Paul McLellan

Community Member

Blog Activity
Options

Secure Before You Fabricate

5 minute read

breakfast bytes logo One thing that I have come into contact with recently is the notion that the US defense establishment does not believe that the US commercial establishment builds a billion transistors SoCs, and they work. I put "establishment" in the last sentence since there is not really any such thing as the commercial establishment, and companies like Apple, Tesla, Qualcomm, AMD, and NVIDIA have little in common beyond producing some of the most complex chips in the world.

With the defense industry, we created a cute slogan, "emulate before you fabricate," which is what the commercial world does. Nobody is going to tapeout a big SoC without booting up the operating system and running at least some of the application load. The economics are very clear. As I said in my post, The Benefits of a Common Methodology for Emulation and Prototyping:

They started by pointing out that software dominates development costs and schedules. You can't sell your silicon without the software, and as a result, delay in software delivery delays time to revenue, so starting software development as soon as possible is crucial. As a thought experiment, perhaps using emulation and prototyping reduces the time for software integration from 75 days to 15 days. If the annual revenue for the product is $100M, then two months is $18M. "You can buy a lot of emulation and prototyping for that."

Of course, the slogan should really be "emulate and FPGA prototype before you fabricate" to take full advantage of the dynamic duo of Palladium and Protium, but that doesn't exactly run off the tongue.

Everybody is very concerned about security, but the defense establishment more than most. Security is a major part of the lifecycle from specification to disposal. Of course, we at Cadence are involved in the design part in the center of the lifecycle. A key part of our security offering is the Tensilica product line of specialized processors. I took a deeper dive into this in my post Tensilica Security a couple of months ago. Defense semiconductors have to be manufactured in trusted foundries, which basically means in the US and staffed with citizens. The interface is managed by DMEA, Defence Micro-Electronics Activity. Cadence is the only EDA company that is trusted and accredited by DMEA. I just checked to make sure I got the name right, and it turns out DMEA is located in McClellan, California. They almost got the spelling right!

But security is not an area where we work alone. We have a number of partners. As an extension to "emulate before you fabricate," for security, we have "secure before you fabricate." That means attempting to find weaknesses in the product before tapeout. Obviously, one way to do this is the traditional red-team/blue-team approach, with good guys designing the chip and bad guys trying to compromise it. That can be done with simulation, emulation, or prototyping. But some of our partners in the security domain have approaches that make this much more effective.

I'll discuss a few of them.

Green Hills Software's Integrity operating system has the highest levels of certification for any OS that is commercially available. They have 100,000 security tests that you can run using emulation. This makes it idea for going up the stack from the hardware up to application software such as autonomous flight platforms.

Tortuga Logic has a language called Sentinel that lets you write security properties that can be checked during simulation or emulation in an efficient way. When you compile the RTL, they instrument it and duplicate registers in the design to keep track of which data is secret and where it goes. It even follows data through arithmetic operations and so on. This allows you to figure out if your secrets are leaking or not. They don't have their own simulator; their technology is built on top of commercial simulation and emulation engineers such as Xcelium and Palladium.

Microsoft Azure Sphere is a secure lifecycle management environment, working with microcontroller companies and helping diagnose intrusions.

Galois is a research organization in hard-science security, building capabilities on top of Cadence's JasperGold formal verification products. Cadence is supporting them on the DARPA SSITH program, which addresses security at the hardware/software boundary.

Riscure is in the business of security certification, developing tools on top of simulation for side-channel analysis. See my post EDPS Cyber Security Workshop: "Anything Beats Attacking the Crypto Directly" for some details of what side-channel analysis is and a presentation by Jasper van Woudenberg and Robert van Spyk of Riscure on just how effective it can be.

Micronet solutions is doing reverse engineering to attack things like anti-tamper.

Attack Surfaces

There are lots of ways to attack an electronic system. A rough taxonomy might look like this:

  • Logical – Software-based attacks on hardware, hardware-level logic sequence attacks, including logic side-channels, trojan insertion and fault injection
  • Digital – Not covered by logical, including timing, power and thermal based; i.e., physical quantities such as timing, voltage, current, and temperature in digital circuits
  • Analog/Mixed – Not covered by logical or digital, including glitching and faulting on analog circuitry and RF; i.e., physical quantities

Security During Design

The idea of a security and attack lab is to make "secure before you fabricate" a reality. In the verification world, we call this "shift left", doing things earlier and earlier in the design cycle.

  • Security analysis can begin with pre-silicon/pre-prototype ("secure before you fabricate")
  • With functional safety “there is no safety without security”
  • Hardware/software integration, verification and test
  • Virtual multi-fabric (chip, package, substrate, board, enclosure)
  • However, not all attack surfaces can be definitively explored at an early stage of design
  • Many costly and egregious errors can be spotted and mitigated quickly and inexpensively
  • Pre-silicon attack labs are an extension of existing security practices
  • Cadence possesses the technology foundation for pre-silicon attack practice
  • Pre-silicon attack lab can be leveraged for Digital Twin development

The consensus in the security community is that you have to work at all levels, including hardware. However, you can’t patch bad hardware with software, but good hardware alone is not enough. So security starts at the hardware level and goes all the way up. Cadence has a lot of capabilities in Jasper for formally proving security properties, and many of these weaknesses can be detected using Jasper. Good system and thermal analysis are also very important since it is possible to make things heat up and turn themselves off, or, worst case, simply burn up.

 

Sign up for Sunday Brunch, the weekly Breakfast Bytes email.

.