Implementing agile security to protect a product for its entire lifespan.
There’s no doubt we live in a world where technology is highly intertwined within our daily lives. It has become pervasive in our homes, our automobiles and, critically, at our work. With so many access points into our lives, we’ve not only become extremely vulnerable to data collection, but more devastatingly, hackers. Today, hackers have more time, resources, available training and motivation to disrupt our security than ever before. Combined with the evolution of quantum computing,1 our current security implementations are quickly eroding. Thus, it is critical we start thinking about solutions that are agile and long-lasting.
Still not concerned about vulnerabilities? Consider our recent past where popular IoT devices have been compromised. Devices as simple as our baby monitors, webcams, and even our automobiles have been hacked. In 2015, IBM researchers were able to penetrate the software of a Jeep SUV and take complete control of the vehicle, in turn causing the vehicle to crash.2 Interested in learning more about how vulnerable we really are? Check out CISA’s (Cybersecurity Infrastructure Security Agencies) current Known Exploited Vulnerabilities Catalog.3 As IoT devices continue to infiltrate our daily lives, we must consider ways to improve their security. Especially considering that we rely on many of these, like automobiles, to be a part of our lives for many years.
If not already considered by manufacturers, a product’s longevity may be dictated by the quality of its security capabilities. Chip manufacturers must scrutinize every security decision made today and evaluate if it can uphold the lifespan of the product. That may be a seemingly impossible task, unless you consider the ability to dynamically evolve your security solution over time – a term often referred to as “crypto agility.”
Many chip manufacturers may consider implementing agile security in software. But in most cases, a hybrid solution, where hardware and software work together, may be more robust. Especially when data throughput exceeds processing capabilities. In these cases, more stringent solutions may be required. Many ASIC vendors will implement novel hard solutions, however anything that is fixed in implementation is subject to violation, especially in a post quantum compute (PQC) era where algorithms can easily solve these mathematical problems.4 Q-day is something that should be on the mind of every chip designer.
Furthermore, this goes beyond the cryptography engine’s capabilities. For products that have external interfaces to the world, security is paramount as these interfaces can be the intrusion point for the hacker. This includes access ports to a device, which include input/output ports, sensor inputs and communications interfaces. Not only is it important to audit these interfaces, but also disable them when not being used, thus minimizing the attack surface.5
Lastly, governments are working on policies that will mandate chip manufacturers to conform to new security standards. Consider that both the EU and USA are both working on policies that expect compliance as soon as 2025. In the EU, it is known as the Cyber Resiliency Act6 and in the USA it is the CISA (Cybersecurity Infrastructure Security Agency).7 Thus, any product developed for each of these markets will have to conform to these regional requirements. In fact, this will likely extend to every nation or region soon. Once again, illustrating how valuable a flexible and dynamic solution can be.
While all of this seems like an impossible problem, a hybrid solution may be the key to providing long-lasting product security.
FPGAs (Field Programmable Gate Arrays) have re-programmable logic that have long been used to prototype and implement cryptography solutions. Algorithms like elliptic-curve cryptography (ECC) and others can be efficiently run on FPGAs due to their parallel processing capabilities. In fact, FPGA architectures can accelerate these algorithms by over 30 times faster than software-based implementations,8 which make them highly efficient with low latency – perfect for IoT applications.9
For an example, let’s take a look at how efficiently an AES256 core fits into Flex Logix’s EFLX (embedded FPGA) technology that can be implemented into any SoC or ASIC. Below what you see is a AES256 IP Core fitting into two EFLX4K eFPGA tiles. At a 7 nm node, this IP runs with a throughput of over 2Gbs.
Beyond accelerating cryptography functions, programmable logic can also be used as a coprocessor accessed through custom instructions. Many processors, including ARM and RISC-V, support such instructions. Highly complex instructions can be accelerated and easily called by software.
In addition to supporting parallel workflows, FPGAs also support pipelined flows very well. They can perform real-time, in-line data (packet) processing for monitoring, detecting and removal of malicious intrusions. This implementation gives the absolute highest level of performance and fastest response time which is critical not only in IoT systems but also networking applications where distributed denial of service attacks can cripple systems. FPGA’s field re-programmability allows the product to adapt as the dynamic nature of these protocols and threats change so quickly.
Finally, there is one more key element to protecting products and that is the concept of minimizing surface attacks. Surface attacks can come in many forms, including from exposed, unused hardware interfaces. Again, due to the adaptable nature, FPGAs can completely disable unused and vulnerable interfaces, preventing access into the device.
While standalone FPGAs can solve some of these problems, embedding this technology into your chip has many advantages.
First, and foremost, you save cost and power as standalone FPGAs are expensive and power hungry. In fact, you can save up to 90% of the cost and 85% of the power compared to a standalone FPGA implementation. Moreover, Flex Logix’s flexible EFLX FPGA tiles allow you to customize your implementation to exactly what you need, making it the most optimized solution.
Second, you completely eliminate the supply chain. In many cases, Zero Trust assurance is critical. And supply chains are where most products become vulnerable.10 By implementing this technology directly into your chip, you not only eliminate the supply chain of these devices, but also eliminate the vulnerabilities that come along with a discrete IC, including cloning, overbuilding, side channel attacks, spoofing, bitstream interceptions and many more.
Third, Flex Logix IP can be ported to any node, further increasing the efficiency of the design. Flex Logix has ported eFPGA IP to more nodes than any other supplier, including the following nodes: 40nm, 16nm, 12nm, 7nm, 5nm and 3nm coming soon.
Fourth, integration into your chip gives the absolute fastest interface to this IP. No need for external chip interfaces like PCIe, Ethernet or high-speed I/O. And things like custom instruction acceleration are greatly increased by having the IP immediately next to your processor instantiation.
And finally, integration also means obfuscation and reserving part of your design that no one can decipher, clone or intercept as the IP can be completely configured internally to the chip and post manufacturing.
Considering current and future security landscapes and their associated challenges, providing a dynamic and flexible solution may not only be the perfect solution, it may become the required solution. There is no crystal ball that tells us how to build a product that can provide a long-lasting security solution. Thus, to protect your investment and your customers, considering a silicon-proven, programmable solution that complements security solutions and very well may hold the key to a long-lasting product!
Want to learn more about Flex Logix EFLX IP and security solutions? Contact us at [email protected] to learn more or visit our website flex-logix.com.
References
 |
 |
 |
 |
 |
 |
 |
 |
 |
Leave a Reply