How Secure Are Analog Circuits?

Multi-die assemblies enable more analog content, but that adds new security vulnerabilities for which there is little available research.


The move toward multi-die assemblies and the increasing value of sensor data at the edge are beginning to draw attention to, and raise questions about, security in analog circuits.

In most SoC designs today, security is almost entirely a digital concern. Security requirements in digital circuits are well understood, particularly in large data centers and at the upper end of edge computing, which are dominated by digital computing. This is largely a function of limited on-chip real estate, because analog doesn’t scale. Even mixed-signal IP has become progressively more digital so it can fit into a smaller space. But as the industry shifts from planar SoCs to multi-dimensional, heterogeneous systems-in-package (SiPs, including 2.5D, 3D, and 3.5D), those area restrictions have loosened up.

That doesn’t make integrating analog circuits any easier, but process node and size are no longer the most pressing problems. Analog dies can be developed at whatever node makes sense and still fit into a package, which can be appropriately sized to handle larger dies. That, in turn, also could help increase the reuse of analog components.

There are other benefits, as well. Because some of those circuits can operate with greater independence — SiPs can be heterogeneous and globally asynchronous — they should be able to plug into multi-die assemblies much more easily than today. In addition, extra area can help mitigate interruptions to smooth analog waves, which are a challenge to isolate against noisy, densely packed digital transistors.

But that also exposes analog circuitry to potential cyber attacks in ways most chipmakers haven’t considered. Those attacks can occur on multiple levels, starting with the physical layers that are used to move and convert a growing amount of analog data to digital data.

“Chiplet I/Os are exposing some subsystem-to-subsystem communications that are usually really difficult to get to,” said Scott Best, senior director of silicon security products at Rambus. “If you have a security processor on one chiplet talking to a performance chiplet — and those two chiplets are separate and distinct, made by two different vendors and communicating over a multi-chip package — I now can tap into the communications between those two subsystems in a way I never had access before because they were all on the same SoC with 12 layers of metal and 10 billion transistors. When you look at a transistor array, the security processor was not set off from the apps processor with a very clear box around it. All of it was a hodgepodge of automated place-and-route and a massive sea of gates. Yeah, there’s a security subsystem in there, but it’s a billion transistors and the security module is 2 million of that. You could never find it.”

Compartmentalizing these different processors makes it easier to find the communication channel. “Some of the security-by-density that SoCs have had for a very long time are what I call signal entanglement,” Best said. “Now, those chiplet-to-chiplet interfaces need to have point-to-point security on both sides, because neither side of that chiplet link can be trusted anymore.”

While multi-die assemblies are not new, they are becoming more complex and feature-rich. This is due in large part to the need for more compute power, particularly for AI, and the inability to scale transistors enough to provide the density needed to achieve that goal. So far, nearly all of the chiplets used in these multi-die assemblies have been developed in-house, but over the next half-decade more third-party chiplets are expected to enter the market, pushing multi-die assemblies into the mainstream.

“One of the things people worry about in an open-chiplet marketplace is what happens if a bad actor creates a counterfeit chip that exposes the entire functionality to risk,” said John Koeter, senior vice president and head of Synopsys’ IP group. “So building in security for side-channel attacks is something we think is absolutely fundamental to making a chiplet era really work. By far the most common partitioning now is a compute die, an I/O die that has a mix of digital and analog components, surrounded by a sea of memory. Could more pure analog chips be mixed into that? Maybe, like a wireless chiplet, but we haven’t seen that yet because of the market segments where these chiplets are being used. Advanced packaging is expensive, and those types of applications that require RF can be more cost effectively put into a multi-chip module versus a 2.5D or 3D-IC package. Over time, as we see more advanced packaging at different cost points, you will see more and more heterogeneous integration that’s not just the traditional memory, I/O, and compute.”

Analog security at the edge
The spread of AI/ML into everything reaches well beyond SoCs and SiPs in data centers. The edge build-out is heavily sensor-driven, and because the physical world is analog, the analog data collected at the edge is increasingly valuable and needs to be secured.

“The first thing you have to do is make your sensor smarter, because it now has to be able to do a cryptographic operation,” said Erik Wood, senior director of product security at Infineon. “So there’s something called ‘time of use,’ or ‘time check at use.’ Essentially what you want to do is check the authenticity of the source while you’re taking a reading. That goes not just in the sensors, but the machine learning models, as well. Those models are primarily stored in external flash memory, and they’re done with an execute-in-place architecture. Each time you boot your system, you verify the authenticity of the code system-wide. But then, each time you want to conduct an operation with the machine learning models and do an XIP (execute in place) during runtime, you also do an authenticate/decrypt at the same time. You want to check everything as you’re using it to promote the trustworthiness of the whole system.”
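The check-at-use idea described above can be sketched as follows. This is an added example, not code from Infineon or from the article. It assumes a per-sensor HMAC-SHA256 key shared with the host and a monotonic counter for freshness, and the names `Sensor`, `Host`, `use_reading` and `outcome` are hypothetical.

```python
import hashlib
import hmac
import struct

FRAME = struct.Struct(">IQi")  # sensor id, monotonic counter, reading in millivolts
TAG_LEN = 32                   # HMAC-SHA256 output size
DEMO_KEY = bytes(range(32))    # constructed key, for illustration only

class Sensor:
    """Hypothetical smart sensor holding a per-device key (assumption of this example)."""
    def __init__(self, sensor_id, key):
        self.sensor_id, self.key, self.counter = sensor_id, key, 0

    def read(self, millivolts):
        self.counter += 1  # freshness: every frame carries a new counter value
        body = FRAME.pack(self.sensor_id, self.counter, millivolts)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

class Host:
    """Consumer that authenticates each frame when the value is used, not only at boot."""
    def __init__(self, keys):
        self.keys, self.last = keys, {}  # provisioned keys; highest counter accepted per sensor

    def use_reading(self, frame):
        if len(frame) != FRAME.size + TAG_LEN:
            raise ValueError("malformed frame")
        body, tag = frame[:FRAME.size], frame[FRAME.size:]
        sensor_id, counter, millivolts = FRAME.unpack(body)
        key = self.keys.get(sensor_id)
        if key is None:
            raise ValueError("unknown sensor")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            raise ValueError("authentication failed")
        if counter <= self.last.get(sensor_id, 0):   # stale or replayed frame
            raise ValueError("replayed frame")
        self.last[sensor_id] = counter
        return millivolts

def outcome(host, frame):  # accepted reading, or the rejection reason as a string
    try:
        return host.use_reading(frame)
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    sensor, host = Sensor(7, DEMO_KEY), Host({7: DEMO_KEY})
    frame = sensor.read(3300)
    print(outcome(host, frame), "|", outcome(host, frame))  # second use is a replay
```

The counter check only runs after the tag verifies, so a forged frame cannot advance the host's freshness state.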

Analog data in motion shares many of the same security issues as digital data in motion. “Security is basically about two things,” said Wood. “It’s about encrypting and doing all those things there. And then there’s the fault side of it — injecting a fault such that you can perturb the device and extract some information, or skip a step, like in your boot chain. Authenticating the next image is something that happens in a secure boot chain, where you can inject a fault such that the command for doing the authentication of the next image is disrupted. Therefore, you can load code that is not authenticatable, and you can take over the device. Sensors are a big part of that security. We have voltage sensors, temperature sensors, electromagnetic fault injection sensors, and light sensors. Those are analog circuits that do the sensing, and they degrade over time. That causes bias changes. You have increases in noise, hot carrier effects, and all these kinds of things that decay or degrade over time, or become less precise, and it’s the thresholds of those sensors that trigger the fault injection reaction.”

In some cases, those sensors are automatically recalibrated. That often is combined with some level of redundancy, depending upon the use case and the associated risk. But redundancy adds cost and impacts performance. “You’re counter to performance, to battery life, and to processing time,” Wood said. “I have a counterpart who owns software, and on his first day I told him, ‘Look, we’re not going to get along because I cause your software problems. I require things that you don’t want to do. It slows down and bloats your software.’”

In the past, analog security at the edge was largely managed by reducing the amount of analog content and relying instead on well-understood digital security methods. And because digital transistors are less susceptible to heat, response time to temperature fluctuations was less of an issue.

“You might start some attacks on the analog level, like heating up systems,” said Benjamin Prautsch, group manager for advanced mixed-signal automation in Fraunhofer IIS’ Engineering of Adaptive Systems Division. “That depends on how accessible your chip is and exactly what the goal of the attack is. You also might try to identify the circuitry itself, maybe using lasers to try to motivate some change in analog behavior.”

Today, most of that is still being dealt with on the digital side. But some of the same techniques should apply for pure analog content. “For example, you can use some monitors on the chip — assuming the monitors are secure and cannot be corrupted,” Prautsch said.

Different worlds
Digital and analog remain very different domains. Digital design engineers heavily leverage EDA tools, while analog engineers use them only sparsely. In fact, the greatest success EDA companies have had in tapping into the analog market is with mixed signal design that is heavily weighted on the digital side (big D, small A).

“EDA companies have been trying to bring digital closer to software,” said Warren Savage, researcher at the Applied Research Laboratory for Intelligence and Security, an affiliate of the University of Maryland. “Analog has resisted that type of mass adoption because you really need to have a good understanding of the physics, which is a somewhat specialized skill in electronics. The closest thing I’ve seen to anyone worrying about analog has been DARPA’s project around asynchronous technology.”

That project stemmed from an IP core developed by the University of Arkansas that used polymorphic asynchronous encryption. “It did AES (Advanced Encryption Standard) and SHA (secure hash algorithm) in the same circuit,” Savage said. “You could have the voltage at 1.5 and it would do AES, and then you could lower the voltage to 1.2 and it would do SHA. This type of polymorphic circuit is extremely hard to reverse engineer. It’s hard to figure out what it’s doing unless you know exactly what the voltage is at the time it’s doing it, and because it’s asynchronous, it’s very hard to do a side-channel attack because you have that power balancing going on all the time.”

That’s essentially using an analog approach for security itself. But the general idea is that instead of just a single approach to security, or even a layered approach to security, multi-die assemblies will add a whole new dimension of security challenges. That means analog needs to be just as secure as the digital components, and research needs to advance before analog chiplets become more prevalent.

“You need to have some sort of hardware security module that uniquely identifies all chips, whether they’re analog or digital chips, with a unique identifier so that you can authenticate them and trust them,” Synopsys’ Koeter said. “And that’s probably what we’re going to see in the future.”

Others point to similar approaches. “I don’t see we are doing more analog,” said Moshiko Emmer, distinguished engineer at Cadence. “What we are doing is moving a lot of concepts from intra-chip handling to an inter-chip handling, which sometimes involves analog I/Os, power supplies, and things like that. When we are looking at the integration of chiplets and security, we treat each chiplet not only as a subsystem, but also as a standalone chip. And from that sense, it has to be fully secured. You need to ensure the security of that chiplet within its boundaries, both hardware-wise and software-wise. And then you also need to look at the system level and see how you manage a system of secure chiplets. They can be on different security islands. So in our architecture we are looking at how to build such a system, where one of the chiplets is actually the system manager. There’s a central system chiplet that is managing the entire security in the system, and it can control other chiplets.”

Safety-critical systems
Where this becomes particularly important is in safety-critical systems. The automotive and mil/aero markets have been promoting the idea of chiplets and sensor fusion for the past decade. Now that chiplets are shown to work, at least some of the focus has shifted to how well they work at any point in time. For analog chiplets, that kind of monitoring is largely about keeping the “eyes” open in a circuit. (See fig. 1, below)

Fig. 1: Multiple eyes in long-reach SerDes PHY. Source: Rambus

“There are aging counters that know this chip’s getting a bit older in the tooth and I need to dial down my clock performance because I know that offsets have accumulated over the last 5 to 10 years of operation,” said Rambus’ Best. “Maybe I need to dial down performance. There are sensors for temperature to be able to know what you need to set things at for voltage that’s coming in from the system. Is it too low? Is it too high? Is there something weird going on with the voltage? And in some security chips, there are light sensors to tell whether something is upside down and decapped on a lab bench underneath a microscope, because that’s the only way that light is hitting this substrate. So a lot of the analog circuitry is protected by analog sensor technology. But that begs the question, ‘Who’s watching the watchman?’ How are you protecting the sensor circuitry that’s protecting the more expensive circuitry?”

Conclusion
Analog and digital are very different engineering disciplines. Even where they come together in mixed-signal IP, the impetus for that combination remains largely digital. But several things are changing that will require chipmakers to take a much closer look at analog security. Among them:

  • Being able to develop chiplets at whatever process node makes sense has been a widely stated goal of multi-die assemblies because it can reduce time to market and reduce costs by re-using silicon-proven designs. This is particularly useful for analog components, but the impact on security is largely uncharted territory.
  • The value of analog data collected by sensors is increasing, particularly in automotive, defense, and aerospace applications. Those sensors can detect movement, light, heat, and vibration, and physical attacks such as thermal fuzzing can distort that data, which in turn can have dire consequences on how a car or fighter jet reacts to it.
  • The disaggregation of SoCs into chiplets will create more complex interactions and expose more interconnections. Hackers always will look for the weakest points of entry, and there is little history of how that will affect analog components such as PHYs or SerDes or sensors.
