Next Bonanza: Security Holes

Security threats—both real and potential—are beginning to reshape the semiconductor business.

These threats are drawing venture capitalists back into the industry as they race for the next big opportunity. They are blurring the lines between software and hardware, as threats grow in complexity at every level of a device and its myriad and sometimes perpetual connections to the outside world. And they are drawing the best and brightest young graduates into a graying industry, refreshing the pool of expertise around the globe.

While it’s impossible to determine whether the upside in business opportunities is greater than the downside in loss of data and outright theft of money, big changes are afoot across a wide swath of markets, regions and technologies.

Regional threats, global threats
Security typically is viewed as a global threat, and in many ways it is. But some regions react to threats more quickly than others.

This is particularly evident in the credit card business. Europe and Asia adapted to credit card fraud much more rapidly than the United States, adding EMV chips—an acronym for the security chip standard created by Europay, MasterCard and Visa—while the United States has relied instead on data encoded into magnetic strips. The result has been a migration of credit card fraud to the United States, which now accounts for more than half of all global credit card fraud.

That is almost certain to change over the next couple of years. Brintha Koether, payments segment director at NXP, said about 30% to 40% of all cards used in the United States will include security chips by the end of next year, with that number rising as high as 85% by 2017. But she noted that also raises the stakes for thieves, as well as the complexity of the technology being used.

“There is not just one door in anymore,” she said. “It’s more difficult to replicate a threat across the board and more difficult to gain access using reverse engineering, laser attacks or light attacks, which are used to manipulate a chip to get a signal. What we’re doing here is integral security.”

But that’s only part of the picture of what will change. EMV chips are just one piece of multiple forms of identification that will likely be required in the future for transactions. Koether said biometrics alone are not sufficient, but an EMV chip plus a fingerprint sensor plus a pin are much more difficult to crack—and if that isn’t enough, that pin can be randomly generated and sent to a smart phone.

“The concern is about the overall consumer experience,” she noted. “The U.K. deal with this using a huge campaign around chips and pins and built a strong awareness for this, which made it successful. The United States is a much bigger and more diverse market, which adds more complexity, but the market for EMV chips has accelerated over the past six months as the number of breaches has grown.”

Global opportunities
As thieves become more sophisticated—and particularly as more things are connected together—the threat level has grown. It’s no longer just about malware infecting computers. The goal now is to extract secrets and money, and interconnectivity has created many doors that didn’t exist before, not all of which are secure.

From the technology side, this opens business opportunities ranging from verification of code and IP to secure supply chain management. Jasper Design Automation (now part of Cadence) focuses on using formal verification as vectors to figure out where there are anomalies within a design, or potential vulnerabilities.

“If a mechanism assumes that secure firmware in ROM is the only one that can access security information, how do you hack that? You intercept the output from ROM,” said Lawrence Loh, vice president of engineering at Jasper. “That’s pretty obvious. But what if the playing field is not level? Are there other ways to access to the ROM? The hardware has to be able to assure the only way through is secure.”

This is a new application for existing technology. Along the same lines, Atrenta has taken its IP exploration software and started checking IP security with it, as well. But security also has fueled interest by venture capitalists in new chip startups for the first time in more than a decade. One new startup, ChaoLogix, is focused on embedded IP for security, using differential power analysis and fault analysis to limit attacks.

“The state of the art right now is adding noise to obfuscate what’s happening inside a device,” said Chowdary Yanamadala, senior vice president of business development at ChaoLogix. “These are secure standard cell libraries with sensitive blocks that are added into the existing EDA flow. And there is no differentiation between a one and a zero so nothing gets leaked outside. We’re not adding noise. We’re subtracting it—decoupling the chip activity from the power.”

A second startup, called Intrinsic-ID, works off the idea that every device has unique properties and those properties can be used for protecting a device as well as hacking it. The company focuses on storing and managing cryptographic keys, including binding hardware and software to prevent cloning.

“Our target is the semiconductor companies, or one or two levels higher than that,” said Pim Tuyls, Intrinsic-ID’s CEO. “What we do is extract data and turn that into a security application. It’s sensitive to environmental changes, voltage changes, and you can do error correction. That works for FPGAs, smart cards, USB tokens, or set-top box applications. We work with the whole value chain.”

Mixing up things
Perhaps more intriguing is the blurring of lines between hardware and software.

“If you look at ARM’s TrustZone, for example, you assume that everything is correct at the beginning,” said Paul Kocher, president and chief scientist at Cryptography Research (acquired by Rambus in 2011). “But with software, there are a huge number of different people who write the code. It depends on what cache dependencies they put into the code, so there is a great deal of variety. What we do is get keys from our core. So we can send randomized values and create a function as a response. There is no display of this data, but it allows you to make sure the authorized device has the keys it’s supposed to have. This is a controlled debug mode, with policies set by the company that made the chip.”

Kocher noted that the ASIC team cannot possibly anticipate all the different ways a signal will be authorized or managed. In fact, sometimes it will only turn on once the chip is off, so it can’t be replayed in a message.

Nevertheless, security needs to be dealt with at every level, which is why Synopsys acquired Coverity earlier this year. The company plugs holes in software of all types. This is an interesting crossover point between hardware and software—the full stack of software from embedded code, firmware and RTOSes all the way up to applications downloaded from the Internet—mixing with IP, semiconductor architectures all the way up to full system designs. Security needs to span multiple disciplines involved in creating complex systems, and the interaction of all of these pieces brings together the best minds in hardware, software and white-hat hackers.

It also points to a recurring complaint among hardware engineering managers, namely how to compete against companies such as Google and Facebook for the best and brightest engineering graduates. The answer may be a merging of disciplines using security as the glue. While it’s too early to tell just how effective this will be, the reality is that most hacker organizations are much younger than semiconductor engineering teams, and mixing these disciplines can only help both sides.

And because threats drift from one region to the next, it also shakes things up to pull expertise from all markets. Security is a horizontal problem that needs to be interlaced across a slew of vertical markets with regional differences. And as hackers become more sophisticated, the opportunities for fixing these problems, not to mention leveraging synergies and closing gaps between these different markets, are almost unlimited.