Designing And Securing Chips For Outer Space

Utilizing what’s learned in automotive designs to make devices in space more reliable.


Design considerations for hardware used in space go far beyond radiation hardening. These devices have to perform flawlessly for years under extreme temperature variations, while potentially being banged up by space junk or other particles floating in the void over their projected lifetimes.

Reliability in space adds a whole different set of design considerations. For example, while it’s unlikely anyone will physically tamper with hardware once a device is launched into space, there are other ways in. Communication can be disrupted, data can be stolen, and malware can be uploaded remotely. In addition, component failures or degradation due to particle collisions or aging can open new avenues for attack that didn’t exist at launch. And because it’s difficult to repair these devices, particularly if they’re unmanned, they must be highly secure the first time around. That’s a challenge particularly for long-life devices, because cybersecurity is a constantly evolving field.

Off-gassing is another issue that needs to be considered. “When things go out in space they are operating in a vacuum,” said Ian Land, senior director of aerospace and defense vertical solutions at Synopsys. “We introduce a lot of gases within the manufacturing process for semiconductors. Once it’s up in space, you actually can see the gases coming out of the metal in the packaging and the metal in the die itself. That gas can impact the packages within. In the old days, people used to do hermetically sealed packages to manage the off-gassing. Now what we do is create a package that allows off-gassing. It’s exposed to the environment, but it’s also designed to manage that situation.”

There’s also an issue with limited volume. For high-performance space flight computers, chips likely will be custom designed in limited quantities, with maximum radiation tolerance. That often involves several processing elements performing the same calculations. If one processor’s results are different from the other two, the outlier calculation is dismissed as an error. Ideally, all three will return the same result, but making sure that happens over time requires good modeling and strict manufacturing processes, because there is not enough volume to work out the kinks, and it’s too expensive and difficult to replace devices that don’t work correctly.
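The three-way voting described above can be sketched in software together with a small fault-injection run that shows what it masks and what it does not. This is an added example, not code from the article or from any vendor it quotes; `tmr_vote`, `inject` and the sample value are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t value;   /* bitwise majority of the three replicas */
    int outlier;      /* -1 all agree, 0..2 lone dissenter, 3 no two agree */
} vote_t;

/* Hypothetical voter: three replicas of one 32-bit result in, voted result out. */
static vote_t tmr_vote(uint32_t a, uint32_t b, uint32_t c)
{
    vote_t v = { (a & b) | (a & c) | (b & c), 3 };
    if (a == b && b == c) v.outlier = -1;
    else if (a == b)      v.outlier = 2;
    else if (a == c)      v.outlier = 1;
    else if (b == c)      v.outlier = 0;
    return v;
}

/* Inject `faulty` (1 or 2) replicas with the same single-bit flip, for every
 * choice of replica and bit position (96 runs). Returns how many runs yield a
 * wrong voted value. */
static int inject(uint32_t golden, int faulty)
{
    int wrong = 0;
    for (int pick = 0; pick < 3; pick++)
        for (int bit = 0; bit < 32; bit++) {
            uint32_t rep[3];
            for (int r = 0; r < 3; r++) {
                /* faulty==1: only replica `pick` is hit; faulty==2: all but `pick` */
                int hit = (faulty == 1) ? (r == pick) : (r != pick);
                rep[r] = hit ? golden ^ ((uint32_t)1 << bit) : golden;
            }
            if (tmr_vote(rep[0], rep[1], rep[2]).value != golden)
                wrong++;
        }
    return wrong;
}

int main(void)
{
    uint32_t golden = 0xCAFEF00Du;   /* constructed sample result */
    printf("single-replica faults escaping the voter: %d/96\n", inject(golden, 1));
    printf("two-replica same-bit faults escaping:     %d/96\n", inject(golden, 2));
    vote_t v = tmr_vote(golden ^ 1u, golden ^ 2u, golden);  /* two different bits */
    printf("different-bit double fault: value ok=%d outlier=%d\n",
           v.value == golden, v.outlier);
    return 0;
}
```

A fault in one replica never changes the voted value, while the same bit flipped in two replicas always does. When two replicas fail in different bits, the bitwise vote is still correct but no two words match, a condition a health monitor should record rather than silently accept.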

“You need to make sure the designs you build are working like platforms,” said Frank Schirrmeister, vice president of solutions and business development at Arteris IP. “You have to figure out how everything interfaces with the system, and even more so from a safety perspective in space. The space-related domains that look for predictability and repeatability of the process are sometimes more successful in applying higher-level techniques like model-based systems engineering, because what they want to simulate early in a project isn’t driven by the next consumer cycle. It has to adhere to very specific safety and security requirements. That predictability becomes very important because of the sheer complexity of what’s going on in. They are looking at traceability of requirements quite a bit more deeply than other domains.”

Full-custom electronics can be designed for the highest radiation tolerance attainable. Yet many of the chips used in outer space are not high-performance processors, and often perform more routine functions.

In the past, this was done using mature-node chips that were radiation hardened. But in a recent technical paper, Oak Ridge National Laboratory researchers examined how wide-bandgap junction-gate FETs used for sensing, instrumentation, and communication in low-earth orbit and deep space compared to chips designed in CMOS. They concluded that these wide-bandgap junction-gate FETs were superior in terms of safety and reliability, and that they performed well much longer than their silicon counterparts.


Fig. 1: Existing and new options for rad-hard electronics in space. Source: Oak Ridge National Laboratory

Security issues
Cyberattacks add another consideration in designing chips for space, because once launched, many of these devices will be sitting unattended for years with no immediate protection. As with cars and trucks, software in satellites and other space electronics needs to be updated to keep pace with new security threats, as well as to provide workarounds in case of hardware or firmware failures. But in space, this takes on additional challenges.

“The whole notion of over-the-air updates to be able to make changes becomes a topic, as well,” Schirrmeister said. “Digital twinning is especially relevant in this domain, certain aspects of which are more verification-related, and others that do things like predictive maintenance.”

In space, security can involve a physical or cyberattack, and systems need to be designed to cope with any event. “Hardware security is becoming more important, and it’s really application-dependent,” said Land. “It’s an area of customization based on how exposed we think these things are. If there is a trusted supply chain including logistics, then hardware security is low concern. But if it’s ever sitting out in shipment, then you need to concern yourself with hardware attacks.”

Safety and security are heavily interlinked. “You always have the question, ‘Where will they attack the system?’” said Schirrmeister, adding that system safety can in some cases simultaneously address some security vulnerabilities, thereby creating a “security halo effect.”

Keeping memory safe and secure is a particular challenge. “Getting down to the chip level to look at memory and memory access and do the appropriate verifications is very important. You can even think about things like tagging these transactions to figure out if there’s anything non-kosher happening in that context.”

Space security can be framed in terms of six concepts — predict, prevent, detect, withstand, respond, and adapt.

“It’s a matter of understanding what has been done so far and then anticipating what can be done to thwart existing and future attacks,” Land said. “If we can imagine what they’re going to do, we can put prevention mechanisms in place to stop that from happening. We can withstand threats through techniques like isolation, so that if a threat gets into the region, you still have a more sensitive region that is protected. You have to respond, and then ideally you have a way to adapt in the future over time. Every day we’re thinking about how to manage security, manage space, and manage those things together.”

Fortunately, a fair amount can be predicted about which threats are most likely to target space hardware. Physical attacks and power-glitch attacks are unlikely once the hardware is in space, but they are possible while the device is still in the lab. Remote attacks, including remotely activated targeted faults, are one of the primary cybersecurity concerns.

Assessing these attacks requires another conceptual framework. “We concern ourselves with things like the severity of the attack versus the likelihood of the occurrence,” said Land. “Once we understand that level of detail, the next level is hardware, software, and then security over time. As people get more time to attack a device, they get better at it. Typically, this is done in a lab on the ground, but we have seen instances where devices are attacked remotely after getting through a network, and some piece of equipment is controlled in an unintended way.”

Land noted the same methods for targeted faults can be used for fault management, in general. “We can use things like fault injection to understand the impact of that targeted fault. We can do things like put in beneficial insertions of code, and/or sensors and entities, so that things can’t get attacked. We can separate regions on the device so that more sensitive regions are more isolated from the outside world than the inside world. We can run a number of tests in prevention of attacks, and then we can also do monitoring and sinking of those attacks while they’re in service.”


Fig. 2: Hardware security challenges addressed by fault injection. Source: Synopsys

In a paper presented at GOMACTech last year, Land and Meirav Nitzan, now director of engineering at Qualcomm, concluded that safety and security lessons gleaned from the automotive industry also can be applied to the aerospace and defense industry. Among the relevant critical standards on the aerospace and defense side are DO-254 (Design Assurance for Airborne Electronic Hardware), DO-178 (Software Considerations in Airborne Systems), NTSS (NASA Technical Standards System), and MIL-PRF-38535 (IC Package Reliability).

In the paper, the authors discuss the usefulness of the fault injection technique for measuring the impact of random faults. They say the method can also be used to address malicious fault attacks on silicon. The technique begins with fault reduction, in which both static and formal analyses are performed.

Land noted that Synopsys is working with DARPA on the Automatic Implementation of Secure Silicon (AISS) program to enable designers to easily add security to devices, including those destined for space. “The worlds of space and security are rarely boring. The bad guys are really smart. The things they do are really clever and innovative. It’s an interesting challenge to be on the other side.”

Conclusion
Electronics used in space used to be relatively simple, based almost entirely on chips developed at mature nodes that were proven in space. But as devices sent into space become smaller, lighter, and much more capable, chip design is taking on a whole new level of complexity that involves new materials, new capabilities, and many more sensors with localized compute. Designing chips for this space is likewise changing to make these devices more predictable, more resilient, and much less expensive.

Future designs for chips in space may look very different from chips developed in the past. Radiation hardening could well happen at an advanced package level in multi-chip designs, or these chips could be built using different substrates and architectures that are hitting mainstream due to developments in automotive applications. Either way, electronics in space are about to become as advanced as those on Earth, and they are likely to face many of the same kinds of issues involving variation, accelerated aging, and security risks, as well as some additional ones that are specific to space.



2 comments

Akshay says:

What about Si nanowires for the radiation hardened electronics? If it’s plausible, would it prove tough for SiC and GaN to sustain further as Si nanowires offer the best of SiC and GaN, if I ain’t wrong?

dick freebird says:

Consider the effect of a single heavy ion, on a nanowire.

The damage radius of a particle track in silicon well exceeds nanoscale and a single wire impacted, will be broken (low odds, but fatal).

I have seen thin film resistors at multiple microns width, “creep up” staircase-style with particle fluence as bits of resistor body are “cratered”.

Nanowires also maximize the impact of abutting insulators, on the conducting (or, you wish, not) features of the core device. You will see greater TID induced VT, leakage drift on min-W devices, than wider as “edge effects” assume a greater portion of the whole’s behavior.

Not to say you couldn’t engineer past all that, but falling off a log, it ain’t.
