Unexpected Security Holes

Security is emerging as one of the top challenges in semiconductor design across a variety of markets, with the number of security holes growing by orders of magnitude in sectors that have never dealt with these kinds of design constraints before.

While security has been a topic of conversation for years in mobile phones and data centers, commercial and industrial equipment is being connected to the Internet for the first time. This provides benefits such as remote management capabilities and alerts for potential failures. But it also increases the risk of data theft or remote tampering.

Consider a commercial refrigerator, for example, which may be used to store medical samples or transplant organs. In this market there are no standards for security, no guidelines for best practices, and little awareness of why anyone would ever want to hack into one of these systems.

“With a medical-grade refrigerator you’ve got a publisher of data that can be used for machine service, clinical researchers who store things in the refrigerator, the Department of Health, and for legal defense,” said Phil Strong, CEO of Zymbit. “To make this work you take existing equipment and add devices to it. So there are multiple technology disciplines going into fragmented markets. You add a hardware module and a root of trust, which is probably silicon and a fingerprint of the refrigerator. Trust is a product of security. But if you don’t know how to use the security it doesn’t matter. To make this work you need authentication, confidentiality, integrity and non-repudiation.”

Strong said the biggest problems these days are usually the result of misunderstandings and confusion. Even in markets where there are standards, those standards typically are not sufficient.

“In these markets a lot of the hardware is low-cost,” he said. “So you have to assume the base level of security today is zero. But if you put in security, you have to expect that will have a life of four to five years.”

Layered security
Even within markets that are used to dealing with security threats, the increased reliance on third-party IP and the disaggregation of the chip market means there are subcomponents such as embedded software or additional circuitry within sourced components. Some of this is developed in countries that never appear on bills of materials, and many are never subject to the kinds of scrutiny that are expected for major IP blocks or subsystems.

“Open-source IP is the easiest place to put back doors, trap doors and Trojans,” said Serge Leef, general manager of the System-Level Engineering Division at Mentor Graphics. “For blocks of any size, these cannot be found. And if you get verification IP from the same source, it will not show the corner cases. There also are design errors that humans cannot find, and there are malicious errors that cannot be caught.”

Securing all of this circuitry requires the cooperation of many companies, multiple industry segments, not to mention greater participation in standards groups. So far, there is only marginal progress on any of those fronts. Where there are standards, they often conflict with other standards, which is a growing problem as different markets are mashed together, or they lag technology progress within those markets. In cases where progress has been made, it is largely due to the efforts of individual companies working within their own ecosystems or within highly regulated industries such as aerospace and defense.

Adding security costs money. It also can affect power and performance, particularly if that security is active rather than passive. And done wrong, it may do little to deter hackers.

“One approach is to address security from the system level without touching the device,” said Xu Zou, CEO of Zingbox. “In our opinion, this is the only way to scale IoT security. Most IoT devices are purposely built, perform specific tasks, and there are few human interactions. But unlike laptops and smart phones, which are general-purpose devices, IoT devices are not protected with antivirus software.”

Zou said that makes the firewall the single line of defense. “If you look at MEDJACK (medical device hijack), that works on back doors into hospital networks. Patient records are worth seven times more than credit cards. Health care is always among the top three hacking targets. Today’s medical devices are electronically connected. To hack a machine and steal information is much easier than hacking a credit card.”

“PATIENT RECORDS ARE WORTH 7 TIMES MORE THAN CREDIT CARDS.”

He said the key is to understand what the IoT does, and if there is an aberration, send an alert using a mathematical model. This is similar to the kinds of alerts that have been in place inside of corporate networks for years. The key there is to identify extraordinary behavior rather than slowing down the network traffic.

End-to-end security
What’s difficult to comprehend is the enormity of the security problem. Most engineers are used to thinking block by block. Even SoC architects tend to think in terms of a series of blocks connected together and the most efficient way to utilize power and memory. But IoT/IoE security for a chip extends well beyond that, from the initial design to the manufactured chip that will be used inside some larger system, whether that’s a car or a home gateway device.

“We typically consider security from a root of trust,” said Zining Wu, CTO at Marvell. “But we need to consider this from a root of trust and a chain of trust.”

Wu said any security solution needs to be policy-based to guarantee that it is secure, an important consideration because a continuous security link could be a challenge to maintain if components are powered off. One such approach is to use keys. But even keys can be a security risk if they aren’t managed properly.

“The question we ask is how you put a key inside of these devices and still make sure no one makes a copy of the key,” said Asit Goel, senior vice president and general manager for business line secure monitoring and control at NXP. “Our production lines have zero manual touch with no humans inside. You need to protect and design a secure device, and part of that includes how you manage the key.”

Goel, in a presentation at ISQED’s recent IoT Summit, said that chipmakers can design in all kinds of security, but it still may not be effective. The challenge is making it easy enough to use so that people actually will take advantage of it. He said that tokens requiring people to type in their numbers every time they do online banking are too cumbersome for most users even though they are effective.

Those tokens typically use random number generators based on a seed number. But even seeds can be hacked, which means any numbers generated from that seed can be anticipated.

“There are three problems to solve,” said Richard Moulds, vice president of strategy at Whitewood Encryption Systems. “The first is that just having millions of random numbers does not solve the problem. If an application is running in a cloud, you are not sure if that is secure. The second problem is how you get these numbers into the application. And the third is that silicon today will catch noise from WiFi and other communication that allows you to extract the randomness.”

“JUST HAVING MILLIONS OF RANDOM NUMBERS DOES NOT SOLVE THE PROBLEM.”

One solution is to get rid of that noise altogether by using an optical source. Los Alamos National Laboratories, for example, has developed an optical module that it is licensing to private industry to reduce those fluctuations. “With this kind of approach you need physical access to a device, and there is no reasonable way to do that,” said Raymond Newell, R&D scientist in the Physics Division of Los Alamos.

Another security scheme is the public key cryptography scheme, which was developed by Ralph Merkle, a former Xerox PARC computer scientist. Paul Kocher, president of the Cryptography Research Division of Rambus, noted that all public key schemes are based on Merkle’s research, but that the U.S. government is now exploring quantum cryptography for the next wave of highly secure data communication.

Embedded software
When all of these schemes finally come into play is unknown. Hardware is just now being recognized as a medium for breaches. So far, most of the highly publicized security failures have involved software. While most of the focus has been on applications and operating systems, embedded software may be even more vulnerable because there is limited experience with breaches and so much of it is customized for a particular design.

“Most of the software people use is software that was developed by someone else,” said , chairman and co-CEO of Synopsys. “We need sign-off on quality and security of software.”

There is certainly a growing awareness among embedded software developers that security can be compromised. But how to fix the problem isn’t so clear.

“There needs to be a shift in culture,” said Glen Clark, vice president of Virtuoso R&D at Cadence. “Getting software out the door isn’t good enough anymore.”

Clark said the next big challenge is determining where the vulnerabilities are in software. “That’s just starting to open up. It’s a matter of being able to document what you did (on the development side) from a traceability standpoint. If you have printouts and waveforms, you can test any point in time.”

Conclusions
Security is just beginning to creep into semiconductor design. As with power, which many design teams ignored until several years ago, it will take time to be absorbed into the design flow. But unlike power, once there is a failure it can have widespread impacts across a number of industries, including some that impact safety. Moreover, in many of these markets, those chips will stick around for years, which means that ignoring security today can have long-term impacts.

“Security is one of the most important IoT requirements,” said Jen-Tai Hsu, vice president of engineering at Kilopass, who noted that many more potential customers are asking questions about security than in the past. Kilopass isn’t alone here.

“In every conversation we have now, security is a big deal,” said Farhad Mafie, vice president of worldwide product marketing at Microsemi. “The problem is that there is no one-size-fits-all solution. A lot of old technology is still around. But as we move to more connected everything, such as more electrical versus mechanical components in cars, security becomes a bigger challenge. With the new generation of electronics, if it isn’t connected it’s like it’s broken.”

Some companies are well out in front of this problem—Intel, ARM, Andes, Xilinx, Cisco, the big EDA companies—but the vast majority are just now waking up to the fact that the entire ecosystem and supply chain needs to change. There is a need for consistent standards, a recognition by industry groups that security is an essential element for a connected world, and an understanding that security adds value to all electronics. Unfortunately, that may take years.

Related Stories
Back Doors Are Everywhere
Despite fears about hardware breaches, access to firmware and chip data is more common than you would expect.
The Race To Secure The Car
Connectivity and complexity are raising concerns about safety and reliability.
Securing The Cloud
The cloud presents a variety of unique challenges for data security, including some from the inside.