Security. We know we need it, but nobody wants to pay for it. You can see why.
Set aside the multimillion-gate behemoths for communications, CPU, GPU and APU. Think of the billions of devices we expect to sell for the Internet of Things. Adding security may cost only a few cents per chip, but IoT margins are already likely to be that slim. Security features could wipe them out.
Then there is the issue of why the market resists paying for security. You create a health-monitoring device. The user – be it a consumer, HMO or a single-payer healthcare system – will see security as a strict requirement. The same goes for an electronic payment service, or one that tracks stock in a warehouse. Users do not see security as a differentiator but as the supplier’s responsibility.
We need to attack the question laterally. Can we recast it so that on-chip security is part of a structural rethink about how we configure and deliver silicon?
Blue skies research undertaken at Mentor, a Siemens business, suggests we can. Moreover, we can do it with existing design technologies and without disruption to design and manufacturing flows.
The key lies in approaching the problem economically. We need to ask not how we get greater security on to silicon, but what we can do with it above and beyond providing the confidence end-users demand.
Security = profit
Enhanced security could enable a number of features and services that will have a positive impact on the bottom line for chipmakers and OEMs. The list is not exhaustive, but already it includes:
- Combatting the counterfeiting and unauthorized overproduction of devices.
- Controlling device mask costs by reducing the number of parts-in-production relative to end applications.
- Avoiding respins following in-field customer test after fusing of the JTAG port.
- Making reverse engineering prohibitively expensive.
- Enabling the retargeting of devices to other customers in the event of cancelled orders.
- Enabling reconfiguration at the factory gate or in the field within the terms of a hardware-as-a-service business model.
From that list, the hardware-as-a-service opportunity is perhaps the most exciting in terms of generating new revenues from greater on-chip security. Nevertheless, all of them address significant – and in some cases increasing – risks that harm profitability across the supply chain.
We’ll consider the importance of these models in a moment. First, we need to describe the underlying technology that could make them happen. Such an ambitious list may imply that the steps needed to realize it are burdensome. That is not the case.
Components of profitable security
The necessary design and process additions are relatively straightforward.
- We assign a fingerprint to each individual piece of silicon, implemented in PUF memory with some surrounding logic.
- We camouflage the various blocks of IP on the chip.
- We ‘black box’ various parts of the chip’s functionality.
- We assign a series of configuration codes to each chip, matched to the fingerprint, that each individually allows specific forms of access (e.g. test, reconfiguration, etc.).
- We take the human element out of the equation by automating and applying these steps in RTL, rather than physically fusing parts of the device (e.g., the JTAG port) at the wafer or during packaging.
Obviously, there will be some complexity in the implementation. But relative to the benefits it offers, it is modest.
The other important assumption is that the strategy is applied to connected and addressable devices. This is a fair assumption because it is likely to be true for the overwhelming majority of silicon produced from now on.
Let’s briefly look at how this additional design cost will pay for itself in terms of the six goals identified earlier.
In this security strategy, every chip will have a unique fingerprint. This can be addressed at any time to verify the chip, at the foundry, during packaging and in the field. The fingerprint is applied before the design goes to manufacturing. There are only as many fingerprints as there are devices. The oversight now available across the supply chain can detect unusual traffic.
Moreover, the fingerprint is associated with a number of unique configuration codes. Each code will provide a certain type of access. They will turn certain parts of the device on or off, again at any point in the supply chain. Overproduction of an unauthorized device will mean that, without the codes, any malicious player has no more than a brick. And remember, all the fingerprints and activation codes were set automatically in RTL during design.
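The binding between fingerprint and configuration codes can be modelled in a few lines. This is an added behavioural sketch, not code from Mentor or from the article: the HMAC-SHA256 construction, the feature names, the `ActivationServer` and `Chip` classes and all byte values are assumptions made for illustration, since the article does not specify the cryptography.

```python
import hashlib
import hmac

FEATURES = ("jtag_test", "extra_core", "rf_block")  # hypothetical feature names


def chip_key(master_secret: bytes, fingerprint: bytes) -> bytes:
    """Derive a per-chip key from the vendor secret and the chip fingerprint."""
    return hmac.new(master_secret, b"chip-key|" + fingerprint, hashlib.sha256).digest()


def config_code(key: bytes, fingerprint: bytes, feature: str) -> bytes:
    """Code that unlocks exactly one feature on exactly one chip."""
    msg = fingerprint + b"|" + feature.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class ActivationServer:
    """Vendor side: only enrolled fingerprints can ever receive codes."""

    def __init__(self, master_secret: bytes, enrolled):
        self._secret = master_secret
        self._enrolled = set(enrolled)

    def issue(self, fingerprint: bytes, feature: str):
        if fingerprint not in self._enrolled or feature not in FEATURES:
            return None  # unknown (e.g. overproduced) part: no code issued
        return config_code(chip_key(self._secret, fingerprint), fingerprint, feature)


class Chip:
    """Device side: every feature is off until a valid code is presented."""

    def __init__(self, fingerprint: bytes, key: bytes):
        self.fingerprint, self._key = fingerprint, key
        self.enabled = set()

    def apply(self, feature: str, code) -> bool:
        if code is None or feature not in FEATURES:
            return False
        expected = config_code(self._key, self.fingerprint, feature)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            self.enabled.add(feature)
            return True
        return False
```

A code issued for one fingerprint and one feature is rejected for any other feature or any other chip, and a part whose fingerprint was never enrolled receives no code at all, so every block on it stays off.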
The industry has gone through another wave of consolidation. The resulting companies are finding that they have a massive number of SKUs and parts-in-production. The resulting management task here alone pushes the limits of sustainability.
Meanwhile, forecasts may point to a massive overall market for the IoT, but it is a highly fragmented sector. For many applications, a dedicated chip and thereby a dedicated mask simply will not make economic sense.
In this context, imagine a typical IoT chip. It will have a core set of functions – MCU, RAM, RF, sensor – and in a great many cases will require only a small amount of additional application-specific IP.
Why not place multiple blocks for different applications on a single design and use a dedicated configuration code to turn the appropriate ones on?
Part management becomes much easier. Activation of the chips’ various functionalities can be handled remotely over servers. And one mask will serve multiple markets.
Or we could take a cue from what we already do for large memory chips. Rather than, say, implementing a specific number of cores and hoping for 100% successful test, we could add ‘redundant’ cores, reconfiguring the chip after production to mark the bad ones. Here, the strategy would help in terms of yield as well as mask-cost reduction.
Avoid post-silicon respins
Today, the JTAG port will often be fused before delivery to the customer to reduce vulnerability to reverse engineering. But what if the JTAG port had its own configuration code, one that would allow a customer or third party only to conduct in-field test during final qualification, once such access had been verified against the fingerprint?
It has happened that customers have received JTAG-fused devices that have failed in-field test and then they have had to hack silicon they have paid for to fix the problem. Not good. That is a recipe for very expensive debug.
There is no such thing as a 100% tamper-proof chip. The goal is to produce chips where it is near impossible (or at least hellishly difficult) to reverse engineer them.
This model creates various tiers of access, applies individual identities and addressability to each piece of silicon, and then camouflages the IP held on the chip.
The chip can notify the central server as to who is doing what to it or, if its communications are disabled, can have a hard self-destruct function built-in should it be unable to ‘call home’ after a certain period of time (an option that will particularly appeal to the mil/aero market).
The essential point is that there are numerous potential ways of making life a great deal harder for the hacker.
A customer puts in an order for 100 million parts, but then disappears off the face of the earth. If the devices you have been producing for that company have been manually set to their configuration and then fused, you now have a lot of scrap on your hands.
If, however, functionality can be turned on and off digitally using the fingerprint and configuration codes, that scrap can be reconfigured and offered to other customers.
Firmware upgrades are well established. But what if you could configure a chip so that you could securely turn on, say, an extra processor or block of IP, after installation in the end product? Those firmware upgrades could each be uniquely encrypted for the target device.
The revenue models here are interesting. This kind of upsell could involve a one-off fee, but it also opens up the prospect of marketing subscription services (e.g., turning on certain levels of functionality only for a specific period of time).
This opens up a hardware-as-a-service business. The application and functionality for those services would support many potential uses in a broad range of devices.
I’m not making many concrete suggestions here because the possibilities and their exploitation will most likely depend on the imaginations of chipmakers and their customers.
To bring us back to the beginning, what links these tempting possibilities is the addition of new security features. By implementing them, silicon companies will not just address their own concerns and the demands of their customers. They can also develop a whole new set of revenue streams and improve profitability by minimizing risk.
One comparison that springs to mind is Netflix. It has succeeded by disrupting an entire supply chain to deliver content on demand. What if we could move to more secure semiconductor platforms that deliver flexible IC content on demand?
Fully realized and developed, we believe that this kind of security platform – mixed with some lateral thinking – could do exactly that.