Security’s Very Strange Path To Success

Security at the chip level appears to be heading toward a more promising future. The reason is simple—more people are willing to pay for security than in the past.

For the most part, security is like insurance. You don’t know it’s working until something goes wrong, and you don’t necessarily even know right away if there has been a breach. Sometimes it takes years to show up, because it can be more like a slow leak than a frontal attack. That always has made security a tough sell, particularly in markets where chips were fighting for a socket based upon who could offer the lowest price.

Several fundamental things have changed. First, Moore’s Law has become a less obvious path forward for many companies, and the rise of multi-chip packaging has made it possible to spread out cost of security across all of the chipmakers developing IP or chips in a package. Second, a number of the largest chipmakers are vertically integrated companies developing custom solutions in a variety of market segments, and security can amortized across the final system price.

Third, there are a number of new and existing market segments where security is viewed as important—automotive, IIoT, AI/machine learning, the cloud, government and SoCs. In many cases, there is enough value in the technology itself to warrant more security. And increasingly, there is value in the data generated or processed by that technology to justify protecting against threats like IP theft or ransomware or lawsuits.

That has been a boon to security vendors, and there are several main approaches to solving these problems. One involves securing authentication keys or boot-up code in a very secure, tamper-resistant place, or securing the IP blocks themselves. Achronix, for example, has made it virtually impossible for anyone trying to tamper with keys or authentication to sneak into an FPGA. If they do, they will break a fuse, which basically shuts down the chip. Tortuga Logic has been working on a similar piece with its hardware root of trust for key management, and IntrinsicID has attacked it with bulletproof physically unclonable functions. Arm, meanwhile, has built its entire processor architecture around authentication and multiple layers of security. And Rambus has pushed security up a level with a synthesizable, pre-certified secure element that can be integrated into an SoC or an automotive chip. If the system is compromised, the firmware and software can be reset and re-installed with a clean version.

A second approach that seems to be gaining traction involves monitoring traffic from inside a chip or package. This can involve anything from thermal or power noise to data traffic, and this is a market UltraSoC, Moortec, ANSYS and ArterisIP are targeting. The idea is to measure even the slightest aberration using tools that previously were meant to ensure proper functionality of a system. So when a chip is supposed to be dark, why are some of the circuits in use? What makes this kind of monitoring particularly attractive is that this technology is already being used to ensure reliable operation. It’s a small step from there to using these tools for security, and what’s worth noting is none of these companies started out in the security space.

A third approach that seems to be catching fire involves software, where the code can be made more secure by automating the search for known violations. Synopsys has been particularly active on this side, buying up software companies and leveraging some of the same approaches to applications and custom code that are currently being used to find violations in RTL. This approach is well recognized in such markets as banking, but it is finding a new home in automotive, industrial and military applications where the threat level is rising and the price of security holes are measurable.

What makes all of these approaches increasingly viable is that companies are willing to increase their budget for security, particularly where there is government support or where it can be passed through to consumers. So even though a consumer electronics vendor may not be willing to spend extra money for security in a price-competitive market, large corporations such as banks or automotive OEMs or smartphone companies are able to spread that cost across a much wider user base or bury it in the cost of a system.

Putting all of these pieces together, security is becoming a profitable opportunity across a growing number of market segments. But it took a very complex and unexpected combination of factors to make all of this happen.