As they try to build a standard for the security assurance of intellectual property (IP) cores, members of an Accellera working group were among those who explained the challenges they face in handling the unpredictable nature of hardware and software hacks. The discussion happened during a panel session at this week’s Design Automation Conference (DAC) in Las Vegas (June 3, 2019).
Intel security researcher and working group chair Brent Sherman said: “The problem we are trying to solve in the working group is to find, as integrators, the information we need to determine the security of the IP we buy.”
Today’s plan for a standard is to develop a threat model or risk assessment for each core, he said, to ensure that teams do not inadvertently compromise their designs during IP integration. “It would show what kind of behaviors could undermine the IP. For example, test modes can undermine security and cause unwanted behaviors.”
The risk assessment would ideally show how those test modes are activated and what needs to be added to the infrastructure around the IP to prevent unauthorized users from triggering them in the final chip. The assessment would help identify if more sophisticated anti-tamper measures would be needed around the IP, based on the threat model for the final product. These measures would be quite different for a simple home temperature sensor than for a sophisticated gateway protecting payment information, which presents a richer target for hackers.
Lei Poo, technology director of secure architectures and platforms at Analog Devices, said: “You need to do a threat analysis ahead of time. Without that, you are at risk of either over-designing or under-designing: neither is good.”
Sherman added: “What does such a standard for security assurance look like? We don’t know yet. That’s one of the problems we are trying to solve.”
Layered on top of the problem of developing a workable standard for security risk assessments is the issue of how complete designs are checked for their ability to resist attack. Today, verification represents the biggest problem facing teams trying to determine whether their IC designs are secure in the real world.
Serge Leef, who joined DARPA last year as program manager in the Microsystems Technology Office with a primary interest in design security, said: “Verification today answers the question: does it do what it’s meant to do? It doesn’t answer the question: what else does it do?”
Poo added: “For security you don’t just do positive testing. You have to do negative testing as well. Generally that is something that we don’t see a lot of verification engineers believing they need to do, but it is something you need to explicitly test.”
Panelists outlined a number of issues for verification practice that have led, in the view of Andrew Dauman, vice president of engineering at Tortuga Logic, to a gap opening up between design for security and the ability of teams to verify those designs.
Poo said: “I agree with Andrew that verification is lacking compared to design. Verification is definitely not up to par. For example, there are very few pre-silicon tools that we can use to gauge things such as whether [information] leakage is safe against side-channel attacks.”
Breaking down silos
A related problem is that of the increased specialization of members of chip-design teams and the tendency to work in closely defined silos. Many of the flaws in security emerge at the system level because of assumptions made by integrators when pulling the design together and verifying it. In addition, Poo noted: “At system level, simulation takes a long time to run.”
Engineering teams who want to check security flaws face an additional issue that will likely remain even if the others are solved. Leef explained: “Verification for security is an unsolved problem. It is a search for unknown unknowns. If you do have a strategy for this I have some money for you.”
One possible solution that Leef floated, though it may prove not to be viable, is to model IC security on the human immune system and its ability, in many cases, to protect against previously unseen viruses. He said one potential issue that no chip integrator would want to replicate is the possibility that such immune systems can and do attack themselves. Another approach might involve overlaying security protection on the core design.
“My vision is that the security architecture involves a central nervous system. The design is made up of IP blocks that need to be connected by the tissue of this central nervous system.”
Despite the many challenges of security assurance, Sherman insisted: “I’m more optimistic here. IP security is still in its infancy. But we are seeing some momentum here. The working group already has participants from 17 companies. There is a chance of getting this off the ground.”