Mathias Wagner, an NXP fellow and chief security technologist, talks about the latest thinking in security and how to foil attacks.
Semiconductor Engineering sat down with Mathias Wagner, NXP fellow and chief security technologist, to discuss the challenges in securing SoCs.
SE: Can we ever get a really firm handle on security issues in SoCs?
Wagner: No. There are too many papers on attacks and countermeasures that come out every year. In the embedded security field alone there are about 100 papers every year, so if you design a product in hardware—which takes about 1.5 to 2 years, and then the software on top of that, which takes another year—then you have missed out on 200 to 300 papers. In your architecture, you have to build something that is very forward-looking.
SE: So you’re thinking about this even before the chip is designed?
Wagner: Yes, you can’t just add this in later on. It doesn’t work. It’s like when you’re designing a co-processor. You start with a description of what you can do mathematically, and you add in algorithms and then you develop a model and then you begin implementing it. The functionality that comes out of it is a smaller part of the overall design.
SE: Do you start out really thinking you can keep any part of the chip safe, or do you begin with the premise that no part will be safe?
Wagner: The attacker will reverse engineer a chip and seek out any weak points, so you have to conclude there is no safe harbor anywhere on the chip. Everything is exposed, and everything can be undone with advanced machinery. The goal is to reduce the likelihood that an attacker would be able to overcome them all on a single die.
SE: Are we getting to the point where we need more vaults than in the past, particularly with the Internet of Things, multiple cores and cache and more I/O?
Wagner: The attacker has a certain amount of surface where they can attack. The early counter measures you can find in the books about spies.
SE: One of the balancing issues for security is cost. Can we bring the cost within reason to have good enough security?
Wagner: If you look at Internet payment, how many vendors are associated with a single card? If you design a system where you have one card and you can take the money from a million users, the incentive would be very high for an attacker. But if you restrict it to one card and the limit of the card is less than $1,000, then it probably isn’t worth it. The only remaining incentive after that for attackers is to get publicity.
SE: Money, sabotage and surreptitious theft are the three main areas we’ve heard about. Are there others?
Wagner: There is a fourth one that comes to mind—the software or hardware hacker who wants to prove they can do an attack. They see themselves as gods protecting society. That angle is not to be underestimated.
SE: Typically the hardware engineers weren’t part of this attack in the past. What’s changed?
Wagner: There are a few cases. And because there have been some attacks in the past that have been hardware, it’s shown that it isn’t hopeless. Now that people have been successful, there will be more attempts.
SE: What kind of tools are required for that?
Wagner: There are three different categories of attacks. One would be a cyber attack, so you’re listening in to power consumption or radiation coming off a chip and you try to correlate that with what you’ve used on a device. For that you need oscilloscopes and tools for analyzing it, so the costs are less than $100,000, plus the expertise. The second category is where you design an attack with a laser and you basically irritate the chip. It’s like an extra current. You hit it with a light, and what was supposed to be a zero is now a one, or the other way around. If you look at this way, you can change program code. So suddenly the program is not executing the way it’s supposed to and you can figure out how it was coded. What you need there is a good laser system. That may cost $100,000, plus with the other equipment around it will be about $200,000. The third category is where you go at the chip layer by layer, grinding and extract the electric circuit out of images you have taken from the chip. It shows where things can go. You need tools to cut wire and to create new wire, a probing station to put meters on the wire, and that gets really expensive. For that you’re looking at $500,000 or so.
SE: Once you understand what a chip is doing, you understand where the weaknesses are. How big a threat is the supply chain in creating a back door?
Wagner: These are Trojans, and these kinds of efforts are funded by the Defense Department. These are not that big a threat yet, but that may change down the road. The chip is very complex, and adding extra circuitry and still making sure it works is difficult. It’s easier to change the software that gets onto the circuit.
SE: Isn’t that what happened with Stuxnet?
Wagner: Yes, it’s a different route but the software is easier to add in than the hardware.
SE: How much harder is it to secure a complex SoC?
Wagner: It’s much harder. Coping with increased complexity is essential here.
SE: The only way the semiconductor industry has been able to reduce the cost of chips is through automation. But if everything is new, and there are 100 new papers a year, then you’ve got one-off solutions that are required. Does it just get more expensive as we go forward?
Wagner: The complexity goes up and we have more work to do, so designs do take longer. We have not managed to keep the same pace and throughput over the past year. There is a concern the certification scheme needs to be revised to cope with this increased complexity. In a few years, we expect there to be a bottleneck.
SE: If we can’t keep up, how do we manage to move forward?
Wagner: You really need designs that are inherently robust. You need to think about this not just in terms of individual attacks, but in terms of classical attacks. So you can think about very early countermeasures, where you are trying to make a constant power source so you cannot detect any leakage from the outside. Then someone came along and asked, ‘Why not measure the radiation coming off the chip in a very local way?’ When you do that, you find the power consumption is not consistent. It was too specific. So you need other countermeasures that are more localized to deal with leakage, whether it manifests itself as magnetic or power or temperature or light. If you can mathematically adjust this so you’re only looking at averages, that’s meaningless to the attacker. There’s no point closing one door if three other doors are open.
SE: So unlike data centers, where they’re trying to spot aberrations in network traffic, you’re trying to disguise these aberrations on a chip?
Wagner: That’s correct.
 |
 |
 |
 |
 |
 |
 |
 |
 |
Great article!
Regarding the increasing design complexity, how do you think that the development of secure IPs could be done in an automated way? Moreover, how could you verify the security of your chip if you are working in a “forward-looking” architecture which was not exploited yet?
Caio Campos
Jasper Design Automation
Designing secure IP in a fully automated way will not become reality in the next few years. What does help, though, is to look at ways to counter entire classes of attacks with a single countermeasure. So, avoid the concept where each attack requires its own plaster, resulting in hundreds of plasters, and instead look deeper and tackle the root causes that allow attacks in the first place. For the side channel attacks mentioned, this means that we want to transform the crypto algorithm with nice mathematical tricks in a certain way so that the information leakage that a side channel attack is trying to exploit does not exist in the first place. Then it does not matter, if the attacker tries to measure the power consumption as a side channel, or the electromagnetic radiation coming off the chip, or the light emission of hot electrons. Or some other side channel I am not even aware of yet. As designer I have tackled the issue at the roots. This is one example of a forward-looking architecture. Another example, which is more pertinent to the fault attacks with lasers and the like is that most attacks leave some “marks” on the chip in the sense that the chip has a chance to detect some inconsistencies, for instance. Then the chip can shut down for good, without having to “understand” the attack in all its details. This will also work for many new attacks.
Intriguing ideas about the side-band attacks! Let me tie your last point about making the chip “tamper aware” and/or consider a more fundamental, architectural question: what’s your feeling about applying mathematical algorithms to the RTL description of the hardware they would exhaustively prove or disprove the absence/presence of data leakage paths?
[…] To read more, and to find out how Mathias addresses the need to balance security with cost constraints, visit Semiconductor Engineering. […]