Frequently Asked Questions
These are questions you may be asking yourself. If yours is not answered here, get in touch and we’ll do our best to help.
Why is hardware security important?
Hardware security is important for risk mitigation and protecting the brand image of your company and its resources. By implementing secure development processes during the early stages of semiconductor design, organizations can ensure their products are more secure and less prone to cyberattacks. This helps to reduce overall risk and ensures compliance with industry standards and regulations.
Why aren’t encryption and Hardware Root of Trust (HRoT) sufficient on their own for product security?
While encryption and HRoT are necessary components of a secure system, it is also important to ensure that these security mechanisms are properly configured and integrated, and do not have any vulnerabilities that can be exploited. A proactive approach to security involves ongoing vulnerability analysis, verification, and testing of these security mechanisms to ensure their effectiveness.
How does Cycuity assist organizations in adopting proactive hardware security?
Cycuity makes it easy for organizations to write comprehensive and verifiable security rules and integrate them into their existing circuit design environment. By using Cycuity’s Radix technology, organizations can define, verify, and measure circuit security requirements throughout the semiconductor development process, allowing them to ensure that known and unexpected security issues have been identified and addressed prior to product manufacturing.
Would my organization benefit from using Cycuity’s Radix technology?
Any organization that develops semiconductors would benefit from adopting a proactive security approach using Cycuity’s Radix technology. This includes designs in the automotive, aerospace, industrial control, medical device, and consumer electronics industries. If your offerings require compliance with security regulations and standards like ISO 21434, ISO 26262 or UNECE R155, attention to the hardware circuit logic at the base of your offering is critical.
What are security requirements?
Security requirements are an essential step in ensuring the security of a system. They are developed early on as part of the hardware architecture and development process and compiled into a security specification document. Guided by security objectives and known weaknesses, such as those included in the Common Weakness Enumeration (CWE), each requirement is systematically derived by identifying the secure assets and documenting the security objectives and protection mechanisms. These requirements are expressed independently of design and implementation details, and are built incrementally. They establish the central driver for the security verification plan and are key for ensuring security signoff.
When is the best time to start planning for circuit security?
It is best to start planning for security at the architectural level and implement it as early in the design as possible. By identifying and addressing weaknesses early on, organizations can have a higher level of confidence in their product security, and the cost of remediating potential issues is much lower. Radix security rules can be written and applied at the block level and ported to SoC and system levels, making it easy to integrate enhanced security throughout the development process.
What is the difference between using formal tools and Radix?
At a high level, formal verification tools and Radix approach security verification in different ways. Formal verification is a mathematical method of ensuring that a design behaves as intended. It works well at the basic block level but can be engineering intensive, and it does not scale well to larger designs or to cases where firmware, software, or memory is involved. Radix, on the other hand, offers a user-friendly way to define and verify comprehensive security requirements throughout the entire design process, including firmware and software. With Radix you get full visibility into security assets and can identify weaknesses and potential vulnerabilities at the system level.
What are typical security vulnerabilities that can be detected by Radix?
Radix detects a wide range of security vulnerabilities, including over 80% of the weaknesses in the MITRE Hardware Common Weakness Enumeration (CWE) database. Some examples of the type of vulnerabilities that can be detected include: key leakage from a Root of Trust module, incorrect data flows through interconnects that violate security access policy, software misconfigurations of encryption modules, microarchitectural side-channel vulnerabilities like Spectre and Meltdown, as well as illegal data access through test and debug logic.
How does Radix verify security requirements?
Radix automates the process of verifying security requirements by allowing designers to express them in plain English, then translate them into Radix security rules that can be automatically verified within the existing design verification environments. Radix security rules are reusable across design stages and multiple SoCs, allowing for more accurate and efficient verification across systems.
Does Radix support both Verilog and VHDL?
Yes, Radix supports both Verilog and VHDL. In the case of a mixed environment, additional discussions may be needed to ensure proper integration and support.
What is Information Flow Tracking?
With Information Flow Tracking, designers see what is happening to security assets during functional verification and system-level verification. It gives designers a way to find potential vulnerabilities by identifying the underlying weaknesses, and to validate that the design is secure before release.
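To make the idea concrete, here is an added example (not Cycuity's code and not Radix rule syntax): a small Python simulation that carries a taint bit alongside every signal value in a hypothetical debug port and checks the rule that a key never reaches debug_out while the device is locked. The netlist, signal names, key value and stimulus are constructed for illustration.

```python
# Added illustration: gate-level information flow tracking on a toy debug port.
# All signal names and the netlist are hypothetical; this is not Radix rule syntax.
from dataclasses import dataclass

W = 0xFF  # 8-bit signals

@dataclass(frozen=True)
class Sig:
    val: int        # functional value
    taint: int = 0  # 1 bits mark positions influenced by the tracked asset

def AND(a, b):
    # A tainted bit only reaches the output if the other input does not force 0.
    t = (a.taint & b.taint) | (a.taint & b.val) | (b.taint & a.val)
    return Sig(a.val & b.val, t & W)

def OR(a, b):
    # A tainted bit only reaches the output if the other input does not force 1.
    t = (a.taint & b.taint) | (a.taint & ~b.val) | (b.taint & ~a.val)
    return Sig((a.val | b.val) & W, t & W)

def NOT(a):
    return Sig(~a.val & W, a.taint)

def fanout(bit):
    # Replicate a 1-bit control signal across the bus width.
    return Sig(W if bit.val & 1 else 0, W if bit.taint & 1 else 0)

def debug_port(key, status, debug_en, locked, honor_lock):
    # debug_out = en ? key : status, where en should also require ~locked.
    en = AND(debug_en, NOT(locked)) if honor_lock else debug_en
    sel = fanout(en)
    return OR(AND(sel, key), AND(NOT(sel), status))

def check_no_flow(honor_lock, stimulus):
    # Rule: key must never flow to debug_out while the device is locked.
    key = Sig(0xA5, taint=W)  # constructed key value, marked as the asset
    status = Sig(0x3C)
    violations = []
    for cycle, (en, lock) in enumerate(stimulus):
        out = debug_port(key, status, Sig(en), Sig(lock), honor_lock)
        if lock and out.taint:
            violations.append(cycle)
    return violations

# Constructed stimulus: (debug_en, locked) per simulation cycle.
STIMULUS = [(0, 0), (1, 0), (0, 1), (1, 1)]
```

The variant that ignores the lock bit is flagged only in the cycle where debug is enabled on a locked device. The taint rules are value-aware, so a key that is merely wired to the mux but not selected does not raise a false alarm.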
How would a company benefit from using Radix?
Radix enables a complete security methodology to provide security assurance from spec to compliance. By using Radix, manufacturers gain a comprehensive understanding of their chip designs and the logic-level security requirements needed for coverage of their chip design before it goes into production. With Radix, they can then identify potential vulnerabilities early on and fix them before tape-out, reducing the risk of security breaches and potential liabilities. Additionally, by automating the verification process, Radix helps increase overall efficiency in the security assurance process. Radix gives companies the confidence that their product is secure and compliant with industry standards.
What is Common Weakness Enumeration (CWE)?
Common Weakness Enumeration (CWE) is a list of common software and hardware weaknesses developed and maintained by the MITRE Corporation. It is a comprehensive list of weaknesses that can be used to identify potential security risks in software and hardware systems.
How can CWEs be used for enhanced hardware security?
CWE provides a comprehensive database of known software and hardware weaknesses that can be exploited by attackers. By referencing and leveraging the CWE database, development teams can ensure the derived security requirements cover all industry-established common weaknesses applicable to the threat model. Reporting coverage against the CWE database offers a quantifiable metric to transparently communicate what has been verified. Furthermore, the CWE database can provide a guide for deriving security requirements that may have been missed.
How often is the CWE database updated?
The CWE database is continuously updated as new vulnerabilities are discovered and added to the list. The MITRE Corporation regularly releases new versions of the database, with updates typically made monthly.