Safety Plus Security: Solutions And Methodologies

Part 2: Connecting to the Internet adds new demands for safety-critical markets.

popularity

By Ed Sperling & Brian Bailey

As more technology makes its way into safety-critical markets—and as more of those devices are connected to the Internet—security issues are beginning to merge with safety issues.

The number of attempted cyberattacks is up on every front, which has big implications for devices used in safety-related applications. There are more viruses, ransomware, and counterfeit chips and IP. And while the total number of breaches is flat, mostly due to increased attention to security, the impact of those breaches is larger. In effect, hackers are getting better at choosing their targets.


Fig. 1: Total cybersecurity breaches. Source: Symantec Internet Security Threat Report, April 2017.


Fig. 2: Ransomware demands. Source: Symantec Internet Security Threat Report, April 2017.

This is bad enough for IT systems. But as as medical devices, cars, and industrial control systems are connected to the Internet, cybercrime increasingly will have a direct effect on personal and public safety. Moreover, while most of this has involved software in the past, chips increasingly will be part of the attack infrastructure.

There is another facet to consider with these new applications, as well. Most hardware designs today have a life expectancy of two for consumer/mobility designs, to four years for server hardware. But in the case of industrial, medical and automotive applications, electronics are supposed to last a decade or more.

Security, meanwhile, is never 100% effective, and it becomes less effective over time. Connectivity and device complexity, which is compounded by regular software updates, are contributing factors to a rise in data leakage. In addition, security measures that are considered impervious to attacks today likely will be vulnerable within several years because hacker tools and know-how are constantly evolving.

“As soon as you think you have a secure device, you find a hole,” said Dipesh Patel, president of the IoT Services Group at Arm. “So you are never done. And devices need to be upgraded, which is done with software. That makes it more vulnerable. If you look at the Mirai attack, devices were exposed because someone decided to use default passwords.”

Patel said hardware-software co-design will be a baseline necessity for security. “But that will not be enough. You can supply more secure devices, but you need to educate others about the need to do things properly. Secure devices need to be complemented with other things, such as tutorials, how-to guides, and in the case of enterprises, they need to be more aware. The best solutions are a combination of technology and best practices.”

But how, exactly, does this work for an autonomous vehicle or a medical device such as a pacemaker? The answer is that nothing is perfect. Numerous steps need to be considered at every level, from design through manufacturing and out into the market, and they need to be revisited regularly.

“Security is a big topic for EDA, and it’s a big topic for the semiconductor industry,” said Wally Rhines, president and CEO of Mentor, a Siemens Business. “While it hasn’t become critical yet, we believe that ultimately you’ll need to have trustworthy silicon as part of the total solution because chips will be subject to Trojans and companies will get more and more concerned about what gets into their chips and how it gets protected. Over time, it will become one more big part of IC design and verification. Tools will be available to help you, but this is a dynamic. Unlike a physics problem that you solve and it stays solved, security is one where the people working to break the security are just as smart as the people working to improve the security.”

Different approaches for different markets
Standards compliance adds cost, complexity and time to safety-critical designs. A chip designed for any automotive application would likely have to adhere to the ISO 26262 standard, which is essentially a best-practices checklist. But if that chip is used in the control of an autonomous vehicle, it also would have comply with the most stringent restrictions defined by the SAE and ASIL standards, as well as ISO 26262.

In the medical electronics field, it would have to adhere to a different set of standards being developed by such groups as the U.S. Food & Drug Administration and the Medical Device Innovation, Safety and Security Consortium. And in mil/aero, it would have to follow the DO-254 standards as well as various country- and region-specific regulations for supply chain integrity.

This adds a whole different level of scrutiny, validation and verification. And that, in turn, will boost the cost of a design and the time it takes to get a chip certified and into production.

“With safety, we are looking at single-fault effects, and for that we know what full coverage means,” said Ashish Darbari, director of product management for OneSpin Solutions. “We can analyze that every fault is detected using a number of mechanisms. But for security, attacks are not equivalent to single faults. How can we measure the effectiveness of the protections for security? If we could model and specify what the interactions need to be, what must happen, what must not happen, intentional versus unintentional, then you can come up with a good set of checks that could be specified. Security is more systematic analysis, but it will always be difficult to get a handle on completeness.”

In many cases, markets define what security means. “Security means different things to different people,” said Darbari. “To one person it is about illegal access to an unprivileged user to a CPU or part of memory. Firmware plays a big role here, as well, and a lot of bad firmware can cause these issues to manifest and allow access to the hardware. What is the security vulnerability model?”

Software updates add security risks, too. While updates are necessary to keep devices current and help close security holes as they are spotted, the update process itself provides another attack vector.

“If you look at the market for cars, which is still evolving, over-the-air updates open up a whole new level of exposure,” said Bernd Stamme, vice president of product marketing at Kilopass . “At least with the CAN (controller area network) bus, to hack the system you physically have to open it up. But with over-the-air updates, physical connections are no longer required.”

There is plenty of experience with securing over-the-air updates to software, particularly with set-top boxes and information technology downloads. But Stamme noted that carmakers will require sophisticated ways of distributing security keys over the network, which most have never done before. “Companies need the most secure on-chip medium for this. Otherwise, if you get a hold of the chip you can reverse engineer it. The algorithms being used are well understood. If you have enough compute power, it’s easier to decide how to prevent this. But not all of these devices will have that.”

Security solutions
There are several recurring aspects to security. One is the protection of data. “The addition of cryptographic capabilities to support secure communication and data storage requires software with hardware support for secure storage of keys and, in many case, acceleration is added for performance,” said Tim Mace, senior manager business development in the MIPS Business Unit of Imagination Technologies. “However, every additional capability added to a chip adds to the power and cost.”

Security isn’t free in any respect. It can affect overall chip performance, particularly if the security is active rather than passive. Active is considered more effective, but it’s also more expensive on every level. In some cases, it may require a separate chip or IP accelerator on the same chip.

“Security is one aspect of the workload,” said Anush Mohandass, vice president of marketing and business development at NetSpeed Systems. “You need different chips for different workloads. And if you’re using heterogeneous IP within a single chip, to get the maximum out of that chip you need to understand the workload.”

It also may require such techniques as virtualization to keep the data from one function separate from another, which also affects the initial design. “If you have 10 operating systems running, they should not have knowledge of each other,” Mohandass said. “That way there is no contamination of data.”

Memories are another area that needs shoring up. “The next level of protection is that they may encrypt regions of memory,” said Drew Wingard, CTO at Sonics. “In a more secure chip you may want to ensure that if someone was able to gain access to the entire content of the memory, they would still not be able to understand anything. That has a latency impact because you have to map the data between memory and processing.”

Another common form of protection is the establishment of a secure enclave. “You can run security functions isolated from other aspects of the chip,” said Mike Borza, member of the technical staff for Synopsys’ Security IP. “There are different ways to get that secure enclave. There are embedded hardware security modules that run inside the chip and are a companion to the main CPU. It is designed to provide a real, hard target for the security processing to take place. That tends to be a larger solution and adds cost in terms of IP licensing and area. For something in the class of a small router or IoT hub, the costs that may be acceptable are in the order of a few cents per chip for a chip that sells in the low single digit dollar range.”

Another way to do this is to create virtual environments. “Separation of the data and applications can be best implemented using an approach based on virtualization,” added Mace. “This is often supported by hardware memory management for performance.”

Virtualization depends on the system having a memory management unit, which is not always the case with heterogeneous system. “We introduced a firewall into the NoC that lives in front of the transaction destinations,” Wingard explained. “This builds a memory protection capability and allows the chip designer, or software people at runtime, to configure the chip to allow one region of memory to be accessible to this processor while in this mode, or these three units and the DMA engine to be able to access another part when in another mode. We can build multiple mutually secure nodes. This is easy and simple to understand and has very little software overhead if you don’t have to reprogram it. There is no performance impact.”

This type of system can also hunt for suspicious activity. “We are starting to see things that look at traffic flows between interfaces or between ports on a bus and identify patterns that are unusual or shouldn’t be happening at all,” said Borza. “If a network interface is talking directly to an encryption controller – that is not what should be happening and may be flagged as an unusual pattern that you may want to detect. We are starting to see people build this into the fabric of the chip.”

Making progress?
While the fundamentals of security are understood well enough, metrics about what makes one device or IP block more secure than another are less than clear.

“Security is very difficult to measure,” said Asaf Ashkenazi, senior director of product management in Rambus‘ Security Division. “There is a lot of misinformation out there, and you can claim whatever you want. You can claim that security is built in, but there is not a way to measure it that has consequence. There are no guidelines or best practices.”

This may be an annoyance with a consumer or business system, but it can be life-threatening in a safety-critical device. “If a computer is hacked, you lose data,” Ashkenazi said. “But if you hack a car, industrial machine or a traffic light, you can cause reasl damage.”

Until there is some formalization of the malicious fault problem, it is difficult to think about adequate analysis or automation tools. “There is some research devoted to building a more objective measure for how secure something is,” said Borza. “An example of that is a DARPA project that is trying to build those metrics and provide a quantitative assessment of security.”

This may require a simplification of the problem. “One approach is based on root of trust modules that are starting to become more common,” Borza explained. “This recognizes that providing a small isolated environment, which uses relatively simple software, can be assessed and analyzed for vulnerabilities and immunity to certain types of attacks. The approach is to contain complexity in the security functions in order to provide a reasonable guarantee of how secure that part of the chip is. Then you can use that to bootstrap the rest of the system securely.”

Perhaps the most important change that a team has to make is rooted in their mindset. “Both safety and security are not solved by simply adding some special IP, or software, as an afterthought,” said Mace. “They need to be addressed throughout the design and manufacturing process as in both cases the overall level of safety and security of a product is limited by the weakest element.”

There is no disagreement on that point. “The teams that are putting out successful semiconductors have baked this in from day one,” said Rob Knoth, product management director for the DSG group at Cadence. “The architecture of the system and the verification plan, the physical floorplan – everything has the concepts baked into it. Otherwise it becomes a horribly non-convergent process and you end up missing stuff and having to do a respin.”

The industry is taking the problem seriously. “Security is lagging safety by about five years,” said Darbari. “We will see compliance standards for security being established within five years. But if you are not even doing your functional verification properly in the first place, and relying on directed test – then you don’t have a hope.”

Safety and security need to be baked into the methodology. “Only then will they permeate through the chip as needed for both efficiency and effectiveness,” concludes Mace. “It is important that each stage in the development process is reviewed closely to consider the design implications. It is only when these techniques are embedded into the development tools and the design and verification processes, that new chips will be created with safety and security at their core.”

Related Stories
Safety Plus Security: A New Challenge (Part 1)
There is a price to pay for adding safety and security into a product, but how do you assess that and control it? The implications are far reaching, and not all techniques provide the same returns.
Security: Losses Outpace Gains
Complexity, new and highly connected technology, and more valuable data are making it harder to keep out hackers.
IoT Security Risks Grow
Experts at the table, part 2: Mirai, Shodan, and where the holes are in security; establishing a chain of trust from a solid root; how to future-proof security.