security isn’t free, either. It’s like a tax on design resources, requiring extra programming and more silicon—not to mention more debugging, verification, and possible yield issues.
“There’s a big challenge in balancing between cost and security,” said Hayden Povey, director of marketing security for ARM. “You can spend an infinite amount of money on this, starting with making sure you have control of the supply chain and the gray market, and that you have a very strong root of trust in all components, which is what the pharmaceutical industry does. From there you have to use internal firewalls, and with super complex SoCs you may need more network-on-chip approaches with different components separated by firewalls.”
Inside of data centers, one approach increasingly being used for security involves technology that is already in place—virtualization. This is somewhat ironic, given that virtualization became immensely popular inside data centers as a way of improving utilization of servers, which were expensive to power and even more expensive to cool in densely packed racks. Virtualization proved to be a huge cost savings for companies, allowing them to use virtual machines to run applications rather than restricting servers to running one application on one operating system.
That approach also can limit access to data, though, by adding permissions into the virtualization layer that say which data a virtual machine may access or which operating system it may run. It also can be layered with technology such as pattern detection, which can send triggers at every level, from hardware cycles to network traffic to the software being run.
“We’ve been using a ring architecture, but we have added in features to that such as secure boot so that you boot a product into a known and trusted environment,” said David Doughty, director of security engineering at Intel. “On top of that, McAfee has been developing deep sender technology where they use virtualization technology to put a thin layer beneath the OS. When someone is trying to access a resource in place in a stack, that’s hard to corrupt because you can look at it from the standpoint of a different privilege level.”