Rambus security researchers recently presented a paper at NSS 2015 that details the process of cryptographically securing on-chip firewalling.
Authored by Jean-Michel Cioranesco, Craig Hampel, Guilherme Ozari de Almeida, and Rodrigo Portella do Canto, the paper describes how complex SoCs continue to influence the evolution of on-chip interconnects as points of integration for a variety of system-level functions, including security.
“Integrators have begun to rely on distributed access control hardware to protect resources that are shared between IP cores executing both trusted and untrusted software,” the researchers explained in the article abstract. “Existing solutions cover enforcement of on-chip access control policies but don’t secure the programming interface or the hardware against possible attacks. As embedded content increases in theft value, on-chip access enforcement will need to consider both software and hardware directed attacks.”
To address this issue, Rambus security researchers designed a secure on-chip access device that enables secure and programmable allocation of resources in an SoC. This is accomplished through cryptographic authentication of the programming agent, fault detection and key integrity, with synthesis results demonstrated in both ASIC and FPGA implementations.
“[This is] a novel way of firewalling resources securely in an SoC by cryptographically signing reprogrammed firewall access rules and checking them for modifications or errors during operation,” said the researchers. “[This means] Cryptographically Secure Access Control (CSAC) can be used to efficiently and securely segment address spaces between secure and non-secure initiators.”
More specifically, the programmer controlling the above-mentioned segments or partitions can be located on-chip or off-chip, while programming sequences are authenticated with very strong collision resistance. Similarly, CSAC is resistant to fault injection/glitching techniques, effectively allowing a given access to be securely maintained. Last, but certainly not least, CSAC can be utilized in broader applications, as its principles are also applicable (to a certain extent) to memory management units (MMUs).
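The idea described above (authenticate each rule update, then re-check the stored rules during operation) can be modelled in software. The following is an added behavioural sketch, not code from the paper or from Rambus; HMAC-SHA256, the rule layout, the sequence counter and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

READ, WRITE = 1, 2  # hypothetical permission bits

class IntegrityFault(Exception):
    """Stored rules no longer match their authentication tag."""

def encode(seq, rules):
    # Canonical encoding: counter, rule count, then (initiator, base, limit, perms).
    blob = struct.pack(">QI", seq, len(rules))
    for initiator, base, limit, perms in rules:
        blob += struct.pack(">IQQB", initiator, base, limit, perms)
    return blob

def sign_rules(key, seq, rules):
    # Assumption: HMAC-SHA256 stands in for whatever primitive the paper uses.
    return hmac.new(key, encode(seq, rules), hashlib.sha256).digest()

class Firewall:
    def __init__(self, key):
        self.key, self.seq, self.rules = key, 0, []
        self.tag = sign_rules(key, 0, [])

    def program(self, seq, rules, tag):
        # Reject stale counters (assumed anti-replay) and unauthenticated rule sets.
        if seq <= self.seq:
            return False
        if not hmac.compare_digest(tag, sign_rules(self.key, seq, rules)):
            return False
        self.seq, self.rules, self.tag = seq, [tuple(r) for r in rules], tag
        return True

    def check(self, initiator, addr, perm):
        # Recompute the tag before every decision so a flipped bit in the
        # stored table (fault injection, glitching) is detected, not obeyed.
        if not hmac.compare_digest(self.tag, sign_rules(self.key, self.seq, self.rules)):
            raise IntegrityFault("rule table does not match its tag")
        return any(i == initiator and base <= addr <= limit and (perms & perm) == perm
                   for i, base, limit, perms in self.rules)

if __name__ == "__main__":
    key = bytes(range(32))  # constructed demo key
    fw = Firewall(key)
    rules = [(1, 0x1000, 0x1FFF, READ | WRITE), (2, 0x1000, 0x1FFF, READ)]
    print("programmed:", fw.program(1, rules, sign_rules(key, 1, rules)))
    print("initiator 2 write allowed:", fw.check(2, 0x1800, WRITE))
    fw.rules[1] = (2, 0x1000, 0x1FFF, READ | WRITE)  # simulated fault in the table
    try:
        fw.check(2, 0x1800, WRITE)
    except IntegrityFault as exc:
        print("fault detected:", exc)
```

In hardware the per-access recomputation would be replaced by a check suited to the interconnect's latency budget; the model only shows which events must fail closed.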