Secure silicon is a foundational element of a secure design supply chain for electronic systems, as semiconductors power everything from consumer electronics to critical infrastructure and defense systems. The complexity of the modern system-on-chip (SoC) designs fulfilling this demand often requires integration of third-party intellectual property (IP) components, such as cryptographic engines, network-on-chip (NOCs), processors, sensors, and hardware roots of trust, sourced from various specialized vendors. Incorporating third-party IP offers numerous advantages, as technological advancements from external partners can be integrated quickly, accelerate development timelines, and enhance overall system capabilities. This approach reduces research and development costs and enables organizations to focus on their core competencies while benefiting from the innovation and expertise of third-party partners.
The Hardware Security Risks of Third-Party IP
However, the integration of third-party IP may introduce system-level security vulnerabilities. These IP components are highly configurable and programmable, making them appealing for broad application, but this same flexibility can lead to security vulnerabilities if not properly managed. When these components are integrated into larger systems, any security vulnerabilities they contain may compromise the entire design. Additionally, improper integration of IP at the SoC level or misconfiguration in the firmware can introduce security weaknesses – even when IP itself is securely implemented.
These potential system-level security risks are harder to detect, and addressing hardware vulnerabilities after the product is released to customers is expensive, time-consuming, and could negatively impact brand reputation and market share. Therefore, it is key to develop, test, and verify security measures across the design supply chain, from block to system, and across organizations and third-party IP providers.
The Role of Transparency
The use of third-party IP requires a new level of transparency from providers to ensure security. Often, IP providers do not supply adequate security documentation or proof of security assurance, leaving users uncertain about potential risks. It’s important that IP vendors offer clear, measurable evidence of security, such as compliance with industry standards or documented results from vulnerability testing to provide a high level of assurance to the IP integrators. Such documentation helps ensure transparency about the security assumptions and measures made, and those not considered.
Strategies for Securing Third-Party IP
Transparency is a critical first step but it is not enough. Evaluating a vendor’s security protocols and adherence to industry standards is helpful in establishing the initial security posture of a third-party IP block, but it is equally vital to have proof of security that can easily be reverified.
IP vendors should provide reproducible proof that an IP core is secure, along with a formal specification for testing secure integration and configuration to maintain assurance throughout the design supply chain. A formal specification not only demonstrates that the IP meets security requirements, but also provides a measure to ensure that the IP meets security standards and requirements across different environments. SoC developers can use this formal specification to verify both the IP functionality as well as the IP security capabilities in their specific configurations and environments.
Staying Ahead of Emerging Threats With CWE
As demonstrated by the number of security weaknesses and categories identified in the hardware Common Weakness Enumeration (CWE) database, potential risk from emerging security vulnerabilities continues to grow. The CWE list provides a useful guide to perform comprehensive systematic analysis and as a way to measure coverage to generate security assurance evidence for third-party IP.
Proactive identification of both known and emerging security weaknesses is essential in reducing the risk of hardware vulnerabilities. Cycuity’s Radix offers a comprehensive methodology and approach for detection and mitigation of pre-silicon security flaws that could lead to system-level vulnerabilities. By aligning with established best-practice standards like CWE, Radix ensures a robust defense against a wide range of security threats that could be introduced during the design and verification stages.
Radix provides Security Verification across the design supply chain.
As shown above, Radix utilizes a security monitor to verify that third-party IP designs uphold security standards at all levels, from individual blocks to SoCs and complete systems. By applying the same monitor at each level, Radix ensures the third-party IP is secure across the design chain by confirming that no new security weaknesses are introduced during integration, configuration or through incorrect usage by firmware and software. Through this process, Radix delivers traceable and repeatable evidence to document the security of SoCs across the design lifecycle and organizational boundaries.
For more information on Radix technology and how it can provide security assurance to your third-party IP, please contact me by email: jagadish@cycuity.com