The Next Big Threat: Manufacturing

The business adage that you’re only as good as your partners should be a core principle of doing business when it comes to security. But with a complex SoC you don’t always know all your partners, who financed them—or worse, who else they’re working with or working for.

Consider this scenario: A band of sophisticated thieves grinds off the top of an SoC package, inserts probes to map the current, determine what turns certain segments of the chips on and off and all the possible I/O configurations, then dumps an underpriced component on the market to win a place in that SoC. It’s all legal. The only problem is that component has a back door, and it’s been put into a chip that shows up in millions of consumer devices or point of sale computers or perhaps even a military application inside a fighter jet.

It may sound like something out of a Hollywood action movie, but this and similar scenarios are keeping a lot of people awake at night worrying about when they’re going to witness a problem like this and just how big of an impact it will have.

There are four main areas in chip development that are particularly worrisome to security agencies and companies, and at this point there are holes in the security and tools around all of them.

Design risks
The increase in third-party IP from small and relatively new vendors has ignited concerns in multiple security agencies around the globe, particularly in markets where there are a lot of startups and price defines success.

“For every IP block, you test it before you incorporate it into the design said Serge Leef, general manager of the system-level engineering division at Mentor Graphics. “But no one asks the question, ‘What else can it do?’ You have to tune your tools to see if it can do different things.”

Known alternately as sleeper cells and Trojans, this extra circuitry has been around for years, but until the explosion of third-party IP it was almost impossible to inject into the supply chain. Moreover, previous versions required activation via a physical network or software. With the proliferation of wireless connectivity, that’s no longer an issue. Even worse, an increasing number of components are always on and always listening for a signal to wake up other parts of a chip.

“A malicious Trojan can hijack a bus or lock up traffic on a business,” said Leef. “But it also can do more subtle and undetectable things.”

It’s those other things that are particularly scary. The U.S. Department of Defense recognized this threat, publishing multiple documents in the past year that regulate suppliers of critical components, calling on all agencies to review those suppliers and establishing the right to bar suppliers from contracts without stating why. The latest one is here.

“Government and industry have very different perspectives on this topic,” said Bernard Murphy, chief technology officer at Atrenta. “For government, it’s a research topic. For industry, it’s a real threat. This is topic No. 1 for a lot of people.”

But even for approved government contractors, managing their access to information is a thorny issue, as evidenced by the classified documents leaked by Edward J. Snowden. And the steady stream of acquisitions, particularly in the IP industry, only make this tougher.

“Most customers are concerned about secret projects they are working on for the government and there are only a certain number of people who are allowed to access data for those projects,” said Srinath Anantharaman, CEO of Cliosoft. “But it needs to be set up so other users can’t access that data. That’s not always the case.”

Free circuits
Perhaps even harder to track is the threat of extra circuitry added during tapeout of an SoC. This is partly due to the sheer complexity of chips. With billions of transistors, multiple power modes, and processors and memories scattered around a chip, it’s impossible to know every component that’s supposed to be there and identify those that weren’t part of the design.

This is compounded, however, by the tacit freedom given to foundries to make sure a chip can be manufactured with sufficient yield to improve the business prospects for both the chipmaker and the foundry. A chip that doesn’t yield impacts the bottom line of both companies, while a successful chip can add to the fortunes of both. But what happens when a small specialty foundry adds circuitry into a chip?

“There’s always a fine line where some manipulation by the foundry is okay,” said Mentor’s Leef. “But there also are reports of unexplained silicon structures being found. One possibility is that you get a chip that optically looks like a regular chip but performs the function of the original chip—and more.

Overproduction
Another risk is that instead of producing 10,000 chips, a foundry produces 20,000, with the rest ending up on the black market. This is blatant theft of IP. Rather than stealing secrets out of a chip, it’s a matter of stealing the entire chip—thousands or millions of them—along with a potential market.

This kind of threat isn’t particularly severe for companies with their own fabs, such as Intel, or with those that use large foundries such as TSMC, UMC or GlobalFoundries. But there are a lot of chips that are produced by smaller specialty foundries where manufacturing controls aren’t quite so well regulated.

Companies didn’t want to talk on the record about this, but it’s one of the most cited fears among chipmakers we interviewed for this series.

Test
Perhaps the least understood connection is between security and test, and it’s one more possible place to find valuable data about a design—particularly how and where it’s secured.

“If you’re feeding data through scan cells you can figure out the internal security mechanisms,” said Greg Yeric, senior principal design engineer at ARM. “When you’re testing IP, you see that. And it’s more challenging to secure when the IP content is coming from many sources. It used to be that you got all your IP from one company. Now you get it from multiple third-party sources.”

To view part one of this series, click here.
To view part two, click here.