Defending Against Reverse Engineering

Even the most benign devices can provide a security risk. What happens when you remodel a house and don’t deactivate a “smart” device?

popularity

Most of us are familiar with the term “reverse engineering.” We generally know that it is used to extract data or designs from chips, but exactly how is pretty much a mystery.

Today, chip security has very broad implications. The landscape of tomorrow will be cluttered with devices that are microprocessor-controlled, including some that are autonomous. Numbers vary, but the current estimate is more than 30 billion devices by 2021, according to an IDC report. And at least right now, very little has been done them secure and out of the hands of hackers.

A monumental risk
Each of these devices will have at least one chip of some sophistication, and they will be connected to someone’s life. Even “intelligent” bathroom cabinets can tell you it is time to restock toilet paper. That may sound benign enough, but if the bathroom is remodeled and that cabinet is discarded—and the chip isn’t deactivated—it is quite likely that chip can become a security hole into one’s personal life, dragging along everything that is attached to it. Extrapolate that to the 30 billion or more devices and you can imagine how large this problem can become.

With this in mind, there has to be some sort of forethought put into this ecosystem that keeps data secure, and defeats potential hackers and criminals from compromising such chips, especially in the light of the impending evolution to the Internet of Things/Everything (IoT/E). As the world prepares for IoT/E, the proliferation of autonomous devices will offer up a smorgasbord of opportunity for hardware chip attacks.

New places and faces
With today’s bleeding-edge technology, reverse engineering (RE) has metastasized from the research labs, high-value government projects, and ultra-proprietary business secrecy into the hands of just about anyone who wants to get it.

Much of what is likely to be reverse engineered isn’t the latest and greatest crypto processor. That is a specialized niche and reserved for the upper echelons of the spy game. It is more likely to be a smart phone SIM card or those smart bathroom cabinets of the future.

“We have seen an explosion in the usage and efficacy of reverse engineering due to increased value of what’s at stake,” said Ambuj Kumar, system architect at Cryptography Research. “Today, multiple billions of dollars of revenue (including razor blade model industries such as printers and medical supplies) are vulnerable to reverse engineering and cloning attacks.”

And this threat isn’t just from terrorist cells or secret government labs. It’s simple enough that some of it is identity theft, spearheaded by a ring that has set up a boiler room operation a garage somewhere. The goal is to steal as much personal data as possible from unsecured chips, using methodologies and techniques that are cheap with materials that are readily available.

With that in mind, a handful of companies (Rambus, NXP, ChipWorks, for example), have become well versed in the field RE. They’re also active players on the bleeding edge of finding ways to defend against it. Some, like ChipWorks, have been doing just that for many years. Others have risen to meet the challenges that are appearing on several fronts.

Defusing RE
There are two types of analysis methodologies – hardware and software. Hardware analysis involves physically breaching the chip with probe and analyses responses; analysis of timing and power signatures; delayering, imaging, and schematic generation; and focused ion beam (FIB) circuit modifications. Software RE is generally the process of extracting and analyzing embedded codes and chip functionality.

Defending against various RE methodologies is a fairly well documented process. But the cost of defending against RE is proportional to the level of defense, which poses a conundrum at the lower end of chips. At the top are the super-secret processors that are embedded in state-of-the art defense systems, or banking hardware. For such systems, millions of dollars are spent to secure such devices from RE.

“Most security architects that deal with these devices try to make it as expensive as possible to get at the data – so expensive that it just isn’t economically worthwhile to go after,” said Randy Torrance, circuit analysis manager at ChipWorks.

Because attackers often probe and exploit component interfaces, it’s best to design with the the assumption that interfaces and intermediate data (such as off-chip DRAM, flash storage or network traffic) are not secure either.

“A system is only as secure as its weakest link,” says Cryptography Research’s Kumar. “It’s not sufficient to secure software components from software attacks and hardware components from hardware attacks.” He said that in one common scenario, attackers perform reverse engineering to mass produce a clone of a high-margin product. Examples include chips for authenticating network infrastructure, enforcing compatibility policies in printer toner cartridges and medical devices, and other consumables.

The most effective defenses address the attacker’s reverse engineering process. For example, in the above scenario, the attacker must successfully complete all of the following tasks: (1) extract protocols, functionality, and algorithms, (2) extract keys and sensitive parameters, and (3) commercialize an attack. Each of these steps has certain costs associated for the attacker. Kumar also noted, “Another good strategy is to use device specific keys and revoke and update them when they are compromised.” That immediately renders all the effort of the attacker ineffective.

At the high end, security chips are designed with very sophisticated algorithms using high-level encryption, making it difficult to decode even if successfully extracted by RE techniques. One method uses a software-encrypted algorithm stored in a chip’s memory that erases itself if breached. There also can be physical deterrents such as optical sensors that cause the chip to erase memories if light is detected by opening the case, for example.

For side-channel type RE attacks, the defense is uniformity. Ramesh Karri, professor in the Department of Electrical and Computer Engineering at the Polytechnic Institute of New York University (and this year’s chair of the security track at DAC), gives this piece of advice: “Design the chips so that the algorithms all consume the same amount of power, and that timing is the same for each function. Furthermore, ensure that there are no, or as low a level as possible, leaked RF radiation signatures. The ideal scenario is to have the lowest-power platform you can. That way you don’t consume much power and don’t leak as much either.”

He noted that chipmakers also need to determine exactly what is sensitive, because they might not want to use these design techniques all over the chip. There are almost always some components that aren’t security-sensitive, so these measures may only be required for selective code, IP or data.

Another RE impediment technique is to place a resistive grid over the sensitive areas. Generally, the grid’s resistance is coded into the security platform, and if the grid is disturbed, the system senses the change in circuit values and will go into the self-destruct or erase mode.

Why aren’t we there now?
Many of these, and other defensive measures to secure the chip are plausible, and designable. However, Karri noted that just because we can do it, doesn’t mean we do. He says that “much of this is about to happen, but hasn’t happened yet, but it definitely is going to happen.” There are, of course, some exceptions to that but, in general, much of this is still on the drawing board.

“The industry needs to make the customer aware of just how critical the RE threat is and to convince them to incorporate them into the chip design,” he said. “Demand will be the driving factor.”

That may seem like a simple objective, especially in light of all the security threats of late. However, the chip market is very competitive, and adding security into a chip adds cost. In fact, when it comes to inexpensive chips such as SIM and RFID, the cost of the securing it can be more than the cost of the chip. “A change of mindset is the first step to get some traction in this area,” Karri said.

Moreover, levels of security vary. But every effort in this direction makes it more difficult for the attacker to compromise the chip, and there are many different sweet spots across the chip landscape.

Conclusion
We all know that chip security is something we will need to address. “While the technology may exist, very little exists in the physical world as of yet,” Karri said. “In my opinion, it will be 5, maybe 10 years, before we see a significant infrastructure investment of security at the silicon or microchip level. This is a very import design dimension, especially with the IoT, because everybody will have access to everything once that becomes a reality.”

One consideration is the proliferation of apps for every smart device out there (and app devices continue to emerge – Google Glass and Beats headphones, for example). Many, if not most, will be near-field communications (NFC), RFID, or other close quarters (RF small cell, Wi-Fi) interconnect. Worrying about security later will cause huge problems sooner rather than later.

Finally, of, course, as all of this unfolds, the hacker will become more prolific, smarter and have a better arsenal of tools at their disposal. So in the end, the global solution is to “increase the cost and difficulty to the point that expected ROI for an attacker is not attractive. That includes preparing to deal with if/when a part is reverse engineered.”

Taking all of this into consideration and looking at it from a detached perspective, if we’re not ready with a solid layer of security when the IoT/E, CoT rolls out…well, one can only imagine the potential chaos that might ensue.