Standards group tries to get more information for secure design
Accellera is trying to work out a way to make the components that go into chip designs easier to secure.
If a company selling you a chip, or a chunk of logic intended to go into one, tells you its design is secure, how can you be sure? Can they be sure? As it stands today, it would take a brave engineer to give a positive answer to either. If experience has taught us anything, it’s that hackers will exploit any gaps they can. And a lot of those gaps arise out of misplaced confidence. A group from one of the leading standards bodies for chip design is trying to fix that problem, but is not yet sure how it’s going to solve it.
At the recent Design Automation Conference (DAC) in Las Vegas, members of the committee formed by Accellera, together with an observer from DARPA, set out the challenges they face with buying in IP cores such as processors and network interfaces and closing the holes in the final design that can invite hackers in. One answer may lie beyond conventional techniques.
Serge Leef, who joined DARPA last year as programme manager in the Microsystems Technology Office with a primary interest in design security, wants to see if ideas from the human immune system can be adopted by the designers of system-on-chip (SoC) devices.
Leef believes the immune system’s ability to protect, in many cases, against previously unseen viruses is something that could ultimately influence SoC design. One feature that no chipmaker wants to copy is the immune system’s tendency to attack itself under certain conditions. Something less ambitious could yield answers, working in a manner similar to the network-based warning systems now used by a lot of large organisations to watch for anomalous activity. “My vision is that security architecture involves a central nervous system. The design is made up of IP blocks that need to be connected by the tissue of this central nervous system,” he says.
The plans of the Accellera working group on IP security are for the moment far less ambitious, focused mainly on the kinds of guarantees that vendors can provide to integrators as to how their cores behave. Intel security researcher and working group chair Brent Sherman says: “The problem we are trying to solve in the working group is to find, as integrators, the information we need to determine the security of the IP we buy.”
This information could take the form of a risk assessment to show how the core would react under different scenarios. A potential outcome is for vendors to provide risk assessments for their cores based on different threat models. “It would show what kind of behaviours could undermine the IP. For example, test modes can undermine security and cause unwanted behaviours,” Sherman explains.
Companies making SoCs that are designed specifically for security already use a risk-assessment model. Lei Poo, technology director of secure architectures and platforms at Analog Devices, says: “You need to do a threat analysis ahead of time. Without that, you are at risk of either overdesigning or underdesigning: neither is good.”
A risk assessment for IP to be integrated into an SoC could show what protections are built in and where designers need to take care in how they implement the features. Many cores contain built-in self-test modes for manufacturing. If it is possible to activate those test modes in the field, they become potential backdoors for hackers to exploit. Based on the risk assessment, an SoC designer would be expected to add countermeasures to prevent them being activated after the product has left the factory - but the devil is in the detail.
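The test-mode countermeasure described above, as an added RTL illustration that is not code from the article, from Accellera or from any vendor mentioned here. The module, signal names (`test_mode_pin`, `lifecycle_prod_fuse`, `scan_enable`, `prod_locked`) and the single-fuse lifecycle policy are all assumptions chosen for the example; real SoCs typically use a richer lifecycle state machine. The unprotected form, where an external pin alone enables the manufacturing self-test path, is shown in a comment beside the gated form that ignores the pin once the production fuse has been blown.

```verilog
// Added example (not from the article or Accellera). Assumed names and policy.
//
// Unprotected form, the field-accessible backdoor the article warns about:
// whoever can drive the external pin can put the core into its test mode.
//
//   assign scan_enable = test_mode_pin;
//
// Gated form: the pin is honoured only while the one-time-programmable
// "production" fuse is still unblown. Blowing it at the end of the factory
// flow permanently disables the test path for the life of the part.
module test_mode_gate (
  input  wire clk,
  input  wire rst_n,
  input  wire test_mode_pin,        // external request; untrusted once in the field
  input  wire lifecycle_prod_fuse,  // 1 after the production fuse has been blown
  output reg  scan_enable           // enables DFT / built-in self-test inside the core
);
  reg prod_locked;

  always @(posedge clk or negedge rst_n) begin
    if (!rst_n) begin
      prod_locked <= 1'b0;
      scan_enable <= 1'b0;
    end else begin
      // Sticky lock: once the fuse has ever been sampled as blown, the lock
      // holds until the next reset, so a momentary low on the fuse sense line
      // cannot re-open test mode.
      prod_locked <= prod_locked | lifecycle_prod_fuse;
      scan_enable <= test_mode_pin & ~prod_locked;
    end
  end
endmodule

// Minimal constructed testbench: drive the pin in the factory state, after
// the fuse is blown, and during a momentary drop on the fuse sense line.
module tb_test_mode_gate;
  reg clk = 0, rst_n = 0, test_mode_pin = 0, lifecycle_prod_fuse = 0;
  wire scan_enable;

  test_mode_gate dut (
    .clk(clk), .rst_n(rst_n), .test_mode_pin(test_mode_pin),
    .lifecycle_prod_fuse(lifecycle_prod_fuse), .scan_enable(scan_enable)
  );

  always #5 clk = ~clk;

  initial begin
    #12 rst_n = 1;
    // Factory: fuse unblown, pin requests test mode
    #10 test_mode_pin = 1;
    #20 $display("factory (fuse unblown, pin high): scan_enable=%b", scan_enable);
    // End of line: production fuse blown, pin still high
    lifecycle_prod_fuse = 1;
    #20 $display("field   (fuse blown, pin high):   scan_enable=%b", scan_enable);
    // Fuse sense line momentarily reads 0; the sticky lock should hold
    lifecycle_prod_fuse = 0;
    #20 $display("glitch  (fuse sense low, pin high): scan_enable=%b", scan_enable);
    $finish;
  end
endmodule
```

Simulate with any Verilog simulator (for example `iverilog -o tb tb.v && vvp tb`). The design choice worth noting is that the lock is sticky rather than a plain combinational gate on the fuse: the risk assessment the article describes would list the fuse sense line itself as an input that may be manipulated, so the countermeasure should not depend on that line reading correctly on every cycle.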
“What does such a standard for security assurance look like?” Sherman asks. “We don’t know yet. That’s one of the problems we are trying to solve.”
Even with a risk assessment of each core, engineering teams will still have problems determining how secure their designs are. There is a bigger problem at hand that will take years to solve, largely because of the ingenuity of the hacker community. Leef says: “Verification for security is an unsolved problem. It is a search for unknown unknowns. If you do have a strategy for this, I have some money for you.”
At the start of September, the Accellera group published a white paper that describes the current thinking within the group. Although the group is looking for proposals and input, the idea at the moment is to develop a database of concerns: the Common IP Security Concerns Enumeration (CIPSCE). This lists the known security problems that exist. IP vendors would be expected to indicate how their IP protects against them or which facilities need to be integrated to provide protection.
However, there is still some way to go and the bigger search is for those unknown unknowns.