Increasing attention from hackers on embedded systems developed for the internet of things (IoT) is going to drive a need for designers to take crime into account as part of their design signoff process, Mentor Graphics chairman and CEO Wally Rhines argued in his keynote at the company’s U2U conference in San Jose on Tuesday (April 21).
Rhines outlined three areas that chip designers and their EDA suppliers will have to worry about in terms of their crimeproofing strategies: side-channel analysis; counterfeiting; and Trojan-horse circuits.
“A lot of companies are popping up that provide IP to embed in chips that protect against side-channel attacks. More and more of these techniques are creeping into the toolkit for designers to design chips that are protected,” Rhines said. Earlier this week, The Athena Group announced it had added side-channel countermeasures to its IP cores.
Rhines added: “There will be many, many more devices that hackers want to access. We will have to harden the IP and make it more inaccessible. The way to know is through simulation, emulation and verification to see how the chip stands up to attacks.”
Counterfeiting has been a problem underestimated by many manufacturers, Rhines continued: “There are a lot of misconceptions about semiconductors today. One of them is the idea that counterfeit components are a one in a million risk. Distributors say up to 30 per cent of incoming product is suspected to be counterfeit. Most of the counterfeits are sold by good honest distributors who have no effective way to screen chips. At one time they were concentrated on expensive chips. That’s no longer the case.”
“There are a full spectrum of chip protection capabilities. Why don’t we use them? The answer is cost. The most common form of protection against counterfeiting is doing nothing.
“What can we do about it? One answer is product traceability,” Rhines said, pointing to some tool support that already exists in the company’s Valor product line as well as DARPA-sponsored research proposed for fingerprinting authentic parts.
“One thing that will evolve is to insert structures in the chip like on-chip odometers,” Rhines said, that could be used to catch parts recycled from defunct motherboards. “You could tell whether a chip is brand new or has been used a lot.
“And there are techniques where you don’t activate a chip until it’s in the system and has been authenticated. Ultimately what you will see from tools vendors are techniques that take encryption and spread it out across the chip, so there is no way to decode the data and which render it unusable if you don’t insert the right code. It’s one more thing to embed but it means that you have more than just a functional part, it’s a well-protected functional part.”
Hardware Trojans represent a potentially insidious threat, Rhines said: “In EDA most of our effort is spent verifying that a chip does what it’s supposed to do. A much bigger challenge is to verify that the chip doesn’t do what it isn’t supposed to do.”
Although it is currently unclear how real the threat of hardware Trojans is to current chip designs, Rhines said the disaggregated business model has resulted in many potential places where they can be inserted. “About a fourth of the IP in an SoC came from a third party. Even with IP that came from an internal company source, you don’t always know the source of that and whether something else is embedded within it.
“A Trojan can activate on a signal or the activation can be time-based. It can disable a system or access information covertly,” Rhines explained. “Hardware lies at the root of trust in any system. Once it starts showing up in silicon, it undermines the root of trust.
“The biggest problem is testing for unknown unknowns. That’s a great challenge for designers and EDA companies. The places I anticipate being the major sources of Trojans in the future are in IP or in the scripts used to synthesise designs. The threat now is in the design phase.”
Designers may begin to scan IP for known Trojan signatures, although these are vulnerable to the same issues as virus scanners. “Then there are runtime detection mechanisms, testing for unusual operations using a cybersecurity coprocessor. I anticipate that the EDA industry will be called upon to develop better ways to deal with this, because I’m sure people will not want to design their own coprocessor to detect problems.”
“We will see an emerging customer demand for all types of silicon authentication,” Rhines argued.