中文 English

Building A More Secure SoC

Thwart hackers with security-focused embedded IP.

popularity

SoC integrators know that a software-only chip security plan leaves devices open to attack. All that a hacker needs to do is find a way to replace key parts of the bootloader or the low-level firmware to compromise other software in the system used to support secure access.

The most simple attacks come remotely over a network, and these can be patched with software upgrades. However, we see an increasing number of cyber attacks that involve physical access, and this type of attack cannot be fixed by a software upgrade. Take for example “jackspotting” attacks on automated teller machines (ATMs) where hackers replace legitimate hard drives containing the core ATM software with their own version of the operating system and applications, or introduce spyware devices that plug into an unprotected USB port.

To prevent remote and local physical attacks, designers can integrate security-focused hardware modules into the core machine design, for example the OpenTitan project. The hardware module provides a root of trust, see figure 1, and supports functions such as a secure or measured boot, which ensures only firmware hashed against a known signature or security certificate is allowed to run. Any modifications that are applied in the absence of the code-signing processes will fail the hash test applied by the root of trust and will be terminated by the bootloader.


Fig. 1: The root-of-trust model.

Root of trust is implemented with a protected cryptocontroller that can act as a secure enclave used to perform any sensitive operations. But even the root of trust and similar secure enclaves are vulnerable to attack from other techniques attackers can deploy to subvert its protections. These attacks often exploit the gap between the theoretical security offered by encryption protocols and behavior of the hardware and software functions that implement them.

For example, the way in which algorithms are implemented can give hackers the clues about how they operate and the data, like private keys, that they work with. A cache side-channel attack looks for small variations in the execution timings of operations due to cache contention. When combined with knowledge of the underlying algorithm, an attacker can figure out key values. Caches, execution pipelines, electromagnetic (EM) emissions and instantaneous changes in voltage and current on power rails all provide clues as to what a target is doing. Cache and pipeline behavior can be tracked remotely. Figure 2 shows an attack output vs. sample number for subkey guesses. The leakage that lets an attacker deduce each key byte is frequently isolated to specific groups of calculations and is often identified by changes in correlation. In this example, a large change in correlation in the region around 350 samples shows the results of a correctly guessed key byte.


Fig. 2: Attack output vs sample number for subkey guesses.

Attacks are evolving

In the past, attacks that require physical presence were mostly on consumer-facing, financially sensitive devices: smartcards, point-of-sale terminals, and pay-TV decoders. Now, the increase in use of edge devices in large distributed systems presents a larger attack space. Hackers will use several different approaches, and employ advanced statistical tools and machine learning to reverse-engineer a target and increase its vulnerability to the final attack.

Side-channel analysis is an example of the use of machine learning in cyber attacks. The attacks study emissions from the circuitry, often seen as electromagnetic interference or as supply-rail fluctuations, to reveal information on the data being processed. With a large number of traces – 10,000 or more – statistical tools can locate samples that provide the strongest clues. Countermeasures can hide these telltale transitions, although they may fail to disguise all the operations. These attacks can be difficult to fight because they focus on elements of circuit design that are assumed to be well behaved in a system that passes its manufacturing tests. If successful, attacks like this can compromise an entire network of devices if a private key is exposed, or access to a privileged account is gained.

Other attacks take advantage of temperature and voltage responses. Attackers can heat an SoC to trigger errors or cool the device to trigger other faults. Attackers will experiment with voltage levels to see how the victim device reacts up to and including temporary brownout conditions. Another option is clock glitching attacks. An attacker can modify device clocks directly if external clock sources are used. Clock glitch attacks are relatively cheap to carry out and are even featured modes in off-the-shelf kits such as the ChipWhisperer.

There are more sophisticated attacks that use electromagnetic (EM) radiation and lasers to generate faults. Less obvious targets include inputs like the vibration sensors that protect the magnetic disk read heads from damaging the surface of the platters underneath. If fed with strong low-frequency pulses, the controller could misinterpret the incoming vibration readings with the result that the heads would damage the magnetic coating and destroy the data it contains and so will endeavour to prevent this from happening, resulting in a denial of service (DoS) attack. Some hacks take advantage of the distributed nature of many systems. Automobiles, for example, use a network of sensors that feed into electronic control units (ECUs) and are vulnerable to attacks where a compromised module or one that has been inserted as a Trojan into the network can generate false signals. The vehicle controller area network (CAN) typically has no way to check the authenticity of messages passed along the bus.

Countermeasures

There are many possible countermeasures that implementors can decide to incorporate into their designs. The key to handling them is having an infrastructure that is secure, adaptive to different forms of intrusion, and responsive. It must also operate independently of the main system logic so that it can react to events while target subsystems come under attack. Designers can use commercially available embedded transaction-aware monitors that connect using a message-based architecture.

This framework makes it possible to integrate a wide range of system-control, debug and security-monitoring cores. For example, a Bus Sentry module can identify and immediately block suspicious communications within the chip. Other providers offer monitors that continuously check clock, voltage, and temperature within the SoC. By tying the monitors into a cross-chip infrastructure, SoC integrators can not only react to specific intrusions but combine information from multiple sources as well as locally stored history to tune the response as necessary. A complete on-chip security infrastructure is shown in figure 3.


Fig. 3: A complete on-chip security infrastructure.

Summary

As malicious actors have shown with their attacks on real-world systems, information is power. With a full-chip security infrastructure that incorporates smart controllers with both analog and digital sensor modules, SoC integrators can use their access to real-time information to turn the tables.

Cyber attacks that circumvent traditional security measures can be detected and prevented through the use of a comprehensive hardware-based cybersecurity infrastructure that combines embedded on-chip analytics with advanced on-chip analog monitoring IP.

Additional resources
Technical paper: The evolving landscape of SoC vulnerabilities and analog threats



Leave a Reply


(Note: This name will be displayed publicly)