Ben Levine, Senior Director of Security Product Marketing at Rambus, recently spoke with Semiconductor Engineering editor-in-chief Ed Sperling about the various security challenges associated with creating complex silicon. According to Levine, there are two primary issues associated with CPUs, SoCs and embedded systems becoming increasingly complex.
“Firstly, there are more things (components) that can be insecure. So, if there are n components in your chip, as n goes up, there are more things that may be potentially vulnerable,” he explains. “However, it’s worse than that. This is because security vulnerabilities are often not just in a single component, but rather, [occur] in interactions between components.”
As an example of a vulnerability created by interaction between components, Levine highlights the infamous Meltdown security flaw, which was independently disclosed by multiple researchers in 2018, including senior Rambus security advisor Paul Kocher and senior Rambus security engineer Mike Hamburg.
“The Meltdown vulnerability that was discovered in CPUs last year was actually an interaction between the branch prediction or speculative execution and the cache,” he elaborates. “And it wasn’t that one or the other was inherently insecure – it was the interaction between the two.”
As Levine points out, designers must get N squared things right, while an attacker only needs to locate a single vulnerability. In real world terms, this means that as silicon becomes more complex, there are significantly more security risks for CPUs, SoCs and embedded devices than ever before.
“We have more and more and resources, more transistors with Ohm’s law. The lower cost of components enables us to package more in one device,” he states. “[Moreover], a system [or device] has a lot of complex interactions and inherent security vulnerabilities. These are amplified by all the different use cases and ways in which a particular device is used.”
As Levine emphasizes, simply connecting a device to the internet or other devices within an ecosystem dramatically exposes and expands the attack surface. This is because an attacker doesn’t need to be in possession of a device to compromise it.
“[Securing silicon] is a very difficult problem. There isn’t a single solution to the problem, although one approach you can take is divide and conquer – [especially] if you have a very complex system,” he says. “Rather than trying to make the entire [system] secure, one approach is to identify the things that are important from a security perspective. This includes keys, credentials and decisions about access. [Moreover], I’m going to partition these away from the rest of the system.”
As Levine explains, this paradigm would see a specialized, siloed security processor embedded within an SoC.
“I’m going to move all my keys, all my certificates; I’m going to move decisions about access to resources and we can move all that into the secure processor. Now I can make the general-purpose processor as complex as I want. I can optimize it for performance or low-power, or whatever I need to do,” he states.
“I’m going to be doing things that are secure in this secure domain, including connectivity. So, perhaps I have a cell modem that’s going to be outside of the security domain. [Now] I can communicate between the outside world and the secure processor. The secure processor can be involved in authentication and setting up secure communication channels, although that interface is still outside of the security domain.”
As opposed to a general-purpose processor, says Levine, a secure processor can be specifically optimized to handle secure tasks – and only secure tasks. For example, a secure processor can help ensure confidentiality by encrypting data and managing secure keys.
“A secure processor, a secure root-of-trust, can manage keys, it can coordinate keys. Say you have a server in the Cloud – and I want to encrypt the data that passes through a cellular link to the Cloud. Well, I need to have a key in the Cloud that can decrypt the data. Maybe you have a key in the chip that can encrypt the data and I need to keep these keys synchronized without exposing the keys. To do that, you need some sort of secure root-of-trust to enable secure data encryption,” he concludes.
Interested in learning more about securing complex CPUs, SoCs and embedded systems? Download our Rambus CryptoManager Root of Trust white paper here.