Security Homesteads the Chip
Bad things may come in small packages, so experts safeguard the microelectronics supply chain.
The fight to secure microelectronic chips is becoming as basic as the chip itself. With chips facing a myriad of threats throughout their life cycle, experts are incorporating security measures into the development of the chip from the foundry to assembly. Other approaches safeguard against threats that could appear as the chip moves through the supply chain. The bottom line for microelectronics security is that necessary measures cannot wait until the device is in the hands of the user.
Threats can manifest in a number of ways, from an intruder breaking into a system after manufacture to someone inserting malware or hardware early that permits exploitation later. Paul Quintana, director of defense and security for Microchip Aerospace and Defense Group, notes that hardware Trojans can provide a broad-based attack after they are introduced into the supply chain. The attack can take place inside every device of the type manufactured. This threat has been known for several years, and work underway aims to improve detection.
The global supply chain for microelectronics offers several threats to safe and secure chips. Criminals and state-sponsored agents can access chips for sabotage and profit. Dishonest manufacturers can counterfeit legitimate chips with copies that do not meet performance standards, which could prove deadly in critical functions. Marketers can re-mark existing chips—called blacktopping and upscreening parts—as well as recycling old parts that have been removed from their original devices.
Even though a part may be designed in the United States, it’s probably manufactured offshore, verified at another location and packaged in a third country to be drop-shipped to its final destination. This creates numerous opportunities for malevolent actions.
The fundamental attack vectors almost always will involve breaking the implementation of the device, as opposed to breaking the actual design, Quintana says. “It’s just like cryptography—it’s only as good as the implementation; same with security. You can’t trust everything that’s on your chip,” he warns.
The Defense Department’s Instruction 5200.44 includes sections that address trust and assurance in the microelectronics supply chain. This instruction, which debuted in 2012 and was revised in 2016, is being redone, and Quintana expects the new version to come out next year. He adds that the Defense Department has a good grasp of supply chain issues, and now the commercial sector is beginning to engage on supply chain security, anti-tamper actions and data protection.
One defense approach being incorporated in the commercial sector is secure roots of trust. Industry wants to be sure that when an engineer designs a circuit card assembly with multiple chips on it, the company knows exactly what all these chips are supposed to do. “Being able to identify a part of the board is great—that is step one,” Quintana says. “Step two is being able to control it.”
He continues that the defense sector has been “stalwart” in microelectronic supply chain security. The commercial sector is just coming around to incorporating these security measures, but it is ramping up quickly. Industry falls somewhere in between the two, he offers.
This reality leads to two approaches. One is to ensure the fidelity of each chip element. “What we try to do is make sure that every piece of intellectual property that gets integrated into the device is trusted,” Quintana says.
Quintana relates that commercial security began 12 years ago as an add-on. A product would be developed, and then manufacturers would consider how to add security to it. Security largely was an afterthought. But, over the past five to eight years, the trend has been to design a microelectronic product with security in mind. A device must secure data inputs and outputs from the outset.
Designing security in from the start makes it easier for everyone to test the device, he says, which lowers operational costs. Customers also find it easier to use, especially when they go through their debugging routines. They don’t have to turn off security measures prior to debugging, Quintana points out, which avoids the security risk of forgetting to turn them back on.
The second approach is to incorporate security measures into the chips themselves. Hardware firewalls are embedded in devices, so a user can configure them to allow or limit access to subsystems. “It’s starting to get a little more complex,” he allows.
He compares current security approaches to those that were done years ago at the rack level. Just as multiple boxes were separated by security firewalls while functions were observed by sniffers at the network level, field-programmable gate arrays (FPGAs) now are including the same security approach internally as a part of the core function. Various technologies act as sniffers monitoring bus activity just as they did at the rack level. “Every semiconductor device essentially is a system on a chip. We may have two dozen microcontrollers as well as microprocessors on that chip,” Quintana says.
The key is supply chain risk management, Quintana offers. This begins with ensuring the chip is designed as intended, verifying the design and manufacturing it in a secure way. “When we go through a manufacture at a facility that we don’t control—at an offshore fabrication house—we want to make sure the manufactured devices are tested and that the cryptographic keys put inside them are all maintained securely,” Quintana states. “What that allows us to do is track every single device uniquely throughout our supply chain, from cradle to grave.” That way, when a chip goes into packaging, it includes a link that shows how it was tested along the way.
A variety of new technologies helps ensure microelectronic security. Cryptography has become much smaller and more available, Quintana notes. Being able to export cryptography throughout the world has increased its availability for supply chain protection.
Identifying a part has progressed from the days of reliance on serial numbers or fuses burned into a device. Now, physically unclonable functions can uniquely identify every single chip manufactured. These continue to advance, Quintana says. The next-generation version of this technology that is emerging can offer “an enormous number of digital signatures unique to that piece of silicon,” he adds.
And, blockchain has a role to play in supply chain security. Adding blockchain can increase attribution into the risk management effort—from the foundry through packaging and then distribution. It provides a ledger of a device throughout its entire manufactured life cycle.
Quintana notes that, for many parts, the effort doesn’t end with manufacturing. “From the physical protection of the device to the cyber protection of the device, a lot of the devices that are manufactured are programmed after the customer gets them,” he points out. “We need to make sure that all the supply chain security that we have, leading from the design to the manufacture, is extended into the customer use model.”
One approach is to let users have access to cryptography data so they can add their own data, he suggests. This has been done in some FPGA products over the past few years, he notes. When contract manufacturers build devices, the end customers can control the number of products built and the software and firmware loaded into those products. The same approach can be used with blockchain attribution, he adds.
On the cybersecurity side, action ranges from customer practices to legislative action. Quintana relates that the state of California has passed legislation requiring manufacturers to shun putting the same default key in every device that permits operational attacks. His company, in turn, requires that its customers use encrypted bitstreams on its FPGA products. The key differs for every device, he notes, and this approach is being taken on new and future products.
One hazard that pops up is when a cybermarauder rolls back an update that plugs a security hole. Revision 2 might be usurped by someone who reloads revision 1, which reinstitutes the security hole. Anti-rollback features can be installed to ensure that the correct software version is loaded onto the exact device that is specific to the actual serial number intended for the upgrade. Software would be loaded only onto the number of devices planned. As part of the new contract manufacturer controls, this approach can extend the supply risk management system from the package to the product. Quintana predicts a major rollout of this capability over the next couple of years, especially for lower-cost devices.
As the Internet of Things (IoT) burgeons, these security efforts are likely to grow commensurate with the IoT, Quintana offers. “As 5G rolls out and e-commerce rolls out across 5G, as consumers start using mobile devices and mobile endpoints have more and more access to our own personal data … ensuring that security is there from the outset is becoming more and more important. I think that is driving a lot of what we see in the industry,” he adds. Those security concerns include microelectronics.
Intentional or Unintentional Chip Errors: Does it Make a Difference?
One microelectronics issue that continues to draw attention is safety critical industrial systems. A question that always arises is whether a problem is an intentional one being inserted into a device or an unintentional error. Both are relevant, Quintana points out, as it matters little if a critical device fails to do its job. Unintentional errors include single event upset (SEU), or radiation effects. These can be especially troublesome in autonomous systems.
Unintentional errors are becoming more of an issue as technologies improve. A device’s physical geometry—its gate length—has changed greatly over the years. They have gone from 130 nanometers down to 90 nanometers, down to 65 nanometers and now to 14 nanometers. Gate lengths of 10, 7 and 5 nanometers are coming on line, Quintana offers. As gate lengths have become smaller, radiation effects have increased. With semiconductor devices steadily becoming more sensitive to radiation, understanding how to mitigate those effects has increased in importance.
Insulated gates have helped, but radiation effects “are not going away,” Quintana declares. They may even be becoming more relevant, he adds.