
So far, many deployed secure systems resistant to software threats have been assisted by hardware security technologies such as HSMs and secure processors. Notwithstanding such protection against software attacks, neither approach is flawless, which has made silicon security increasingly important. Several reasons have been pointed out [1.102, 1.103, 1.104, 1.105], mainly because chips are prone to insider attacks during their design and fabrication, and among them the following five are of the utmost relevance: (1) defenses against software-based attacks are becoming mature and strong, (2) creative new side-channel attacks are continually emerging, (3) chips are being compromised with embedded hardware Trojans, (4) threats embedded in hardware and firmware are currently undetectable by traditional security tools and (5) counterfeiting in the supply chain is becoming bigger and mainstream in the semiconductor industry. Due to the global economy, third-party components manufactured around the world have been integrated into new IoT endpoint devices, making it difficult to ensure they have not been compromised or to trace them back to their sources.

In [1.102] several issues and challenges regarding silicon security are discussed, such as (1) the vulnerability of security mechanisms and their migration from software to hardware, (2) the types of attacks covering the whole execution stack and their relative impact in each layer, (3) the levels of security concern for the chip designer, such as malicious logic embedded on the chip, counterfeit chips and side-channel attacks (Figure 1.5 [1.102]), and (4) countermeasures for the above design concerns based on Trojan detection, supply chain security and on-chip monitoring for side-channel attacks.

Figure 1.5: Levels of security concerns for designer and countermeasures for them. Panels: Malicious logic inside chip (Trojan detection: static tests that analyse RTL for unknown unknowns; dynamic detection by inserting logic to analyse run-time activity); Counterfeit chips (supply chain security: over-produced, remarked, cloned, recycled or otherwise unauthorized ICs, distributed through unauthorized distributors, profit motivated); Side-channel attacks (on-chip countermeasures: use of hardened IP or altered design to resist attack; simulation of attacks to identify weaknesses).

Attacks at different stages of integrated circuit (IC) design flow were recognized and categorized as (1) third-party intellectual property (IP) and code reuse during requirements, design specification and register-transfer level (RTL) coding stages, (2) complicated third-party scripts during functional verification and logic synthesis stages and (3) physical IP during gate-level synthesis, place and route, and layout verification stages.

Additionally, a modification to the traditional system-on-chip design flow and methodology was suggested to enable a robust hardware design methodology, traceability, and proof of health as demanded by several standards in domains such as medical, automotive, avionics, railway and military. For proof of health, an identity microscopy dielet or chiplet complemented with a cybersecurity co-processor was proposed as part of the design. The identity dielet should provide a unique identification to make the design genuine, enabling the chip to work only after the use of an activation key. The cybersecurity co-processor (Figure 1.6 [1.102]) is an IP block targeting issues such as hidden functionality, prevention of undeclared communications and chip usage (e.g., based on physical events like memory accesses and power cycles to check whether it is a second-hand chip).

In [1.103] it is claimed that the main reasons for the vulnerability of security mechanisms and their migration towards hardware are: (1) the maturity of secure software development and its proactive approach to security, (2) an undefined hardware development process with no scrutiny in terms of security comparable to the software design methodology and (3) the inherently slower, more expensive and more difficult hardware hacking, which makes us blindly trust hardware. Three RTL designs were reviewed for common security vulnerabilities and then the process to discover, exploit and fix them was discussed.

Figure 1.6: Cybersecurity co-processor for runtime trojan and side-channel detection. Blocks: CPU, Memory, Input / Output, EDA Tool, Micro Code, Rules and the Cybersecurity Co-processor, connected through the Control Bus, Data Bus, Address Bus and System Bus.

Rajendran et al. [1.104] also proposed a modification to the traditional SoC design flow with additional stages to test and search for UNKNOWN UNKNOWNS, i.e., hardware Trojans as maliciously inserted rogue functionality during design and fabrication. They recognize that detection techniques targeting Trojans inserted in a foundry are limited by their detection sensitivity; therefore, carefully designed Trojans whose sizes are much smaller than this detection sensitivity may go undetected. Their proposed secure hardware design flow first leverages processor encryption by using a trusted security validation team, a trusted integration team and logic encryption techniques (e.g., by adding extra XOR/XNOR gates, adding logic states to the state machine, or by inserting memory elements). They define logic encryption as hiding the hardware's functionality rather than encrypting the design file with a cryptographic algorithm. Secondly, the trusted security team performs logic encryption on the components obtained from the design teams and, finally, security modules are designed with provisions to store keys. Processor encryption is crucial because it ensures that inserted Trojans larger than the detection sensitivity will be detected and that those smaller than it will not function. They also proposed several security modules for secure execution of a program, and showed how rogue insiders in the design house and the foundry could bypass them if processor encryption is not leveraged.
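As an added illustration of the key-gate idea described above (not code from [1.104] or this chapter), the following Python model locks a constructed three-input circuit with one XNOR and one XOR key gate: only one 2-bit key restores the original function, and every other key corrupts some or all outputs. The circuit, the key value and the gate placement are assumptions made for the example.

```python
from itertools import product

# Constructed 3-input, 1-output circuit standing in for an unencrypted design.
def original(a, b, c):
    return (a & b) ^ c

# Key held by the trusted security team (assumed); every other key corrupts the output.
CORRECT_KEY = (1, 0)

def locked(a, b, c, key):
    """Same function with two key gates inserted on internal wires."""
    k0, k1 = key
    wa = a ^ k0 ^ 1       # XNOR key gate on input a: transparent only when k0 = 1
    wc = c ^ k1           # XOR key gate on input c: transparent only when k1 = 0
    return (wa & b) ^ wc

INPUTS = list(product((0, 1), repeat=3))

def mismatch_count(key):
    """Number of the 8 input patterns where the locked design gives a wrong output."""
    return sum(locked(a, b, c, key) != original(a, b, c) for a, b, c in INPUTS)

def keys_that_unlock():
    """Design check: the keys that make the locked design match the original.
    Only CORRECT_KEY should appear; the key gates are placed on separate
    paths so that two wrong key bits cannot cancel each other out."""
    return [key for key in product((0, 1), repeat=2) if mismatch_count(key) == 0]

def truth_table(key):
    """(inputs, original output, locked output) rows for inspecting a given key."""
    return [((a, b, c), original(a, b, c), locked(a, b, c, key)) for a, b, c in INPUTS]
```

A 2-bit key is used only to keep the table readable; a real logic-encrypted design uses far longer keys so that the hidden functionality cannot be recovered by trying keys.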

Power fingerprinting (PFP) [1.105] is an IP block capable of detecting tampering at all levels of the execution stack, from hardware to firmware to software. It utilizes side channels to assess the integrity of an electronic device through monitoring, analysis and identification of otherwise undetectable threats in hardware and firmware. It looks for anomalies that could be indicators of malicious behavior, which are manifested in alternating current, direct current and electromagnetic interference (EMI) power signals. Because PFP can be embedded in the chip, it operates within the resource constraints of IoT while leveraging the following characteristics: it is able to detect dormant as well as active attacks, it does not require threat intelligence, it requires no additional software, and it cannot be detected or evaded by attackers. PFP observes a chip's operation to look for a signature based on power consumption, timing/deadlines, thermal or electromagnetic emissions and to detect deviations from expected operation. For example, since power consumption and electromagnetic emissions depend only on the circuit layout, semiconductor technology and manufacturing process, physical sensors are used to capture fine-grained side-channel signals, which contain a unique signature that emerges during operation of a given hardware/firmware combination. To assign a unique signature to an IoT endpoint device, the execution code can be personalized for the desired functionalities and the signature extracted and loaded as microcode each time the device is updated.
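As an added example, not taken from [1.105] or this chapter, the following Python code models the PFP signature-and-deviation step on constructed synthetic power traces: a per-cycle mean/standard-deviation signature is built from trusted reference runs of the same routine, and an observed trace is flagged when any cycle deviates beyond a z-score threshold. The trace shape, noise level, extra-activity window and threshold are all assumptions.

```python
import math
import random

SAMPLES = 64  # one power sample per clock cycle of the monitored routine

def _clean_trace(rng):
    # Constructed nominal trace: a smooth pattern standing in for the
    # routine's instruction mix, plus small measurement noise.
    base = [1.0 + 0.5 * math.sin(i / 4.0) for i in range(SAMPLES)]
    return [v + rng.gauss(0.0, 0.02) for v in base]

def _tampered_trace(rng, start=40, width=8, extra=0.2):
    # Same routine, but with extra switching activity in one window,
    # standing in for rogue logic that became active at run time.
    trace = _clean_trace(rng)
    for i in range(start, min(start + width, SAMPLES)):
        trace[i] += extra
    return trace

def build_signature(traces):
    """Per-cycle mean and standard deviation over trusted reference traces."""
    n = len(traces)
    mean = [sum(t[i] for t in traces) / n for i in range(SAMPLES)]
    std = [math.sqrt(sum((t[i] - mean[i]) ** 2 for t in traces) / n)
           for i in range(SAMPLES)]
    return mean, std

def anomaly_score(signature, trace):
    """Largest per-cycle z-score of an observed trace against the signature."""
    mean, std = signature
    return max(abs(trace[i] - mean[i]) / max(std[i], 1e-9)
               for i in range(SAMPLES))

def check_device(signature, trace, threshold=6.0):
    """True when the trace deviates from expected operation (assumed threshold)."""
    return anomaly_score(signature, trace) > threshold

def demo(seed=1):
    # Returns (clean_flagged, tampered_flagged); expected (False, True).
    rng = random.Random(seed)
    signature = build_signature([_clean_trace(rng) for _ in range(50)])
    return (check_device(signature, _clean_trace(rng)),
            check_device(signature, _tampered_trace(rng)))
```

In a deployed PFP monitor the reference traces would be captured from a known-good hardware/firmware combination and the signature stored on the chip, as the text describes; the z-score check is one simple deviation metric chosen for this example.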
